
SecureStack A2

Stackable Switches

Configuration Guide
Firmware Version 1.04.xx

P/N 9034155-06 Rev. 0B

Notice
Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

2008 Enterasys Networks, Inc. All rights reserved.

Part Number: 9034155-06 Rev. 0B February 2008

ENTERASYS, ENTERASYS NETWORKS, ENTERASYS NETSIGHT, WEBVIEW, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc. in the United States and other countries.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.

Documentation URL: http://www.enterasys.com/support/manuals

Version:

Information in this guide refers to SecureStack A2 firmware version 1.04.xx

ENTERASYS NETWORKS, INC. FIRMWARE LICENSE AGREEMENT


BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT.
This document is an agreement ("Agreement") between the end user ("You") and Enterasys Networks, Inc., on behalf of itself and its Affiliates (as hereinafter defined) ("Enterasys") that sets forth Your rights and obligations with respect to the Enterasys software program/firmware (including any accompanying documentation, hardware or media) ("Program") in the package and prevails over any additional, conflicting or inconsistent terms and conditions appearing on any purchase order or other document submitted by You. "Affiliate" means any person, partnership, corporation, limited liability company, other form of enterprise that directly or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with the party specified. This Agreement constitutes the entire understanding between the parties, with respect to the subject matter of this Agreement. The Program may be contained in firmware, chips or other media.

BY INSTALLING OR OTHERWISE USING THE PROGRAM, YOU REPRESENT THAT YOU ARE AUTHORIZED TO ACCEPT THESE TERMS ON BEHALF OF THE END USER (IF THE END USER IS AN ENTITY ON WHOSE BEHALF YOU ARE AUTHORIZED TO ACT, "YOU" AND "YOUR" SHALL BE DEEMED TO REFER TO SUCH ENTITY) AND THAT YOU AGREE THAT YOU ARE BOUND BY THE TERMS OF THIS AGREEMENT, WHICH INCLUDES, AMONG OTHER PROVISIONS, THE LICENSE, THE DISCLAIMER OF WARRANTY AND THE LIMITATION OF LIABILITY. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT OR ARE NOT AUTHORIZED TO ENTER INTO THIS AGREEMENT, ENTERASYS IS UNWILLING TO LICENSE THE PROGRAM TO YOU AND YOU AGREE TO RETURN THE UNOPENED PRODUCT TO ENTERASYS OR YOUR DEALER, IF ANY, WITHIN TEN (10) DAYS FOLLOWING THE DATE OF RECEIPT FOR A FULL REFUND.

IF YOU HAVE ANY QUESTIONS ABOUT THIS AGREEMENT, CONTACT ENTERASYS NETWORKS, LEGAL DEPARTMENT AT (978) 6841000.

You and Enterasys agree as follows:

1. LICENSE. You have the nonexclusive and nontransferable right to use only the one (1) copy of the Program provided in this package subject to the terms and conditions of this Agreement.

2. RESTRICTIONS. Except as otherwise authorized in writing by Enterasys, You may not, nor may You permit any third party to:

(a) Reverse engineer, decompile, disassemble or modify the Program, in whole or in part, including for reasons of error correction or interoperability, except to the extent expressly permitted by applicable law and to the extent the parties shall not be permitted by that applicable law, such rights are expressly excluded. Information necessary to achieve interoperability or correct errors is available from Enterasys upon request and upon payment of Enterasys' applicable fee.

(b) Incorporate the Program in whole or in part, in any other product or create derivative works based on the Program, in whole or in part.

(c) Publish, disclose, copy reproduce or transmit the Program, in whole or in part.

(d) Assign, sell, license, sublicense, rent, lease, encumber by way of security interest, pledge or otherwise transfer the Program, in whole or in part.

(e) Remove any copyright, trademark, proprietary rights, disclaimer or warning notice included on or embedded in any part of the Program.

3. APPLICABLE LAW. This Agreement shall be interpreted and governed under the laws and in the state and federal courts of the Commonwealth of Massachusetts without regard to its conflicts of laws provisions. You accept the personal jurisdiction and venue of the Commonwealth of Massachusetts courts. None of the 1980 United Nations Convention on the Limitation Period in the International Sale of Goods, and the Uniform Computer Information Transactions Act shall apply to this Agreement.

4. EXPORT RESTRICTIONS. You understand that Enterasys and its Affiliates are subject to regulation by agencies of the U.S. Government, including the U.S. Department of Commerce, which prohibit export or diversion of certain technical products to certain countries, unless a license to export the product is obtained from the U.S. Government or an exception from obtaining such license may be relied upon by the exporting party.

If the Program is exported from the United States pursuant to the License Exception CIV under the U.S. Export Administration Regulations, You agree that You are a civil end user of the Program and agree that You will use the Program for civil end uses only and not for military purposes.

If the Program is exported from the United States pursuant to the License Exception TSR under the U.S. Export Administration Regulations, in addition to the restriction on transfer set forth in Section 1 or 2 of this Agreement, You agree not to (i) reexport or release the Program, the source code for the Program or technology to a national of a country in Country Groups D:1 or E:2 (Albania, Armenia, Azerbaijan, Belarus, Cambodia, Cuba, Georgia, Iraq, Kazakhstan, Laos, Libya, Macau, Moldova, Mongolia, North Korea, the People's Republic of China, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, Vietnam, or such other countries as may be designated by the United States Government), (ii) export to Country Groups D:1 or E:2 (as defined herein) the direct product of the Program or the technology, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List, or (iii) if the direct product of the technology is a complete plant or any major component of a plant, export to Country Groups D:1 or E:2 the direct product of the plant or a major component thereof, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List or is subject to State Department controls under the U.S. Munitions List.

5. UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The enclosed Program (i) was developed solely at private expense; (ii) contains restricted computer software submitted with restricted rights in accordance with section 52.22719 (a) through (d) of the Commercial Computer Software Restricted Rights Clause and its successors, and (iii) in all respects is proprietary data belonging to Enterasys and/or its suppliers. For Department of Defense units, the Program is considered commercial computer software in accordance with DFARS section 227.72023 and its successors, and use, duplication, or disclosure by the U.S. Government is subject to restrictions set forth herein.

6. DISCLAIMER OF WARRANTY. EXCEPT FOR THOSE WARRANTIES EXPRESSLY PROVIDED TO YOU IN WRITING BY ENTERASYS, ENTERASYS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT WITH RESPECT TO THE PROGRAM. IF IMPLIED WARRANTIES MAY NOT BE DISCLAIMED BY APPLICABLE LAW, THEN ANY IMPLIED WARRANTIES ARE LIMITED IN DURATION TO THIRTY (30) DAYS AFTER DELIVERY OF THE PROGRAM TO YOU.

7. LIMITATION OF LIABILITY. IN NO EVENT SHALL ENTERASYS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS, PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR RELIANCE DAMAGES, OR OTHER LOSS) ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM, EVEN IF ENTERASYS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS FOREGOING LIMITATION SHALL APPLY REGARDLESS OF THE CAUSE OF ACTION UNDER WHICH DAMAGES ARE SOUGHT.

THE CUMULATIVE LIABILITY OF ENTERASYS TO YOU FOR ALL CLAIMS RELATING TO THE PROGRAM, IN CONTRACT, TORT OR OTHERWISE, SHALL NOT EXCEED THE TOTAL AMOUNT OF FEES PAID TO ENTERASYS BY YOU FOR THE RIGHTS GRANTED HEREIN.

8. AUDIT RIGHTS. You hereby acknowledge that the intellectual property rights associated with the Program are of critical value to Enterasys, and, accordingly, You hereby agree to maintain complete books, records and accounts showing (i) license fees due and paid, and (ii) the use, copying and deployment of the Program. You also grant to Enterasys and its authorized representatives, upon reasonable notice, the right to audit and examine during Your normal business hours, Your books, records, accounts and hardware devices upon which the Program may be deployed to verify compliance with this Agreement, including the verification of the license fees due and paid Enterasys and the use, copying and deployment of the Program. Enterasys' right of examination shall be exercised reasonably, in good faith and in a manner calculated to not unreasonably interfere with Your business. In the event such audit discovers noncompliance with this Agreement, including copies of the Program made, used or deployed in breach of this Agreement, You shall promptly pay to Enterasys the appropriate license fees. Enterasys reserves the right, to be exercised in its sole discretion and without prior notice, to terminate this license, effective immediately, for failure to comply with this Agreement. Upon any such termination, You shall immediately cease all use of the Program and shall return to Enterasys the Program and all copies of the Program.

9. OWNERSHIP. This is a license agreement and not an agreement for sale. You acknowledge and agree that the Program constitutes trade secrets and/or copyrighted material of Enterasys and/or its suppliers. You agree to implement reasonable security measures to protect such trade secrets and copyrighted material. All right, title and interest in and to the Program shall remain with Enterasys and/or its suppliers. All rights not specifically granted to You shall be reserved to Enterasys.

10. ENFORCEMENT. You acknowledge and agree that any breach of Sections 2, 4, or 9 of this Agreement by You may cause Enterasys irreparable damage for which recovery of money damages would be inadequate, and that Enterasys may be entitled to seek timely injunctive relief to protect Enterasys' rights under this Agreement in addition to any and all remedies available at law.

11. ASSIGNMENT. You may not assign, transfer or sublicense this Agreement or any of Your rights or obligations under this Agreement, except that You may assign this Agreement to any person or entity which acquires substantially all of Your stock assets. Enterasys may assign this Agreement in its sole discretion. This Agreement shall be binding upon and inure to the benefit of the parties, their legal representatives, permitted transferees, successors and assigns as permitted by this Agreement. Any attempted assignment, transfer or sublicense in violation of the terms of this Agreement shall be void and a breach of this Agreement.

12. WAIVER. A waiver by Enterasys of a breach of any of the terms and conditions of this Agreement must be in writing and will not be construed as a waiver of any subsequent breach of such term or condition. Enterasys' failure to enforce a term upon Your breach of such term shall not be construed as a waiver of Your breach or prevent enforcement on any other occasion.

13. SEVERABILITY. In the event any provision of this Agreement is found to be invalid, illegal or unenforceable, the validity, legality and enforceability of any of the remaining provisions shall not in any way be affected or impaired thereby, and that provision shall be reformed, construed and enforced to the maximum extent permissible. Any such invalidity, illegality, or unenforceability in any jurisdiction shall not invalidate or render illegal or unenforceable such provision in any other jurisdiction.

14. TERMINATION. Enterasys may terminate this Agreement immediately upon Your breach of any of the terms and conditions of this Agreement. Upon any such termination, You shall immediately cease all use of the Program and shall return to Enterasys the Program and all copies of the Program.


Contents
About This Guide
Using This Guide
Structure of This Guide
Related Documents
Conventions Used in This Guide
Getting Help

Chapter 1: Introduction
SecureStack A2 CLI Overview
Switch Management Methods
Factory Default Settings
Using the Command Line Interface
  Starting a CLI Session
  Logging In
  Navigating the Command Line Interface

Chapter 2: Configuring Switches in a Stack


About SecureStack A2 Switch Operation in a Stack
Installing a New Stackable System of Up to Eight Units
Installing Previously-Configured Systems in a Stack
Adding a New Unit to an Existing Stack
Creating a Virtual Switch Configuration
Considerations About Using Clear Config in a Stack
Configuring Standalone A2 Stack Ports
Stacking Configuration and Management Commands
  Purpose
  Commands
    show switch
    show switch switchtype
    show switch stack-ports
    set switch stack-port
    set switch
    set switch copy-fw
    set switch description
    set switch movemanagement
    set switch member
    clear switch member

Chapter 3: Basic Configuration


Setting User Accounts and Passwords
  Purpose
  Commands
    show system login
    set system login
    clear system login
    set password
    set system password length
    set system password aging
    set system password history
    show system lockout
    set system lockout
Setting Basic Switch Properties
  Purpose
  Commands
    show ip address
    set ip address
    clear ip address
    show ip protocol
    set ip protocol
    show system
    show system hardware
    show system utilization
    set system enhancedbuffermode
    show time
    set time
    show summertime
    set summertime
    set summertime date
    set summertime recurring
    clear summertime
    set prompt
    show banner motd
    set banner motd
    clear banner motd
    show version
    set system name
    set system location
    set system contact
    set width
    set length
    show logout
    set logout
    show console
    set console baud
Configuring Power over Ethernet (PoE)
  Purpose
  Commands
    show inlinepower
    set inlinepower threshold
    set inlinepower trap
    show port inlinepower
    set port inlinepower
Downloading a New Firmware Image
  Downloading from a TFTP Server
  Downloading via the Serial Port
Reviewing and Selecting a Boot Firmware Image
  Purpose
  Commands
    show boot system
    set boot system
Starting and Configuring Telnet
  Purpose
  Commands
    show telnet
    set telnet
    telnet

Managing Switch Configuration and Files
  Configuration Persistence Mode
  Purpose
  Commands
    show snmp persistmode
    set snmp persistmode
    save config
    dir
    show file
    show config
    configure
    copy
    delete
    show tftp settings
    set tftp timeout
    clear tftp timeout
    set tftp retry
    clear tftp retry
Configuring CDP
  Purpose
  Commands
    show cdp
    set cdp state
    set cdp auth
    set cdp interval
    set cdp hold-time
    clear cdp
    show neighbors
Clearing and Closing the CLI
  Purpose
  Commands
    cls (clear screen)
    exit
Resetting the Switch
  Purpose
  Commands
    reset
    clear config
Using and Configuring WebView
  Purpose
  Commands
    show webview
    set webview
    show ssl
    set ssl

Chapter 4: Port Configuration


Port Configuration Summary  4-1
  A2H124-24 and A2H124-24P Switch Ports  4-1
  A2H124-48 and A2H124-48P Switch Ports  4-2
  A2H124-24FX Switch Ports  4-2
  A2H254-16 Switch Ports  4-2
  Port String Syntax Used in the CLI  4-2
Reviewing Port Status  4-4
  Purpose  4-4

  Commands  4-4
    show port  4-4
    show port status  4-5
    show port counters  4-6
Disabling / Enabling and Naming Ports  4-7
  Purpose  4-7
  Commands  4-7
    set port disable  4-8
    set port enable  4-8
    show port alias  4-9
    set port alias  4-9
Setting Speed and Duplex Mode  4-10
  Purpose  4-10
  Commands  4-10
    show port speed  4-10
    set port speed  4-11
    show port duplex  4-11
    set port duplex  4-12
Enabling / Disabling Jumbo Frame Support  4-13
  Purpose  4-13
  Commands  4-13
    show port jumbo  4-13
    set port jumbo  4-14
    clear port jumbo  4-14
Setting Auto-Negotiation and Advertised Ability  4-15
  Purpose  4-15
  Commands  4-15
    show port negotiation  4-15
    set port negotiation  4-16
    show port advertise  4-16
    set port advertise  4-17
    clear port advertise  4-18
Setting Flow Control  4-19
  Purpose  4-19
  Commands  4-19
    show flowcontrol  4-19
    set flowcontrol  4-20
Setting Port Link Traps  4-21
  Purpose  4-21
  Commands  4-21
    show port trap  4-21
    set port trap  4-21
Configuring Broadcast Suppression  4-22
  Purpose  4-22
  Commands  4-22
    show port broadcast  4-22
    set port broadcast  4-23
    clear port broadcast  4-24
Port Mirroring  4-25
  Mirroring Features  4-25
  Purpose  4-25
  Commands  4-25
    show port mirroring  4-26
    set port mirroring  4-26
    clear port mirroring  4-27

Link Aggregation Control Protocol (LACP)  4-28
  LACP Operation  4-28
  LACP Terminology  4-29
  SecureStack A2 Usage Considerations  4-29
  Commands  4-30
    show lacp  4-31
    set lacp  4-32
    set lacp asyspri  4-33
    set lacp aadminkey  4-33
    clear lacp  4-34
    set lacp static  4-35
    clear lacp static  4-35
    set lacp singleportlag  4-36
    clear lacp singleportlag  4-37
    show port lacp  4-37
    set port lacp  4-39
    clear port lacp  4-41
Configuring Protected Ports  4-42
  Protected Port Operation  4-42
  Commands  4-42
    set port protected  4-43
    show port protected  4-43
    clear port protected  4-44
    set port protected name  4-45
    show port protected name  4-45
    clear port protected name  4-46

Chapter 5: SNMP Configuration


SNMP Configuration Summary  5-1
  SNMPv1 and SNMPv2c  5-1
  SNMPv3  5-2
  About SNMP Security Models and Levels  5-2
  Using SNMP Contexts to Access Specific MIBs  5-3
  Configuration Considerations  5-3
Reviewing SNMP Statistics  5-4
  Purpose  5-4
  Commands  5-4
    show snmp engineid  5-4
    show snmp counters  5-5
Configuring SNMP Users, Groups, and Communities  5-8
  Purpose  5-8
  Commands  5-8
    show snmp user  5-9
    set snmp user  5-10
    clear snmp user  5-11
    show snmp group  5-11
    set snmp group  5-12
    clear snmp group  5-13
    show snmp community  5-13
    set snmp community  5-14
    clear snmp community  5-15
Configuring SNMP Access Rights  5-16
  Purpose  5-16
  Commands  5-16
    show snmp access  5-16

    set snmp access  5-18
    clear snmp access  5-19
Configuring SNMP MIB Views  5-20
  Purpose  5-20
  Commands  5-20
    show snmp view  5-20
    show snmp context  5-22
    set snmp view  5-23
    clear snmp view  5-24
Configuring SNMP Target Parameters  5-25
  Purpose  5-25
  Commands  5-25
    show snmp targetparams  5-25
    set snmp targetparams  5-27
    clear snmp targetparams  5-28
Configuring SNMP Target Addresses  5-29
  Purpose  5-29
  Commands  5-29
    show snmp targetaddr  5-29
    set snmp targetaddr  5-30
    clear snmp targetaddr  5-31
Configuring SNMP Notification Parameters  5-33
  About SNMP Notify Filters  5-33
  Purpose  5-33
  Commands  5-33
    show snmp notify  5-34
    set snmp notify  5-35
    clear snmp notify  5-36
    show snmp notifyfilter  5-36
    set snmp notifyfilter  5-37
    clear snmp notifyfilter  5-38
    show snmp notifyprofile  5-38
    set snmp notifyprofile  5-39
    clear snmp notifyprofile  5-40
Creating a Basic SNMP Trap Configuration  5-41
  Example  5-41

Chapter 6: Spanning Tree Configuration


Spanning Tree Configuration Summary  6-1
  Overview: Single, Rapid, and Multiple Spanning Tree Protocols  6-1
  Spanning Tree Features  6-2
Configuring Spanning Tree Bridge Parameters  6-3
  Purpose  6-3
  Commands  6-3
    show spantree stats  6-5
    set spantree  6-7
    show spantree version  6-7
    set spantree version  6-8
    clear spantree version  6-8
    show spantree bpdu-forwarding  6-9
    set spantree bpdu-forwarding  6-9
    show spantree bridgeprioritymode  6-10
    set spantree bridgeprioritymode  6-10
    clear spantree bridgeprioritymode  6-11
    show spantree mstilist  6-11
    set spantree msti  6-12
    clear spantree msti  6-12
    show spantree mstmap  6-13
    set spantree mstmap  6-13
    clear spantree mstmap  6-14
    show spantree vlanlist  6-14
    show spantree mstcfgid  6-15
    set spantree mstcfgid  6-16
    clear spantree mstcfgid  6-16
    set spantree priority  6-17
    clear spantree priority  6-17
    set spantree hello  6-18
    clear spantree hello  6-18
    set spantree maxage  6-19
    clear spantree maxage  6-19
    set spantree fwddelay  6-20
    clear spantree fwddelay  6-20
    show spantree backuproot  6-21
    set spantree backuproot  6-21
    clear spantree backuproot  6-22
    show spantree tctrapsuppress  6-22
    set spantree tctrapsuppress  6-23
    clear spantree tctrapsuppress  6-24
    set spantree protomigration  6-24
    show spantree spanguard  6-25
    set spantree spanguard  6-25
    clear spantree spanguard  6-26
    show spantree spanguardtimeout  6-26
    set spantree spanguardtimeout  6-27
    clear spantree spanguardtimeout  6-27
    show spantree spanguardlock  6-28
    clear / set spantree spanguardlock  6-28
    show spantree spanguardtrapenable  6-29
    set spantree spanguardtrapenable  6-29
    clear spantree spanguardtrapenable  6-30
    show spantree legacypathcost  6-30
    set spantree legacypathcost  6-31
    clear spantree legacypathcost  6-31
Configuring Spanning Tree Port Parameters  6-32
  Purpose  6-32
  Commands  6-32
    set spantree portadmin  6-33
    clear spantree portadmin  6-33
    show spantree portadmin  6-34
    show spantree portpri  6-34
    set spantree portpri  6-35
    clear spantree portpri  6-35
    show spantree adminpathcost  6-36
    set spantree adminpathcost  6-37
    clear spantree adminpathcost  6-37
    show spantree adminedge  6-38
    set spantree adminedge  6-38
    clear spantree adminedge  6-39

Chapter 7: 802.1Q VLAN Configuration


VLAN Configuration Summary
    Port String Syntax Used in the CLI
    Creating a Secure Management VLAN
Viewing VLANs
    Purpose
    Commands
        show vlan
Creating and Naming Static VLANs
    Purpose
    Commands
        set vlan
        set vlan name
        clear vlan
        clear vlan name
Assigning Port VLAN IDs (PVIDs) and Ingress Filtering
    Purpose
    Commands
        show port vlan
        set port vlan
        clear port vlan
        show port ingress filter
        set port ingress filter
        show port discard
        set port discard
Configuring the VLAN Egress List
    Purpose
    Commands
        show port egress
        set vlan forbidden
        set vlan egress
        clear vlan egress
        show vlan dynamicegress
        set vlan dynamicegress
Setting the Host VLAN
    Purpose
    Commands
        show host vlan
        set host vlan
        clear host vlan
Enabling/Disabling GVRP (GARP VLAN Registration Protocol)
    About GARP VLAN Registration Protocol (GVRP)
    Purpose
    Commands
        show gvrp
        show garp timer
        set gvrp
        clear gvrp
        set garp timer

Chapter 8: Differentiated Services Configuration


Globally Enabling or Disabling Diffserv
    Purpose
    Command
        set diffserv adminmode
Creating Diffserv Classes and Matching Conditions
    Purpose
    Commands
        show diffserv info
        show diffserv class
        set class create
        set diffserv class delete
        set diffserv class match
        set diffserv class rename
Configuring Diffserv Policies and Assigning Classes
    Purpose
    Commands
        show diffserv policy
        set diffserv policy create
        set diffserv policy delete
        set diffserv policy class
        set diffserv policy mark
        set diffserv policy police style simple
        set diffserv policy police action conform
        set diffserv policy police action nonconform
        set diffserv policy rename
Assigning Policies to Service Ports
    Purpose
    Commands
        show diffserv service info
        show diffserv service stats
        set diffserv service

Chapter 9: Port Priority and Rate Limiting Configuration


Port Priority Configuration Summary
Configuring Port Priority
    Purpose
    Commands
        show port priority
        set port priority
        clear port priority
Configuring Priority to Transmit Queue Mapping
    Purpose
    Commands
        show port priority-queue
        set port priority-queue
        clear port priority-queue
Configuring Quality of Service (QoS)
    Purpose
    Commands
        show port txq
        set port txq
        clear port txq
Configuring Port Traffic Rate Limiting
    Purpose
    Commands
        show port ratelimit
        set port ratelimit
        clear port ratelimit

Chapter 10: IGMP Configuration


IGMP Overview
    About IP Multicast Group Management
    About Multicasting
Configuring IGMP at Layer 2
    Purpose
    Commands
        show igmpsnooping
        set igmpsnooping adminmode
        set igmpsnooping interfacemode
        set igmpsnooping groupmembershipinterval
        set igmpsnooping maxresponse
        set igmpsnooping mcrtrexpiretime
        set igmpsnooping add-static
        set igmpsnooping remove-static
        show igmpsnooping static
        show igmpsnooping mfdb
        clear igmpsnooping

Chapter 11: Logging and Network Management


Configuring System Logging
    Purpose
    Commands
        show logging server
        set logging server
        clear logging server
        show logging default
        set logging default
        clear logging default
        show logging application
        set logging application
        clear logging application
        show logging local
        set logging local
        clear logging local
        show logging buffer
Monitoring Network Events and Status
    Purpose
    Commands
        history
        show history
        set history
        ping
        show users
        disconnect
Managing Switch Network Addresses and Routes
    Purpose
    Commands
        show arp
        set arp
        clear arp
        traceroute
        show mac
        show mac agetime
        set mac agetime
        clear mac agetime
Configuring Simple Network Time Protocol (SNTP)
    Purpose
    Commands
        show sntp
        set sntp client
        clear sntp client
        set sntp server
        clear sntp server
        set sntp poll-interval
        clear sntp poll-interval
        set sntp poll-retry
        clear sntp poll-retry
        set sntp poll-timeout
        clear sntp poll-timeout
Configuring Node Aliases
    Purpose
    Commands
        show nodealias config
        set nodealias
        clear nodealias config

Chapter 12: Configuring RMON


RMON Monitoring Group Functions
Statistics Group Commands
    Purpose
    Commands
        show rmon stats
        set rmon stats
        clear rmon stats
History Group Commands
    Purpose
    Commands
        show rmon history
        set rmon history
        clear rmon history
Alarm Group Commands
    Purpose
    Commands
        show rmon alarm
        set rmon alarm properties
        set rmon alarm status
        clear rmon alarm
Event Group Commands
    Purpose
    Commands
        show rmon event
        set rmon event properties
        set rmon event status
        clear rmon event
Filter Group Commands
    Commands
        show rmon channel
        set rmon channel
        clear rmon channel
        show rmon filter
        set rmon filter
        clear rmon filter
Packet Capture Commands
    Purpose
    Commands
        show rmon capture
        set rmon capture
12-25 clear rmon capture.......................................................................................................................... 12-26

Chapter 13: Configuring DHCP Server


DHCP Overview ... 13-1
  DHCP Server ... 13-1
  Configuring a DHCP Server ... 13-2
Configuring General DHCP Server Parameters ... 13-3
  Purpose ... 13-3
  Commands ... 13-3
    set dhcp ... 13-3
    set dhcp bootp ... 13-4
    set dhcp conflict logging ... 13-4
    show dhcp conflict ... 13-5
    clear dhcp conflict ... 13-5
    set dhcp exclude ... 13-6
    clear dhcp exclude ... 13-7
    set dhcp ping ... 13-7
    clear dhcp ping ... 13-8
    show dhcp binding ... 13-8
    clear dhcp binding ... 13-9
    show dhcp server statistics ... 13-9
    clear dhcp server statistics ... 13-10
Configuring IP Address Pools ... 13-11
  Manual Pool Configuration Considerations ... 13-11
  Purpose ... 13-11
  Commands ... 13-11
    set dhcp pool ... 13-13
    clear dhcp pool ... 13-13
    set dhcp pool network ... 13-14
    clear dhcp pool network ... 13-14
    set dhcp pool hardware-address ... 13-15
    clear dhcp pool hardware-address ... 13-16
    set dhcp pool host ... 13-16
    clear dhcp pool host ... 13-17
    set dhcp pool client-identifier ... 13-17
    clear dhcp pool client-identifier ... 13-18
    set dhcp pool client-name ... 13-19
    clear dhcp pool client-name ... 13-19
    set dhcp pool bootfile ... 13-20
    clear dhcp pool bootfile ... 13-20
    set dhcp pool next-server ... 13-21
    clear dhcp pool next-server ... 13-21
    set dhcp pool lease ... 13-22
    clear dhcp pool lease ... 13-22
    set dhcp pool default-router ... 13-23
    clear dhcp pool default-router ... 13-24
    set dhcp pool dns-server ... 13-24
    clear dhcp pool dns-server ... 13-25
    set dhcp pool domain-name ... 13-25
    clear dhcp pool domain-name ... 13-26
    set dhcp pool netbios-name-server ... 13-26
    clear dhcp pool netbios-name-server ... 13-27
    set dhcp pool netbios-node-type ... 13-27
    clear dhcp pool netbios-node-type ... 13-28
    set dhcp pool option ... 13-28
    clear dhcp pool option ... 13-29
    show dhcp pool configuration ... 13-30

Chapter 14: Security Configuration


Overview of Security Methods ... 14-1
Configuring RADIUS ... 14-3
  Purpose ... 14-3
  Commands ... 14-3
    show radius ... 14-4
    set radius ... 14-5
    clear radius ... 14-7
    show radius accounting ... 14-8
    set radius accounting ... 14-9
    clear radius accounting ... 14-10
Configuring 802.1X Authentication ... 14-11
  Purpose ... 14-11
  Commands ... 14-11
    show dot1x ... 14-12
    show dot1x auth-config ... 14-13
    set dot1x ... 14-15
    set dot1x auth-config ... 14-16
    clear dot1x auth-config ... 14-17
    show eapol ... 14-18
    set eapol ... 14-20
    clear eapol ... 14-21
Configuring MAC Authentication ... 14-22
  Purpose ... 14-22
  Commands ... 14-22
    show macauthentication ... 14-23
    show macauthentication session ... 14-24
    set macauthentication ... 14-25
    set macauthentication password ... 14-26
    clear macauthentication password ... 14-26
    set macauthentication port ... 14-27
    set macauthentication portinitialize ... 14-27
    set macauthentication portquietperiod ... 14-28
    clear macauthentication portquietperiod ... 14-28
    set macauthentication macinitialize ... 14-29
    set macauthentication reauthentication ... 14-29
    set macauthentication portreauthenticate ... 14-30
    set macauthentication macreauthenticate ... 14-30
    set macauthentication reauthperiod ... 14-31
    clear macauthentication reauthperiod ... 14-32
    set macauthentication significant-bits ... 14-32
    clear macauthentication significant-bits ... 14-33
Configuring Multiple Authentication Methods ... 14-34
  About Multiple Authentication Types ... 14-34
  Commands ... 14-34
    show multiauth ... 14-35
    set multiauth mode ... 14-36
    clear multiauth mode ... 14-36
    set multiauth precedence ... 14-37
    clear multiauth precedence ... 14-37
    show multiauth port ... 14-38
    set multiauth port ... 14-39
    clear multiauth port ... 14-39
    show multiauth station ... 14-40
Configuring VLAN Authorization (RFC 3580) ... 14-41
  Purpose ... 14-41
  Commands ... 14-41
    set vlanauthorization ... 14-42
    set vlanauthorization egress ... 14-42
    clear vlanauthorization ... 14-43
    show vlanauthorization ... 14-44
Configuring MAC Locking ... 14-45
  Purpose ... 14-45
  Commands ... 14-45
    show maclock ... 14-46
    show maclock stations ... 14-47
    set maclock enable ... 14-48
    set maclock disable ... 14-49
    set maclock ... 14-49
    clear maclock ... 14-50
    set maclock static ... 14-51
    clear maclock static ... 14-51
    set maclock firstarrival ... 14-52
    clear maclock firstarrival ... 14-53
    set maclock move ... 14-53
    set maclock trap ... 14-54
Configuring Secure Shell (SSH) ... 14-55
  Purpose ... 14-55
  Commands ... 14-55
    show ssh status ... 14-55
    set ssh ... 14-56
    set ssh hostkey ... 14-56
Configuring Layer 2 Access Control Lists ... 14-57
  Commands ... 14-58
    set access-list (create list) ... 14-58
    set access-list (create rules) ... 14-59
    set access-list (ports) ... 14-60
    show access-list ... 14-60
    show access-list ports ... 14-61
    clear access-list ... 14-62

Index


Figures
1-1 SecureStack A2 Startup Screen ... 1-5
1-2 Sample CLI Defaults Description ... 1-7
1-3 Performing a Keyword Lookup ... 1-7
1-4 Performing a Partial Keyword Lookup ... 1-7
1-5 Scrolling Screen Output ... 1-8
1-6 Abbreviating a Command ... 1-8
7-1 Example of VLAN Propagation via GVRP ... 7-24

Tables
1-1 Default Settings for Basic Switch Operation ... 1-2
1-2 Basic Line Editing Commands ... 1-9
3-1 show system lockout Output Details ... 3-7
3-2 show system Output Details ... 3-13
3-3 show version Output Details ... 3-22
3-4 show cdp Output Details ... 3-50
4-1 show port status Output Details ... 4-5
4-2 show port counters Output Details ... 4-7
4-3 LACP Terms and Definitions ... 4-29
4-4 show lacp Output Details ... 4-31
5-1 SNMP Security Levels ... 5-2
5-2 show snmp engineid Output Details ... 5-4
5-3 show snmp counters Output Details ... 5-6
5-4 show snmp user Output Details ... 5-10
5-5 show snmp group Output Details ... 5-12
5-6 show snmp access Output Details ... 5-17
5-7 show snmp view Output Details ... 5-21
5-8 show snmp targetparams Output Details ... 5-26
5-9 show snmp targetaddr Output Details ... 5-30
5-10 show snmp notify Output Details ... 5-34
5-11 Basic SNMP Trap Configuration ... 5-41
6-1 show spantree Output Details ... 6-6
7-1 Command Set for Creating a Secure Management VLAN ... 7-2
7-2 show vlan Output Details ... 7-4
7-3 show gvrp configuration Output Details ... 7-26
8-1 Valid IP DSCP Numeric and Keyword Values ... 8-7
9-1 show port ratelimit Output Details ... 9-13
11-1 show logging server Output Details ... 11-2
11-2 show logging application Output Details ... 11-7
11-3 Mnemonic Values for Logging Applications ... 11-8
11-4 show arp Output Details ... 11-18
11-5 show mac Output Details ... 11-21
11-6 show sntp Output Details ... 11-25
11-7 show nodealias config Output Details ... 11-32
12-1 RMON Monitoring Group Functions and Commands ... 12-1
12-2 show rmon stats Output Details ... 12-4
12-3 show rmon alarm Output Details ... 12-11
12-4 show rmon event Output Details ... 12-16
14-1 show radius Output Details ... 14-4
14-2 show eapol Output Details ... 14-19
14-3 show macauthentication Output Details ... 14-23
14-4 show macauthentication session Output Details ... 14-25
14-5 show vlanauthorization Output Details ... 14-44
14-6 show maclock Output Details ... 14-46
14-7 show maclock stations Output Details ... 14-47
14-8 ACL Rule Precedence ... 14-57


About This Guide


Welcome to the Enterasys Networks SecureStack A2 Configuration Guide. This manual explains how to access the device's Command Line Interface (CLI) and how to use it to configure SecureStack A2 switch devices.

Important Notice
Depending on the firmware version used in your SecureStack device, some features described in this document may not be supported. Refer to the Release Notes shipped with your device to determine which features are supported.

Using This Guide


A general working knowledge of basic network operations and an understanding of CLI management applications is helpful before configuring the SecureStack device.

This manual describes how to do the following:
• Access the SecureStack CLI.
• Use CLI commands to perform network management and device configuration operations.
• Establish and manage Virtual Local Area Networks (VLANs).
• Establish and manage static and dynamically assigned policy classifications.
• Establish and manage priority classification.
• Configure security protocols, including 802.1X and RADIUS, SSHv2, MAC locking, and MAC authentication.

Structure of This Guide


The guide is organized as follows:

Chapter 1, Introduction, provides an overview of the tasks that can be accomplished using the CLI interface, an overview of local management requirements, an overview of the device's factory default settings, and information about using the Command Line Interface (CLI).

Chapter 2, Configuring Switches in a Stack, provides information about how to configure and manage stacked switches.

Chapter 3, Basic Configuration, describes how to set basic system properties, how to download a firmware image, how to configure WebView and Telnet, how to manage configuration files, how to set the login password, and how to exit the CLI.

Chapter 4, Port Configuration, describes how to review and configure console port settings, and how to enable or disable switch ports and configure switch port settings, including port speed, duplex mode, auto-negotiation, flow control, port mirroring, link aggregation and broadcast suppression.

Chapter 5, SNMP Configuration, describes how to configure SNMP users and user groups, access rights, target addresses, and notification parameters.

Chapter 6, Spanning Tree Configuration, describes how to review and set Spanning Tree bridge parameters for the device, including bridge priority, hello time, maximum aging time and forward delay; and how to review and set Spanning Tree port parameters, including port priority and path costs.

Chapter 7, 802.1Q VLAN Configuration, describes how to create static VLANs, select the mode of operation for each port, establish VLAN forwarding (egress) lists, route frames according to VLAN ID, display the current ports and port types associated with a VLAN and protocol, create a secure management VLAN, and configure ports on the device as GVRP-aware ports.

Chapter 8, Differentiated Services Configuration, describes how to display and configure Diffserv settings.

Chapter 9, Port Priority and Rate Limiting Configuration, describes how to set the transmit priority of each port and configure a rate limit for a given port and list of priorities.

Chapter 10, IGMP Configuration, describes how to configure Internet Group Management Protocol (IGMP) settings for multicast filtering.

Chapter 11, Logging and Network Management, describes how to configure Syslog, how to manage general switch settings, how to monitor network events and status, and how to configure SNTP and node aliases.

Chapter 12, Configuring RMON, describes how to use RMON (Remote Network Monitoring), which provides comprehensive network fault diagnosis, planning, and performance tuning information and allows for interoperability between SNMP management stations and monitoring agents.

Chapter 13, Configuring DHCP Server, describes how to review and configure DHCP server parameters, how to review and configure DHCP address pools, and how to display DHCP server information.

Chapter 14, Security Configuration, describes how to configure 802.1X authentication using EAPOL, how to configure RADIUS server, Secure Shell server, MAC authentication, and MAC locking, and how to configure Layer 2 ACLs.

Related Documents
The following Enterasys Networks documents may help you to set up, control, and manage the SecureStack device:
- Ethernet Technology Guide
- Cabling Guide
- SecureStack A2 Installation Guide(s)
- SecureStack Redundant Power System Installation Guide

Documents listed above can be obtained from the World Wide Web in Adobe Acrobat Portable Document Format (PDF) at the following web site: http://www.enterasys.com/support/manuals/

Conventions Used in This Guide


The following conventions are used in the text of this document:

Convention                 Description
Bold font                  Indicates mandatory keywords, parameters or keyboard keys.
italic font                Indicates complete document titles.
Courier font               Used for examples of information displayed on the screen.
Courier font in italics    Indicates a user-supplied value, either required or optional.
[]                         Square brackets indicate an optional value.
{}                         Braces indicate required values. One or more values may be required.
|                          A vertical bar indicates a choice in values.
[x | y | z]                Square brackets with a vertical bar indicate a choice of a value.
{x | y | z}                Braces with a vertical bar indicate a choice of a required value.
[x {y | z} ]               A combination of square brackets with braces and vertical bars indicates a required choice of an optional value.

The following icons are used in this guide:
Note: Calls the reader's attention to any item of information that may be of special importance.

Caution: Contains information essential to avoid damage to the equipment.

Getting Help
For additional support related to this switch or document, contact Enterasys Networks using one of the following methods:

World Wide Web    http://www.enterasys.com/services/support
Phone             1-800-872-8440 (toll-free in U.S. and Canada) or 1-978-684-1000
                  For the Enterasys Networks Support toll-free number in your country: http://www.enterasys.com/services/support/contact/
Internet mail     support@enterasys.com
                  To expedite your message, type [C-SERIES] in the subject line.

To send comments or suggestions concerning this document to the Technical Publications Department: techpubs@enterasys.com
Make sure to include the document Part Number in the email message.

Before calling Enterasys Networks, have the following information ready:
- Your Enterasys Networks service contract number
- A description of the failure
- A description of any action(s) already taken to resolve the problem (for example, changing mode switches or rebooting the unit)
- The serial and revision numbers of all involved Enterasys Networks products in the network
- A description of your network environment (for example, layout, cable type)
- Network load and frame size at the time of trouble (if known)
- The switch history (for example, have you returned the switch before, is this a recurring problem?)
- Any previous Return Material Authorization (RMA) numbers

1
Introduction
This chapter provides an overview of the SecureStack A2's unique features and functionality, an overview of the tasks that may be accomplished using the CLI interface, an overview of ways to manage the switch, factory default settings, and information about how to use the Command Line Interface to configure the switch.

For information about ...              Refer to page ...
SecureStack A2 CLI Overview            1-1
Switch Management Methods              1-2
Factory Default Settings               1-2
Using the Command Line Interface       1-5

SecureStack A2 CLI Overview


Enterasys Networks' SecureStack A2 CLI interface allows you to perform a variety of network management tasks, including the following:
- Use CLI commands to perform network management and switch configuration operations.
- Download a new firmware image.
- Assign IP address and subnet mask.
- Select a default gateway.
- Establish and manage Virtual Local Area Networks (VLANs).
- Establish and manage priority classification.
- Configure security protocols, including 802.1X and RADIUS, SSHv2, PWA, MAC locking, and MAC authentication.

Switch Management Methods


The SecureStack A2 switch can be managed using the following methods:
- Locally using a VT type terminal connected to the console port.
- Remotely using a VT type terminal connected through a modem.
- Remotely using an SNMP management station.
- In-band through a Telnet connection.
- In-band using the Enterasys NetSight management application.
- Remotely using WebView, Enterasys Networks' embedded web server application.

The Installation Guide for your SecureStack A2 device provides setup instructions for connecting a terminal or modem to the switch.

Factory Default Settings


The following tables list factory default settings available on the SecureStack A2 switch. Table 1-1 lists default settings for SecureStack A2 switch operation.

Table 1-1 Default Settings for Basic Switch Operation

Feature: Default Setting
CDP discovery protocol: Auto enabled on all ports.
CDP authentication code: Set to 00-00-00-00-00-00-00-00
CDP hold time: Set to 180 seconds.
CDP interval: Transmit frequency of CDP messages set to 60 seconds.
Cisco discovery protocol: Auto enabled on all ports.
Cisco DP hold time: Set to 180 seconds.
Cisco DP interval timer: Set to 60 seconds.
Community name: Public.
Console (serial) port required settings: Baud rate: 9600; Data bits: 8; Flow control: disabled; Stop bits: 1; Parity: none
DHCP server: Disabled.
Diffserv: Disabled.
EAPOL: Disabled.
EAPOL authentication mode: When enabled, set to auto for all ports.
GARP timer: Join timer set to 20 centiseconds; leave timer set to 60 centiseconds; leaveall timer set to 1000 centiseconds.
GVRP: Globally enabled.
History buffer size: 20 lines.
IEEE 802.1 authentication: Disabled.
IGMP snooping: Disabled. When enabled, query interval is set to 260 seconds and response time is set to 10 seconds.
IP mask and gateway: Subnet mask set to 0.0.0.0; default gateway set to 0.0.0.0.
IP routes: No static routes configured.
Jumbo frame support: Enabled on all ports.
Link aggregation control protocol (LACP): Enabled.
Link aggregation admin key: Set to 32768 for all ports.
Link aggregation flow regeneration: Disabled.
Link aggregation system priority: Set to 32768 for all ports.
Link aggregation outport algorithm: Set to DIP-SIP.
Lockout: Set to disable Read-Write and Read-Only users, and to lockout the default admin (Super User) account for 15 minutes, after 3 failed login attempts.
Logging: Syslog port set to UDP port number 514. Logging severity level set to 6 (significant conditions) for all applications.
MAC aging time: Set to 300 seconds.
MAC locking: Disabled (globally and on all ports).
Passwords: Set to an empty string for all default user accounts. User must press ENTER at the password prompt to access CLI.
Password aging: Disabled.
Password history: No passwords are checked for duplication.
Port auto-negotiation: Enabled on all ports.
Port advertised ability: Maximum ability advertised on all ports.
Port broadcast suppression: Enabled and set to limit broadcast packets to 14,881 per second on all switch ports.
Port duplex mode: Set to half duplex, except for 100BASE-FX and 1000BASE-X, which is set to full duplex.
Port enable/disable: Enabled.
Port priority: Set to 0.
Port speed: Set to 10 Mbps, except for 1000BASE-X, which is set to 1000 Mbps, and 100BASE-FX, which is set to 100 Mbps.
Port trap: All ports are enabled to send link traps.
Power over Ethernet port admin state: Administrative state is on (auto).
Priority classification: Classification rules are automatically enabled when created.
RADIUS client: Disabled.
RADIUS last resort action: When the client is enabled, set to Challenge.
RADIUS retries: When the client is enabled, set to 3.
RADIUS timeout: When the client is enabled, set to 20 seconds.
Rate limiting: Disabled (globally and on all ports).
SNMP: Enabled.
SNTP: Disabled.
Spanning Tree: Globally enabled and enabled on all ports.
Spanning Tree edge port administrative status: Edge port administrative status begins with the value set to false initially after the device is powered up. If a Spanning Tree BPDU is not received on the port within a few seconds, the status setting changes to true.
Spanning Tree edge port delay: Enabled.
Spanning Tree forward delay: Set to 15 seconds.
Spanning Tree hello interval: Set to 2 seconds.
Spanning Tree ID (SID): Set to 0.
Spanning Tree maximum aging time: Set to 20 seconds.
Spanning Tree port priority: All ports with bridge priority are set to 128 (medium priority).
Spanning Tree priority: Bridge priority is set to 32768.
Spanning Tree topology change trap suppression: Enabled.
Spanning Tree version: Set to mstp (Multiple Spanning Tree Protocol).
SSH: Disabled.
System baud rate: Set to 9600 baud.
System contact: Set to empty string.
System location: Set to empty string.
System name: Set to empty string.
Terminal: CLI display set to 80 columns and 24 rows.
Timeout: Set to 5 minutes.
User names: Login accounts set to ro for Read-Only access; rw for Read-Write access; and admin for Super User access.
VLAN dynamic egress: Disabled on all VLANs.
VLAN ID: All ports use a VLAN identifier of 1.
Host VLAN: Default host VLAN is 1.

Using the Command Line Interface


Starting a CLI Session
Connecting Using the Console Port
Connect a terminal to the local console port as described in your SecureStack A2 Installation Guide. The startup screen, Figure 1-1, will display on the terminal. You can now start the Command Line Interface (CLI) by
- using a default user account, as described in "Using a Default User Account" on page 1-6, or
- using an administratively-assigned user account as described in "Using an Administratively Configured User Account" on page 1-6.

Figure 1-1 SecureStack A2 Startup Screen

Username:admin
Password:

Enterasys SecureStack A2
Command Line Interface

Enterasys Networks, Inc.
50 Minuteman Rd.
Andover, MA 01810-1008 U.S.A.

Phone: +1 978 684 1000
E-mail: support@enterasys.com
WWW: http://www.enterasys.com

(c) Copyright Enterasys Networks, Inc. 2006

Chassis Serial Number:      041800249041
Chassis Firmware Revision:  1.04.xx

A2(su)->

Connecting Using Telnet


Once the SecureStack A2 device has a valid IP address, you can establish a Telnet session from any TCP/IP based node on the network. For information about setting the switch's IP address, refer to "set ip address" on page 3-10.

To establish a Telnet session:
1. Telnet to the switch's IP address.
2. Enter login (user name) and password information in one of the following ways:
   - If the switch's default login and password settings have not been changed, follow the steps listed in "Using a Default User Account" on page 1-6, or
   - Enter an administratively-configured user name and password.

The notice of authorization and the prompt displays as shown in Figure 1-1.

For information about configuring Telnet settings, refer to "Starting and Configuring Telnet" on page 3-37.

Refer to the instructions included with the Telnet application for information about establishing a Telnet session.

Logging In
By default, the SecureStack A2 switch is configured with three user login accounts: ro for Read-Only access, rw for Read-Write access, and admin for super-user access to all modifiable parameters. The default password is set to a blank string. For information on changing these default settings, refer to "Setting User Accounts and Passwords" on page 3-2.

Using a Default User Account


If this is the first time you are logging in to the SecureStack A2 switch, or if the default user accounts have not been administratively changed, proceed as follows:
1. At the login prompt, enter one of the following default user names:
   - ro for Read-Only access.
   - rw for Read-Write access.
   - admin for Super User access.
2. Press ENTER. The Password prompt displays.
3. Leave this string blank and press ENTER. The switch information and prompt displays as shown in Figure 1-1.

Using an Administratively Configured User Account


If the switch's default user account settings have been changed, proceed as follows:
1. At the login prompt, enter your administratively-assigned user name and press ENTER.
2. At the Password prompt, enter your password and press ENTER.

The notice of authorization and the prompt displays as shown in Figure 1-1.
Note: Users with Read-Write (rw) and Read-Only access can use the set password command (page 3-4) to change their own passwords. Administrators with Super User (su) access can use the set system login command (page 3-3) to create and change user accounts, and the set password command to change any local account password.

Navigating the Command Line Interface


Getting Help with CLI Syntax
The SecureStack A2 switch allows you to display usage and syntax information for individual commands by typing help or ? after the command.

CLI Command Defaults Descriptions


Each command description in this guide includes a section entitled "Defaults" which contains different information from the factory default settings on the switch described in Table 1-1. The section defines CLI behavior if the user enters a command without typing optional parameters (indicated by square brackets [ ]). For commands without optional parameters, the defaults section lists "None". For commands with optional parameters, this section describes how the CLI responds if the user opts to enter only the keywords of the command syntax. Figure 1-2 provides an example.

Figure 1-2 Sample CLI Defaults Description

Syntax
show port status [port-string]

Defaults
If port-string is not specified, status information for all ports will be displayed.

CLI Command Modes


Each command description in this guide includes a section entitled "Mode" which states whether the command is executable in Admin (Super User), Read-Write, or Read-Only mode. Users with Read-Only access will only be permitted to view Read-Only (show) commands. Users with Read-Write access will be able to modify all modifiable parameters in set and show commands, as well as view Read-Only commands. Administrators or Super Users will be allowed all Read-Write and Read-Only privileges, and will be able to modify local user accounts. The SecureStack A2 switch indicates which mode a user is logged in as by displaying one of the following prompts:
- Admin: A2(su)->
- Read-Write: A2(rw)->
- Read-Only: A2(ro)->

Performing Keyword Lookups


Entering a space and a question mark (?) after a keyword will display all commands beginning with the keyword. Figure 1-3 shows how to perform a keyword lookup for the show snmp command. In this case, four additional keywords are used by the show snmp command. Entering a space and a question mark (?) after any of these parameters (such as show snmp community) will display additional parameters nested within the syntax.

Figure 1-3 Performing a Keyword Lookup

A2(su)->show snmp ?
community       SNMP v1/v2c community name configuration
notify          SNMP notify configuration
targetaddr      SNMP target address configuration
targetparams    SNMP target parameters configuration

Entering a question mark (?) without a space after a partial keyword will display a list of commands that begin with the partial keyword. Figure 1-4 shows how to use this function for all commands beginning with co:

Figure 1-4 Performing a Partial Keyword Lookup

A2(rw)->co?
configure    copy
A2(su)->co

Note: At the end of the lookup display, the system will repeat the command you entered without the ?.

Displaying Scrolling Screens


If the CLI screen length has been set using the set length command as described on page 3-25, CLI output requiring more than one screen will display --More-- to indicate continuing screens. To display additional screen output:
- Press any key other than ENTER to advance the output one screen at a time.
- Press ENTER to advance the output one line at a time.

The example in Figure 1-5 shows how the show mac command indicates that output continues on more than one screen.

Figure 1-5 Scrolling Screen Output

A2(su)->show mac
MAC Address         FID   Port      Type
----------------------------------------------------------
00-00-1d-67-68-69   1     host      Management
00-00-02-00-00-00   1     fe.1.2    Learned
00-00-02-00-00-01   1     fe.1.3    Learned
00-00-02-00-00-02   1     fe.1.4    Learned
00-00-02-00-00-03   1     fe.1.5    Learned
00-00-02-00-00-04   1     fe.1.6    Learned
00-00-02-00-00-05   1     fe.1.7    Learned
00-00-02-00-00-06   1     fe.1.8    Learned
00-00-02-00-00-07   1     fe.1.9    Learned
00-00-02-00-00-08   1     fe.1.10   Learned
--More--

Abbreviating and Completing Commands


The SecureStack A2 switch allows you to abbreviate CLI commands and keywords down to the number of characters that will allow for a unique abbreviation. Figure 1-6 shows how to abbreviate the show netstat command to sh net.

Figure 1-6 Abbreviating a Command

A2(su)->sh net
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address         Foreign Address       State
----- ------ ------ --------------------- --------------------- -------
TCP   0      0      10.21.73.13.23        134.141.190.94.51246  ESTABLISHED
TCP   0      275    10.21.73.13.23        134.141.192.119.4724  ESTABLISHED
TCP   0      0      *.80                  *.*                   LISTEN
TCP   0      0      *.23                  *.*                   LISTEN
UDP   0      0      10.21.73.13.1030      134.141.89.113.514
UDP   0      0      *.161                 *.*
UDP   0      0      *.1025                *.*
UDP   0      0      *.123                 *.*

Basic Line Editing Commands


The CLI supports EMACs-like line editing commands. Table 1-2 lists some commonly used commands.

Table 1-2 Basic Line Editing Commands

Key Sequence        Command
Ctrl+A              Move cursor to beginning of line.
Ctrl+B              Move cursor back one character.
Ctrl+D              Delete a character.
Ctrl+E              Move cursor to end of line.
Ctrl+F              Move cursor forward one character.
Ctrl+H              Delete character to left of cursor.
Ctrl+I or TAB       Complete word.
Ctrl+K              Delete all characters after cursor.
Ctrl+N              Scroll to next command in command history (use the CLI history command to display the history).
Ctrl+P              Scroll to previous command in command history.
Ctrl+Q              Resume the CLI process.
Ctrl+S              Pause the CLI process (for scrolling).
Ctrl+T              Transpose characters.
Ctrl+U or Ctrl+X    Delete all characters before cursor.
Ctrl+W              Delete word to the left of cursor.
Ctrl+Y              Restore the most recently deleted item.

2
Configuring Switches in a Stack
This chapter provides information about configuring SecureStack A2 switches in a stack.

For information about ...                                  Refer to page ...
About SecureStack A2 Switch Operation in a Stack           2-1
Installing a New Stackable System of Up to Eight Units     2-2
Installing Previously-Configured Systems in a Stack        2-3
Adding a New Unit to an Existing Stack                     2-3
Creating a Virtual Switch Configuration                    2-4
Considerations About Using Clear Config in a Stack         2-5
Configuring Standalone A2 Stack Ports                      2-5
Stacking Configuration and Management Commands             2-6

About SecureStack A2 Switch Operation in a Stack


The SecureStack A2 products are stackable switches that can be adapted and scaled to help meet your network needs. These switches provide a management platform and uplink to a network backbone for a stacked group of up to eight SecureStack A2 switches.

Once installed in a stack, the switches behave and perform as a single switch product. As such, you can start with a single unit and add more units as your network expands. You can also mix different products in the family in a single stack to provide a desired combination of port types and functions to match the requirements of individual applications. In all cases, a stack of units performs as one large product, and is managed as a single network entity.

When switches are installed and connected as described in the SecureStack A2 Installation Guides, the following occurs during initialization:
- The switch that will manage the stack is automatically established. This is known as the manager switch.
- All other switches are established as members in the stack.
- The hierarchy of the switches that will assume the function of backup manager is also determined in case the current manager malfunctions, is powered down, or is disconnected from the stack.
- The console port on the manager switch remains active for out-of-band (local) switch management, but the console port on each member switch is deactivated. This enables you to set the IP address and system password using a single console port. Now each switch can be configured locally using only the manager's console port, or in-band using a remote device and the CLI set of commands described in this section.

Once a stack is created (more than one switch is interconnected), the following procedure occurs:
1. By default, unit IDs are arbitrarily assigned on a first-come, first-served basis.
2. Unit IDs are saved against each module. Then, every time a board is power-cycled, it will initialize with the same unit ID. This is important for port-specific information (for example: ge.4.12 is the 12th Gigabit Ethernet port on Unit #4).
3. The management election process uses the following precedence to assign a management switch:
   a. Previously assigned / elected management unit
   b. Management assigned priority (values 1-15)
   c. Hardware preference level
   d. Highest MAC Address

Use the following recommended procedures when installing a new stackable system or adding a new unit to an existing stack.

Important
The following procedures assume that all units have a clean configuration from manufacturing. When adding a new unit to an already running stack, it is also assumed that the new unit is using the same firmware image version as other units in the stack.
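
The management election precedence listed above can be modeled to predict which unit will hold the active console port before a stack is powered up. This is an added example, not code from the guide or the firmware: the Unit fields and MAC addresses are constructed, and it assumes that the larger value wins for management priority and hardware preference level, which the guide does not state.

```python
"""Model of the stack manager election precedence (added illustration)."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Unit:
    """Hypothetical record of what is known about one stack unit."""
    unit_id: int
    mac: str                              # constructed, e.g. "00-01-F4-00-00-10"
    was_manager: bool = False             # previously assigned/elected manager
    admin_priority: Optional[int] = None  # 1-15 per the guide; None = unassigned
    hw_preference: int = 1                # hardware preference level

    def __post_init__(self):
        if self.admin_priority is not None and not 1 <= self.admin_priority <= 15:
            raise ValueError("management priority must be in the range 1-15")


def mac_value(mac: str) -> int:
    """Convert a dash- or colon-separated MAC address to an integer."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)  # raises ValueError on non-hex characters


# Precedence a-d from the guide. Assumption: the larger key value wins.
CRITERIA = (
    ("previously assigned/elected management unit", lambda u: int(u.was_manager)),
    ("management assigned priority", lambda u: u.admin_priority or 0),
    ("hardware preference level", lambda u: u.hw_preference),
    ("highest MAC address", lambda u: mac_value(u.mac)),
)


def elect_manager(units: Iterable[Unit]) -> Tuple[Unit, str]:
    """Return the predicted manager and the criterion that decided it."""
    candidates = list(units)
    if not candidates:
        raise ValueError("no units in the stack")
    if len(candidates) == 1:
        return candidates[0], "only unit in stack"
    for name, key in CRITERIA:
        best = max(key(u) for u in candidates)
        # Keep only the units tied for the best value, then try the next rule.
        candidates = [u for u in candidates if key(u) == best]
        if len(candidates) == 1:
            return candidates[0], name
    raise ValueError("units share a MAC address; election is ambiguous")


if __name__ == "__main__":
    stack = [
        Unit(1, "00-01-F4-00-00-10", admin_priority=5),
        Unit(2, "00-01-F4-00-00-20", admin_priority=5),
        Unit(3, "00-01-F4-00-00-05", was_manager=True),
    ]
    winner, reason = elect_manager(stack)
    print(f"unit {winner.unit_id} becomes manager ({reason})")
```
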

Installing a New Stackable System of Up to Eight Units


Use the following procedure for installing a new stack of up to eight units out of the box.
1. Before applying power, make all physical connections with the stack cables as described in the SecureStack A2 Installation Guides.
2. Once all of the stack cables have been connected, individually power on each unit from top to bottom.

Notes: Ensure that each switch is fully operational before applying power to the next switch. Since unit IDs are assigned on a first-come, first-served basis, this will ensure that unit IDs are ordered sequentially. Once unit IDs are assigned, they are persistent and will be retained during a power cycle to any or all of the units.

3. (Optional) If desired, change the management unit using the set switch movemanagement command as described in "set switch movemanagement" on page 2-12.
4. Once the desired master unit has been selected, reset the system using the reset command as described in "reset" on page 3-57.
5. After the stack has been configured, you can use the show switch unit command ("show switch" on page 2-7) to physically identify each unit. When you enter the command with a unit number, the MGR LED of the specified switch will blink for 10 seconds. The normal state of this LED is off for member units and steady green for the manager unit.

Installing Previously-Configured Systems in a Stack


If member units in a stack have been previous members of a different stack, you may need to configure the renumbering of the stack as follows:
1. Stack the units in the method desired, and connect the stack cables.
2. Power up only the unit you wish to be manager.
3. Once the management unit is powered up, log in to the CLI, and use the show switch command as described in "show switch" on page 2-7 to display stacking information.
4. Clear any switches which are listed as "unassigned" using the clear switch member command as described in "clear switch member" on page 2-14.
5. Power up the member of the stack you wish to become unit 2. Once the second unit is fully powered, the COM session of the CLI will state that a new CPU was added.
6. Use the show switch command to redisplay stacking information.
   a. If the new member displays as unit 2, you can proceed to repeat this step with the next unit.
   b. If the new member displays a different unit number, you must:
      (1) Renumber the stack using the set switch renumber command as described in "set switch" on page 2-11, then
      (2) Clear the original unit number using the clear switch member command.
7. Repeat Step 6 until all members have been renumbered in the order you desire.
8. After the stack has been reconfigured, you can use the show switch unit command ("show switch" on page 2-7) to physically confirm the identity of each unit. When you enter the command with a unit number, the MGR LED of the specified switch will blink for 10 seconds. The normal state of this LED is off for member units and steady green for the manager unit.

Adding a New Unit to an Existing Stack


Use the following procedure for installing a new unit to an existing stack configuration. This procedure assumes that the new unit being added has a clean configuration from manufacturing and is running the same firmware image version as other units in the stack.
1. Ensure that power is off on the new unit being installed.
2. Use one of the following methods to complete stack cable connections:
   - If the running stack uses a daisy chain topology, make the stack cable connections from the bottom of the stack to the new unit (that is, STACK DOWN port from the bottom unit of the running stack to the STACK UP port on the new unit).
   - If the running stack uses a ring stack topology, break the ring and make the stack cable connections to the new unit to close the ring.
3. Apply power to the new unit.

Creating a Virtual Switch Configuration


You can create a configuration for a SecureStack A2 switch before adding the actual physical device to a stack. This preconfiguration feature includes configuring protocols on the ports of the "virtual switch."

To create a virtual switch configuration in a stack environment:
1. Display the types of switches supported in the stack, using the show switch switchtype command (page 2-8).
2. Using the output of the show switch switchtype command, determine the switch index (SID) of the model of switch being configured.
3. Add the virtual switch to the stack using the set switch member command (page 2-13). Use the SID of the switch model, determined in the previous step, and the unit ID that you want to assign to this switch member.
4. Proceed to configure the ports of the virtual switch as you would do for physically present devices.

The following example adds an A2H124-48P model (SID is 4) to a stack as unit 2 of the stack. The first port on that virtual switch (fe.2.1) is then associated with VLAN 555.

A2(su)->show switch switchtype
                                       Mgmt  Code
SID  Switch Model ID                   Pref  Version
---  --------------------------------  ----  ---------
1    A2H124-24P                        1     0xa08245
2    A2H124-24                         1     0xa08245
3    A2H124-48                         1     0xa08245
4    A2H124-48P                        1     0xa08245
5    A2H124-24FX                       1     0xa08245
6    A2H254-16                         1     0xa08245

A2(su)->set switch member 2 4
A2(su)->show switch
        Management    Preconfig      Plugged-in     Switch                 Code
Switch  Status        Model ID       Model ID       Status                 Version
------  ------------  -------------  -------------  ---------------------  --------
1       Mgmt Switch   A2H124-48      A2H124-48      OK                     01.03.22
2       Unassigned    A2H124-48P                    Not Present            00.00.00
A2(su)->set vlan create 555
A2(su)->clear vlan egress 1 fe.2.1
A2(su)->set port vlan fe.2.1 555 untagged
A2(su)->show port vlan fe.2.1
fe.2.1 is set to 555

Note: If you preconfigure a virtual switch and then add a physical switch of a different type to the stack as that unit number, any configured functionality that cannot be supported on the physical switch will cause a configuration mismatch status for that device and the ports of the new device will join detached. You must clear the mismatch before the new device will properly join the stack.

Considerations About Using Clear Config in a Stack


When using the clear config command (page 3-58) to clear configuration parameters in a stack, it is important to remember the following:
- Use clear config to clear config parameters without clearing stack unit IDs. This command WILL NOT clear stack parameters or the IP address and avoids the process of renumbering the stack.
- Use clear config all when it is necessary to clear all config parameters, including stack unit IDs and switch priority values. This command will not clear the IP address nor will it remove an applied advanced feature license.
- Use clear ip address to remove the IP address of the stack.
- Use clear license to remove an applied license from a switch.

Configuration parameters and stacking information can also be cleared on the master unit only by selecting the "restore configuration to factory defaults" option from the boot menu on switch startup. This selection will leave stacking priorities on all other units.

Configuring Standalone A2 Stack Ports


It is possible on a standalone A2 switch to configure the two stack ports as standard gigabit Ethernet ports. For more information, refer to the set switch stack-port command described on page 2-9.

When Uplink Ports are Configured as Ethernet Ports


When using the clear config command (page 3-58) to clear configuration parameters on a standalone A2 switch with the uplink ports configured as standard Ethernet ports, it is important to remember the following:
- The clear config command WILL NOT set the front panel uplink ports back to stack ports.
- The clear config all command WILL set the front panel uplink ports back to stack ports.

Stacking Configuration and Management Commands


Purpose
To review, individually configure and manage switches in a SecureStack A2 stack.

Commands
For information about...         Refer to page...
show switch                      2-7
show switch switchtype           2-8
show switch stack-ports          2-9
set switch stack-port            2-9
set switch                       2-11
set switch copy-fw               2-11
set switch description           2-12
set switch movemanagement        2-12
set switch member                2-13
clear switch member              2-14

show switch
Use this command to display information about one or more units in the stack.

Syntax
show switch [status] [unit]

Parameters
status    (Optional) Displays power and administrative status information for one or more units in the stack.
unit      (Optional) Specifies the unit(s) for which information will display.

Defaults
If not specified, status and other configuration information about all units will be displayed.

Mode
Switch command, read-only.

Usage
After a stack has been configured, you can use this command to physically confirm the identity of each unit. When you enter the command with a unit number, the MGR LED of the specified switch will blink for 10 seconds. The normal state of this LED is off for member units and steady green for the manager unit.

Examples
This example shows how to display information about all switch units in the stack:
A2(rw)->show switch
        Management    Preconfig      Plugged-in     Switch                 Code
Switch  Status        Model ID       Model ID       Status                 Version
------  ------------  -------------  -------------  ---------------------  --------
1       Mgmt Switch   A2G124-24      A2G124-24      OK                     01.04.xx
2       Stack Member  A2G124-24      A2G124-24      OK                     01.04.xx
3       Stack Member  A2G124-24      A2G124-24      OK                     01.04.xx
4       Stack Member  A2G124-24      A2G124-24      OK                     01.04.xx
5       Stack Member  A2G124-24      A2G124-24      OK                     01.04.xx
6       Stack Member  A2G124-24      A2G124-24      OK                     01.04.xx
7       Stack Member  A2G124-24      A2G124-24      OK                     01.04.xx
8       Stack Member  A2G124-24      A2G124-24      OK                     01.04.xx

Thisexampleshowshowtodisplayinformationaboutswitchunit1inthestack:
A2(ro)->show switch 1 Switch Management Status Hardware Management Preference Admin Management Preference Switch Type Preconfigured Model Identifier Plugged-in Model Identifier Switch Status Switch Description Detected Code Version 1 Management Switch Unassigned Unassigned A2G124-24 A2G124-24 A2G124-24 OK Enterasys Networks, Inc. A2 -- Model A2G124-24 01.04.xx

SecureStack A2 Configuration Guide

2-7

show switch switchtype

Detected Code in Flash Detected Code in Back Image Up Time

03.01.20 02.01.37 0 days 6 hrs 37 mins 54 secs

Thisexampleshowshowtodisplaystatusinformationforswitchunit1inthestack:
A2(ro)->show switch status 1 Switch Switch Status Admin State Power State Inserted Switch: Model Identifier Description Configured Switch: Model Identifier Description 1 Full

A2G124-24 Enterasys Networks, Inc. A2 -- Model A2G124-24 A2G124-24 Enterasys Networks, Inc. A2 -- Model A2G124-24

show switch switchtype


Usethiscommandtodisplayinformationaboutsupportedswitchtypesinthestack.

Syntax
show switch switchtype [switchindex]

Parameters
switchindex    Specifies the switch index (SID) of the switch type to display.

Defaults
None.

Mode
Switch command, read-only.

Examples
This example shows how to display switch type information about all switches in the stack:
A2(rw)->show switch switchtype
                                        Mgmt  Code
SID  Switch Model ID                    Pref  Version
---  --------------------------------   ----  ---------
1    A2H124-24P                         1     0xa08245
2    A2H124-24                          1     0xa08245
3    A2H124-48                          1     0xa08245
4    A2H124-48P                         1     0xa08245
5    A2H124-24FX                        1     0xa08245

This example shows how to display switch type information about SID 1:
A2(ro)->show switch switchtype 1
Switch Type                     0x56540002
Model Identifier                A2H124-24P
Switch Description              Enterasys Networks, Inc. A2 -- Model A2H124-24P
Management Preference           1
Expected Code Version           0xa08245
Supported Cards:
  Slot                          0
  Card Index (CID)              10
  Model Identifier              A2H124-24P

show switch stack-ports


Use this command to display various data flow and error counters on stack ports.

Syntax
show switch stack-ports [unit]

Parameters
unit    Specifies the switch unit ID, an integer ranging from 1 to 8.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display data and error information on stack ports:
A2(ro)->show switch stack-ports
                    ------------TX--------------  ------------RX-----------
                    Data    Error                 Data    Error
        Stacking    Rate    Rate        Total     Rate    Rate        Total
Switch  Port        (Mb/s)  (Errors/s)  Errors    (Mb/s)  (Errors/s)  Errors
------  ----------  ------  ----------  ----------  ------  ----------  --------
1       Up          0       0           0         0       0           0
        Down        0       0           0         0       0           0

set switch stack-port


Use this command to configure the two front panel uplink ports as standard Gigabit Ethernet ports or stack ports.

Syntax
set switch stack-port {ethernet | stack}

Parameters
ethernet    Change the two front panel stack ports to Ethernet mode.
stack       Change the two front panel stack ports to Stacking mode.

Defaults
By default, the front panel uplink ports are in stack mode.

Mode
Switch mode, read-write.

Usage
Use this command only on standalone (non-stacked) A2 switches.
Using this command will cause a switch reset.
Do not stack A2 switches with uplink ports that are in Ethernet mode.

Example
This example shows how to set the front panel stacking ports as Gigabit Ethernet ports.
A2(su)->set switch stack-port ethernet
This command will reset the entire system.
Do you want to continue (y/n) [n]?y

set switch
Use this command to assign a switch ID, to set a switch's priority for becoming the management switch if the previous management switch fails, or to change the switch unit ID for a switch in the stack.

Syntax
set switch {unit [priority value | renumber newunit]}

Parameters
unit                Specifies a unit number for the switch. Value can range from 1 to 8.
priority value      Specifies a priority value for the unit. Valid values are 1 to 15 with higher values assigning higher priority.
renumber newunit    Specifies a new number for the unit.
Note: This number must be a previously unassigned unit ID number.

Defaults
None.

Mode
Switch command, read-write.

Examples
This example shows how to assign priority 3 to switch 5:
A2(su)->set switch 5 priority 3

This example shows how to renumber switch 5 to switch 7:
A2(su)->set switch 5 renumber 7

set switch copy-fw


Use this command to replicate the code image file from the management switch to other switch(es) in the stack.

Syntax
set switch copy-fw [destination-system unit]

Parameters
destination-system unit    (Optional) Specifies the unit number of unit on which to copy the management image file.

Defaults
If destination-system is not specified, the management image file will be replicated to all switches in the stack.

Mode
Switch command, read-write.

Example
This example shows how to replicate the management image file to all switches in the stack:
A2(su)->set switch copy-fw
Are you sure you want to copy firmware? (y/n) y
Code transfer completed successfully.

set switch description


Use this command to assign a name to a switch in the stack.

Syntax
set switch description unit description

Parameters
unit           Specifies a unit number for the switch.
description    Specifies a text description for the unit.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to assign the name "FirstUnit" to switch unit 1 in the stack:
A2(su)->set switch description 1 FirstUnit

set switch movemanagement


Use this command to move management switch functionality from one switch to another.

Syntax
set switch movemanagement fromunit tounit

Parameters
fromunit    Specifies the unit number of the current management switch.
tounit      Specifies the unit number of the newly designated management switch.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to move management functionality from switch 1 to switch 2:
A2(su)->set switch movemanagement 1 2
Moving stack management will unconfigure entire stack including all interfaces.
Are you sure you want to move stack management? (y/n) y

set switch member


Use this command to add a virtual member to a stack. This allows you to preconfigure a switch before the physical device is actually added to the stack.

Syntax
set switch member unit switch-id

Parameters
unit         Specifies a unit number for the switch.
switch-id    Specifies a switch ID (SID) for the switch. SIDs can be displayed with the show switch switchtype command.

Defaults
None.

Mode
Switch command, read-write.

Usage
Refer to "Creating a Virtual Switch Configuration" on page 2-4 for more information about how to add a virtual switch to a stack.

Example
This example shows how to specify a switch as unit 1 with a switch ID of 1:
A2(su)->set switch member 1 1

clear switch member
Use this command to remove a member entry from the stack.

Syntax
clear switch member unit

Parameters
unit    Specifies the unit number of the switch.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to remove the switch 5 entry from the stack:
A2(su)->clear switch member 5

3
Basic Configuration
At startup, the SecureStack A2 switch is configured with many defaults and standard features. This chapter describes how to customize basic system settings to adapt to your work environment.

For information about ...                        Refer to page ...
Setting User Accounts and Passwords              3-2
Setting Basic Switch Properties                  3-9
Configuring Power over Ethernet (PoE)            3-28
Downloading a New Firmware Image                 3-32
Reviewing and Selecting a Boot Firmware Image    3-35
Starting and Configuring Telnet                  3-37
Managing Switch Configuration and Files          3-39
Configuring CDP                                  3-49
Clearing and Closing the CLI                     3-55
Resetting the Switch                             3-57
Using and Configuring WebView                    3-59

Setting User Accounts and Passwords

Purpose
To change the switch's default user login and password settings, and to add new user accounts and passwords.

Commands
The commands used to configure user accounts and passwords are listed below.

For information about...         Refer to page...
show system login                3-2
set system login                 3-3
clear system login               3-4
set password                     3-4
set system password length       3-5
set system password aging        3-6
set system password history      3-6
show system lockout              3-7
set system lockout               3-8

show system login


Use this command to display user login account information.

Syntax
show system login

Parameters
None.

Defaults
None.

Mode
Switch command, super user.

Example
This example shows how to display login account information. In this case, switch defaults have not been changed:
A2(su)->show system login
Password history size: 0
Password aging       : disabled

Username     Access         State
admin        super-user     enabled
ro           read-only      enabled
rw           read-write     enabled

Table 3-1 provides an explanation of the command output.

Table 3-1    show system login Output Details

Output                   What It Displays...
Password history size    Number of previously used user login passwords that will be checked for duplication when the set password command is executed. Configured with set system password history (page 3-6).
Password aging           Number of days user passwords will remain valid before aging out. Configured with set system password aging (page 3-6).
Username                 Login user names.
Access                   Access assigned to this user account: super-user, read-write or read-only.
State                    Whether this user account is enabled or disabled.

set system login


Use this command to create a new user login account, or to disable or enable an existing account. The SecureStack A2 switch supports up to 16 user accounts, including the admin account, which cannot be deleted.

Syntax
set system login username {super-user | read-write | read-only} {enable | disable}

Parameters
username                                Specifies a login name for a new or existing user. This string can be a maximum of 80 characters, although a maximum of 16 characters is recommended for proper viewing in the show system login display.
super-user | read-write | read-only     Specifies the access privileges for this user.
enable | disable                        Enables or disables the user account.

Defaults
None.

Mode
Switch command, super user.

Example
This example shows how to enable a new user account with the login name "netops" with super user access privileges:
A2(su)->set system login netops super-user enable

clear system login
Use this command to remove a local login user account.

Syntax
clear system login username

Parameters
username    Specifies the login name of the account to be cleared.
Note: The default admin (su) account cannot be deleted.

Defaults
None.

Mode
Switch command, super user.

Example
This example shows how to remove the "netops" user account:
A2(su)->clear system login netops

set password
Use this command to change system default passwords or to set a new login password on the CLI.

Syntax
set password [username]

Parameters
username    (Only available to users with super-user access.) Specifies a system default or a user-configured login account name. By default, the SecureStack A2 switch provides the following account names:
            ro for Read-Only access.
            rw for Read-Write access.
            admin for Super User access. (This access level allows Read-Write access to all modifiable parameters, including user accounts.)

Defaults
None.

Mode
Switch command, read-write.
Switch command, super user.

Usage
Read-Write users can change their own passwords.
Super Users (Admin) can change any password on the system.

Examples
This example shows how a super user would change the Read-Write password from the system default (blank string):
A2(su)->set password rw
Please enter new password: ********
Please re-enter new password: ********
Password changed.
A2(su)->

This example shows how a user with Read-Write access would change his password:
A2(su)->set password
Please enter old password: ********
Please enter new password: ********
Please re-enter new password: ********
Password changed.
A2(su)->

set system password length


Use this command to set the minimum user login password length.

Syntax
set system password length characters

Parameters
characters    Specifies the minimum number of characters for a user account password. Valid values are 0 to 40.

Defaults
None.

Mode
Switch command, super user.

Example
This example shows how to set the minimum system password length to 8 characters:
A2(su)->set system password length 8

set system password aging
Use this command to set the number of days user passwords will remain valid before aging out, or to disable user account password aging.

Syntax
set system password aging {days | disable}

Parameters
days       Specifies the number of days user passwords will remain valid before aging out. Valid values are 1 to 365.
disable    Disables password aging.

Defaults
None.

Mode
Switch command, super user.

Example
This example shows how to set the system password age time to 45 days:
A2(su)->set system password aging 45

set system password history


Use this command to set the number of previously used user login passwords that will be checked for password duplication. This prevents duplicate passwords from being entered into the system with the set password command.

Syntax
set system password history size

Parameters
size    Specifies the number of passwords checked for duplication. Valid values are 0 to 10.

Defaults
None.

Mode
Switch command, super user.

Example
This example shows how to configure the system to check the last 10 passwords for duplication:
A2(su)->set system password history 10

show system lockout
Use this command to display settings for locking out users after failed attempts to log in to the system.

Syntax
show system lockout

Parameters
None.

Defaults
None.

Mode
Switch command, super user.

Example
This example shows how to display user lockout settings. In this case, switch defaults have not been changed:
A2(su)->show system lockout
Lockout attempts: 3
Lockout time: 15 minutes.

Table 3-1 provides an explanation of the command output. These settings are configured with the set system lockout command ("set system lockout" on page 3-8).

Table 3-1    show system lockout Output Details

Output              What It Displays...
Lockout attempts    Number of failed login attempts allowed before a read-write or read-only user's account will be disabled.
Lockout time        Number of minutes the default admin user account will be locked out after the maximum login attempts.

set system lockout
Use this command to set the number of failed login attempts before locking out (disabling) a read-write or read-only user account, and the number of minutes to lock out the default admin super user account after maximum login attempts. Once a user account is locked out, it can only be re-enabled by a super user with the set system login command (page 3-3).

Syntax
set system lockout {[attempts attempts] [time time]}

Parameters
attempts attempts    Specifies the number of failed login attempts allowed before a read-write or read-only user's account will be disabled. Valid values are 1 to 10.
time time            Specifies the number of minutes the default admin user account will be locked out after the maximum login attempts. Valid values are 0 to 60.

Defaults
None.

Mode
Switch command, super user.

Example
This example shows how to set login attempts to 5 and lockout time to 30 minutes:
A2(su)->set system lockout attempts 5 time 30
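
The account, password-policy and lockout settings described in this section can be reviewed together from captured CLI output. The following is an added example, not part of the Enterasys guide: a Python audit that parses show system login and show system lockout output and returns the set commands, in the syntax documented above, that would bring a switch to a baseline. The baseline thresholds, the function names, the sample text and the assumption that enabled password aging is printed as a number of days are this example's own.

```python
import re

# Baseline thresholds are assumptions made for this example; each stays inside
# the valid range the guide gives for the matching "set system ..." command.
BASELINE = {"min_history": 5, "max_aging_days": 90,
            "max_attempts": 5, "min_lockout_minutes": 15}
DEFAULT_ACCOUNTS = ("ro", "rw")   # default read-only / read-write logins
ACCESS_LEVELS = ("super-user", "read-write", "read-only")

# Constructed sample output, modelled on the guide's examples plus one extra account.
SAMPLE_LOGIN = """\
A2(su)->show system login
Password history size: 0
Password aging       : disabled

Username     Access         State
admin        super-user     enabled
ro           read-only      enabled
rw           read-write     enabled
netops       super-user     enabled
"""
SAMPLE_LOCKOUT = """\
A2(su)->show system lockout
Lockout attempts: 3
Lockout time: 15 minutes.
"""


def parse_login(text):
    """Parse 'show system login' output into policy values and account rows."""
    info = {"history": None, "aging_days": None, "accounts": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Password history size\s*:\s*(\d+)", line)
        if m:
            info["history"] = int(m.group(1))
            continue
        m = re.match(r"Password aging\s*:\s*(\S+)", line)
        if m:
            # "disabled" is the documented default; a day count is assumed otherwise.
            info["aging_days"] = int(m.group(1)) if m.group(1).isdigit() else None
            continue
        parts = line.split()
        if len(parts) == 3 and parts[1] in ACCESS_LEVELS:
            info["accounts"].append(tuple(parts))
    return info


def parse_lockout(text):
    """Parse 'show system lockout' output; raise if either value is missing."""
    attempts = re.search(r"Lockout attempts\s*:\s*(\d+)", text)
    minutes = re.search(r"Lockout time\s*:\s*(\d+)\s*minutes", text)
    if not attempts or not minutes:
        raise ValueError("unrecognised 'show system lockout' output")
    return {"attempts": int(attempts.group(1)), "minutes": int(minutes.group(1))}


def audit(login, lockout, baseline=BASELINE):
    """Return (finding, remediation command or None) pairs, in report order."""
    findings = []
    if login["history"] is None or login["history"] < baseline["min_history"]:
        findings.append((f"password history size is {login['history']}",
                         f"set system password history {baseline['min_history']}"))
    aging = login["aging_days"]
    if aging is None or aging > baseline["max_aging_days"]:
        findings.append(("password aging is disabled or longer than baseline",
                         f"set system password aging {baseline['max_aging_days']}"))
    for user, access, state in login["accounts"]:
        if state != "enabled":
            continue
        if user in DEFAULT_ACCOUNTS:
            # The output does not show whether the default password was changed.
            findings.append((f"default account '{user}' is enabled",
                             f"set system login {user} {access} disable"))
        elif access == "super-user" and user != "admin":
            findings.append((f"additional super-user '{user}': confirm it is needed",
                             None))
    too_many = lockout["attempts"] > baseline["max_attempts"]
    too_short = lockout["minutes"] < baseline["min_lockout_minutes"]
    if too_many or too_short:
        attempts = min(lockout["attempts"], baseline["max_attempts"])
        minutes = max(lockout["minutes"], baseline["min_lockout_minutes"])
        findings.append(("lockout policy is weaker than baseline",
                         f"set system lockout attempts {attempts} time {minutes}"))
    return findings


if __name__ == "__main__":
    report = audit(parse_login(SAMPLE_LOGIN), parse_lockout(SAMPLE_LOCKOUT))
    for finding, command in report:
        print(f"{finding}: {command or 'manual review'}")
```

The default lockout values shown in the guide (3 attempts, 15 minutes) pass this baseline, so the sample run reports only the password-policy and account findings.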

Setting Basic Switch Properties

Purpose
To display and set the system IP address and other basic system (switch) properties.

Commands
The commands used to set basic system information are listed below.

For information about...          Refer to page...
show ip address                   3-10
set ip address                    3-10
clear ip address                  3-11
show ip protocol                  3-11
set ip protocol                   3-12
show system                       3-12
show system hardware              3-13
show system utilization           3-14
set system enhancedbuffermode     3-15
show time                         3-16
set time                          3-16
show summertime                   3-17
set summertime                    3-17
set summertime date               3-18
set summertime recurring          3-18
clear summertime                  3-19
set prompt                        3-20
show banner motd                  3-20
set banner motd                   3-21
clear banner motd                 3-21
show version                      3-22
set system name                   3-23
set system location               3-23
set system contact                3-24
set width                         3-24
set length                        3-25
show logout                       3-25
set logout                        3-26
show console                      3-26
set console baud                  3-27

show ip address
Use this command to display the system IP address and subnet mask.

Syntax
show ip address

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the system IP address and subnet mask:
A2(su)->show ip address
Name              Address           Mask
----------------  ----------------  ----------------
host              10.42.13.20       255.255.0.0

set ip address
Use this command to set the system IP address, subnet mask and default gateway.

Syntax
set ip address ip-address [mask ip-mask] [gateway ip-gateway]

Parameters
ip-address            Sets the IP address for the system. For SecureStack A2 systems, this is the IP address of the management switch as described in "About SecureStack A2 Switch Operation in a Stack" on page 2-1.
mask ip-mask          (Optional) Sets the system's subnet mask.
gateway ip-gateway    (Optional) Sets the system's default gateway (next-hop device).

Defaults
If not specified, ip-mask will be set to the natural mask of the ip-address and ip-gateway will be set to the ip-address.

Mode
Switch command, read-write.

Example
This example shows how to set the system IP address to 10.1.10.1 with a mask of 255.255.128.0 and a default gateway of 10.1.0.1:
A2(su)->set ip address 10.1.10.1 mask 255.255.128.0 gateway 10.1.10.1

clear ip address
Use this command to clear the system IP address.

Syntax
clear ip address

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear the system IP address:
A2(rw)->clear ip address

show ip protocol
Use this command to display the method used to acquire a network IP address for switch management.

Syntax
show ip protocol

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the method used to acquire a network IP address:
A2(su)->show ip protocol
System IP address acquisition method: dhcp

set ip protocol
Use this command to specify the protocol used to acquire a network IP address for switch management.

Syntax
set ip protocol {bootp | dhcp | none}

Parameters
bootp    Select BOOTP as the protocol to use to acquire the system IP address.
dhcp     Select DHCP as the protocol to use to acquire the system IP address.
none     No protocol will be used to acquire the system IP address.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the method used to acquire a network IP address to DHCP.
A2(su)->set ip protocol dhcp

show system
Use this command to display system information, including contact information, power and fan tray status and uptime.

Syntax
show system

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display system information:
A2(su)->show system
System contact:John Smith
System location:Bldg10 2nd floor East
System name:10-2-A2

Switch 1
--------
PS1-Status    PS2-Status
----------    ----------
Ok            Not Installed and/or Not Operating

Fan1-Status   Fan2-Status
-----------   -----------
Ok            Ok

Uptime d,h:m:s   Logout
--------------   -------
2,19:57:39       5 min

Table 3-2 provides an explanation of the command output.

Table 3-2    show system Output Details

Output                What It Displays...
System contact        Contact person for the system. Default of a blank string can be changed with the set system contact command ("set system contact" on page 3-24).
System location       Where the system is located. Default of a blank string can be changed with the set system location command ("set system location" on page 3-23).
System name           Name identifying the system. Default of a blank string can be changed with the set system name command ("set system name" on page 3-23).
PS1 and PS2-Status    Operational status for power supply 1 and, if installed, power supply 2.
Fan Status            Operational status of the fan trays.
Uptime d,h:m:s        System uptime.
Logout                Time an idle console or Telnet CLI session will remain connected before timing out. Default of 5 minutes can be changed with the set logout command ("set logout" on page 3-26).

show system hardware
Use this command to display the system's hardware configuration.

Syntax
show system hardware

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the system's hardware configuration. Please note that the information you see displayed may differ from this example.
A2(su)->show system hardware
SLOT HARDWARE INFORMATION
--------------------
Model:                A2G124-24
Serial Number:        041800129041
Vendor ID:            0x0e10
Base MAC Address:     00:01:F4:5F:1D:E0
Hardware Version:     BCM56504 REV 19
FirmWare Version:     1.04.xx
Boot Code Version:    01.00.17

show system utilization
Use this command to display detailed information about the processor running on the switch, or the overall memory usage of the Flash and SDRAM storage devices on the unit, or the processes running on the switch. Only the memory usage in the master unit of a stack is shown.

Syntax
show system utilization {cpu | storage | process}

Parameters
cpu        Display information about the processor running on the switch.
storage    Display information about the overall memory usage on the switch.
process    Display information about the processes running on the switch.

Defaults
None.

Mode
Switch command, read-only.

Examples
This example shows how to display the system's CPU utilization:
A2(ro)->show system utilization cpu
Total CPU Utilization:
Switch  CPU   5 sec   1 min   5 min
-----------------------------------------------
1       1     3%      1%      1%

This example shows how to display the system's overall memory usage:
A2(ro)->show system utilization storage
Storage Utilization:
Type     Description                 Size(Kb)    Available (Kb)
---------------------------------------------------------------
RAM      RAM device                  262144      97173
Flash    Images, Config, Other       31095       8094

This example shows how to display information about the processes running on the system. Only partial output is shown.
A2(ro)->show system utilization process
TID       Name            5Sec     1Min     5Min
8d45148   captureTask     0.00%    0.00%    0.00%
8e264f8   poe_monitor     0.00%    0.01%    0.05%
8ea6d38   poe_read        0.80%    0.22%    0.20%
8eb7140   vlanDynEg       0.00%    0.00%    0.00%
8f0be10   tcdpSendTask    0.00%    0.00%    0.00%
8f1c0e8   tcdpTask        0.00%    0.00%    0.00%
...

set system enhancedbuffermode
Use this command to enable or disable enhanced buffer mode, which optimizes buffer distribution for non-stacking single CoS queue operation. Executing this command will reset the switch, so the system prompts you to confirm whether you want to proceed.

Syntax
set system enhancedbuffermode {enable | disable}

Parameters
enable | disable    Enables or disables enhanced buffer mode.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to enable enhanced buffer mode:
A2(su)->set system enhancedbuffermode enable
Changes in the enhanced buffer mode will require reseting this unit.
Are you sure you want to continue? (y/n)

show time
Use this command to display the current time of day in the system clock.

Syntax
show time

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the current time. The output shows the day of the week, month, day, and the time of day in hours, minutes, and seconds and the year:
A2(su)->show time
THU SEP 05 09:21:57 2002

set time
Use this command to change the time of day on the system clock.

Syntax
set time [mm/dd/yyyy] [hh:mm:ss]

Parameters
[mm/dd/yyyy] [hh:mm:ss]    Sets the time in month, day, year and/or 24-hour format. At least one set of time parameters must be entered.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the system clock to 7:50 a.m.:
A2(su)->set time 7:50:00

show summertime
Use this command to display daylight savings time settings.

Syntax
show summertime

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display daylight savings time settings:
A2(su)->show summertime
Summertime is disabled and set to ''
Start : SUN APR 04 02:00:00 2004
End : SUN OCT 31 02:00:00 2004
Offset: 60 minutes (1 hours 0 minutes)
Recurring: yes, starting at 2:00 of the first Sunday of April and ending at 2:00 of the last Sunday of October

set summertime
Use this command to enable or disable the daylight savings time function.

Syntax
set summertime {enable | disable} [zone]

Parameters
enable | disable    Enables or disables the daylight savings time function.
zone                (Optional) Applies a name to the daylight savings time settings.

Defaults
If a zone name is not specified, none will be applied.

Mode
Switch command, read-only.

Example
This example shows how to enable daylight savings time function:
A2(su)->set summertime enable

set summertime date
Use this command to configure specific dates to start and stop daylight savings time. These settings will be non-recurring and will have to be reset annually.

Syntax
set summertime date start_month start_date start_year start_hr_min end_month end_date end_year end_hr_min [offset_minutes]

Parameters
start_month       Specifies the month of the year to start daylight savings time.
start_date        Specifies the day of the month to start daylight savings time.
start_year        Specifies the year to start daylight savings time.
start_hr_min      Specifies the time of day to start daylight savings time. Format is hh:mm.
end_month         Specifies the month of the year to end daylight savings time.
end_date          Specifies the day of the month to end daylight savings time.
end_year          Specifies the year to end daylight savings time.
end_hr_min        Specifies the time of day to end daylight savings time. Format is hh:mm.
offset_minutes    (Optional) Specifies the amount of time in minutes to offset daylight savings time from the non-daylight savings time system setting. Valid values are 1 to 1440.

Defaults
If an offset is not specified, none will be applied.

Mode
Switch command, read-write.

Example
This example shows how to set a daylight savings time start date of April 4, 2004 at 2 a.m. and an ending date of October 31, 2004 at 2 a.m. with an offset time of one hour:
A2(su)->set summertime date April 4 2004 02:00 October 31 2004 02:00 60

set summertime recurring
Use this command to configure recurring daylight savings time settings. These settings will start and stop daylight savings time at the specified day of the month and hour each year and will not have to be reset annually.

Syntax
set summertime recurring start_week start_day start_month start_hr_min end_week end_day end_month end_hr_min [offset_minutes]

Parameters
start_week        Specifies the week of the month to restart daylight savings time. Valid values are: first, second, third, fourth, and last.
start_day         Specifies the day of the week to restart daylight savings time.
start_hr_min      Specifies the time of day to restart daylight savings time. Format is hh:mm.
end_week          Specifies the week of the month to end daylight savings time.
end_day           Specifies the day of the week to end daylight savings time.
end_hr_min        Specifies the time of day to end daylight savings time. Format is hh:mm.
offset_minutes    (Optional) Specifies the amount of time in minutes to offset daylight savings time from the non-daylight savings time system setting. Valid values are 1 to 1440.

Defaults
If an offset is not specified, none will be applied.

Mode
Switch command, read-write.

Example
This example shows how to set daylight savings time to recur starting on the first Sunday of April at 2 a.m. and ending the last Sunday of October at 2 a.m. with an offset time of one hour:
A2(su)->set summertime recurring first Sunday April 02:00 last Sunday October 02:00 60

clear summertime
Use this command to clear the daylight savings time configuration.

Syntax
clear summertime

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear the daylight savings time configuration:
A2(su)->clear summertime

set prompt
Use this command to modify the command prompt.

Syntax
set prompt prompt_string

Parameters
prompt_string    Specifies a text string for the command prompt.
Note: A prompt string containing a space in the text must be enclosed in quotes as shown in the example below.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the command prompt to "Switch 1":
A2(su)->set prompt "Switch 1"
Switch 1(su)->

show banner motd
Use this command to show the banner message of the day that will display at session login.

Syntax
show banner motd

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the banner message of the day:
A2(rw)->show banner motd
O Knights of Ni, you are just and
fair, and we will return with a shrubbery
        -King Arthur

set banner motd
Use this command to set the banner message of the day displayed at session login.

Syntax
set banner motd message

Parameters
message    Specifies a message of the day. This is a text string that needs to be in double quotes if any spaces are used. Use a \n for a new line and \t for a tab (eight spaces).

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the message of the day banner to read "O Knights of Ni, you are just and fair, and we will return with a shrubbery -King Arthur":
A2(rw)->set banner motd "O Knights of Ni, you are just and \n fair, and we will return with a shrubbery \n \t -King Arthur"

clear banner motd
Use this command to clear the banner message of the day displayed at session login to a blank string.

Syntax
clear banner motd

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear the message of the day banner to a blank string:
A2(rw)->clear banner motd

show version
Use this command to display hardware and firmware information. Refer to "Downloading a New Firmware Image" on page 3-32 for instructions on how to download a firmware image.

Syntax
show version

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display version information. Please note that you may see different information displayed, depending on the type of hardware in the stack.
A2(rw)->show version
Copyright (c) 2005 by Enterasys Networks, Inc.

Model           Serial #           Versions
--------------  -----------------  -------------------
A2H124-48       052200119001       Hw:BCM5655 REV 18
                                   Bp:01.00.33
                                   Fw:01.00.26
                                   BuFw:01.00.07
A2H124-48P      052800949041       Hw:BCM5655 REV 18
                                   Bp:01.00.33
                                   Fw:01.00.26
                                   BuFw:01.00.07
                                   PoE:290_21

Table 3-3 provides an explanation of the command output.

Table 3-3    show version Output Details

Output      What It Displays...
Model       Switch's model number.
Serial #    Serial number of the switch.
Versions    Hw: Hardware version number.
            Bp: BootPROM version.
            Fw: Current firmware version number.
            BuFw: Backup firmware version number.
            PoE: Power over Ethernet driver version. (Displays only for PoE switches.)

set system name
Use this command to configure a name for the system.

Syntax
set system name [string]

Parameters
string    (Optional) Specifies a text string that identifies the system.
Note: A name string containing a space in the text must be enclosed in quotes as shown in the example below.

Defaults
If string is not specified, the system name will be cleared.

Mode
Switch command, read-write.

Example
This example shows how to set the system name to "Information Systems":
A2(su)->set system name "Information Systems"

set system location
Use this command to identify the location of the system.

Syntax
set system location [string]

Parameters
string    (Optional) Specifies a text string that indicates where the system is located.
Note: A location string containing a space in the text must be enclosed in quotes as shown in the example below.

Defaults
If string is not specified, the location name will be cleared.

Mode
Switch command, read-write.

Example
This example shows how to set the system location string:
A2(su)->set system location "Bldg N32-04 Closet 9"

set system contact
Use this command to identify a contact person for the system.

Syntax
set system contact [string]

Parameters
string    (Optional) Specifies a text string that contains the name of the person to contact for system administration.
Note: A contact string containing a space in the text must be enclosed in quotes as shown in the example below.

Defaults
If string is not specified, the contact name will be cleared.

Mode
Switch command, read-write.

Example
This example shows how to set the system contact string:
A2(su)->set system contact "Joe Smith"

set width
Use this command to set the number of columns for the terminal connected to the switch's console port.

Syntax
set width screenwidth [default]

Parameters
screenwidth default Setsthenumberofterminalcolumns.Validvaluesare50to150. (Optional)Makesthissettingpersistentforallfuturesessions(writtento NVRAM).

Defaults
None.

Mode
Switchcommand,readwrite.

Usage
ThenumberofrowsofCLIoutputdisplayedissetusingthesetlengthcommandasdescribedin setlengthonpage325.

3-24

Basic Configuration

set length

Example
Thisexampleshowshowtosettheterminalcolumnsto50:
A2(su)->set width 50

set length
Use this command to set the number of lines the CLI will display. This command is persistent (written to NVRAM).

Syntax
set length screenlength

Parameters
screenlength    Sets the number of lines in the CLI display. Valid values are 0, which disables the scrolling screen feature described in Displaying Scrolling Screens on page 1-8, and from 5 to 512.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the terminal length to 50:
A2(su)->set length 50

show logout
Use this command to display the time (in seconds) an idle console or Telnet CLI session will remain connected before timing out.

Syntax
show logout

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the CLI logout setting:
A2(su)->show logout
Logout currently set to: 10 minutes.

set logout
Use this command to set the time (in minutes) an idle console or Telnet CLI session will remain connected before timing out.

Syntax
set logout timeout

Parameters
timeout    Sets the number of minutes the system will remain idle before timing out.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the system timeout to 10 minutes:
A2(su)->set logout 10

show console
Use this command to display console settings.

Syntax
show console [baud] [bits] [flowcontrol] [parity] [stopbits]

Parameters
baud           (Optional) Displays the input/output baud rate.
bits           (Optional) Displays the number of bits per character.
flowcontrol    (Optional) Displays the type of flow control.
parity         (Optional) Displays the type of parity.
stopbits       (Optional) Displays the number of stop bits.

Defaults
If no parameters are specified, all settings will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display all console settings:
A2(su)->show console
Baud    Flow     Bits  StopBits   Parity
------  -------  ----  ---------  ------
9600    Disable  8     1          none

set console baud


Use this command to set the console port baud rate.

Syntax
set console baud rate

Parameters
rate    Sets the console baud rate. Valid values are: 300, 600, 1200, 2400, 4800, 5760, 9600, 14400, 19200, 38400, and 115200.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the console port baud rate to 19200:
A2(su)->set console baud 19200

Configuring Power over Ethernet (PoE)


Important Notice
This section applies only to PoE-equipped SecureStack A2 switches. Consult the Installation Guide shipped with your product to determine if it is PoE-equipped.

Purpose
To review and set PoE parameters, including the power available to the system, the usage threshold for each module, whether or not SNMP trap messages will be sent when power status changes, and per-port PoE settings.

Commands
The commands used to review and set PoE port parameters are listed below.
For information about...       Refer to page...
show inlinepower               3-29
set inlinepower threshold      3-29
set inlinepower trap           3-30
show port inlinepower          3-30
set port inlinepower           3-31

show inlinepower
Use this command to display switch PoE properties.

Syntax
show inlinepower

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display switch PoE properties. In this case, units 1, 3, and 5 are PoE modules, so their power configurations display:
A2(su)->show inlinepower
Unit  Status  Power(W)  Consumption(W)  Usage(%)  Threshold(%)  Trap
----  ------  --------  --------------  --------  ------------  ------
2     auto    360       0.00            0.00      80            enable
4     auto    360       0.00            0.00      80            enable
8     auto    360       5.20            1.44      80            enable

set inlinepower threshold


Use this command to set the PoE usage threshold on a specified unit.

Syntax
set inlinepower threshold usage-threshold module-number

Parameters
usage-threshold    Specifies a PoE threshold as a percentage of total system power usage. Valid values are 11 to 100.
module-number      Specifies the unit on which to set the PoE threshold.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the PoE threshold to 50 on unit 1:
A2(su)->set inlinepower threshold 50 1

set inlinepower trap


Use this command to enable or disable the sending of an SNMP trap message for a unit whenever the status of its ports changes, or whenever the unit's PoE usage threshold is crossed. The unit's PoE usage threshold must be set using the set inlinepower threshold command as described on page 3-29.

Syntax
set inlinepower trap {disable | enable} module-number

Parameters
disable | enable    Disables or enables PoE trap messaging.
module-number       Specifies the unit on which to disable or enable trap messaging.

Mode
Switch command, read-write.

Example
This example shows how to enable PoE trap messaging on unit 1:
A2(su)->set inlinepower trap enable 1

show port inlinepower


Use this command to display all ports supporting PoE.

Syntax
show port inlinepower [port-string]

Parameters
port-string    (Optional) Displays information for specific PoE port(s).

Defaults
If not specified, information for all PoE ports will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display PoE information for Fast Ethernet ports 1 through 6 in unit 1. In this case, the ports' administrative state, PoE priority and class have not been changed from default values:
A2(su)->show port inlinepower fe.1.1-6
Port     Admin  Oper       Priority  Class
-------  -----  ---------  --------  -----
fe.1.1   auto   searching  low       0
fe.1.2   auto   searching  low       0
fe.1.3   auto   searching  low       0
fe.1.4   auto   searching  low       0
fe.1.5   auto   searching  low       0
fe.1.6   auto   searching  low       0

set port inlinepower


Use this command to configure PoE parameters on one or more ports.

Syntax
set port inlinepower port-string {[admin {off | auto}] [priority {critical | high | low}] [type type]}

Parameters
port-string                       Specifies the port(s) on which to configure PoE.
admin off | auto                  Sets the PoE administrative state to off (disabled) or auto (on).
priority critical | high | low    Sets the port(s) priority for the PoE allocation algorithm to critical (highest), high or low.
type type                         Specifies a string describing the type of device connected to a port.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to enable PoE on port fe.3.1 with critical priority:
A2(su)->set port inlinepower fe.3.1 admin auto priority critical

Downloading a New Firmware Image


You can upgrade the operational firmware in the SecureStack A2 switch without physically opening the switch or being in the same location. There are two ways to download firmware to the switch:

- Via TFTP download. This procedure uses a TFTP server connected to the network and downloads the firmware using the TFTP protocol. For details on how to perform a TFTP download using the copy command, refer to copy on page 3-45. For information on setting TFTP timeout and retry parameters, refer to set tftp timeout on page 3-46 and set tftp retry on page 3-47.
- Via the serial (console) port. This procedure is an out-of-band operation that copies the firmware through the serial port to the switch. It should be used in cases when you cannot connect the switch to perform the in-band copy download procedure via TFTP. Serial console download has been successfully tested with the following applications:
  - HyperTerminal Copyright 1999
  - TeraTerm Pro Version 2.3

Any other terminal applications may work but are not explicitly supported.

The A2 switch allows you to download and store dual images. The backup image can be downloaded and selected as the startup image by using the commands described in this section.

Downloading from a TFTP Server


To perform a TFTP download, proceed as follows:
1. If you have not already done so, set the switch's IP address using the set ip address command as detailed in set ip address on page 3-10.
2. Download a new image file using the copy command as detailed in copy on page 3-45.

Downloading via the Serial Port


To download switch firmware via the serial (console) port, proceed as follows:

1. With the console port connected, power up the switch. The following message displays:
Version 01.00.29 05-09-2005
Computing MD5 Checksum of operational code...
Select an option. If no selection in 2 seconds then operational code will start.
1 - Start operational code.
2 - Start Boot Menu.
Select (1, 2):2
Password: *************

2. Before the boot up completes, type 2 to select "Start Boot Menu". Use "administrator" for the Password.
Note: The above Boot Menu password "administrator" can be changed using boot menu option 11.

Boot Menu Version 01.00.29 05-09-2005
Options available
1 - Start operational code
2 - Change baud rate
3 - Retrieve event log using XMODEM (64KB).
4 - Load new operational code using XMODEM
5 - Display operational code vital product data
6 - Run Flash Diagnostics
7 - Update Boot Code
8 - Delete operational code
9 - Reset the system
10 - Restore Configuration to factory defaults (delete config files)
11 - Set new Boot Code password
[Boot Menu] 2

3. Type 2. The following baud rate selection screen displays:
1 - 1200
2 - 2400
3 - 4800
4 - 9600
5 - 19200
6 - 38400
7 - 57600
8 - 115200
0 - no change

4. Type 8 to set the switch baud rate to 115200. The following message displays:
Setting baud rate to 115200, you must change your terminal baud rate.

5. Set the terminal baud rate to 115200 and press ENTER.

6. From the boot menu options screen, type 4 to load new operational code using XMODEM. When the XMODEM transfer is complete, the following message and header information will display:


[Boot Menu] 4
Ready to receive the file with XMODEM/CRC....
Ready to RECEIVE File xcode.bin in binary mode
Send several Control-X characters to cCKCKCKCKCKCKCK
XMODEM transfer complete, checking CRC....
Verified operational code CRC.
The following Enterasys Header is in the image:
MD5 Checksum....................fe967970996c4c8c43a10cd1cd7be99a
Boot File Identifier............0x0517
Header Version..................0x0100
Image Type......................0x82
Image Offset....................0x004d
Image length....................0x006053b3
Ident Strings Length............0x0028
Ident Strings...................
A2H124-24
A2H124-48
A2H124-48
Image Version Length............0x7
Image Version Bytes.............0x30 0x2e 0x35 0x2e 0x30 0x2e 0x34 (0.5.0.4)

7. From the boot menu options screen, type 2 to display the baud rate selection screen again.

8. Type 4 to set the switch baud rate to 9600. The following message displays:
Setting baud rate to 9600, you must change your terminal baud rate.

9. Set the terminal baud rate to 9600 and press ENTER.

10. From the boot menu options screen, type 1 to start the new operational code. The following message displays:
Operational Code Date: Tue Jun 29 08:34:05 2004
Uncompressing.....
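The header printed in step 6 can be checked from a captured terminal log before the new code is started. The following Python sketch is an added example, not part of the Enterasys guide or firmware: it parses the header lines, decodes the Image Version Bytes, and compares the MD5 and model strings with values the operator supplies. The function names and the idea of holding a reference MD5 from the release materials are assumptions; the MD5 detects a corrupted or wrong image but does not authenticate it.

```python
import re

# Constructed sample: the header lines from the boot-menu transcript above.
SAMPLE_HEADER = """\
MD5 Checksum....................fe967970996c4c8c43a10cd1cd7be99a
Boot File Identifier............0x0517
Header Version..................0x0100
Image Type......................0x82
Image Offset....................0x004d
Image length....................0x006053b3
Ident Strings Length............0x0028
Ident Strings...................
A2H124-24
A2H124-48
A2H124-48
Image Version Length............0x7
Image Version Bytes.............0x30 0x2e 0x35 0x2e 0x30 0x2e 0x34 (0.5.0.4)
"""

# "Name.....value": a label, a run of at least three dots, then the value.
FIELD_RE = re.compile(r"^([A-Za-z0-9 ]+?)\.{3,}(.*)$")


def parse_header(text):
    """Return the header fields as a dict; 'Ident Strings' becomes a list."""
    fields, idents, in_idents = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = FIELD_RE.match(line)
        if match:
            name, value = match.group(1).strip(), match.group(2).strip()
            in_idents = name == "Ident Strings"
            if in_idents:
                idents.extend(value.split())   # models printed on the same line
            else:
                fields[name] = value
        elif in_idents:
            idents.extend(line.split())        # models printed on following lines
    fields["Ident Strings"] = idents
    return fields


def decode_version(value):
    """Decode the ASCII codes in 'Image Version Bytes'.

    Returns (decoded string, string printed in parentheses or None).
    """
    codes = re.findall(r"0x([0-9a-fA-F]{1,2})", value)
    decoded = bytes(int(c, 16) for c in codes).decode("ascii")
    printed = re.search(r"\(([^)]*)\)", value)
    return decoded, (printed.group(1) if printed else None)


def verify_header(fields, expected_md5, model):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    md5 = fields.get("MD5 Checksum", "").lower()
    if not re.fullmatch(r"[0-9a-f]{32}", md5):
        problems.append("MD5 field missing or malformed")
    elif md5 != expected_md5.lower():
        problems.append("MD5 differs from the reference value")
    if model not in fields.get("Ident Strings", []):
        problems.append("image does not list model " + model)
    decoded, printed = decode_version(fields.get("Image Version Bytes", ""))
    if len(decoded) != int(fields.get("Image Version Length", "0x0"), 16):
        problems.append("version length does not match version bytes")
    if printed is not None and printed != decoded:
        problems.append("printed version differs from decoded bytes")
    return problems


if __name__ == "__main__":
    header = parse_header(SAMPLE_HEADER)
    print(decode_version(header["Image Version Bytes"])[0])
    # The reference MD5 here simply repeats the transcript value (constructed).
    print(verify_header(header, "fe967970996c4c8c43a10cd1cd7be99a", "A2H124-48"))
```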

Reviewing and Selecting a Boot Firmware Image


Purpose
To display and set the image file the switch loads at startup. The A2 switch allows you to download and store a backup image, which can be selected as the startup image by using the commands described in this section.

Commands
The commands used to review and select the switch's boot image file are listed below.
For information about...    Refer to page...
show boot system            3-35
set boot system             3-36

show boot system


Use this command to display the firmware image the switch loads at startup.

Syntax
show boot system

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the switch's boot firmware image:
A2(su)->show boot system
Current system image to boot: bootfile

set boot system


Use this command to set the firmware image the switch loads at startup.

Syntax
set boot system filename

Parameters
filename    Specifies the name of the firmware image file.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the boot firmware image file to newimage:
A2(su)->set boot system newimage

Starting and Configuring Telnet


Purpose
To enable or disable Telnet, and to start a Telnet session to a remote host. The SecureStack A2 switch allows a total of four inbound and/or outbound Telnet sessions to run simultaneously.

Commands
The commands used to enable, start and configure Telnet are listed below.
For information about...    Refer to page...
show telnet                 3-37
set telnet                  3-38
telnet                      3-38

show telnet
Use this command to display the status of Telnet on the switch.

Syntax
show telnet

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display Telnet status:
A2(su)->show telnet
Telnet inbound is currently: ENABLED
Telnet outbound is currently: ENABLED

set telnet
Use this command to enable or disable Telnet on the switch.

Syntax
set telnet {enable | disable} [inbound | outbound | all]

Parameters
enable | disable            Enables or disables Telnet services.
inbound | outbound | all    (Optional) Specifies inbound service (the ability to Telnet to this switch), outbound service (the ability to Telnet to other devices), or all (both inbound and outbound).

Defaults
If not specified, both inbound and outbound Telnet service will be enabled or disabled.

Mode
Switch command, read-write.

Example
This example shows how to disable inbound and outbound Telnet services:
A2(su)->set telnet disable all
Disconnect all telnet sessions and disable now (y/n)? [n]: y
All telnet sessions have been terminated, telnet is now disabled.

telnet
Use this command to start a Telnet connection to a remote host. The SecureStack A2 switch allows a total of four inbound and/or outbound Telnet sessions to run simultaneously.

Syntax
telnet host [port]

Parameters
host    Specifies the name or IP address of the remote host.
port    (Optional) Specifies the server port number.

Defaults
If not specified, the default port number 23 will be used.

Mode
Switch command, read-write.

Example
This example shows how to start a Telnet session to a host at 10.21.42.13:
A2(su)->telnet 10.21.42.13

Managing Switch Configuration and Files


Configuration Persistence Mode
The default state of configuration persistence mode is auto, which means that when CLI configuration commands are entered, or when a configuration file stored on the switch is executed, the configuration is saved to NVRAM automatically at the following intervals:

- On a standalone unit, the configuration is checked every two minutes and saved if there has been a change.
- On a stack, the configuration is saved across the stack every 30 minutes if there has been a change.

If you want to save a running configuration to NVRAM more often than the automatic intervals, execute the save config command and wait for the system prompt to return. After the prompt returns, the configuration will be persistent.

You can change the persistence mode from auto to manual with the set snmp persistmode command. If the persistence mode is set to manual, configuration commands will not be automatically written to NVRAM. Although the configuration commands will actively modify the running configuration, they will not persist across a reset unless the save config command has been executed.

Purpose
To set and view the persistence mode for CLI configuration commands, manually save the running configuration, view, manage, and execute configuration files and image files, and set and view TFTP parameters.

Commands
For information about...    Refer to page...
show snmp persistmode       3-40
set snmp persistmode        3-40
save config                 3-41
dir                         3-41
show file                   3-42
show config                 3-43
configure                   3-44
copy                        3-45
delete                      3-45
show tftp settings          3-46
set tftp timeout            3-46
clear tftp timeout          3-47
set tftp retry              3-47
clear tftp retry            3-48

show snmp persistmode


Use this command to display the configuration persistence mode setting.

Syntax
show snmp persistmode

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Usage
By default, the mode is set to auto save, which automatically saves configuration changes at specific intervals. If the mode is set to manual, configuration commands are never automatically saved. In order to make configuration changes persistent when the mode is manual, the save config command must be issued as described in Configuration Persistence Mode on page 3-39.

Example
This example shows how to display the configuration persistence mode setting. In this case, persistence mode is set to manual, which means configuration changes are not being automatically saved.
A2(su)->show snmp persistmode
persistmode is manual

set snmp persistmode


Use this command to set the configuration persistence mode, which determines whether user-defined configuration changes are saved automatically, or require issuing the save config command. See Configuration Persistence Mode on page 3-39 for more information.

Syntax
set snmp persistmode {auto | manual}

Parameters
auto      Sets the configuration persistence mode to automatic. This is the default state.
manual    Sets the configuration persistence mode to manual. In order to make configuration changes persistent, the save config command must be issued as described in save config on page 3-41. This mode is useful for reverting back to old configurations.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the configuration persistence mode to manual:
A2(su)->set snmp persistmode manual

save config
Use this command to save the running configuration on all switch members in a stack.

Syntax
save config

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to save the running configuration:
A2(su)->save config

dir
Use this command to list configuration and image files stored in the file system.

Syntax
dir [filename]

Parameters
filename    (Optional) Specifies the file name or directory to list.

Defaults
If filename is not specified, all files in the system will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to list all the configuration and image files in the system:
A2(su)->dir
Images:
==================================================================
Filename:      a2-series_01.02.10 (Active) (Boot)
Version:       01.02.10
Size:          5115904 (bytes)
Date:          Thu Apr 13 14:19:33 2006
CheckSum:      8ed356d3bb823c92ab9f659550930783
Compatibility: A2H124-24, A2H124-24P, A2H124-48, A2H124-48P, A2H124-24FX
               A2H254-16

Files:                           Size
================================ ========
configs:
logs:
current.log                      256017

show file
Use this command to display the contents of a file.

Syntax
show file filename

Parameters
filename    Specifies the name of the file to display.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display a text file named mypolicy in the configs/ directory. Note that only a portion of the file is shown in this example.
A2(rw)->show file configs/mypolicy
1 :
2 :
3 : #policy
4 :
5 : set policy profile 1 name "Check GUEST" pvid-status enable pvid 4095 untagged-vlans 1
6 :
7 : set policy profile 2 name "User LABORATORIES" pvid-status enable pvid 680 cos-status enable cos 4 untagged-vlans 680
8 :
9 : set policy profile 3 name "Administrator" pvid-status enable pvid 4095
10 :
11 : set policy profile 4 name "Guest" pvid-status enable pvid 999 cos-status enable cos 3 untagged-vlans 999
12 :
13 : set policy port fe.1.1 4
14 :
15 : set policy port fe.1.2 4

show config
Use this command to display the system configuration or write the configuration to a file.

Syntax
show config [all | facility] [outfile {configs/filename}]

Parameters
all                 (Optional) Displays default and non-default configuration settings.
facility            (Optional) Specifies the exact name of one facility for which to show configuration. For example, enter router to show only router configuration.
outfile             (Optional) Specifies that the current configuration will be written to a text file in the configs/ directory.
configs/filename    Specifies a filename in the configs/ directory to display.

Defaults
By default, show config will display all non-default configuration information for all facilities.

Mode
Switch command, read-only.

Usage
The separate facilities that can be displayed by this command are identified in the display of the current configuration by a # preceding the facility name. For example, #port indicates the facility name port.

Examples
This example shows how to write the current configuration to a file named save_config2:
A2(rw)->show config all outfile configs/save_config2

This example shows how to display configuration for the facility port.
A2(rw)->show config port
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
begin
!
#***** NON-DEFAULT CONFIGURATION *****
!
!
#port
set port jumbo disable ge.1.1
!
end
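Because each facility is introduced by a # line, a saved show config output can be split by facility and compared with an earlier capture to spot configuration drift. The following Python sketch is an added example, not part of the Enterasys guide: the function names are hypothetical and both configuration texts are constructed from the policy and port lines shown in this section.

```python
# Constructed baseline, assembled from lines shown in the examples above.
BASELINE = """\
begin
!
#***** NON-DEFAULT CONFIGURATION *****
!
#policy
set policy profile 3 name "Administrator" pvid-status enable pvid 4095
set policy profile 4 name "Guest" pvid-status enable pvid 999 cos-status enable cos 3 untagged-vlans 999
set policy port fe.1.1 4
set policy port fe.1.2 4
!
#port
set port jumbo disable ge.1.1
!
end
"""

# Constructed later capture: fe.1.2 now maps to profile 3 and the
# jumbo setting is gone.
CHANGED = """\
begin
!
#***** NON-DEFAULT CONFIGURATION *****
!
#policy
set policy profile 3 name "Administrator" pvid-status enable pvid 4095
set policy profile 4 name "Guest" pvid-status enable pvid 999 cos-status enable cos 3 untagged-vlans 999
set policy port fe.1.1 4
set policy port fe.1.2 3
!
end
"""


def split_facilities(config_text):
    """Group configuration commands under the facility named by each # line."""
    facilities = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line in ("!", "begin", "end"):
            continue                      # separators and framing lines
        if line.startswith("#"):
            name = line[1:].strip()
            if name.startswith("*"):      # banner such as #***** ... *****
                current = None
                continue
            current = name
            facilities.setdefault(current, [])
        elif current is not None:
            facilities[current].append(line)
        # Lines before the first facility (the informational text printed
        # ahead of "begin") are ignored.
    return facilities


def diff_facilities(baseline_text, current_text):
    """Return {facility: {'added': [...], 'removed': [...]}} for changes only."""
    old = split_facilities(baseline_text)
    new = split_facilities(current_text)
    report = {}
    for name in sorted(set(old) | set(new)):
        before, after = old.get(name, []), new.get(name, [])
        added = [cmd for cmd in after if cmd not in before]
        removed = [cmd for cmd in before if cmd not in after]
        if added or removed:
            report[name] = {"added": added, "removed": removed}
    return report


if __name__ == "__main__":
    for facility, change in diff_facilities(BASELINE, CHANGED).items():
        for cmd in change["removed"]:
            print(f"[{facility}] - {cmd}")
        for cmd in change["added"]:
            print(f"[{facility}] + {cmd}")
```

In the constructed data the diff reports port fe.1.2 moving from the "Guest" profile to the "Administrator" profile, the kind of change worth reviewing before save config makes it persistent.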

configure
Use this command to execute a previously downloaded configuration file stored on the switch.

Syntax
configure filename [append]

Parameters
filename    Specifies the path and file name of the configuration file to execute.
append      (Optional) Appends the configuration file contents to the current configuration. This is equivalent to typing the contents of the config file directly into the CLI and can be used, for example, to make incremental adjustments to the current configuration.

Defaults
If append is not specified, the current running configuration will be replaced with the contents of the configuration file, which will require an automated reset of the chassis.

Mode
Switch command, read-write.

Example
This example shows how to execute the Jan1_2004.cfg configuration file:
A2(su)->configure configs/Jan1_2004.cfg

copy
Use this command to upload or download an image or a CLI configuration file.

Syntax
copy source destination

Parameters
source         Specifies location and name of the source file to copy. Options are a local file path in the configs directory, or the URL of a TFTP server.
destination    Specifies location and name of the destination where the file will be copied. Options are a slot location and file name, or the URL of a TFTP server.

Defaults
None.

Mode
Switch command, read-write.

Examples
This example shows how to download an image via TFTP:
A2(su)->copy tftp://10.1.192.34/version01000 system:image

This example shows how to download a configuration file to the configs directory:
A2(su)->copy tftp://10.1.192.1/Jan1_2004.cfg configs/Jan1_2004.cfg

delete
Use this command to remove an image or a CLI configuration file from the switch.

Syntax
delete filename

Parameters
filename    Specifies the local path name to the file. Valid directories are /images and /configs.

Defaults
None.

Mode
Switch command, read-write.

Usage
Use the dir command (page 3-41) to display current image and configuration file names.

Example
This example shows how to delete the Jan1_2004.cfg configuration file:
A2(su)->delete configs/Jan1_2004.cfg

show tftp settings


Use this command to display TFTP settings used by the switch during data transfers using TFTP.

Syntax
show tftp settings

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Usage
The TFTP timeout value can be set with the set tftp timeout command. The TFTP retry value can be set with the set tftp retry command.

Example
This example shows the output of this command.
A2(ro)->show tftp settings
TFTP packet timeout (seconds): 2
TFTP max retry: 5

set tftp timeout


Use this command to configure how long TFTP will wait for a reply of either an acknowledgement packet or a data packet during a data transfer.

Syntax
set tftp timeout seconds

Parameters
seconds    Specifies the number of seconds to wait for a reply. The valid range is from 1 to 30 seconds. Default value is 2 seconds.

Defaults
None.

Mode
Switch command, read-write.

Example
This example sets the timeout period to 4 seconds.
A2(rw)->set tftp timeout 4

clear tftp timeout


Use this command to reset the TFTP timeout value to the default value of 2 seconds.

Syntax
clear tftp timeout

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear the timeout value to the default of 2 seconds.
A2(rw)->clear tftp timeout

set tftp retry


Use this command to configure how many times TFTP will resend a packet, either an acknowledgement packet or a data packet.

Syntax
set tftp retry retry

Parameters
retry    Specifies the number of times a packet will be resent. The valid range is from 1 to 1000. Default value is 5 retries.

Defaults
None.

Mode
Switch command, read-write.

Example
This example sets the retry count to 3.
A2(rw)->set tftp retry 3

clear tftp retry


Use this command to reset the TFTP retry value to the default value of 5 retries.

Syntax
clear tftp retry

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear the retry value to the default of 5 retries.
A2(rw)->clear tftp retry

Configuring CDP
Purpose
To review and configure the Enterasys CDP discovery protocol. This protocol is used to discover network topology. When enabled, this protocol allows Enterasys devices to send periodic PDUs about themselves to neighboring devices.

Commands
The commands used to review and configure the CDP discovery protocol are listed below.
For information about...    Refer to page...
show cdp                    3-49
set cdp state               3-51
set cdp auth                3-51
set cdp interval            3-52
set cdp hold-time           3-53
clear cdp                   3-53
show neighbors              3-54

show cdp
Use this command to display the status of the CDP discovery protocol and message interval on one or more ports.

Syntax
show cdp [port-string]

Parameters
port-string    (Optional) Displays CDP status for a specific port. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.

Defaults
If port-string is not specified, all CDP information will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display CDP information for ports fe.1.1 through fe.1.9:
A2(su)->show cdp fe.1.1-9
CDP Global Status        :auto-enable
CDP Version Supported    :30 hex
CDP Hold Time            :180
CDP Authentication Code  :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 hex
CDP Transmit Frequency   :60

Port     Status
-------  -----------
fe.1.1   auto-enable
fe.1.2   auto-enable
fe.1.3   auto-enable
fe.1.4   auto-enable
fe.1.5   auto-enable
fe.1.6   auto-enable
fe.1.7   auto-enable
fe.1.8   auto-enable
fe.1.9   auto-enable

Table 3-4 provides an explanation of the command output.

Table 3-4    show cdp Output Details

Output                     What It Displays...
CDP Global Status          Whether CDP is globally auto-enabled, enabled or disabled. The default state of auto-enabled can be reset with the set cdp state command. For details, refer to set cdp state on page 3-51.
CDP Versions Supported     CDP version number(s) supported by the switch.
CDP Hold Time              Minimum time interval (in seconds) at which CDP configuration messages can be set. The default of 180 seconds can be reset with the set cdp hold-time command. For details, refer to set cdp hold-time on page 3-53.
CDP Authentication Code    Authentication code for CDP discovery protocol. The default of 00-00-00-00-00-00-00-00 can be reset using the set cdp auth command. For details, refer to set cdp auth on page 3-51.
CDP Transmit Frequency     Frequency (in seconds) at which CDP messages can be transmitted. The default of 60 seconds can be reset with the set cdp interval command. For details, refer to set cdp interval on page 3-52.
Port                       Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Status                     Whether CDP is enabled, disabled or auto-enabled on the port.

set cdp state


Use this command to enable or disable the CDP discovery protocol on one or more ports.

Syntax
set cdp state {auto | disable | enable} [port-string]

Parameters
auto | disable | enable    Auto-enables, disables or enables the CDP protocol on the specified port(s). In auto-enable mode, which is the default mode for all ports, a port automatically becomes CDP-enabled upon receiving its first CDP message.
port-string                (Optional) Enables or disables CDP on specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.

Defaults
If port-string is not specified, the CDP state will be globally set.

Mode
Switch command, read-write.

Examples
This example shows how to globally enable CDP:
A2(su)->set cdp state enable

This example shows how to enable the CDP for port fe.1.2:
A2(su)->set cdp state enable fe.1.2

This example shows how to disable the CDP for port fe.1.2:
A2(su)->set cdp state disable fe.1.2

set cdp auth


Use this command to set a global CDP authentication code.

Syntax
set cdp auth auth-code

Parameters
auth-code    Specifies an authentication code for the CDP protocol. This can be up to 16 hexadecimal values separated by commas.

Defaults
None.

Mode
Switch command, read-write.

Usage
The authentication code value determines a switch's CDP domain. If two or more switches have the same CDP authentication code, they will be entered into each other's CDP neighbor tables. If they have different authentication codes, they are in different domains and will not be entered into each other's CDP neighbor tables.

A switch with the default authentication code (16 null characters) will recognize all switches, no matter what their authentication code, and enter them into its CDP neighbor table.

Example
This example shows how to set the CDP authentication code to 1,2,3,4,5,6,7,8:
A2(su)->set cdp auth 1,2,3,4,5,6,7,8
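The Usage rule above is asymmetric: a switch left on the default code lists every CDP speaker it hears, while switches with a configured code do not list it in return. The following Python sketch is an added example, not part of the Enterasys guide or firmware; it models that rule for an inventory of switches and reports which ones still use the default code. The switch names are constructed, all switches are assumed to be adjacent, and padding a short code with trailing 00 bytes is an assumption.

```python
import re

DEFAULT_AUTH = bytes(16)  # the default code: 16 null bytes


def parse_auth_code(text):
    """Parse an auth code written as hex values separated by commas or spaces.

    Accepts the 'set cdp auth' form (1,2,3,4,5,6,7,8) and the 'show cdp'
    display form (:00 00 ... 00 hex). Assumption: when fewer than 16 values
    are given, the remaining bytes are 00.
    """
    cleaned = text.strip().lstrip(":")
    tokens = [t for t in re.split(r"[,\s]+", cleaned) if t and t.lower() != "hex"]
    if not 1 <= len(tokens) <= 16:
        raise ValueError("expected 1 to 16 hexadecimal values")
    values = [int(t, 16) for t in tokens]
    if any(not 0 <= v <= 0xFF for v in values):
        raise ValueError("each value must fit in one byte")
    return bytes(values) + bytes(16 - len(values))


def enters_table(receiver_code, sender_code):
    """True if the receiver would add the sender to its CDP neighbor table."""
    return receiver_code == DEFAULT_AUTH or receiver_code == sender_code


def neighbor_tables(switches):
    """Map each switch name to the sorted names it would list as neighbors."""
    return {
        rx: sorted(
            tx for tx in switches
            if tx != rx and enters_table(switches[rx], switches[tx])
        )
        for rx in switches
    }


def one_way_pairs(tables):
    """Pairs (a, b) where a lists b but b does not list a."""
    return sorted(
        (a, b) for a, seen in tables.items() for b in seen if a not in tables[b]
    )


def default_code_switches(switches):
    """Names of switches still on the default code, which accept any sender."""
    return sorted(n for n, code in switches.items() if code == DEFAULT_AUTH)


# Constructed inventory: names and code assignments are illustrative only.
SWITCHES = {
    "core-1": parse_auth_code("1,2,3,4,5,6,7,8"),
    "core-2": parse_auth_code("1,2,3,4,5,6,7,8"),
    "lab": parse_auth_code("a,b"),
    "closet": parse_auth_code(":00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 hex"),
}

if __name__ == "__main__":
    tables = neighbor_tables(SWITCHES)
    for name, seen in tables.items():
        print(f"{name:7s} lists {seen}")
    print("one-way:", one_way_pairs(tables))
    print("default code:", default_code_switches(SWITCHES))
```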

set cdp interval


Use this command to set the message interval frequency (in seconds) of the CDP discovery protocol.

Syntax
set cdp interval frequency

Parameters
frequency    Specifies the transmit frequency of CDP messages in seconds. Valid values are from 5 to 900 seconds.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the CDP interval frequency to 15 seconds:
A2(su)->set cdp interval 15

set cdp hold-time


Use this command to set the hold time value for CDP discovery protocol configuration messages.

Syntax
set cdp hold-time hold-time

Parameters
hold-time    Specifies the hold time value for CDP messages in seconds. Valid values are from 15 to 600.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set CDP hold time to 60 seconds:
A2(su)->set cdp hold-time 60

clear cdp
Use this command to reset CDP discovery protocol settings to defaults.

Syntax
clear cdp {[state] [port-state port-string] [interval] [hold-time] [auth-code]}

Parameters
state                     (Optional) Resets the global CDP state to auto-enabled.
port-state port-string    (Optional) Resets the port state on specific port(s) to auto-enabled.
interval                  (Optional) Resets the message frequency interval to 60 seconds.
hold-time                 (Optional) Resets the hold time value to 180 seconds.
auth-code                 (Optional) Resets the authentication code to 16 bytes of 00 (00-00-00-00-00-00-00-00).

Defaults
At least one optional parameter must be entered.

Mode
Switch command, read-write.

Example
This example shows how to reset the CDP state to auto-enabled:
A2(su)->clear cdp state

show neighbors
This command displays Neighbor Discovery information for either the CDP or Cisco DP protocols.

Syntax
show neighbors [port-string]

Parameters
port-string    (Optional) Specifies the port or ports for which to display Neighbor Discovery information.

Defaults
If no port is specified, all Neighbor Discovery information is displayed.

Mode
Switch command, read-only.

Usage
This command displays information discovered by both the CDP and the Cisco DP protocols.

Example
This example displays Neighbor Discovery information for all ports.
A2(su)->show neighbors
Port    Device ID          Port ID      Type  Network Address
------------------------------------------------------------------------------
ge.1.6  00-01-f4-00-72-fe  140.2.4.102  cdp   140.2.4.102
ge.1.6  00-01-f4-00-70-8a  140.2.4.104  cdp   140.2.4.104
ge.1.6  00-01-f4-c5-f7-20  140.2.4.101  cdp   140.2.4.101
ge.1.6  00-01-f4-89-4f-ae  140.2.4.105  cdp   140.2.4.105
ge.1.6  00-01-f4-5f-1f-c0  140.2.1.11   cdp   140.2.1.11

Clearing and Closing the CLI


Purpose
To clear the CLI screen or to close your CLI session.

Commands
The commands used to clear and close the CLI session are listed below.
For information about...    Refer to page...
cls                         3-55
exit                        3-56

cls (clear screen)


Use this command to clear the screen for the current CLI session.

Syntax
cls

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to clear the CLI screen:
A2(su)->cls

exit
Use either of these commands to leave a CLI session.

Syntax
exit

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Usage
By default, switch timeout occurs after 15 minutes of user inactivity, automatically closing your CLI session. Use the set logout command (page 3-26) to change this default.

Example
This example shows how to exit a CLI session:
A2(su)->exit

Resetting the Switch


Purpose
To reset one or more switches, and to clear the user-defined configuration parameters.

Commands
The commands used to reset the switch and clear the configuration are listed below.
For information about...    Refer to page...
reset                       3-57
clear config                3-58

reset
Usethiscommandtoresettheswitchwithoutlosinganyuserdefinedconfigurationsettings.

Syntax
reset [unit]

Parameters
unit (Optional)Specifiesaunittobereset.

Defaults
IfnounitIDisspecified,theentiresystemwillbereset.

Mode
Switchcommand,readwrite.

Usage
ASecureStackA2switchcanalsoberesetwiththeRESETbuttonlocatedonitsfrontpanel.For informationonhowtodothis,refertotheSecureStackA2InstallationGuideshippedwithyour switch.

Examples
Thisexampleshowshowtoresetthesystem:
A2(su)->reset Are you sure you want to reload the stack? (y/n) y Saving Configuration to stacking members Reloading all switches.

Thisexampleshowshowtoresetunit1inthestack:
A2(su)->reset 1

SecureStack A2 Configuration Guide

3-57

clear config

Are you sure you want to reload the switch? (y/n) y Reloading switch 1. This switch is manager of the stack. STACK: detach 3 units

clear config
Use this command to clear the user-defined configuration parameters.

Syntax
clear config [all]

Parameters
all    (Optional) Clears user-defined configuration parameters and stack unit numbers and priorities.

Defaults
If all is not specified, stacking configuration parameters will not be cleared.

Mode
Switch command, read-write.

Usage
When using the clear config command to clear configuration parameters in a stack, it is important to remember the following:
- Use clear config to clear configuration parameters without clearing stack unit IDs. This command WILL NOT clear stack parameters and avoids the process of renumbering the stack.
- Use clear config all when it is necessary to clear all configuration parameters, including stack unit IDs and switch priority values.
- Use the clear ip address command to clear the IP address.

Configuration parameters and stacking information can also be cleared on the master unit only by selecting option 10 (restore configuration to factory defaults) from the boot menu on switch startup. This selection will leave stacking priorities on all other units.

Example
This example shows how to clear configuration parameters including stacking parameters:
A2(su)->clear config all


Using and Configuring WebView


Purpose
By default, WebView (The Enterasys Networks embedded web server for switch configuration and management tasks) is enabled on TCP port number 80 on the SecureStack A2 switch. You can verify WebView status, and enable or disable WebView using the commands described in this section. WebView can also be securely used over SSL port 443, if SSL is enabled on the switch. By default, SSL is disabled.

To use WebView, type the IP address of the switch in your browser. To use WebView over SSL, type in https:// then the IP address of the switch. For example, https://172.16.2.10.

Commands
The commands to configure WebView and SSL are described below.
For information about...    Refer to page...
show webview                3-59
set webview                 3-60
show ssl                    3-60
set ssl                     3-61

show webview
Use this command to display WebView status.

Syntax
show webview

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display WebView status:
A2(rw)->show webview
WebView is Enabled.


set webview
Use this command to enable or disable WebView on the switch.

Syntax
set webview {enable | disable}

Parameters
enable | disable    Enable or disable WebView on the switch.

Defaults
None.

Mode
Switch command, read-write.

Usage
It is good practice for security reasons to disable HTTP access on the switch when finished configuring with WebView, and then to only enable WebView on the switch when changes need to be made.

Example
This example shows how to disable WebView on the switch:
A2(rw)->set webview disable

show ssl
Use this command to display SSL status.

Syntax
show ssl

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display SSL status:
A2(rw)->show ssl
SSL status: Enabled


set ssl
Use this command to enable or disable the use of WebView over SSL port 443. By default, SSL is disabled on the switch. This command can also be used to reinitialize the host key that is used for encryption.

Syntax
set ssl {enabled | disabled | reinitialize | hostkey reinitialize}

Parameters
enabled | disabled      Enable or disable the ability to use WebView over SSL.
reinitialize            Stops and then restarts the SSL process.
hostkey reinitialize    Stops SSL, regenerates new keys, and then restarts SSL.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to enable SSL:
A2(rw)->set ssl enabled


4
Port Configuration
This chapter describes the Port Configuration set of commands and how to use them.
For information about...                           Refer to page...
Port Configuration Summary                         4-1
Reviewing Port Status                              4-4
Disabling / Enabling and Naming Ports              4-7
Setting Speed and Duplex Mode                      4-10
Enabling / Disabling Jumbo Frame Support           4-13
Setting Auto-Negotiation and Advertised Ability    4-15
Setting Flow Control                               4-19
Setting Port Link Traps                            4-21
Configuring Broadcast Suppression                  4-22
Port Mirroring                                     4-25
Link Aggregation Control Protocol (LACP)           4-28
Configuring Protected Ports                        4-42

Port Configuration Summary


A2H124-24 and A2H124-24P Switch Ports
The A2H124-24 and A2H124-24P stackable devices provide the following types of switch port connections:
- 24 RJ45 10/100 Mbps Fast Ethernet copper ports.
- 2 SFP slots (labeled port 27 and 28) that provide the option of installing Small Form Pluggable (SFP) Mini-GBICs for 1000BASE-T compliant copper connections or 1000BASE-SX\LX fiber-optic connections.
- 2 1000BASE-T RJ45 connectors (labeled port 25 and 26) that can be used for stack connections when the switch is operating in a stack configuration, or as standard switch ports when the switch is operating as a standalone device.

A2H124-48 and A2H124-48P Switch Ports

The A2H124-48 and A2H124-48P stackable devices provide the following types of switch port connections:
- 48 RJ45 10/100 Mbps Fast Ethernet copper ports.
- 2 SFP slots (labeled port 51 and 52) that provide the option of installing Small Form Pluggable (SFP) Mini-GBICs for 1000BASE-T compliant copper connections or 1000BASE-SX\LX fiber-optic connections.
- 2 1000BASE-T RJ45 connectors (labeled port 49 and 50) that can be used for stack connections when the switch is operating in a stack configuration, or as standard switch ports when the switch is operating as a standalone device.

A2H124-24FX Switch Ports

The A2H124-24FX stackable device provides the following types of switch port connections:
- 24 100BASE-FX multimode MT-RJ fiber-optic ports.
- 2 SFP slots (labeled port 27 and 28) that provide the option of installing Small Form Pluggable (SFP) Mini-GBICs for 1000BASE-T compliant copper connections or 1000BASE-SX\LX fiber-optic connections.
- 2 1000BASE-T RJ45 connectors (labeled port 25 and 26) that can be used for stack connections when the switch is operating in a stack configuration, or as standard switch ports when the switch is operating as a standalone device.

A2H254-16 Switch Ports

The A2H254-16 stackable device provides the following types of switch port connections:
- 8 100BASE-T 10/100 Mbps copper RJ45 ports (odd numbered 1-15).
- 8 100BASE-FX multimode MT-RJ ports (even numbered 2-16).
- 2 SFP slots (labeled port 19 and 20) that provide the option of installing Small Form Pluggable (SFP) Mini-GBICs for 1000BASE-T compliant copper connections or 1000BASE-SX\LX fiber-optic connections.
- 2 1000BASE-T RJ45 connectors (labeled port 17 and 18) that can be used for stack connections when the switch is operating in a stack configuration, or as standard switch ports when the switch is operating as a standalone device.

Port String Syntax Used in the CLI


Commands requiring a port-string parameter use the following syntax to designate port type, slot location, and port number:

port type.unit number.port number

Where port type can be:
- fe for 100 Mbps Ethernet
- ge for 1 Gbps Ethernet
- tg for 10 Gbps Ethernet
- host for the host port
- vlan for vlan interfaces
- lag for IEEE 802.3 link aggregation ports

Unit number can be:
- 1 - 8 for switch units in a SecureStack A2 stack

Port number can be:
- 1 - 52 for the A2H124-48 and A2H124-48P
- 1 - 28 for the A2H124-24, A2H124-24P, and A2H124-24FX
- 1 - 20 for the A2H254-16

The highest valid port number is dependent on the number of ports in the device and the port type.

Examples
Note: You can use a wildcard (*) to indicate all of an item. For example, fe.3.* would represent all 100Mbps Ethernet (fe) ports in unit 3 in the stack.

This example shows the port-string syntax for specifying the 100 Mbps Ethernet ports 1 through 10 in unit 1 in the stack.
fe.1.1-10

This example shows the port-string syntax for specifying the 1-Gigabit Ethernet port 14 in unit 3 in the stack.
ge.3.14

This example shows the port-string syntax for specifying the first 10-Gigabit Ethernet port of unit 3 in the stack.
tg.3.25

This example shows the port-string syntax for specifying all 1-Gigabit Ethernet ports in unit 3 in the stack.
ge.3.*

This example shows the port-string syntax for specifying all ports (of any interface type) in all units in the stack.
*.*.*
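
The port-string forms shown above (single port, range, and * wildcard), expanded and validated in Python as an added example that is not part of the guide or the switch firmware. The inventory (two 24-port units with fe ports 1-24 and ge ports 25-28), the in-service list and all function names are assumptions made for illustration; the script also builds set port disable lines, a command described later in this chapter, for every port not listed as in service.

```python
import re

PORT_TYPES = ("fe", "ge", "tg", "host", "vlan", "lag")  # port types listed in the guide
UNITS = range(1, 9)                                      # stack units 1-8

# Constructed inventory (assumption): two 24-port units, fe ports 1-24, ge ports 25-28.
SAMPLE_INVENTORY = {
    1: {"fe": range(1, 25), "ge": range(25, 29)},
    2: {"fe": range(1, 25), "ge": range(25, 29)},
}

_NUM_FIELD = re.compile(r"\d+(-\d+)?")


class PortStringError(ValueError):
    """Raised for a port string that is malformed or matches no port."""


def _order(port):
    """Sort key: unit, then port type in the guide's order, then port number."""
    unit, ptype, number = port
    return unit, PORT_TYPES.index(ptype), number


def _span(field, what):
    """Turn 'N' or 'N-M' into an inclusive range; reject anything else."""
    if not _NUM_FIELD.fullmatch(field):
        raise PortStringError(f"bad {what} field: {field!r}")
    lo, _, hi = field.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if lo > hi:
        raise PortStringError(f"descending {what} range: {field!r}")
    return range(lo, hi + 1)


def expand(port_string, inventory):
    """Expand one port string into sorted (unit, type, port) tuples that exist."""
    fields = port_string.strip().split(".")
    if len(fields) != 3:
        raise PortStringError(f"expected type.unit.port, got {port_string!r}")
    ptype, unit, port = fields
    if ptype != "*" and ptype not in PORT_TYPES:
        raise PortStringError(f"unknown port type: {ptype!r}")
    types = PORT_TYPES if ptype == "*" else (ptype,)
    if unit == "*":
        units = sorted(inventory)
    else:
        units = list(_span(unit, "unit"))
        absent = [u for u in units if u not in UNITS or u not in inventory]
        if absent:
            raise PortStringError(f"unit(s) not in stack: {absent}")
    wanted = None if port == "*" else _span(port, "port")
    exact = "*" not in (ptype, unit)  # explicit type and unit: every port must exist
    found = []
    for u in units:
        for t in types:
            have = inventory[u].get(t, ())
            if wanted is None:
                found += [(u, t, p) for p in have]
                continue
            missing = [p for p in wanted if p not in have]
            if missing and exact:
                raise PortStringError(f"{t}.{u} has no port(s) {missing}")
            found += [(u, t, p) for p in wanted if p in have]
    if not found:
        raise PortStringError(f"{port_string!r} matches no port")
    return sorted(found, key=_order)


def compress(ports):
    """Collapse (unit, type, port) tuples into the fewest range port strings."""
    out, start, prev = [], None, None
    for cur in sorted(set(ports), key=_order) + [None]:  # None flushes the last run
        if prev and cur and cur[:2] == prev[:2] and cur[2] == prev[2] + 1:
            prev = cur
            continue
        if prev:
            unit, ptype, lo = start
            span = str(lo) if lo == prev[2] else f"{lo}-{prev[2]}"
            out.append(f"{ptype}.{unit}.{span}")
        start = prev = cur
    return out


def disable_commands(inventory, in_use):
    """Build 'set port disable' lines for every port not named in in_use."""
    keep = set()
    for port_string in in_use:
        keep.update(expand(port_string, inventory))
    unused = [p for p in expand("*.*.*", inventory) if p not in keep]
    return [f"set port disable {s}" for s in compress(unused)]


if __name__ == "__main__":
    # Constructed list of ports that are in service; every other port is disabled.
    in_service = ["fe.1.1-10", "ge.1.25", "fe.2.*", "ge.2.25-26"]
    for line in disable_commands(SAMPLE_INVENTORY, in_service):
        print(line)
```

Review the generated lines before applying them: uplinks and any ports used for stack connections must appear in the in-service list, or they are disabled along with the unused ports.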


Reviewing Port Status


Purpose
To display operating status, duplex mode, speed, port type, and statistical information about traffic received and transmitted through one or all switch ports on the device.

Commands
The commands used to review port status are listed below.
For information about...    Refer to page...
show port                   4-4
show port status            4-5
show port counters          4-6

show port
Use this command to display whether or not one or more ports are enabled for switching.

Syntax
show port [port-string]

Parameters
port-string    (Optional) Displays operational status for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, operational status information for all ports will be displayed.

Mode
Switch command, read-only.

Usage
On the A2H254-16, switch ports 19 and 20 are shown as ports 17 and 18. On the A2H124-24FX, switch ports 27 and 28 are shown as ports 25 and 26.

Example
This example shows how to display operational status information for fe.3.14:
A2(su)->show port fe.3.14
Port fe.3.14 enabled


show port status


Use this command to display operating and admin status, speed, duplex mode and port type for one or more ports on the device.

Syntax
show port status [port-string]

Parameters
port-string    (Optional) Displays status for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, status information for all ports will be displayed.

Mode
Switch command, read-only.

Usage
The front panel Stacking Ports will only be displayed with the show port status command when they are in Ethernet mode. For information on configuring front panel stack ports refer to Configuring Standalone A2 Stack Ports on page 2-5.

Example
This example shows how to display status information for fe.3.14:
A2(su)->show port status fe.3.14
Port         Alias          Oper    Admin   Speed    Duplex  Type
             (truncated)    Status  Status
------------ -------------- ------- ------- -------- ------- -------------
fe.3.14                     up      up      N/A      N/A     BaseT RJ45

Table 4-1 provides an explanation of the command output.

Table 4-1    show port status Output Details
Output               What It Displays...
Port                 Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
Alias (truncated)    Alias configured for the port. For details on using the set port alias command, refer to set port alias on page 4-9.
Oper Status          Operating status (up or down).
Admin Status         Whether the specified port is enabled (up) or disabled (down). For details on using the set port disable command to change the default port status of enabled, refer to set port disable on page 4-8. For details on using the set port enable command to re-enable ports, refer to set port enable on page 4-8.
Speed                Operational speed in Mbps or Kbps of the specified port. For details on using the set port speed command to change defaults, refer to set port speed on page 4-11.
Duplex               Duplex mode (half or full) of the specified port. For details on using the set port duplex command to change defaults, refer to Setting Auto-Negotiation and Advertised Ability on page 4-15.
Type                 Physical port and interface type.

show port counters


Use this command to display port counter statistics detailing traffic through the device and through all MIB2 network devices.

Syntax
show port counters [port-string] [switch | mib2]

Parameters
port-string      (Optional) Displays counter statistics for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
switch | mib2    (Optional) Displays switch or MIB2 statistics. Switch statistics detail performance of the SecureStack A2 device. MIB2 interface statistics detail performance of all network devices.

Defaults
If port-string is not specified, counter statistics will be displayed for all ports.
If mib2 or switch are not specified, all counter statistics will be displayed for the specified port(s).

Mode
Switch command, read-only.

Examples
This example shows how to display all counter statistics, including MIB2 network traffic and traffic through the device for fe.3.1:
A2(su)->show port counters fe.3.1

Port: fe.3.1        MIB2 Interface: 1
No counter discontinuity time
-----------------------------------------------------------------

MIB2 Interface Counters
-----------------------
In Octets                0
In Unicast Pkts          0
In Multicast Pkts        0
In Broadcast Pkts        0
In Discards              0
In Errors                0
Out Octets               0
Out Unicasts Pkts        0
Out Multicast Pkts       0
Out Broadcast Pkts       0
Out Errors               0

802.1Q Switch Counters
----------------------
Frames Received          0
Frames Transmitted       0

This example shows how to display all fe.3.1 port counter statistics related to traffic through the device.
A2(su)->show port counters fe.3.1 switch

Port: fe.3.1        Bridge Port: 2

802.1Q Switch Counters
-----------------------
Frames Received          0
Frames Transmitted       0

Table 4-2 provides an explanation of the command output.

Table 4-2    show port counters Output Details
Output                     What It Displays...
Port                       Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
MIB2 Interface             MIB2 interface designation.
Bridge Port                IEEE 802.1D bridge port designation.
MIB2 Interface Counters    MIB2 network traffic counts
802.1Q Switch Counters     Counts of frames received, transmitted, and filtered.


Disabling / Enabling and Naming Ports


Purpose
To disable and re-enable one or more ports, and to assign an alias to a port. By default, all ports are enabled at device startup. You may want to disable ports for security or to troubleshoot network issues. Ports may also be assigned an alias for convenience.

Commands
The commands used to enable, disable, and name ports are listed below.
For information about...    Refer to page...
set port disable            4-8
set port enable             4-8
show port alias             4-9
set port alias              4-9

set port disable

Use this command to administratively disable one or more ports. When this command is executed, in addition to disabling the physical Ethernet link, the port will no longer learn entries in the forwarding database.

Syntax
set port disable port-string

Parameters
port-string    Specifies the port(s) to disable. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to disable fe.1.1:
A2(su)->set port disable fe.1.1


set port enable


Use this command to administratively enable one or more ports.

Syntax
set port enable port-string

Parameters
port-string    Specifies the port(s) to enable. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to enable fe.1.3:
A2(su)->set port enable fe.1.3

show port alias


Use this command to display the alias name for one or more ports.

Syntax
show port alias [port-string]

Parameters
port-string    (Optional) Displays alias name(s) for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, aliases for all ports will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display alias information for ports 1-3 on unit 3:
A2(rw)->show port alias ge.3.1-3
Port ge.3.1 user
Port ge.3.2 user
Port ge.3.3 Admin


set port alias


Use this command to assign an alias name to a port.

Syntax
set port alias port-string [name]

Parameters
port-string    Specifies the port to which an alias will be assigned. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
name           (Optional) Assigns an alias name to the port. If the alias name contains spaces, the text string must be surrounded by double quotes. Maximum length is 60 characters.

Defaults
If name is not specified, the alias assigned to the port will be cleared.

Mode
Switch command, read-write.

Examples
This example shows how to assign the alias Admin to ge.3.3:
A2(rw)->set port alias ge.3.3 Admin

This example shows how to clear the alias for ge.3.3:
A2(rw)->set port alias ge.3.3


Setting Speed and Duplex Mode


Purpose
To review and set the operational speed in Mbps and the default duplex mode: Half, for half duplex, or Full, for full duplex for one or more ports.
Note: These settings only take effect on ports that have auto-negotiation disabled.

Commands
The commands used to review and set port speed and duplex mode are listed below.
For information about...    Refer to page...
show port speed             4-10
set port speed              4-11
show port duplex            4-11
set port duplex             4-15

show port speed

Use this command to display the default speed setting on one or more ports.

Syntax
show port speed [port-string]

Parameters
port-string    (Optional) Displays default speed setting(s) for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, default speed settings for all ports will display.

Mode
Switch command, read-only.

Example
This example shows how to display the default speed setting for 1-Gigabit Ethernet port 14 in unit 3:
A2(su)->show port speed ge.3.14
default speed is 10 on port ge.3.14.


set port speed


Use this command to set the default speed of one or more ports. This setting only takes effect on ports that have auto-negotiation disabled.

Syntax
set port speed port-string {10 | 100 | 1000}

Parameters
port-string        Specifies the port(s) for which a speed value will be set. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
10 | 100 | 1000    Specifies the port speed. Valid values are: 10 Mbps, 100 Mbps, or 1000 Mbps.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set fe.3.3 to a port speed of 10 Mbps:
A2(su)->set port speed fe.3.3 10

show port duplex


Use this command to display the default duplex setting (half or full) for one or more ports.

Syntax
show port duplex [port-string]

Parameters
port-string    (Optional) Displays default duplex setting(s) for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, default duplex settings for all ports will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display the default duplex setting for Gigabit Ethernet port 14 in unit 3:
A2(su)->show port duplex ge.3.14
default duplex mode is full on port ge.3.14.

set port duplex


Use this command to set the default duplex type for one or more ports. This command will only take effect on ports that have auto-negotiation disabled.

Syntax
set port duplex port-string {full | half}

Parameters
port-string    Specifies the port(s) for which duplex type will be set. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
full | half    Sets the port(s) to full-duplex or half-duplex operation.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set Fast Ethernet port 17 in unit 1 to full duplex:
A2(su)->set port duplex fe.1.17 full


Enabling / Disabling Jumbo Frame Support


Purpose
To review, enable, and disable jumbo frame support on one or more ports. This allows Gigabit Ethernet ports to transmit frames up to 10 KB in size.

Commands
The commands used to review, enable and disable jumbo frame support are listed below.
For information about...    Refer to page...
show port jumbo             4-13
set port jumbo              4-14
clear port jumbo            4-14

show port jumbo

Use this command to display the status of jumbo frame support and maximum transmission units (MTU) on one or more ports.

Syntax
show port jumbo [port-string]

Parameters
port-string    (Optional) Displays the status of jumbo frame support for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, jumbo frame support status for all ports will display.

Mode
Switch command, read-only.

Example
This example shows how to display the status of jumbo frame support for ge.1.1:
A2(su)->show port jumbo ge.1.1
Port Number   Jumbo Status    Max Frame Size
------------- --------------- ------------------
ge.1.1        Enable          9216


set port jumbo


Use this command to enable or disable jumbo frame support on one or more ports.

Syntax
set port jumbo {enable | disable} [port-string]

Parameters
enable | disable    Enables or disables jumbo frame support.
port-string         (Optional) Specifies the port(s) on which to disable or enable jumbo frame support. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, jumbo frame support will be enabled or disabled on all ports.

Mode
Switch command, read-write.

Example
This example shows how to enable jumbo frame support for Gigabit Ethernet port 14 in unit 3:
A2(su)->set port jumbo enable ge.3.14

clear port jumbo


Use this command to reset jumbo frame support status to enabled on one or more ports.

Syntax
clear port jumbo [port-string]

Parameters
port-string    (Optional) Specifies the port(s) on which to reset jumbo frame support status to enabled. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, jumbo frame support status will be reset on all ports.

Mode
Switch command, read-write.

Example
This example shows how to reset jumbo frame support status for Gigabit Ethernet port 14 in unit 3:
A2(su)->clear port jumbo ge.3.14


Setting Auto-Negotiation and Advertised Ability


Purpose
To review, disable or enable auto-negotiation, and to configure port advertisement for speed and duplex.

During auto-negotiation, the port tells the device at the other end of the segment what its capabilities and mode of operation are. If auto-negotiation is disabled, the port reverts to the values specified by default speed, default duplex, and the port flow control commands.

In normal operation, with all capabilities enabled, advertised ability enables a port to advertise that it has the ability to operate in any mode. The user may choose to configure a port so that only a portion of its capabilities are advertised and the others are disabled.
Note: Advertised ability can be activated only on ports that have auto-negotiation enabled.

Commands
The commands used to review and configure auto-negotiation and advertised ability are listed below:
For information about...    Refer to page...
show port negotiation       4-15
set port negotiation        4-16
show port advertise         4-16
set port advertise          4-17
clear port advertise        4-18

show port negotiation

Use this command to display the status of auto-negotiation for one or more ports.

Syntax
show port negotiation [port-string]

Parameters
port-string    (Optional) Displays auto-negotiation status for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, auto-negotiation status for all ports will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display auto-negotiation status for 1-Gigabit Ethernet port 14 in unit 3:
A2(su)->show port negotiation ge.3.14
auto-negotiation is enabled on port ge.3.14.

set port negotiation


Use this command to enable or disable auto-negotiation on one or more ports.

Syntax
set port negotiation port-string {enable | disable}

Parameters
port-string         Specifies the port(s) for which to enable or disable auto-negotiation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
enable | disable    Enables or disables auto-negotiation.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to disable auto-negotiation on 1-Gigabit Ethernet port 14 in unit 3:
A2(su)->set port negotiation ge.3.14 disable

show port advertise


Use this command to display port capability and advertisement as far as speed and duplex for auto-negotiation.

Syntax
show port advertise [port-string]

Parameters
port-string    (Optional) Displays advertised ability for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, advertisement for all ports will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display advertisement status for Gigabit ports 13 and 14:
A2(su)->show port advertise ge.1.13-14
ge.1.13         capability   advertised   remote
-------------------------------------------------
10BASE-T        yes          yes          yes
10BASE-TFD      yes          yes          yes
100BASE-TX      yes          yes          yes
100BASE-TXFD    yes          yes          yes
1000BASE-T      no           no           no
1000BASE-TFD    yes          yes          yes
pause           yes          yes          no

ge.1.14         capability   advertised   remote
-------------------------------------------------
10BASE-T        yes          yes          yes
10BASE-TFD      yes          yes          yes
100BASE-TX      yes          yes          yes
100BASE-TXFD    yes          yes          yes
1000BASE-T      no           no           no
1000BASE-TFD    yes          yes          yes
pause           yes          yes          no

set port advertise


Use this command to configure what a port will advertise for speed/duplex capabilities in auto-negotiation.

Syntax
set port advertise {port-string}{10t | 10tfd | 100tx | 100txfd | 1000t | 1000tfd | pause}

Parameters
port-string    Select the ports for which to configure advertisements. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
10t            Advertise 10BASE-T half duplex mode.
10tfd          Advertise 10BASE-T full duplex mode.
100tx          Advertise 100BASE-TX half duplex mode.
100txfd        Advertise 100BASE-TX full duplex mode.
1000t          Advertise 1000BASE-T half duplex mode.
1000tfd        Advertise 1000BASE-T full duplex mode.
pause          Advertise PAUSE for full duplex links.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to configure port 1 to advertise 1000BASE-T full duplex:
A2(su)->set port advertise ge.1.1 1000tfd

clear port advertise


Use this command to configure a port to not advertise a specific speed/duplex capability when auto-negotiating with another port.

Syntax
clear port advertise {port-string}{10t | 10tfd | 100tx | 100txfd | 1000t | 1000tfd | pause}

Parameters
port-string    Clear advertisements for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
10t            Do not advertise 10BASE-T half duplex mode.
10tfd          Do not advertise 10BASE-T full duplex mode.
100tx          Do not advertise 100BASE-TX half duplex mode.
100txfd        Do not advertise 100BASE-TX full duplex mode.
1000t          Do not advertise 1000BASE-T half duplex mode.
1000tfd        Do not advertise 1000BASE-T full duplex mode.
pause          Do not advertise PAUSE for full duplex links.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to configure port 1 to not advertise 10 MB capability for auto-negotiation:
A2(su)->clear port advertise ge.1.1 10t 10tfd


Setting Flow Control


Purpose
To review, enable or disable port flow control. Flow control is used to manage the transmission between two devices as specified by IEEE 802.3x to prevent receiving ports from being overwhelmed by frames from transmitting devices.

Commands
The commands used to review and set port flow control are listed below:
For information about...    Refer to page...
show flowcontrol            4-19
set flowcontrol             4-20

show flowcontrol
Use this command to display the flow control state.

Syntax
show flowcontrol

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the port flow control state:
A2(su)->show flowcontrol
Flow control status: enabled


set flowcontrol
Use this command to enable or disable flow control.

Syntax
set flowcontrol {enable | disable}

Parameters
enable | disable    Enables or disables flow control settings.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to enable flow control:
A2(su)->set flowcontrol enable


Setting Port Link Traps


Purpose
To disable or re-enable link traps, and to display link trap status. By default, all ports are enabled to send SNMP trap messages indicating changes to their link status (up or down).

Commands
For information about...    Refer to page...
show port trap              4-21
set port trap               4-21

show port trap

Use this command to display whether the port is enabled for generating an SNMP trap message if its link state changes.

Syntax
show port trap [port-string]

Parameters
port-string    (Optional) Displays link trap status for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, the trap status for all ports will be displayed.

Mode
Switch command, read-write.

Example
This example shows how to display link trap status for fe.3.1 through 4:
A2(su)->show port trap fe.3.1-4
Link traps enabled on port fe.3.1.
Link traps enabled on port fe.3.2.
Link traps enabled on port fe.3.3.
Link traps enabled on port fe.3.4.


set port trap


Use this command to enable or disable ports for sending SNMP trap messages when their link status changes.

Syntax
set port trap port-string {enable|disable}

Parameters
port-string         Specifies the port(s) for which to enable or disable port traps. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
enable | disable    Enables or disables sending trap messages when link status changes.

Defaults
Sending traps when link status changes is enabled by default.

Mode
Switch command, read-write.

Example
The following example disables sending traps on Fast Ethernet port 1 on unit 3.
A2(su)->set port trap fe.3.1 disable


Configuring Broadcast Suppression


Purpose
To review and set the broadcast suppression threshold for one or more ports. This feature limits the number of received broadcast frames the switch will accept per port. Broadcast suppression thresholds apply only to broadcast traffic; multicast traffic is not affected. By default, a broadcast suppression threshold of 14881 packets per second (pps) will be used, regardless of actual port speed. Broadcast suppression protects against broadcast storms and ARP sweeps.

Commands
The commands used to review and configure port broadcast suppression are listed below.
For information about...    Refer to page...
show port broadcast         4-22
set port broadcast          4-23
clear port broadcast        4-24

show port broadcast

Use this command to display port broadcast suppression thresholds.

Syntax
show port broadcast [port-string]

Parameters
port-string    (Optional) Select the ports for which to show broadcast suppression thresholds. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, broadcast status of all ports will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display the broadcast suppression thresholds for ports 1 through 4:
A2(su)->show port broadcast ge.1.1-4
Port      Total BC     Threshold
          Packets      (pkts/s)
----------------------------------------
ge.1.1    0            50
ge.1.2    0            50
ge.1.3    0            40
ge.1.4    0            14881


set port broadcast


Use this command to set the broadcast suppression threshold, in packets per second, on one or more ports. This sets a threshold on the broadcast traffic that is received and switched out to other ports.

Syntax
set port broadcast port-string threshold-val

Parameters
port-string      Select the ports for which to configure broadcast suppression thresholds. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
threshold-val    Sets the packets per second threshold on broadcast traffic. Maximum value is 148810 for Fast Ethernet ports and 1488100 for Gigabit ports.

Defaults
None.

Mode
Switch command, read-write.

Example
This example configures ports 1 through 5 with a broadcast limit of 50 pps:
A2(su)->set port broadcast ge.1.1-5 50

clear port broadcast


Use this command to clear the broadcast threshold limit to the default value of 14881 for the selected port.

Syntax
clear port broadcast port-string threshold

Parameters
port-string    Select the ports for which to clear broadcast suppression thresholds. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Example
This example clears the broadcast threshold limit to 14881 pps for ports 1 through 5:
A2(su)->clear port broadcast ge.1.1-5 threshold
Port Mirroring
Caution: Port mirroring configuration should be performed only by personnel who are knowledgeable about the effects of port mirroring and its impact on network operation.

The SecureStack A2 device allows you to mirror (or redirect) the traffic being switched on a port for the purposes of network traffic analysis and connection assurance. When port mirroring is enabled, one port becomes a monitor port for another port within the device.

Mirroring Features
The SecureStack A2 device supports the following mirroring features:
• Mirroring can be configured in a many-to-one configuration so that one target (destination) port can monitor traffic on up to 4 source ports. Only one mirror destination port can be configured per stack.
• Both transmit and receive traffic will be mirrored.
• A mirroring session which is configured to be active (enabled) will be operationally active only if both a destination port and at least one source port have been configured.
• A destination port will only act as a mirroring port when the session is operationally active. If the mirroring session is not operationally active, then the destination port will act as a normal port and participate in all normal operation with respect to transmitting traffic and participating in protocols.

Purpose
To review and configure port mirroring on the device.

Commands
The commands used to review and configure port mirroring are listed below.

For information about...    Refer to page...
show port mirroring         4-26
set port mirroring          4-26
clear port mirroring        4-27

show port mirroring


Use this command to display the source and target ports for mirroring, and whether mirroring is currently enabled or disabled for those ports.

Syntax
show port mirroring

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display port mirroring information. In this case, fe.1.4 is configured as a source port and fe.1.11 is a target and mirroring has been enabled between these ports:
A2(su)->show port mirroring
Port Mirroring
==============
Source Port = fe.1.4
Target Port = fe.1.11
Frames Mirrored = Rx and Tx
Port Mirroring status enabled.

set port mirroring
Use this command to create a new mirroring relationship or to enable or disable an existing mirroring relationship between two ports.

Syntax
set port mirroring {create | disable | enable} source destination

Parameters
create | disable | enable    Creates, disables or enables mirroring settings on the specified ports.
source                       Specifies the source port designation. This is the port on which the traffic will be monitored. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.
destination                  Specifies the target port designation. This is the port that will duplicate or mirror all the traffic on the monitored port. Only one destination port can be configured per stack. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Usage
Note that LAG ports and their underlying physical ports, as described in "Link Aggregation Control Protocol (LACP)" on page 4-28, cannot be mirrored.

Example
This example shows how to create and enable port mirroring with fe.1.4 as the source port, and fe.1.11 as the target port:
A2(su)->set port mirroring create fe.1.4 fe.1.11
A2(su)->set port mirroring enable fe.1.4 fe.1.11

clear port mirroring


Use this command to clear a port mirroring relationship.

Syntax
clear port mirroring source destination

Parameters
source         Specifies the source port of the mirroring configuration to be cleared. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.
destination    Specifies the target port of the mirroring configuration to be cleared.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear port mirroring between source port fe.1.4 and target port fe.1.11:
A2(su)->clear port mirroring fe.1.4 fe.1.11

Link Aggregation Control Protocol (LACP)


Caution: Link aggregation configuration should only be performed by personnel who are knowledgeable about Spanning Tree and Link Aggregation, and fully understand the ramifications of modifications beyond device defaults. Otherwise, the proper operation of the network could be at risk.

Using multiple links simultaneously to increase bandwidth is a desirable switch feature, which can be accomplished if both sides agree on a set of ports that are being used as a Link Aggregation Group (LAG). Once a LAG is formed from selected ports, problems with looping can be avoided since the Spanning Tree can treat this LAG as a single port.

Enabled by default, the Link Aggregation Control Protocol (LACP) logically groups interfaces together to create a greater bandwidth uplink, or link aggregation, according to the IEEE 802.3ad standard. This standard allows the switch to determine which ports are in LAGs and configure them dynamically. Since the protocol is based on the IEEE 802.3ad specification, any switch from any vendor that supports this standard can aggregate links automatically.

802.3ad LACP aggregations can also be run to end-users (that is, a server) or to a router.

Note: Earlier (proprietary) implementations of port aggregation referred to groups of aggregated ports as "trunks".

LACP Operation
For each aggregatable port in the device, LACP:
• Maintains configuration information (reflecting the inherent properties of the individual links as well as those established by management) to control aggregation.
• Exchanges configuration information with other devices to allocate the link to a Link Aggregation Group (LAG).
Note: A given link is allocated to, at most, one Link Aggregation Group (LAG) at a time. The allocation mechanism attempts to maximize aggregation, subject to management controls.
• Attaches the port to the aggregator used by the LAG, and detaches the port from the aggregator when it is no longer used by the LAG.
• Uses information from the partner device's link aggregation control entity to decide whether to aggregate ports.

The operation of LACP involves the following activities:
• Checking that candidate links can actually be aggregated.
• Controlling the addition of a link to a LAG, and the creation of the group if necessary.
• Monitoring the status of aggregated links to ensure that the aggregation is still valid.
• Removing a link from a LAG if its membership is no longer valid, and removing the group if it no longer has any member links.

In order to allow LACP to determine whether a set of links connect to the same device, and to determine whether those links are compatible from the point of view of aggregation, it is necessary to be able to establish
• A globally unique identifier for each device that participates in link aggregation.
• A means of identifying the set of capabilities associated with each port and with each aggregator, as understood by a given device.
• A means of identifying a LAG and its associated aggregator.

LACP Terminology
Table 4-3 defines key terminology used in LACP configuration.

Table 4-3 LACP Terms and Definitions

Term                 Definition
Aggregator           Virtual port that controls link aggregation for underlying physical ports. Each SecureStack A2 module provides 6 aggregator ports, which are designated in the CLI as lag.0.1 through lag.0.6.
LAG                  Link Aggregation Group. Once underlying physical ports (for example, fe.x.x, or ge.x.x) are associated with an aggregator port, the resulting aggregation will be represented as one LAG with a lag.x.x port designation. SecureStack A2 LAGs can have up to 4 associated physical ports.
LACPDU               Link Aggregation Control Protocol Data Unit. The protocol exchanges aggregation state/mode information by way of a port's actor and partner operational states. LACPDUs sent by the first party (the actor) convey to the second party (the actor's protocol partner) what the actor knows, both about its own state and that of its partner.
Actor and Partner    An actor is the local device sending LACPDUs. Its protocol partner is the device on the other end of the link aggregation. Each maintains current status of the other via LACPDUs containing information about their ports' LACP status and operational state.
Admin Key            Value assigned to aggregator ports and physical ports that are candidates for joining a LAG. The LACP implementation on SecureStack A2 devices will use this value to form an oper key and will determine which underlying physical ports are capable of aggregating by comparing oper keys. Aggregator ports allow only underlying ports with oper keys matching theirs to join their LAG. On SecureStack A2 devices, the default admin key value is 32768.
System Priority      Value used to build a LAG ID, which determines aggregation precedence. If there are two partner devices competing for the same aggregator, LACP compares the LAG IDs for each grouping of ports. The LAG with the lower LAG ID is given precedence and will be allowed to use the aggregator. Note: Only one LACP system priority can be set on a SecureStack A2 device, using either the set lacp asyspri command (page 4-33), or the set port lacp command (page 4-39).

SecureStack A2 Usage Considerations


In normal usage (and typical implementations) there is no need to modify any of the default LACP parameters on the switch. The default values will result in the maximum number of aggregations possible. If the switch is placed in a configuration with its peers not running the protocol, no dynamic link aggregations will be formed and the switch will function normally (that is, will block redundant paths). For information about building static aggregations, refer to set lacp static (page 4-35).

Each SecureStack A2 module provides six virtual link aggregator ports, which are designated in the CLI as lag.0.1 through lag.0.6. Each LAG can have up to four associated physical ports. Once underlying physical ports (for example, fe.x.x, or ge.x.x) are associated with an aggregator port, the resulting aggregation will be represented as one LAG with a lag.x.x port designation. LACP determines which underlying physical ports are capable of aggregating by comparing operational keys. Aggregator ports allow only underlying ports with keys matching theirs to join their LAG.

LACP uses a system priority value to build a LAG ID, which determines aggregation precedence. If there are two partner devices competing for the same aggregator, LACP compares the LAG IDs for each grouping of ports. The LAG with the lower LAG ID is given precedence and will be allowed to use the aggregator.

There are a few cases in which ports will not aggregate:
• An underlying physical port is attached to another port on this same switch (loopback).
• There is no available aggregator for two or more ports with the same LAG ID. This can happen if there are simply no available aggregators, or if none of the aggregators have a matching admin key and system priority.
• 802.1x authentication is enabled using the set eapol command (page 14-20) and ports that would otherwise aggregate are not 802.1X authorized.

The LACP implementation on the SecureStack A2 device will allow up to four physical ports into a LAG. The device with the lowest LAG ID determines which underlying physical ports are allowed into a LAG based on the ports' LAG port priority. Ports with the lowest LAG port priority values are allowed into the LAG and all other speed groupings go into a standby state.

When an existing dynamically created LAG is reduced to one port, the SecureStack A2 removes the LAG from its VLAN and adds the remaining underlying port to the VLAN. For this reason, you should ensure that the LAG and all the ports in the LAG are assigned to the egress list of the desired VLAN. Otherwise, when the LAG is removed, the remaining port may be assigned to the wrong VLAN. The other option is to enable the single port lag feature as described in "set lacp singleportlag" on page 4-36.
Note: To aggregate, underlying physical ports must be running in full duplex mode and must be of the same operating speed.

Commands
The commands used to review and configure LACP are listed below.

For information about...     Refer to page...
show lacp                    4-31
set lacp                     4-32
set lacp asyspri             4-33
set lacp aadminkey           4-33
clear lacp                   4-34
set lacp static              4-35
clear lacp static            4-35
set lacp singleportlag       4-36
clear lacp singleportlag     4-35
show port lacp               4-37
set port lacp                4-39
clear port lacp              4-41
show lacp
Use this command to display information about one or more aggregator ports.

Syntax
show lacp [port-string]

Parameters
port-string    (Optional) Displays LACP information for specific LAG port(s). Valid port designations are lag.0.1-6.

Defaults
If port-string is not specified, link aggregation information for all LAGs will be displayed.

Mode
Switch command, read-only.

Usage
Each SecureStack A2 module provides 6 virtual link aggregator ports, which are designated in the CLI as lag.0.1 through lag.0.6. Once underlying physical ports (that is, fe.x.x, ge.x.x) are associated with an aggregator port, the resulting aggregation will be represented as one Link Aggregation Group (LAG) with a lag.x.x port designation.

Example
This example shows how to display lacp information for lag.0.1. The following table describes the output fields.
A2(su)->show lacp lag.0.1
Global Link Aggregation state: enabled
Single Port LAGs: disabled

Aggregator: lag.0.1
                      Actor                Partner
System Identifier:    00:01:F4:5F:1E:20    00:11:88:11:74:F9
System Priority:      32768                32768
Admin Key:            32768
Oper Key:             32768                0
Attached Ports:       ge.1.1
                      ge.1.3

Table 4-4 provides an explanation of the command output.

Table 4-4 show lacp Output Details

Output                           What It Displays...
Global Link Aggregation state    Shows if LACP is enabled or disabled on the switch.
Single Port LAGs                 Displays if the single port LAG feature has been enabled on the switch. See "set lacp singleportlag" on page 4-36 for more about single port LAG.
Aggregator                       LAG port designation. Each SecureStack A2 module provides 6 virtual link aggregator ports, which are designated in the CLI as lag.0.1 through lag.0.6. Once underlying physical ports (for example, fe.x.x, ge.x.x) are associated with an aggregator port, the resulting Link Aggregation Group (LAG) is represented with a lag.x.x port designation.
Actor                            Local device participating in LACP negotiation.
Partner                          Remote device participating in LACP negotiation.
System Identifier                MAC addresses for actor and partner.
System Priority                  System priority value which determines aggregation precedence. Only one LACP system priority can be set on a SecureStack A2 device, using either the set lacp asyspri command (page 4-33), or the set port lacp command (page 4-39).
Admin Key                        Port's assigned key. SecureStack A2 devices provide a default admin key value of 32768 for all LAG ports (lag.0.1 through lag.0.6).
Oper Key                         Port's operational key, derived from the admin key. Only underlying physical ports with oper keys matching the aggregator's will be allowed to aggregate.
Attached Ports                   Underlying physical ports associated with this aggregator.

set lacp
Use this command to disable or enable the Link Aggregation Control Protocol (LACP) on the device.

Syntax
set lacp {disable | enable}

Parameters
disable | enable    Disables or enables LACP.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to disable LACP:
A2(su)->set lacp disable

set lacp asyspri


Use this command to set the LACP system priority.

Syntax
set lacp asyspri value

Parameters
asyspri    Sets the system priority to be used in creating a LAG (Link Aggregation Group) ID. Valid values are 0 to 65535.
value      Specifies a system priority value. Valid values are 0 to 65535, with precedence given to lower values.

Defaults
None.

Mode
Switch command, read-write.

Usage
LACP uses this value to determine aggregation precedence. If there are two partner devices competing for the same aggregator, LACP compares the LAG IDs for each grouping of ports. The LAG with the lower LAG ID is given precedence and will be allowed to use the aggregator.

Example
This example shows how to set the LACP system priority to 1000:
A2(su)->set lacp asyspri 1000

set lacp aadminkey


Use this command to set the administratively assigned key for one or more aggregator ports.

Syntax
set lacp aadminkey port-string value

Parameters
port-string    Specifies the LAG port(s) on which to assign an admin key.
value          Specifies an admin key value to set. Valid values are 0 to 65535. The default admin key value is 32768.

Defaults
None.

Mode
Switch command, read-write.

Usage
LACP will use this value to form an oper key. Only underlying physical ports with oper keys matching those of their aggregators will be allowed to aggregate. The default admin key value for all LAG ports is 32768.

Example
This example shows how to set the LACP admin key to 2000 for LAG port 6:
A2(su)->set lacp aadminkey lag.0.6 2000

clear lacp
Use this command to clear LACP system priority or admin key settings.

Syntax
clear lacp {[asyspri] [aadminkey port-string]}

Parameters
asyspri                  Clears system priority.
aadminkey port-string    Resets admin keys for one or more ports to the default value of 32768.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear the actor admin key for LAG port 6:
A2(su)->clear lacp aadminkey lag.0.6

set lacp static


Use this command to disable or enable static link aggregation, or to assign one or more underlying physical ports to a Link Aggregation Group (LAG).

Syntax
set lacp static {disable | enable} | lagportstring [key] port-string

Parameters
disable | enable    Disables or enables static link aggregation.
lagportstring       Specifies the LAG aggregator port to which new ports will be assigned.
key                 (Optional) Specifies the new member port and LAG port aggregator admin key value. Only ports with matching keys are allowed to aggregate. Valid values are 0-65535.
Note: This key value must be unique. If ports other than the desired underlying physical ports share the same admin key value, aggregation will fail or undesired aggregations will form.
port-string         Specifies the member port(s) to add to the LAG. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.

Defaults
If not specified, a key will be assigned according to the specified aggregator. For example, a key of 4 would be assigned to lag.0.4.

Mode
Switch command, read-write.

Example
This example shows how to add port fe.1.6 to the LAG of aggregator port 6:
A2(su)->set lacp static lag.0.6 fe.1.6

clear lacp static


Use this command to remove specific ports from a Link Aggregation Group.

Syntax
clear lacp static lagportstring port-string

Parameters
lagportstring    Specifies the LAG aggregator port from which ports will be removed.
port-string      Specifies the port(s) to remove from the LAG. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to remove fe.1.6 from the LAG of aggregator port 6:
A2(su)->clear lacp static lag.0.6 fe.1.6

set lacp singleportlag


Use this command to enable or disable the formation of single port LAGs.

Syntax
set lacp singleportlag {enable | disable}

Parameters
disable | enable    Enables or disables the formation of single port LAGs.

Defaults
None.

Mode
Switch command, read-write.

Usage
When single port LAGs are enabled, LAGs are maintained when only one port is receiving protocol transmissions from a partner. If single port LAGs are not enabled and a LAG goes down to one port, the LAG (lag.x.x) will not be used but instead the port's syntax will be used (for example, fe.3.24). This could cause problems if the LAG and the port have different configurations (the LAG and the port may have different VLAN or Policy configurations).

Example
This example shows how to enable single port LAGs:
A2(su)->set lacp singleportlag enable

clear lacp singleportlag


Use this command to reset the single port LAG function back to the default state of disabled.

Syntax
clear lacp singleportlag

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to reset the single port LAG function back to disabled:
A2(su)->clear lacp singleportlag

show port lacp


Use this command to display link aggregation information for one or more underlying physical ports.

Syntax
show port lacp port port-string {[status {detail | summary}] | [counters]}

Parameters
port port-string           Displays LACP information for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.
status detail | summary    Displays LACP status in detailed or summary information.
counters                   Displays LACP counter information.

Defaults
None.

Mode
Switch command, read-only.

Usage
State definitions, such as ActorAdminState and PartnerAdminState, are indicated with letter abbreviations. If the show port lacp command displays one or more of the following letters, it means the state is true for the associated actor or partner ports:
• E = Expired
• F = Defaulted
• D = Distributing (tx enabled)
• C = Collecting (rx enabled)
• S = Synchronized (actor and partner agree)
• G = Aggregation allowed
• S/l = Short/Long LACP timeout
• A/p = Active/Passive LACP

For more information about these states, refer to set port lacp (page 4-39) and the IEEE 802.3-2002 specification.

Examples
This example shows how to display detailed LACP status information for port fe.1.12:
A2(su)-> show port lacp port fe.1.12 status detail
Port Instance: fe.1.12
ActorPort:              1411                 PartnerAdminPort:              1411
ActorSystemPriority:    32768                PartnerOperPort:               1411
ActorPortPriority:      32768                PartnerAdminSystemPriority:    32768
ActorAdminKey:          32768                PartnerOperSystemPriority:     32768
ActorOperKey:           32768                PartnerAdminPortPriority:      32768
ActorAdminState:        -----GlA             PartnerOperPortPriority:       32768
ActorOperState:         -F----lA             PartnerAdminKey:               1411
ActorSystemID:          00-e0-63-9d-b5-87    PartnerOperKey:                1411
SelectedAggID:          none                 PartnerAdminState:             --DCSGlp
AttachedAggID:          none                 PartnerOperState:              --DC-Glp
MuxState:               Detached             PartnerAdminSystemID:          00-00-00-00-00-00
DebugRxState:           port Disabled        PartnerOperSystemID:           00-00-00-00-00-00

This example shows how to display summarized LACP status information for port fe.1.12:
A2(su)->show port lacp port fe.1.12 status summary
Port       Aggr    Actor System                   Partner System
                   Pri:  System ID:     Key:      Pri:  System ID:     Key:
fe.1.12    none    [(32768,00e0639db587,32768),(32768,000000000000, 1411)]

This example shows how to display LACP counters for port fe.1.12:
A2(su)->show port lacp port fe.1.12 counters
Port Instance: fe.1.12
LACPDUsRx:               11067
LACPDUsTx:               0
IllegalRx:               0
UnknownRx:               0
MarkerPDUsRx:            0
MarkerPDUsTx:            0
MarkerResponsePDUsRx:    0
MarkerResponsePDUsTx:    374
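The state letters are easier to audit once decoded. The Python below is an added example, not part of the Enterasys guide: it parses the detailed status output shown above for fe.1.12, decodes the actor and partner state strings, and reports a port that never negotiated with a partner. Function names and finding labels are hypothetical, and the letter-to-position mapping is an assumption inferred from the sample strings on this page.

```python
import re

# Flag letters in the order the Usage list gives them. Treating list order as
# column order is an assumption, checked against the guide's sample strings
# ("-F----lA" puts F second; "--DCSGlp" puts D, C, S, G third to sixth).
FLAGS = [("E", "expired"), ("F", "defaulted"), ("D", "distributing"),
         ("C", "collecting"), ("S", "synchronized"), ("G", "aggregation_allowed")]
KEY = re.compile(r"(Port Instance|[A-Za-z]+):[ \t]*")
NO_PARTNER = "00-00-00-00-00-00"

# "show port lacp port fe.1.12 status detail" output as printed in the guide.
SAMPLE = """\
Port Instance: fe.1.12
ActorPort:            1411               PartnerAdminPort:            1411
ActorSystemPriority:  32768              PartnerOperPort:             1411
ActorPortPriority:    32768              PartnerAdminSystemPriority:  32768
ActorAdminKey:        32768              PartnerOperSystemPriority:   32768
ActorOperKey:         32768              PartnerAdminPortPriority:    32768
ActorAdminState:      -----GlA           PartnerOperPortPriority:     32768
ActorOperState:       -F----lA           PartnerAdminKey:             1411
ActorSystemID:        00-e0-63-9d-b5-87  PartnerOperKey:              1411
SelectedAggID:        none               PartnerAdminState:           --DCSGlp
AttachedAggID:        none               PartnerOperState:            --DC-Glp
MuxState:             Detached           PartnerAdminSystemID:        00-00-00-00-00-00
DebugRxState:         port Disabled      PartnerOperSystemID:         00-00-00-00-00-00
"""


def decode_state(state):
    """Turn an 8-character state string such as '--DCSGlp' into named flags."""
    if len(state) != 8:
        raise ValueError("state string must be 8 characters: %r" % state)
    decoded = {}
    for pos, (letter, name) in enumerate(FLAGS):
        if state[pos] not in (letter, "-"):
            raise ValueError("unexpected %r at position %d" % (state[pos], pos))
        decoded[name] = state[pos] == letter
    if state[6] not in ("S", "l") or state[7] not in ("A", "p"):
        raise ValueError("bad timeout/activity letters in %r" % state)
    decoded["timeout"] = "short" if state[6] == "S" else "long"
    decoded["activity"] = "active" if state[7] == "A" else "passive"
    return decoded


def parse_detail(text):
    """Parse the two-column 'Key: value' layout into a flat dict."""
    fields = {}
    for line in text.splitlines():
        keys = list(KEY.finditer(line))
        for i, match in enumerate(keys):
            end = keys[i + 1].start() if i + 1 < len(keys) else len(line)
            fields[match.group(1)] = line[match.end():end].strip()
    return fields


def audit(fields):
    """Return finding labels for one port's detailed LACP status."""
    actor = decode_state(fields["ActorOperState"])
    partner = decode_state(fields["PartnerOperState"])
    findings = []
    if actor["expired"]:
        findings.append("actor-expired")
    if actor["defaulted"]:
        # Defaulted: the port is running on administratively set partner
        # values rather than values learned from received LACPDUs.
        findings.append("actor-defaulted")
    if fields["PartnerOperSystemID"] == NO_PARTNER:
        findings.append("no-partner-system-id")
    if fields["AttachedAggID"] == "none":
        findings.append("not-attached")
    if actor["synchronized"] != partner["synchronized"]:
        findings.append("sync-mismatch")
    return findings


if __name__ == "__main__":
    parsed = parse_detail(SAMPLE)
    print(parsed["Port Instance"], audit(parsed))
```
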

set port lacp


Use this command to set link aggregation parameters for one or more ports. These settings will determine the specified underlying physical ports' ability to join a LAG, and their administrative state once aggregated.

Syntax
set port lacp port port-string {[aadminkey aadminkey] [aadminstate {lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire}] [aportpri aportpri] [asyspri asyspri] [enable | disable] [padminkey padminkey] [padminport padminport] [padminportpri padminportpri] [padminstate {lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire}] [padminsysid padminsysid] [padminsyspri padminsyspri]}

Parameters
port port-string
    Specifies the physical port(s) on which to configure LACP. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.
aadminkey aadminkey
    Sets the port's actor admin key. LACP will use this value to form an oper key and will determine which underlying physical ports are capable of aggregating by comparing oper keys. Aggregator ports allow only underlying ports with oper keys matching theirs to join their LAG. Valid values are 1-65535. The default key value is 32768.
aadminstate lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire
    Sets the port's actor LACP administrative state to allow for:
    lacpactive - Transmitting LACP PDUs.
    lacptimeout - Transmitting LACP PDUs every 1 sec. vs 30 sec. (default).
    lacpagg - Aggregation on this port.
    lacpsync - Transition to synchronization state.
    lacpcollect - Transition to collection state.
    lacpdist - Transition to distribution state.
    lacpdef - Transition to defaulted state.
    lacpexpire - Transition to expired state.
aportpri aportpri
    Sets the port's actor port priority. Valid values are 0-65535, with lower values designating higher priority.
asyspri asyspri
    Sets the port's actor system priority. The LACP implementation on the SecureStack A2 device uses this value to determine aggregation precedence when there are two devices competing for the same aggregator. Valid values are 0-65535, with higher precedence given to lower values.
    Note: Only one LACP system priority can be set on a SecureStack A2 device, using either this command, or the set lacp asyspri command ("set lacp asyspri" on page 4-33).
enable
    (Optional) Enables LACPDU processing on this port.
disable
    (Optional) Disables LACPDU processing on this port.
padminkey padminkey
    Sets a default value to use as the port's partner admin key. Only ports with matching admin keys are allowed to aggregate. Valid values are 1-65535.
padminport padminport
    Sets a default value to use as the port's partner admin value. Valid values are 1-65535.
padminportpri padminportpri
    Sets a default value to use as the port's partner port priority. Valid values are 0-65535, with lower values given higher priority.
padminstate lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire
    Sets a port's partner LACP administrative state. See aadminstate for valid options.
padminsysid padminsysid
    Sets a default value to use as the port's partner system ID. This is a MAC address.
padminsyspri padminsyspri
    Sets a default value to use as the port's partner priority. Valid values are 0-65535, with lower values given higher priority.

Defaults
At least one parameter must be entered per port-string.
If enable or disable are not specified, port(s) will be enabled with the LACP parameters entered.

Mode
Switch command, read-write.

Usage
LACP commands and parameters beginning with an "a" (such as aadminkey) set actor values. Corresponding commands and parameters beginning with a "p" (such as padminkey) set corresponding partner values. Actor refers to the local device participating in LACP negotiation, while partner refers to its remote device partner at the other end of the negotiation. Actors and partners maintain current status of the other via LACPDUs containing information about their ports' LACP status and operational state.

Example
This example shows how to set the actor admin key to 3555 for port ge.3.16:
A2(su)->set port lacp port ge.3.16 aadminkey 3555

clear port lacp


Use this command to clear link aggregation settings for one or more ports.

Syntax
clear port lacp port port-string {[aadminkey] [aportpri] [asyspri] [aadminstate {lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire | all}] [padminsyspri] [padminsysid] [padminkey] [padminportpri] [padminport] [padminstate {lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire | all}]}

Parameters
port port-string
    Specifies the physical port(s) on which LACP settings will be cleared. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.
aadminkey
    Clears a port's actor admin key.
aportpri
    Clears a port's actor port priority.
asyspri
    Clears the port's actor system priority.
aadminstate lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire | all
    Clears a port's specific actor admin state, or all actor admin state(s). For descriptions of specific states, refer to the set port lacp command ("set port lacp" on page 4-39).
padminsyspri
    Clears the port's default partner priority value.
padminsysid
    Clears the port's default partner system ID.
padminkey
    Clears the port's default partner admin key.
padminportpri
    Clears the port's default partner port priority.
padminport
    Deletes a partner port from the LACP configuration.
padminstate lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire | all
    Clears the port's specific partner admin state, or all partner admin state(s).

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear all link aggregation parameters for port ge.3.16:
A2(su)->clear port lacp port ge.3.16

Configuring Protected Ports


The Protected Port feature is used to prevent ports from forwarding traffic to each other, even when they are on the same VLAN. Ports may be designated as either protected or unprotected. Ports are unprotected by default. Multiple groups of protected ports are supported.

Protected Port Operation
Ports that are configured to be protected cannot forward traffic to other protected ports in the same group, regardless of having the same VLAN membership. However, protected ports can forward traffic to ports which are unprotected (not listed in any group). Protected ports can also forward traffic to protected ports in a different group, if they are in the same VLAN. Unprotected ports can forward traffic to both protected and unprotected ports. A port may belong to only one group of protected ports.

This feature only applies to ports within a switch. It does not apply across multiple switches in a network.

Commands
For information about...     Refer to page...
set port protected           4-43
show port protected          4-43
clear port protected         4-44
set port protected name      4-45
show port protected name     4-45
clear port protected name    4-46

set port protected


Use this command to specify a port to be protected and assign the port to a group of protected ports. A port can be assigned to only one group.

Syntax
set port protected port-string group-id

Parameters
port-string    Specifies the port or ports to be protected.
group-id       Specifies the id of the group to which the ports should be assigned. Id can range from 0 to 2.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to assign ports ge.1.1 through ge.1.3 to protected port group 1:
A2(rw)->set port protected ge.1.1-3 1

show port protected


Use this command to display information about the ports configured for protected mode.

Syntax
show port protected [port-string] | [group-id]

Parameters
port-string    (Optional) Specifies the port or ports for which to display information.
group-id       (Optional) Specifies the id of the group for which to display information. Id can range from 0 to 2.

Defaults
If no parameters are entered, information about all protected ports is displayed.

Mode
Read-only.

Example
This example shows how to display information about all protected ports:
A2(ro)->show port protected
Group id    Port
----------------------
1           ge.1.1
1           ge.1.2
1           ge.1.3
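The forwarding rules from Protected Port Operation can be checked against this command's output. The Python below is an added example, not from the guide: it parses the table, applies the same-group and different-group rules, and lists the port pairs from an isolation policy that the switch would still forward. Function names, the two group 2 rows and the policy are constructed, and both ports of each pair are assumed to be on one switch and in the same VLAN.

```python
import re

ROW = re.compile(r"^\s*(\d+)\s+((?:fe|ge)\.\d+\.\d+)\s*$")

# "show port protected" output: the guide's three rows plus two constructed
# group 2 rows, so the different-group rule has something to act on.
SAMPLE = """\
Group id    Port
----------------------
1           ge.1.1
1           ge.1.2
1           ge.1.3
2           ge.1.10
2           ge.1.11
"""

# Constructed policy: pairs of ports that must not exchange traffic.
POLICY = [
    ("ge.1.1", "ge.1.2"),    # same group
    ("ge.1.3", "ge.1.10"),   # different groups
    ("ge.1.2", "ge.1.24"),   # ge.1.24 is not in any group
    ("ge.1.10", "ge.1.11"),  # same group
]


def parse_protected(text):
    """Return {port: group_id} from the table rows.

    Rejects group ids outside 0-2 and a port listed in two groups, since the
    guide allows a port to belong to only one group.
    """
    groups = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if not match:
            continue  # prompt, column header or rule line
        group_id, port = int(match.group(1)), match.group(2)
        if not 0 <= group_id <= 2:
            raise ValueError("group id %d is outside 0-2" % group_id)
        if groups.get(port, group_id) != group_id:
            raise ValueError("%s is listed in more than one group" % port)
        groups[port] = group_id
    return groups


def may_forward(src, dst, groups):
    """Apply the Protected Port Operation rules to two ports.

    Ports missing from `groups` are unprotected. The rules are symmetric, so
    the order of src and dst does not matter.
    """
    src_group, dst_group = groups.get(src), groups.get(dst)
    if src_group is None or dst_group is None:
        return True  # traffic to or from an unprotected port is forwarded
    return src_group != dst_group  # only a shared group blocks forwarding


def isolation_gaps(groups, must_isolate):
    """Return the pairs in `must_isolate` that would still be forwarded."""
    return [(a, b) for a, b in must_isolate if may_forward(a, b, groups)]


if __name__ == "__main__":
    table = parse_protected(SAMPLE)
    for a, b in isolation_gaps(table, POLICY):
        print("not isolated: %s <-> %s" % (a, b))
```
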

clear port protected


Use this command to remove a port or group from protected mode.

Syntax
clear port protected [port-string] | [group-id]

Parameters
port-string    (Optional) Specifies the port or ports to remove from protected mode.
group-id       (Optional) Specifies the id of the group to remove from protected mode. Id can range from 0 to 2.

Defaults
If no parameters are entered, all protected ports and groups are cleared.

Mode
Switch command, read-write.

Example
This example shows how to clear protected ports ge.1.1 through ge.1.3:
A2(rw)->clear port protected ge.1.1-3

set port protected name


Use this command to assign a name to a protected port group id.

Syntax
set port protected name group-id name

Parameters
group-id    Specifies the id of this group. Id can range from 0 to 2.
name        Specifies a name for the group. The name can be up to 32 characters in length.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to assign the name "group1" to protected port group 1:
A2(rw)->set port protected name 1 group1

show port protected name


Use this command to display the name for the group ids specified.

Syntax
show port protected name group-id

Parameters
group-id    Specifies the id of the group to display. Id can range from 0 to 2.

Defaults
None.

Mode
Read-only.

Example
This example shows how to show the name of protected port group 1:
A2(ro)->show port protected name 1
Group ID    Group Name
-----------------------------
1           group1

clear port protected name


Use this command to clear the name of a protected group.

Syntax
clear port protected name group-id

Parameters
group-id    Specifies the id of the group for which to clear the name. Id can range from 0 to 2.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear the name of protected port group 1:
A2(rw)->clear port protected name 1

5
SNMP Configuration
This chapter describes the Simple Network Management Protocol (SNMP) set of commands and how to use them.

For information about...                            Refer to page...
SNMP Configuration Summary                          5-1
Reviewing SNMP Statistics                           5-4
Configuring SNMP Users, Groups, and Communities     5-8
Configuring SNMP Access Rights                      5-16
Configuring SNMP MIB Views                          5-20
Configuring SNMP Target Parameters                  5-25
Configuring SNMP Target Addresses                   5-29
Configuring SNMP Notification Parameters            5-33
Creating a Basic SNMP Trap Configuration            5-41

SNMP Configuration Summary


SNMP is an application-layer protocol that facilitates the exchange of management information between network devices. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.

SecureStack A2 devices support three versions of SNMP:
- Version 1 (SNMPv1): This is the initial implementation of SNMP. Refer to RFC 1157 for a full description of functionality.
- Version 2 (SNMPv2c): The second release of SNMP, described in RFC 1907, has additions and enhancements to data types, counter size, and protocol operations.
- Version 3 (SNMPv3): This is the most recent version of SNMP, and includes significant enhancements to administration and security. SNMPv3 is fully described in RFC 2571, RFC 2572, RFC 2573, RFC 2574, and RFC 2575.

SNMPv1 and SNMPv2c


The components of SNMPv1 and SNMPv2c network management fall into three categories:
- Managed devices (such as a switch).
- SNMP agents and MIBs, including SNMP traps, community strings, and Remote Monitoring (RMON) MIBs, which run on managed devices.
- SNMP network management applications, such as the Enterasys NetSight application, which communicate with agents to get statistics and alerts from the managed devices.

SNMPv3
SNMPv3 is an interoperable standards-based protocol that provides secure access to devices by authenticating and encrypting frames over the network. The advanced security features provided in SNMPv3 are as follows:
- Message integrity: Collects data securely without being tampered with or corrupted.
- Authentication: Determines the message is from a valid source.
- Encryption: Scrambles the contents of a frame to prevent it from being seen by an unauthorized source.

Unlike SNMPv1 and SNMPv2c, in SNMPv3 the concepts of SNMP agents and SNMP managers no longer apply. These concepts have been combined into an SNMP entity. An SNMP entity consists of an SNMP engine and SNMP applications. An SNMP engine consists of the following four components:
- Dispatcher: This component sends and receives messages.
- Message processing subsystem: This component accepts outgoing PDUs from the dispatcher and prepares them for transmission by wrapping them in a message header and returning them to the dispatcher. The message processing subsystem also accepts incoming messages from the dispatcher, processes each message header, and returns the enclosed PDU to the dispatcher.
- Security subsystem: This component authenticates and encrypts messages.
- Access control subsystem: This component determines which users and which operations are allowed access to managed objects.

About SNMP Security Models and Levels


An SNMP security model is an authentication strategy that is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model. The three levels of SNMP security are: No authentication required (NoAuthNoPriv); authentication required (AuthNoPriv); and privacy (authPriv). A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP frame. Table 5-1 identifies the levels of SNMP security available on SecureStack A2 devices and authentication required within each model.

Table 5-1    SNMP Security Levels

Model  Security Level  Authentication    Encryption  How It Works
v1     NoAuthNoPriv    Community string  None        Uses a community string match for authentication.
v2c    NoAuthNoPriv    Community string  None        Uses a community string match for authentication.
v3     NoAuthNoPriv    User name         None        Uses a user name match for authentication.
       AuthNoPriv      MD5 or SHA        None        Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.
       authPriv        MD5 or SHA        DES         Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides DES 56-bit encryption in addition to authentication based on the CBC-DES (DES-56) standard.

Using SNMP Contexts to Access Specific MIBs


By default, when operating from the switch CLI, SecureStack A2 devices allow access to all SNMP MIBs or contexts. A context is a collection of MIB objects, often associated with a particular physical or logical device.

If no optional context parameters are configured for v1 and v2 community names and v3 user groups, these groups are able to access all SNMP MIB objects when in switch mode.

Specifying a context parameter when setting up an SNMP user group would permit or restrict the group's switch management access to the MIB(s) specified by the context (MIB object ID) value.

All SNMP contexts known to the device can be displayed using the show snmp context command as described in "show snmp context" on page 5-22.

Example
This example permits the "powergroup" to manage all MIBs via SNMPv3:
A2(su)->set snmp access powergroup security-model usm

Configuration Considerations
Commands for configuring SNMP on the SecureStack A2 device are independent during the SNMP setup process. For instance, target parameters can be specified when setting up optional notification filters even though these parameters have not yet been created with the set snmp targetparams command.

Reviewing SNMP Statistics


Purpose
To review SNMP statistics.

Commands
The commands used to review SNMP statistics are listed below.

For information about...    Refer to page...
show snmp engineid          5-4
show snmp counters          5-5

show snmp engineid


Use this command to display the SNMP local engine ID. This is the SNMPv3 engine's administratively unique identifier.

Syntax
show snmp engineid

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display SNMP engine properties:
A2(su)->show snmp engineid
EngineId: 80:00:15:f8:03:00:e0:63:9d:b5:87
Engine Boots = 12
Engine Time = 162181
Max Msg Size = 2048

Table 5-2 shows a detailed explanation of the command output.

Table 5-2    show snmp engineid Output Details

Output          What It Displays...
EngineId        String identifying the SNMP agent on the device.
Engine Boots    Number of times the SNMP engine has been started or reinitialized.
Engine Time     Time in seconds since last reboot.
Max Msg Size    Maximum accepted length, in bytes, of SNMP frame.

show snmp counters


Use this command to display SNMP traffic counter values.

Syntax
show snmp counters

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display SNMP counter values:
A2(su)->show snmp counters

--- mib2 SNMP group counters:
snmpInPkts                   = 396601
snmpOutPkts                  = 396601
snmpInBadVersions            = 0
snmpInBadCommunityNames      = 0
snmpInBadCommunityUses       = 0
snmpInASNParseErrs           = 0
snmpInTooBigs                = 0
snmpInNoSuchNames            = 0
snmpInBadValues              = 0
snmpInReadOnlys              = 0
snmpInGenErrs                = 0
snmpInTotalReqVars           = 403661
snmpInTotalSetVars           = 534
snmpInGetRequests            = 290
snmpInGetNexts               = 396279
snmpInSetRequests            = 32
snmpInGetResponses           = 0
snmpInTraps                  = 0
snmpOutTooBigs               = 0
snmpOutNoSuchNames           = 11
snmpOutBadValues             = 0
snmpOutGenErrs               = 0
snmpOutGetRequests           = 0
snmpOutGetNexts              = 0
snmpOutSetRequests           = 0
snmpOutGetResponses          = 396601
snmpOutTraps                 = 0
snmpSilentDrops              = 0
snmpProxyDrops               = 0

--- USM Stats counters:
usmStatsUnsupportedSecLevels = 0
usmStatsNotInTimeWindows     = 0
usmStatsUnknownUserNames     = 0
usmStatsUnknownEngineIDs     = 0
usmStatsWrongDigests         = 0
usmStatsDecryptionErrors     = 0

Table 5-3 shows a detailed explanation of the command output.

Table 5-3    show snmp counters Output Details

Output                          What It Displays...
snmpInPkts                      Number of messages delivered to the SNMP entity from the transport service.
snmpOutPkts                     Number of SNMP messages passed from the SNMP protocol entity to the transport service.
snmpInBadVersions               Number of SNMP messages delivered to the SNMP entity for an unsupported SNMP version.
snmpInBadCommunityNames         Number of SNMP messages delivered to the SNMP entity that used an SNMP community name not known to the entity.
snmpInBadCommunityUses          Number of SNMP messages delivered to the SNMP entity that represented an SNMP operation not allowed by the SNMP community named in the message.
snmpInASNParseErrs              Number of ASN.1 (Abstract Syntax Notation) or BER (Basic Encoding Rules) errors encountered by the SNMP entity when decoding received SNMP messages.
snmpInTooBigs                   Number of SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as "tooBig."
snmpInNoSuchNames               Number of SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as "noSuchName."
snmpInBadValues                 Number of SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as "badValue."
snmpInReadOnlys                 Number of valid SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as "readOnly."
snmpInGenErrs                   Number of SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as "genErr."
snmpInTotalReqVars              Number of MIB objects retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP Get-Request and Get-Next PDUs.
snmpInTotalSetVars              Number of MIB objects altered successfully by the SNMP protocol entity as the result of receiving valid SNMP Set-Request PDUs.
snmpInGetRequests               Number of SNMP Get-Request PDUs accepted and processed by the SNMP protocol entity.
snmpInGetNexts                  Number of SNMP Get-Next PDUs accepted and processed by the SNMP protocol entity.
snmpInSetRequests               Number of SNMP Set-Request PDUs accepted and processed by the SNMP protocol entity.
snmpInGetResponses              Number of SNMP Get-Response PDUs accepted and processed by the SNMP protocol entity.
snmpInTraps                     Number of SNMP Trap PDUs accepted and processed by the SNMP protocol entity.
snmpOutTooBigs                  Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status field as "tooBig."
snmpOutNoSuchNames              Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status as "noSuchName."
snmpOutBadValues                Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status field as "badValue."
snmpOutGenErrs                  Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status field as "genErr."
snmpOutGetRequests              Number of SNMP Get-Request PDUs generated by the SNMP protocol entity.
snmpOutGetNexts                 Number of SNMP Get-Next PDUs generated by the SNMP protocol entity.
snmpOutSetRequests              Number of SNMP Set-Request PDUs generated by the SNMP protocol entity.
snmpOutGetResponses             Number of SNMP Get-Response PDUs generated by the SNMP protocol entity.
snmpOutTraps                    Number of SNMP Trap PDUs generated by the SNMP protocol entity.
snmpSilentDrops                 Number of SNMP Get, Set, or Inform request error messages that were dropped because the reply was larger than the requestor's maximum message size.
snmpProxyDrops                  Number of SNMP Get, Set, or Inform request error messages that were dropped because the reply was larger than the proxy target's maximum message size.
usmStatsUnsupportedSecLevels    Number of packets received by the SNMP engine that were dropped because they requested a security level that was unknown to the SNMP engine or otherwise unavailable.
usmStatsNotInTimeWindows        Number of packets received by the SNMP engine that were dropped because they appeared outside of the authoritative SNMP engine's window.
usmStatsUnknownUserNames        Number of packets received by the SNMP engine that were dropped because they referenced a user that was not known to the SNMP engine.
usmStatsUnknownEngineIDs        Number of packets received by the SNMP engine that were dropped because they referenced an snmpEngineID that was not known to the SNMP engine.
usmStatsWrongDigests            Number of packets received by the SNMP engine that were dropped because they did not contain the expected digest value.
usmStatsDecryptionErrors        Number of packets received by the SNMP engine that were dropped because they could not be decrypted.
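Several of the counters in Table 5-3 increment only when a request is rejected, so comparing two captures of show snmp counters shows whether someone is guessing community names or SNMPv3 credentials. The following is an added example, not part of the Enterasys guide: the function names, the threshold of 10 and both sample captures are constructed for illustration.

```python
"""Compare two `show snmp counters` captures and report rejected-request growth."""
import re

# Counters from Table 5-3 that grow when the agent rejects a request.
WATCHED = {
    "snmpInBadVersions": "requests for an unsupported SNMP version",
    "snmpInBadCommunityNames": "requests using an unknown community name",
    "snmpInBadCommunityUses": "operations not allowed for the community used",
    "usmStatsUnsupportedSecLevels": "SNMPv3 requests at an unavailable security level",
    "usmStatsNotInTimeWindows": "SNMPv3 requests outside the engine's time window",
    "usmStatsUnknownUserNames": "SNMPv3 requests naming an unknown user",
    "usmStatsUnknownEngineIDs": "SNMPv3 requests naming an unknown engine ID",
    "usmStatsWrongDigests": "SNMPv3 requests failing the digest check",
    "usmStatsDecryptionErrors": "SNMPv3 requests that could not be decrypted",
}

_LINE = re.compile(r"^\s*(\w+)\s*=\s*(\d+)\s*$")


def parse_counters(text):
    """Return {counter_name: value}; prompt and '---' header lines are skipped."""
    counters = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:
            counters[match.group(1)] = int(match.group(2))
    return counters


def rejected_deltas(before, after, threshold=10):
    """Return [(counter, delta, meaning)] for watched counters that grew by at
    least `threshold` between the two captures, largest growth first."""
    findings = []
    for name, meaning in WATCHED.items():
        old, new = before.get(name, 0), after.get(name, 0)
        # A value lower than before means the counters restarted (for example
        # after a reboot), so everything counted since then is new.
        delta = new - old if new >= old else new
        if delta >= threshold:
            findings.append((name, delta, meaning))
    return sorted(findings, key=lambda item: item[1], reverse=True)


# Constructed captures, laid out like the command output shown above.
BEFORE = """\
A2(su)->show snmp counters
--- mib2 SNMP group counters:
snmpInPkts                   = 396601
snmpInBadVersions            = 0
snmpInBadCommunityNames      = 0
snmpInBadCommunityUses       = 0
snmpInSetRequests            = 32
--- USM Stats counters:
usmStatsUnknownUserNames     = 2
usmStatsWrongDigests         = 0
usmStatsDecryptionErrors     = 0
"""

AFTER = """\
A2(su)->show snmp counters
--- mib2 SNMP group counters:
snmpInPkts                   = 401250
snmpInBadVersions            = 0
snmpInBadCommunityNames      = 1840
snmpInBadCommunityUses       = 12
snmpInSetRequests            = 32
--- USM Stats counters:
usmStatsUnknownUserNames     = 5
usmStatsWrongDigests         = 37
usmStatsDecryptionErrors     = 0
"""

if __name__ == "__main__":
    for name, delta, meaning in rejected_deltas(parse_counters(BEFORE),
                                                parse_counters(AFTER)):
        print(f"{name}: +{delta} ({meaning})")
```

Growth in usmStatsNotInTimeWindows can also come from clock drift on a management station, so confirm the source before treating it as hostile.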

Configuring SNMP Users, Groups, and Communities


Purpose
To review and configure SNMP users, groups, and v1 and v2 communities. These are defined as follows:
- User: A person registered in SNMPv3 to access SNMP management.
- Group: A collection of users who share the same SNMP access privileges.
- Community: A name used to authenticate SNMPv1 and v2 users.

Commands
The commands used to review and configure SNMP users, groups, and communities are listed below.

For information about...    Refer to page...
show snmp user              5-9
set snmp user               5-10
clear snmp user             5-11
show snmp group             5-11
set snmp group              5-12
clear snmp group            5-13
show snmp community         5-13
set snmp community          5-14
clear snmp community        5-15

show snmp user


Use this command to display information about SNMP users. These are people registered to access SNMP management.

Syntax
show snmp user [list] | [user] | [remote remote] [volatile | nonvolatile | readonly]

Parameters
list                                 (Optional) Displays a list of registered SNMP user names.
user                                 (Optional) Displays information about a specific user.
remote remote                        (Optional) Displays information about users on a specific remote SNMP engine.
volatile | nonvolatile | readonly    (Optional) Displays user information for a specified storage type.

Defaults
If list is not specified, detailed SNMP information will be displayed.
If user is not specified, information about all SNMP users will be displayed.
If remote is not specified, user information about the local SNMP engine will be displayed.
If not specified, user information for all storage types will be displayed.

Mode
Switch command, read-only.

Examples
This example shows how to display an SNMP user list:
(su)->show snmp user list
--- SNMP user information ---
--- List of registered users:
Guest
admin1
admin2
netops

This example shows how to display information for the SNMP "guest" user:
(su)->show snmp user guest
--- SNMP user information ---
EngineId: 00:00:00:63:00:00:00:a1:00:00:00:00
Username         = Guest
Auth protocol    = usmNoAuthProtocol
Privacy protocol = usmNoPrivProtocol
Storage type     = nonVolatile
Row status       = active

Table 5-4 shows a detailed explanation of the command output.

Table 5-4    show snmp user Output Details

Output              What It Displays...
EngineId            SNMP local engine identifier.
Username            SNMPv1 or v2 community name or SNMPv3 user name.
Auth protocol       Type of authentication protocol applied to this user.
Privacy protocol    Whether a privacy protocol is applied when authentication protocol is in use.
Storage type        Whether entry is stored in volatile, nonvolatile or read-only memory.
Row status          Status of this entry: active, notInService, or notReady.

set snmp user


Use this command to create a new SNMPv3 user.

Syntax
set snmp user user [remote remoteid] [authentication {md5 | sha}] [authpassword] [privacy privpassword] [volatile | nonvolatile]

Parameters
user                        Specifies a name for the SNMPv3 user.
remote remoteid             (Optional) Registers the user on a specific remote SNMP engine.
authentication md5 | sha    (Optional) Specifies the authentication type required for this user as MD5 or SHA.
authpassword                (Optional) Specifies a password for this user when authentication is required. Minimum of 8 characters.
privacy privpassword        (Optional) Applies encryption and specifies an encryption password. Minimum of 8 characters.
volatile | nonvolatile      (Optional) Specifies a storage type for this user entry.

Defaults
If remote is not specified, the user will be registered for the local SNMP engine.
If authentication is not specified, no authentication will be applied.
If privacy is not specified, no encryption will be applied.
If storage type is not specified, nonvolatile will be applied.

Mode
Switch command, read-write.

Example
This example shows how to create a new SNMP user named "netops". By default, this user will be registered on the local SNMP engine without authentication and encryption. Entries related to this user will be stored in permanent (nonvolatile) memory:
A2(su)->set snmp user netops

clear snmp user


Use this command to remove a user from the SNMPv3 security-model list.

Syntax
clear snmp user user [remote remote]

Parameters
user             Specifies an SNMPv3 user to remove.
remote remote    (Optional) Removes the user from a specific remote SNMP engine.

Defaults
If remote is not specified, the user will be removed from the local SNMP engine.

Mode
Switch command, read-write.

Example
This example shows how to remove the SNMP user named "bill":
A2(su)->clear snmp user bill

show snmp group


Use this command to display an SNMP group configuration. An SNMP group is a collection of SNMPv3 users who share the same access privileges.

Syntax
show snmp group [groupname groupname] [user user] [security-model {v1 | v2c | usm}] [volatile | nonvolatile | read-only]

Parameters
groupname groupname                   (Optional) Displays information for a specific SNMP group.
user user                             (Optional) Displays information about users within the specified group.
security-model v1 | v2c | usm         (Optional) Displays information about groups assigned to a specific security SNMP model.
volatile | nonvolatile | read-only    (Optional) Displays SNMP group information for a specified storage type.

Defaults
If groupname is not specified, information about all SNMP groups will be displayed.
If user is not specified, information about all SNMP users will be displayed.
If security-model is not specified, user information about all SNMP versions will be displayed.
If not specified, information for all storage types will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display SNMP group information:
A2(su)->show snmp group
--- SNMP group information ---
Security model     = SNMPv1
Security/user name = public
Group name         = Anyone
Storage type       = nonVolatile
Row status         = active

Security model     = SNMPv1
Security/user name = public.router1
Group name         = Anyone
Storage type       = nonVolatile
Row status         = active

Table 5-5 shows a detailed explanation of the command output.

Table 5-5    show snmp group Output Details

Output                What It Displays...
Security model        SNMP version associated with this group.
Security/user name    User belonging to the SNMP group.
Group name            Name of SNMP group.
Storage type          Whether entry is stored in volatile, nonvolatile or read-only memory.
Row status            Status of this entry: active, notInService, or notReady.

set snmp group


Use this command to create an SNMP group. This associates SNMPv3 users to a group that shares common access privileges.

Syntax
set snmp group groupname user user security-model {v1 | v2c | usm} [volatile | nonvolatile]

Parameters
groupname                        Specifies an SNMP group name to create.
user user                        Specifies an SNMPv3 user name to assign to the group.
security-model v1 | v2c | usm    Specifies an SNMP security model to assign to the group.
volatile | nonvolatile           (Optional) Specifies a storage type for SNMP entries associated with the group.

Defaults
If storage type is not specified, nonvolatile storage will be applied.

Mode
Switch command, read-write.

Example
This example shows how to create an SNMP group called "anyone", assign a user named "public" and assign SNMPv3 security to the group:
A2(su)->set snmp group anyone user public security-model usm

clear snmp group


Use this command to clear SNMP group settings globally or for a specific SNMP group and user.

Syntax
clear snmp group groupname user [security-model {v1 | v2c | usm}]

Parameters
groupname                        Specifies the SNMP group to be cleared.
user                             Specifies the SNMP user to be cleared.
security-model v1 | v2c | usm    (Optional) Clears the settings associated with a specific security model.

Defaults
If not specified, settings related to all security models will be cleared.

Mode
Switch command, read-write.

Example
This example shows how to clear all settings assigned to the "public" user within the SNMP group "anyone":
A2(su)->clear snmp group anyone public

show snmp community


Use this command to display SNMP community names and status. In SNMPv1 and v2, community names act as passwords to remote management.

Syntax
show snmp community [name]

Parameters
name    (Optional) Displays SNMP information for a specific community name.

Defaults
If name is not specified, information will be displayed for all SNMP communities.

Mode
Switch command, read-only.

Example
This example shows how to display information about the SNMP "public" community name. For a description of this output, refer to "set snmp community" (page 5-14).
A2(su)->show snmp community public
--- Configured community strings ---
Name          = public
Security name = public
Context       =
Transport tag =
Storage type  = nonVolatile
Status        = active

set snmp community


Use this command to configure an SNMP community group.

Syntax
set snmp community community [securityname securityname] [context context] [transport transport] [volatile | nonvolatile]

Parameters
community                    Specifies a community group name.
securityname securityname    (Optional) Specifies an SNMP security name to associate with this community.
context context              (Optional) Specifies a subset of management information this community will be allowed to access. Valid values are full or partial context names. To review all contexts configured for the device, use the show snmp context command as described in "show snmp context" on page 5-22.
transport transport          (Optional) Specifies the set of transport endpoints from which an SNMP request with this community name will be accepted. Makes a link to a target address table.
volatile | nonvolatile       (Optional) Specifies the storage type for these entries.

Defaults
If securityname is not specified, the community name will be used.
If context is not specified, access will be granted for the default context.
If transport tag is not specified, none will be applied.
If storage type is not specified, nonvolatile will be applied.

Mode
Switch command, read-write.

Example
This example shows how to set an SNMP community name called "vip":
A2(su)->set snmp community vip

clear snmp community


Use this command to delete an SNMP community name.

Syntax
clear snmp community name

Parameters
name    Specifies the SNMP community name to clear.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to delete the community name "vip":
A2(su)->clear snmp community vip

Configuring SNMP Access Rights


Purpose
To review and configure SNMP access rights, assigning viewing privileges and security levels to SNMP user groups.

Commands
The commands used to review and configure SNMP access are listed below.

For information about...    Refer to page...
show snmp access            5-16
set snmp access             5-18
clear snmp access           5-19

show snmp access


Use this command to display access rights and security levels configured for one or more SNMP groups.

Syntax
show snmp access [groupname] [security-model {v1 | v2c | usm}] [noauthentication | authentication | privacy] [context context] [volatile | nonvolatile | read-only]

Parameters
groupname                                      (Optional) Displays access information for a specific SNMPv3 group.
security-model v1 | v2c | usm                  (Optional) Displays access information for SNMP security model version 1, 2c or 3 (usm).
noauthentication | authentication | privacy    (Optional) Displays access information for a specific security level.
context context                                (Optional) Displays access information for a specific context. For a description of how to specify SNMP contexts, refer to "Using SNMP Contexts to Access Specific MIBs" on page 5-3.
volatile | nonvolatile | read-only             (Optional) Displays access entries for a specific storage type.

Defaults
If groupname is not specified, access information for all SNMP groups will be displayed.
If security-model is not specified, access information for all SNMP versions will be displayed.
If noauthentication, authentication or privacy are not specified, access information for all security levels will be displayed.
If context is not specified, all contexts will be displayed.
If volatile, nonvolatile or read-only are not specified, all entries of all storage types will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display SNMP access information:
A2(su)->show snmp access
Group          = SystemAdmin
Security model = USM
Security level = noAuthNoPriv
Read View      = All
Write View     =
Notify View    = All
Context match  = exact match
Storage type   = nonVolatile
Row status     = active

Group          = NightOperator
Security model = USM
Security level = noAuthNoPriv
Read View      = All
Write View     =
Notify View    = All
Context match  = exact match
Storage type   = nonVolatile
Row status     = active

Table 5-6 shows a detailed explanation of the command output.

Table 5-6    show snmp access Output Details

Output            What It Displays...
Group             SNMP group name.
Security model    Security model applied to this group. Valid types are: SNMPv1, SNMPv2c, and SNMPv3 (User based - USM).
Security level    Security level applied to this group. Valid levels are:
                  noAuthNoPrivacy (no authentication required)
                  AuthNoPrivacy (authentication required)
                  authPriv (privacy -- most secure level)
Read View         Name of the view that allows this group to view SNMP MIB objects.
Write View        Name of the view that allows this group to configure the contents of the SNMP agent.
Notify View       Name of the view that allows this group to send an SNMP trap message.
Context match     Whether or not SNMP context match must be exact (full context name match) or a partial match with a given prefix.
Storage type      Whether access entries for this group are stored in volatile, nonvolatile or read-only memory.
Row status        Status of this entry: active, notInService, or notReady.
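Because an access entry pairs a security level with read, write and notify views, captured show snmp access output can be checked for groups that reach a view with no authentication (the only level available to v1 and v2c in Table 5-1). The following is an added example, not part of the Enterasys guide: the function names, the severity labels and the sample capture are constructed for illustration.

```python
"""Audit captured `show snmp access` output for weak security levels."""

# Constructed capture in the "key = value" layout of the command output.
SAMPLE = """\
A2(su)->show snmp access
Group          = SystemAdmin
Security model = USM
Security level = noAuthNoPriv
Read View      = All
Write View     = All
Notify View    = All
Row status     = active

Group          = NightOperator
Security model = USM
Security level = noAuthNoPriv
Read View      = All
Write View     =
Notify View    = All
Row status     = active

Group          = Helpdesk
Security model = USM
Security level = authNoPriv
Read View      = All
Write View     =
Notify View    =
Row status     = active

Group          = NetOps
Security model = USM
Security level = authPriv
Read View      = All
Write View     = All
Notify View    = All
Row status     = active

Group          = OldGroup
Security model = SNMPv1
Security level = noAuthNoPriv
Read View      = All
Write View     = All
Notify View    =
Row status     = notInService
"""


def parse_access(text):
    """Return one dict per access entry; a 'Group' line starts a new entry."""
    entries, current = [], None
    for line in text.splitlines():
        if "=" not in line:
            continue  # prompt line or blank separator
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "group":
            current = {}
            entries.append(current)
        if current is not None:
            current[key] = value
    return entries


def audit(entries):
    """Return [(group, severity, reason)] for active entries that expose a
    view without authentication, or with authentication but no encryption."""
    findings = []
    for entry in entries:
        if entry.get("row status", "").lower() != "active":
            continue  # notInService / notReady rows grant nothing right now
        group = entry.get("group", "?")
        level = entry.get("security level", "").lower()
        # Matches both "noAuthNoPriv" (output) and "noAuthNoPrivacy" (Table 5-6).
        if level.startswith("noauth"):
            if entry.get("write view"):
                findings.append((group, "HIGH",
                                 "write view reachable without authentication"))
            elif entry.get("read view"):
                findings.append((group, "MEDIUM",
                                 "read view reachable without authentication"))
        elif level.startswith("authnopriv"):
            findings.append((group, "LOW",
                             "authenticated but frames are not encrypted"))
    return findings


if __name__ == "__main__":
    for group, severity, reason in audit(parse_access(SAMPLE)):
        print(f"{severity:6} {group}: {reason}")
```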

set snmp access


Use this command to set an SNMP access configuration.

Syntax
set snmp access groupname security-model {v1 | v2c | usm} [noauthentication | authentication | privacy] [context context] [exact | prefix] [read read] [write write] [notify notify] [volatile | nonvolatile]

Parameters
groupname                                      Specifies a name for an SNMPv3 group.
security-model v1 | v2c | usm                  Specifies SNMP version 1, 2c or 3 (usm).
noauthentication | authentication | privacy    (Optional) Applies SNMP security level as no authentication, authentication (without privacy) or privacy. Privacy specifies that messages sent on behalf of the user are protected from disclosure.
context context exact | prefix                 (Optional) Sets the context for this access configuration and specifies that the match must be exact (matching the whole context string) or a prefix match only. Context is a subset of management information this SNMP group will be allowed to access. Valid values are full or partial context names. To review all contexts configured for the device, use the show snmp context command as described in "show snmp context" on page 5-22.
read read                                      (Optional) Specifies a read access view.
write write                                    (Optional) Specifies a write access view.
notify notify                                  (Optional) Specifies a notify access view.
volatile | nonvolatile | read-only             (Optional) Stores associated SNMP entries as temporary or permanent, or read-only.

Defaults
If security level is not specified, no authentication will be applied.
If context is not specified, access will be enabled for the default context. If context is specified without a context match, exact match will be applied.
If read view is not specified, none will be applied.
If write view is not specified, none will be applied.
If notify view is not specified, none will be applied.
If storage type is not specified, entries will be stored as permanent and will be held through device reboot.

Mode
Switch command, read-write.

Example
This example permits the "powergroup" to manage all MIBs via SNMPv3:
A2(su)->set snmp access powergroup security-model usm

clear snmp access


Use this command to clear the SNMP access entry of a specific group, including its set SNMP security model, and level of security.

Syntax
clear snmp access groupname security-model {v1 | v2c | usm} [noauthentication | authentication | privacy] [context context]

Parameters
groupname                                      Specifies the name of the SNMP group for which to clear access.
security-model v1 | v2c | usm                  Specifies the security model to be cleared for the SNMP access group.
noauthentication | authentication | privacy    (Optional) Clears a specific security level for the SNMP access group.
context context                                (Optional) Clears a specific context for the SNMP access group. Enter // to clear the default context.

Defaults
If security level is not specified, all levels will be cleared.
If context is not specified, none will be applied.

Mode
Switch command, read-write.

Example
This example shows how to clear SNMP version 3 access for the "mis-group" via the authentication protocol:
A2(su)->clear snmp access mis-group security-model usm authentication

Configuring SNMP MIB Views


Purpose
To review and configure SNMP MIB views. SNMP views map SNMP objects to access rights.

Commands
The commands used to review and configure SNMP MIB views are listed below.

For information about...    Refer to page...
show snmp view              5-20
show snmp context           5-22
set snmp view               5-23
clear snmp view             5-24

show snmp view


Use this command to display the MIB configuration for SNMPv3 view-based access (VACM).

Syntax
show snmp view [viewname] [subtree oid-or-mibobject] [volatile | nonvolatile | read-only]

Parameters
viewname                              (Optional) Displays information for a specific MIB view.
subtree oid-or-mibobject              (Optional) Displays information for a specific MIB subtree when viewname is specified.
volatile | nonvolatile | read-only    (Optional) Displays entries for a specific storage type.

Defaults
If no parameters are specified, all SNMP MIB view configuration information will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display SNMP MIB view configuration information:
A2(su)->show snmp view
--- SNMP MIB View information ---
View Name    = All
Subtree OID  = 1
Subtree mask =
View Type    = included
Storage type = nonVolatile
Row status   = active

View Name    = All
Subtree OID  = 0.0
Subtree mask =
View Type    = included
Storage type = nonVolatile
Row status   = active

View Name    = Network
Subtree OID  = 1.3.6.1.2.1
Subtree mask =
View Type    = included
Storage type = nonVolatile
Row status   = active

Table 5-7 provides an explanation of the command output. For details on using the set snmp view command to assign variables, refer to "set snmp view" on page 5-23.

Table 5-7    show snmp view Output Details

Output          What It Displays...
View Name       Name assigned to a MIB view.
Subtree OID     Name identifying a MIB subtree.
Subtree mask    Bitmask applied to a MIB subtree.
View Type       Whether or not subtree use must be included or excluded for this view.
Storage type    Whether storage is in nonVolatile or Volatile memory.
Row status      Status of this entry: active, notInService, or notReady.

show snmp context


Use this command to display the context list configuration for SNMP's view-based access control.

Syntax
show snmp context

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Usage
An SNMP context is a collection of management information that can be accessed by an SNMP agent or entity. The default context allows all SNMP agents to access all management information (MIBs). When created using the set snmp access command ("set snmp access" on page 5-18), other contexts can be applied to limit access to a subset of management information.

Example
This example shows how to display a list of all SNMP contexts known to the device:
A2(su)->show snmp context
--- Configured contexts:
default context (all mibs)

set snmp view


Use this command to set a MIB configuration for SNMPv3 view-based access (VACM).

Syntax
set snmp view viewname viewname subtree subtree [mask mask] [included | excluded] [volatile | nonvolatile]

Parameters
viewname viewname         Specifies a name for a MIB view.
subtree subtree           Specifies a MIB subtree name.
mask mask                 (Optional) Specifies a bitmask for a subtree.
included | excluded       (Optional) Specifies subtree use (default) or no subtree use.
volatile | nonvolatile    (Optional) Specifies the use of temporary or permanent (default) storage.

Defaults
If not specified, mask will be set to 255.255.255.255.
If not specified, subtree use will be included.
If storage type is not specified, nonvolatile (permanent) will be applied.

Mode
Switch command, read-write.

Example
This example shows how to set an SNMP MIB view to "public" with a subtree name of 1.3.6.1 included:
A2(su)->set snmp view viewname public subtree 1.3.6.1 included

clear snmp view


Use this command to delete an SNMPv3 MIB view.

Syntax
clear snmp view viewname subtree

Parameters
viewname    Specifies the MIB view name to be deleted.
subtree     Specifies the subtree name of the MIB view to be deleted.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to delete SNMP MIB view "public":
A2(su)->clear snmp view public 1.3.6.1


Configuring SNMP Target Parameters


Purpose
To review and configure SNMP target parameters. This controls where and under what circumstances SNMP notifications will be sent. A target parameter entry can be bound to a target IP address allowed to receive SNMP notification messages with the set snmp targetaddr command ("set snmp targetaddr" on page 5-30).

Commands
The commands used to review and configure SNMP target parameters are listed below.

For information about...     Refer to page...
show snmp targetparams       5-25
set snmp targetparams        5-27
clear snmp targetparams      5-28

show snmp targetparams


Use this command to display SNMP parameters used to generate a message to a target.

Syntax
show snmp targetparams [targetParams] [volatile | nonvolatile | read-only]

Parameters
targetParams                          (Optional) Displays entries for a specific target parameter.
volatile | nonvolatile | read-only    (Optional) Displays target parameter entries for a specific storage type.

Defaults
If targetParams is not specified, entries associated with all target parameters will be displayed.
If not specified, entries of all storage types will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display SNMP target parameters information:
A2(su)->show snmp targetparams
--- SNMP TargetParams information ---
Target Parameter Name = v1ExampleParams
Security Name         = public
Message Proc. Model   = SNMPv1
Security Level        = noAuthNoPriv
Storage type          = nonVolatile
Row status            = active

Target Parameter Name = v2cExampleParams
Security Name         = public
Message Proc. Model   = SNMPv2c
Security Level        = noAuthNoPriv
Storage type          = nonVolatile
Row status            = active

Target Parameter Name = v3ExampleParams
Security Name         = CharlieDChief
Message Proc. Model   = USM
Security Level        = authNoPriv
Storage type          = nonVolatile
Row status            = active

Table 5-8 shows a detailed explanation of the command output.

Table 5-8   show snmp targetparams Output Details

Output                   What It Displays...
Target Parameter Name    Unique identifier for the parameter in the SNMP target parameters table. Maximum length is 32 bytes.
Security Name            Security string definition.
Message Proc. Model      SNMP version.
Security Level           Type of security level (auth: security level is set to use authentication protocol, noauth: security level is not set to use authentication protocol, or privacy).
Storage type             Whether entry is stored in volatile, nonvolatile or read-only memory.
Row status               Status of this entry: active, notInService, or notReady.


set snmp targetparams


Use this command to set SNMP target parameters, a named set of security/authorization criteria used to generate a message to a target.

Syntax
set snmp targetparams paramsname user user security-model {v1 | v2c | usm} message-processing {v1 | v2c | v3} [noauthentication | authentication | privacy] [volatile | nonvolatile]

Parameters
paramsname                                     Specifies a name identifying parameters used to generate SNMP messages to a particular target.
user user                                      Specifies an SNMPv1 or v2 community name or an SNMPv3 user name. Maximum length is 32 bytes.
security-model v1 | v2c | usm                  Specifies the SNMP security model applied to this target parameter as version 1, 2c or 3 (usm).
message-processing v1 | v2c | v3               Specifies the SNMP message processing model applied to this target parameter as version 1, 2c or 3.
noauthentication | authentication | privacy    (Optional) Specifies the SNMP security level applied to this target parameter as no authentication, authentication (without privacy) or privacy. Privacy specifies that messages sent on behalf of the user are protected from disclosure.
volatile | nonvolatile                         (Optional) Specifies the storage type applied to this target parameter.

Defaults
None.
If not specified, security level will be set to noauthentication.
If not specified, storage type will be set to nonvolatile.

Mode
Switch command, read-write.

Example
This example shows how to set SNMP target parameters named "v1ExampleParams" for a user named "fred" using version 3 security model and message processing, and authentication:
A2(su)->set snmp targetparams v1ExampleParams user fred security-model usm message-processing v3 authentication


clear snmp targetparams


Use this command to clear the SNMP target parameter configuration.

Syntax
clear snmp targetparams targetParams

Parameters
targetParams    Specifies the name of the parameter in the SNMP target parameters table to be cleared.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear SNMP target parameters named "v1ExampleParams":
A2(su)->clear snmp targetparams v1ExampleParams


Configuring SNMP Target Addresses


Purpose
To review and configure SNMP target addresses which will receive SNMP notification messages. An address configuration can be linked to optional SNMP transmit, or target, parameters (such as timeout, retry count, and UDP port) set with the set snmp targetparams command (page 5-27).

Commands
The commands used to review and configure SNMP target addresses are listed below.

For information about...    Refer to page...
show snmp targetaddr        5-29
set snmp targetaddr         5-30
clear snmp targetaddr       5-31

show snmp targetaddr


Use this command to display SNMP target address information.

Syntax
show snmp targetaddr [targetAddr] [volatile | nonvolatile | read-only]

Parameters
targetAddr                            (Optional) Displays information for a specific target address name.
volatile | nonvolatile | read-only    (Optional) When target address is specified, displays target address information for a specific storage type.

Defaults
If targetAddr is not specified, entries for all target address names will be displayed.
If not specified, entries of all storage types will be displayed for a target address.

Mode
Switch command, read-only.

Example
This example shows how to display SNMP target address information:
A2(su)->show snmp targetaddr
Target Address Name = labmachine
Tag List            = v2cTrap
IP Address          = 10.2.3.116
UDP Port#           = 162
Target Mask         = 255.255.255.255
Timeout             = 1500
Retry count         = 4
Parameters          = v2cParams
Storage type        = nonVolatile
Row status          = active

Table 5-9 shows a detailed explanation of the command output.

Table 5-9   show snmp targetaddr Output Details

Output                 What It Displays...
Target Address Name    Unique identifier in the snmpTargetAddressTable.
Tag List               Tags a location to the target address as a place to send notifications.
IP Address             Target IP address.
UDP Port#              Number of the UDP port of the target host to use.
Target Mask            Target IP address mask.
Timeout                Timeout setting for the target address.
Retry count            Retry setting for the target address.
Parameters             Entry in the snmpTargetParamsTable.
Storage type           Whether entry is stored in volatile, nonvolatile or read-only memory.
Row status             Status of this entry: active, notInService, or notReady.

set snmp targetaddr


Use this command to configure an SNMP target address. The target address is a unique identifier and a specific IP address that will receive SNMP notification messages and determine which community strings will be accepted. This address configuration can be linked to optional SNMP transmit parameters (such as timeout, retry count, and UDP port).

Syntax
set snmp targetaddr targetaddr ipaddr param param [udpport udpport] [mask mask] [timeout timeout] [retries retries] [taglist taglist] [volatile | nonvolatile]

Parameters
targetaddr                Specifies a unique identifier to index the snmpTargetAddrTable. Maximum length is 32 bytes.
ipaddr                    Specifies the IP address of the target.
param param               Specifies an entry in the SNMP target parameters table, which is used when generating a message to the target. Maximum length is 32 bytes.
udpport udpport           (Optional) Specifies which UDP port of the target host to use.
mask mask                 (Optional) Specifies the IP mask of the target.
timeout timeout           (Optional) Specifies the maximum round trip time allowed to communicate to this target address. This value is in .01 seconds and the default is 1500 (15 seconds).
retries retries           (Optional) Specifies the number of message retries allowed if a response is not received. Default is 3.
taglist taglist           (Optional) Specifies a list of SNMP notify tag values. This tags a location to the target address as a place to send notifications. List must be enclosed in quotes and tag values must be separated by a space (for example, "tag1 tag2").
volatile | nonvolatile    (Optional) Specifies temporary (default), or permanent storage for SNMP entries.

Defaults
If not specified, udpport will be set to 162.
If not specified, mask will be set to 255.255.255.255.
If not specified, timeout will be set to 1500.
If not specified, number of retries will be set to 3.
If taglist is not specified, none will be set.
If not specified, storage type will be nonvolatile.

Mode
Switch command, read-write.

Example
This example shows how to configure a trap notification called "TrapSink". This trap notification will be sent to the workstation 192.168.190.80 (which is target address "tr"). It will use security and authorization criteria contained in a target parameters entry called "v2cExampleParams". For more information on configuring a basic SNMP trap, refer to "Creating a Basic SNMP Trap Configuration" on page 5-41:
A2(su)->set snmp targetaddr tr 192.168.190.80 param v2cExampleParams taglist TrapSink

clear snmp targetaddr


Use this command to delete an SNMP target address entry.

Syntax
clear snmp targetaddr targetAddr

Parameters
targetAddr    Specifies the target address entry to delete.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear SNMP target address entry "tr":
A2(su)->clear snmp targetaddr tr


Configuring SNMP Notification Parameters


About SNMP Notify Filters
Profiles indicating which targets should not receive SNMP notification messages are kept in the NotifyFilter table. If this table is empty, meaning that no filtering is associated with any SNMP target, then no filtering will take place. "Traps" or "informs" notifications will be sent to all destinations in the SNMP targetAddrTable that have tags matching those found in the NotifyTable.

When the NotifyFilter table contains profile entries, the SNMP agent will find any filter profile name that corresponds to the target parameter name contained in an outgoing notification message. It will then apply the appropriate subtree-specific filter when generating notification messages.

Purpose
To configure SNMP notification parameters and optional filters. Notifications are entities which handle the generation of SNMPv1 and v2 "traps" or SNMPv3 "informs" messages to select management targets. Optional notification filters identify which targets should not receive notifications. For a sample SNMP trap configuration showing how SNMP notification parameters are associated with security and authorization criteria (target parameters) and mapped to a management target address, refer to "Creating a Basic SNMP Trap Configuration" on page 5-41.

Commands
The commands used to configure SNMP notification parameters and filters are listed below.

For information about...     Refer to page...
show snmp notify             5-34
set snmp notify              5-35
clear snmp notify            5-36
show snmp notifyfilter       5-36
set snmp notifyfilter        5-37
clear snmp notifyfilter      5-38
show snmp notifyprofile      5-38
set snmp notifyprofile       5-39
clear snmp notifyprofile     5-40


show snmp notify


Use this command to display the SNMP notify configuration, which determines which management targets will receive SNMP notifications.

Syntax
show snmp notify [notify] [volatile | nonvolatile | read-only]

Parameters
notify                                (Optional) Displays notify entries for a specific notify name.
volatile | nonvolatile | read-only    (Optional) Displays notify entries for a specific storage type.

Defaults
If a notify name is not specified, all entries will be displayed.
If volatile, nonvolatile or read-only are not specified, all storage type entries will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display the SNMP notify information:
A2(su)->show snmp notify
--- SNMP notifyTable information ---
Notify name  = 1
Notify Tag   = Console
Notify Type  = trap
Storage type = nonVolatile
Row status   = active

Notify name  = 2
Notify Tag   = TrapSink
Notify Type  = trap
Storage type = nonVolatile
Row status   = active

Table 5-10 shows a detailed explanation of the command output.

Table 5-10   show snmp notify Output Details

Output          What It Displays...
Notify name     A unique identifier used to index the SNMP notify table.
Notify Tag      Name of the entry in the SNMP notify table.
Notify Type     Type of notification: SNMPv1 or v2 trap or SNMPv3 InformRequest message.
Storage type    Whether access entry is stored in volatile, nonvolatile or read-only memory.
Row status      Status of this entry: active, notInService, or notReady.


set snmp notify


Use this command to set the SNMP notify configuration. This creates an entry in the SNMP notify table, which is used to select management targets who should receive notification messages. This command's tag parameter can be used to bind each entry to a target address using the set snmp targetaddr command ("set snmp targetaddr" on page 5-30).

Syntax
set snmp notify notify tag tag [trap | inform] [volatile | nonvolatile]

Parameters
notify                    Specifies an SNMP notify name.
tag tag                   Specifies an SNMP notify tag. This binds the notify name to the SNMP target address table.
trap | inform             (Optional) Specifies SNMPv1 or v2 Trap messages (default) or SNMPv3 InformRequest messages.
volatile | nonvolatile    (Optional) Specifies temporary (default), or permanent storage for SNMP entries.

Defaults
If not specified, message type will be set to trap.
If not specified, storage type will be set to nonvolatile.

Mode
Switch command, read-write.

Example
This example shows how to set an SNMP notify configuration with a notify name of "hello" and a notify tag of "world". Notifications will be sent as trap messages and storage type will automatically default to permanent:
A2(su)->set snmp notify hello tag world trap


clear snmp notify


Use this command to clear an SNMP notify configuration.

Syntax
clear snmp notify notify

Parameters
notify    Specifies an SNMP notify name to clear.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear the SNMP notify configuration for "hello":
A2(su)->clear snmp notify hello

show snmp notifyfilter


Use this command to display SNMP notify filter information, identifying which profiles will not receive SNMP notifications.

Syntax
show snmp notifyfilter [profile] [subtree oid-or-mibobject] [volatile | nonvolatile | read-only]

Parameters
profile                               (Optional) Displays a specific notify filter.
subtree oid-or-mibobject              (Optional) Displays a notify filter within a specific subtree.
volatile | nonvolatile | read-only    (Optional) Displays notify filter entries of a specific storage type.

Defaults
If no parameters are specified, all notify filter information will be displayed.

Mode
Switch command, read-only.

Usage
See "About SNMP Notify Filters" on page 5-33 for more information about notify filters.

Example
This example shows how to display SNMP notify filter information. In this case, the notify profile "pilot1" in subtree 1.3.6 will not receive SNMP notification messages:
A2(su)->show snmp notifyfilter
--- SNMP notifyFilter information ---
Profile      = pilot1
Subtree      = 1.3.6
Filter type  = included
Storage type = nonVolatile
Row status   = active

set snmp notifyfilter


Use this command to create an SNMP notify filter configuration. This identifies which management targets should NOT receive notification messages, which is useful for fine-tuning the amount of SNMP traffic generated.

Syntax
set snmp notifyfilter profile subtree oid-or-mibobject [mask mask] [included | excluded] [volatile | nonvolatile]

Parameters
profile                     Specifies an SNMP filter notify name.
subtree oid-or-mibobject    Specifies a MIB subtree ID target for the filter.
mask mask                   (Optional) Applies a subtree mask.
included | excluded         (Optional) Specifies that subtree is included or excluded.
volatile | nonvolatile      (Optional) Specifies a storage type.

Defaults
If not specified, mask is not set.
If not specified, subtree will be included.
If storage type is not specified, nonvolatile (permanent) will be applied.

Mode
Switch command, read-write.

Usage
See "About SNMP Notify Filters" on page 5-33 for more information about notify filters.

Example
This example shows how to create an SNMP notify filter called "pilot1" with a MIB subtree ID of 1.3.6:
A2(su)->set snmp notifyfilter pilot1 subtree 1.3.6


clear snmp notifyfilter


Use this command to delete an SNMP notify filter configuration.

Syntax
clear snmp notifyfilter profile subtree oid-or-mibobject

Parameters
profile                     Specifies an SNMP filter notify name to delete.
subtree oid-or-mibobject    Specifies a MIB subtree ID containing the filter to be deleted.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to delete the SNMP notify filter "pilot1":
A2(su)->clear snmp notifyfilter pilot1 subtree 1.3.6

show snmp notifyprofile


Use this command to display SNMP notify profile information. This associates target parameters to an SNMP notify filter to determine who should not receive SNMP notifications.

Syntax
show snmp notifyprofile [profile] [targetparam targetparam] [volatile | nonvolatile | read-only]

Parameters
profile                               (Optional) Displays a specific notify profile.
targetparam targetparam               (Optional) Displays entries for a specific target parameter.
volatile | nonvolatile | read-only    (Optional) Displays notify filter entries of a specific storage type.

Defaults
If no parameters are specified, all notify profile information will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display SNMP notify information for the profile named "area51":
A2(su)->show snmp notifyprofile area51
--- SNMP notifyProfile information ---
Notify Profile = area51
TargetParam    = v3ExampleParams
Storage type   = nonVolatile
Row status     = active

set snmp notifyprofile


Use this command to create an SNMP notify filter profile configuration. This associates a notification filter, created with the set snmp notifyfilter command ("set snmp notifyfilter" on page 5-37), to a set of SNMP target parameters to determine which management targets should not receive SNMP notifications.

Syntax
set snmp notifyprofile profile targetparam targetparam [volatile | nonvolatile]

Parameters
profile                    Specifies an SNMP filter notify name.
targetparam targetparam    Specifies an associated entry in the SNMP Target Params Table.
volatile | nonvolatile     (Optional) Specifies a storage type.

Defaults
If storage type is not specified, nonvolatile (permanent) will be applied.

Mode
Switch command, read-write.

Example
This example shows how to create an SNMP notify profile named "area51" and associate a target parameters entry.
A2(su)->set snmp notifyprofile area51 targetparam v3ExampleParams


clear snmp notifyprofile


Use this command to delete an SNMP notify profile configuration.

Syntax
clear snmp notifyprofile profile targetparam targetparam

Parameters
profile                    Specifies an SNMP filter notify name to delete.
targetparam targetparam    Specifies an associated entry in the snmpTargetParamsTable.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to delete SNMP notify profile "area51":
A2(su)->clear snmp notifyprofile area51 targetparam v3ExampleParams


Creating a Basic SNMP Trap Configuration


Traps are notification messages sent by an SNMPv1 or v2 agent to a network management station, a console, or a terminal to indicate the occurrence of a significant event, such as when a port or device goes up or down, when there are authentication failures, and when power supply errors occur. The following configuration example shows how to use CLI commands to associate SNMP notification parameters with security and authorization criteria (target parameters), and map the parameters to a management target address.
Note: This example illustrates how to configure an SNMPv2 trap notification. Creating an SNMPv1 or v3 Trap, or an SNMPv3 Inform notification would require using the same commands with different parameters, where appropriate. Always ensure that v1/v2 communities or v3 users used for generating traps or informs are pre-configured with enough privileges to access corresponding MIBs.

Complete an SNMPv2 trap configuration on a SecureStack A2 device as follows:
1. Create a community name that will act as an SNMP user password.
2. Create an SNMP target parameters entry to associate security and authorization criteria to the users in the community created in Step 1.
3. Verify if any applicable SNMP notification entries exist, or create a new one. You will use this entry to send SNMP notification messages to the appropriate management targets created in Step 2.
4. Create a target address entry to bind a management IP address to:
   • The notification entry and tag name created in Step 3 and
   • The target parameters entry created in Step 2.

Table 5-11 shows the commands used to complete an SNMPv2 trap configuration on a SecureStack A2 device.

Table 5-11   Basic SNMP Trap Configuration

To do this ...                                               Use these commands ...
Create a community name.                                     set snmp community
Create an SNMP target parameters entry.                      set snmp targetparams
Verify if any applicable SNMP notification entries exist.    show snmp notify
Create a new notification entry.                             set snmp notify
Create a target address entry.                               set snmp targetaddr

Example
This example shows how to:
• Create an SNMP community called mgmt.
• Configure a trap notification called TrapSink.

This trap notification will be sent with the community name mgmt to the workstation 192.168.190.80 (which is target address tr). It will use security and authorization criteria contained in a target parameters entry called v2cExampleParams.

A2(su)->set snmp community mgmt
A2(su)->set snmp targetparams v2cExampleParams user mgmt security-model v2c message-processing v2c
A2(su)->set snmp notify entry1 tag TrapSink
A2(su)->set snmp targetaddr tr 192.168.190.80 param v2cExampleParams taglist TrapSink

How SNMP Will Use This Configuration


In order to send a trap/notification requested by a MIB code, the SNMP agent requires the equivalent of a trap "door", a "key" to unlock the door, and a "procedure" for crossing the doorstep. To determine if all these elements are in place, the SNMP agent proceeds as follows:
1. Determines if the "keys" for trap "doors" do exist. In the example configuration above, the key that SNMP is looking for is the notification entry created with the set snmp notify command which, in this case, is a key labeled entry1.
2. Searches for the doors matching such a key. For example, the parameters set for the entry1 key show that it opens only the door TrapSink.
3. Verifies that the specified door TrapSink is, in fact, available. In this case it was built using the set snmp targetaddr command. This command also specifies that this door leads to the management station 192.168.190.80, and the "procedure" (targetparams) to cross the doorstep is called v2cExampleParams.
4. Verifies that the v2cExampleParams description of how to step through the door is, in fact, there. The agent checks targetparams entries and determines this description was made with the set snmp targetparams command, which tells exactly which SNMP protocol to use and what community name to provide. In this case, the community name is mgmt.
5. Verifies that the mgmt community name is available. In this case, it has been configured using the set snmp community command.
6. Sends the trap notification message.
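The lookup chain above can be replayed offline against a saved configuration to find a missing link before relying on the trap. This added example (not from the guide or from Enterasys) parses the set snmp commands of the trap example, follows notify, tag, target address, target parameters and community in that order, and also flags target parameters left at the default noauthentication level. The second target address tr2 and the function names parse_config and trace_notifications are constructed for illustration.

```python
import shlex

PROMPT = "A2(su)->"

# Constructed input: the four commands from the guide's trap example, plus one
# constructed target address (tr2) whose param names an entry that was never created.
SAMPLE_CONFIG = """\
A2(su)->set snmp community mgmt
A2(su)->set snmp targetparams v2cExampleParams user mgmt security-model v2c message-processing v2c
A2(su)->set snmp notify entry1 tag TrapSink
A2(su)->set snmp targetaddr tr 192.168.190.80 param v2cExampleParams taglist TrapSink
A2(su)->set snmp targetaddr tr2 192.168.190.81 param v2ExampleParams taglist TrapSink
"""

VALUED = ("user", "security-model", "message-processing", "tag", "param",
          "udpport", "mask", "timeout", "retries", "taglist")
FLAGS = {"noauthentication": "level", "authentication": "level", "privacy": "level",
         "trap": "type", "inform": "type",
         "volatile": "storage", "nonvolatile": "storage"}


def _options(tokens):
    """Walk 'keyword value' pairs and bare flags from left to right."""
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUED and i + 1 < len(tokens):
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            if tok in FLAGS:
                opts[FLAGS[tok]] = tok
            i += 1
    return opts


def parse_config(text):
    """Build the community, targetparams, notify and targetaddr tables."""
    cfg = {"community": set(), "targetparams": {}, "notify": {}, "targetaddr": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(PROMPT):
            line = line[len(PROMPT):]
        tok = shlex.split(line)  # honours the quoted taglist form "tag1 tag2"
        if len(tok) < 4 or tok[:2] != ["set", "snmp"] or tok[2] not in cfg:
            continue
        table, name, rest = tok[2], tok[3], tok[4:]
        if table == "community":
            cfg["community"].add(name)
        elif table == "targetaddr" and rest:
            entry = _options(rest[1:])
            entry["ip"] = rest[0]
            entry["tags"] = entry.pop("taglist", "").split()
            entry.setdefault("udpport", "162")  # default stated in the guide
            cfg["targetaddr"][name] = entry
        elif table in ("targetparams", "notify"):
            entry = _options(rest)
            if table == "targetparams":
                entry.setdefault("level", "noauthentication")  # default stated in the guide
            cfg[table][name] = entry
    return cfg


def trace_notifications(cfg):
    """Follow notify -> tag -> targetaddr -> targetparams -> community."""
    deliveries, findings = [], []
    for nname, notify in sorted(cfg["notify"].items()):
        tag = notify.get("tag")
        addrs = [(a, e) for a, e in sorted(cfg["targetaddr"].items()) if tag in e["tags"]]
        if not addrs:
            findings.append(f"notify {nname}: no targetaddr carries tag {tag}")
        for aname, addr in addrs:
            pname = addr.get("param")
            params = cfg["targetparams"].get(pname)
            if params is None:
                findings.append(f"targetaddr {aname}: targetparams {pname} is not defined")
                continue
            model, user = params.get("security-model"), params.get("user")
            # USM user definitions are outside this example; only communities are checked.
            if model in ("v1", "v2c") and user not in cfg["community"]:
                findings.append(f"targetparams {pname}: community {user} is not defined")
                continue
            if params["level"] == "noauthentication":
                findings.append(f"targetaddr {aname}: notifications to {addr['ip']} "
                                f"are sent with no authentication or privacy ({model})")
            deliveries.append((nname, tag, aname, addr["ip"], addr["udpport"], pname))
    return deliveries, findings


if __name__ == "__main__":
    sent, problems = trace_notifications(parse_config(SAMPLE_CONFIG))
    for row in sent:
        print("deliver:", row)
    for p in problems:
        print("finding:", p)
```

Run against the sample, the trace reports one deliverable path (entry1 to tr) and two findings: the unauthenticated v2c delivery and the undefined parameters entry referenced by tr2.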


6
Spanning Tree Configuration
This chapter describes the Spanning Tree Configuration set of commands and how to use them.

For information about...                       Refer to page...
Spanning Tree Configuration Summary            6-1
Configuring Spanning Tree Bridge Parameters    6-3
Configuring Spanning Tree Port Parameters      6-32

Caution: Spanning Tree configuration should be performed only by personnel who are very knowledgeable about Spanning Trees and the configuration of the Spanning Tree Algorithm. Otherwise, the proper operation of the network could be at risk.

Spanning Tree Configuration Summary


Overview: Single, Rapid, and Multiple Spanning Tree Protocols
The IEEE 802.1D Spanning Tree Protocol (STP) resolves the problems of physical loops in a network by establishing one primary path between any two devices in a network. Any duplicate paths are barred from use and become standby or blocked paths until the original path fails, at which point they can be brought into service.

RSTP
The IEEE 802.1w Rapid Spanning Tree Protocol (RSTP), an evolution of 802.1D, can achieve much faster convergence than legacy STP in a properly configured network. RSTP significantly reduces the time to reconfigure the network's active topology when physical topology or configuration parameter changes occur. It selects one switch as the root of a Spanning Tree-connected active topology and assigns port roles to individual ports on the switch, depending on whether that port is part of the active topology.

RSTP provides rapid connectivity following the failure of a switch, switch port, or a LAN. A new root port and the designated port on the other side of the bridge transition to forwarding through an explicit handshake between them. By default, user ports are configured to rapidly transition to forwarding in RSTP.

MSTP
The IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) builds upon 802.1D and RSTP by optimizing utilization of redundant links between switches in a network. When redundant links exist between a pair of switches running single STP, one link is forwarding while the others are blocking for all traffic flowing between the two switches. The blocking links are effectively used only if the forwarding link goes down. MSTP assigns each VLAN present on the network to a particular Spanning Tree instance, allowing each switch port to be in a distinct state for each such instance: blocking for one Spanning Tree while forwarding for another. Thus, traffic associated with one set of VLANs can traverse a particular inter-switch link, while traffic associated with another set of VLANs can be blocked on that link. If VLANs are assigned to Spanning Trees wisely, no inter-switch link will be completely idle, maximizing network utilization.

For details on creating Spanning Tree instances, refer to "set spantree msti" on page 6-12.

For details on mapping Spanning Tree instances to VLANs, refer to "set spantree mstmap" on page 6-13.
Note: MSTP and RSTP are fully compatible and interoperable with each other and with legacy STP 802.1D.

Spanning Tree Features


The SecureStack A2 device meets the requirements of the Spanning Tree Protocols by performing the following functions:
• Creating a single Spanning Tree from any arrangement of switching or bridging elements.
• Compensating automatically for the failure, removal, or addition of any device in an active data path.
• Achieving port changes in short time intervals, which establishes a stable active topology quickly with minimal network disturbance.
• Using a minimum amount of communications bandwidth to accomplish the operation of the Spanning Tree Protocol.
• Reconfiguring the active topology in a manner that is transparent to stations transmitting and receiving data packets.
• Managing the topology in a consistent and reproducible manner through the use of Spanning Tree Protocol parameters.
Note: The term bridge is used as an equivalent to the term switch or device in this document.


Configuring Spanning Tree Bridge Parameters


Purpose
To display and set Spanning Tree bridge parameters, including device priorities, hello time, maximum wait time, forward delay, path cost, and topology change trap suppression.

Commands
The commands used to review and set Spanning Tree bridge parameters are listed below.

For information about...                 Refer to page...
show spantree stats                      6-5
set spantree                             6-7
show spantree version                    6-7
set spantree version                     6-8
clear spantree version                   6-8
show spantree bpdu-forwarding            6-9
set spantree bpdu-forwarding             6-9
show spantree bridgeprioritymode         6-10
set spantree bridgeprioritymode          6-10
clear spantree bridgeprioritymode        6-11
show spantree mstilist                   6-11
set spantree msti                        6-12
clear spantree msti                      6-12
show spantree mstmap                     6-13
set spantree mstmap                      6-13
clear spantree mstmap                    6-14
show spantree vlanlist                   6-14
show spantree mstcfgid                   6-15
set spantree mstcfgid                    6-16
clear spantree mstcfgid                  6-16
set spantree priority                    6-17
clear spantree priority                  6-17
set spantree hello                       6-18
clear spantree hello                     6-18
set spantree maxage                      6-19
clear spantree maxage                    6-19
set spantree fwddelay                    6-20
clear spantree fwddelay                  6-20
show spantree backuproot                 6-21
set spantree backuproot                  6-21
clear spantree backuproot                6-22
show spantree tctrapsuppress             6-22
set spantree tctrapsuppress              6-23
clear spantree tctrapsuppress            6-24
set spantree protomigration              6-24
show spantree spanguard                  6-25
set spantree spanguard                   6-25
clear spantree spanguard                 6-26
show spantree spanguardtimeout           6-26
set spantree spanguardtimeout            6-27
clear spantree spanguardtimeout          6-27
show spantree spanguardlock              6-28
clear/set spantree spanguardlock         6-28
show spantree spanguardtrapenable        6-29
set spantree spanguardtrapenable         6-29
clear spantree spanguardtrapenable       6-30
show spantree legacypathcost             6-30
set spantree legacypathcost              6-31
clear spantree legacypathcost            6-31


show spantree stats


Use this command to display Spanning Tree information for one or more ports.

Syntax
show spantree stats [port port-string] [sid sid] [active]

Parameters
port port-string    (Optional) Displays information for the specified port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.
sid sid             (Optional) Displays information for a specific Spanning Tree identifier. If not specified, SID 0 is assumed.
active              (Optional) Displays information for ports that have received STP BPDUs since boot.

Defaults
If port-string is not specified, Spanning Tree information for all ports will be displayed.
If sid is not specified, information for Spanning Tree 0 will be displayed.
If active is not specified, information for all ports will be displayed regardless of whether or not they have received BPDUs.

Mode
Switch command, read-only.

Example
This example shows how to display the device's Spanning Tree configuration:
A2(su)->show spantree stats
Spanning tree status        enabled
Spanning tree instance      0
Designated Root MacAddr     00-e0-63-9d-c1-c8
Designated Root Priority    0
Designated Root Cost        10000
Designated Root Port        lag.0.1
Root Max Age                20 sec
Root Hello Time             2 sec
Root Forward Delay          15 sec
Bridge ID MAC Address       00-01-f4-da-5e-3d
Bridge ID Priority          32768
Bridge Max Age              20 sec
Bridge Hello Time           2 sec
Bridge Forward Delay        15 sec
Topology Change Count       7
Time Since Top Change       00 days 03:19:15
Max Hops                    20

Table 6-1 shows a detailed explanation of command output.

Table 6-1   show spantree Output Details

Output                      What It Displays...
Spanning tree instance      Spanning Tree ID.
Spanning tree status        Whether Spanning Tree is enabled or disabled.
Designated Root MacAddr     MAC address of the designated Spanning Tree root bridge.
Designated Root Port        Port through which the root bridge can be reached.
Designated Root Priority    Priority of the designated root bridge.
Designated Root Cost        Total path cost to reach the root.
Root Max Age                Amount of time (in seconds) a BPDU packet should be considered valid.
Root Hello Time             Interval (in seconds) at which the root device sends BPDU (Bridge Protocol Data Unit) packets.
Root Forward Delay          Amount of time (in seconds) the root device spends in listening or learning mode.
Bridge ID MAC Address       Unique bridge MAC address, recognized by all bridges in the network.
Bridge ID Priority          Bridge priority, which is a default value, or is assigned using the set spantree priority command. For details, refer to "set spantree priority" on page 6-17.
Bridge Max Age              Maximum time (in seconds) the bridge can wait without receiving a configuration message (bridge "hello") before attempting to reconfigure. This is a default value, or is assigned using the set spantree maxage command. For details, refer to "set spantree maxage" on page 6-19.
Bridge Hello Time           Amount of time (in seconds) the bridge sends BPDUs. This is a default value, or is assigned using the set spantree hello command. For details, refer to "set spantree hello" on page 6-18.
Bridge Forward Delay        Amount of time (in seconds) the bridge spends in listening or learning mode. This is a default value, or is assigned using the set spantree fwddelay command. For details, refer to "set spantree fwddelay" on page 6-20.
Topology Change Count       Number of times topology has changed on the bridge.
Time Since Top Change       Amount of time (in days, hours, minutes and seconds) since the last topology change.
Max Hops                    Maximum number of hops information for a particular Spanning Tree instance may traverse (via relay of BPDUs within the applicable MST region) before being discarded.


set spantree
Use this command to globally enable or disable the Spanning Tree protocol on the switch.

Syntax
set spantree {disable | enable}

Parameters
disable | enable    Globally disables or enables Spanning Tree.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to disable Spanning Tree on the device:
A2(su)->set spantree disable

show spantree version


Use this command to display the current version of the Spanning Tree protocol running on the device.

Syntax
show spantree version

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display Spanning Tree version information for the device:
A2(su)->show spantree version
Force Version is mstp


set spantree version


Use this command to set the version of the Spanning Tree protocol to MSTP (Multiple Spanning Tree Protocol), RSTP (Rapid Spanning Tree Protocol) or to STP 802.1D-compatible.

Syntax
set spantree version {mstp | stpcompatible | rstp}

Parameters
mstp             Sets the version to STP 802.1s-compatible.
stpcompatible    Sets the version to STP 802.1D-compatible.
rstp             Sets the version to 802.1w-compatible.

Defaults
None.

Mode
Switch command, read-write.

Usage
In most networks, Spanning Tree version should not be changed from its default setting of mstp (Multiple Spanning Tree Protocol) mode. MSTP mode is fully compatible and interoperable with legacy STP 802.1D and Rapid Spanning Tree (RSTP) bridges. Setting the version to stpcompatible mode will cause the bridge to transmit only 802.1D BPDUs, and will prevent non-edge ports from rapidly transitioning to forwarding state.

Example
This example shows how to globally change the Spanning Tree version from the default of MSTP to RSTP:
A2(su)->set spantree version rstp

clear spantree version


Use this command to reset the Spanning Tree version to MSTP mode.

Syntax
clear spantree version

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.


Example
This example shows how to reset the Spanning Tree version:
A2(su)->clear spantree version

show spantree bpdu-forwarding


Use this command to display the Spanning Tree BPDU forwarding mode.

Syntax
show spantree bpdu-forwarding

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the Spanning Tree BPDU forwarding mode:
A2(su)->show spantree bpdu-forwarding
BPDU forwarding is disabled.

set spantree bpdu-forwarding


Use this command to enable or disable Spanning Tree BPDU forwarding. By default BPDU forwarding is disabled.

Syntax
set spantree bpdu-forwarding {disable | enable}

Parameters
disable | enable    Disables or enables BPDU forwarding.

Defaults
By default BPDU forwarding is disabled.

Mode
Switch command, read-write.

Usage
The Spanning Tree protocol must be disabled (set spantree disable) for this feature to take effect.


Example
This example shows how to enable BPDU forwarding:
A2(rw)->set spantree bpdu-forwarding enable

show spantree bridgeprioritymode


Use this command to display the Spanning Tree bridge priority mode setting.

Syntax
show spantree bridgeprioritymode

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the Spanning Tree bridge priority mode setting:
A2(rw)->show spantree bridgeprioritymode
Bridge Priority Mode is set to IEEE802.1t mode.

set spantree bridgeprioritymode


Use this command to set the Spanning Tree bridge priority mode to 802.1D (legacy) or 802.1t.

Syntax
set spantree bridgeprioritymode {8021d | 8021t}

Parameters
8021d    Sets the bridge priority mode to use 802.1D (legacy) values, which are 0 - 65535.
8021t    Sets the bridge priority mode to use 802.1t values, which are 0 to 61440, in increments of 4096. Values will automatically be rounded up or down, depending on the 802.1t value to which the entered value is closest. This is the default bridge priority mode.

Defaults
None

Mode
Switch command, read-write.


Usage
The mode affects the range of priority values used to determine which device is selected as the Spanning Tree root as described in set spantree priority ("set spantree priority" on page 6-17). The default for the switch is to use 802.1t bridge priority mode.

Example
This example shows how to set the bridge priority mode to 802.1D:
A2(rw)->set spantree bridgeprioritymode 8021d

clear spantree bridgeprioritymode


Use this command to reset the Spanning Tree bridge priority mode to the default setting of 802.1t.

Syntax
clear spantree bridgeprioritymode

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to reset the bridge priority mode to 802.1t:
A2(rw)->clear spantree bridgeprioritymode

show spantree mstilist


Use this command to display a list of Multiple Spanning Tree (MST) instances configured on the device.

Syntax
show spantree mstilist

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.


Example
This example shows how to display a list of MST instances. In this case, SID 2 has been configured:
A2(su)->show spantree mstilist
Configured Multiple Spanning Tree instances: 2

set spantree msti


Use this command to create or delete a Multiple Spanning Tree instance.

Syntax
set spantree msti sid sid {create | delete}

Parameters
sid sid            Sets the Multiple Spanning Tree ID. Valid values are 1 - 4094. SecureStack A2 devices will support up to 4 MST instances.
create | delete    Creates or deletes an MST instance.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to create an MST instance 2:
A2(su)->set spantree msti sid 2 create

clear spantree msti


Use this command to delete one or more Multiple Spanning Tree instances.

Syntax
clear spantree msti [sid sid]

Parameters
sid sid    (Optional) Deletes a specific multiple Spanning Tree ID.

Defaults
If sid is not specified, all MST instances will be cleared.

Mode
Switch command, read-write.


Example
This example shows how to delete all MST instances:
A2(su)->clear spantree msti

show spantree mstmap


Use this command to display the mapping of a filtering database ID (FID) to a Spanning Tree. Since VLANs are mapped to FIDs, this shows to which SID a VLAN is mapped.

Syntax
show spantree mstmap [fid fid]

Parameters
fid fid    (Optional) Displays information for specific FIDs.

Defaults
If fid is not specified, information for all assigned FIDs will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display SID to FID mapping information for FID 1. In this case, no new mappings have been configured:
A2(su)->show spantree mstmap fid 1
FID:    SID:
1       0

set spantree mstmap


Use this command to map one or more filtering database IDs (FIDs) to a SID. Since VLANs are mapped to FIDs, this essentially maps one or more VLAN IDs to a Spanning Tree (SID).

Syntax
set spantree mstmap fid [sid sid]

Parameters
fid        Specifies one or more FIDs to assign to the MST. Valid values are 1 - 4093, and must correspond to a VLAN ID created using the set vlan command.
sid sid    (Optional) Specifies a Multiple Spanning Tree ID. Valid values are 1 - 4094, and must correspond to a SID created using the set msti command.

Defaults
If sid is not specified, FID(s) will be mapped to Spanning Tree 0.


Mode
Switch command, read-write.

Example
This example shows how to map FID 3 to SID 2:
A2(su)->set spantree mstmap 3 sid 2

clear spantree mstmap


Use this command to map a FID back to SID 0.

Syntax
clear spantree mstmap fid

Parameters
fid    Specifies one or more FIDs to reset to 0.

Defaults
If fid is not specified, all SID to FID mappings will be reset.

Mode
Switch command, read-write.

Example
This example shows how to map FID 2 back to SID 0:
A2(su)->clear spantree mstmap 2

show spantree vlanlist


Use this command to display the Spanning Tree ID(s) assigned to one or more VLANs.

Syntax
show spantree vlanlist [vlan-list]

Parameters
vlan-list    (Optional) Displays SIDs assigned to specific VLAN(s).

Defaults
If not specified, SID assignment will be displayed for all VLANs.

Mode
Switch command, read-only.


Example
This example shows how to display the SIDs mapped to VLAN 1. In this case, SIDs 2, 16 and 42 are mapped to VLAN 1. For this information to display, the SID instance must be created using the set spantree msti command as described in "set spantree msti" on page 6-12, and the FIDs must be mapped to SID 1 using the set spantree mstmap command as described in "set spantree mstmap" on page 6-13:
A2(su)->show spantree vlanlist 1
The following SIDS are assigned to VLAN 1: 2 16 42

show spantree mstcfgid


Use this command to display the MST configuration identifier elements, including format selector, configuration name, revision level, and configuration digest.

Syntax
show spantree mstcfgid

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the MST configuration identifier elements. In this case, the default revision level of 0, and the default configuration name (a string representing the bridge MAC address) have not been changed. For information on using the set spantree mstcfgid command to change these settings, refer to "set spantree mstcfgid" on page 6-16:
A2(su)->show spantree mstcfgid
MST Configuration Identifier:
Format Selector: 0
Configuration Name: 00:01:f4:89:51:94
Revision Level: 0
Configuration Digest: ac:36:17:7f:50:28:3c:d4:b8:38:21:d8:ab:26:de:62


set spantree mstcfgid


Use this command to set the MST configuration name and/or revision level.

Syntax
set spantree mstcfgid {cfgname name | rev level}

Parameters
cfgname name    Specifies an MST configuration name.
rev level       Specifies an MST revision level. Valid values are 0 - 65535.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the MST configuration name to "mstconfig":
A2(su)->set spantree mstcfgid cfgname mstconfig

clear spantree mstcfgid


Use this command to reset the MST revision level to a default value of 0, and the configuration name to a default string representing the bridge MAC address.

Syntax
clear spantree mstcfgid

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to reset the MST configuration identifier elements to default values:
A2(su)->clear spantree mstcfgid


set spantree priority


Use this command to set the device's Spanning Tree priority.

Syntax
set spantree priority priority [sid]

Parameters
priority    Specifies the priority of the bridge. Valid values are from 0 to 61440 (in increments of 4096), with 0 indicating highest priority and 61440 lowest priority.
sid         (Optional) Sets the priority on a specific Spanning Tree. Valid values are 0 - 4094. If not specified, SID 0 is assumed.

Defaults
If sid is not specified, priority will be set on Spanning Tree 0.

Mode
Switch command, read-write.

Usage
The device with the highest priority (lowest numerical value) becomes the Spanning Tree root device. If all devices have the same priority, the device with the lowest MAC address will then become the root device. Depending on the bridge priority mode (set with the set spantree bridgeprioritymode command described in "set spantree bridgeprioritymode" on page 6-10), some priority values may be rounded up or down.

Example
This example shows how to set the bridge priority to 4096 on SID 1:
A2(su)->set spantree priority 4096 1
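
The Usage notes for set spantree bridgeprioritymode and set spantree priority combine into one check worth running before relying on a planned root: in 802.1t mode two different entered priorities can round to the same value, which leaves the election to the MAC address. The Python below is an added example, not part of the Enterasys guide or firmware; the bridge names and sample addresses are constructed, and rounding a halfway value upward is an assumption.

```python
# Added illustration (not Enterasys code): bridge priority rounding in
# 802.1t mode and the resulting root election, as described above.

STEP = 4096           # 802.1t priorities move in increments of 4096
MAX_8021T = 61440     # top of the 802.1t range given in this guide
MAX_8021D = 65535     # top of the 802.1D (legacy) range given in this guide


def effective_priority(entered, mode="8021t"):
    """Priority the bridge would use for a value typed at the CLI."""
    if mode == "8021d":
        if not 0 <= entered <= MAX_8021D:
            raise ValueError("802.1D priority must be 0 - 65535")
        return entered                      # legacy mode: used as entered
    if mode != "8021t":
        raise ValueError("mode must be '8021d' or '8021t'")
    if not 0 <= entered <= MAX_8021T:
        raise ValueError("802.1t priority must be 0 - 61440")
    # Round to the closest multiple of 4096. ASSUMPTION: a value exactly
    # halfway between two steps rounds up; the guide does not say.
    return (entered + STEP // 2) // STEP * STEP


def mac_to_int(mac):
    """'00:01:f4:89:51:94' -> integer, so MAC addresses compare numerically."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def root_report(bridges, intended, mode="8021t"):
    """bridges: list of (name, entered_priority, mac). Lowest priority wins,
    then lowest MAC address."""
    ranked = sorted(
        (effective_priority(prio, mode), mac_to_int(mac), name)
        for name, prio, mac in bridges
    )
    best_priority, _, root = ranked[0]
    tied = [name for prio, _, name in ranked if prio == best_priority]
    return {
        "root": root,
        "intended_wins": root == intended,
        "decided_by_mac": len(tied) > 1,   # priority alone did not decide
    }


# Constructed sample: the operator wants dist-1 as root and gave it the
# lower number, but 4000 and 5000 both round to 4096 in 802.1t mode.
SAMPLE_BRIDGES = [
    ("core-1", 5000, "00:01:f4:89:51:94"),
    ("dist-1", 4000, "00:01:f4:89:60:10"),
    ("access-1", 32768, "00:01:f4:00:00:01"),
]

if __name__ == "__main__":
    for mode in ("8021t", "8021d"):
        print(mode, root_report(SAMPLE_BRIDGES, intended="dist-1", mode=mode))
```

Entering priorities that are already multiples of 4096 avoids the collision and keeps the MAC address out of the decision.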

clear spantree priority


Use this command to reset the Spanning Tree priority to the default value of 32768.

Syntax
clear spantree priority [sid]

Parameters
sid    (Optional) Resets the priority on a specific Spanning Tree. Valid values are 0 - 4094. If not specified, SID 0 is assumed.

Defaults
If sid is not specified, priority will be reset on Spanning Tree 0.

Mode
Switch command, read-write.

Example
This example shows how to reset the bridge priority on SID 1:
A2(su)->clear spantree priority 1

set spantree hello


Use this command to set the device's Spanning Tree hello time. This is the time interval (in seconds) the device will transmit BPDUs indicating it is active.

Syntax
set spantree hello interval

Parameters
interval    Specifies the number of seconds the system waits before broadcasting a bridge hello message (a multicast message indicating that the system is active). Valid values are 1 - 10.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to globally set the Spanning Tree hello time to 10 seconds:
A2(su)->set spantree hello 10

clear spantree hello


Use this command to reset the Spanning Tree hello time to the default value of 2 seconds.

Syntax
clear spantree hello

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to globally reset the Spanning Tree hello time:
A2(su)->clear spantree hello

set spantree maxage


Use this command to set the bridge maximum aging time.

Syntax
set spantree maxage agingtime

Parameters
agingtime    Specifies the maximum number of seconds that the system retains the information received from other bridges through STP. Valid values are 6 - 40.

Defaults
None.

Mode
Switch command, read-write.

Usage
The bridge maximum aging time is the maximum time (in seconds) a device can wait without receiving a configuration message (bridge "hello") before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STP information provided in the last configuration message becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network.

Example
This example shows how to set the maximum aging time to 25 seconds:
A2(su)->set spantree maxage 25

clear spantree maxage


Use this command to reset the maximum aging time for a Spanning Tree to the default value of 20 seconds.

Syntax
clear spantree maxage

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.


Example
This example shows how to globally reset the maximum aging time:
A2(su)->clear spantree maxage

set spantree fwddelay


Use this command to set the Spanning Tree forward delay.

Syntax
set spantree fwddelay delay

Parameters
delay    Specifies the number of seconds for the bridge forward delay. Valid values are 4 - 30.

Defaults
None.

Mode
Switch command, read-write.

Usage
The forward delay is the maximum time (in seconds) the root device will wait before changing states (i.e., listening to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a blocking state; otherwise, temporary data loops might result.

Example
This example shows how to globally set the bridge forward delay to 16 seconds:
A2(su)->set spantree fwddelay 16

clear spantree fwddelay


Use this command to reset the Spanning Tree forward delay to the default setting of 15 seconds.

Syntax
clear spantree fwddelay

Parameters
None.

Defaults
None.


Mode
Switch command, read-write.

Example
This example shows how to globally reset the bridge forward delay:
A2(su)->clear spantree fwddelay

show spantree backuproot


Use this command to display the backup root status for an MST instance.

Syntax
show spantree backuproot [sid]

Parameters
sid    (Optional) Display backup root status for a specific Spanning Tree identifier. Valid values are 0 - 4094. If not specified, SID 0 is assumed.

Defaults
If a SID is not specified, then status will be shown for Spanning Tree instance 0.

Mode
Switch command, read-only.

Example
This example shows how to display the status of the backup root function on SID 0:
A2(rw)->show spantree backuproot
Backup root is set to disable on sid 0

set spantree backuproot


Use this command to enable or disable the Spanning Tree backup root function on the switch.

Syntax
set spantree backuproot sid {disable | enable}

Parameters
sid                 Specifies the Spanning Tree instance on which to enable or disable the backup root function. Valid values are 0 - 4094.
disable | enable    Enables or disables the backup root function.

Defaults
None.


Mode
Switch command, read-write.

Usage
The Spanning Tree backup root function is disabled by default on the SecureStack A2. When this feature is enabled and the switch is directly connected to the root bridge, stale Spanning Tree information is prevented from circulating if the root bridge is lost. If the root bridge is lost, the backup root will dynamically lower its bridge priority so that it will be selected as the new root over the lost root bridge.

Example
This example shows how to enable the backup root function on SID 2:
A2(rw)->set spantree backuproot 2 enable

clear spantree backuproot


Use this command to reset the Spanning Tree backup root function to the default state of disabled.

Syntax
clear spantree backuproot sid

Parameters
sid    Specifies the Spanning Tree on which to clear the backup root function. Valid values are 0 - 4094.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to reset the backup root function to disabled on SID 2:
A2(rw)->clear spantree backuproot 2

show spantree tctrapsuppress


Use this command to display the status of topology change trap suppression on Rapid Spanning Tree edge ports.

Syntax
show spantree tctrapsuppress

Parameters
None.


Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the status of topology change trap suppression:
A2(rw)->show spantree tctrapsuppress
Topology change Trap Suppression is set to enabled

set spantree tctrapsuppress


Use this command to disable or enable topology change trap suppression on Rapid Spanning Tree edge ports.

Syntax
set spantree tctrapsuppress {disable | enable}

Parameters
disable | enable    Disables or enables topology change trap suppression.

Defaults
None.

Mode
Switch command, read-write.

Usage
By default, RSTP non-edge (bridge) ports that transition to forwarding or blocking cause the switch to issue a topology change trap. When topology change trap suppression is enabled, which is the device default, edge ports (such as end station PCs) are prevented from sending topology change traps. This is because there is usually no need for network management to monitor edge port STP transition states, such as when PCs are powered on. When topology change trap suppression is disabled, all ports, including edge and bridge ports, will transmit topology change traps.

Example
This example shows how to allow Rapid Spanning Tree edge ports to transmit topology change traps:
A2(rw)->set spantree tctrapsuppress disable


clear spantree tctrapsuppress


Use this command to clear the status of topology change trap suppression on Rapid Spanning Tree edge ports to the default state of enabled (edge port topology changes do not generate traps).

Syntax
clear spantree tctrapsuppress

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear topology change trap suppression setting:
A2(rw)->clear spantree tctrapsuppress

set spantree protomigration


Use this command to reset the protocol state migration machine for one or more Spanning Tree ports. When operating in RSTP mode, this forces a port to transmit MSTP BPDUs.

Syntax
set spantree protomigration <port-string>

Parameters
port-string    Reset the protocol state migration machine for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to reset the protocol state migration machine on port 20:
A2(su)->set spantree protomigration ge.1.20


show spantree spanguard


Use this command to display the status of the Spanning Tree spanguard function.

Syntax
show spantree spanguard

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the spanguard function status:
A2(su)->show spantree spanguard
Spanguard is disabled

set spantree spanguard


Use this command to enable or disable the Spanning Tree spanguard function.

Syntax
set spantree spanguard {enable | disable}

Parameters
enable | disable    Enables or disables the spanguard function.

Defaults
None.

Mode
Switch command, read-write.

Usage
Spanguard is designed to disable, or lock out an "edge" port when an unexpected BPDU is received. The port can be configured to be re-enabled after a set time period, or only after manual intervention.
A port can be defined as an edge (user) port using the set spantree adminedge command, described in "set spantree adminedge" on page 6-38. A port designated as an edge port is expected to be connected to a workstation or other end-user type of device, and not to another switch in the network. When Spanguard is enabled, if a non-loopback BPDU is received on an edge port, the Spanning Tree state of that port will be changed to "blocking" and will no longer forward traffic. The port will remain disabled until the amount of time defined by set spantree spanguardtimeout ("set spantree spanguardtimeout" on page 6-27) has passed since the last seen BPDU, the port is manually unlocked (set or clear spantree spanguardlock, "clear / set spantree spanguardlock" on page 6-28), the configuration of the port is changed so it is no longer an edge port, or the spanguard function is disabled.
Spanguard is enabled and disabled only on a global basis across the stack. By default, spanguard is disabled and spanguard traps are enabled.

Example
This example shows how to enable the spanguard function:
A2(rw)->set spantree spanguard enable
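
The lock and release rules in the Usage text above, modelled in Python as an added example (not Enterasys code). It shows that the timeout counts from the last BPDU seen, so a device that keeps sending BPDUs keeps the edge port locked. The class and method names are hypothetical, the port names are sample values, and releasing the lock at exactly the timeout value is an assumption.

```python
# Added illustration (not Enterasys code): a model of the spanguard lock
# rules in the Usage text above. Times are plain seconds given by the caller.


class Spanguard:
    def __init__(self, enabled=False, timeout=300, traps_enabled=True):
        # Defaults follow the guide: disabled, 300 seconds, traps enabled.
        self.enabled = enabled
        self.timeout = timeout          # 0 = stay locked until manually unlocked
        self.traps_enabled = traps_enabled
        self.edge = {}                  # port-string -> admin edge port?
        self.last_bpdu = {}             # locked port -> time of last BPDU seen
        self.traps = []                 # (time, port) for each trap sent

    def add_port(self, port, edge):
        self.edge[port] = edge

    def is_locked(self, port, now):
        seen = self.last_bpdu.get(port)
        if seen is None:
            return False
        # ASSUMPTION: the lock ends once exactly `timeout` seconds have passed.
        if self.timeout != 0 and now - seen >= self.timeout:
            del self.last_bpdu[port]
            return False
        return True

    def receive_bpdu(self, port, now, loopback=False):
        """Return True if the port is locked as a result of this BPDU."""
        if not self.enabled or loopback or not self.edge.get(port, False):
            return False                # only non-loopback BPDUs on edge ports lock
        newly_locked = not self.is_locked(port, now)
        self.last_bpdu[port] = now      # timeout counts from the LAST seen BPDU
        if newly_locked and self.traps_enabled:
            self.traps.append((now, port))
        return True

    def unlock(self, port):
        """Manual unlock: clear / set spantree spanguardlock port-string."""
        self.last_bpdu.pop(port, None)

    def set_edge(self, port, edge):
        self.edge[port] = edge
        if not edge:                    # no longer an edge port: lock released
            self.unlock(port)

    def set_enabled(self, enabled):
        self.enabled = enabled
        if not enabled:                 # spanguard disabled: all locks released
            self.last_bpdu.clear()


def run_scenario():
    """Constructed timeline for illustration."""
    g = Spanguard(enabled=True, timeout=300)
    g.add_port("ge.1.16", edge=True)    # user port
    g.add_port("ge.1.1", edge=False)    # inter-switch link
    out = {}
    out["uplink_locked"] = g.receive_bpdu("ge.1.1", now=0)
    out["edge_locked"] = g.receive_bpdu("ge.1.16", now=0)
    g.receive_bpdu("ge.1.16", now=200)  # second BPDU restarts the timer
    out["locked_at_400"] = g.is_locked("ge.1.16", now=400)
    out["locked_at_500"] = g.is_locked("ge.1.16", now=500)
    out["traps"] = list(g.traps)

    g.timeout = 0                       # lock until manual intervention
    g.receive_bpdu("ge.1.16", now=600)
    out["locked_next_day"] = g.is_locked("ge.1.16", now=600 + 86400)
    g.unlock("ge.1.16")
    out["locked_after_unlock"] = g.is_locked("ge.1.16", now=600 + 86400)
    out["traps_total"] = len(g.traps)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```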

clear spantree spanguard


Use this command to reset the status of the Spanning Tree spanguard function to disabled.

Syntax
clear spantree spanguard

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to reset the status of the spanguard function to disabled:
A2(rw)->clear spantree spanguard

show spantree spanguardtimeout


Use this command to display the Spanning Tree spanguard timeout setting.

Syntax
show spantree spanguardtimeout

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.


Example
This example shows how to display the spanguard timeout setting:
A2(su)->show spantree spanguardtimeout
Spanguard timeout: 300

set spantree spanguardtimeout


Use this command to set the amount of time (in seconds) an edge port will remain locked by the spanguard function.

Syntax
set spantree spanguardtimeout timeout

Parameters
timeout    Specifies a timeout value in seconds. Valid values are 0 to 65535. A value of 0 will keep the port locked until manually unlocked. The default value is 300 seconds.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the spanguard timeout to 600 seconds:
A2(su)->set spantree spanguardtimeout 600

clear spantree spanguardtimeout


Use this command to reset the Spanning Tree spanguard timeout to the default value of 300 seconds.

Syntax
clear spantree spanguardtimeout

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.


Example
This example shows how to reset the spanguard timeout to 300 seconds:
A2(rw)->clear spantree spanguardtimeout

show spantree spanguardlock


Use this command to display the spanguard lock status of one or more ports.

Syntax
show spantree spanguardlock [port-string]

Parameters
port-string    (Optional) Specifies the port(s) for which to show spanguard lock status. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.

Defaults
If no port-string is specified, the spanguard lock status for all ports is displayed.

Mode
Switch command, read-only.

Example
This example shows how to display the spanguard lock status for ge.1.1:
A2(su)->show spantree spanguardlock ge.1.1
Port ge.1.1 is Unlocked

clear / set spantree spanguardlock


Use either of these commands to unlock one or more ports locked by the Spanning Tree span guard function. When spanguard is enabled, it locks ports that receive BPDUs when those ports have been defined as edge (user) ports (as described in "set spantree adminedge" on page 6-38).

Syntax
clear spantree spanguardlock port-string
set spantree spanguardlock port-string

Parameters
port-string    Specifies port(s) to unlock. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to unlock port ge.1.16:
A2(rw)->clear spantree spanguardlock ge.1.16

show spantree spanguardtrapenable


Use this command to display the state of the Spanning Tree spanguard trap function.

Syntax
show spantree spanguardtrapenable

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the state of the spanguard trap function:
A2(ro)->show spantree spanguardtrapenable
Spanguard SNMP traps are enabled

set spantree spanguardtrapenable


Use this command to enable or disable the sending of an SNMP trap message when spanguard has locked a port.

Syntax
set spantree spanguardtrapenable {disable | enable}

Parameters
disable | enable    Disables or enables sending spanguard traps. By default, sending traps is enabled.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to disable the spanguard trap function:
A2(su)->set spantree spanguardtrapenable disable

clear spantree spanguardtrapenable


Use this command to reset the Spanning Tree spanguard trap function back to the default state of enabled.

Syntax
clear spantree spanguardtrapenable

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to reset the spanguard trap function to enabled:
A2(rw)->clear spantree spanguardtrapenable
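
A configuration review over captured output of the show commands in this chapter, as an added Python example that is not part of the Enterasys guide or firmware. The line formats come from the Example entries (including show spantree adminedge, described later in the chapter); the wording for the opposite states ("disabled", "Locked"), the finding labels and the sample transcript are assumptions.

```python
import re

# Added example (not Enterasys code). Line formats are taken from the Example
# entries in this guide. ASSUMPTION: opposite states use mirrored wording
# ("disabled", "Locked"); the guide prints only one variant of each line.
SETTINGS = {
    "spanguard": re.compile(r"^Spanguard is (enabled|disabled)", re.M),
    "traps": re.compile(r"^Spanguard SNMP traps are (enabled|disabled)", re.M),
    "timeout": re.compile(r"^Spanguard timeout: (\d+)", re.M),
    "bpdu_forwarding": re.compile(r"^BPDU forwarding is (enabled|disabled)", re.M),
}
EDGE = re.compile(r"^Port (\S+) has a Port Admin Edge of (\S+)", re.M)
LOCK = re.compile(r"^Port (\S+) is (Locked|Unlocked)", re.M)


def parse(transcript):
    """Extract settings from pasted CLI output; None means not collected."""
    state = {}
    for key, pattern in SETTINGS.items():
        match = pattern.search(transcript)
        state[key] = match.group(1) if match else None
    state["edge_ports"] = sorted(
        port for port, role in EDGE.findall(transcript) if role == "Edge-Port")
    state["locked_ports"] = sorted(
        port for port, lock in LOCK.findall(transcript) if lock == "Locked")
    return state


def audit(transcript):
    """Return a list of finding labels (hypothetical names) for review."""
    s = parse(transcript)
    # A setting that was never captured is reported, not silently passed.
    findings = ["not-collected:" + key for key in SETTINGS if s[key] is None]
    if s["spanguard"] == "disabled" and s["edge_ports"]:
        # Edge ports exist, but an unexpected BPDU on them will not lock the port.
        findings.append(
            "spanguard-disabled-with-edge-ports:" + ",".join(s["edge_ports"]))
    if s["traps"] == "disabled":
        # A lock would happen without an SNMP trap reaching management.
        findings.append("spanguard-traps-disabled")
    if s["bpdu_forwarding"] == "enabled":
        # Takes effect only while Spanning Tree is globally disabled (see Usage).
        findings.append("bpdu-forwarding-enabled")
    for port in s["locked_ports"]:
        # A BPDU arrived on a port defined as an edge (user) port.
        findings.append("port-locked:" + port)
    return findings


# Constructed transcript for illustration; the timeout was not captured.
SAMPLE = """\
A2(su)->show spantree spanguard
Spanguard is disabled
A2(ro)->show spantree spanguardtrapenable
Spanguard SNMP traps are disabled
A2(su)->show spantree bpdu-forwarding
BPDU forwarding is disabled.
A2(su)->show spantree adminedge port fe.3.2
Port fe.3.2 has a Port Admin Edge of Edge-Port
A2(su)->show spantree spanguardlock ge.1.1
Port ge.1.1 is Unlocked
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```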

show spantree legacypathcost


Use this command to display the default Spanning Tree path cost setting.

Syntax
show spantree legacypathcost

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the default Spanning Tree path cost setting.
A2(su)->show spantree legacypathcost
Legacy Path Cost is disabled.


set spantree legacypathcost


Use this command to enable or disable legacy (802.1D) path cost values.

Syntax
set spantree legacypathcost {disable | enable}

Parameters
disable    Use 802.1t-2001 values to calculate path cost.
enable     Use 802.1d-1998 values to calculate path cost.

Defaults
None.

Mode
Switch command, read-write.

Usage
By default, legacy path cost is disabled. Enabling the device to calculate legacy path costs affects the range of valid values that can be entered in the set spantree adminpathcost command.

Example
This example shows how to set the default path cost values to 802.1D.
A2(rw)->set spantree legacypathcost enable

clear spantree legacypathcost


Use this command to set the Spanning Tree default value for legacy path cost to 802.1t values.

Syntax
clear spantree legacypathcost

Defaults
None.

Mode
Switch command, read-write.

Example
This example clears the legacy path cost to 802.1t values.
A2(rw)->clear spantree legacypathcost


Configuring Spanning Tree Port Parameters


Purpose
To display and set Spanning Tree port parameters.

Commands
The commands used to review and set Spanning Tree port parameters are listed below.

For information about...        Refer to page...
set spantree portadmin          6-33
clear spantree portadmin        6-33
show spantree portadmin         6-34
show spantree portpri           6-34
set spantree portpri            6-35
clear spantree portpri          6-35
show spantree adminpathcost     6-36
set spantree adminpathcost      6-37
clear spantree adminpathcost    6-37
show spantree adminedge         6-38
set spantree adminedge          6-38
clear spantree adminedge        6-39


set spantree portadmin


Use this command to disable or enable the Spanning Tree algorithm on one or more ports.

Syntax
set spantree portadmin port-string {disable | enable}

Parameters
port-string         Specifies the port(s) for which to enable or disable Spanning Tree. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.
disable | enable    Disables or enables Spanning Tree.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to disable Spanning Tree on fe.1.5:
A2(rw)->set spantree portadmin fe.1.5 disable

clear spantree portadmin


Use this command to reset the default Spanning Tree admin status to enable on one or more ports.

Syntax
clear spantree portadmin port-string

Parameters
port-string    Resets the default admin status on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to reset the default Spanning Tree admin state to enable on fe.1.12:
A2(rw)->clear spantree portadmin fe.1.12


show spantree portadmin


Use this command to display the status of the Spanning Tree algorithm on one or more ports.

Syntax
show spantree portadmin [port port-string]

Parameters
port port-string    (Optional) Displays status for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.

Defaults
If port-string is not specified, status will be displayed for all ports.

Mode
Switch command, read-only.

Example
This example shows how to display port admin status for ge.1.1:
A2(ro)->show spantree portadmin port ge.1.1
Port ge.1.1 has portadmin set to enabled

show spantree portpri


Use this command to show the Spanning Tree priority for one or more ports. Port priority is a component of the port ID, which is one element used in determining Spanning Tree port roles.

Syntax
show spantree portpri [port port-string] [sid sid]

Parameters
port port-string    (Optional) Specifies the port(s) for which to display Spanning Tree priority. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.
sid sid             (Optional) Displays port priority for a specific Spanning Tree identifier. Valid values are 0 - 4094. If not specified, SID 0 is assumed.

Defaults
If port-string is not specified, port priority will be displayed for all Spanning Tree ports.
If sid is not specified, port priority will be displayed for Spanning Tree 0.

Mode
Switch command, read-only.


Example
This example shows how to display the port priority for fe.2.7:
A2(su)->show spantree portpri port fe.2.7
Port fe.2.7 has a Port Priority of 128 on SID 0

set spantree portpri


Use this command to set a port's Spanning Tree priority.

Syntax
set spantree portpri port-string priority [sid sid]

Parameters
port-string    Specifies the port(s) for which to set Spanning Tree port priority. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.
priority       Specifies a number that represents the priority of a link in a Spanning Tree bridge. Valid values are from 0 to 240 (in increments of 16) with 0 indicating high priority.
sid sid        (Optional) Sets port priority for a specific Spanning Tree identifier. Valid values are 0 - 4094. If not specified, SID 0 is assumed.

Defaults
If sid is not specified, port priority will be set for Spanning Tree 0.

Mode
Switch command, read-write.

Example
This example shows how to set the priority of fe.1.3 to 240 on SID 1:
A2(su)->set spantree portpri fe.1.3 240 sid 1

clear spantree portpri


Use this command to reset the bridge priority of a Spanning Tree port to a default value of 128.

Syntax
clear spantree portpri port-string [sid sid]

Parameters
port-string    Specifies the port(s) for which to set Spanning Tree port priority. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.
sid sid        (Optional) Resets the port priority for a specific Spanning Tree identifier. Valid values are 0 - 4094. If not specified, SID 0 will be assumed.


Defaults
If sid is not specified, port priority will be set for Spanning Tree 0.

Mode
Switch command, read-write.

Example
This example shows how to reset the priority of fe.1.3 to 128 on SID 1:
A2(su)->clear spantree portpri fe.1.3 sid 1

show spantree adminpathcost


Use this command to display the admin path cost for a port on one or more Spanning Trees.

Syntax
show spantree adminpathcost [port port-string] [sid sid]

Parameters
port port-string    (Optional) Displays the admin path cost value for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.
sid sid             (Optional) Displays the admin path cost for a specific Spanning Tree identifier. Valid values are 0 - 4094. If not specified, SID 0 will be assumed.

Defaults
If port-string is not specified, admin path cost for all Spanning Tree ports will be displayed.
If sid is not specified, admin path cost for Spanning Tree 0 will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display the admin path cost for fe.3.4 on SID 1:
A2(su)->show spantree adminpathcost port fe.3.4 sid 1
Port fe.3.4 has a Port Admin Path Cost of 0 on SID 1


set spantree adminpathcost


Use this command to set the administrative path cost on a port and one or more Spanning Trees.

Syntax
set spantree adminpathcost port-string cost [sid sid]

Parameters
port-string    Specifies the port(s) on which to set an admin path cost. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
cost           Specifies the port path cost. Valid values are 0 - 200000000.
sid sid        (Optional) Sets the admin path cost for a specific Spanning Tree identifier. Valid values are 0 - 4094. If not specified, SID 0 will be assumed.

Defaults
If sid is not specified, admin path cost will be set for Spanning Tree 0.

Mode
Switch command, read-write.

Example
This example shows how to set the admin path cost to 200 for fe.3.2 on SID 1:
A2(su)->set spantree adminpathcost fe.3.2 200 sid 1

clear spantree adminpathcost


Use this command to reset the Spanning Tree default value for port admin path cost to 0.

Syntax
clear spantree adminpathcost port-string [sid sid]

Parameters
port-string    Specifies the port(s) for which to reset admin path cost. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
sid sid        (Optional) Resets the admin path cost for specific Spanning Tree(s). Valid values are 0 - 4094. If not specified, SID 0 is assumed.

Defaults
If sid is not specified, admin path cost will be reset for Spanning Tree 0.

Mode
Switch command, read-write.


Example
This example shows how to reset the admin path cost to 0 for fe.3.2 on SID 1:
A2(su)->clear spantree adminpathcost fe.3.2 sid 1

show spantree adminedge


Use this command to display the edge port administrative status for a port.

Syntax
show spantree adminedge [port port-string]

Parameters
port-string    (Optional) Displays edge port administrative status for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, edge port administrative status will be displayed for all Spanning Tree ports.

Mode
Switch command, read-only.

Example
This example shows how to display the edge port status for fe.3.2:
A2(su)->show spantree adminedge port fe.3.2
Port fe.3.2 has a Port Admin Edge of Edge-Port

set spantree adminedge


Use this command to set the edge port administrative status on a Spanning Tree port.

Syntax
set spantree adminedge port-string {true | false}

Parameters
port-string     Specifies the edge port. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
true | false    Enables (true) or disables (false) the specified port as a Spanning Tree edge port.

Defaults
None.


Mode
Switch command, read-write.

Usage
The default behavior of the edge port administrative status begins with the value set to false initially after the device is powered up. If a Spanning Tree BPDU is not received on the port within a few seconds, the status setting changes to true.

Example
This example shows how to set fe.1.11 as an edge port:
A2(su)->set spantree adminedge fe.1.11 true

clear spantree adminedge


Use this command to reset a Spanning Tree port to non-edge status.

Syntax
clear spantree adminedge port-string

Parameters
port-string    Specifies port(s) on which to reset edge port status. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to reset fe.1.11 as a non-edge port:
A2(su)->clear spantree adminedge fe.1.11


7
802.1Q VLAN Configuration
This chapter describes the SecureStack A2 system's capabilities to implement 802.1Q virtual LANs (VLANs).

For information about...                                      Refer to page...
VLAN Configuration Summary                                    7-1
Viewing VLANs                                                 7-3
Creating and Naming Static VLANs                              7-5
Assigning Port VLAN IDs (PVIDs) and Ingress Filtering         7-8
Configuring the VLAN Egress List                              7-14
Setting the Host VLAN                                         7-20
Enabling/Disabling GVRP (GARP VLAN Registration Protocol)     7-23

VLAN Configuration Summary


Virtual LANs allow the network administrator to partition network traffic into logical groups and control the flow of that traffic through the network. Once the traffic and, in effect, the users creating the traffic, are assigned to a VLAN, then broadcast and multicast traffic is contained within the VLAN and users can be allowed or denied access to any of the network's resources. Also, some or all of the ports on the device can be configured as GVRP ports, which enable frames received with a particular VLAN ID and protocol to be transmitted on a limited number of ports. This keeps the traffic associated with a particular VLAN and protocol isolated from the other parts of the network.
Note: The device can support up to 1024 802.1Q VLANs. The allowable range for VLAN IDs is 1 to 4093. As a default, all ports on the device are assigned to VLAN ID 1, untagged.

Port String Syntax Used in the CLI


For information on how to designate VLANs and port numbers in the CLI syntax, refer to Port String Syntax Used in the CLI on page 4-2.

Creating a Secure Management VLAN


By default at startup, there is one VLAN configured on the SecureStack A2 device. It is VLAN ID 1, the DEFAULT VLAN. The default community name, which determines remote access for SNMP management, is set to public with read-write access.


If the SecureStack A2 device is to be configured for multiple VLANs, it may be desirable to configure a management-only VLAN. This allows a station connected to the management VLAN to manage the device. It also makes management secure by preventing configuration via ports assigned to other VLANs.

To create a secure management VLAN, you must:

Step    Task                                                                               Refer to page...
1.      Create a new VLAN.                                                                 7-5
2.      Set the PVID for the desired switch port to the VLAN created in Step 1.            7-9
3.      Add the desired switch port to the egress list for the VLAN created in Step 1.     7-16
4.      Assign host status to the VLAN.                                                    7-21
5.      Set a private community name and access policy.                                    5-14

The commands used to create a secure management VLAN are listed in Table 7-1. This example assumes the management station is attached to fe.1.1 and wants untagged frames.

The process described here would be repeated on every device that is connected in the network to ensure that each device has a secure management VLAN.

Table 7-1 Command Set for Creating a Secure Management VLAN

To do this...                                                           Use these commands...
Create a new VLAN and confirm settings.                                 set vlan create 2 (set vlan on page 7-5)
                                                                        (Optional) show vlan 2 (show vlan on page 7-3)
Set the PVID to the new VLAN.                                           set port vlan fe.1.1 2 (set port vlan on page 7-9)
Add the port to the new VLAN's egress list.                             set vlan egress 2 fe.1.1 untagged (set vlan egress on page 7-16)
Remove the port from the default VLAN's egress list.                    clear vlan egress 1 fe.1.1 (clear vlan egress on page 7-17)
Assign host status to the VLAN.                                         set host vlan 2 (set host vlan on page 7-21)
Set a private community name and access policy and confirm settings.    set snmp community private (set snmp community on page 5-14)
                                                                        (Optional) show snmp community (show snmp community on page 5-13)
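One way to confirm the result of the procedure above is to check captured show host vlan, show port egress and show port vlan output against the list of intended management ports. The Python below is an added example, not Enterasys code: the function names and the sample output are constructed, the row layouts follow the command examples later in this chapter, and the PVID check assumes the management station wants untagged frames as in Table 7-1. The SNMP community step is not checked because this chapter does not show that command's output.

```python
import re

# Row layouts follow the show host vlan, show port egress and show port vlan
# examples in this chapter. [ \t] keeps every match on a single line.
HOST_RE = re.compile(r"Host vlan is (\d+)")
EGRESS_RE = re.compile(
    r"^[ \t]*([a-z]+\.\d+\.\d+)[ \t]+(\d+)[ \t]+(\S+)[ \t]+(\S+)[ \t]*$", re.M)
PVID_RE = re.compile(r"^[ \t]*([a-z]+\.\d+\.\d+) is set to (\d+)[ \t]*$", re.M)


def parse_host_vlan(text):
    match = HOST_RE.search(text)
    if match is None:
        raise ValueError("no 'Host vlan is N.' line in show host vlan output")
    return int(match.group(1))


def parse_port_egress(text):
    """Return {vlan_id: {port: egress_status}} for tagged and untagged members."""
    egress = {}
    for port, vlan, status, _registration in EGRESS_RE.findall(text):
        if status in ("tagged", "untagged"):
            egress.setdefault(int(vlan), {})[port] = status
    return egress


def parse_port_vlan(text):
    """Return {port: pvid} from show port vlan output."""
    return {port: int(pvid) for port, pvid in PVID_RE.findall(text)}


def audit_management_vlan(host_text, egress_text, pvid_text, mgmt_ports):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    host = parse_host_vlan(host_text)
    egress = parse_port_egress(egress_text)
    pvids = parse_port_vlan(pvid_text)
    if host == 1:
        findings.append("host VLAN is still the default VLAN 1")
    members = egress.get(host, {})
    # Any extra port on the host VLAN's egress list can reach the management entity.
    for port in sorted(set(members) - set(mgmt_ports)):
        findings.append(f"{port} is on the egress list of host VLAN {host} "
                        "but is not a management port")
    for port in sorted(mgmt_ports):
        if port not in members:
            findings.append(f"{port} is missing from the egress list of host VLAN {host}")
        if pvids.get(port) != host:
            findings.append(f"{port} has PVID {pvids.get(port)}, expected {host}")
        if host != 1 and port in egress.get(1, {}):
            findings.append(f"{port} is still on the egress list of default VLAN 1")
    return findings


# Constructed sample output (not captured from a device).
SHOW_HOST_VLAN = "A2(su)->show host vlan\nHost vlan is 2.\n"
SHOW_PORT_EGRESS = """A2(su)->show port egress fe.1.1-3
Port    Vlan    Egress      Registration
Number  Id      Status      Status
-------------------------------------------------------
fe.1.1  1       untagged    static
fe.1.1  2       untagged    static
fe.1.2  1       untagged    static
fe.1.3  1       untagged    static
fe.1.3  2       tagged      static
"""
SHOW_PORT_VLAN = """A2(su)->show port vlan fe.1.1-3
fe.1.1 is set to 2
fe.1.2 is set to 1
fe.1.3 is set to 1
"""

if __name__ == "__main__":
    for finding in audit_management_vlan(
            SHOW_HOST_VLAN, SHOW_PORT_EGRESS, SHOW_PORT_VLAN, {"fe.1.1"}):
        print("FINDING:", finding)
```

In the constructed sample, fe.1.3 was added to VLAN 2 and fe.1.1 was never cleared from VLAN 1, so the audit reports both.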


Viewing VLANs
Purpose
To display a list of VLANs currently configured on the device, to determine how one or more VLANs were created, the ports allowed and disallowed to transmit traffic belonging to VLAN(s), and if those ports will transmit the traffic with a VLAN tag included.

Commands
The command used to view VLANs is listed below.

For information about...    Refer to page...
show vlan                   7-3

show vlan
Use this command to display all information related to one or more VLANs.

Syntax
show vlan [static] [vlan-list] [portinfo [vlan vlan-list | vlan-name] [port portstring]]

Parameters
static                         (Optional) Displays information related to static VLANs. Static VLANs are manually created using the set vlan command (set vlan on page 7-5), SNMP MIBs, or the WebView management application. The default VLAN, VLAN 1, is always statically configured and can't be deleted. Only ports that use a specified VLAN as their default VLAN (PVID) will be displayed.
vlan-list                      (Optional) Displays information for a specific VLAN or range of VLANs.
portinfo                       (Optional) Displays VLAN attributes related to one or more ports.
vlan vlan-list | vlan-name     (Optional) Displays port information for one or more VLANs.
port port-string               (Optional) Displays port information for one or more ports.

Defaults
If no options are specified, all information related to static and dynamic VLANs will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display information for VLAN 1. In this case, VLAN 1 is named DEFAULT VLAN. Ports allowed to transmit frames belonging to VLAN 1 are listed as egress ports. Ports that won't include a VLAN tag in their transmitted frames are listed as untagged ports. There are no forbidden ports (prevented from transmitting frames) on VLAN 1:


A2(su)->show vlan 1
VLAN: 1          NAME: DEFAULT VLAN
VLAN Type: Default
Egress Ports
fe.1.1-10, ge.2.1-4, fe.3.1-7,
Forbidden Egress Ports
None.
Untagged Ports
fe.1.1-10, ge.2.1-4, fe.3.1-7,

Table 7-2 provides an explanation of the command output.

Table 7-2 show vlan Output Details

Output                    What It Displays...
VLAN                      VLAN ID.
NAME                      Name assigned to the VLAN.
Status                    Whether it is enabled or disabled.
VLAN Type                 Whether it is permanent (static) or dynamic.
Egress Ports              Ports configured to transmit frames for this VLAN.
Forbidden Egress Ports    Ports prevented from transmitting frames for this VLAN.
Untagged Ports            Ports configured to transmit untagged frames for this VLAN.


Creating and Naming Static VLANs


Purpose
To create a new static VLAN, or to enable or disable existing VLAN(s).

Commands
The commands used to create and name static VLANs are listed below.

For information about...    Refer to page...
set vlan                    7-5
set vlan name               7-6
clear vlan                  7-6
clear vlan name             7-7

set vlan
Use this command to create a new static IEEE 802.1Q VLAN, or to enable or disable an existing VLAN.

Syntax
set vlan {create | enable | disable} vlan-list

Parameters
create | enable | disable    Creates, enables or disables VLAN(s).
vlan-list                    Specifies one or more VLAN IDs to be created, enabled or disabled.

Defaults
None.

Mode
Switch command, read-write.

Usage
Once a VLAN is created, you can assign it a name using the set vlan name command described in set vlan name on page 7-6.

Each VLAN ID must be unique. If a duplicate VLAN ID is entered, the device assumes that the Administrator intends to modify the existing VLAN.

Enter the VLAN ID using a unique number between 1 and 4093. The VLAN IDs of 0 and 4094 and higher may not be used for user-defined VLANs.


Examples
This example shows how to create VLAN 3:
A2(su)->set vlan create 3

This example shows how to disable VLAN 3:
A2(su)->set vlan disable 3

set vlan name


Use this command to set or change the ASCII name for a new or existing VLAN.

Syntax
set vlan name vlan-list vlan-name

Parameters
vlan-list    Specifies the VLAN ID of the VLAN(s) to be named.
vlan-name    Specifies the string used as the name of the VLAN (1 to 32 characters).

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the name for VLAN 7 to green:
A2(su)->set vlan name 7 green

clear vlan
Use this command to remove a static VLAN from the list of VLANs recognized by the device.

Syntax
clear vlan vlan-list

Parameters
vlan-list    Specifies the VLAN ID of the VLAN(s) to be removed.

Defaults
None.

Mode
Switch command, read-write.


Example
This example shows how to remove a static VLAN 9 from the device's VLAN list:
A2(su)->clear vlan 9

clear vlan name


Use this command to remove the name of a VLAN from the VLAN list.

Syntax
clear vlan name vlan-list

Parameters
vlan-list    Specifies the VLAN ID of the VLAN(s) for which the name will be cleared.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear the name for VLAN 9:
A2(su)->clear vlan name 9


Assigning Port VLAN IDs (PVIDs) and Ingress Filtering


Purpose
To assign default VLAN IDs to untagged frames on one or more ports, to configure VLAN ingress filtering and constraints, and to set the frame discard mode.

Commands
The commands used to configure port VLAN IDs and ingress filtering are listed below.

For information about...    Refer to page...
show port vlan              7-8
set port vlan               7-9
clear port vlan             7-10
show port ingress filter    7-10
set port ingress filter     7-11
show port discard           7-12
set port discard            7-13

show port vlan


Use this command to display port VLAN identifier (PVID) information. PVID determines the VLAN to which all untagged frames received on one or more ports will be classified.

Syntax
show port vlan [port-string]

Parameters
port-string    (Optional) Displays PVID information for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, port VLAN information for all ports will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display PVIDs assigned to Fast Ethernet ports 1 through 6 in unit 2. In this case, untagged frames received on these ports will be classified to VLAN 1:
A2(su)->show port vlan fe.2.1-6
fe.2.1 is set to 1
fe.2.2 is set to 1
fe.2.3 is set to 1
fe.2.4 is set to 1
fe.2.5 is set to 1
fe.2.6 is set to 1

set port vlan


Use this command to configure the PVID (port VLAN identifier) for one or more ports.

Syntax
set port vlan port-string pvid [modify-egress | no-modify-egress]

Parameters
port-string         Specifies the port(s) for which to configure a VLAN identifier. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
pvid                Specifies the VLAN ID of the VLAN to which port(s) will be added.
modify-egress       (Optional) Adds port(s) to VLAN's untagged egress list and removes them from other untagged egress lists.
no-modify-egress    (Optional) Does not prompt for or make egress list changes.

Defaults
None.

Mode
Switch command, read-write.

Usage
The PVID is used to classify untagged frames as they ingress into a given port. If the specified VLAN has not already been created, this command will create it. It will prompt the user to add the VLAN to the port's egress list as untagged, and to remove the default VLAN from the port's egress list.

Example
This example shows how to add Fast Ethernet port 10 in unit 1 to the port VLAN list of VLAN 4 (PVID 4). Since VLAN 4 is a new VLAN, it is created. Then port fe.1.10 is added to VLAN 4's untagged egress list. The port must then be cleared from the egress list of VLAN 1 (the default VLAN) as shown:
A2(su)->set port vlan fe.1.10 4
A2(su)->set vlan 4 create
A2(su)->set vlan egress 4 fe.1.10 untagged
A2(su)->clear vlan egress 1 fe.1.10


clear port vlan


Use this command to reset a port's 802.1Q port VLAN ID (PVID) to the host VLAN ID 1.

Syntax
clear port vlan port-string

Parameters
port-string    Specifies the port(s) to be reset to the host VLAN ID 1. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to reset ports fe.1.3 through 11 to a VLAN ID of 1 (Host VLAN):
A2(su)->clear port vlan fe.1.3-11

show port ingress filter


Use this command to show all ports that are enabled for port ingress filtering, which limits incoming VLAN ID frames according to a port VLAN egress list. If the VLAN ID specified in the received frame is not on the port's VLAN egress list, then that frame is dropped and not forwarded.

Syntax
show port ingress-filter [port-string]

Parameters
port-string    (Optional) Specifies the port(s) for which to display ingress filtering status. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, ingress filtering status for all ports will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display the port ingress filter status for Fast Ethernet ports 10 through 15 in unit 1. In this case, the ports are disabled for ingress filtering:


A2(su)->show port ingress-filter fe.1.10-15
Port      State
--------  ---------
fe.1.10   disabled
fe.1.11   disabled
fe.1.12   disabled
fe.1.13   disabled
fe.1.14   disabled
fe.1.15   disabled

set port ingress filter


Use this command to discard all frames received with a VLAN ID that don't match the port's VLAN egress list.

Syntax
set port ingress-filter port-string {disable | enable}

Parameters
port-string         Specifies the port(s) on which to enable or disable ingress filtering. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
disable | enable    Disables or enables ingress filtering.

Defaults
None.

Mode
Switch command, read-write.

Usage
When ingress filtering is enabled on a port, the VLAN IDs of incoming frames are compared to the port's egress list. If the received VLAN ID does not match a VLAN ID on the port's egress list, then the frame is dropped.

Ingress filtering is implemented according to the IEEE 802.1Q standard.

Example
This example shows how to enable port ingress filtering on fe.1.3:
A2(su)->set port ingress-filter fe.1.3 enable


show port discard


Use this command to display the frame discard mode for one or more ports. Ports can be set to discard frames based on whether or not the frame contains a VLAN tag. They can also be set to discard both tagged and untagged frames, or neither.

Syntax
show port discard [port-string]

Parameters
port-string    (Optional) Displays the frame discard mode for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, frame discard mode will be displayed for all ports.

Mode
Switch command, read-only.

Example
This example shows how to display the frame discard mode for Fast Ethernet port 7 in unit 2. In this case, the port has been set to discard all tagged frames:
A2(su)->show port discard fe.2.7
Port          Discard Mode
------------  -------------
fe.2.7        tagged


set port discard


Use this command to set the frame discard mode on one or more ports.

Syntax
set port discard port-string {tagged | untagged | both | none}

Parameters
port-string                        Specifies the port(s) for which to set frame discard mode. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
tagged | untagged | both | none    Tagged - Discard all incoming (received) tagged packets on the defined port(s).
                                   Untagged - Discard all incoming untagged packets.
                                   Both - All traffic will be discarded (tagged and untagged).
                                   None - No packets will be discarded.

Defaults
None.

Mode
Switch command, read-write.

Usage
The options are to discard all incoming tagged frames, all incoming untagged frames, neither (essentially allow all traffic), or both (essentially discarding all traffic).

A common practice is to discard all tagged packets on user ports. Typically an Administrator does not want the end users defining what VLAN they use for communication.

Example
This example shows how to discard all tagged frames received on port ge.3.3:
A2(su)->set port discard ge.3.3 tagged
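The three per-port ingress controls in this section (PVID, ingress filtering and frame discard mode) combine as in the following Python model, which is an added example and not switch firmware or Enterasys code. The class, function names and port settings are constructed; the model assumes the VLANs involved exist on the switch and, following IEEE 802.1Q, applies the ingress filter to the VLAN an untagged frame is classified to.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Port:
    name: str
    pvid: int = 1                  # set port vlan port-string pvid
    discard: str = "none"          # set port discard: tagged | untagged | both | none
    ingress_filter: bool = False   # set port ingress-filter: enable | disable
    # VLANs whose egress list contains this port (default: VLAN 1 only).
    egress_vlans: Set[int] = field(default_factory=lambda: {1})


def classify(port: Port, tag: Optional[int]) -> Tuple[str, Optional[int], str]:
    """Return (verdict, vlan, reason) for a frame received on `port`.

    `tag` is the 802.1Q VLAN ID carried by the frame, or None if untagged.
    """
    tagged = tag is not None
    # Frame discard mode only looks at whether the frame carries a tag.
    if (port.discard == "both"
            or (tagged and port.discard == "tagged")
            or (not tagged and port.discard == "untagged")):
        return ("drop", None, "discard mode " + port.discard)
    # Untagged frames are classified to the PVID; tagged frames keep their VLAN ID.
    vlan = tag if tagged else port.pvid
    # Ingress filtering compares the VLAN ID with the port's egress list.
    # Assumption: the check also covers the PVID of untagged frames.
    if port.ingress_filter and vlan not in port.egress_vlans:
        return ("drop", vlan, "ingress filter: VLAN not on port egress list")
    return ("accept", vlan, "tagged" if tagged else "untagged, classified to PVID")


def evaluate(port: Port, tags: List[Optional[int]]) -> List[Tuple[Optional[int], str]]:
    """Verdict per frame, for comparing port profiles side by side."""
    return [(tag, classify(port, tag)[0]) for tag in tags]


if __name__ == "__main__":
    # Constructed user port: PVID 10, on the egress list of VLAN 10 only.
    base = dict(name="fe.1.3", pvid=10, egress_vlans={10})
    profiles = {
        "defaults": Port(**base),
        "ingress-filter enable": Port(ingress_filter=True, **base),
        "discard tagged": Port(discard="tagged", **base),
    }
    frames = [None, 10, 20]   # untagged, tagged VLAN 10, tagged VLAN 20
    for label, port in profiles.items():
        print(label)
        for tag in frames:
            verdict, vlan, reason = classify(port, tag)
            shown = "untagged" if tag is None else f"tag {tag}"
            print(f"  {shown:<9} -> {verdict:<6} vlan={vlan} ({reason})")
```

The comparison shows why the usage note recommends discard tagged on user ports: ingress filtering alone still accepts a frame tagged for any VLAN already on the port's egress list, while discard tagged leaves only PVID classification.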


Configuring the VLAN Egress List


Purpose
To assign or remove ports on the egress list of a particular VLAN. This determines which ports on the switch will be eligible to transmit frames for a particular VLAN. For example, ports 1, 5, 7, 8 could be allowed to transmit frames belonging to VLAN 20 and ports 7, 8, 9, 10 could be allowed to transmit frames tagged with VLAN 30 (a port can belong to multiple VLAN Egress lists). Note that the Port Egress list for ports 7 and 8 would contain both VLAN 20 and 30.

The port egress type for all ports can be set to tagged, forbidden, or untagged. In general, VLANs have no egress (except for VLAN 1) until they are configured by static administration, or through dynamic mechanisms such as GVRP.

Setting a port to forbidden prevents it from participating in the specified VLAN and ensures that any dynamic requests (either through GVRP or dynamic egress) for the port to join the VLAN will be ignored. Setting a port to untagged allows it to transmit frames without a tag header. This setting is usually used to configure a port connected to an end user device. Frames sent between VLAN-aware switches are typically tagged.

The default VLAN defaults its egress to untagged for all ports.

Commands
The commands used to configure VLAN egress and dynamic VLAN egress are listed below.

For information about...    Refer to page...
show port egress            7-15
set vlan forbidden          7-15
set vlan egress             7-16
clear vlan egress           7-17
show vlan dynamicegress     7-18
set vlan dynamicegress      7-19


show port egress


Use this command to display the VLAN membership for one or more ports.

Syntax
show port egress [port-string]

Parameters
port-string    (Optional) Displays VLAN membership for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, VLAN membership will be displayed for all ports.

Mode
Switch command, read-write.

Example
This example shows you how to show VLAN egress information for fe.1.1 through 3. In this case, all three ports are allowed to transmit VLAN 1 frames as tagged and VLAN 10 frames as untagged. Both are static VLANs:
A2(su)->show port egress fe.1.1-3
Port      Vlan      Egress      Registration
Number    Id        Status      Status
-------------------------------------------------------
fe.1.1    1         tagged      static
fe.1.1    10        untagged    static
fe.1.2    1         tagged      static
fe.1.2    10        untagged    static
fe.1.3    1         tagged      static
fe.1.3    10        untagged    static

set vlan forbidden


Use this command to prevent one or more ports from participating in a VLAN. This setting instructs the device to ignore dynamic requests (either through GVRP or dynamic egress) for the port to join the VLAN.

Syntax
set vlan forbidden vlan-id port-string

Parameters
vlan-id        Specifies the VLAN for which to set forbidden port(s).
port-string    Specifies the port(s) to set as forbidden for the specified vlan-id.

Defaults
None.


Mode
Switch command, read-write.

Example
This example shows you how to set fe.1.3 to forbidden for VLAN 6:
A2(su)->set vlan forbidden 6 fe.1.3

set vlan egress


Use this command to add ports to the VLAN egress list for the device, or to prevent one or more ports from participating in a VLAN. This determines which ports will transmit frames for a particular VLAN.

Syntax
set vlan egress vlan-list port-string [untagged | forbidden | tagged]

Parameters
vlan-list                        Specifies the VLAN where a port(s) will be added to the egress list.
port-string                      Specifies one or more ports to add to the VLAN egress list of the specified vlan-list. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
untagged | forbidden | tagged    (Optional) Adds the specified ports as:
                                 untagged - Causes the port(s) to transmit frames without an IEEE 802.1Q header tag.
                                 forbidden - Instructs the device to ignore dynamic requests (either through GVRP or dynamic egress) from the port(s) to join the VLAN and disallows egress on that port.
                                 tagged - Causes the port(s) to transmit 802.1Q tagged frames.

Defaults
If untagged, forbidden or tagged is not specified, the port will be added to the VLAN egress list as tagged.

Mode
Switch command, read-write.

Examples
This example shows how to add fe.1.5 through 10 to the egress list of VLAN 7. This means that these ports will transmit VLAN 7 frames as tagged:
A2(su)->set vlan egress 7 fe.1.5-10

This example shows how to forbid Fast Ethernet ports 13 through 15 in unit 1 from joining VLAN 7 and disallow egress on those ports:
A2(su)->set vlan egress 7 fe.1.13-15 forbidden


This example shows how to allow Fast Ethernet port 2 in unit 1 to transmit VLAN 7 frames as untagged:
A2(su)->set vlan egress 7 fe.1.2 untagged

clear vlan egress


Use this command to remove ports from a VLAN's egress list.

Syntax
clear vlan egress vlan-list port-string [forbidden]

Parameters
vlan-list      Specifies the number of the VLAN from which a port(s) will be removed from the egress list.
port-string    Specifies one or more ports to be removed from the VLAN egress list of the specified vlan-list. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
forbidden      (Optional) Clears the forbidden setting from the specified port(s) and resets the port(s) as able to egress frames if so configured by either static or dynamic means.

Defaults
If forbidden is not specified, tagged and untagged settings will be cleared.

Mode
Switch command, read-write.

Examples
This example shows how to remove fe.3.14 from the egress list of VLAN 9:
A2(su)->clear vlan egress 9 fe.3.14

This example shows how to remove all Fast Ethernet ports in unit 2 from the egress list of VLAN 4:
A2(su)->clear vlan egress 4 fe.2.*


show vlan dynamicegress


Use this command to display the status of dynamic egress (enabled or disabled) for one or more VLANs.

Syntax
show vlan dynamicegress [vlan-list]

Parameters
vlan-list    (Optional) Displays dynamic egress status for specific VLAN(s).

Defaults
If vlan-list is not specified, the dynamic egress status for all VLANs will be displayed.

Mode
Switch command, read-write.

Example
This example shows how to display the dynamic egress status for VLANs 50-55:
A2(rw)->show vlan dynamicegress 50-55
VLAN 50 is disabled
VLAN 51 is disabled
VLAN 52 is disabled
VLAN 53 is enabled
VLAN 54 is enabled
VLAN 55 is enabled


set vlan dynamicegress


Use this command to administratively set the dynamic egress status for one or more VLANs.

Syntax
set vlan dynamicegress vlan-list {enable | disable}

Parameters
vlan-list           Specify the VLANs by ID to enable or disable dynamic egress.
enable | disable    Enables or disables dynamic egress.

Defaults
None.

Mode
Switch command, read-write.

Usage
If dynamic egress is enabled for a particular VLAN, when a port receives a frame tagged with that VLAN's ID, the switch will add the receiving port to that VLAN's egress list. Dynamic egress is disabled on the SecureStack A2 by default.

For example, assume you have 20 AppleTalk users on your network who are mobile users (that is, use different ports every day), but you want to keep the AppleTalk traffic isolated in its own VLAN. You can create an AppleTalk VLAN with a VLAN ID of 55 with a classification rule that all AppleTalk traffic gets tagged with VLAN ID 55. Then, you enable dynamic egress for VLAN 55. Now, when an AppleTalk user plugs into port ge.3.5 and sends an AppleTalk packet, the switch will tag the packet to VLAN 55 and also add port ge.3.5 to VLAN 55's egress list, which allows the AppleTalk user to receive AppleTalk traffic.

Example
This example shows how to enable dynamic egress on VLAN 55:
A2(rw)->set vlan dynamicegress 55 enable


Setting the Host VLAN


Purpose
To configure a host VLAN that only select devices are allowed to access. This secures the host port for management-only tasks.
Note: The host port is the management entity of the device. Refer to Creating a Secure Management VLAN on page 7-1 for more information.

Commands
The commands needed to configure host VLANs are listed below.

For information about...    Refer to page...
show host vlan              7-20
set host vlan               7-21
clear host vlan             7-22

show host vlan


Use this command to display the current host VLAN.

Syntax
show host vlan

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the host VLAN:
A2(su)->show host vlan
Host vlan is 7.


set host vlan


Use this command to assign host status to a VLAN.

Syntax
set host vlan vlan-id

Parameters
vlan-id    Specifies the number of the VLAN to set as the host VLAN.

Defaults
None.

Mode
Switch command, read-write.

Usage
The host VLAN should be a secure VLAN where only designated users are allowed access. For example, a host VLAN could be specifically created for device management. This would allow a management station connected to the management VLAN to manage all ports on the device and make management secure by preventing management via ports assigned to other VLANs.
Note: Before you can designate a VLAN as the host VLAN, you must create a VLAN using the set of commands described in Creating and Naming Static VLANs on page 7-5.

Example
This example shows how to set VLAN 7 as the host VLAN:
A2(su)->set host vlan 7


clear host vlan


Use this command to reset the host VLAN to the default setting of 1.

Syntax
clear host vlan

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the host VLAN to the default setting:
A2(su)->clear host vlan


Enabling/Disabling GVRP (GARP VLAN Registration Protocol)


About GARP VLAN Registration Protocol (GVRP)
The following sections describe the device operation when its ports are operating under the Generic Attribute Registration Protocol (GARP) application GARP VLAN Registration Protocol (GVRP).

Overview
The purpose of GVRP is to dynamically create VLANs across a switched network. When a VLAN is declared, the information is transmitted out GVRP-configured ports on the device in a GARP-formatted frame using the GVRP multicast MAC address. A switch that receives this frame examines the frame and extracts the VLAN IDs. GVRP then creates the VLANs and adds the receiving port to its tagged member list for the extracted VLAN ID(s). The information is then transmitted out the other GVRP-configured ports of the device. Figure 7-1 shows an example of how VLAN blue from end station A would be propagated across a switch network.

How It Works
In Figure 7-1 on page 7-24, Switch 4, port 1 is registered as being a member of VLAN Blue and then declares this fact out all its ports (2 and 3) to Switch 1 and Switch 2. These two devices register this in the port egress lists of the ports (Switch 1, port 1 and Switch 2, port 1) that received the frames with the information. Switch 2, which is connected to Switch 3 and Switch 5, declares the same information to those two devices and the port egress list of each port is updated with the new information, accordingly.

Configuring a VLAN on an 802.1Q switch creates a static VLAN entry. The entry will always remain registered and will not time out. However, dynamic entries will time out and their registrations will be removed from the member list if the end station A is removed. This ensures that, if switches are disconnected or if end stations are removed, the registered information remains accurate.

The end result is that the port egress list of a port is updated with information about VLANs that reside on that port, even if the actual station on the VLAN is several hops away.
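The propagation described in How It Works, and the effect of the forbidden setting described under Configuring the VLAN Egress List, can be traced with the following Python model. It is an added example, not Enterasys code or a GVRP implementation: VLAN ID 20 for VLAN Blue and the port numbers on the links from Switch 2 to Switch 3 and Switch 5 are constructed, forbidden is applied on the receiving port only, and timers and leave messages are not modeled.

```python
from collections import deque

VLAN_BLUE = 20   # constructed VLAN ID; the page only names the VLAN "Blue"


class Switch:
    def __init__(self, name, gvrp_ports, forbidden=None):
        self.name = name
        self.gvrp_ports = set(gvrp_ports)   # ports enabled with: set gvrp enable port-string
        self.forbidden = forbidden or {}    # {vlan_id: {ports}} from: set vlan forbidden


def connect(*pairs):
    """Build a two-way link table from ((switch, port), (switch, port)) pairs."""
    links = {}
    for a, b in pairs:
        links[a], links[b] = b, a
    return links


def propagate(switches, links, origin, origin_port, vlan):
    """Return {switch: [ports registered for `vlan`]} after declarations settle.

    `origin_port` on `origin` is registered first (Switch 4, port 1 in the text).
    Each new registration is declared out the switch's other GVRP-enabled ports.
    """
    registered = {name: set() for name in switches}
    registered[origin].add(origin_port)
    queue = deque([(origin, origin_port)])
    while queue:
        name, in_port = queue.popleft()
        for out_port in sorted(switches[name].gvrp_ports - {in_port}):
            peer = links.get((name, out_port))
            if peer is None:
                continue                      # nothing attached to this port
            peer_name, peer_port = peer
            peer_sw = switches[peer_name]
            if peer_port not in peer_sw.gvrp_ports:
                continue                      # GVRP disabled on the receiving port
            if peer_port in peer_sw.forbidden.get(vlan, set()):
                continue                      # dynamic request ignored: port is forbidden
            if peer_port in registered[peer_name]:
                continue                      # already registered
            registered[peer_name].add(peer_port)
            queue.append((peer_name, peer_port))
    return {name: sorted(ports) for name, ports in registered.items()}


def figure_7_1():
    """Topology from the How It Works text, with GVRP enabled on every linked port."""
    switches = {
        "Switch 1": Switch("Switch 1", {1}),
        "Switch 2": Switch("Switch 2", {1, 2, 3}),
        "Switch 3": Switch("Switch 3", {1}),
        "Switch 4": Switch("Switch 4", {1, 2, 3}),
        "Switch 5": Switch("Switch 5", {1}),
    }
    links = connect(
        (("Switch 4", 2), ("Switch 1", 1)),
        (("Switch 4", 3), ("Switch 2", 1)),
        (("Switch 2", 2), ("Switch 3", 1)),   # constructed port numbers
        (("Switch 2", 3), ("Switch 5", 1)),   # constructed port numbers
    )
    return switches, links


if __name__ == "__main__":
    switches, links = figure_7_1()
    print("all ports GVRP-enabled:", propagate(switches, links, "Switch 4", 1, VLAN_BLUE))
    switches["Switch 2"].forbidden = {VLAN_BLUE: {1}}
    print("Switch 2 port 1 forbidden:", propagate(switches, links, "Switch 4", 1, VLAN_BLUE))
```

With Switch 2, port 1 set to forbidden for the VLAN, the registration stops there and never reaches Switch 3 or Switch 5; leaving GVRP disabled on a port, the per-port default, has the same effect for that link.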


Figure 7-1 Example of VLAN Propagation via GVRP
[Figure: End Station A and Switches 1 through 5, with ports marked as registered as a member of VLAN Blue or as declaring VLAN Blue.]

Purpose
To dynamically create VLANs across a switched network. The GVRP command set is used to display GVRP configuration information, the current global GVRP state setting, individual port settings (enable or disable) and timer settings. By default, GVRP is enabled globally on the device, but disabled on all ports.

Commands
The commands used to configure GVRP are listed below.

For information about...    Refer to page...
show gvrp                   7-25
show garp timer             7-25
set gvrp                    7-27
clear gvrp                  7-27
set garp timer              7-28


show gvrp
Use this command to display GVRP configuration information.

Syntax
show gvrp [port-string]

Parameters
port-string    (Optional) Displays GVRP configuration information for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, GVRP configuration information will be displayed for all ports and the device.

Mode
Switch command, read-only.

Example
This example shows how to display GVRP status for the device and for fe.2.1:
A2(su)->show gvrp fe.2.1
Global GVRP status is enabled.

Port Number  GVRP status
-----------  -----------
fe.2.1       disabled

show garp timer


Use this command to display GARP timer values for one or more ports.

Syntax
show garp timer [port-string]

Parameters
port-string    (Optional) Displays GARP timer information for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, GARP timer information will be displayed for all ports.

Mode
Switch command, read-only.


Example
This example shows how to display GARP timer information on Fast Ethernet ports 1 through 10 in unit 1:
Note: For a functional description of the terms join, leave, and leaveall timers, refer to the standard IEEE 802.1Q documentation, which is not supplied with this device.
A2(su)->show garp timer fe.1.1-10
Port based GARP Configuration: (Timer units are centiseconds)
Port Number  Join        Leave       Leaveall
-----------  ----------  ----------  ----------
fe.1.1       20          60          1000
fe.1.2       20          60          1000
fe.1.3       20          60          1000
fe.1.4       20          60          1000
fe.1.5       20          60          1000
fe.1.6       20          60          1000
fe.1.7       20          60          1000
fe.1.8       20          60          1000
fe.1.9       20          60          1000
fe.1.10      20          60          1000

Table 7-3 provides an explanation of the command output. For details on using the set gvrp command to enable or disable GVRP, refer to set gvrp on page 7-27. For details on using the set garp timer command to change default timer values, refer to set garp timer on page 7-28.

Table 7-3 show gvrp configuration Output Details

Output         What It Displays...
Port Number    Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
Join           Join timer setting.
Leave          Leave timer setting.
Leaveall       Leaveall timer setting.

set gvrp
Use this command to enable or disable GVRP globally on the device or on one or more ports.

Syntax
set gvrp {enable | disable} [port-string]

Parameters
disable | enable    Disables or enables GVRP on the device.
port-string         (Optional) Disables or enables GVRP on specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, GVRP will be disabled or enabled for all ports.

Mode
Switch command, read-write.

Examples
This example shows how to enable GVRP globally on the device:
A2(su)->set gvrp enable

This example shows how to disable GVRP globally on the device:
A2(su)->set gvrp disable

This example shows how to enable GVRP on fe.1.3:
A2(su)->set gvrp enable fe.1.3

clear gvrp
Use this command to clear GVRP status globally or on one or more ports.

Syntax
clear gvrp [port-string]

Parameters
port-string    (Optional) Clears GVRP status on specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, GVRP status will be cleared for all ports.

Mode
Switch command, read-write.

Example
This example shows how to clear GVRP status globally on the device:
A2(su)->clear gvrp

set garp timer


Use this command to adjust the values of the join, leave, and leaveall timers.

Syntax
set garp timer {[join timer-value] [leave timer-value] [leaveall timer-value]} port-string

Parameters
join timer-value        Sets the GARP join timer in centiseconds (Refer to 802.1Q standard.)
leave timer-value       Sets the GARP leave timer in centiseconds (Refer to 802.1Q standard.)
leaveall timer-value    Sets the GARP leaveall timer in centiseconds (Refer to 802.1Q standard.)
port-string             Specifies the port(s) on which to configure GARP timer settings. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Usage
The setting of these timers is critical and should only be changed by personnel familiar with the 802.1Q standards documentation, which is not supplied with this device.

Examples
This example shows how to set the GARP join timer value to 100 centiseconds for all ports:
A2(su)->set garp timer join 100 *.*.*

This example shows how to set the leave timer value to 300 centiseconds for all ports:
A2(su)->set garp timer leave 300 *.*.*

This example shows how to set the leaveall timer value to 20000 centiseconds for all ports:
A2(su)->set garp timer leaveall 20000 *.*.*

8
Differentiated Services Configuration
This chapter describes the Differentiated Services (Diffserv) set of commands and how to use them.

SecureStack A2 devices support Diffserv policy-based provisioning of network resources by allowing IT administrators to:
• Create, change or remove Diffserv policies based on business-specific use of network services.
• Prioritize and police traffic according to assigned policies and conditions.
• Assign or unassign ports to Diffserv policies so that only ports activated for a policy will be allowed to transmit frames accordingly.

For information about ...                                 Refer to page ...
Globally Enabling or Disabling Diffserv                   8-2
Creating Diffserv Classes and Matching Conditions         8-3
Configuring Diffserv Policies and Assigning Classes       8-10
Assigning Policies to Service Ports                       8-17

Globally Enabling or Disabling Diffserv


Purpose
To globally enable or disable Diffserv on the device.

Command
The command used to globally enable or disable Diffserv on the device is listed below and described in the associated section as shown.

For information about...      Refer to page...
set diffserv adminmode        8-2

set diffserv adminmode

Use this command to globally enable or disable Diffserv on the device. By default, this function is disabled at device startup.

Syntax
set diffserv adminmode {enable | disable}

Parameters
enable | disable    Enables or disables Diffserv.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to enable Diffserv:
A2(rw)->set diffserv adminmode enable

Creating Diffserv Classes and Matching Conditions


Purpose
To review, create, and configure Diffserv classes and matching conditions.

Commands
The commands used to review, create, and configure Diffserv classes and matching conditions are listed below and described in the associated section as shown.

For information about...      Refer to page...
show diffserv info            8-3
show diffserv class           8-4
set diffserv class create     8-4
set diffserv class delete     8-5
set diffserv class match      8-6
set diffserv class rename     8-9

show diffserv info

Use this command to display general Diffserv status information.

Syntax
show diffserv info

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display general Diffserv status information:
A2(rw)->show diffserv info
DiffServ Admin Mode............................ Enable
Class Table Size Current/Max................... 0 / 25
Class Rule Table Size Current/Max.............. 0 / 150
Policy Table Size Current/Max.................. 0 / 12
Policy Instance Table Size Current/Max......... 0 / 120
Policy Attribute Table Size Current/Max........ 0 / 120
Service Table Size Current/Max................. 0 / 48

show diffserv class


Use this command to display information about Diffserv classes.

Syntax
show diffserv class {summary | detailed classname}

Parameters
summary               Displays a summary of Diffserv class information.
detailed classname    Displays detailed Diffserv information for a specific class.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display a summary of Diffserv class information. In this case, there are two classes configured, named "guest" and "admin":
A2(rw)->show diffserv class summary
Class Name        Class Type   Ref Class Name
----------------- ------------ -------------------------------
guest             All
admin             All

set diffserv class create

Use this command to create a new Diffserv class.

Syntax
set diffserv class create {all classname}

Parameters
all          Specifies that all match conditions must be met before the associated policy is executed.
classname    Specifies a class name for this new Diffserv class.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to create a Diffserv class called "admin":
A2(rw)->set diffserv class create all admin

set diffserv class delete


Use this command to delete a Diffserv class and remove any match assigned to the class.

Syntax
set diffserv class delete classname

Parameters
classname    Specifies the class name to be deleted.

Defaults
None.

Mode
Switch command, read-write.

Usage
You cannot use this command to delete a class that has been assigned to a policy. Before deleting a class with an assigned policy and service port(s), you must first:
• Remove the service port(s) assigned to the policy using the set diffserv service remove command (page 8-19), then
• Remove the specified class using the set diffserv policy class remove command (page 8-12).

Example
This example shows how to delete the Diffserv "admin" class:
A2(rw)->set diffserv class delete admin

set diffserv class match


Use this command to match a Diffserv class to a service condition based on layer 2, 3, and 4 packet parameters.

Syntax
set diffserv class match {[every classname] [dstmac | scrmac classname macaddr macmask] [dstip | srcip classname ipaddr ipmask] [dstl4port | srcl4port{keyword classname keyword | number classname portnumber}] [ipdscp classname dscpval] [ipprecedence classname precedencenumber] [iptos classname tosbits tosmask] [protocol {keyword classname protocol-name | number classname protocol-number}] [refclass {add | remove}{classname refclassname}] [vlan classname vlanid]}

Parameters
every classname
    Matches all packets to a specific class.
dstmac | scrmac classname macaddr macmask
    Matches to a specific class based on destination or source MAC address.
dstip | srcip classname ipaddr ipmask
    Matches to a specific class based on destination or source IP address.
dstl4port | srcl4port keyword classname keyword | number classname portnumber
    Matches to a specific class based on destination or source layer 4 port number or keyword. Valid keyword values are:
    • domain
    • echo
    • ftp
    • ftpdata
    • http
    • smtp
    • snmp
    • telnet
    • tftp
    • www
    Valid portnumber values are 0-65535.
ipdscp classname dscpval
    Matches to a specific class based on the value of the IP Diffserv Code Point. Valid numeric or keyword values can be entered as listed in Table 8-1 below.
ipprecedence classname precedencenumber
    Matches to a specific class based on the value of the IP precedence field. Valid precedencenumber values are: 0-7.
iptos classname tosbits tosmask
    Matches to a specific class based on the value of the IP type of service (TOS) field. Valid tosbits values are 0-255. Valid tosmask values are 1-8.
protocol keyword classname protocol-name | number classname protocol-number
    Matches to a specific class based on number or keyword in the IP protocol field. Valid protocol-name keywords are:
    • icmp
    • igmp
    • ip
    • tcp
    • udp
    Valid protocol-number values are 0-255.
refclass add | remove classname refclassname
    Adds or removes a set of already defined match conditions to a specific class.
vlan classname vlanid
    Matches to a specific class based on VLAN ID. Valid values are 1-4094.

Table 8-1    Valid IP DSCP Numeric and Keyword Values

Code Point Map   Numeric Value            Keyword (Usage)
b'000000         0                        be (best effort)
b'xxx000         0,8,16,24,32,40,48,56    cs0 - cs7 (Class Selector PHB)
b'001xx0         10,12,14                 af11, af12, af13 (Assured Forwarding)
b'010xx0         18,20,22                 af21, af22, af23 (Assured Forwarding)
b'011xx0         26,28,30                 af31, af32, af33 (Assured Forwarding)
b'100xx0         34,36,38                 af41, af42, af43 (Assured Forwarding)
b'101110         46                       ef (Expedited Forwarding)

Defaults
None.

Mode
Switch command, read-write.

Usage
Any policy that is applied must be composed of rules that come from only one of the following four groups.
• Layer 3:
    - Destination IP address (dstip)
    - Destination Layer 4 port (dstl4port)
    - IP Diffserv Code Point (ipdscp)
    - IP precedence field (ipprecedence)
    - IP type of service (TOS) field (iptos)
    - IP protocol field (protocol)
    - Source IP address (srcip)
    - Source Layer 4 port (srcl4port)
• Layer 2:
    - Destination MAC address (dstmac)
    - Source MAC address (scrmac)
    - VLAN ID (vlan)
• Layer 2 Layer 3 source:
    - Source MAC address (scrmac)
    - Source IP address (srcip)
    - VLAN ID (vlan)
• Layer 2 Layer 3 destination:
    - Destination MAC address (dstmac)
    - Destination IP address (dstip)
    - VLAN ID (vlan)

Note: The match type every will work with any group.

You cannot create and add a class to a policy before adding any rules (match conditions) to the class. Once a class is added to a policy, you cannot add any more rules (match conditions) to the class. You cannot create outbound policies.

You can only add rules that fit into the same category (shown in the groupings above) to a class. For example, if you create a class and add the match conditions dstip and dstl4port, you will only be able to add other rules from the L3 group.

Class matches of layer 4 destination or source must be sequenced before the corresponding protocol match, as illustrated in the third example below.

You can only add classes of the same category to a policy.

Examples
This example shows how to match the "admin" class to source IP address 130.10.0.32 and only that IP address type:
A2(rw)->set diffserv class match srcip admin 130.10.0.32 255.255.255.255

This example shows how to match the "admin" class to VLAN 10:
A2(rw)->set diffserv class match vlan admin 10

This example shows how to match the "http" class to TCP packets with a destination port of 80 (HTTP). The layer 4 port match must precede the protocol type.
A2(rw)->set diffserv class match dstl4port keyword http http
A2(rw)->set diffserv class match protocol keyword http tcp
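
The grouping and sequencing rules from the Usage text above can be checked against a planned list of class match commands before they are entered on the switch. The following is an added example, not Enterasys code: the function names, the "guest" and "voice" classes and their values are constructed for illustration, and refclass is not modelled.

```python
# Added example: check 'set diffserv class match' commands against the four
# rule groups listed in the Usage text. Group membership is copied from the
# guide; everything else here is an assumption made for the illustration.

GROUPS = {
    "Layer 3": {"dstip", "dstl4port", "ipdscp", "ipprecedence", "iptos",
                "protocol", "srcip", "srcl4port"},
    "Layer 2": {"dstmac", "scrmac", "vlan"},
    "Layer 2 Layer 3 source": {"scrmac", "srcip", "vlan"},
    "Layer 2 Layer 3 destination": {"dstmac", "dstip", "vlan"},
}
L4_PORT = {"dstl4port", "srcl4port"}
SELECTOR_FIRST = L4_PORT | {"protocol"}  # keyword|number precedes classname
KNOWN = set().union(*GROUPS.values()) | {"every"}
PREFIX = ["set", "diffserv", "class", "match"]


def parse_match(command):
    """Return (classname, match_type) for one class match command line."""
    tokens = command.split()
    if tokens[:4] != PREFIX or len(tokens) < 6:
        raise ValueError(f"not a class match command: {command!r}")
    match_type = tokens[4]
    if match_type == "refclass":
        raise ValueError("refclass is not modelled by this check")
    if match_type not in KNOWN:
        raise ValueError(f"unknown match type: {match_type!r}")
    if match_type in SELECTOR_FIRST:
        if len(tokens) < 8 or tokens[5] not in ("keyword", "number"):
            raise ValueError(f"expected keyword|number: {command!r}")
        return tokens[6], match_type
    return tokens[5], match_type


def audit_classes(commands):
    """Map classname -> {'groups': [...], 'errors': [...]} in entry order."""
    entered = {}
    for command in commands:
        classname, match_type = parse_match(command)
        entered.setdefault(classname, []).append(match_type)

    report = {}
    for classname, types in entered.items():
        # 'every' works with any group, so it does not constrain the choice.
        constrained = {t for t in types if t != "every"}
        groups = [name for name, members in GROUPS.items()
                  if constrained <= members]
        errors = []
        if not groups:
            errors.append("match types do not fit in any single rule group")
        if "protocol" in types:
            after_protocol = types[types.index("protocol") + 1:]
            if any(t in L4_PORT for t in after_protocol):
                errors.append(
                    "layer 4 port match entered after the protocol match")
        report[classname] = {"groups": groups, "errors": errors}
    return report


def shared_groups(report, classnames):
    """Groups common to all listed classes; empty means no shared policy."""
    return [name for name in GROUPS
            if all(name in report[c]["groups"] for c in classnames)]


SAMPLE = [
    # The three examples from the guide.
    "set diffserv class match srcip admin 130.10.0.32 255.255.255.255",
    "set diffserv class match vlan admin 10",
    "set diffserv class match dstl4port keyword http http",
    "set diffserv class match protocol keyword http tcp",
    # Constructed: mixes a Layer 2 match type with a Layer 3 only match type.
    "set diffserv class match dstmac guest 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff",
    "set diffserv class match dstl4port number guest 8080",
    # Constructed: protocol entered before the layer 4 port match.
    "set diffserv class match protocol number voice 17",
    "set diffserv class match dstl4port number voice 5060",
]

if __name__ == "__main__":
    result = audit_classes(SAMPLE)
    for name, entry in result.items():
        print(name, entry["groups"], entry["errors"])
    print("admin + http share:", shared_groups(result, ["admin", "http"]))
```

A class whose "groups" list is empty, or two classes with no shared group, cannot be combined in one applied policy under the rules above.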

set diffserv class rename


Use this command to change the name of a Diffserv class.

Syntax
set diffserv class rename classname newclassname

Parameters
classname       Specifies the class name previously set for this new Diffserv class.
newclassname    Specifies a new class name.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to rename the Diffserv "admin" class to "system":
A2(rw)->set diffserv class rename admin system

Configuring Diffserv Policies and Assigning Classes


Purpose
To review, create, and configure Diffserv policies and assign classes.

Commands
The commands used to review, create, and configure Diffserv policies and assign classes are listed below and described in the associated section as shown.

For information about...                        Refer to page...
show diffserv policy                            8-11
set diffserv policy create                      8-11
set diffserv policy delete                      8-12
set diffserv policy class                       8-12
set diffserv policy mark                        8-13
set diffserv policy police style simple         8-14
set diffserv policy police action conform       8-14
set diffserv policy police action nonconform    8-15
set diffserv policy rename                      8-16

show diffserv policy


Use this command to display information about Diffserv policies.

Syntax
show diffserv policy {summary | detailed policyname}

Parameters
summary                Displays Diffserv policy summary information.
detailed policyname    Displays detailed Diffserv information for a specific policy.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display a summary of Diffserv policy information. In this case, there is one policy named "admin", to which members of the "admin" class have been assigned. This policy is applied to incoming traffic on its assigned service ports:
A2(rw)->show diffserv policy summary
Policy Name          Policy Type Class Members
-------------------- ----------- -------------------------------
admin                In          admin

set diffserv policy create


Use this command to create a new Diffserv policy.

Syntax
set diffserv policy create policyname {in}

Parameters
policyname    Specifies a policy name.
in            Applies this policy to incoming packets.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to create a Diffserv policy called "admin" and apply it to incoming packets:
A2(rw)->set diffserv policy create admin in

set diffserv policy delete


Use this command to delete a Diffserv policy.

Syntax
set diffserv policy delete policyname

Parameters
policyname    Specifies a policy name to be deleted.

Defaults
None.

Mode
Switch command, read-write.

Usage
In order to delete a policy you must first remove the service port(s) assigned to the policy using the set diffserv service remove command as described in set diffserv service on page 8-19.

Example
This example shows how to delete the Diffserv "admin" policy:
A2(rw)->set diffserv policy delete admin

set diffserv policy class


Use this command to add a Diffserv class to, or remove it from, a specified policy. Once added, policies will be active for the specified class.

Syntax
set diffserv policy class {add | remove} policyname classname

Parameters
add | remove    Adds or removes the specified class.
policyname      Specifies the policy name to be associated with the class.
classname       Specifies a class name to add or remove.

Defaults
None.

Mode
Switch command, read-write.

Usage
A class must be added to a policy using this command before policy parameters, such as bandwidth, marking, and policing, can be configured.

Example
This example shows how to add the "system" class to the "admin" policy:
A2(rw)->set diffserv policy class add admin system

set diffserv policy mark


Use this command to mark all packets for the associated Diffserv traffic stream with a specific IP DSCP or IP precedence value.

Syntax
set diffserv policy mark {ipdscp | ipprecedence policyname classname value}

Parameters
ipdscp | ipprecedence    Specifies that packets will be marked with either an IP DSCP or precedence value.
policyname               Specifies the policy name being configured.
classname                Specifies a Diffserv class to associate to this policy.
value                    Specifies an IP DSCP or precedence value. Valid numeric or keyword DSCP values can be entered as listed in Section 8-1. Valid precedence values are: 0-7.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to mark packets matching the "admin" policy in the "system" class for DSCP expedited forwarding precedence:
A2(rw)->set diffserv policy mark ipdscp admin system ef

set diffserv policy police style simple


Use this command to establish the policing style for a Diffserv policy based only on bandwidth for the specified class.

Syntax
set diffserv policy police style simple policyname classname bandwidth burstsize

Parameters
policyname    Specifies the policy name being configured.
classname     Specifies a Diffserv class to associate to this policy.
bandwidth     Specifies a bandwidth value. Valid values are 1-4294967295.
burstsize     Specifies a burst size value. Valid values are 1-128.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to configure a bandwidth-based policing style for the "admin" Diffserv policy:
A2(rw)->set diffserv policy police style simple admin system 1000 128

set diffserv policy police action conform


Use this command to configure traffic policing actions for packets that conform to associated Diffserv classifications.

Syntax
set diffserv policy police action conform {drop | send policyname classname} | {markdscp | markprec policyname classname value}

Parameters
drop | send            Specifies whether the policing action for packets conforming to the classification parameters will be to drop or send packets.
markdscp | markprec    Specifies a policing action based on IP DSCP or precedence.
policyname             Specifies the policy name being configured.
classname              Specifies a Diffserv class to associate to this policing action.
value                  Specifies an IP DSCP or precedence value set with the set diffserv policy mark command (page 8-13).

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the policing action to send for packets conforming to Diffserv policy "admin", class "system".
A2(rw)->set diffserv policy police action conform send admin system

set diffserv policy police action nonconform


Use this command to configure traffic policing actions for packets that do not conform to associated Diffserv classifications.

Syntax
set diffserv policy police action nonconform {drop | send policyname classname} | {markdscp | markprec policyname classname value}

Parameters
drop | send            Specifies whether the policing action for packets not conforming to the classification parameters will be to drop or send packets.
markdscp | markprec    Specifies a policing action based on IP DSCP or precedence.
policyname             Specifies the policy name being configured.
classname              Specifies a Diffserv class to associate to this policing action.
value                  Specifies an IP DSCP or precedence value set with the set diffserv policy mark command (page 8-13).

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the policing action to drop for packets not conforming to the Diffserv policy "admin", class "system".
A2(rw)->set diffserv policy police action nonconform drop admin system

set diffserv policy rename


Use this command to change the name of a Diffserv policy.

Syntax
set diffserv policy rename policyname newpolicyname

Parameters
policyname       Specifies the policy name previously set for this new Diffserv class.
newpolicyname    Specifies a new policy name.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to rename the "admin" Diffserv policy to "system":
A2(rw)->set diffserv policy rename admin system

Assigning Policies to Service Ports


Purpose
To review and assign Diffserv policies and their associated classes to service ports.

Commands
The commands used to review and assign Diffserv policies to service ports are listed below and described in the associated section as shown.

For information about...       Refer to page...
show diffserv service info     8-17
show diffserv service stats    8-18
set diffserv service           8-19

show diffserv service info


Use this command to display information about Diffserv service ports.

Syntax
show diffserv service info {summary | detailed port-string} {in}

Parameters
summary                 Displays Diffserv service port summary information.
detailed port-string    Displays detailed information for a specific port(s).
in                      Displays information about incoming traffic.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display a summary of incoming Diffserv service port traffic:
A2(rw)->show diffserv service info summary in
DiffServ Admin Mode............................ Enable
Interface   Direction  OperStatus Policy Name
----------- ---------- ---------- ----------------------
ge.1.1      In         Up         admin
ge.1.2      In         Up         admin
ge.1.3      In         Up         admin

show diffserv service stats


Use this command to display Diffserv policy service statistics.

Syntax
show diffserv service stats {summary | detailed port-string} {in}

Parameters
summary                 Displays a summary of Diffserv service statistics.
detailed port-string    Displays detailed statistics for a specific port.
in                      Displays information about incoming traffic.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display detailed incoming traffic statistics about service port ge.1.1:
A2(rw)->show diffserv service stats detailed ge.1.1 in
Interface...................................... ge.1.1
Direction...................................... In
Operational Status............................. Up
Policy Name.................................... admin
Class Name..................................... system
In Discarded Packets........................... 0

set diffserv service


Use this command to add a Diffserv policy to, or remove it from, incoming traffic on one or more ports.

Syntax
set diffserv service {add | remove} {in} port-string policyname

Parameters
add | remove    Adds or removes the specified policy.
in              Adds or removes the specified policy to incoming traffic.
port-string     Specifies the port(s) to which this policy configuration will be applied.
policyname      Specifies the policy name to be added to or removed from port traffic.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to apply the Diffserv policy named "admin" to incoming traffic on ports ge.1.1-10:
A2(rw)->set diffserv service add in ge.1.5 admin

9
Port Priority and Rate Limiting Configuration
This chapter describes the Port Priority and Rate Limiting set of commands and how to use them.

For information about...                          Refer to page...
Port Priority Configuration Summary               9-1
Configuring Port Priority                         9-2
Configuring Priority to Transmit Queue Mapping    9-5
Configuring Quality of Service (QoS)              9-8
Configuring Port Traffic Rate Limiting            9-12

Port Priority Configuration Summary


The SecureStack A2 device supports Class of Service (CoS), which allows you to assign mission-critical data to higher priority through the device by delaying less critical traffic during periods of congestion. The higher priority traffic through the device is serviced first before lower priority traffic. The Class of Service capability of the device is implemented by a priority queueing mechanism. Class of Service is based on the IEEE 802.1D (802.1p) standard specification, and allows you to define eight priorities (0 through 7) and assign them to transmit queues for each port.

A priority 0 through 7 can be set on each port, with 0 being the lowest priority. A port receiving a frame without priority information in its tag header is assigned a priority according to the default priority setting on the port. For example, if the priority of a port is set to 4, the frames received through that port without a priority indicated in their tag header are classified as a priority 4 and transmitted according to that priority.

In addition, the device's rate limiting capabilities allow you to further prioritize traffic by limiting the rate of inbound traffic on a per port/priority basis.

Note: When CoS override is enabled using the set policy profile command as described in set policy profile on page 8-4, CoS-based classification rules will take precedence over priority settings configured with the set port priority command described in this section.

Configuring Port Priority


Purpose
To view or configure port priority characteristics as follows:
• Display or change the port default Class of Service (CoS) transmit priority (0 through 7) of each port for frames that are received (ingress) without priority information in their tag header.
• Display the current traffic class mapping-to-priority of each port.
• Set each port to transmit frames according to 802.1D (802.1p) priority set in the frame header.

Commands
The commands to configure port priority are listed below.

For information about...    Refer to page...
show port priority          9-5
set port priority           9-3
clear port priority         9-4

show port priority


Use this command to display the 802.1D priority for one or more ports.

Syntax
show port priority [port-string]

Parameters
port-string    (Optional) Displays priority information for a specific port. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, priority for all ports will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display the port priority for fe.2.1 through 5.
A2(su)->show port priority fe.2.1-5
fe.2.1 is set to 0
fe.2.2 is set to 0
fe.2.3 is set to 0
fe.2.4 is set to 0
fe.2.5 is set to 0

set port priority


Use this command to set the 802.1D (802.1p) Class of Service transmit priority (0 through 7) on each port. A port receiving a frame without priority information in its tag header is assigned a priority according to the priority setting on the port. For example, if the priority of a port is set to 5, the frames received through that port without a priority indicated in their tag header are classified as a priority 5.

A frame with priority information in its tag header is transmitted according to that priority.

Syntax
set port priority port-string priority

Parameters
port-string    Specifies the port for which to set priority. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
priority       Specifies a value of 0 to 7 to set the CoS priority for the port entered in the port-string. Priority value of 0 is the lowest priority.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set a default priority of 6 on fe.1.3. Frames received by this port without priority information in their frame header are set to the default setting of 6:
A2(su)->set port priority fe.1.3 6

clear port priority


Use this command to reset the current CoS port priority setting to 0. This will cause all frames received without a priority value in their header to be set to priority 0.

Syntax
clear port priority port-string

Parameters
port-string    Specifies the port for which to clear priority. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to reset fe.1.11 to the default priority:
A2(rw)->clear port priority fe.1.11

Configuring Priority to Transmit Queue Mapping


Purpose
To perform the following:
• View the current priority to transmit queue mapping of each physical port.
• Configure each port to either transmit frames according to the port priority, set using the set port priority command described in set port priority on page 9-3, or according to a priority based on a percentage of port transmission capacity, assigned to transmit queues using the set port txq command described in set port txq on page 9-9.
• Clear current port priority queue settings for one or more ports.

Note: Priority to transmit queue mapping on an individual port basis can only be configured on Gigabit Ethernet ports (ge.x.x). When you use the set port priority-queue command to configure a Fast Ethernet port (fe.x.x), the mapping values are applied globally to all Fast Ethernet ports on the stack.

Commands
The commands used in configuring transmit priority queues are listed below.

For information about...     Refer to page...
show port priority-queue     9-5
set port priority-queue      9-6
clear port priority-queue    9-7

show port priority-queue


Use this command to display the port priority levels (0 through 7, with 0 as the lowest level) associated with the current transmit queues (0 being the lowest priority) for each selected port. A frame with a certain port priority is transmitted according to the settings entered using the set port priority-queue command described in set port priority-queue on page 9-6.

Syntax
show port priority-queue [port-string]

Parameters
port-string    (Optional) Displays the mapping of priorities to transmit queues for one or more ports.

Defaults
If port-string is not specified, priority queue information for all ports will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display priority queue information for ge.1.1. In this case, frames with a priority of 0 are associated with transmit queue 1; frames with 1 or 2 priority are associated with transmit queue 0; and so forth:
A2(su)->show port priority-queue ge.1.1
Port      P0 P1 P2 P3 P4 P5 P6 P7
--------- -- -- -- -- -- -- -- --
ge.1.1    1  0  0  2  3  4  5  5

set port priority-queue


Use this command to map 802.1D (802.1p) priorities to transmit queues. This enables you to change the transmit queue (0 to 5, with 0 being the lowest priority queue) for each port priority of the selected port. You can apply the new settings to one or more ports.

Syntax
set port priority-queue port-string priority queue

Parameters
port-string    Specifies the port(s) for which to set priority-to-queue mappings. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
priority       Specifies a value of 0 through 7 (0 is the lowest level) that determines what priority frames will be transmitted on the transmit queue entered in this command.
queue          Specifies a value of 0 through 5 (0 is the lowest level) that determines the queue on which to transmit the frames with the port priority entered in this command.

Defaults
None.

Mode
Switch command, read-write.

Usage
Although there are eight queues implemented in the switch hardware, only six are available for use in prioritizing various data and control traffic. The 7th and 8th queues are reserved for stacking and network control related communications. Refer to Configuring Quality of Service (QoS) on page 9-8 for more information about configuring the priority mode and weight for these queues.

Priority to transmit queue mapping on an individual port basis can only be configured on Gigabit Ethernet ports (ge.x.x). When you use the set port priority-queue command to configure a Fast Ethernet port (fe.x.x), the mapping values are applied globally to all Fast Ethernet ports on the stack.

Example
This example shows how to set priority 5 frames received on ge.2.12 to transmit on queue 0.
A2(su)->set port priority-queue ge.2.12 5 0

clear port priority-queue


Use this command to reset port priority queue settings back to defaults for one or more ports.

Syntax
clear port priority-queue port-string

Parameters
port-string    Specifies the port for which to clear priority-to-queue mappings. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear the priority queue settings on ge.2.12:
A2(su)->clear port priority-queue ge.2.12

Configuring Quality of Service (QoS)


Purpose
Eight transmit queues are implemented in the switch hardware for each port, but only six are available for use in prioritizing various data and control traffic. The seventh and eighth queues are reserved for stacking and network control related communications.

The commands in this section allow you to set the priority mode and weight for each of the available six queues (queues 0 through 5) for each physical port on the switch. Priority mode and weight cannot be configured on LAGs, only on the physical ports that make up the LAG.

Commands
The commands to configure the Quality of Service are listed below.

For information about...    Refer to page...
show port txq               9-8
set port txq                9-9
clear port txq              9-10

show port txq


UsethiscommandtodisplayQoStransmitqueueinformationforoneormorephysicalports.

Syntax
show port txq [port-string]

Parameters
portstring (Optional)Specifiesport(s)forwhichtodisplayQoSsettings.Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 42. Onlyphysicalportswillbedisplayed.LAGportshavenotransmitqueue information.

Defaults
Iftheportstringisnotspecified,theQoSsettingofallphysicalportswillbedisplayed.

Mode
Switchcommand,readonly.


Example
This example shows how to display the current algorithm and transmit queue weights configured on ports ge.1.10 through 24:
A2(su)->show port txq ge.1.10-24
Port    Alg Q0  Q1  Q2  Q3  Q4  Q5  Q6  Q7
------- --- --- --- --- --- --- --- --- ---
ge.1.10 WRR 2   10  15  20  24  29  SP  SP
ge.1.11 WRR 2   10  15  20  24  29  SP  SP
ge.1.12 WRR 2   10  15  20  24  29  SP  SP
ge.1.13 WRR 2   10  15  20  24  29  SP  SP
ge.1.14 WRR 2   10  15  20  24  29  SP  SP
ge.1.15 WRR 2   10  15  20  24  29  SP  SP
ge.1.16 WRR 2   10  15  20  24  29  SP  SP
ge.1.17 WRR 2   10  15  20  24  29  SP  SP
ge.1.18 WRR 2   10  15  20  24  29  SP  SP
ge.1.19 WRR 2   10  15  20  24  29  SP  SP
ge.1.20 WRR 2   10  15  20  24  29  SP  SP
ge.1.21 WRR 2   10  15  20  24  29  SP  SP
ge.1.22 WRR 2   10  15  20  24  29  SP  SP
ge.1.23 WRR 2   10  15  20  24  29  SP  SP
ge.1.24 WRR 2   10  15  20  24  29  SP  SP

set port txq


Use this command to set QoS transmit queue arbitration values for physical ports.

Syntax
set port txq port-string value0 value1 value2 value3 value4 value5

Parameters
port-string        Specifies port(s) on which to set queue arbitration values. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2. Only physical ports can be configured with this command. LAG ports cannot be configured.
value0 - value5    Specifies percentage to allocate to a specific transmit queue. The values must total 100 percent.

Defaults
None.

Mode
Switch command, read-write.

Usage
Eight transmit queues are implemented in the switch hardware for each physical port, but only six are available for use in prioritizing various data and control traffic. The seventh and eighth queues are reserved for stacking and network control related communications and cannot be configured.


Queues can be set for strict priority (SP) or weighted round-robin (WRR). If set for WRR mode, weights may be assigned to those queues with this command. Weights are specified in the range of 0 to 100 percent. Weights specified for queues 0 through 5 on any port must total 100 percent. Queues 0 through 5 can be changed to strict priority by configuring queues 0 through 4 at 0 percent and queue 5 at 100 percent. Queues can be changed back to WRR by changing the weight of queues 0 through 5, or by issuing the clear port txq command.

Examples
This example shows how to change the arbitration values for the six transmit queues belonging to ge.1.1:
A2(su)->set port txq ge.1.1 17 17 17 17 16 16

This example shows how to change the algorithm to strict priority for the six transmit queues belonging to ge.1.1:
A2(su)->set port txq ge.1.1 0 0 0 0 0 100
A2(su)->show port txq ge.1.1
Port    Alg Q0  Q1  Q2  Q3  Q4  Q5  Q6  Q7
------- --- --- --- --- --- --- --- --- ---
ge.1.1  STR SP  SP  SP  SP  SP  SP  SP  SP

clear port txq


Use this command to clear port transmit queue values back to their default values.

Syntax
clear port txq port-string

Parameters
port-string    Clears transmit queue values on specific port(s) back to their default values. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2. Only physical ports can be configured with this command. LAG ports cannot be configured.

Defaults
By default, transmit queues are defined as follows:
Queue  Mode                       Weight
0      WRR                        1
1      WRR                        2
2      WRR                        3
3      WRR                        4
4      WRR                        5
5      WRR                        6
6      Strict (not configurable)
7      Strict (not configurable)

Mode
Switch command, read-write.


Example
This example shows how to clear transmit queue values on ge.1.1:
A2(su)->clear port txq ge.1.1
A2(su)->show port txq ge.1.1
Port    Alg Q0  Q1  Q2  Q3  Q4  Q5  Q6  Q7
------- --- --- --- --- --- --- --- --- ---
ge.1.1  WRR 2   10  15  20  24  29  SP  SP


Configuring Port Traffic Rate Limiting


Purpose
To limit the rate of inbound traffic on the SecureStack A2 device on a per port/priority basis. The allowable range for the rate limiting is 64 kilobytes per second minimum up to the maximum transmission rate allowable on the interface type.
Rate limit is configured for a given port and list of priorities. The list of priorities can include one, some, or all of the eight 802.1p priority levels. Once configured, the rate of all traffic entering the port with the priorities configured to that port is not allowed to exceed the programmed limit. If the rate exceeds the programmed limit, frames are dropped until the rate falls below the limit.

Commands
The commands to configure traffic rate limiting are listed below.
For information about...    Refer to page...
show port ratelimit         9-12
set port ratelimit          9-14
clear port ratelimit        9-15

show port ratelimit


Use this command to show the traffic rate limiting configuration on one or more ports.

Syntax
show port ratelimit [port-string]

Parameters
port-string    (Optional) Displays rate limiting information for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.

Defaults
If port-string is not specified, rate limiting information will be displayed for all ports.

Mode
Switch command, read-only.


Example
This example shows how to display the current rate limiting information for fe.2.1:
A2(su)->show port ratelimit fe.2.1
Global Ratelimiting status is disabled.

Port Number Index Threshold (kB/s) Action  Direction Priority List Status
----------- ----- ---------------- ------- --------- ------------- --------
fe.2.1      1     64               discard inbound   0             disabled
fe.2.1      2     64               discard inbound   0             disabled
fe.2.1      3     64               discard inbound   0             disabled
fe.2.1      4     64               discard inbound   0             disabled
fe.2.1      5     64               discard inbound   0             disabled
fe.2.1      6     64               discard inbound   0             disabled
fe.2.1      7     64               discard inbound   0             disabled
fe.2.1      8     64               discard inbound   0             disabled

Table 9-1 shows a detailed explanation of the command output.

Table 9-1    show port ratelimit Output Details
Output              What It Displays...
Port Number         Port designation. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.
Index               Resource index for this port.
Threshold (kB/s)    Port rate limiting threshold in kilobytes per second.
Action              Whether or not frames not conforming to rate limiting will be discarded.
Direction           Currently rules can only be applied to inbound traffic.
Priority List       802.1D (802.1p) port priority level.
Status              Whether or not this rule is active or disabled.


set port ratelimit


Use this command to configure the traffic rate limiting status and threshold (in kilobytes per second) for one or more ports.

Syntax
set port ratelimit {disable | enable} | port-string priority threshold {disable | enable} [inbound] [index]

Parameters
disable | enable    When entered without a port-string, globally disables or enables the port rate limiting function. When entered with a port-string, disables or enables rate limiting on specific port(s) when the global function is enabled.
port-string         Specifies a port on which to set the rate limiting threshold and other parameters. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.
priority            Specifies the 802.1D (802.1p) port priority level associated with the port-string. The value can be 0 to 7, with 0 specifying the lowest priority.
threshold           Specifies a port rate limiting threshold in kilobytes per second. Range is 64 up to a maximum of 2,147,483,647 kilobytes per second.
inbound             (Optional) Applies this rate policing rule to inbound traffic.
index               (Optional) Assigns a resource index for this port.

Defaults
Threshold will be applied to inbound traffic on the port/priority.
If index is not specified, settings will be applied to index 1, and will overwrite index 1 for any subsequent rate limits configured.

Mode
Switch command, read-write.

Example
This example shows how to:
- globally enable rate limiting
- configure rate limiting for inbound traffic on port fe.2.1, index 1, priority 5, to a threshold of 125 KBps:

A2(rw)->set port ratelimit enable
A2(rw)->set port ratelimit fe.2.1 5 125 enable inbound
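The constraints stated for set port txq (six values, each 0 to 100, totalling 100 percent) and set port ratelimit (priority 0 to 7, threshold 64 to 2,147,483,647 kB/s, index 1 overwritten when no index is given, per-port rules effective only when the global function is enabled) can be checked before a change script is pasted into the CLI. The following is an added example, not part of the original guide or of Enterasys software; the function names and the BAD_SCRIPT lines are constructed for illustration.

```python
MAX_THRESHOLD = 2_147_483_647  # upper bound the guide gives for threshold, in kB/s

# Commands taken from the guide's own examples.
PAGE_SCRIPT = """\
A2(su)->set port txq ge.1.1 17 17 17 17 16 16
A2(rw)->set port ratelimit enable
A2(rw)->set port ratelimit fe.2.1 5 125 enable inbound
"""

# Constructed script with deliberate mistakes (not from the guide).
BAD_SCRIPT = """\
set port txq ge.1.2 20 20 20 20 20 10
set port txq ge.1.1 0 0 0 0 0 100
set port ratelimit fe.2.2 8 32 enable inbound 2
set port ratelimit fe.2.1 5 125 enable inbound 1
"""


def check_txq(args):
    """Validate the arguments that follow 'set port txq'."""
    if len(args) != 7:
        return ["expected port-string followed by value0 through value5"]
    try:
        weights = [int(v) for v in args[1:]]
    except ValueError:
        return ["queue values must be whole percentages"]
    errors = []
    if any(not 0 <= w <= 100 for w in weights):
        errors.append("each queue value must be 0 to 100 percent")
    if sum(weights) != 100:
        errors.append(f"queue values total {sum(weights)}, must total 100")
    return errors


def check_ratelimit(args):
    """Validate a per-port rule; returns (errors, warnings, rule_enabled)."""
    if len(args) < 4:
        return ["expected port-string priority threshold {disable|enable}"], [], False
    _port, priority, threshold, state, *rest = args
    errors, warnings = [], []
    if not (priority.isdecimal() and 0 <= int(priority) <= 7):
        errors.append("priority must be 0 to 7")
    if not (threshold.isdecimal() and 64 <= int(threshold) <= MAX_THRESHOLD):
        errors.append(f"threshold must be 64 to {MAX_THRESHOLD} kB/s")
    if state not in ("enable", "disable"):
        errors.append("state must be enable or disable")
    if rest and rest[0] == "inbound":
        rest = rest[1:]
    if not rest:
        warnings.append("no index given: rule is written to index 1 and overwrites it")
    elif len(rest) > 1 or not rest[0].isdecimal():
        errors.append("unexpected arguments after the rule")
    return errors, warnings, state == "enable" and not errors


def lint(script):
    """Return (line number, level, message) findings for a CLI change script."""
    findings = []
    global_enabled = False
    enabled_rules = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        tokens = raw.split("->", 1)[-1].split()  # drop a leading "A2(rw)->" prompt
        if tokens[:3] == ["set", "port", "txq"]:
            errors = check_txq(tokens[3:])
            findings += [(lineno, "error", e) for e in errors]
            if not errors and tokens[4:] == ["0"] * 5 + ["100"]:
                findings.append((lineno, "info", "queues 0-5 change to strict priority"))
        elif tokens[:3] == ["set", "port", "ratelimit"]:
            args = tokens[3:]
            if args in (["enable"], ["disable"]):
                global_enabled = args == ["enable"]  # global form of the command
                continue
            errors, warnings, enabled = check_ratelimit(args)
            findings += [(lineno, "error", e) for e in errors]
            findings += [(lineno, "warning", w) for w in warnings]
            if enabled:
                enabled_rules.append(lineno)
    if not global_enabled:
        # Per-port rules only take effect when the global function is enabled.
        findings += [(n, "warning", "rule enabled but global rate limiting "
                      "is not enabled in this script") for n in enabled_rules]
    return findings


if __name__ == "__main__":
    for finding in lint(PAGE_SCRIPT) + lint(BAD_SCRIPT):
        print(finding)
```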


clear port ratelimit


Use this command to clear rate limiting parameters for one or more ports.

Syntax
clear port ratelimit port-string [index]

Parameters
port-string    Specifies the port(s) on which to clear rate limiting. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-2.
index          (Optional) Specifies the associated resource index to be reset.

Defaults
If not specified, all index entries will be reset.

Mode
Switch command, read-write.

Example
This example shows how to clear all rate limiting parameters on port fe.2.1.
A2(su)->clear port ratelimit fe.2.1


10
IGMP Configuration
This chapter describes the IGMP Configuration set of commands and how to use them.
For information about...       Refer to page...
IGMP Overview                  10-1
Configuring IGMP at Layer 2    10-2

IGMP Overview
About IP Multicast Group Management
The Internet Group Management Protocol (IGMP) runs between hosts and their immediately neighboring multicast device. The protocol's mechanisms allow a host to inform its local device that it wants to receive transmissions addressed to a specific multicast group.
A multicast-enabled device can periodically ask its hosts if they want to receive multicast traffic. If there is more than one device on the LAN performing IP multicasting, one of these devices is elected querier and assumes the responsibility of querying the LAN for group members.
Based on the group membership information learned from IGMP, a device can determine which (if any) multicast traffic needs to be forwarded to each of its ports. At Layer 3, multicast devices use this information, along with a multicast routing protocol, to support IP multicasting across the Internet.
IGMP provides the final step in an IP multicast packet delivery service, since it is only concerned with forwarding multicast traffic from the local device to group members on a directly attached subnetwork or LAN segment.
This device supports IP multicast group management by passively snooping on the IGMP query and IGMP report packets transferred between IP multicast devices and IP multicast host groups to learn IP multicast group members.
The purpose of IP multicast group management is to optimize a switched network's performance so multicast packets will only be forwarded to those ports containing multicast group hosts or multicast devices instead of flooding to all ports in the subnet (VLAN).

About Multicasting
Multicasting is used to support real-time applications such as video conferences or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router. Although this approach reduces the network overhead required by a multicast server, the broadcast traffic must be carefully pruned at every multicast switch/router it passes through to ensure that traffic is only passed to the hosts that subscribed to this service.

Configuring IGMP at Layer 2


Purpose
To configure IGMP snooping from the switch CLI.

Commands
The commands used to configure switch-related IGMP snooping are listed below.
For information about...                    Refer to page...
show igmpsnooping                           10-3
set igmpsnooping adminmode                  10-3
set igmpsnooping interfacemode              10-4
set igmpsnooping groupmembershipinterval    10-5
set igmpsnooping maxresponse                10-5
set igmpsnooping mcrtrexpiretime            10-6
set igmpsnooping add-static                 10-7
set igmpsnooping remove-static              10-7
show igmpsnooping static                    10-8
show igmpsnooping mfdb                      10-9
clear igmpsnooping                          10-10


show igmpsnooping
Use this command to display IGMP snooping information.

Syntax
show igmpsnooping

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Usage
Configured information is displayed whether or not IGMP snooping is enabled. Status information is displayed only when the function is enabled. For information on enabling IGMP on the system, refer to "set igmpsnooping adminmode" on page 10-3. For information on enabling IGMP on one or more ports, refer to "set igmpsnooping interfacemode" on page 10-4.

Example
This example shows how to display IGMP snooping information:
A2(su)->show igmpsnooping
Admin Mode..................................... Enable
Group Membership Interval...................... 260
Max Response Time.............................. 100
Multicast Router Present Expiration Time....... 0
Interfaces Enabled for IGMP Snooping........... fe.1.1,fe.1.2,fe.1.3
                                                fe.1.4,fe.1.5,fe.1.6
Multicast Control Frame Count..................0
Data Frames Forwarded by the CPU...............0

set igmpsnooping adminmode


Use this command to enable or disable IGMP on the system.

Syntax
set igmpsnooping adminmode {enable | disable}

Parameters
enable | disable    Enables or disables IGMP snooping on the system.

Defaults
None.


Mode
Switch command, read-write.

Usage
In order for IGMP snooping to be enabled on one or all ports, it must be globally enabled on the device with this command, and then enabled on a port(s) using the set igmpsnooping interfacemode command as described in "set igmpsnooping interfacemode" on page 10-4.

Example
This example shows how to enable IGMP on the system:
A2(su)->set igmpsnooping adminmode enable

set igmpsnooping interfacemode


Use this command to enable or disable IGMP on one or all ports.

Syntax
set igmpsnooping interfacemode port-string {enable | disable}

Parameters
port-string         Specifies one or more ports on which to enable or disable IGMP.
enable | disable    Enables or disables IGMP.

Defaults
None.

Mode
Switch command, read-write.

Usage
In order for IGMP snooping to be enabled on one or all ports, it must be globally enabled on the device using the set igmpsnooping adminmode command as described in "set igmpsnooping adminmode" on page 10-3, and then enabled on a port(s) using this command.

Example
This example shows how to enable IGMP on ports ge.1-10:
A2(su)->set igmpsnooping interfacemode ge.1-10 enable


set igmpsnooping groupmembershipinterval


Use this command to configure the IGMP group membership interval time for the system.

Syntax
set igmpsnooping groupmembershipinterval time

Parameters
time    Specifies the IGMP group membership interval. Valid values are 2 - 3600 seconds. This value works together with the set igmpsnooping maxresponsetime command to remove ports from an IGMP group and must be greater than the max response time value.

Defaults
None.

Mode
Switch command, read-write.

Usage
The IGMP group membership interval time sets the frequency of host-query frame transmissions and must be greater than the IGMP maximum response time as described in "set igmpsnooping maxresponse" on page 10-5.

Example
This example shows how to set the IGMP group membership interval to 250 seconds:
A2(su)->set igmpsnooping groupmembershipinterval 250

set igmpsnooping maxresponse


Use this command to configure the IGMP query maximum response time for the system.

Syntax
set igmpsnooping maxresponse time

Parameters
time    Specifies the IGMP maximum query response time. Valid values are 100 - 255 seconds. The default value is 100 seconds. This value works together with the set igmpsnooping groupmembershipinterval command to remove ports from an IGMP group and must be less than the group membership interval value.

Defaults
None.


Mode
Switch command, read-write.

Usage
This value must be less than the IGMP maximum response time described in "set igmpsnooping groupmembershipinterval" on page 10-5.

Example
This example shows how to set the IGMP maximum response time to 100 seconds:
A2(su)->set igmpsnooping maxresponse 100

set igmpsnooping mcrtrexpiretime


Use this command to configure the IGMP multicast router expiration time for the system.

Syntax
set igmpsnooping mcrtrexpire time

Parameters
time    Specifies the IGMP multicast router expiration time. Valid values are 0 - 3600 seconds. A value of 0 will configure the system with an infinite expiration time. The default value is 0.

Defaults
None.

Mode
Switch command, read-write.

Usage
This timer is for expiring the switch from the multicast database. If the timer expires, and the only address left is the multicast switch, then the entry will be removed.

Example
This example shows how to set the IGMP multicast router expiration time to infinity:
A2(su)->set igmpsnooping mcrtrexpiretime 0


set igmpsnooping add-static


This command creates a new static IGMP entry or adds one or more new ports to an existing entry.

Syntax
set igmpsnooping add-static group vlan-list [modify] [port-string]

Parameters
group          Specifies the multicast group IP address for the entry.
vlan-list      Specifies the VLANs on which to configure the entry.
modify         (Optional) Adds the specified port or ports to an existing entry.
port-string    (Optional) Specifies the port or ports to add to the entry.

Defaults
If no ports are specified, all ports are added to the entry.
If modify is not specified, a new entry is created.

Mode
Switch command, read-write.

Usage
Use this command to create and configure Layer 2 IGMP entries.

Example
This example creates an IGMP entry for the multicast group with IP address of 233.11.22.33 configured on VLAN 20 configured with the port ge.1.1.
A2(su)->set igmpsnooping add-static 233.11.22.33 20 ge.1.1

set igmpsnooping remove-static


This command deletes a static IGMP entry or removes one or more new ports from an existing entry.

Syntax
set igmpsnooping remove-static group vlan-list [modify] [port-string]

Parameters
group          Specifies the multicast group IP address of the entry.
vlan-list      Specifies the VLANs on which the entry is configured.
modify         (Optional) Removes the specified port or ports from an existing entry.
port-string    (Optional) Specifies the port or ports to remove from the entry.

Defaults
If no ports are specified, all ports are removed from the entry.


Mode
Switch command, read-write.

Example
This example removes port ge.1.1 from the entry for the multicast group with IP address of 233.11.22.33 configured on VLAN 20.
A2(su)->set igmpsnooping remove-static 233.11.22.33 20 ge.1.1

show igmpsnooping static


This command displays static IGMP ports for one or more VLANs or IGMP groups.

Syntax
show igmpsnooping static vlan-list [group group]

Parameters
vlan-list      Specifies the VLAN for which to display static IGMP ports.
group group    (Optional) Specifies the IGMP group for which to display static IGMP ports.

Defaults
If no group is specified, information for all groups is displayed.

Mode
Switch command, read-only.

Example
This example displays the static IGMP ports for VLAN 20.
120.8.10.1(su)->show igmpsnooping static 20
--------------------------------------------------------------------------------
Vlan Id = 20 Static Multicast Group Address = 233.11.22.33 Type = IGMP
IGMP Port List = ge.1.1


show igmpsnooping mfdb


Use this command to display multicast forwarding database (MFDB) information.

Syntax
show igmpsnooping mfdb [stats]

Parameters
stats    (Optional) Displays MFDB statistics.

Defaults
If stats is not specified, all MFDB table entries will be displayed.

Mode
Switch command, read-only.

Examples
This example shows how to display multicast forwarding database entries:
A2(su)->show igmpsnooping mfdb
MAC Address             Type    Description      Interfaces
----------------------- ------- ---------------- -------------------------
00:14:01:00:5E:02:CD:B0 Dynamic Network Assist   Fwd: ge.1.1,ge.3.1,ge.4.1,
                                                      ge.5.1,ge.6.2,ge.6.3,
                                                      ge.7.1,ge.8.1
00:32:01:00:5E:37:96:D0 Dynamic Network Assist   Fwd: ge.4.7
00:32:01:00:5E:7F:FF:FA Dynamic Network Assist   Fwd: ge.4.7

This example shows how to display multicast forwarding database statistics:
A2(su)->show igmpsnooping mfdb stats
Max MFDB Table Entries......................... 256
Most MFDB Entries Since Last Reset............. 1
Current Entries................................ 0


clear igmpsnooping
Use this command to clear all IGMP snooping entries.

Syntax
clear igmpsnooping

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear all IGMP snooping entries:
A2(su)->clear igmpsnooping
Are you sure you want to clear all IGMP snooping entries? (y/n)y
IGMP Snooping Entries Cleared.


11
Logging and Network Management
This chapter describes switch-related logging and network management commands and how to use them.
Note: The commands in this chapter pertain to network management of the SecureStack A2 device from the switch CLI only.

For information about...                          Refer to page...
Configuring System Logging                        11-1
Monitoring Network Events and Status              11-12
Managing Switch Network Addresses and Routes      11-17
Configuring Simple Network Time Protocol (SNTP)   11-24
Configuring Node Aliases                          11-31

Configuring System Logging


Purpose
To display and configure system logging, including Syslog server settings, Syslog default settings, and the logging buffer.

Commands
Commands to configure system logging are listed below.
For information about...     Refer to page...
show logging server          11-2
set logging server           11-3
clear logging server         11-4
show logging default         11-4
set logging default          11-5
clear logging default        11-6
show logging application     11-7
set logging application      11-8
clear logging application    11-9
show logging local           11-9
set logging local            11-10
clear logging local          11-10
show logging buffer          11-11

show logging server


Use this command to display the Syslog configuration for a particular server.

Syntax
show logging server [index]

Parameters
index    (Optional) Displays Syslog information pertaining to a specific server table entry. Valid values are 1 - 8.

Defaults
If index is not specified, all Syslog server information will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display Syslog server configuration information:
A2(ro)->show logging server
   IP Address      Facility Severity   Description Port Status
-------------------------------------------------------------------------
1  132.140.82.111  local4   warning(5) default     514  enabled
2  132.140.90.84   local4   warning(5) default     514  enabled

Table 11-1 provides an explanation of the command output.

Table 11-1    show logging server Output Details
Output         What It Displays...
IP Address     Syslog server's IP address. For details on setting this using the set logging server command, refer to "set logging server" on page 11-3.
Facility       Syslog facility that will be encoded in messages sent to this server. Valid values are: local0 to local7.
Severity       Severity level at which the server is logging messages.
Description    Text string description of this facility/server.
Port           UDP port the client uses to send to the server.
Status         Whether or not this Syslog configuration is currently enabled or disabled.

set logging server


Use this command to configure a Syslog server.

Syntax
set logging server index [ip-addr ip-addr] [facility facility] [severity severity] [descr descr] [port port] [state {enable | disable}]

Parameters
index                       Specifies the server table index number for this server. Valid values are 1 - 8.
ip-addr ip-addr             (Optional) Specifies the Syslog message server's IP address.
facility facility           (Optional) Specifies the server's facility name. Valid values are: local0 to local7.
severity severity           (Optional) Specifies the severity level at which the server will log messages. Valid values and corresponding levels are:
                            1 - emergencies (system is unusable)
                            2 - alerts (immediate action required)
                            3 - critical conditions
                            4 - error conditions
                            5 - warning conditions
                            6 - notifications (significant conditions)
                            7 - informational messages
                            8 - debugging messages
descr descr                 (Optional) Specifies a textual string description of this facility/server.
port port                   (Optional) Specifies the default UDP port the client uses to send to the server.
state enable | disable      (Optional) Enables or disables this facility/server configuration.

Defaults
If ip-addr is not specified, an entry in the Syslog server table will be created with the specified index number and a message will display indicating that no IP address has been assigned.
If not specified, facility, severity and port will be set to defaults configured with the set logging default command ("set logging default" on page 11-5).
If state is not specified, the server will not be enabled or disabled.


Mode
Switch command, read-write.

Example
This command shows how to enable a Syslog server configuration for index 1, IP address 134.141.89.113, facility local4, severity level 3 on port 514:
A2(su)->set logging server 1 ip-addr 134.141.89.113 facility local4 severity 3 port 514 state enable

clear logging server


Use this command to remove a server from the Syslog server table.

Syntax
clear logging server index

Parameters
index    Specifies the server table index number for the server to be removed. Valid values are 1 - 8.

Defaults
None.

Mode
Switch command, read-write.

Example
This command shows how to remove the Syslog server with index 1 from the server table:
A2(su)->clear logging server 1

show logging default


Use this command to display the Syslog server default values.

Syntax
show logging default

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.


Example
This command shows how to display the Syslog server default values. For an explanation of the command output, refer back to Table 11-1 on page 11-2.
A2(su)->show logging default
          Facility  Severity    Port
-----------------------------------------
Defaults: local4    warning(5)  514

set logging default


Use this command to set logging default values.

Syntax
set logging default {[facility facility] [severity severity] [port port]}

Parameters
facility facility    Specifies the default facility name. Valid values are: local0 to local7.
severity severity    Specifies the default logging severity level. Valid values and corresponding levels are:
                     1 - emergencies (system is unusable)
                     2 - alerts (immediate action required)
                     3 - critical conditions
                     4 - error conditions
                     5 - warning conditions
                     6 - notifications (significant conditions)
                     7 - informational messages
                     8 - debugging messages
port port            Specifies the default UDP port the client uses to send to the server.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the Syslog default facility name to local2 and the severity level to 4 (error logging):
A2(su)->set logging default facility local2 severity 4


clear logging default


Use this command to reset logging default values.

Syntax
clear logging default {[facility] [severity] [port]}

Parameters
facility    (Optional) Resets the default facility name to local4.
severity    (Optional) Resets the default logging severity level to 6 (notifications of significant conditions).
port        (Optional) Resets the default UDP port the client uses to send to the server to 514.

Defaults
At least one optional parameter must be entered.
All three optional keywords must be entered to reset all logging values to defaults.

Mode
Switch command, read-write.

Example
This example shows how to reset the Syslog default severity level to 6:
A2(su)->clear logging default severity


show logging application


Use this command to display the severity level of Syslog messages for one or all applications configured for logging on your system.

Syntax
show logging application [mnemonic | all]

Parameters
mnemonic    (Optional) Displays severity level for one application configured for logging. Mnemonics will vary depending on the number and types of applications running on your system. Sample mnemonics and their corresponding applications are listed in Table 11-3 on page 11-8.
            Note: Mnemonic values are case sensitive and must be typed as they appear in Table 11-3.
all         (Optional) Displays severity level for all applications configured for logging.

Defaults
If no parameter is specified, information for all applications will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display system logging information pertaining to the SNMP application. Table 11-2 describes the output of this command.
A2(ro)->show logging application SNMP
      Application   Current Severity Level
---------------------------------------------
90    SNMP          6

1(emergencies)  2(alerts)    3(critical)
4(errors)       5(warnings)  6(notifications)
7(information)  8(debugging)

Table 11-2    show logging application Output Details
Output...                 What it displays...
Application               A mnemonic abbreviation of the textual description for applications being logged.
Current Severity Level    Severity level at which the server is logging messages for the listed application. This range (from 1 to 8) and its associated severity list is shown in the CLI output. For a description of these entries, which are set using the set logging application command, refer to "set logging application" on page 11-8.


set logging application


Use this command to set the severity level of log messages for one or all applications.

Syntax
set logging application {[mnemonic | all]} [level level]

Parameters
mnemonic       Specifies a case sensitive mnemonic abbreviation of an application to be logged. This parameter will vary depending on the number and types of applications running on your system. To display a complete list, use the show logging application command as described in "show logging application" on page 11-7. Sample mnemonics and their corresponding applications are listed in Table 11-3 on page 11-8.
               Note: Mnemonic values are case sensitive and must be typed as they appear in Table 11-3.
all            Sets the logging severity level for all applications.
level level    (Optional) Specifies the severity level at which the server will log messages for applications. Valid values and corresponding levels are:
               1 - emergencies (system is unusable)
               2 - alerts (immediate action required)
               3 - critical conditions
               4 - error conditions
               5 - warning conditions
               6 - notifications (significant conditions)
               7 - informational messages
               8 - debugging messages

Table 11-3    Mnemonic Values for Logging Applications
Mnemonic    Application
CLIWEB      Command Line Interface and Webview management
SNMP        Simple Network Management Protocol
STP         Spanning Tree Protocol
Driver      Hardware drivers
System      Non-application items such as general chassis management
Stacking    Stacking management
UPN         User Personalized Networking
Router      Router

Defaults
If level is not specified, none will be applied.

Mode
Switch command, read-write.

Example
This example shows how to set the severity level for SNMP to 4 so that error conditions will be logged for that application.
A2(rw)->set logging application SNMP level 4

clear logging application


Use this command to reset the logging severity level for one or all applications to the default value of 6 (notifications of significant conditions).

Syntax
clear logging application {mnemonic | all}

Parameters
mnemonic    Resets the severity level for a specific application to 6. Valid mnemonic values and their corresponding applications are listed in Table 11-3 on page 11-8.
all         Resets the severity level for all applications to 6.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to reset the logging severity level to 6 for SNMP.
A2(rw)->clear logging application SNMP

show logging local


Use this command to display the state of message logging to the console and a persistent file.

Syntax
show logging local

Parameters
None.

Defaults
None.


Mode
Switch command, read-only.

Example
This example shows how to display the state of message logging. In this case, logging to the console is enabled and logging to a persistent file is disabled.
A2(su)->show logging local
Syslog Console Logging enabled
Syslog File Logging disabled

set logging local


Use this command to configure log messages to the console and a persistent file.

Syntax
set logging local console {enable | disable} file {enable | disable}

Parameters
console enable | disable    Enables or disables logging to the console.
file enable | disable       Enables or disables logging to a persistent file.

Defaults
None.

Mode
Switch command, read-write.

Example
This command shows how to enable logging to the console and disable logging to a persistent file:
A2(su)->set logging local console enable file disable

clear logging local


Use this command to clear the console and persistent store logging for the local session.

Syntax
clear logging local

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear local logging:
A2(su)->clear logging local

show logging buffer


Use this command to display the last 256 messages logged.

Syntax
show logging buffer

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows a portion of the information displayed with the show logging buffer command:
A2(su)->show logging buffer
<165>Sep 4 07:43:09 10.42.71.13 CLI[5]User:rw logged in from 10.2.1.122 (telnet)
<165>Sep 4 07:43:24 10.42.71.13 CLI[5]User: debug failed login from 10.4.1.100 (telnet)
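The buffer lines above carry a standard syslog PRI value (facility x 8 + severity, so <165> decodes to local4/notice) followed by the CLI login result, source address and access method. The following added example, which is not part of the original guide, parses lines in that layout and reports repeated failed logins per source and successful logins over Telnet; the first two sample lines come from the guide, the remaining lines and the threshold of three failures are constructed assumptions.

```python
import re
from collections import Counter

# Severity names for the low three bits of the syslog PRI value (RFC 3164).
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "informational", "debug"]

# Lines 1-2 are the guide's example output; lines 3-6 are constructed.
SAMPLE_BUFFER = """\
<165>Sep 4 07:43:09 10.42.71.13 CLI[5]User:rw logged in from 10.2.1.122 (telnet)
<165>Sep 4 07:43:24 10.42.71.13 CLI[5]User: debug failed login from 10.4.1.100 (telnet)
<165>Sep 4 07:43:31 10.42.71.13 CLI[5]User: admin failed login from 10.4.1.100 (telnet)
<165>Sep 4 07:43:39 10.42.71.13 CLI[5]User: root failed login from 10.4.1.100 (telnet)
<165>Sep 4 07:50:02 10.42.71.13 CLI[5]User:rw logged in from 10.2.1.122 (ssh)
<163>Sep 4 07:51:10 10.42.71.13 SNMP[3]constructed non-login message
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<app>\w+)\[(?P<num>\d+)\]"
    r"(?P<msg>.*)$"
)
LOGIN_RE = re.compile(
    r"User:\s*(?P<user>\S+)\s+(?P<result>logged in|failed login)"
    r"\s+from\s+(?P<src>\S+)\s+\((?P<via>\w+)\)"
)


def decode_pri(pri):
    """Split a PRI value into (facility name, severity name)."""
    facility, severity = divmod(pri, 8)
    if 16 <= facility <= 23:
        name = f"local{facility - 16}"
    else:
        name = f"facility{facility}"
    return name, SEVERITY[severity]


def parse_line(line):
    """Parse one buffer line; return a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m or int(m["pri"]) > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    facility, severity = decode_pri(int(m["pri"]))
    login = LOGIN_RE.search(m["msg"])
    return {
        "facility": facility, "severity": severity, "timestamp": m["ts"],
        "host": m["host"], "app": m["app"], "message": m["msg"].strip(),
        "login": login.groupdict() if login else None,
    }


def analyze(buffer_text, fail_threshold=3):
    """Summarize login activity in a captured 'show logging buffer' dump."""
    failed = Counter()
    telnet_logins = []
    unparsed = 0
    for line in buffer_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            unparsed += 1  # prompt lines or truncated messages
            continue
        login = record["login"]
        if login is None:
            continue
        if login["result"] == "failed login":
            failed[login["src"]] += 1
        elif login["via"] == "telnet":
            telnet_logins.append((login["user"], login["src"]))
    suspects = sorted(s for s, n in failed.items() if n >= fail_threshold)
    return {"failed_by_source": failed, "repeat_failure_sources": suspects,
            "telnet_logins": telnet_logins, "unparsed": unparsed}


if __name__ == "__main__":
    print(analyze(SAMPLE_BUFFER))
```

Because the buffer holds only the last 256 messages, the same parser is better applied to the stream received by a configured Syslog server when a longer history is needed.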


Monitoring Network Events and Status


Purpose
To display switch events and command history, to set the size of the history buffer, and to display and disconnect current user sessions.

Commands
Commands to monitor switch network events and status are listed below.
For information about...    Refer to page...
history                     11-12
show history                11-13
set history                 11-13
ping                        11-14
show users                  11-15
disconnect                  11-15

history
Use this command to display the contents of the command history buffer. The command history buffer includes all the switch commands entered up to a maximum of 100, as specified in the set history command (set history on page 11-13).

Syntax
history

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the contents of the command history buffer. It shows there are five commands in the buffer:
A2(su)->history
1 hist
2 show gvrp
3 show vlan
4 show igmp
5 show ip address

show history
Use this command to display the size (in lines) of the history buffer.

Syntax
show history

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the size of the history buffer:
A2(su)->show history
History buffer size: 20

set history
Use this command to set the size of the history buffer.

Syntax
set history size [default]

Parameters
size       Specifies the size of the history buffer in lines. Valid values are 1 to 100.
default    (Optional) Makes this setting persistent for all future sessions.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the size of the command history buffer to 30 lines:
A2(su)->set history 30

ping
Use this command to send ICMP echo-request packets to another node on the network from the switch CLI.

Syntax
ping host

Parameters
host    Specifies the IP address of the device to which the ping will be sent.

Defaults
None.

Mode
Switch command, read-write.

Examples
This example shows how to ping IP address 134.141.89.29. In this case, this host is alive:
A2(su)->ping 134.141.89.29
134.141.89.29 is alive

In this example, the host at IP address is not responding:
A2(su)->ping 134.141.89.255
no answer from 134.141.89.255

show users
Use this command to display information about the active console port or Telnet session(s) logged into the switch.

Syntax
show users

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to use the show users command. In this output, there are two Telnet users logged in with Read-Write access privileges from IP addresses 134.141.192.119 and 134.141.192.18:
A2(su)->show users
  Session  User  Location
  -------- ----- --------------------------
* telnet   rw    134.141.192.119
  telnet   rw    134.141.192.18

disconnect
Use this command to close an active console port or Telnet session from the switch CLI.

Syntax
disconnect { ip-addr | console }

Parameters
ip-addr    Specifies the IP address of the Telnet session to be disconnected. This address is displayed in the output shown in show users on page 12-15.
console    Closes an active console port.

Defaults
None.

Mode
Switch command, read-write.

Examples
This example shows how to close a Telnet session to host 134.141.192.119:
A2(su)->disconnect 134.141.192.119

This example shows how to close the current console session:
A2(su)->disconnect console

Managing Switch Network Addresses and Routes


Purpose
To display or delete switch ARP table entries, and to display MAC address information.

Commands
Commands to manage switch network addresses and routes are listed below.
For information about...    Refer to page...
show arp                    11-17
set arp                     11-18
clear arp                   11-18
traceroute                  11-19
show mac                    11-20
show mac agetime            11-22
set mac agetime             11-22
clear mac agetime           11-23

show arp
Use this command to display the switch's ARP table.

Syntax
show arp

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the ARP table:
A2(su)->show arp
LINK LEVEL ARP TABLE
IP Address       Phys Address      Flags  Interface
-----------------------------------------------------
10.20.1.1        00-00-5e-00-01-1  S      host
134.142.21.194   00-00-5e-00-01-1  S      host
134.142.191.192  00-00-5e-00-01-1  S      host
134.142.192.18   00-00-5e-00-01-1  S      host
134.142.192.119  00-00-5e-00-01-1  S      host
-----------------------------------------------------

Table 11-4 provides an explanation of the command output.

Table 11-4    show arp Output Details
Output          What It Displays...
IP Address      IP address mapped to MAC address.
Phys Address    MAC address mapped to IP address.
Flags           Route status. Possible values and their definitions include:
                S - manually configured entry (static)
                P - respond to ARP requests for this entry

set arp
Use this command to add mapping entries to the switch's ARP table.

Syntax
set arp ip-address mac-address

Parameters
ip-address     Specifies the IP address to map to the MAC address and add to the ARP table.
mac-address    Specifies the MAC address to map to the IP address and add to the ARP table. The MAC address can be formatted as xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to map IP address 192.168.219.232 to MAC address 00-00-0c-40-0f-bc:
A2(su)->set arp 192.168.219.232 00-00-0c-40-0f-bc

clear arp
Use this command to delete a specific entry or all entries from the switch's ARP table.

Syntax
clear arp {ip-address | all}

Parameters
ip-address | all    Specifies the IP address in the ARP table to be cleared, or clears all ARP entries.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to delete entry 10.1.10.10 from the ARP table:
A2(su)->clear arp 10.1.10.10

traceroute
Use this command to display a hop-by-hop path through an IP network from the device to a specific destination host. Three UDP or ICMP probes will be transmitted for each hop between the source and the traceroute destination.

Syntax
traceroute [-w waittime] [-f first-ttl] [-m max-ttl] [-p port] [-q nqueries] [-r] [-d] [-n] [-v] host

Parameters
-w waittime     (Optional) Specifies time in seconds to wait for a response to a probe.
-f first-ttl    (Optional) Specifies the time to live (TTL) of the first outgoing probe packet.
-m max-ttl      (Optional) Specifies the maximum time to live (TTL) used in outgoing probe packets.
-p port         (Optional) Specifies the base UDP port number used in probes.
-q nqueries     (Optional) Specifies the number of probe inquiries.
-r              (Optional) Bypasses the normal host routing tables.
-d              (Optional) Sets the debug socket option.
-n              (Optional) Displays hop addresses numerically. (Supported in a future release.)
-v              (Optional) Displays verbose output, including the size and destination of each response.
host            Specifies the host to which the route of an IP packet will be traced.

Defaults
If not specified, waittime will be set to 5 seconds.
If not specified, first-ttl will be set to 1 second.
If not specified, max-ttl will be set to 30 seconds.
If not specified, port will be set to 33434.
If not specified, nqueries will be set to 3.
If -r is not specified, normal host routing tables will be used.
If -d is not specified, the debug socket option will not be used.
If -v is not specified, summary output will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to use traceroute to display a round trip path to host 192.167.252.17. In this case, hop 1 is the SecureStack A2 switch, hop 2 is 14.1.0.45, and hop 3 is back to the host IP address. Round trip times for each of the three UDP probes are displayed next to each hop:
A2(su)->traceroute 192.167.252.17
traceroute to 192.167.252.17 (192.167.252.17), 30 hops max, 40 byte packets
 1 matrix.enterasys.com (192.167.201.40) 20.000 ms 20.000 ms 20.000 ms
 2 14.1.0.45 (14.1.0.45) 40.000 ms 10.000 ms 20.000 ms
 3 192.167.252.17 (192.167.252.17) 50.000 ms 0.000 ms 20.000 ms

show mac
Use this command to display MAC addresses in the switch's filtering database. These are addresses learned on a port through the switching process.

Syntax
show mac [address mac-address] [fid fid] [port port-string] [type {other | learned | self | mgmt}]

Parameters
address mac-address                     (Optional) Displays a specific MAC address (if it is known by the device).
fid fid                                 (Optional) Displays MAC addresses for a specific filter database identifier.
port port-string                        (Optional) Displays MAC addresses for specific port(s).
type other | learned | self | mgmt      (Optional) Displays information related to other, learned, self or mgmt (management) address type.

Defaults
If no parameters are specified, all MAC addresses for the device will be displayed.

Mode
Switch command, read-only.

Examples
This example shows how to display MAC address information for ge.3.1:
A2(su)->show mac port ge.3.1
MAC Address       FID  Port          Type
----------------- ---- ------------- --------
00-09-6B-0F-13-E6 15   ge.3.1        Learned

MAC Address       VLAN Port          Type    Status  Egress Ports
----------------- ---- ------------- ------- ------- ---------------------------
01-01-23-34-45-56 20   any           mcast   perm    ge.3.1

Table 11-5 provides an explanation of the command output.

Table 11-5    show mac Output Details
Output          What It Displays...
MAC Address     MAC addresses mapped to the port(s) shown.
FID             Filter database identifier.
Port            Port designation.
Type            Address type. Valid types are: Learned, Self, Management, Other, mcast (multicast)
VLAN            The VLAN ID configured for the multicast MAC address.
Status          The status of the multicast address.
Egress Ports    The ports which have been added to the egress ports list.

show mac agetime


Use this command to display the timeout period for aging learned MAC entries.

Syntax
show mac agetime

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display the MAC timeout period:
A2(su)->show mac agetime
Aging time: 300 seconds

set mac agetime


Use this command to set the timeout period for aging learned MAC entries.

Syntax
set mac agetime time

Parameters
time    Specifies the timeout period in seconds for aging learned MAC addresses. Valid values are 10 to 1,000,000 seconds. Default value is 300 seconds.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to set the MAC timeout period:
A2(su)->set mac agetime 250

clear mac agetime


Use this command to reset the timeout period for aging learned MAC entries to the default value of 300 seconds.

Syntax
clear mac agetime

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to reset the MAC timeout period to the default value of 300 seconds.
A2(su)->clear mac agetime

Configuring Simple Network Time Protocol (SNTP)


Purpose
To configure the Simple Network Time Protocol (SNTP), which synchronizes device clocks in a network.

Commands
For information about...    Refer to page...
show sntp                   11-24
set sntp client             11-26
clear sntp client           11-26
set sntp server             11-27
clear sntp server           11-27
set sntp poll-interval      11-28
clear sntp poll-interval    11-28
set sntp poll-retry         11-29
clear sntp poll-retry       11-29
set sntp poll-timeout       11-30
clear sntp poll-timeout     11-30

show sntp
Use this command to display SNTP client settings.

Syntax
show sntp

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display SNTP client settings:
A2(su)->show sntp
SNTP Version: 3
Current Time: TUE SEP 09 16:13:33 2003
Timezone: 'EST', offset from UTC is -4 hours and 0 minutes
Client Mode: unicast
Broadcast Count: 0
Poll Interval: 512 seconds
Poll Retry: 1
Poll Timeout: 5 seconds
SNTP Poll Requests: 1175
Last SNTP Update: TUE SEP 09 16:05:24 2003
Last SNTP Request: TUE SEP 09 16:05:24 2003
Last SNTP Status: Success

SNTP-Server      Precedence   Status
-------------------------------------------
10.2.8.6         2            Active
144.111.29.19    1            Active

Table 11-6 provides an explanation of the command output.

Table 11-6    show sntp Output Details
Output                What It Displays...
SNTP Version          SNTP version number.
Current Time          Current time on the system clock.
Timezone              Time zone name and amount it is offset from UTC (Universal Time).
Client Mode           Whether SNTP client is operating in unicast or broadcast mode. Set using set sntp client command (set sntp client on page 11-26).
Broadcast Count       Number of SNTP broadcast frames received.
Poll Interval         Interval between SNTP unicast requests. Default of 512 seconds can be reset using the set sntp poll-interval command (set sntp poll-interval on page 11-28).
Poll Retry            Number of poll retries to a unicast SNTP server. Default of 1 can be reset using the set sntp poll-retry command (set sntp poll-retry on page 11-29).
Poll Timeout          Timeout for a response to a unicast SNTP request. Default of 5 seconds can be reset using set sntp poll-timeout command (set sntp poll-timeout on page 11-30).
SNTP Poll Requests    Total number of SNTP poll requests.
Last SNTP Update      Date and time of most recent SNTP update.
Last SNTP Request     Date and time of most recent SNTP request.
Last SNTP Status      Whether or not broadcast reception or unicast transmission and reception was successful.
SNTP-Server           IP address(es) of SNTP server(s).
Precedence            Precedence level of SNTP server in relation to its peers. Highest precedence is 1 and lowest is 10. Default of 1 can be reset using the set sntp server command (set sntp server on page 11-27).
Status                Whether or not the SNTP server is active.

set sntp client


Use this command to set the SNTP operation mode.

Syntax
set sntp client {broadcast | unicast | disable}

Parameters
broadcast    Enables SNTP in broadcast client mode.
unicast      Enables SNTP in unicast (point-to-point) client mode. In this mode, the client must supply the IP address from which to retrieve the current time.
disable      Disables SNTP.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to enable SNTP in broadcast mode:
A2(su)->set sntp client broadcast

clear sntp client


Use this command to clear the SNTP client's operational mode.

Syntax
clear sntp client

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear the SNTP client's operational mode:
A2(su)->clear sntp client

set sntp server


Use this command to add a server from which the SNTP client will retrieve the current time when operating in unicast mode. Up to 10 servers can be set as SNTP servers.

Syntax
set sntp server ip-address [precedence]

Parameters
ip-address    Specifies the SNTP server's IP address.
precedence    (Optional) Specifies this SNTP server's precedence in relation to its peers. Valid values are 1 (highest) to 10 (lowest).

Defaults
If precedence is not specified, 1 will be applied.

Mode
Switch command, read-write.

Example
This example shows how to set the server at IP address 10.21.1.100 as an SNTP server:
A2(su)->set sntp server 10.21.1.100

clear sntp server


Use this command to remove one or all servers from the SNTP server list.

Syntax
clear sntp server {ip-address | all}

Parameters
ip-address    Specifies the IP address of a server to remove from the SNTP server list.
all           Removes all servers from the SNTP server list.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to remove the server at IP address 10.21.1.100 from the SNTP server list:
A2(su)->clear sntp server 10.21.1.100

set sntp poll-interval


Use this command to set the poll interval between SNTP unicast requests.

Syntax
set sntp poll-interval interval

Parameters
interval    Specifies the poll interval in seconds. Valid values are 16 to 16284.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the SNTP poll interval to 30 seconds:
A2(su)->set sntp poll-interval 30

clear sntp poll-interval


Use this command to clear the poll interval between unicast SNTP requests.

Syntax
clear sntp poll-interval

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear the SNTP poll interval:
A2(su)->clear sntp poll-interval

set sntp poll-retry


Use this command to set the number of poll retries to a unicast SNTP server.

Syntax
set sntp poll-retry retry

Parameters
retry    Specifies the number of retries. Valid values are 0 to 10.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the number of SNTP poll retries to 5:
A2(su)->set sntp poll-retry 5

clear sntp poll-retry


Use this command to clear the number of poll retries to a unicast SNTP server.

Syntax
clear sntp poll-retry

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear the number of SNTP poll retries:
A2(su)->clear sntp poll-retry

set sntp poll-timeout


Use this command to set the poll timeout (in seconds) for a response to a unicast SNTP request.

Syntax
set sntp poll-timeout timeout

Parameters
timeout    Specifies the poll timeout in seconds. Valid values are 1 to 30.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the SNTP poll timeout to 10 seconds:
A2(su)->set sntp poll-timeout 10

clear sntp poll-timeout


Use this command to clear the SNTP poll timeout.

Syntax
clear sntp poll-timeout

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear the SNTP poll timeout:
A2(su)->clear sntp poll-timeout

Configuring Node Aliases


Purpose
To review, disable, and re-enable node (port) alias functionality, which determines what network protocols are running on one or more ports.

Commands
For information about...    Refer to page...
show nodealias config       11-31
set nodealias               11-32
clear nodealias config      11-33

show nodealias config


Use this command to display node alias configuration settings on one or more ports.

Syntax
show nodealias config [port-string]

Parameters
port-string    (Optional) Displays node alias configuration settings for specific port(s).

Defaults
If port-string is not specified, node alias configurations will be displayed for all ports.

Mode
Switch command, read-only.

Example
This example shows how to display node alias configuration settings for ports fe.2.1 through 9:
A2(rw)->show nodealias config fe.2.1-9
Port Number   Max Entries   Used Entries   Status
-----------   -----------   ------------   ------
fe.2.1        16            0              Enable
fe.2.2        47            0              Enable
fe.2.3        47            2              Enable
fe.2.4        47            0              Enable
fe.2.5        47            0              Enable
fe.2.6        47            2              Enable
fe.2.7        47            0              Enable
fe.2.8        47            0              Enable
fe.2.9        4000          1              Enable

Table 11-7 provides an explanation of the command output.

Table 11-7    show nodealias config Output Details
Output          What It Displays...
Port Number     Port designation.
Max Entries     Maximum number of alias entries configured for this port.
Used Entries    Number of alias entries (out of the maximum amount configured) already used by this port.
Status          Whether or not a node alias agent is enabled (default) or disabled on this port.

set nodealias
Use this command to enable or disable a node alias agent on one or more ports, or set the maximum number of alias entries per port.

Syntax
set nodealias {enable | disable | maxentries maxentries} port-string

Parameters
enable | disable         Enables or disables a node alias agent.
maxentries maxentries    Sets the maximum number of alias entries per port. Valid range is 0 to 4096. The default value is 32.
port-string              Specifies the port(s) on which to enable/disable node alias agent or set a maximum number of entries.

Defaults
None.

Mode
Switch command, read-write.

Usage
Upon packet reception, node aliases are dynamically assigned to ports enabled with an alias agent, which is the default setting on SecureStack A2 devices. Node aliases cannot be statically created, but can be deleted using the clear nodealias command as described in clear nodealias config on page 11-33.

Example
This example shows how to disable the node alias agent on fe.1.3:
A2(su)->set nodealias disable fe.1.3

clear nodealias config


Use this command to reset node alias state to enabled and clear the maximum entries value.

Syntax
clear nodealias config port-string

Parameters
port-string    Specifies the port(s) on which to reset the node alias configuration.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to reset the node alias configuration on fe.1.3:
A2(su)->clear nodealias config fe.1.3

12
Configuring RMON
This chapter describes the commands used to configure RMON on a SecureStack A2 switch.
For information about...           Refer to page...
RMON Monitoring Group Functions    12-1
Statistics Group Commands          12-3
History Group Commands             12-7
Alarm Group Commands               12-10
Event Group Commands               12-15
Filter Group Commands              12-19
Packet Capture Commands            12-24

RMON Monitoring Group Functions


RMON (Remote Network Monitoring) provides comprehensive network fault diagnosis, planning, and performance tuning information and allows for interoperability between SNMP management stations and monitoring agents. RMON extends the SNMP MIB capability by defining additional MIBs that generate a much richer set of data about network usage. These MIB groups each gather specific sets of data to meet common network monitoring requirements. Table 12-1 lists the RMON monitoring groups supported on SecureStack A2 devices, each group's function and the elements it monitors, and the associated configuration commands needed.

Table 12-1    RMON Monitoring Group Functions and Commands

RMON Group: Statistics
What It Does...: Records statistics measured by the RMON probe for each monitored interface on the device.
What It Monitors...: Packets dropped, packets sent, bytes sent (octets), broadcast and multicast packets, CRC errors, oversized and undersized packets, fragments, jabbers, and counters for packets.
CLI Command(s): show rmon stats on page 12-3; set rmon stats on page 12-5; clear rmon stats on page 12-6

RMON Group: History
What It Does...: Records periodic statistical samples from a network.
What It Monitors...: Sample period, number of samples and item(s) sampled.
CLI Command(s): show rmon history on page 12-7; set rmon history on page 12-8; clear rmon history on page 12-9

RMON Group: Alarm
What It Does...: Periodically gathers statistical samples from variables in the probe and compares them with previously configured thresholds. If the monitored variable crosses a threshold, an event is generated.
What It Monitors...: Alarm type, interval, starting threshold, stop threshold.
CLI Command(s): show rmon alarm on page 12-10; set rmon alarm properties on page 12-11; set rmon alarm status on page 12-13; clear rmon alarm on page 12-14

RMON Group: Event
What It Does...: Controls the generation and notification of events from the device.
What It Monitors...: Event type, description, last time event was sent.
CLI Command(s): show rmon event on page 12-15; set rmon event properties on page 12-16; set rmon event status on page 12-17; clear rmon event on page 12-18

RMON Group: Filter
What It Does...: Allows packets to be matched by a filter equation. These matched packets form a data stream or channel that may be captured.
What It Monitors...: Packets matching the filter configuration.
CLI Command(s): show rmon channel on page 12-19; set rmon channel on page 12-20; clear rmon channel on page 12-21; show rmon filter on page 12-21; set rmon filter on page 12-22; clear rmon filter on page 12-23

RMON Group: Packet Capture
What It Does...: Allows packets to be captured upon a filter match.
What It Monitors...: Packets matching the filter configuration.
CLI Command(s): show rmon capture on page 12-24; set rmon capture on page 12-25; clear rmon capture on page 12-26

Statistics Group Commands


Purpose
To display, configure, and clear RMON statistics.
Note: Due to hardware limitations, the only frame error counted is oversized frames.

Commands
For information about...    Refer to page...
show rmon stats             12-3
set rmon stats              12-5
clear rmon stats            12-6

show rmon stats


Use this command to display RMON statistics measured for one or more ports.

Syntax
show rmon stats [port-string]

Parameters
port-string    (Optional) Displays RMON statistics for specific port(s).

Defaults
If port-string is not specified, RMON stats will be displayed for all ports.

Mode
Switch command, read-only.

Example
This example shows how to display RMON statistics for Gigabit Ethernet port 1 in switch 1:
A2(su)->show rmon stats ge.1.1
Port: ge.1.1
-------------------------------------
Index       = 1
Owner       = monitor
Data Source = ifIndex.1
Drop Events    = 0    Packets            = 0
Collisions     = 0    Octets             = 0
Jabbers        = 0    0 - 64 Octets      = 0
Broadcast Pkts = 0    65 - 127 Octets    = 0
Multicast Pkts = 0    128 - 255 Octets   = 0
CRC Errors     = 0    256 - 511 Octets   = 0
Undersize Pkts = 0    512 - 1023 Octets  = 0
Oversize Pkts  = 0    1024 - 1518 Octets = 0
Fragments      = 0

Table 12-2 provides an explanation of the command output.

Table 12-2    show rmon stats Output Details
Output                What It Displays...
Port                  Port designation.
Owner                 Name of the entity that configured this entry. Monitor is default.
Data Source           Data source of the statistics being displayed.
Drop Events           Total number of times that the switch was forced to discard frames due to lack of available switch device resources. This does not display the number of frames dropped, only the number of times the switch was forced to discard frames.
Collisions            Total number of collisions that have occurred on this interface.
Jabbers               Total number of frames that were greater than 1518 bytes and had either a bad FCS or a bad CRC.
Packets               Total number of frames (including bad frames, broadcast frames, and multicast frames) received on this interface.
Broadcast Pkts        Total number of good frames that were directed to the broadcast address. This value does not include multicast frames.
Multicast Pkts        Total number of good frames that were directed to the multicast address. This value does not include broadcast frames.
CRC Errors            Number of frames with bad Cyclic Redundancy Checks (CRC) received from the network. The CRC is a 4-byte field in the data frame that ensures that the data received is the same as the data that was originally sent.
Undersize Pkts        Number of frames received containing less than the minimum Ethernet frame size of 64 bytes (not including the preamble) but having a valid CRC.
Oversize Pkts         Number of frames received that exceeded 1518 data bytes (not including the preamble) but had a valid CRC.
Fragments             Number of received frames that are not the minimum number of bytes in length, or received frames that had a bad or missing Frame Check Sequence (FCS), were less than 64 bytes in length (excluding framing bits, but including FCS bytes) and had an invalid CRC. It is normal for this value to increment since fragments are a normal result of collisions in a half-duplex network.
Packets               Total number of packets, including bad, broadcast and multicast.
Octets                Total number of octets (bytes) of data, including those in bad frames, received on this interface.
0 - 64 Octets         Total number of frames, including bad frames, received that were 64 bytes in length (excluding framing bits, but including FCS bytes).
65 - 127 Octets       Total number of frames, including bad frames, received that were between 65 and 127 bytes in length (excluding framing bits, but including FCS bytes).
128 - 255 Octets      Total number of frames, including bad frames, received that were between 128 and 255 bytes in length (excluding framing bits, but including FCS bytes).
256 - 511 Octets      Total number of frames, including bad frames, received that were between 256 and 511 bytes in length (excluding framing bits, but including FCS bytes).
512 - 1023 Octets     Total number of frames, including bad frames, received that were between 512 and 1023 bytes in length (excluding framing bits, but including FCS bytes).
1024 - 1518 Octets    Total number of frames, including bad frames, received that were between 1024 and 1518 bytes in length (excluding framing bits, but including FCS bytes).

set rmon stats


Use this command to configure an RMON statistics entry.

Syntax
set rmon stats index port-string [owner]

Parameters
index          Specifies an index for this statistics entry.
port-string    Specifies port(s) to which this entry will be assigned.
owner          (Optional) Assigns an owner for this entry.

Defaults
If owner is not specified, monitor will be applied.

Mode
Switch command, read-write.

Example
This example shows how to configure RMON statistics entry 2 for ge.1.20:
A2(rw)->set rmon stats 2 ge.1.20

clear rmon stats


Use this command to delete one or more RMON statistics entries.

Syntax
clear rmon stats {index-list | to-defaults}

Parameters
index-list     Specifies one or more stats entries to be deleted, causing them to disappear from any future RMON queries.
to-defaults    Resets all history entries to default values. This will cause entries to reappear in RMON queries.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to delete RMON statistics entry 2:
A2(rw)->clear rmon stats 2

History Group Commands


Purpose
To display, configure, and clear RMON history properties and statistics.

Commands
For information about...    Refer to page...
show rmon history           12-7
set rmon history            12-8
clear rmon history          12-9

show rmon history


Use this command to display RMON history properties and statistics. The RMON history group records periodic statistical samples from a network.

Syntax
show rmon history [port-string]

Parameters
port-string    (Optional) Displays RMON history entries for specific port(s).

Defaults
If port-string is not specified, information about all RMON history entries will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display RMON history entries for Gigabit Ethernet port 1 in switch 1. A control entry displays first, followed by actual entries corresponding to the control entry. In this case, the default settings for entry owner, sampling interval, and maximum number of entries (buckets) have not been changed from their default values. For a description of the types of statistics shown, refer to Table 12-2.
A2(su)->show rmon history ge.1.1
Port: ge.1.1
-------------------------------------
Index 1
Owner             = monitor
Status            = valid
Data Source       = ifIndex.1
Interval          = 30
Buckets Requested = 50
Buckets Granted   = 10

Sample 2779             Interval Start: 1 days 0 hours 2 minutes 22 seconds
Drop Events      = 0    Undersize Pkts = 0
Octets           = 0    Oversize Pkts  = 0
Packets          = 0    Fragments      = 0
Broadcast Pkts   = 0    Jabbers        = 0
Multicast Pkts   = 0    Collisions     = 0
CRC Align Errors = 0    Utilization(%) = 0

set rmon history


Use this command to configure an RMON history entry.

Syntax
set rmon history index [port-string] [buckets buckets] [interval interval] [owner owner]

Parameters
index-list           Specifies an index number for this entry.
port-string          (Optional) Assigns this entry to a specific port.
buckets buckets      (Optional) Specifies the maximum number of entries to maintain.
interval interval    (Optional) Specifies the sampling interval in seconds.
owner owner          (Optional) Specifies an owner for this entry.

Defaults
If buckets is not specified, the maximum number of entries maintained will be 50.
If not specified, interval will be set to 30 seconds.
If owner is not specified, monitor will be applied.

Mode
Switch command, read-write.

Example
This example shows how to configure RMON history entry 1 on port fe.2.1 to sample every 20 seconds:
A2(rw)->set rmon history 1 fe.2.1 interval 20

clear rmon history


Use this command to delete one or more RMON history entries or reset one or more entries to default values. For specific values, refer to set rmon history on page 12-8.

Syntax
clear rmon history {index-list | to-defaults}

Parameters
index-list     Specifies one or more history entries to be deleted, causing them to disappear from any future RMON queries.
to-defaults    Resets all history entries to default values. This will cause entries to reappear in RMON queries.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to delete RMON history entry 1:
A2(rw)->clear rmon history 1

Alarm Group Commands


Purpose
To display, configure, and clear RMON alarm entries and properties.

Commands
For information about...     Refer to page...
show rmon alarm              12-10
set rmon alarm properties    12-11
set rmon alarm status        12-13
clear rmon alarm             12-14

show rmon alarm


UsethiscommandtodisplayRMONalarmentries.TheRMONalarmgroupperiodicallytakes statisticalsamplesfromRMONvariablesandcomparesthemwithpreviouslyconfigured thresholds.IfthemonitoredvariablecrossesathresholdanRMONeventisgenerated.

Syntax
show rmon alarm [index]

Parameters
index    (Optional) Displays RMON alarm entries for a specific entry index ID.

Defaults
If index is not specified, information about all RMON alarm entries will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display RMON alarm entry 3:
A2(rw)->show rmon alarm 3
Index 3
---------------------
Owner              = Manager
Status             = valid
Variable           = 1.3.6.1.4.1.5624.1.2.29.1.2.1.0
Sample Type        = delta       Startup Alarm       = rising
Interval           = 30          Value               = 0
Rising Threshold   = 1           Falling Threshold   = 0
Rising Event Index = 2           Falling Event Index = 0

Table 12-3 provides an explanation of the command output.

Table 12-3    show rmon alarm Output Details

Output                 What It Displays...
Index                  Index number for this alarm entry.
Owner                  Text string identifying who configured this entry.
Status                 Whether this event entry is enabled (valid) or disabled.
Variable               MIB object to be monitored.
Sample Type            Whether the monitoring method is an absolute or a delta sampling.
Startup Alarm          Whether alarm generated when this entry is first enabled is rising, falling, or either.
Interval               Interval in seconds at which RMON will conduct sample monitoring.
Rising Threshold       Minimum threshold for causing a rising alarm.
Falling Threshold      Maximum threshold for causing a falling alarm.
Rising Event Index     Index number of the RMON event to be triggered when the rising threshold is crossed.
Falling Event Index    Index number of the RMON event to be triggered when the falling threshold is crossed.

set rmon alarm properties


Use this command to configure an RMON alarm entry, or to create a new alarm entry with an unused alarm index number.

Syntax
set rmon alarm properties index [interval interval] [object object] [type {absolute | delta}] [startup {rising | falling | either}] [rthresh rthresh] [fthresh fthresh] [revent revent] [fevent fevent] [owner owner]

Parameters
index                   Specifies an index number for this entry. Maximum number of entries is 50. Maximum value is 65535.
interval interval       (Optional) Specifies an interval (in seconds) for RMON to conduct sample monitoring.
object object           (Optional) Specifies a MIB object to be monitored.
                        Note: This parameter is not mandatory for executing the command, but must be specified in order to enable the alarm entry configuration.
type absolute | delta   (Optional) Specifies the monitoring method as: sampling the absolute value of the object, or the difference (delta) between object samples.
startup rising | falling | either
                        (Optional) Specifies the type of alarm generated when this event is first enabled as:
                        Rising - Sends alarm when an RMON event reaches a maximum threshold condition, for example, more than 30 collisions per second.
                        Falling - Sends alarm when RMON event falls below a minimum threshold condition, for example when the network is behaving normally again.
                        Either - Sends alarm when either a rising or falling threshold is reached.
rthresh rthresh         (Optional) Specifies a minimum threshold for causing a rising alarm.
fthresh fthresh         Specifies a maximum threshold for causing a falling alarm.
revent revent           Specifies the index number of the RMON event to be triggered when the rising threshold is crossed.
fevent fevent           Specifies the index number of the RMON event to be triggered when the falling threshold is crossed.
owner owner             (Optional) Specifies the name of the entity that configured this alarm entry.

Defaults
interval - 3600 seconds
type - absolute
startup - rising
rthresh - 0
fthresh - 0
revent - 0
fevent - 0
owner - monitor

Mode
Switch command, read-write.

Example
This example shows how to configure a rising RMON alarm. This entry will conduct monitoring of the delta between samples every 30 seconds:
A2(rw)->set rmon alarm properties 3 interval 30 object 1.3.6.1.4.1.5624.1.2.29.1.2.1.0 type delta rthresh 1 revent 2 owner Manager
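
How the type, startup, rthresh and fthresh settings decide when an alarm fires, as an added example that is not part of the original guide or the switch firmware. It models the standard RMON alarm semantics of RFC 2819, which the switch is assumed to follow; the class and function names are hypothetical and the counter readings are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RmonAlarm:
    """One alarm entry; field names mirror the CLI keywords (hypothetical model)."""
    sample_type: str = "absolute"   # type {absolute | delta}
    startup: str = "rising"         # startup {rising | falling | either}
    rthresh: int = 0
    fthresh: int = 0
    revent: int = 0                 # event index 0 means no event is attached
    fevent: int = 0

    def __post_init__(self) -> None:
        self._prev_raw: Optional[int] = None    # last raw reading (delta mode)
        self._prev_value: Optional[int] = None  # last value that was compared
        self._last_dir: Optional[str] = None    # direction of the last crossing

    def sample(self, raw: int) -> Optional[Tuple[str, int]]:
        """Feed one reading; return (direction, event index) on a crossing."""
        if self.sample_type == "delta":
            if self._prev_raw is None:          # first reading only primes the delta
                self._prev_raw = raw
                return None
            value, self._prev_raw = raw - self._prev_raw, raw
        else:
            value = raw

        crossing = None
        if self._prev_value is None:
            # First comparable sample: the startup setting decides what may fire.
            if value >= self.rthresh and self.startup in ("rising", "either"):
                crossing = "rising"
            elif value <= self.fthresh and self.startup in ("falling", "either"):
                crossing = "falling"
        elif (value >= self.rthresh and self._prev_value < self.rthresh
              and self._last_dir != "rising"):
            # Re-armed only after the value has come back down to fthresh.
            crossing = "rising"
        elif (value <= self.fthresh and self._prev_value > self.fthresh
              and self._last_dir != "falling"):
            crossing = "falling"

        self._prev_value = value
        if crossing is None:
            return None
        self._last_dir = crossing
        return crossing, (self.revent if crossing == "rising" else self.fevent)


def run(alarm: RmonAlarm, readings: List[int]) -> List[Tuple[int, str, int]]:
    """Return (reading number, direction, event index) for every crossing."""
    crossings = []
    for n, raw in enumerate(readings):
        hit = alarm.sample(raw)
        if hit:
            crossings.append((n, hit[0], hit[1]))
    return crossings


if __name__ == "__main__":
    # Settings from the example above: delta sampling, rthresh 1, revent 2,
    # everything else left at the documented defaults (fthresh 0, fevent 0).
    page_alarm = RmonAlarm(sample_type="delta", rthresh=1, revent=2)
    # Constructed counter readings, one per 30-second interval.
    for n, direction, event in run(page_alarm, [5, 5, 5, 6, 8, 9, 9, 9, 10]):
        print(f"reading {n}: {direction} crossing, event index {event}")
```

With these settings a sustained burst of changes raises event 2 only once; the alarm re-arms after an interval with no change, and that falling crossing is silent because fevent is 0.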

set rmon alarm status


Use this command to enable an RMON alarm entry. An alarm is a notification that a statistical sample of a monitored variable has crossed a configured threshold.

Syntax
set rmon alarm status index enable

Parameters
index     Specifies an index number for this entry. Maximum number of entries is 50. Maximum value is 65535.
enable    Enables this alarm entry.

Defaults
None.

Mode
Switch command, read-write.

Usage
An RMON alarm entry can be created using this command, configured using the set rmon alarm properties command ("set rmon alarm properties" on page 12-11), then enabled using this command. An RMON alarm entry can be created and configured at the same time by specifying an unused index with the set rmon alarm properties command.

Example
This example shows how to enable RMON alarm entry 3:
A2(rw)->set rmon alarm status 3 enable

clear rmon alarm


Use this command to delete an RMON alarm entry.

Syntax
clear rmon alarm index

Parameters
index    Specifies the index number of the entry to be cleared.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear RMON alarm entry 1:
A2(rw)->clear rmon alarm 1

Event Group Commands


Purpose
To display and clear RMON events, and to configure RMON event properties.

Commands
For information about...       Refer to page...
show rmon event                12-15
set rmon event properties      12-16
set rmon event status          12-17
clear rmon event               12-18

show rmon event


Use this command to display RMON event entry properties.

Syntax
show rmon event [index]

Parameters
index    (Optional) Displays RMON properties and log entries for a specific entry index ID.

Defaults
If index is not specified, information about all RMON entries will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display RMON event entry 3:
A2(rw)->show rmon event 3
Index 3
----------------
Owner          = Manager
Status         = valid
Description    = STP Topology change
Type           = log-and-trap
Community      = public
Last Time Sent = 0 days 0 hours 0 minutes 37 seconds

Table 12-4 provides an explanation of the command output.


Table 12-4    show rmon event Output Details

Output            What It Displays...
Index             Index number for this event entry.
Owner             Text string identifying who configured this entry.
Status            Whether this event entry is enabled (valid) or disabled.
Description       Text string description of this event.
Type              Whether the event notification will be a log entry, an SNMP trap, both, or none.
Community         SNMP community name if message type is set to trap.
Last Time Sent    When an event notification matching this entry was sent.

set rmon event properties


Use this command to configure an RMON event entry, or to create a new event entry with an unused event index number.

Syntax
set rmon event properties index [description description] [type {none | log | trap | both}] [community community] [owner owner]

Parameters
index                     Specifies an index number for this entry. Maximum number of entries is 100. Maximum value is 65535.
description description   (Optional) Specifies a text string description of this event.
type none | log | trap | both
                          (Optional) Specifies the type of RMON event notification as: none, a log table entry, an SNMP trap, or both a log entry and a trap message.
community community       (Optional) Specifies an SNMP community name to use if the message type is set to trap. For details on setting SNMP traps and community names, refer to "Creating a Basic SNMP Trap Configuration" on page 5-41.
owner owner               (Optional) Specifies the name of the entity that configured this entry.

Defaults
If description is not specified, none will be applied.
If not specified, type none will be applied.
If owner is not specified, monitor will be applied.

Mode
Switch command, read-write.

Example
This example shows how to create and enable an RMON event entry called "STP topology change" that will send both a log entry and an SNMP trap message to the "public" community:
A2(rw)->set rmon event properties 2 description "STP topology change" type both community public owner Manager

set rmon event status


Use this command to enable an RMON event entry. An event entry describes the parameters of an RMON event that can be triggered. Events can be fired by RMON alarms and can be configured to create a log entry, generate a trap, or both.

Syntax
set rmon event status index enable

Parameters
index     Specifies an index number for this entry. Maximum number of entries is 100. Maximum value is 65535.
enable    Enables this event entry.

Defaults
None.

Mode
Switch command, read-write.

Usage
An RMON event entry can be created using this command, configured using the set rmon event properties command ("set rmon event properties" on page 12-16), then enabled using this command. An RMON event entry can be created and configured at the same time by specifying an unused index with the set rmon event properties command.

Example
This example shows how to enable RMON event entry 1:
A2(rw)->set rmon event status 1 enable

clear rmon event


Use this command to delete an RMON event entry and any associated log entries.

Syntax
clear rmon event index

Parameters
index    Specifies the index number of the entry to be cleared.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear RMON event 1:
A2(rw)->clear rmon event 1

Filter Group Commands


The packet capture and filter function is disabled by default. Only one interface can be configured for capturing and filtering at a time.

When packet capture is enabled on an interface, the SecureStack A2 switch will capture 100 frames as close to sequentially as possible. These 100 frames will be placed into a buffer for inspection. If there is data in the buffer when the function is started, the buffer will be overwritten. Once 100 frames have been captured, the capture will stop. Filtering will be performed on the frames captured in the buffer. Therefore, only a subset of the frames captured will be available for display.

Note: Packet capture is sampling only and does not guarantee receipt of back to back packets.

One channel at a time can be supported, with up to three filters. Configured channel, filter, and buffer control information will be saved across resets, but captured frames within the buffer will not be saved.

This function cannot be used concurrently with port mirroring. The system will check to prevent concurrently enabling both functions, and a warning will be generated in the CLI if attempted.

Commands
For information about...       Refer to page...
show rmon channel              12-19
set rmon channel               12-20
clear rmon channel             12-21
show rmon filter               12-21
set rmon filter                12-22
clear rmon filter              12-23

show rmon channel


Use this command to display RMON channel entries for one or more ports.

Syntax
show rmon channel [port-string]

Parameters
port-string    (Optional) Displays RMON channel entries for a specific port(s).

Defaults
If port-string is not specified, information about all channels will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display RMON channel information for fe.2.12:
A2(rw)->show rmon channel fe.2.12
Port fe.2.12   Channel index= 628   EntryStatus= valid
----------------------------------------------------------
Control          off         AcceptType       matched
OnEventIndex     0           OffEventIndex    0
EventIndex       0           Status           ready
Matches          4498
Description      Thu Dec 16 12:57:32 EST 2004
Owner            NetSight smith

set rmon channel


Use this command to configure an RMON channel entry.

Syntax
set rmon channel index port-string [accept {matched | failed}] [control {on | off}] [description description] [owner owner]

Parameters
index                     Specifies an index number for this entry. An entry will automatically be created if an unused index number is chosen. Maximum number of entries is 2. Maximum value is 65535.
port-string               Specifies the port on which traffic will be monitored.
accept matched | failed   (Optional) Specifies the action of the filters on this channel as:
                          matched - Packets will be accepted on filter matches
                          failed - Packets will be accepted if they fail a match
control on | off          (Optional) Enables or disables control of the flow of data through the channel.
description description   (Optional) Specifies a description for this channel.
owner owner               (Optional) Specifies the name of the entity that configured this entry.

Defaults
If an action is not specified, packets will be accepted on filter matches.
If not specified, control will be set to off.
If a description is not specified, none will be applied.
If owner is not specified, it will be set to monitor.

Mode
Switch command, read-write.

Example
This example shows how to create an RMON channel entry:
A2(rw)->set rmon channel 54313 fe.2.12 accept failed control on description "capture all"

clear rmon channel


Use this command to clear an RMON channel entry.

Syntax
clear rmon channel index

Parameters
index    Specifies the channel entry to be cleared.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear RMON channel entry 2:
A2(rw)->clear rmon channel 2

show rmon filter


Use this command to display one or more RMON filter entries.

Syntax
show rmon filter [index index | channel channel]

Parameters
index index | channel channel    (Optional) Displays information about a specific filter entry, or about all filters which belong to a specific channel.

Defaults
If no options are specified, information for all filter entries will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display all RMON filter entries and channel information:
A2(rw)->show rmon filter
Index= 55508   Channel Index= 628   EntryStatus= valid
----------------------------------------------------------
Data Offset        0     PktStatus           0
PktStatusMask      0     PktStatusNotMask    0
Owner              ETS,NAC-D
-----------------------------
Data
ff ff ff ff ff ff
-----------------------------
DataMask
ff ff ff ff ff ff
-----------------------------
DataNotMask
00 00 00 00 00 00

set rmon filter


Use this command to configure an RMON filter entry.

Syntax
set rmon filter index channel-index [offset offset] [status status] [smask smask] [snotmask snotmask] [data data] [dmask dmask] [dnotmask dnotmask] [owner owner]

Parameters
index                Specifies an index number for this entry. An entry will automatically be created if an unused index number is chosen. Maximum number of entries is 10. Maximum value is 65535.
channel-index        Specifies the channel to which this filter will be applied.
offset offset        (Optional) Specifies an offset from the beginning of the packet to look for matches.
status status        (Optional) Specifies packet status bits that are to be matched.
smask smask          (Optional) Specifies the mask applied to status to indicate which bits are significant.
snotmask snotmask    (Optional) Specifies the inversion mask that indicates which bits should be set or not set.
data data            (Optional) Specifies the data to be matched.
dmask dmask          (Optional) Specifies the mask applied to data to indicate which bits are significant.
dnotmask dnotmask    (Optional) Specifies the inversion mask that indicates which bits should be set or not set.
owner                (Optional) Specifies the name of the entity that configured this entry.

Defaults
If owner is not specified, it will be set to monitor.
If no other options are specified, none (0) will be applied.

Mode
Switch command, read-write.

Example
This example shows how to create RMON filter 1 and apply it to channel 9:
A2(rw)->set rmon filter 1 9 offset 30 data 0a154305 dmask ffffffff

clear rmon filter


Use this command to clear an RMON filter entry.

Syntax
clear rmon filter {index index | channel channel}

Parameters
index index | channel channel    Clears a specific filter entry, or all entries belonging to a specific channel.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear RMON filter entry 1:
A2(rw)->clear rmon filter index 1

Packet Capture Commands


Note that packet capture filter is sampling only and does not guarantee receipt of back to back packets.

Purpose
To display RMON capture entries, configure, enable, or disable capture entries, and clear capture entries.

Commands
For information about...       Refer to page...
show rmon capture              12-24
set rmon capture               12-25
clear rmon capture             12-26

show rmon capture


Use this command to display RMON capture entries and associated buffer control entries.

Syntax
show rmon capture [index [nodata]]

Parameters
index     (Optional) Displays the specified buffer control entry and all captured packets associated with that entry.
nodata    (Optional) Displays only the buffer control entry specified by index.

Defaults
If no options are specified, all buffer control entries and associated captured packets will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display RMON capture entries and associated buffer entries:
A2(rw)->show rmon capture
Buf.control= 28062   Channel= 38283   EntryStatus= valid
----------------------------------------------------------
FullStatus            avail     FullAction           lock
Captured packets      251       Capture slice        1518
Download size         100       Download offset      0
Max Octet Requested   50000     Max Octet Granted    50000
Start time            1 days 0 hours 51 minutes 15 seconds
Owner                 monitor

captureEntry= 1   Buff.control= 28062
--------------------------------------------
Pkt ID       9
Pkt time     1 days 0 hours 51 minutes 15 seconds
Pkt Length   93
Pkt status   0
Data:
00 00 5e 00 01 01 00 01 f4 00 7d ce 08 00 45 00
00 4b b4 b9 00 00 40 11 32 5c 0a 15 43 05 86 8d
bf e5 00 a1 0e 2b 00 37 cf ca 30 2d 02 01 00 04
06 70 75 62 6c 69 63 a2 20 02 02 0c 92 02 01 00
02 01 00 30 14 30 12 06 0d 2b 06 01 02 01 10 07
01 01 0b 81 fd 1c 02 01 01 00 11 0b 00
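
How the offset, data, dmask and dnotmask values of set rmon filter, together with the channel's accept setting, select frames, applied to the packet in the show rmon capture output above. This is an added example, not code from the guide or the switch firmware: it follows the filter-match equations of the RMON MIB (RFC 2819), which the switch is assumed to implement, and the names Filter, filter_matches, channel_accepts and ipv4_addresses are hypothetical.

```python
from typing import Iterable, NamedTuple, Optional, Tuple

# Packet bytes copied from the "show rmon capture" example in this chapter.
CAPTURED = bytes.fromhex(
    "00 00 5e 00 01 01 00 01 f4 00 7d ce 08 00 45 00 "
    "00 4b b4 b9 00 00 40 11 32 5c 0a 15 43 05 86 8d "
    "bf e5 00 a1 0e 2b 00 37 cf ca 30 2d 02 01 00 04 "
    "06 70 75 62 6c 69 63 a2 20 02 02 0c 92 02 01 00 "
    "02 01 00 30 14 30 12 06 0d 2b 06 01 02 01 10 07 "
    "01 01 0b 81 fd 1c 02 01 01 00 11 0b 00"
)


class Filter(NamedTuple):
    """Data part of one filter entry (status matching is left out)."""
    offset: int
    data: bytes
    dmask: bytes
    dnotmask: bytes = b""


def _pad(value: bytes, length: int, fill: int) -> bytes:
    """RFC 2819 extends a short mask with 1 bits and a short not-mask with 0 bits."""
    return (value + bytes([fill]) * length)[:length]


def filter_matches(pkt: bytes, f: Filter) -> bool:
    """True if pkt passes the data/dmask/dnotmask test at f.offset."""
    end = f.offset + len(f.data)
    if len(pkt) < end:
        return False                      # packet too short: it fails the filter
    mask = _pad(f.dmask, len(f.data), 0xFF)
    notmask = _pad(f.dnotmask, len(f.data), 0x00)
    inverted_bit_differs = False
    for p, d, m, n in zip(pkt[f.offset:end], f.data, mask, notmask):
        diff = (p ^ d) & m                # significant bits that differ from data
        if diff & ~n & 0xFF:
            return False                  # a "must equal" bit differs
        if diff & n:
            inverted_bit_differs = True   # a "must differ" bit does differ
    # With a non-zero not-mask at least one inverted bit has to differ.
    return inverted_bit_differs or not any(notmask)


def channel_accepts(pkt: bytes, filters: Iterable[Filter],
                    accept: str = "matched") -> bool:
    """accept matched: any filter matches; accept failed: every filter fails."""
    hit = any(filter_matches(pkt, f) for f in filters)
    return hit if accept == "matched" else not hit


def ipv4_addresses(pkt: bytes) -> Optional[Tuple[str, str]]:
    """Source/destination of an untagged Ethernet II IPv4 frame, else None."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return None
    dotted = lambda b: ".".join(str(x) for x in b)
    return dotted(pkt[26:30]), dotted(pkt[30:34])   # offsets 26 and 30


if __name__ == "__main__":
    # Values from the "set rmon filter 1 9 offset 30 ..." example in this chapter.
    page_filter = Filter(30, bytes.fromhex("0a154305"), bytes.fromhex("ffffffff"))
    print("addresses:", ipv4_addresses(CAPTURED))
    print("offset 30 (destination) matches:", filter_matches(CAPTURED, page_filter))
    print("offset 26 (source) matches:",
          filter_matches(CAPTURED, page_filter._replace(offset=26)))
    print("accepted with 'accept failed':",
          channel_accepts(CAPTURED, [page_filter], "failed"))
```

Offsets 26 and 30 hold the IPv4 source and destination only for untagged frames; an 802.1Q tag shifts both by 4 bytes, so a filter written for the wrong framing silently matches nothing.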

set rmon capture


Use this command to configure an RMON capture entry.

Syntax
set rmon capture index {channel [action {lock}] [slice slice] [loadsize loadsize] [offset offset] [asksize asksize] [owner owner]}

Parameters
index                Specifies a buffer control entry.
channel              Specifies the channel to which this capture entry will be applied.
action lock          (Optional) Specifies the action of the buffer when it is full as:
                     lock - Packets will cease to be accepted
slice slice          (Optional) Specifies the maximum octets from each packet to be saved in a buffer. Currently, the only value allowed is 1518.
loadsize loadsize    (Optional) Specifies the maximum octets from each packet to be downloaded from the buffer. The default is 100.
offset offset        (Optional) Specifies the first octet from each packet that will be retrieved.
asksize asksize      (Optional) Specifies the requested maximum octets to be saved in this buffer. Currently, the only value accepted is 1, which requests as many octets as possible.
owner                (Optional) Specifies the name of the entity that configured this entry.

Defaults
If not specified, action defaults to lock.
If not specified, offset defaults to 0.
If not specified, asksize defaults to 1 (which will request as many octets as possible).
If slice is not specified, 1518 will be applied.
If loadsize is not specified, 100 will be applied.
If owner is not specified, it will be set to monitor.

Mode
Switch command, read-write.

Example
This example shows how to create RMON capture entry 1 to listen on channel 628:
A2(rw)->set rmon capture 1 628

clear rmon capture


Use this command to clear an RMON capture entry.

Syntax
clear rmon capture index

Parameters
index    Specifies the capture entry to be cleared.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear RMON capture entry 1:
A2(rw)->clear rmon capture 1


13
Configuring DHCP Server
This chapter describes the commands to configure the IPv4 DHCP server functionality on a SecureStack A2 switch.

For information about...                        Refer to page...
DHCP Overview                                   13-1
Configuring General DHCP Server Parameters      13-3
Configuring IP Address Pools                    13-11

DHCP Overview
Dynamic Host Configuration Protocol (DHCP) for IPv4 is a network layer protocol that implements automatic or manual assignment of IP addresses and other configuration information to client devices by servers. A DHCP server manages a user-configured pool of IP addresses from which it can make assignments upon client requests. A relay agent passes DHCP messages between clients and servers which are on different physical subnets.

DHCP Server
DHCP server functionality allows the SecureStack A2 switch to provide basic IP configuration information to a client on the network who requests such information using the DHCP protocol.

DHCP provides the following mechanisms for IP address allocation by a DHCP server:
• Automatic: DHCP server assigns an IP address to a client for a limited period of time (or until the client explicitly relinquishes the address) from a defined pool of IP addresses configured on the server.
• Manual: A client's IP address is assigned by the network administrator, and DHCP is used simply to convey the assigned address to the client. This is managed by means of "static" address pools configured on the server.

The amount of time that a particular IP address is valid for a system is called a lease. The SecureStack A2 maintains a lease database which contains information about each assigned IP address, the MAC address to which it is assigned, the lease expiration, and whether the address assignment is dynamic (automatic) or static (manual). The DHCP lease database is stored in flash memory.

In addition to assigning IP addresses, the DHCP server can also be configured to assign the following to requesting clients:
• Default router(s)
• DNS server(s) and domain name
• NetBIOS WINS server(s) and node name
• Boot file
• DHCP options as defined by RFC 2132


Note: A total of 16 address pools, dynamic and/or static, can be configured on the SecureStack A2.

Configuring a DHCP Server


For DHCP to function on SecureStack A2 systems, the system has to know about the IP network for which the DHCP pool is to be created. This is done by associating the DHCP address pool with the switch's host port IP address.

The following tasks provide basic DHCP server functionality when the DHCP pool is associated with the system's host IP address.

1. Configure the system (stack) host port IP address with the set ip address command. Once the system's IP address is configured, the system then knows about the configured subnet. For example:
   set ip address 192.0.0.50 mask 255.255.255.0
2. Enable DHCP server functionality on the system with the set dhcp enable command.
3. Configure an IP address pool for dynamic IP address assignment. The only required steps are to name the pool and define the network number and mask for the pool. Note that the pool has to be in the same subnet and use the same mask as the system host port IP address. For example:
   set dhcp pool auto-pool network 192.0.0.0 255.255.255.0

All DHCP clients served by this switch must be in the same VLAN as the system's host port.

Optional DHCP server tasks include:
• You can limit the scope of addresses assigned to a pool for dynamic address assignment with the set dhcp exclude command. Up to 128 non-overlapping address ranges can be excluded on the SecureStack A2. For example:
   set dhcp exclude 192.0.0.1 192.0.0.10
   Note: The IP address of the system's host port is automatically excluded.
• Configure static address pools for manual address assignment. The only required steps are to name the pool, configure either the hardware address of the client or the client identifier, and configure the IP address and mask for the manual binding. For example:
   set dhcp pool static-pool hardware-address 0011.2233.4455
   set dhcp pool static-pool host 192.0.0.200 255.255.255.0
• Set other DHCP server parameters such as the number of ping packets to be sent before assigning an IP address, or enabling conflict logging.

Configuring General DHCP Server Parameters


Purpose
To configure DHCP server parameters, and to display and clear address binding information, server statistics, and conflict information.

Commands
Commands to configure DHCP server parameters and to display and clear DHCP server information are listed below.
For information about...       Refer to page...
set dhcp                       13-3
set dhcp bootp                 13-4
set dhcp conflict logging      13-4
show dhcp conflict             13-5
clear dhcp conflict            13-5
set dhcp exclude               13-6
clear dhcp exclude             13-7
set dhcp ping                  13-7
clear dhcp ping                13-8
show dhcp binding              13-8
clear dhcp binding             13-9
show dhcp server statistics    13-9
clear dhcp server statistics   13-10

set dhcp
Use this command to enable or disable the DHCP server functionality on the SecureStack A2.

Syntax
set dhcp {enable | disable}

Parameters
enable | disable    Enable or disable DHCP server functionality. By default, DHCP server is disabled.

Defaults
None.

Mode
Switch command, read-write.

Example
This example enables DHCP server functionality.
A2(rw)->set dhcp enable

set dhcp bootp


Use this command to enable or disable automatic address allocation for BOOTP clients. By default, address allocation for BOOTP clients is disabled. Refer to RFC 1534, "Interoperation Between DHCP and BOOTP," for more information.

Syntax
set dhcp bootp {enable | disable}

Parameters
enable | disable    Enable or disable address allocation for BOOTP clients.

Defaults
None.

Mode
Switch command, read-write.

Example
This example enables address allocation for BOOTP clients.
A2(rw)->set dhcp bootp enable

set dhcp conflict logging


Use this command to enable conflict logging. By default, conflict logging is enabled. Use the clear dhcp conflict logging command to disable conflict logging.

Syntax
set dhcp conflict logging

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example enables DHCP conflict logging.
A2(rw)->set dhcp conflict logging
show dhcp conflict


Use this command to display conflict information, for one address or all addresses.

Syntax
show dhcp conflict [address]

Parameters
address    (Optional) Specifies the address for which to display conflict information.

Defaults
If no address is specified, conflict information for all addresses is displayed.

Mode
Read-only.

Example
This example displays conflict information for all addresses. Note that ping is the only detection method used.
A2(ro)->show dhcp conflict
IP address     Detection Method     Detection Time
-----------    -----------------    ---------------
192.0.0.2      Ping                 0 days 19h:01m:23s
192.0.0.3      Ping                 0 days 19h:00m:46s
192.0.0.4      Ping                 0 days 19h:01m:25s
192.0.0.12     Ping                 0 days 19h:01m:26s

clear dhcp conflict


Use this command to clear conflict information for one or all addresses, or to disable conflict logging.

Syntax
clear dhcp conflict {logging | ip-address | *}

Parameters
logging       Disable conflict logging.
ip-address    Clear the conflict information for the specified IP address.
*             Clear the conflict information for all IP addresses.

Defaults
None.

Mode
Switch command, read-write.

Examples
This example disables DHCP conflict logging.
A2(rw)->clear dhcp conflict logging

This example clears the conflict information for the IP address 192.0.0.2.
A2(rw)->clear dhcp conflict 192.0.0.2

set dhcp exclude


Use this command to configure the IP addresses that the DHCP server should not assign to DHCP clients. Multiple address ranges can be configured but the ranges cannot overlap. Up to 128 non-overlapping address ranges can be excluded.

Syntax
set dhcp exclude low-ipaddr [high-ipaddr]

Parameters
low-ipaddr     Specifies the first IP address in the address range to be excluded from assignment.
high-ipaddr    (Optional) Specifies the last IP address in the address range to be excluded.

Defaults
None.

Mode
Switch command, read-write.

Example
This example first configures the address pool named "auto1" with 255 addresses for the Class C network 172.20.28.0, with the set dhcp pool network command. Then, the example limits the scope of the addresses that can be assigned by a DHCP server by excluding addresses 172.20.28.80-100, with the set dhcp exclude command.
A2(rw)->set dhcp pool auto1 network 172.20.28.0 24
A2(rw)->set dhcp exclude 172.20.28.80 172.20.28.100

clear dhcp exclude


Use this command to clear the configured IP addresses that the DHCP server should not assign to DHCP clients.

Syntax
clear dhcp exclude low-ipaddr [high-ipaddr]

Parameters
low-ipaddr     Specifies the first IP address in the address range to be cleared.
high-ipaddr    (Optional) Specifies the last IP address in the address range to be cleared.

Defaults
None.

Mode
Switch command, read-write.

Example
This example clears the previously excluded range of IP addresses from 192.168.1.88 through 192.168.1.100.
A2(rw)->clear dhcp exclude 192.168.1.88 192.168.1.100

set dhcp ping


Use this command to configure the number of ping packets the DHCP server sends to an IP address before assigning the address to a requesting client.

Syntax
set dhcp ping packets number

Parameters
packets number    Specifies the number of ping packets to be sent. The value of number can be 0, or range from 2 to 10. Entering 0 disables this function. The default value is 2 packets.

Defaults
None.

Mode
Switch command, read-write.

Example
This example sets the number of ping packets sent to 3.
A2(rw)->set dhcp ping packets 3

clear dhcp ping


Use this command to reset the number of ping packets sent by the DHCP server back to the default value of 2.

Syntax
clear dhcp ping packets

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example resets the number of ping packets sent back to the default value.
A2(rw)->clear dhcp ping packets

show dhcp binding


Use this command to display binding information for one or all IP addresses.

Syntax
show dhcp binding [ip-address]

Parameters
ip-address    (Optional) Specifies the IP address for which to display binding information.

Defaults
If no IP address is specified, binding information for all addresses is displayed.

Mode
Read-only.

Example
This example displays binding information about all addresses.
A2(rw)->show dhcp binding
IP address     Hardware Address     Lease Expiration     Type
-----------    -----------------    -----------------    ---------
192.0.0.6      00:33:44:56:22:39    00:11:02             Automatic
192.0.0.8      00:33:44:56:22:33    00:10:22             Automatic
192.0.0.10     00:33:44:56:22:34    00:09:11             Automatic
192.0.0.11     00:33:44:56:22:35    00:10:05             Automatic
192.0.0.12     00:33:44:56:22:36    00:10:30             Automatic
192.0.0.13     00:33:44:56:22:37    infinite             Manual
192.0.0.14     00:33:44:56:22:38    infinite             Manual

clear dhcp binding


Use this command to clear (delete) one or all DHCP address bindings.

Syntax
clear dhcp binding {ip-addr | *}

Parameters
ip-addr    Specifies the IP address for which to clear/delete the DHCP binding.
*          Delete all address bindings.

Defaults
None.

Mode
Switch command, read-write.

Example
This example deletes the DHCP address binding for IP address 192.168.1.1.
A2(rw)->clear dhcp binding 192.168.1.1

show dhcp server statistics


Use this command to display DHCP server statistics.

Syntax
show dhcp server statistics

Parameters
None.

Defaults
None.

Mode
Read-only.

Example
This example displays server statistics.
A2(ro)->show dhcp server statistics
Automatic Bindings     36
Expired Bindings       6
Malformed Bindings     0

Messages               Received
----------             ----------
DHCP DISCOVER          382
DHCP REQUEST           3855
DHCP DECLINE           0
DHCP RELEASE           67
DHCP INFORM            1

Messages               Sent
----------             ------
DHCP OFFER             381
DHCP ACK               727
DHCP NACK              2

clear dhcp server statistics


Use this command to clear all DHCP server counters.

Syntax
clear dhcp server statistics

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example clears all DHCP server counters.
A2(rw)->clear dhcp server statistics

Configuring IP Address Pools


Manual Pool Configuration Considerations
• The subnet of the IP address being issued should be on the same subnet as the ingress interface (that is, the subnet of the host IP address of the switch, or if routing interfaces are configured, the subnet of the routing interface).
• A manual pool can be configured using either the client's hardware address (set dhcp pool hardware-address) or the client's client-identifier (set dhcp pool client-identifier), but using both is not recommended.
• If the incoming DHCP request packet contains a client-identifier, then a manual pool configured with that client-identifier must exist on the switch in order for the request to be processed. The hardware address is not checked.
• If a manual pool is configured with a client-identifier, then the incoming DHCP request packet from that client must include that client-identifier in order for the request to be processed. The hardware address is not checked.
• A hardware address and type (Ethernet or IEEE 802) configured in a manual pool is checked only when a client-identifier is not also configured for the pool and the incoming DHCP request packet does not include a client-identifier option.

Purpose
To configure and clear DHCP address pool parameters, and to display address pool configuration information.
Note: A total of 16 address pools, dynamic and/or static, can be configured on the SecureStack A2.

Commands
Commands to configure DHCP dynamic (automatic) and static (manual) address pools and to display DHCP address pool configurations are listed below.
For information about...               Refer to page...
set dhcp pool                          13-13
clear dhcp pool                        13-13
set dhcp pool network                  13-14
clear dhcp pool network                13-14
set dhcp pool hardware-address         13-15
clear dhcp pool hardware-address       13-16
set dhcp pool host                     13-16
clear dhcp pool host                   13-17
set dhcp pool client-identifier        13-17
clear dhcp pool client-identifier      13-18
set dhcp pool client-name              13-19
clear dhcp pool client-name            13-19
set dhcp pool bootfile                 13-20
clear dhcp pool bootfile               13-20
set dhcp pool next-server              13-21
clear dhcp pool next-server            13-21
set dhcp pool lease                    13-22
clear dhcp pool lease                  13-22
set dhcp pool default-router           13-23
clear dhcp pool default-router         13-24
set dhcp pool dns-server               13-24
clear dhcp pool dns-server             13-25
set dhcp pool domain-name              13-25
clear dhcp pool domain-name            13-26
set dhcp pool netbios-name-server      13-26
clear dhcp pool netbios-name-server    13-27
set dhcp pool netbios-node-type        13-27
clear dhcp pool netbios-node-type      13-28
set dhcp pool option                   13-28
clear dhcp pool option                 13-29
show dhcp pool configuration           13-30

set dhcp pool


Use this command to create and assign a name to a DHCP server pool of addresses. Up to 16 address pools may be configured on a SecureStack A2. Note that entering this command is not required to create an address pool before configuring other address pool parameters.

Syntax
set dhcp pool poolname

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.

Defaults
None.

Mode
Switch command, read-write.

Example
This example creates an address pool named auto1.
A2(rw)->set dhcp pool auto1

clear dhcp pool


Use this command to delete a DHCP server pool of addresses.

Syntax
clear dhcp pool poolname

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.

Defaults
None.

Mode
Switch command, read-write.

Example
This example deletes the address pool named auto1.
A2(rw)->clear dhcp pool auto1

set dhcp pool network


Use this command to configure the subnet number and mask for an automatic DHCP address pool.

Syntax
set dhcp pool poolname network number {mask | prefix-length}

Parameters
poolname         Specifies the name of the address pool. Pool names may be up to 31 characters in length.
number           Specifies an IP subnet for the address pool.
mask             Specifies the subnet mask in dotted quad notation.
prefix-length    Specifies the subnet mask as an integer.

Defaults
None.

Mode
Switch command, read-write.

Usage
Use this command to configure a set of IP addresses to be assigned by the DHCP server using the specified address pool. In order to limit the scope of the addresses configured with this command, use the set dhcp exclude command described on page 13-6.

Examples
This example configures the IP subnet 172.20.28.0 with a prefix length of 24 for the automatic DHCP pool named auto1. Alternatively, the mask could have been specified as 255.255.255.0.
A2(rw)->set dhcp pool auto1 network 172.20.28.0 24

This example limits the scope of 255 addresses created for the Class C network 172.20.28.0 by the previous example, by excluding addresses 172.20.28.80-100.
A2(rw)->set dhcp exclude 172.20.28.80 172.20.28.100

clear dhcp pool network


Use this command to remove the network number and mask of a DHCP server pool of addresses.

Syntax
clear dhcp pool poolname network

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.

Defaults
None.

Mode
Switch command, read-write.

Example
This example deletes the network and mask from the address pool named auto1.
A2(rw)->clear dhcp pool auto1 network

set dhcp pool hardware-address


Use this command to configure the MAC address of the DHCP client and create an address pool for manual binding. You can use either this command or the set dhcp pool client-identifier command to create a manual binding pool, but using both is not recommended.

Syntax
set dhcp pool poolname hardware-address hw-addr [type]

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
hw-addr     Specifies the MAC address of the client's hardware platform. This value can be entered using dotted hexadecimal notation or colons.
type        (Optional) Specifies the protocol of the hardware platform. Valid values are 1 for Ethernet or 6 for IEEE 802. Default value is 1, Ethernet.

Defaults
If no type is specified, Ethernet is assumed.

Mode
Switch command, read-write.

Example
This example specifies 0001.f401.2710 as the Ethernet MAC address for the manual address pool named manual1. Alternatively, the MAC address could have been entered as 00:01:f4:01:27:10.
A2(rw)->set dhcp pool manual1 hardware-address 0001.f401.2710

clear dhcp pool hardware-address


Use this command to remove the hardware address of a DHCP client from a manual binding address pool.

Syntax
clear dhcp pool poolname hardware-address

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.

Defaults
None.

Mode
Switch command, read-write.

Example
This example deletes the client hardware address from the address pool named manual1.
A2(rw)->clear dhcp pool manual1 hardware-address

set dhcp pool host


Use this command to configure an IP address and network mask for a manual DHCP binding.

Syntax
set dhcp pool poolname host ip-address [mask | prefix-length]

Parameters
poolname         Specifies the name of the address pool. Pool names may be up to 31 characters in length.
ip-address       Specifies the IP address for manual binding.
mask             (Optional) Specifies the subnet mask in dotted quad notation.
prefix-length    (Optional) Specifies the subnet mask as an integer.

Defaults
If a mask or prefix is not specified, the class A, B, or C natural mask will be used.

Mode
Switch command, read-write.

Example
This example shows how to configure the minimum requirements for a manual binding address pool. First, the hardware address of the client's hardware platform is configured, followed by configuration of the address to be assigned to that client manually.
A2(rw)->set dhcp pool manual1 hardware-address 0001.f401.2710
A2(rw)->set dhcp pool manual1 host 15.12.1.99 255.255.248.0

clear dhcp pool host


Use this command to remove the host IP address from a manual binding address pool.

Syntax
clear dhcp pool poolname host

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.

Defaults
None.

Mode
Switch command, read-write.

Example
This example deletes the host IP address from the address pool named manual1.
A2(rw)->clear dhcp pool manual1 host

set dhcp pool client-identifier


Use this command to configure the client identifier of the DHCP client and create an address pool for manual binding. You can use either this command or the set dhcp pool hardware-address command to create a manual binding pool, but using both is not recommended.

Syntax
set dhcp pool poolname client-identifier id

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
id          Specifies the unique client identifier for this client. The value must be entered in xx:xx:xx:xx:xx:xx format.

Defaults
None.

Mode
Switch command, read-write.

Usage
The client identifier is formed by concatenating the media type and the MAC address. For example, if the client hardware type is Ethernet and the client MAC address is 00:01:22:33:44:55, then the client identifier configured with this command must be 01:00:01:22:33:44:55.

Example
This example shows how to configure the minimum requirements for a manual binding address pool, using a client identifier rather than the hardware address of the client's hardware platform.
A2(rw)->set dhcp pool manual2 client-identifier 01:00:01:22:33:44:55
A2(rw)->set dhcp pool manual2 host 10.12.1.10 255.255.255.0
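
The manual pool matching rules listed under Configuring IP Address Pools and the client identifier format described in the Usage text above, modelled in Python as an added example (not Enterasys code). The class and function names are hypothetical, the two pools mirror the guide's manual1 and manual2 examples, and the requests are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

ETHERNET, IEEE802 = 1, 6  # the two "type" values the guide lists for hardware-address


def parse_mac(text: str) -> bytes:
    """Accept 0001.f401.2710 or 00:01:f4:01:27:10 and return the 6 raw bytes."""
    digits = re.sub(r"[.:]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def client_identifier(mac: str, hw_type: int = ETHERNET) -> str:
    """Media type byte followed by the MAC address, in xx:xx:... form.

    Assumption: the media type byte equals the hardware type value; the guide
    only shows the Ethernet case (01).
    """
    if hw_type not in (ETHERNET, IEEE802):
        raise ValueError(f"unsupported hardware type: {hw_type}")
    return ":".join(f"{b:02x}" for b in bytes([hw_type]) + parse_mac(mac))


@dataclass
class ManualPool:  # hypothetical model of one manual binding pool
    name: str
    host: str
    hw_addr: Optional[bytes] = None
    hw_type: int = ETHERNET
    client_id: Optional[str] = None


@dataclass
class Request:  # the fields of an incoming DHCP request that the rules look at
    chaddr: bytes
    htype: int = ETHERNET
    client_id: Optional[str] = None


def match_manual_pool(pools: List[ManualPool], req: Request) -> Optional[ManualPool]:
    """Return the manual pool that serves this request, or None.

    None means no manual binding applies; what the switch does next (for
    example a dynamic pool) is outside this model.
    """
    if req.client_id is not None:
        # Request carries a client identifier: only pools configured with that
        # identifier qualify, and the hardware address is not compared.
        wanted = req.client_id.lower()
        for pool in pools:
            if pool.client_id is not None and pool.client_id.lower() == wanted:
                return pool
        return None
    # No client identifier in the request: hardware address and type are
    # checked, but only against pools that have no client identifier set.
    for pool in pools:
        if pool.client_id is None and pool.hw_addr is not None \
                and (pool.hw_addr, pool.hw_type) == (req.chaddr, req.htype):
            return pool
    return None


def lint_pool(pool: ManualPool) -> List[str]:
    """Flag pool settings that the guide's rules make ineffective or invalid."""
    findings = []
    if len(pool.name) > 31:
        findings.append("pool name longer than 31 characters")
    if pool.client_id is not None and pool.hw_addr is not None:
        findings.append("hardware-address and client-identifier both set: "
                        "the hardware address is never checked")
    if pool.client_id is not None and not re.fullmatch(
            r"[0-9a-f]{2}(:[0-9a-f]{2})+", pool.client_id.lower()):
        findings.append("client-identifier is not in xx:xx:... format")
    return findings


# Constructed sample data mirroring the guide's manual1 and manual2 examples.
POOLS = [
    ManualPool("manual1", "15.12.1.99", hw_addr=parse_mac("0001.f401.2710")),
    ManualPool("manual2", "10.12.1.10", client_id="01:00:01:22:33:44:55"),
]

if __name__ == "__main__":
    samples = {
        "manual1 MAC, no client id": Request(parse_mac("00:01:f4:01:27:10")),
        "manual1 MAC, sends client id": Request(
            parse_mac("00:01:f4:01:27:10"),
            client_id=client_identifier("00:01:f4:01:27:10")),
        "manual2 client id": Request(
            parse_mac("00:01:22:33:44:55"), client_id="01:00:01:22:33:44:55"),
        "manual2 MAC, no client id": Request(parse_mac("00:01:22:33:44:55")),
    }
    for label, req in samples.items():
        pool = match_manual_pool(POOLS, req)
        print(f"{label:30s} -> {pool.name if pool else 'no manual binding'}")
```

A client that sends a client identifier option misses a pool keyed only on its hardware address, which is the case to check first when a reserved address is not handed out.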

clear dhcp pool client-identifier


Use this command to remove the unique identifier of a DHCP client from a manual binding address pool.

Syntax
clear dhcp pool poolname client-identifier

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.

Defaults
None.

Mode
Switch command, read-write.

Example
This example deletes the client identifier from the address pool named manual1.
A2(rw)->clear dhcp pool manual1 client-identifier

set dhcp pool client-name


Use this command to assign a name to a DHCP client when creating an address pool for manual binding.

Syntax
set dhcp pool poolname client-name name

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
name        Specifies the name to be assigned to this client. Client names may be up to 31 characters in length.

Defaults
None.

Mode
Switch command, read-write.

Example
This example configures the client name appsvr1 to the manual binding pool manual2.
A2(rw)->set dhcp pool manual2 client-identifier 01:22:33:44:55:66
A2(rw)->set dhcp pool manual2 host 10.12.1.10 255.255.255.0
A2(rw)->set dhcp pool manual2 client-name appsvr1

clear dhcp pool client-name


Use this command to delete a DHCP client name from an address pool for manual binding.

Syntax
clear dhcp pool poolname client-name

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.

Defaults
None.

Mode
Switch command, read-write.

Example
This example deletes the client name from the manual binding pool manual2.
A2(rw)->clear dhcp pool manual2 client-name

set dhcp pool bootfile


Use this command to specify a default boot image for the DHCP clients who will be served by the address pool being configured.

Syntax
set dhcp pool poolname bootfile filename

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
filename    Specifies the boot image file name.

Defaults
None.

Mode
Switch command, read-write.

Example
This example sets the boot image filename for address pool named auto1.
A2(rw)->set dhcp pool auto1 bootfile image1.img

clear dhcp pool bootfile


Use this command to remove a default boot image from the address pool being configured.

Syntax
clear dhcp pool poolname bootfile

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.

Defaults
None.

Mode
Switch command, read-write.

Example
This example removes the boot image filename from address pool named auto1.
A2(rw)->clear dhcp pool auto1 bootfile

set dhcp pool next-server


Use this command to specify the file server from which the default boot image is to be loaded by the client.

Syntax
set dhcp pool poolname next-server ip-address

Parameters
poolname      Specifies the name of the address pool. Pool names may be up to 31 characters in length.
ip-address    Specifies the IP address of the file server the DHCP client should contact to load the default boot image.

Defaults
None.

Mode
Switch command, read-write.

Example
This example specifies the file server from which clients being served by address pool auto1 should download the boot image file image1.img.
A2(rw)->set dhcp pool auto1 bootfile image1.img
A2(rw)->set dhcp pool auto1 next-server 10.1.1.10

clear dhcp pool next-server


Use this command to remove the boot image file server from the address pool being configured.

Syntax
clear dhcp pool poolname next-server

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.

Defaults
None.

Mode
Switch command, read-write.

Example
This example removes the file server from address pool auto1.
A2(rw)->clear dhcp pool auto1 next-server

set dhcp pool lease


Use this command to specify the duration of the lease for an IP address assigned by the DHCP server from the address pool being configured.

Syntax
set dhcp pool poolname lease {days [hours [minutes]] | infinite}

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
days        Specifies the number of days an address lease will remain valid. Value can range from 0 to 59.
hours       (Optional) When a days value has been assigned, specifies the number of hours an address lease will remain valid. Value can range from 0 to 1439.
minutes     (Optional) When a days value and an hours value have been assigned, specifies the number of minutes an address lease will remain valid. Value can range from 0 to 86399.
infinite    Specifies that the duration of the lease will be unlimited.

Defaults
If no lease time is specified, a lease duration of 1 day is configured.

Mode
Switch command, read-write.

Example
This example configures a lease duration of 12 hours for the address pool being configured. Note that to configure a lease time less than one day, enter 0 for days, then the number of hours and minutes.
A2(rw)->set dhcp pool auto1 lease 0 12

clear dhcp pool lease


Use this command to restore the default lease time value of one day for the address pool being configured.

Syntax
clear dhcp pool poolname lease

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.

Defaults
Clears the lease time for this address pool to the default value of one day.

Mode
Switch command, read-write.

Example
This example restores the default lease duration of one day for address pool auto1.
A2(rw)->clear dhcp pool auto1 lease

set dhcp pool default-router


Use this command to specify a default router list for the DHCP clients served by the address pool being configured. Up to 8 default routers can be configured.

Syntax
set dhcp pool poolname default-router address [address2 ... address8]

Parameters
poolname                 Specifies the name of the address pool. Pool names may be up to 31 characters in length.
address                  Specifies the IP address of a default router.
address2 ... address8    (Optional) Specifies, in order of preference, up to 7 additional default router addresses.

Defaults
None.

Mode
Switch command, read-write.

Example
This example assigns a default router at 10.10.10.1 to the address pool named auto1.
A2(rw)->set dhcp pool auto1 default-router 10.10.10.1

clear dhcp pool default-router


Use this command to delete the default routers configured for this address pool.

Syntax
clear dhcp pool poolname default-router

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.

Defaults
None.

Mode
Switch command, read-write.

Example
This example removes the default router from the address pool auto1.
A2(rw)->clear dhcp pool auto1 default-router

set dhcp pool dns-server


Use this command to specify one or more DNS servers for the DHCP clients served by the address pool being configured. Up to 8 DNS servers can be configured.

Syntax
set dhcp pool poolname dns-server address [address2 ... address8]

Parameters
poolname                 Specifies the name of the address pool. Pool names may be up to 31 characters in length.
address                  Specifies the IP address of a DNS server.
address2 ... address8    (Optional) Specifies, in order of preference, up to 7 additional DNS server addresses.

Defaults
None.

Mode
Switch command, read-write.

Example
This example assigns a DNS server at 10.14.10.1 to the address pool auto1.
A2(rw)->set dhcp pool auto1 dns-server 10.14.10.1

clear dhcp pool dns-server


Use this command to remove the DNS server list from the address pool being configured.

Syntax
clear dhcp pool poolname dns-server

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.

Defaults
None.

Mode
Switch command, read-write.

Example
This example removes the DNS server list from the address pool auto1.
A2(rw)->clear dhcp pool auto1 dns-server

set dhcp pool domain-name


Use this command to specify a domain name to be assigned to DHCP clients served by the address pool being configured.

Syntax
set dhcp pool poolname domain-name domain

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
domain      Specifies the domain name string. The domain name can be up to 255 characters in length.

Defaults
None.

Mode
Switch command, read-write.

Example
This example assigns the mycompany.com domain name to the address pool auto1.
A2(rw)->set dhcp pool auto1 domain-name mycompany.com

clear dhcp pool domain-name


Use this command to remove the domain name from the address pool being configured.

Syntax
clear dhcp pool poolname domain-name

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.

Defaults
None.

Mode
Switch command, read-write.

Example
This example removes the domain name from the address pool auto1.
A2(rw)->clear dhcp pool auto1 domain-name

set dhcp pool netbios-name-server


Use this command to assign one or more NetBIOS name servers for the DHCP clients served by the address pool being configured. Up to 8 NetBIOS name servers can be configured.

Syntax
set dhcp pool poolname netbios-name-server address [address2 ... address8]

Parameters
poolname                 Specifies the name of the address pool. Pool names may be up to 31 characters in length.
address                  Specifies the IP address of a NetBIOS name server.
address2 ... address8    (Optional) Specifies, in order of preference, up to 7 additional NetBIOS name server addresses.

Defaults
None.

Mode
Switch command, read-write.

Example
This example assigns a NetBIOS name server at 10.15.10.1 to the address pool being configured.
A2(rw)->set dhcp pool auto1 netbios-name-server 10.15.10.1

clear dhcp pool netbios-name-server


Use this command to remove the NetBIOS name server list from the address pool being configured.

Syntax
clear dhcp pool poolname netbios-name-server

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.

Defaults
None.

Mode
Switch command, read-write.

Example
This example removes the NetBIOS name server list from the address pool auto1.
A2(rw)->clear dhcp pool auto1 netbios-name-server

set dhcp pool netbios-node-type


Use this command to specify a NetBIOS node (server) type for the DHCP clients served by the address pool being configured.

Syntax
set dhcp pool poolname netbios-node-type {b-node | h-node | p-node | m-node}

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
b-node      Specifies the NetBIOS node type to be broadcast (no WINS).
h-node      Specifies the NetBIOS node type to be hybrid (WINS, then broadcast).
p-node      Specifies the NetBIOS node type to be peer (WINS only).
m-node      Specifies the NetBIOS node type to be mixed (broadcast, then WINS).

Defaults
None.

Mode
Switch command, read-write.

Example
This example specifies hybrid as the NetBIOS node type for the address pool auto1.
A2(rw)->set dhcp pool auto1 netbios-node-type h-node

clear dhcp pool netbios-node-type


Use this command to remove the NetBIOS node type from the address pool being configured.

Syntax
clear dhcp pool poolname netbios-node-type

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.

Defaults
None.

Mode
Switch command, read-write.

Example
This example removes the NetBIOS node type from the address pool auto1.
A2(rw)->clear dhcp pool auto1 netbios-node-type

set dhcp pool option


Use this command to configure DHCP options, described in RFC 2132.

Syntax
set dhcp pool poolname option code {ascii string | hex string-list | ip address-list}

Parameters
poolname           Specifies the name of the address pool. Pool names may be up to 31 characters in length.
code               Specifies the DHCP option code, as defined in RFC 2132. Value can range from 1 to 254.
ascii string       Specifies the data in ASCII format. An ASCII character string containing a space must be enclosed in quotations.
hex string-list    Specifies the data in HEX format. Up to 8 HEX strings can be entered.
ip address-list    Specifies the data in IP address format. Up to 8 IP addresses can be entered.

Defaults
None.

Mode
Switch command, read-write.

Examples
This example configures DHCP option 19, which specifies whether the client should configure its IP layer for packet forwarding. In this case, IP forwarding is enabled with the 01 value.
A2(rw)->set dhcp pool auto1 option 19 hex 01

This example configures DHCP option 72, which assigns one or more Web servers for DHCP clients. In this case, two Web server addresses are configured.
A2(rw)->set dhcp pool auto1 option 72 ip 168.24.3.252 168.24.3.253

clear dhcp pool option


Use this command to remove a DHCP option from the address pool being configured.

Syntax
clear dhcp pool poolname option code

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
code        Specifies the DHCP option code, as defined in RFC 2132. Value can range from 1 to 254.

Defaults
None.

Mode
Switch command, read-write.

Example
This example removes option 19 from address pool auto1.
A2(rw)->clear dhcp pool auto1 option 19

show dhcp pool configuration


Use this command to display configuration information for one or all address pools.

Syntax
show dhcp pool configuration {poolname | all}

Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.

Defaults
None.

Mode
Read-only.

Example
This example displays configuration information for all address pools.
A2(rw)->show dhcp pool configuration all
Pool: Atg_Pool
Pool Type                Dynamic
Network                  192.0.0.0 255.255.255.0
Lease Time               1 days 0 hrs 0 mins
Default Routers          192.0.0.1

Pool: static1
Pool Type                Manual
Client Name              appsvr1
Client Identifier        01:00:01:f4:01:27:10
Host                     10.1.1.1 255.0.0.0
Lease Time               infinite
Option                   19 hex 01

Pool: static2
Pool Type                Manual
Hardware Address         00:01:f4:01:27:10
Hardware Address Type    ieee802
Host                     192.168.10.1 255.255.255.0
Lease Time               infinite

14
Security Configuration
This chapter describes the Security Configuration set of commands and how to use them.

For information about...                        Refer to page...
Overview of Security Methods                    14-1
Configuring RADIUS                              14-3
Configuring 802.1X Authentication               14-11
Configuring MAC Authentication                  14-22
Configuring Multiple Authentication Methods     14-34
Configuring VLAN Authorization (RFC 3580)       14-41
Configuring MAC Locking                         14-45
Configuring Secure Shell (SSH)                  14-55
Configuring Layer 2 Access Control Lists        14-57

Overview of Security Methods


The following security methods are available for controlling which users are allowed to access, monitor, and manage the switch.
• Login user accounts and passwords: used to log in to the CLI via a Telnet connection or local COM port connection. For details, refer to "Setting User Accounts and Passwords" on page 3-2.
• Host Access Control Authentication (HACA) authenticates user access of Telnet management, console local management and WebView via a central RADIUS Client/Server application. When RADIUS is enabled, this essentially overrides login user accounts. When HACA is active per a valid RADIUS configuration, the user names and passwords used to access the switch via Telnet, SSH, WebView, and COM ports will be validated against the configured RADIUS server. Only in the case of a RADIUS timeout will those credentials be compared against credentials locally configured on the switch. For details, refer to "Configuring RADIUS" on page 14-3.
• SNMP user or community names allows access to the SecureStack A2 switch via a network SNMP management application. To access the switch, you must enter an SNMP user or community name string. The level of management access is dependent on the associated access policy. For details, refer to Chapter 5.
• 802.1X Port Based Network Access Control using EAPOL (Extensible Authentication Protocol) provides a mechanism via a RADIUS server for administrators to securely authenticate and grant appropriate access to end user devices communicating with SecureStack A2 ports. For details on using CLI commands to configure 802.1X, refer to "Configuring 802.1X Authentication" on page 14-11.

Note: To configure EAP pass-through, which allows client authentication packets to be forwarded through the switch to an upstream device, 802.1X authentication must be globally disabled with the set dot1x command.

• MAC Authentication provides a mechanism for administrators to securely authenticate source MAC addresses and grant appropriate access to end user devices communicating with SecureStack A2 ports. For details, refer to "Configuring MAC Authentication" on page 14-22.
• Multiple Authentication Methods allows users to authenticate using multiple methods of authentication on the same port. For details, refer to "Configuring Multiple Authentication Methods" on page 14-34.
• RFC 3580 Tunnel Attributes provide a mechanism to contain an 802.1X authenticated user to a VLAN regardless of the PVID. Refer to "Configuring VLAN Authorization (RFC 3580)" on page 14-41.
• MAC Locking locks a port to one or more MAC addresses, preventing the use of unauthorized devices and MAC spoofing on the port. For details, refer to "Configuring MAC Locking" on page 14-45.
• Secure Shell (SSH) provides secure Telnet. For details, refer to "Configuring Secure Shell (SSH)" on page 14-55.
• Layer 2 Access Control Lists allows filtering ingressing packets based on IP or MAC address. For details, refer to "Configuring Layer 2 Access Control Lists" on page 14-57.

Configuring RADIUS
Purpose
To perform the following:
• Review the RADIUS client/server configuration on the switch.
• Enable or disable the RADIUS client.
• Set local and remote login options.
• Set primary and secondary server parameters, including IP address, timeout period, authentication realm, and number of user login attempts allowed.
• Reset RADIUS server settings to default values.
• Configure a RADIUS accounting server.

Commands
The commands used to review and configure RADIUS are listed below:

For information about...       Refer to page...
show radius                    14-4
set radius                     14-5
clear radius                   14-7
show radius accounting         14-8
set radius accounting          14-9
clear radius accounting        14-10

show radius
Use this command to display the current RADIUS client/server configuration.

Syntax
show radius [status | retries | timeout | server [index | all]]

Parameters
status         (Optional) Displays the RADIUS server's enable status.
retries        (Optional) Displays the number of retry attempts before the RADIUS server times out.
timeout        (Optional) Displays the maximum amount of time (in seconds) to establish contact with the RADIUS server before retry attempts begin.
server         (Optional) Displays RADIUS server configuration information.
index | all    For use with the server parameter to show server configuration for all servers or a specific RADIUS server as defined by an index.

Defaults
If no parameters are specified, all RADIUS configuration information will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display RADIUS configuration information:
A2(rw)->show radius
RADIUS status: Enabled
RADIUS retries: 3
RADIUS timeout: 20 seconds
RADIUS Server  IP Address    Auth-Port  Realm-Type
-------------  ----------    ---------  -----------------
10             172.16.20.10  1812       management-access

Table 14-1 provides an explanation of the command output.

Table 14-1    show radius Output Details

Output            What It Displays...
RADIUS status     Whether RADIUS is enabled or disabled.
RADIUS retries    Number of retry attempts before the RADIUS server times out. The default value of 3 can be reset using the set radius command as described in "set radius" on page 14-5.
RADIUS timeout    Maximum amount of time (in seconds) to establish contact with the RADIUS server before retry attempts begin. The default value of 20 can be reset using the set radius command as described in "set radius" on page 14-5.
RADIUS Server     RADIUS server's index number, IP address, and UDP authentication port.
Realm-Type        Realm defines who has to go through the RADIUS server for authentication.
                  • Management-access: This means that anyone trying to access the switch (Telnet, SSH, Local Management) has to authenticate through the RADIUS server.
                  • Network-access: This means that all the users have to authenticate to a RADIUS server before they are allowed access to the network.
                  • Any-access: Means that both Management-access and Network-access have been enabled.

set radius
Use this command to enable, disable, or configure RADIUS authentication.

Syntax
set radius {enable | disable} | {retries number-of-retries} | {timeout timeout} | {server index ip-address port [secret-value] [realm {management-access | any | network-access}]} | {realm {management-access | any | network-access} {index | all}}

Parameters
enable | disable                Enables or disables the RADIUS client.
retries number-of-retries       Specifies the number of retry attempts before the RADIUS server times out. Valid values are from 1 to 10. Default is 3.
timeout timeout                 Specifies the maximum amount of time (in seconds) to establish contact with the RADIUS server before retry attempts begin. Valid values are from 1 to 30. Default is 20 seconds.
server index ip-address port    Specifies the index number, IP address and the UDP authentication port for the RADIUS server.
secret-value                    (Optional) Specifies an encryption key to be used for authentication between the RADIUS client and server.
realm management-access | any | network-access
                                Realm allows you to define who has to go through the RADIUS server for authentication.
                                • management-access: This means that anyone trying to access the switch (Telnet, SSH, Local Management) has to authenticate through the RADIUS server.
                                • network-access: This means that all the users have to authenticate to a RADIUS server before they are allowed access to the network.
                                • any: Means that both management-access and network-access have been enabled.

Note: If the management-access or any access realm has been configured, the local admin account is disabled for access to the switch using the console, Telnet, or Local Management. Only the network-access realm allows access to the local admin account.

index | all                     Applies the realm setting to a specific server or to all servers.

Defaults
If secret-value is not specified, none will be applied.
If realm is not specified, the any access realm will be used.

Mode
Switch command, read-write.

Usage
The SecureStack A2 device allows up to 10 RADIUS accounting servers to be configured, with up to two servers active at any given time.
The RADIUS client can only be enabled on the switch once a RADIUS server is online, and its IP address(es) has been configured with the same password the RADIUS client will use.

Examples
This example shows how to enable the RADIUS client for authenticating with RADIUS server 1 at IP address 192.168.6.203, UDP authentication port 1812, and an authentication password of pwsecret. As previously noted, the server secret password entered here must match that already configured as the Read-Write (rw) password on the RADIUS server:
A2(su)->set radius server 1 192.168.6.203 1812 pwsecret

This example shows how to set the RADIUS timeout to 5 seconds:
A2(su)->set radius timeout 5

This example shows how to set RADIUS retries to 10:
A2(su)->set radius retries 10

This example shows how to force any management-access to the switch (Telnet, web, SSH) to authenticate through a RADIUS server. The all parameter at the end of the command means that any of the defined RADIUS servers can be used for this Authentication.
A2(rw)->set radius realm management-access all

clear radius
Use this command to clear RADIUS server settings.

Syntax
clear radius [retries] | [timeout] | [server {index | all | realm {index | all}}]

Parameters
retries        Resets the maximum number of attempts a user can contact the RADIUS server before timing out to 3.
timeout        Resets the maximum amount of time to establish contact with the RADIUS server before timing out to 20 seconds.
server         Deletes server settings.
index | all    For use with the server parameter to clear the server configuration for all servers or a specific RADIUS server as defined by an index.
realm          Resets the realm setting for all servers or a specific RADIUS server as defined by an index.

Mode
Switch command, read-write.

Defaults
None.

Examples
This example shows how to clear all settings on all RADIUS servers:
A2(su)->clear radius server all

This example shows how to reset the RADIUS timeout to the default value of 20 seconds:
A2(su)->clear radius timeout

show radius accounting


Use this command to display the RADIUS accounting configuration. This transmits accounting information between a network access server and a shared accounting server.

Syntax
show radius accounting [server] | [counter ip-address] | [retries] | [timeout]

Parameters
server                (Optional) Displays one or all RADIUS accounting server configurations.
counter ip-address    (Optional) Displays counters for a RADIUS accounting server.
retries               (Optional) Displays the maximum number of attempts to contact the RADIUS accounting server before timing out.
timeout               (Optional) Displays the maximum amount of time before timing out.

Mode
Switch command, read-only.

Defaults
If no parameters are specified, all RADIUS accounting configuration information will be displayed.

Example
This example shows how to display RADIUS accounting configuration information. In this case, RADIUS accounting is not currently enabled and global default settings have not been changed. One server has been configured.
For details on enabling and configuring RADIUS accounting, refer to "set radius accounting" on page 14-9:
A2(ro)->show radius accounting
RADIUS accounting status: Disabled
RADIUS Acct Server  IP Address   Acct-Port  Retries  Timeout  Status
------------------  ----------   ---------  -------  -------  ------
1                   172.16.2.10  1856       3        20       Disabled

set radius accounting


Use this command to configure RADIUS accounting.

Syntax
set radius accounting {[enable | disable] [retries retries] [timeout timeout] [server ip_address port [server-secret]]}

Parameters
enable | disable    Enables or disables the RADIUS accounting client.
retries retries     Sets the maximum number of attempts to contact a specified RADIUS accounting server before timing out. Valid retry values are 1 - 10.
timeout timeout     Sets the maximum amount of time (in seconds) to establish contact with a specified RADIUS accounting server before timing out. Valid timeout values are 1 - 30.
server ip_address port server-secret
                    Specifies the accounting server's:
                    • IP address
                    • UDP authentication port (0 - 65535)
                    • server-secret (Read-Write password to access this accounting server. Device will prompt for this entry upon creating a server instance, as shown in the example below.)

Mode
Switch command, read-write.

Defaults
None.

Examples
This example shows how to enable the RADIUS accounting client for authenticating with the accounting server at IP address 10.2.4.12, UDP authentication port 1800. As previously noted, the server secret password entered here must match that already configured as the Read-Write (rw) password on the RADIUS accounting server:
A2(su)->set radius accounting server 10.2.4.12 1800
Enter secret:
Re-enter secret:

This example shows how to set the RADIUS accounting timeout to 30 seconds:
A2(su)->set radius accounting timeout 30

This example shows how to set RADIUS accounting retries to 10:
A2(su)->set radius accounting retries 10

SecureStack A2 Configuration Guide

14-9

clear radius accounting

clear radius accounting


Use this command to clear RADIUS accounting configuration settings.

Syntax
clear radius accounting {server ip-address | retries | timeout | counter}

Parameters
server ip-address  Clears the configuration on one or more accounting servers.
retries            Resets the retries to the default value of 2.
timeout            Resets the timeout to 5 seconds.
counter            Clears counters.

Mode
Switch command, read-write.

Defaults
None.

Example
This example shows how to reset the RADIUS accounting timeout to 5 seconds.
A2(su)->clear radius accounting timeout

Configuring 802.1X Authentication


Purpose
To review and configure 802.1X authentication for one or more ports using EAPOL (Extensible Authentication Protocol). 802.1X controls network access by enforcing user authorization on selected ports, which results in allowing or denying network access according to RADIUS server configuration.

Note: One user per EAPOL-configured port can be authenticated on SecureStack A2 devices. Only one method of authentication can be deployed per port.

Note: To configure EAP pass-through, which allows client authentication packets to be forwarded through the switch to an upstream device, 802.1X authentication must be globally disabled with the set dot1x command (set dot1x on page 14-15).

Commands
The commands used to review and configure 802.1X are listed below:

For information about...   Refer to page...
show dot1x                 14-12
show dot1x auth-config     14-13
set dot1x                  14-15
set dot1x auth-config      14-16
clear dot1x auth-config    14-17
show eapol                 14-18
set eapol                  14-20
clear eapol                14-21

show dot1x
Use this command to display 802.1X status, diagnostics, statistics, and reauthentication or initialization control information for one or more ports.

Syntax
show dot1x [auth-diag] [auth-stats] [port [init | reauth]] [port-string]

Parameters
auth-diag           (Optional) Displays authentication diagnostics information.
auth-stats          (Optional) Displays authentication statistics.
port init | reauth  (Optional) Displays the status of port initialization and reauthentication control for the port.
port-string         (Optional) Displays information for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If no parameters are specified, 802.1X status will be displayed.
If port-string is not specified, information for all ports will be displayed.

Mode
Switch command, read-only.

Examples
This example shows how to display 802.1X status:
A2(su)->show dot1x
DOT1X is disabled.

This example shows how to display authentication diagnostics information for fe.1.1:
A2(su)->show dot1x auth-diag fe.1.1
Port : 1 Auth-Diag
Enter Connecting:                 0
EAP Logoffs While Connecting:     0
Enter Authenticating:             0
Success While Authenticating      0
Timeouts While Authenticating:    0
Fails While Authenticating:       0
ReAuths While Authenticating:     0
EAP Starts While Authenticating:  0
EAP logoff While Authenticating:  0
Backend Responses:                0
Backend Access Challenges:        0
Backend Others Requests To Supp:  0
Backend NonNak Responses From:    0
Backend Auth Successes:           0
Backend Auth Fails:               0

This example shows how to display authentication statistics for fe.1.1:
A2(su)->show dot1x auth-stats fe.1.1
Port: 1 Auth-Stats
EAPOL Frames Rx:              0
EAPOL Frames Tx:              0
EAPOL Start Frames Rx:        0
EAPOL Logoff Frames Rx:       0
EAPOL RespId Frames Rx:       0
EAPOL Resp Frames Rx:         0
EAPOL Req Frames Tx:          0
EAP Length Error Frames Rx:   0
Last EAPOL Frame Version:     0
Last EAPOL Frame Source:      00:00:00:00:00:00

This example shows how to display the status of port reauthentication control for fe.1.1 through fe.1.6:
A2(su)->show dot1x port reauth fe.1.1-6
Port 1: Port reauthenticate: FALSE
Port 2: Port reauthenticate: FALSE
Port 3: Port reauthenticate: FALSE
Port 4: Port reauthenticate: FALSE
Port 5: Port reauthenticate: FALSE
Port 6: Port reauthenticate: FALSE

show dot1x auth-config


Use this command to display 802.1X authentication configuration settings for one or more ports.

Syntax
show dot1x auth-config [authcontrolled-portcontrol] [maxreq] [quietperiod] [reauthenabled] [reauthperiod] [servertimeout] [supptimeout] [txperiod] [port-string]

Parameters
authcontrolled-portcontrol  (Optional) Displays the current value of the controlled Port control parameter for the port.
maxreq                      (Optional) Displays the value set for maximum requests currently in use by the backend authentication state machine.
quietperiod                 (Optional) Displays the value set for quiet period currently in use by the authenticator PAE state machine.
reauthenabled               (Optional) Displays the state of reauthentication control used by the Reauthentication Timer state machine.
reauthperiod                (Optional) Displays the value, in seconds, set for the reauthentication period used by the reauthentication timer state machine.
servertimeout               (Optional) Displays the server timeout value, in seconds, currently in use by the backend authentication state machine.
supptimeout                 (Optional) Displays the authentication supplicant timeout value, in seconds, currently in use by the backend authentication state machine.
txperiod                    (Optional) Displays the transmission period value, in seconds, currently in use by the authenticator PAE state machine.
port-string                 (Optional) Limits the display of desired information to specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If no parameters are specified, all 802.1X settings will be displayed.
If port-string is not specified, information for all ports will be displayed.

Mode
Switch command, read-only.

Examples
This example shows how to display the EAPOL port control mode for fe.1.1:
A2(su)->show dot1x auth-config authcontrolled-portcontrol fe.1.1
Port 1: Auth controlled port control: Auto

This example shows how to display the 802.1X quiet period settings for fe.1.1:
A2(su)->show dot1x auth-config quietperiod fe.1.1
Port 1: Quiet period: 30

This example shows how to display all 802.1X authentication configuration settings for ge.1.1:
A2(ro)->show dot1x auth-config ge.1.1
Port : 1 Auth-Config
PAE state:                     Initialize
Backend auth state:            Initialize
Admin controlled directions:   Both
Oper controlled directions:    Both
Auth controlled port status:   Authorized
Auth controlled port control:  Auto
Quiet period:                  60
Transmission period:           30
Supplicant timeout:            30
Server timeout:                30
Maximum requests:              2
Reauthentication period:       3600
Reauthentication control:      Disabled

set dot1x
Use this command to enable or disable 802.1X authentication, to reauthenticate one or more access entities, or to reinitialize one or more supplicants.

Syntax
set dot1x {enable | disable | port {init | reauth} {true | false} [port-string]}

Parameters
enable | disable  Enables or disables 802.1X.
port              Enable or disable 802.1X reauthentication or initialization control on one or more ports.
init | reauth     Configure initialization or reauthentication control.
true | false      Enable (true) or disable (false) reinitialization/reauthentication.
port-string       (Optional) Specifies the port(s) to reinitialize or reauthenticate.

Defaults
If no ports are specified, the reinitialization or reauthentication setting will be applied to all ports.

Mode
Switch command, read-write.

Usage
Disabling 802.1X authentication globally, by not entering a specific port-string value, will enable the EAP pass-through feature. EAP pass-through allows client authentication packets to be forwarded unmodified through the switch to an upstream device.

Examples
This example shows how to enable 802.1X:
A2(su)->set dot1x enable

This example shows how to reinitialize ge.1.2:
A2(rw)->set dot1x port init true ge.1.2

set dot1x auth-config


Use this command to configure 802.1X authentication.

Syntax
set dot1x auth-config {[authcontrolled-portcontrol {auto | forced-auth | forced-unauth}] [maxreq value] [quietperiod value] [reauthenabled {false | true}] [reauthperiod value] [servertimeout timeout] [supptimeout timeout] [txperiod value]} [port-string]

Parameters
authcontrolled-portcontrol auto | forced-auth | forced-unauth  Specifies the 802.1X port control mode.
    auto - Set port control mode to auto controlled port control. This is the default value.
    forced-auth - Set port control mode to ForcedAuthorized controlled port control.
    forced-unauth - Set port control mode to ForcedUnauthorized controlled port control.
maxreq value                Specifies the maximum number of authentication requests allowed by the backend authentication state machine. Valid values are 1 - 10. Default value is 2.
quietperiod value           Specifies the time (in seconds) following a failed authentication before another attempt can be made by the authenticator PAE state machine. Valid values are 0 - 65535. Default value is 60 seconds.
reauthenabled false | true  Enables (true) or disables (false) reauthentication control of the reauthentication timer state machine. Default value is false.
reauthperiod value          Specifies the time lapse (in seconds) between attempts by the reauthentication timer state machine to reauthenticate a port. Valid values are 0 - 65535. Default value is 3600 seconds.
servertimeout timeout       Specifies a timeout period (in seconds) for the authentication server, used by the backend authentication state machine. Valid values are 1 - 300. Default value is 30 seconds.
supptimeout timeout         Specifies a timeout period (in seconds) for the authentication supplicant used by the backend authentication state machine. Valid values are 1 - 300. Default value is 30 seconds.
txperiod value              Specifies the period (in seconds) which passes between authenticator PAE state machine EAP transmissions. Valid values are 0 - 65535. Default value is 30 seconds.
port-string                 (Optional) Limits the configuration of desired settings to specified port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, authentication parameters will be set on all ports.

Mode
Switch command, read-write.

Examples
This example shows how to enable reauthentication control on ports fe.1.1-3:
A2(su)->set dot1x auth-config reauthenabled true fe.1.1-3

This example shows how to set the 802.1X quiet period to 120 seconds on ports fe.1.1-3:
A2(su)->set dot1x auth-config quietperiod 120 fe.1.1-3

clear dot1x auth-config


Use this command to reset 802.1X authentication parameters to default values on one or more ports.

Syntax
clear dot1x auth-config [authcontrolled-portcontrol] [maxreq] [quietperiod] [reauthenabled] [reauthperiod] [servertimeout] [supptimeout] [txperiod] [port-string]

Parameters
authcontrolled-portcontrol  (Optional) Resets the 802.1X port control mode to auto.
maxreq                      (Optional) Resets the maximum requests value to 2.
quietperiod                 (Optional) Resets the quiet period value to 60 seconds.
reauthenabled               (Optional) Resets the reauthentication control state to disabled (false).
reauthperiod                (Optional) Resets the reauthentication period value to 3600 seconds.
servertimeout               (Optional) Resets the server timeout value to 30 seconds.
supptimeout                 (Optional) Resets the authentication supplicant timeout value to 30 seconds.
txperiod                    (Optional) Resets the transmission period value to 30 seconds.
port-string                 (Optional) Resets settings on specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If no parameters are specified, all authentication parameters will be reset.
If port-string is not specified, parameters will be set on all ports.

Mode
Switch command, read-write.

Examples
This example shows how to reset the 802.1X port control mode to auto on all ports:
A2(su)->clear dot1x auth-config authcontrolled-portcontrol

This example shows how to reset reauthentication control to disabled on ports fe.1.1-3:
A2(su)->clear dot1x auth-config reauthenabled fe.1.1-3

This example shows how to reset the 802.1X quiet period to 60 seconds on ports fe.1.1-3:
A2(su)->clear dot1x auth-config quietperiod fe.1.1-3

show eapol
Use this command to display EAPOL status or settings for one or more ports.

Syntax
show eapol [port-string]

Parameters
port-string  (Optional) Displays EAPOL status for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, only EAPOL enable status will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display EAPOL status for ports fe.1.1-3:
A2(su)->show eapol fe.1.1-3
EAPOL is disabled.

Port      Authentication State  Authentication Mode
--------  --------------------  --------------------
fe.1.1    Initialize            Auto
fe.1.2    Initialize            Auto
fe.1.3    Initialize            Auto

Table 14-2 provides an explanation of the command output. For details on using the set eapol command to enable the protocol and assign an authentication mode, refer to set eapol on page 14-20.

Table 14-2    show eapol Output Details

Output                What It Displays...
Port                  Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
Authentication State  Current EAPOL authentication state for each port. Possible internal states for the authenticator (switch) are:
    initialize: A port is in the initialize state when:
        authentication is disabled,
        authentication is enabled and the port is not linked, or
        authentication is enabled and the port is linked. (In this case very little time is spent in this state, it immediately transitions to the connecting state, via disconnected.)
    disconnected: The port passes through this state on its way to connected whenever the port is reinitialized, via link state change, reauthentication failure, or management intervention.
    connecting: While in this state, the authenticator sends request/ID messages to the end user.
    authenticating: The port enters this state from connecting after receiving a response/ID from the end user. It remains in this state until the entire authentication exchange between the end user and the authentication server completes.
    authenticated: The port enters this state from authenticating state after the exchange completes with a favorable result. It remains in this state until linkdown, logoff, or until a reauthentication begins.
    aborting: The port enters this state from authenticating when any event occurs that interrupts the login exchange.
    held: After any login failure the port remains in this state for the number of seconds equal to quietPeriod (can be set using MIB).
    forceAuth: Management is allowing normal, unsecured switching on this port.
    forceUnauth: Management is preventing any frames from being forwarded to or from this port.
Authentication Mode   Mode enabling network access for each port. Modes include:
    Auto: Frames are forwarded according to the authentication state of each port.
    Forced Authorized Mode: Meant to disable authentication on a port. It is intended for ports that support ISLs and devices that cannot authenticate, such as printers and file servers. If a default policy is applied to the port via the policy profile MIB, then frames are forwarded according to the configuration set by that policy, otherwise frames are forwarded according to the current configuration for that port. Authentication using 802.1X is not possible on a port in this mode.
    Forced Unauthorized Mode: All frames received on the port are discarded by a filter. Authentication using 802.1X is not possible on a port in this mode.
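
The following Python sketch is an added example, not part of the Enterasys guide: it audits captured show eapol output against the states and modes in Table 14-2 and flags ports where 802.1X is bypassed or a login has just failed. The column layout, the strings printed for forced modes, and the severity labels are assumptions, and the sample output is constructed.

```python
import re

# Port designations as used on this page (fe.x.y / ge.x.y).
PORT_RE = re.compile(r"^(?:fe|ge)\.\d+\.\d+$")

# Constructed sample, laid out like the show eapol example above.
# The strings shown for forced modes are assumed, not taken from a device.
SAMPLE_OUTPUT = """\
A2(su)->show eapol fe.1.1-4
EAPOL is enabled.

Port      Authentication State  Authentication Mode
--------  --------------------  --------------------
fe.1.1    Authenticated         Auto
fe.1.2    Held                  Auto
fe.1.3    ForceAuth             Forced Authorized
fe.1.4    ForceUnauth           Forced Unauthorized
"""


def normalize(text):
    """Lower-case and drop spaces/hyphens so 'forced-auth' == 'Forced Auth'."""
    return re.sub(r"[^a-z]", "", text.lower())


def parse_show_eapol(output):
    """Return (globally_enabled, [{'port', 'state', 'mode'}, ...])."""
    enabled = None
    ports = []
    for raw in output.splitlines():
        line = raw.strip()
        status = re.match(r"EAPOL is (enabled|disabled)\.", line)
        if status:
            enabled = status.group(1) == "enabled"
            continue
        # Columns are separated by two or more spaces; a mode may contain
        # single spaces ("Forced Authorized"), so split at most twice.
        cols = re.split(r"\s{2,}", line, maxsplit=2)
        if len(cols) == 3 and PORT_RE.match(cols[0]):
            ports.append({"port": cols[0], "state": cols[1], "mode": cols[2]})
    return enabled, ports


def audit_eapol(output):
    """Return findings as (port, severity, reason); '*' means switch-wide."""
    enabled, ports = parse_show_eapol(output)
    findings = []
    if enabled is False:
        findings.append(("*", "high", "EAPOL is globally disabled"))
    for entry in ports:
        state, mode = normalize(entry["state"]), normalize(entry["mode"])
        if "unauth" in mode or state == "forceunauth":
            findings.append((entry["port"], "info",
                             "forced unauthorized: all received frames are discarded"))
        elif mode.startswith("forced") or state == "forceauth":
            findings.append((entry["port"], "high",
                             "forced authorized: 802.1X is not possible on this port"))
        elif state == "held":
            findings.append((entry["port"], "medium",
                             "held: a login failed and the quiet period is running"))
    return findings


if __name__ == "__main__":
    for port, severity, reason in audit_eapol(SAMPLE_OUTPUT):
        print(f"{severity:6} {port:8} {reason}")
```

Forced-authorized findings are expected on ISL and printer ports, so compare them against the list of ports approved for that mode.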


set eapol
Use this command to enable or disable EAPOL port-based user authentication with the RADIUS server and to set the authentication mode for one or more ports.

Syntax
set eapol [enable | disable] [auth-mode {auto | forced-auth | forced-unauth} port-string]

Parameters
enable | disable                                Enables or disables EAPOL.
auth-mode auto | forced-auth | forced-unauth    Specifies the authentication mode as:
    auto - Auto authorization mode. This is the default mode and will forward frames according to the authentication state of the port. For details on this mode, refer to Table 14-2.
    forced-auth - Forced authorized mode, which disables authentication on the port.
    forced-unauth - Forced unauthorized mode, which filters and discards all frames received on the port.
port-string                                     Specifies the port(s) on which to set EAPOL parameters. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Examples
This example shows how to enable EAPOL:
A2(su)->set eapol enable

This example shows how to enable EAPOL with forced authorized mode on port fe.1.1:
A2(su)->set eapol auth-mode forced-auth fe.1.1

clear eapol
Use this command to globally clear the EAPOL authentication mode, or to clear settings for one or more ports.

Syntax
clear eapol [auth-mode] [port-string]

Parameters
auth-mode    (Optional) Globally clears the EAPOL authentication mode.
port-string  Specifies the port(s) on which to clear EAPOL parameters. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If auth-mode is not specified, all EAPOL settings will be cleared.
If port-string is not specified, settings will be cleared for all ports.

Mode
Switch command, read-write.

Example
This example shows how to clear the EAPOL authentication mode for port ge.1.3:
A2(su)->clear eapol auth-mode ge.1.3

Configuring MAC Authentication


Purpose
To review, disable, enable and configure MAC authentication. This authentication method allows the device to authenticate source MAC addresses in an exchange with an authentication server. The authenticator (switch) selects a source MAC seen on a MAC-authentication-enabled port and submits it to a backend client for authentication. The backend client uses the MAC address stored password, if required, as credentials for an authentication attempt. If accepted, a string representing an access policy may be returned. If present, the switch applies the associated policy rules.
You can specify a mask to apply to MAC addresses when authenticating users through a RADIUS server (see set macauthentication significant-bits on page 14-32). The most common use of significant bit masks is for authentication of all MAC addresses for a specific vendor.

Commands
The commands needed to review, enable, disable, and configure MAC authentication are listed below:

For information about...                   Refer to page...
show macauthentication                     14-23
show macauthentication session             14-24
set macauthentication                      14-25
set macauthentication password             14-26
clear macauthentication password           14-26
set macauthentication port                 14-27
set macauthentication portinitialize       14-27
set macauthentication portquietperiod      14-28
clear macauthentication portquietperiod    14-28
set macauthentication macinitialize        14-29
set macauthentication reauthentication     14-29
set macauthentication portreauthenticate   14-30
set macauthentication macreauthenticate    14-30
set macauthentication reauthperiod         14-31
clear macauthentication reauthperiod       14-32
set macauthentication significant-bits     14-32
clear macauthentication significant-bits   14-33

show macauthentication
Use this command to display MAC authentication information for one or more ports.

Syntax
show macauthentication [port-string]

Parameters
port-string  (Optional) Displays MAC authentication information for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, MAC authentication information will be displayed for all ports.

Mode
Switch command, read-only.

Example
This example shows how to display MAC authentication information for ge.2.1 through 8:
A2(su)->show macauthentication ge.2.1-8
MAC authentication:             - enabled
MAC user password:              - NOPASSWORD
Port username significant bits  - 48

Port     Port      Reauth      Auth      Auth       Reauthentications
         State     Period      Allowed   Allocated
-------  --------  ----------  --------  ---------  -----------------
ge.2.1   disabled  3600        1         1          disabled
ge.2.2   disabled  3600        1         1          disabled
ge.2.3   disabled  3600        1         1          disabled
ge.2.4   disabled  3600        1         1          disabled
ge.2.5   disabled  3600        1         1          disabled
ge.2.6   disabled  3600        1         1          disabled
ge.2.7   disabled  3600        1         1          disabled
ge.2.8   disabled  3600        1         1          disabled

Table 14-3 provides an explanation of the command output.

Table 14-3    show macauthentication Output Details

Output                          What It Displays...
MAC authentication              Whether MAC authentication is globally enabled or disabled. Set using the set macauthentication command as described in set macauthentication on page 14-25.
MAC user password               User password associated with MAC authentication on the device. Set using the set macauthentication password command as described in set macauthentication password on page 14-26.
Port username significant bits  Number of significant bits in the MAC addresses to be used starting with the left-most bit of the vendor portion of the MAC address. The significant portion of the MAC address is sent as a user-name credential when the primary attempt to authenticate the full MAC address fails. Any other failure to authenticate the full address, (i.e., authentication server timeout) causes the next attempt to start once again with a full MAC authentication. Default value of 48 can be changed with the set macauthentication significant-bits command.
Port                            Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
Port State                      Whether or not MAC authentication is enabled or disabled on this port.
Reauth Period                   Reauthentication period for this port. Default value of 30 can be changed using the set macauthentication reauthperiod command (page 14-31).
Auth Allowed                    Number of concurrent authentications supported on this port. Default is 1 and cannot be reset.
Auth Allocated                  Maximum number of MAC authentications permitted on this port. Default is 1 and cannot be reset.
Reauthentications               Whether or not reauthentication is enabled or disabled on this port. Set using the set macauthentication reauthentication command (page 14-29).

show macauthentication session


Use this command to display the active MAC authenticated sessions.

Syntax
show macauthentication session

Parameters
None.

Defaults
If port-string is not specified, MAC session information will be displayed for all MAC authentication ports.

Mode
Switch command, read-only.

Usage
Changing the Reauth Period with the set macauthentication reauthperiod command does not affect current sessions. New sessions display the correct period.

Example
This example shows how to display MAC session information:
A2(su)->show macauthentication session
Port    MAC Address        Duration    Reauth Period  Reauthentications
------  -----------------  ----------  -------------  -----------------
ge.1.2  00:60:97:b5:4c:07  0,00:52:31  3600           disabled

Table 14-4 provides an explanation of the command output.

Table 14-4    show macauthentication session Output Details

Output             What It Displays...
Port               Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
MAC Address        MAC address associated with the session.
Duration           Time this session has been active.
Reauth Period      Reauthentication period for this port, set using the set macauthentication reauthperiod command described in set macauthentication reauthperiod on page 14-31.
Reauthentications  Whether or not reauthentication is enabled or disabled on this port. Set using the set macauthentication reauthentication command described in set macauthentication reauthentication on page 14-29.

set macauthentication
Use this command to globally enable or disable MAC authentication.

Syntax
set macauthentication {enable | disable}

Parameters
enable | disable  Globally enables or disables MAC authentication.

Mode
Switch command, read-write.

Defaults
None.

Example
This example shows how to globally enable MAC authentication:
A2(su)->set macauthentication enable

set macauthentication password


Use this command to set a MAC authentication password.

Syntax
set macauthentication password password

Parameters
password  Specifies a text string MAC authentication password.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the MAC authentication password to macauth:
A2(su)->set macauthentication password macauth

clear macauthentication password


Use this command to clear the MAC authentication password.

Syntax
clear macauthentication password

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear the MAC authentication password:
A2(su)->clear macauthentication password

set macauthentication port


Use this command to enable or disable one or more ports for MAC authentication.

Syntax
set macauthentication port {enable | disable} port-string

Parameters
enable | disable  Enables or disables MAC authentication.
port-string       Specifies port(s) on which to enable or disable MAC authentication. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Usage
Enabling port(s) for MAC authentication requires globally enabling MAC authentication on the switch as described in set macauthentication on page 14-25, and then enabling it on a port-by-port basis. By default, MAC authentication is globally disabled and disabled on all ports.

Example
This example shows how to enable MAC authentication on ge.2.1 through 5:
A2(su)->set macauthentication port enable ge.2.1-5

set macauthentication portinitialize


Use this command to force one or more MAC authentication ports to re-initialize and remove any currently active sessions on those ports.

Syntax
set macauthentication portinitialize port-string

Parameters
port-string  Specifies the MAC authentication port(s) to re-initialize. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to force ge.2.1 through 5 to initialize:
A2(su)->set macauthentication portinitialize ge.2.1-5

set macauthentication portquietperiod


This sets the number of seconds following a failed authentication before another attempt may be made on the port.

Syntax
set macauthentication portquietperiod time port-string

Parameters
time         Period in seconds to wait after a failed authentication.
port-string  Specifies the ports for which the quiet period is to be applied. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Example
This example sets port 1 to wait 5 seconds after a failed authentication attempt before a new attempt can be made:
A2(su)->set macauthentication portquietperiod 5 ge.1.1

clear macauthentication portquietperiod


This sets the quiet period back to the default value.

Syntax
clear macauthentication portquietperiod [port-string]

Parameters
port-string  (Optional) Specifies the ports for which the quiet period is to be reset. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If a port-string is not specified then all ports will be set to the default port quiet period.

Mode
Switch command, read-write.

Example
This example resets the default quiet period on port 1:
A2(su)->clear macauthentication portquietperiod ge.1.1

set macauthentication macinitialize


Use this command to force a current MAC authentication session to re-initialize and remove the session.

Syntax
set macauthentication macinitialize mac-addr

Parameters
mac-addr  Specifies the MAC address of the session to re-initialize.

Mode
Switch command, read-write.

Defaults
None.

Example
This example shows how to force the MAC authentication session for address 00-60-97-b5-4c-07 to re-initialize:
A2(su)->set macauthentication macinitialize 00-60-97-b5-4c-07

set macauthentication reauthentication


Use this command to enable or disable reauthentication of all currently authenticated MAC addresses on one or more ports.

Syntax
set macauthentication reauthentication {enable | disable} port-string

Parameters
enable | disable  Enables or disables MAC reauthentication.
port-string       Specifies port(s) on which to enable or disable MAC reauthentication. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to enable MAC reauthentication on ge.4.1 through 5:
A2(su)->set macauthentication reauthentication enable ge.4.1-5

set macauthentication portreauthenticate


Use this command to force an immediate reauthentication of the currently active sessions on one or more MAC authentication ports.

Syntax
set macauthentication portreauthenticate port-string

Parameters
port-string  Specifies MAC authentication port(s) to be reauthenticated. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to force ge.2.1 through 5 to reauthenticate:
A2(su)->set macauthentication portreauthenticate ge.2.1-5

set macauthentication macreauthenticate


Use this command to force an immediate reauthentication of a MAC address.

Syntax
set macauthentication macreauthenticate mac-addr

Parameters
mac-addr  Specifies the MAC address of the session to reauthenticate.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to force the MAC authentication session for address 00-60-97-b5-4c-07 to reauthenticate:
A2(su)->set macauthentication macreauthenticate 00-60-97-b5-4c-07

set macauthentication reauthperiod


Use this command to set the MAC reauthentication period (in seconds). This is the time lapse between attempts to reauthenticate any current MAC address authenticated to a port.

Syntax
set macauthentication reauthperiod time port-string

Parameters
time         Specifies the number of seconds between reauthentication attempts. Valid values are 1 - 4294967295.
port-string  Specifies the port(s) on which to set the MAC reauthentication period. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Usage
Changing the Reauth Period with the set macauthentication reauthperiod command does not affect current sessions. New sessions will use the correct period.

Example
This example shows how to set the MAC reauthentication period to 7200 seconds (2 hours) on ge.2.1 through 5:
A2(su)->set macauthentication reauthperiod 7200 ge.2.1-5

clear macauthentication reauthperiod


Use this command to clear the MAC reauthentication period on one or more ports.

Syntax
clear macauthentication reauthperiod [port-string]

Parameters
port-string  (Optional) Clears the MAC reauthentication period on specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, the reauthentication period will be cleared on all ports.

Mode
Switch command, read-write.

Example
This example shows how to globally clear the MAC reauthentication period:
A2(su)->clear macauthentication reauthperiod

set macauthentication significant-bits


UsethiscommandtosetthenumberofsignificantbitsoftheMACaddresstousefor authentication.

Syntax
set macauthentication significant-bits number

Parameters
number Specifiesthenumberofsignificantbitstobeusedforauthentication.

Defaults
None.

Mode
Switch command, read-write.

Usage
This command allows you to specify a mask to apply to MAC addresses when authenticating users through a RADIUS server. The most common use of significant bit masks is for authentication of all MAC addresses for a specific vendor.

On SecureStack switches using MAC authentication, the MAC address of a user attempting to log in is sent to the RADIUS server as the user name. If access is denied, and if a significant bit mask has been configured (other than 48) with this command, the switch will apply the mask and resend the masked address to the RADIUS server. For example, if a user with MAC address of 00-16-CF-12-34-56 is denied access, and a 32 bit mask has been configured, the switch will apply the mask and resend a MAC address of 00-16-CF-12-00-00 to the RADIUS server.

To use a significant bits mask for authentication of devices by a particular vendor, specify a 24-bit mask, to mask out everything except the vendor portion of the MAC address.

Example
This example sets the MAC authentication significant bits mask to 24.
A2(su)->set macauthentication significant-bits 24
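The masking described under Usage, worked through as an added example (this is not code from the guide or the switch firmware). The function names, the hyphenated upper-case user name format and the 1 to 48 range check are assumptions made for the illustration.

```python
import string


def parse_mac(text):
    """Parse a MAC written with '-' or ':' separators into a 48-bit integer."""
    digits = text.replace("-", "").replace(":", "")
    if len(digits) != 12 or any(c not in string.hexdigits for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value):
    """Render a 48-bit integer as XX-XX-XX-XX-XX-XX (format assumed here)."""
    raw = f"{value:012X}"
    return "-".join(raw[i:i + 2] for i in range(0, 12, 2))


def apply_significant_bits(mac, bits):
    """Keep the leading `bits` bits of the MAC address and zero the rest."""
    if not 1 <= bits <= 48:  # assumed range; the guide only names 48 as the default
        raise ValueError("significant bits must be between 1 and 48")
    mask = ((1 << bits) - 1) << (48 - bits)
    return format_mac(parse_mac(mac) & mask)


def radius_usernames(mac, bits):
    """User names presented in order: the full MAC first, then the masked MAC,
    which is only sent after a denial and only when the mask is not 48."""
    full = format_mac(parse_mac(mac))
    if bits == 48:
        return [full]
    return [full, apply_significant_bits(mac, bits)]


def share_masked_entry(mac_a, mac_b, bits):
    """True when a single RADIUS entry for the masked address covers both devices."""
    return apply_significant_bits(mac_a, bits) == apply_significant_bits(mac_b, bits)


if __name__ == "__main__":
    # The guide's own example: a 32-bit mask applied to 00-16-CF-12-34-56.
    print(radius_usernames("00-16-CF-12-34-56", 32))
    # Two different devices from one vendor collapse to one entry at 24 bits.
    print(share_masked_entry("00-16-CF-12-34-56", "00-16-CF-AB-CD-EF", 24))
```

With a 24-bit mask, every device whose address starts with the same vendor prefix resolves to the same RADIUS entry, so the policy returned for that entry applies to all of them.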

clear macauthentication significant-bits


Use this command to reset the number of significant bits of the MAC address to use for authentication to the default of 48.

Syntax
clear macauthentication significant-bits

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example resets the MAC authentication significant bits to 48.
A2(su)->clear macauthentication significant-bits

Configuring Multiple Authentication Methods


About Multiple Authentication Types
When enabled, multiple authentication types allow users to authenticate using up to two methods on the same port. In order for multiple authentication to function on the device, each possible method of authentication (MAC authentication, 802.1X) must be enabled globally and configured appropriately on the desired ports with its corresponding command set described in this chapter.

Multiple authentication mode must be globally enabled on the device using the set multiauth mode command.

Commands
The commands needed to review, enable, disable, and configure multiple authentication are listed below:

For information about...       Refer to page...
show multiauth                 14-35
set multiauth mode             14-36
clear multiauth mode           14-36
set multiauth precedence       14-37
clear multiauth precedence     14-37
show multiauth port            14-38
set multiauth port             14-39
clear multiauth port           14-39
show multiauth station         14-40

show multiauth
Use this command to display multiple authentication system configuration.

Syntax
show multiauth

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display multiple authentication system configuration:
A2(rw)->show multiauth
Multiple authentication system configuration
-------------------------------------------------
Supported types          : dot1x, mac
Maximum number of users  : 192
Current number of users  : 0
System mode              : multi
Default precedence       : dot1x, mac
Admin precedence         :
Operational precedence   : dot1x, mac

set multiauth mode


Use this command to set the system authentication mode to allow multiple authenticators simultaneously (802.1x and MAC Authentication) on a single port, or to strictly adhere to 802.1x authentication.

Syntax
set multiauth mode {multi | strict}

Parameters
multi    Allow the system to use multiple authenticators simultaneously (802.1x and MAC Authentication) on a port. This is the default mode.
strict   User must authenticate using 802.1x authentication before normal traffic (anything other than authentication traffic) can be forwarded.

Defaults
None.

Mode
Switch command, read-write.

Usage
Multiauth multi mode requires that MAC and 802.1X authentication be enabled globally, and configured appropriately on the desired ports according to their corresponding command sets described in this chapter. Refer to Configuring 802.1X Authentication on page 14-11 and Configuring MAC Authentication on page 14-22.

Example
This example shows how to enable simultaneous multiple authentications:
A2(rw)->set multiauth mode multi

clear multiauth mode


Use this command to clear the system authentication mode.

Syntax
clear multiauth mode

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear the system authentication mode:
A2(rw)->clear multiauth mode

set multiauth precedence


Use this command to set the system's multiple authentication administrative precedence.

Syntax
set multiauth precedence {[dot1x] [mac]}

Parameters
dot1x   Sets precedence for 802.1X authentication.
mac     Sets precedence for MAC authentication.

Defaults
None.

Mode
Switch command, read-write.

Usage
When a user is successfully authenticated by more than one method at the same time, the precedence of the authentication methods will determine which RADIUS-returned filter ID will be processed and result in an applied traffic policy profile.

Example
This example shows how to set precedence for MAC authentication:
A2(rw)->set multiauth precedence mac dot1x

clear multiauth precedence


Use this command to clear the system's multiple authentication administrative precedence.

Syntax
clear multiauth precedence

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear the multiple authentication precedence:
A2(rw)->clear multiauth precedence

show multiauth port


Use this command to display multiple authentication properties for one or more ports.

Syntax
show multiauth port [port-string]

Parameters
port-string   (Optional) Displays multiple authentication information for specific port(s).

Defaults
If port-string is not specified, multiple authentication information will be displayed for all ports.

Mode
Switch command, read-only.

Example
This example shows how to display multiple authentication information for ports ge.3.1-4:
A2(rw)->show multiauth port ge.3.1-4
Port         Mode         Max users  Allowed users  Current users
------------ ------------ ---------- -------------- -------------
ge.3.1       auth-opt     2          1              0
ge.3.2       auth-opt     2          1              0
ge.3.3       auth-opt     2          1              0
ge.3.4       auth-opt     2          1              0

set multiauth port


Use this command to set multiple authentication properties for one or more ports.

Syntax
set multiauth port mode {auth-opt | auth-reqd | force-auth | force-unauth} | numusers numusers port-string

Parameters
mode auth-opt | auth-reqd | force-auth | force-unauth
                    Specifies the port(s)' multiple authentication mode as:
                    • auth-opt: Authentication optional (non-strict behavior). If a user does not attempt to authenticate using 802.1x, or if 802.1x authentication fails, the port will allow traffic to be forwarded according to the defined default VLAN.
                    • auth-reqd: Authentication is required.
                    • force-auth: Authentication considered.
                    • force-unauth: Authentication disabled.
numusers numusers   Specifies the number of users allowed authentication on port(s). Currently, valid values are 1 or 2.
port-string         Specifies the port(s) on which to set multiple authentication properties.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the port multiple authentication mode to required on ge.3.14:
A2(rw)->set multiauth port mode auth-reqd ge.3.14

clear multiauth port


Use this command to clear multiple authentication properties for one or more ports.

Syntax
clear multiauth port {mode | numusers} port-string

Parameters
mode          Clears the specified port's multiple authentication mode.
numusers      Clears the value set for the number of users allowed authentication on the specified port.
port-string   Specifies the port or ports on which to clear multiple authentication properties.

Defaults
None.

Mode
Switch command, read-write.

Examples
This example shows how to clear the port multiple authentication mode on port ge.3.14:
A2(rw)->clear multiauth port mode ge.3.14

This example shows how to clear the number of users on port ge.3.14:
A2(rw)->clear multiauth port numusers ge.3.14

show multiauth station


Use this command to display multiple authentication station (end user) entries.

Syntax
show multiauth station [mac address] [port port-string]

Parameters
mac address        (Optional) Displays multiple authentication station entries for specific MAC address(es).
port port-string   (Optional) Displays multiple authentication station entries for specific port(s).

Mode
Switch command, read-only.

Defaults
If no options are specified, multiple authentication station entries will be displayed for all MAC addresses and ports.

Example
This example shows how to display multiple authentication station entries. In this case, two end user MAC addresses are shown:
A2(rw)->show multiauth station
Port         Address type Address
------------ ------------ ------------------------
fe.1.20      mac          00-10-a4-9e-24-87
fe.2.16      mac          00-b0-d0-e5-0c-d0

Configuring VLAN Authorization (RFC 3580)


Purpose
Please see section 3.31 of RFC 3580 for details on configuring a RADIUS server to return the desired tunnel attributes. From RFC 3580: ...it may be desirable to allow a port to be placed into a particular Virtual LAN (VLAN), defined in [IEEE8021Q], based on the result of the authentication.

The RADIUS server typically indicates the desired VLAN by including tunnel attributes within the Access-Accept. However, the IEEE 802.1X Authenticator may also provide a hint as to the VLAN to be assigned to the Supplicant by including Tunnel attributes within the Access-Request.

For use in VLAN assignment, the following tunnel attributes are used:
• Tunnel-Type=VLAN (13)
• Tunnel-Medium-Type=802
• Tunnel-Private-Group-ID=VLANID
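The three tunnel attributes listed above, parsed from the attribute section of an Access-Accept and checked before a VLAN is accepted. This is an added example, not code from the guide or the switch firmware: the function names, the validation policy (all three attributes present, VLAN ID 1 to 4094) and the sample bytes are constructed for the illustration, and it uses the attribute numbers and tag layout from RFC 2868.

```python
# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 uses for VLAN assignment.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def iter_attributes(data):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    offset = 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[offset], data[offset + 1]
        if length < 2 or offset + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        yield attr_type, data[offset + 2:offset + length]
        offset += length


def tagged_integer(value):
    """Tunnel-Type and Tunnel-Medium-Type: one tag octet, then a 3-octet integer."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must carry 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def tagged_string(value):
    """Tunnel-Private-Group-ID: optional tag octet (<= 0x1F), then the group string."""
    if not value:
        raise ValueError("empty Tunnel-Private-Group-ID")
    if value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def vlan_from_attributes(data):
    """Return the VLAN ID when a complete, valid attribute triple is present, else None."""
    tunnels = {}  # tag -> {attribute number: parsed value}
    for attr_type, value in iter_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, parsed = tagged_integer(value)
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, parsed = tagged_string(value)
        else:
            continue  # unrelated attributes are ignored
        tunnels.setdefault(tag, {})[attr_type] = parsed
    for tag in sorted(tunnels):
        tunnel = tunnels[tag]
        if tunnel.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
            continue
        if tunnel.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802:
            continue
        group = tunnel.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if group.isdigit() and 1 <= int(group) <= 4094:
            return int(group)
    return None


def build_attribute(attr_type, value):
    """Encode one attribute (helper for the constructed samples)."""
    return bytes([attr_type, len(value) + 2]) + value


# Constructed sample: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=802(6), group ID "42".
SAMPLE_ATTRIBUTES = (
    build_attribute(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
    + build_attribute(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
    + build_attribute(TUNNEL_PRIVATE_GROUP_ID, b"42")
)

if __name__ == "__main__":
    print(vlan_from_attributes(SAMPLE_ATTRIBUTES))
```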

Commands
The commands used to configure RADIUS tunnel attributes are listed below.

For information about...       Refer to page...
set vlanauthorization          14-42
set vlanauthorization egress   14-42
clear vlanauthorization        14-43
show vlanauthorization         14-44

set vlanauthorization
Enable or disable the use of the RADIUS VLAN tunnel attribute to put a port into a particular VLAN based on the result of authentication.

Syntax
set vlanauthorization {enable | disable} [port-string]

Parameters
enable | disable   Enables or disables vlan authorization/tunnel attributes.
port-string        (Optional) Specifies which ports to enable or disable the use of VLAN tunnel attributes/authorization. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
VLAN authentication is disabled by default.

Mode
Switch command, read-write.

Examples
This example shows how to enable VLAN authentication for all Fast Ethernet ports:
A2(rw)-> set vlanauthorization enable fe.*.*

This example shows how to disable VLAN authentication for all Fast Ethernet ports on stack unit 3:
A2(rw)-> set vlanauthorization disable fe.3.*

set vlanauthorization egress


Controls the modification of the current VLAN egress list of 802.1x authenticated ports for the VLANs returned in the RADIUS authorization filter-id string.

Syntax
set vlanauthorization egress {none | tagged | untagged} port-string

Parameters
none          No egress manipulation will be made.
tagged        The authenticating port will be added to the current tagged egress for the VLAN-ID returned.
untagged      The authenticating port will be added to the current untagged egress for the VLAN-ID returned (default).
port-string   The port or list of ports to which this command will apply. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
By default, administrative egress is set to untagged.

Mode
Switch command, read-write.

Example
This example shows how to enable the insertion of the RADIUS assigned VLAN to an 802.1q tag for all outbound frames for ports 10 through 15 on unit number 3.
A2(rw)->set vlanauthorization egress tagged ge.3.10-15

clear vlanauthorization
Use this command to return port(s) to the default configuration of VLAN authorization disabled, egress untagged.

Syntax
clear vlanauthorization [port-string]

Parameters
port-string   (Optional) Specifies which ports are to be restored to default configuration. If no port string is entered, the action will be a global setting. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If no port string is entered, all ports across the stack will be reset to default configuration with VLAN authorization disabled and egress frames untagged.

Mode
Switch command, read-write.

Example
This example shows how to clear VLAN authorization for all ports on slots 3, 4, and 5:
A2(rw)->clear vlanauthorization ge.3-5.*

show vlanauthorization
Displays the VLAN authentication status and configuration information for the specified ports.

Syntax
show vlanauthorization [port-string]

Parameters
port-string   (Optional) Displays VLAN authentication status for the specified ports. If no port string is entered, then the global status of the setting is displayed. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If no port string is entered, the status for all ports will be displayed.

Mode
Switch command, read-only.

Example
This command shows how to display VLAN authorization status for Fast Ethernet port 1 on unit 1:
A2(rw)-> show vlanauthorization fe.1.1
port     status    administrative egress     operational egress    vlan id
-------  --------  ------------------------  --------------------  --------
fe.1.1   enabled   untagged                  none                  0

Table 14-5 provides an explanation of command output. For details on enabling and assigning protocol and egress attributes, refer to set vlanauthorization on page 14-42 and set vlanauthorization egress on page 14-42.

Table 14-5   show vlanauthorization Output Details

Output                  What It Displays...
port                    Port identification
status                  Port status as assigned by set vlanauthorization command
administrative egress   Port status as assigned by the set vlanauthorization egress command
operational egress      If authentication has succeeded, displays the VLAN id assigned for egress.
vlan id                 If authentication has succeeded, displays the assigned VLAN id for ingress.

Configuring MAC Locking


This feature locks a MAC address to one or more ports, preventing connection of unauthorized devices through the port(s). When source MAC addresses are received on specified ports, the switch discards all subsequent frames not containing the configured source addresses. The only frames forwarded on a locked port are those with the locked MAC address(es) for that port.

There are two methods of locking a MAC to a port: first arrival and static. The first arrival method is defined to be locking the first n number of MACs which arrive on a port configured with MAC locking enabled. The value n is configured with the set maclock firstarrival command.

The static method is defined to be statically provisioning a MAC-port lock using the set maclock create command. The maximum number of static MAC addresses allowed for MAC locking on a port can be configured with the set maclock static command.

You can configure the switch to issue a violation trap if a packet arrives with a source MAC address different from any of the currently locked MAC addresses for that port.

MACs are unlocked as a result of:
• A link down event
• When MAC locking is disabled on a port

When properly configured, MAC locking is an excellent security tool as it prevents MAC spoofing on configured ports. Also if a MAC were to be secured by something like Dragon Dynamic Intrusion Detection, MAC locking would make it more difficult for a hacker to send packets into the network because the hacker would have to change their MAC address and move to another port. In the meantime the system administrator would be receiving a maclock trap notification.

Purpose
To review, disable, enable, and configure MAC locking.

Commands
For information about...       Refer to page...
show maclock                   14-46
show maclock stations          14-47
set maclock enable             14-48
set maclock disable            14-49
set maclock                    14-49
clear maclock                  14-50
set maclock static             14-51
clear maclock static           14-51
set maclock firstarrival       14-52
clear maclock firstarrival     14-53
set maclock move               14-53
set maclock trap               14-54

show maclock
Use this command to display the status of MAC locking on one or more ports.

Syntax
show maclock [port-string]

Parameters
port-string   (Optional) Displays MAC locking status for specified port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, MAC locking status will be displayed for all ports.

Mode
Switch command, read-only.

Example
This example shows how to display MAC locking information for ge.1.1.
A2(su)->show maclock ge.1.1
MAC locking is globally enabled

Port     Port     Trap      Max Static  Max FirstArrival  Violating
Number   Status   Status    Allocated   Allocated         MAC Address
-------  -------  --------  ----------  ----------------  -----------------
ge.1.1   enabled  disabled  20          1                 00:a0:c9:39:5c:b4

Table 14-6 provides an explanation of the command output.

Table 14-6   show maclock Output Details

Output                       What It Displays...
Port Number                  Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
Port Status                  Whether MAC locking is enabled or disabled on the port. MAC locking is globally disabled by default. For details on enabling MAC locking on the switch and on one or more ports, refer to set maclock enable on page 14-48 and set maclock on page 14-49.
Trap Status                  Whether MAC lock trap messaging is enabled or disabled on the port. For details on setting this status, refer to set maclock trap on page 14-54.
Max Static Allocated         The maximum static MAC addresses allowed locked to the port. For details on setting this value, refer to set maclock static on page 14-51.
Max FirstArrival Allocated   The maximum end station MAC addresses allowed locked to the port. For details on setting this value, refer to set maclock firstarrival on page 14-52.
Violating MAC Address        Most recent MAC address(es) violating the maximum static and first arrival value(s) set for the port.

show maclock stations


Use this command to display MAC locking information about end stations connected to the switch.

Syntax
show maclock stations [firstarrival | static] [port-string]

Parameters
firstarrival   (Optional) Displays MAC locking information about end stations first connected to MAC locked ports.
static         (Optional) Displays MAC locking information about static (management defined) end stations connected to MAC locked ports.
port-string    (Optional) Displays end station information for specified port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If no parameters are specified, MAC locking information will be displayed for all end stations.

Mode
Switch command, read-only.

Example
This example shows how to display MAC locking information for the end stations connected to all Fast Ethernet ports in unit 2:
A2(su)->show maclock stations fe.2.*
Port Number   MAC Address         Status   State
------------  ------------------  -------  --------------
fe.2.1        00:a0:c9:39:5c:b4   active   first arrival
fe.2.7        00:a0:c9:39:1f:11   active   static

Table 14-7 provides an explanation of the command output.

Table 14-7   show maclock stations Output Details

Output        What It Displays...
Port Number   Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
MAC address   MAC address of the end station(s) locked to the port.
Status        Whether the end stations are active or inactive.
State         Whether the end station locked to the port is a first arrival or static connection.

set maclock enable


Use this command to enable MAC locking on one or more ports.

Syntax
set maclock enable [port-string]

Parameters
port-string   (Optional) Enables MAC locking on specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, MAC locking will be enabled on all ports.

Mode
Switch command, read-write.

Usage
When enabled and configured for a specific MAC address and port string, this locks a port so that only one end station address is allowed to participate in frame relay.

MAC locking is disabled by default at device startup. Configuring one or more ports for MAC locking requires globally enabling it on the device and then enabling it on the desired ports.

Example
This example shows how to enable MAC locking on fe.2.3:
A2(su)->set maclock enable fe.2.3

set maclock disable


Use this command to disable MAC locking on one or more ports.

Syntax
set maclock disable [port-string]

Parameters
port-string   (Optional) Disables MAC locking on specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
If port-string is not specified, MAC locking will be disabled on all ports.

Mode
Switch command, read-write.

Example
This example shows how to disable MAC locking on fe.2.3:
A2(su)->set maclock disable fe.2.3

set maclock
Use this command to create a static MAC address to port locking, and to enable or disable MAC locking for the specified MAC address and port.

Syntax
set maclock mac-address port-string {create | enable | disable}

Parameters
mac-address        Specifies the MAC address for which MAC locking will be created, enabled or disabled.
port-string        Specifies the port on which to create, enable or disable MAC locking for the specified MAC. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
create             Establishes a MAC locking association between the specified MAC address and port. Create automatically enables MAC locking between the specified MAC address and port.
enable | disable   Enables or disables MAC locking between the specified MAC address and port.

Defaults
None.

Mode
Switch command, read-write.

Usage
Configuring one or more ports for MAC locking requires globally enabling it on the switch first using the set maclock enable command as described in set maclock enable on page 14-48.

Example
This example shows how to create a MAC locking association between MAC address 0e-03-ef-d8-44-55 and port ge.3.2:
A2(rw)->set maclock 0e-03-ef-d8-44-55 ge.3.2 create

clear maclock
Use this command to remove a static MAC address to port locking entry.

Syntax
clear maclock mac-address port-string

Parameters
mac-address   Specifies the MAC address that will be removed from the list of static MACs allowed to communicate on the port.
port-string   Specifies the port on which to clear the MAC address. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Usage
The MAC address that is cleared will no longer be able to communicate on the port unless the first arrival limit has been set to a value greater than 0 and this limit has not yet been met.

For example, if user B's MAC is removed from the static MAC address list and the first arrival limit has been set to 0, then user B will not be able to communicate on the port. If user A's MAC is removed from the static MAC address list and the first arrival limit has been set to 10, but only has 7 entries, user A will become the 8th entry and allowed to communicate on the port.

Example
This example shows how to remove a MAC from the list of static MACs allowed to communicate on port ge.3.2:
A2(rw)->clear maclock 0e-03-ef-d8-44-55 ge.3.2

set maclock static


Use this command to set the maximum number of static MAC addresses allowed per port. Static MACs are administratively defined.

Syntax
set maclock static port-string value

Parameters
port-string   Specifies the port on which to set the maximum number of static MACs allowed. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
value         Specifies the maximum number of static MAC addresses allowed per port. Valid values are 0 to 20.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to set the maximum number of allowable static MACs to 2 on ge.3.1:
A2(rw)->set maclock static ge.3.1 2

clear maclock static


Use this command to reset the number of static MAC addresses allowed per port to the default value of 20.

Syntax
clear maclock static port-string

Parameters
port-string   Specifies the port on which to reset number of static MAC addresses allowed. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to reset the number of allowable static MACs on fe.2.3:
A2(rw)->clear maclock static fe.2.3

set maclock firstarrival


Use this command to restrict MAC locking on a port to a maximum number of end station addresses first connected to that port.

Syntax
set maclock firstarrival port-string value

Parameters
port-string   Specifies the port on which to limit MAC locking. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
value         Specifies the number of first arrival end station MAC addresses to be allowed connections to the port. Valid values are 0 to 600.

Defaults
None.

Mode
Switch command, read-write.

Usage
The maclock first arrival count resets when the link goes down. This feature is beneficial if you have roaming users: the first arrival count will be reset every time a user moves to another port, but will still protect against connecting multiple devices on a single port and will protect against MAC address spoofing.

If you wish to have only statically set MACs, set a port's first arrival limit to 0.

Example
This example shows how to restrict MAC locking to 6 MAC addresses on fe.2.3:
A2(su)->set maclock firstarrival fe.2.3 6

clear maclock firstarrival


Use this command to reset the number of first arrival MAC addresses allowed per port to the default value of 600.

Syntax
clear maclock firstarrival port-string

Parameters
port-string   Specifies the port on which to reset the first arrival value. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to reset MAC first arrivals on fe.2.3:
A2(su)->clear maclock firstarrival fe.2.3

set maclock move


Use this command to move all current first arrival MACs to static entries.

Syntax
set maclock move port-string

Parameters
port-string   Specifies the port on which MAC will be moved from first arrival MACs to static entries. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.

Defaults
None.

Mode
Switch command, read-write.

Usage
If there are more first arrival MACs than the allowed maximum static MACs, then only the latest first arrival MACs will be moved to static entries. For example, if you set the maximum number of static MACs to 2 with the set maclock static command, and then executed the set maclock move command, even though there were five MACs in the first arrival table, only the two most recent MAC entries would be moved to static entries.

Example
This example shows how to move all current first arrival MACs to static entries on ports ge.3.1-40:
A2(rw)->set maclock move ge.3.1-40

set maclock trap


Use this command to enable or disable MAC lock trap messaging.

Syntax
set maclock trap port-string {enable | disable}

Parameters
port-string        Specifies the port on which MAC lock trap messaging will be enabled or disabled. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-2.
enable | disable   Enables or disables MAC lock trap messaging.

Defaults
None.

Mode
Switch command, read-write.

Usage
When enabled, this feature authorizes the switch to send an SNMP trap message if an end station is connected that exceeds the maximum values configured using the set maclock firstarrival and set maclock static commands. Violating MAC addresses are dropped from the device's routing table.

Example
This example shows how to enable MAC lock trap messaging on fe.2.3:
A2(su)->set maclock trap fe.2.3 enable
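The first arrival and static behaviour described across the MAC locking commands (the clear maclock user A / user B case, set maclock move, and the violation trap), modelled as an added example. It is not code from the guide or the switch firmware; the class and method names are hypothetical, the station addresses are constructed, and the points the guide leaves open are marked as assumptions in the comments.

```python
class LockedPort:
    """Model of one MAC-locked port as this section describes it (illustrative only)."""

    def __init__(self, static_limit=20, firstarrival_limit=600, trap=False):
        if not 0 <= static_limit <= 20 or not 0 <= firstarrival_limit <= 600:
            raise ValueError("limit outside the ranges given in the guide")
        self.static_limit = static_limit
        self.firstarrival_limit = firstarrival_limit
        self.trap = trap
        self.static = []          # administratively created locks
        self.first_arrival = []   # learned locks, oldest first
        self.violating_mac = None
        self.traps_sent = []

    def create_static(self, mac):
        """set maclock <mac> <port> create; refused once the static maximum is reached."""
        if mac in self.static:
            return True
        if len(self.static) >= self.static_limit:
            return False
        self.static.append(mac)
        return True

    def clear_static(self, mac):
        """clear maclock <mac> <port>."""
        if mac in self.static:
            self.static.remove(mac)

    def receive(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if it is discarded."""
        if src_mac in self.static or src_mac in self.first_arrival:
            return True
        if len(self.first_arrival) < self.firstarrival_limit:
            self.first_arrival.append(src_mac)   # becomes the next first arrival lock
            return True
        self.violating_mac = src_mac             # shown as Violating MAC Address
        if self.trap:
            self.traps_sent.append(src_mac)
        return False

    def link_down(self):
        """Assumption: a link down event releases the learned (first arrival) locks."""
        self.first_arrival.clear()

    def move(self):
        """set maclock move: the newest first arrival entries become static.
        Assumptions: existing static entries count against the static maximum,
        and entries that do not fit stay in the first arrival table."""
        room = max(self.static_limit - len(self.static), 0)
        moved = self.first_arrival[-room:] if room else []
        self.static.extend(moved)
        self.first_arrival = [m for m in self.first_arrival if m not in moved]
        return moved


def station(n):
    """Constructed sample MAC address number n."""
    return f"00-00-5e-00-53-{n:02x}"


def cleared_static_still_forwarded(firstarrival_limit, learned_before):
    """The guide's user A / user B case: is a cleared static MAC still forwarded?"""
    port = LockedPort(firstarrival_limit=firstarrival_limit)
    user = station(0xFF)
    port.create_static(user)
    for n in range(learned_before):
        port.receive(station(n))
    port.clear_static(user)
    return port.receive(user), len(port.first_arrival)


if __name__ == "__main__":
    print(cleared_static_still_forwarded(0, 0))    # user B: limit 0
    print(cleared_static_still_forwarded(10, 7))   # user A: becomes the 8th entry
```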

Configuring Secure Shell (SSH)


Purpose
To review, enable, disable, and configure the Secure Shell (SSH) protocol, which provides secure Telnet.

Commands
The commands used to review and configure SSH are listed below:

For information about...       Refer to page...
show ssh status                14-55
set ssh                        14-56
set ssh hostkey                14-56

show ssh status


Use this command to display the current status of SSH on the switch.

Syntax
show ssh status

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display SSH status on the switch:
A2(su)->show ssh status
SSH Server status: Disabled

set ssh
Use this command to enable, disable or reinitialize SSH server on the switch. By default, the SSH server is disabled.

Syntax
set ssh {enable | disable | reinitialize}

Parameters
enable | disable   Enables or disables SSH, or reinitializes the SSH server.
reinitialize       Reinitializes the SSH server.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to disable SSH:
A2(su)->set ssh disable

set ssh hostkey


Use this command to set or reinitialize new SSH authentication keys.

Syntax
set ssh hostkey [reinitialize]

Parameters
reinitialize   (Optional) Reinitializes the server host authentication keys.

Defaults
If reinitialize is not specified, the user must supply SSH authentication key values.

Mode
Switch command, read-write.

Example
This example shows how to regenerate SSH keys:
A2(su)->set ssh hostkey reinitialize

Configuring Layer 2 Access Control Lists


Layer 2 access control lists (ACLs) are essentially Layer 2/Layer 3 filters implemented at Layer 2 (the SecureStack A2 is a Layer 2 switch). The SecureStack A2 supports access control lists that can filter ingressing frames based on IP or MAC address. Each ACL is composed of a sequential list of permit and deny conditions, called rules.

Each ACL has to be defined as either a MAC or IP type of list, and each type of list can contain only one type of rules: MAC lists can contain MAC SA (source address), DA (destination address) rules and IP lists can contain IP SIP (source IP address), DIP (destination IP address) rules.

A maximum of two ACLs can be applied to a port. The ACLs can be MAC, IP, or both. Precedence is then based on Table 14-8, where highest priority has precedence.

Table 14-8   ACL Rule Precedence

ACL Type               Priority Level   Example
MAC SA DA exact        14               permit 00-01-01-00-00-01 00-01-02-00-00-23
MAC SA exact DA any    13               deny 00:01:01:00:00:05 any
MAC SA any DA exact    12               deny any 00:01:01:00:00:01
IP SIP DIP exact       11               deny 10.0.1.15 10.0.1.5
IP SIP exact DIP any   10               deny 10.0.1.8 any
IP SIP any DIP exact   9                permit any 10.0.1.22
IP SIP any DIP any     8                deny any any
MAC SA any DA any      7                deny any any

The following conditions apply to Layer 2 access control lists:
• Up to 35 access control lists can be configured per system (A2 stack).
• A maximum of 20 rules may be contained in a single ACL.
• Layer 2 ACLs can be bound to ports only.
• A maximum of 20 rules may be bound to a port. Multiple ACLs can be bound to one port, but the total number of rules for all ACLs cannot exceed 20.
• Only one rule match can occur on a port.
• The any wildcard is supported, but when addresses are specified, only exact matches are made.
• There is no implicit deny for the access control lists.

To configure an ACL on the SecureStack A2:
1. Create the access control list, as a MAC or IP type of list, and give it a name. For example:
set access-list {mac | ip} name
2. Create the rules for the ACL.
set access-list name {permit | deny} {src-address | any} {dest-address | any}
3. Apply the ACL to the desired port or ports.
set access-list name port-string
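How the conditions above combine on one port, as an added example that is not code from the guide or the switch firmware: rule priority from Table 14-8, exact-match-only addresses, the 20-rule and two-ACL limits, and the absence of an implicit deny. The class and function names are hypothetical, every frame is assumed to carry both a MAC pair and an IP pair, and ties at the same priority level are assumed to go to the rule listed first.

```python
MAX_RULES_PER_ACL = 20
MAX_ACLS_PER_PORT = 2
MAX_RULES_PER_PORT = 20

# Table 14-8: (list type, source is exact, destination is exact) -> priority level.
PRIORITY = {
    ("mac", True, True): 14, ("mac", True, False): 13, ("mac", False, True): 12,
    ("ip", True, True): 11, ("ip", True, False): 10, ("ip", False, True): 9,
    ("ip", False, False): 8, ("mac", False, False): 7,
}


def normalize(kind, address):
    """MAC addresses may be entered with hyphens or colons; compare one form."""
    if address == "any" or kind == "ip":
        return address
    return address.replace(":", "-").lower()


class Acl:
    def __init__(self, name, kind):
        if kind not in ("mac", "ip"):
            raise ValueError("an ACL is either a mac or an ip list")
        self.name, self.kind, self.rules = name, kind, []

    def add(self, action, src, dst):
        """set access-list <name> {permit | deny} {src | any} {dest | any}"""
        if action not in ("permit", "deny"):
            raise ValueError("rule must be permit or deny")
        if len(self.rules) >= MAX_RULES_PER_ACL:
            raise ValueError("an ACL holds at most 20 rules")
        self.rules.append((action, normalize(self.kind, src), normalize(self.kind, dst)))
        return self


def bind(*acls):
    """set access-list <name> <port-string>, with the per-port limits enforced."""
    if len(acls) > MAX_ACLS_PER_PORT:
        raise ValueError("at most two ACLs can be bound to a port")
    if sum(len(acl.rules) for acl in acls) > MAX_RULES_PER_PORT:
        raise ValueError("at most 20 rules in total can be bound to a port")
    return list(acls)


def decide(bound, frame):
    """Return (action, priority level) for a frame given as
    {"mac": (src, dst), "ip": (src, dst)}. Only the highest-priority matching
    rule applies; a frame that matches nothing is forwarded (no implicit deny)."""
    best = None
    for acl in bound:
        f_src, f_dst = (normalize(acl.kind, a) for a in frame[acl.kind])
        for action, src, dst in acl.rules:
            # "any" is the only wildcard; a specified address must match exactly.
            if src not in ("any", f_src) or dst not in ("any", f_dst):
                continue
            level = PRIORITY[(acl.kind, src != "any", dst != "any")]
            if best is None or level > best[0]:
                best = (level, action)
    if best is None:
        return "permit", None
    return best[1], best[0]


def sample_frame(src_ip):
    """Constructed frame; only the source IP varies between the checks below."""
    return {"mac": ("00:a0:c9:39:5c:b4", "00:01:22:33:44:55"), "ip": (src_ip, "10.0.1.22")}


if __name__ == "__main__":
    ip_acl = Acl("myiplist", "ip").add("permit", "192.168.1.0", "any").add("deny", "any", "any")
    port = bind(ip_acl)
    print(decide(port, sample_frame("192.168.1.0")))   # exact source match
    print(decide(port, sample_frame("192.168.1.5")))   # not a subnet match: falls to deny any any
```

Because there is no implicit deny, a list made only of permit rules blocks nothing; traffic is dropped only when a deny rule such as deny any any is present.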

Commands
For information about...         Refer to page...
set access-list (create list)    14-58
set access-list (create rules)   14-59
set access-list (ports)          14-60
show access-list                 14-60
show access-list ports           14-61
clear access-list                14-62

set access-list (create list)


Use this command to create an access control list of a given type. An access list must be created first, before rules can be added to it.

Syntax
set access-list {mac | ip} name

Parameters
mac | ip   Specify the type of access list to create. You can filter packets based on MAC addresses or on IP addresses.
name       Specify the name of the access list. The name can be a string up to 31 alphanumeric characters in length, and must start with a letter.

Defaults
None.

Mode
Switch mode, read-write.

Examples
The example creates an access list named mymaclist that will accept rules based on MAC source and destination addresses.
A2(rw)-> set access-list mac mymaclist

This example creates an access list named myiplist that will accept rules based on IP source and destination addresses.
A2(rw)-> set access-list ip myiplist

set access-list (create rules)


Usethiscommandtoaddpermitanddenyrulestoanexistingaccesscontrollist.

Syntax
set access-list name {permit | deny} {src-address | any} {dest-address | any}

Parameters
name permit|deny Specifythenameoftheaccesslisttobeconfigured.Theaccesslistmust havebeencreatedbeforeitcanhaverulesaddedtoit. Specifythetypeofrule.Permitrulesallowforwardingofanypackets matchingthespecifiedsourceanddestinationaddresses. Denyrulescausepacketsmatchingthespecifiedsourceanddestination addressestobedropped. srcaddress|any Specifythesourceaddresstobematched,orspecifythatanysource addresswillmatch. WhenanIPaccesslistisbeingconfigured,aspecificsourceaddress mustbeanIPaddressindotteddecimalformat. WhenaMACaccesslistisbeingconfigured,aspecificsourceaddress mustbeaMACaddressenteredusinghyphensorcolons. destaddress|any Specifythedestinationaddresstobematched,orspecifythatany destinationaddresswillmatch. WhenanIPaccesslistisbeingconfigured,aspecificdestinationaddress mustbeanIPaddressindotteddecimalformat. WhenaMACaccesslistisbeingconfigured,aspecificdestination addressmustbeaMACaddressenteredusinghyphensorcolons.

Defaults
None.

Mode
Switch command, read-write.

Examples
This example adds a permit rule to the IP access list named myiplist. The rule permits packets from the source address of 192.168.1.0 to any destination address.
A2(rw)-> set access-list myiplist permit 192.168.1.0 any

This example adds a deny rule to the MAC access list named mymaclist. The rule drops packets from any source address destined for the MAC address 00:01:22:33:44:55.
A2(rw)-> set access-list mymaclist deny any 00-01-22-33-44-55


set access-list (ports)


Use this command to bind an access list to one or more ports.

Syntax
set access-list name port-string

Parameters
name          Specify the name of the access control list to be bound.
port-string   Specify the port or ports to which the access list is to be bound.

Defaults
None.

Mode
Switch command, read-write.

Usage
A maximum of two ACLs can be bound to any given port. The ACLs can be of the same type or mixed type (MAC and IP).

Example
This example binds the access list named myipacl to ports fe.1.1 through fe.1.3.
A2(rw)-> set access-list myipacl fe.1.1-3
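
The three set access-list forms above share one prefix and differ only in their arguments, so a change plan is easy to get wrong before it reaches the switch. The following Python linter is an added example, not part of the Enterasys guide: it checks a planned command list against the rules stated on this page (list created before use, naming rule, address format per list type, at most two ACLs per port). The names lint, expand_ports, valid_addr and PLAN are hypothetical, and only single ports and ranges of the fe.1.1-3 form are handled.

```python
import re

NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9]{0,30}")   # up to 31 alphanumerics, starts with a letter
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}")  # hyphens or colons
PLAN = [  # constructed change plan: the guide's examples plus deliberate mistakes
    "set access-list ip myiplist",
    "set access-list myiplist permit 192.168.1.0 any",
    "set access-list mac mymaclist",
    "set access-list mymaclist deny any 00-01-22-33-44-55",
    "set access-list mymaclist permit 10.1.1.1 any",   # IP address in a MAC list
    "set access-list myipacl fe.1.1-3",                # list never created
    "set access-list ip 2ndlist",                      # name starts with a digit
    "set access-list myiplist fe.1.1-2",
    "set access-list mymaclist fe.1.2",
    "set access-list 2ndlist fe.1.2-3",                # third ACL on fe.1.2
]

def expand_ports(port_string):  # 'fe.1.1-3' -> fe.1.1, fe.1.2, fe.1.3 (only this range form)
    prefix, _, last = port_string.rpartition(".")
    lo, _, hi = last.partition("-")
    return [f"{prefix}.{n}" for n in range(int(lo), int(hi or lo) + 1)]

def valid_addr(kind, addr):
    if addr == "any" or kind == "mac":
        return addr == "any" or bool(MAC_RE.fullmatch(addr))
    return bool(re.fullmatch(r"\d+(\.\d+){3}", addr, re.A)) and all(int(o) <= 255 for o in addr.split("."))

def lint(commands, max_acls_per_port=2):
    """Return (line_number, problem) pairs for planned 'set access-list' commands."""
    kinds, bound, problems = {}, {}, []
    for n, cmd in enumerate(commands, 1):
        args = cmd.split()[2:]                         # drop 'set access-list'
        if len(args) == 2 and args[0] in ("mac", "ip"):            # create list
            if not NAME_RE.fullmatch(args[1]):
                problems.append((n, f"invalid list name {args[1]!r}"))
            kinds[args[1]] = args[0]
        elif not args or args[0] not in kinds:
            problems.append((n, "list not created before use"))
        elif len(args) == 4 and args[1] in ("permit", "deny"):     # add rule
            problems += [(n, f"{a!r} is not a valid {kinds[args[0]]} address")
                         for a in args[2:] if not valid_addr(kinds[args[0]], a)]
        elif len(args) == 2:                                       # bind to ports
            for port in expand_ports(args[1]):
                bound.setdefault(port, set()).add(args[0])
                if len(bound[port]) > max_acls_per_port:
                    problems.append((n, f"{port} would have more than {max_acls_per_port} ACLs"))
        else:
            problems.append((n, "unrecognized command form"))
    return problems
```

Line 6 of the constructed plan is the bind example from this section: the earlier examples create myiplist and mymaclist, so a plan assembled from them binds a list named myipacl that was never created.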

show access-list
Use this command to display information about one or all configured access lists. The information displayed includes the rules configured for the access list and the ports to which the access list was bound.

Syntax
show access-list [name]

Parameters
name   (Optional) Specify the name of the access control list to be displayed.

Defaults
If no access list name is entered, information about all configured access lists is displayed.

Mode
Switch command, read-only.

Example
This example displays information about all configured access lists.
A2(ro)-> show access-list
Access-list: mymacacl
mac permit 00:00:11:22:33:44 any
mac permit 00:01:44:55:66:01 any
mac deny any 00:01:22:33:44:55
ports fe.2.1-3
Access-list: myipacl
ip permit 10.10.10.0 any
ip permit 20.20.20.0 any
ip deny 30.30.30.1 10.10.10.0
ports fe.1.1-2

show access-list ports


Use this command to display port access list associations.

Syntax
show access-list ports [port-string]

Parameters
port-string   (Optional) Display the access list associated with the specified ports.

Defaults
If no ports are specified, all port access list associations are displayed.

Mode
Switch command, read-only.

Examples
This example displays all port access list associations in the system.
A2(ro)-> show access-list ports
Port string   Access-list
-----------   -----------
fe.1.1        myipacl
fe.1.2        myipacl
fe.2.1        mymacacl
fe.2.2        mymacacl
fe.2.3        mymacacl

This example displays all the ACLs associated with port fe.1.1.
A2(ro)-> show access-list ports fe.1.1
Port string   Access-list
-----------   -----------
fe.1.1        IPACL1
              IPACL3


clear access-list
Use this command to remove (delete) an access list from the system, or to unbind an access list from one or more ports.

Syntax
clear access-list name [port-string]

Parameters
name          Specify the name of the access list.
port-string   (Optional) Unbind the specified access list from the specified port or ports.

Defaults
If no ports are specified, the access list is deleted from the system.

Mode
Switch command, read-write.

Examples
This example unbinds the access list named mymacacl from the port fe.2.1.
A2(rw)-> clear access-list mymacacl fe.2.1

This example deletes the access list named myipacl.
A2(rw)-> clear access-list myipacl


Index
Numerics
802.1D 6-1
802.1p 9-1
802.1Q 7-1
802.1s 6-1
802.1w 6-1
802.1x 14-5, 14-20

A
access control lists (ACLs) 14-57
Advertised Ability 4-15
Alias node 11-31
Authentication
  EAPOL 14-20
  MAC 14-22
  RADIUS server 14-5, 14-9
  SSH 14-56
Auto-negotiation 4-15

B
banner motd 3-21
Baud Rate 3-27
Broadcast suppression, enabling on ports 4-22

C
CDP Discovery Protocol 3-49
Class of Service 9-1
Clearing NVRAM 3-58
CLI
  closing 3-55
  scrolling screens 1-8
  starting 1-5
Command History Buffer 11-12, 11-13
Command Line Interface. See also CLI
Configuration clearing switch parameters 3-58
Configuration Files
  copying 3-45
  deleting 3-45
  displaying 3-43
  executing 3-44
  show running config 3-45
Contexts (SNMP) 5-3
Copying Configuration or Image Files 3-45
Cost Spanning Tree port 6-38

D
Defaults
  CLI behavior, described 1-6
  factory installed 1-2
DHCP server, configuring 13-1
Differentiated Services
  adding classes to policies 8-12
  assigning policies to service ports 8-17
  configuring policies 8-10
  creating classes and matching conditions 8-3
  deleting classes 8-5
  deleting policies 8-12
  displaying class information 8-4
  displaying status information 8-3
  globally enabling or disabling 8-2
  marking packets 8-13
  matching classes to conditions 8-6
  setting policing styles for policies 8-14
Diffserv, see Differentiated Services

E
EAP pass-through 14-2, 14-15
EAPOL 14-20

F
Flow Control 4-19
Forbidden VLAN port 7-15

G
Getting Help xxvi
GVRP
  enabling and disabling 7-27
  purpose of 7-23
  timer 7-28

H
Hardware show system 3-13, 3-22
Help keyword lookups 1-7
Host VLAN 7-20

I
ICMP 11-14
IGMP 10-1
  enabling and disabling 10-2
Image File
  copying 3-45
  downloading 3-32
Ingress Filtering 7-8, 7-11
IP routes, managing in switch mode 11-17

J
Jumbo Frame Support 4-13

K
Keyword Lookups 1-7

L
Line Editing Commands 1-9
Lockout set system 3-7
Logging 11-1
Login
  administratively configured 1-6
  default 1-6
  setting accounts 3-2
  via Telnet 1-5

M
MAC Addresses displaying 11-20
MAC Authentication 14-22
MAC Locking 14-45
  maximum static entries 14-51
  static 14-51
Management VLAN 7-1
motd 3-21
Multicast Filtering 10-1
Multiple Spanning Tree Protocol (MSTP) 6-1

N
Name
  setting for a VLAN 7-6
  setting for the system 3-23
Network Management
  addresses and routes 11-17
  monitoring switch events and status 11-12
Node Alias 11-31
NVRAM clearing 3-58

P
Password
  aging 3-6
  history 3-6
  set new 3-4
  setting the login 3-4
Ping 11-14
Port Mirroring 4-25
Port Priority configuring 9-2
Port String syntax used in the CLI 4-2
Port Trunking 4-28
Port(s)
  alias 4-9
  assignment scheme 4-2
  auto-negotiation and advertised ability 4-15
  broadcast suppression 4-22
  counters, reviewing statistics 4-6
  duplex mode, setting 4-10
  flow control 4-19
  link traps, configuring 4-21
  MAC lock 14-48
  priority, configuring 9-2
  speed, setting 4-10
  status, reviewing 4-4
Power over Ethernet (PoE), configuring 3-28
Priority to Transmit Queue Mapping 9-5
Prompt set 3-20

R
RADIUS 14-3
  realm 14-5
RADIUS server 14-5, 14-9
Rapid Spanning Tree Protocol (RSTP) 6-1
Rate Limiting 9-12
Related Manuals xxiv
Reset 3-57
RFC 3580 14-41

S
Scrolling Screens 1-8
Secure Shell (SSH) 14-55
  enabling 14-56
  regenerating new keys 14-56
Security methods, overview of 14-1
Serial Port downloading upgrades via 3-32
show system utilization cpu 3-14
SNMP
  access rights 5-16
  accessing in router mode 5-3
  enabling on the switch 5-18
  MIB views 5-20
  notification parameters 5-33
  notify filters 5-33
  security models and levels 5-2
  statistics 5-4
  target addresses 5-29
  target parameters 5-25
  trap configuration example 5-41
  users, groups and communities 5-8
SNTP 11-24
Spanning Tree 6-1
  backup root 6-21
  bridge parameters 6-3
  features 6-2
  port parameters 6-32
  Rapid Spanning Tree Protocol (RSTP) 6-1
SSL WebView 3-61
stacks
  installing units 2-2
  operation 2-1
  virtual switch configuration 2-4
Syslog 11-1
System Information
  displaying basic 3-12
  setting basic 3-9

T
Technical Support xxvi
Telnet
  disconnecting 11-15
  enabling in switch mode 3-38
Terminal Settings 3-24
TFTP downloading firmware upgrades via 3-32
Timeout
  CLI, system 3-26
  RADIUS 14-5
Trap SNMP configuration example 5-41
Tunnel Attributes RFC 3580 RADIUS attributes 14-41

U
User Accounts
  default 1-6
  setting 3-2

V
Version Information 3-22
virtual switch, configuring 2-4
VLANs
  assigning ingress filtering 7-11
  assigning port VLAN IDs 7-8
  authentication 14-41, 14-44
  creating static 7-5
  dynamic egress 7-19
  egress lists 7-14, 14-42
  enabling GVRP 7-23
  forbidden ports 7-15
  host, setting 7-20
  ingress filtering 7-8
  naming 7-6
  RADIUS 14-41
  secure management, creating 7-1

W
WebView 1-2, 3-59
WebView SSL 3-61
