Scribd Logo
Hochladen

Willkommen bei Scribd!

  • C2 Config Guide-9033991-17 - C2

    Hochgeladen von

    Peter Briggs
    109 Ansichten698 Seiten
    Enterasys NETWORKS reserves the right to make changes in specifications and other information contained in this document and its WEB SITE without prior notice. Hardware, firmware, or software described in this document is subject to change without notice. In NO EVENT SHALL Enterasys be LIABLE FOR any INCIDENTAL, INDIRECT, SPECIAL, or CONSEQUENTIAL damages whatsoever.

    Originalbeschreibung:

    Originaltitel

    C2 Config guide-9033991-17_C2

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Verfügbare Formate

    PDF, TXT oder online auf Scribd lesen

    Stufen Sie dieses Dokument als nützlich ein?

    Sind diese Inhalte unangemessen?

    Dieses Dokument melden
    Enterasys NETWORKS reserves the right to make changes in specifications and other information contained in this document and its WEB SITE without prior notice. Hardware, firmware, or software described in this document is subject to change without notice. In NO EVENT SHALL Enterasys be LIABLE FOR any INCIDENTAL, INDIRECT, SPECIAL, or CONSEQUENTIAL damages whatsoever.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    109 Ansichten698 Seiten

    C2 Config Guide-9033991-17 - C2

    Hochgeladen von

    Peter Briggs
    Enterasys NETWORKS reserves the right to make changes in specifications and other information contained in this document and its WEB SITE without prior notice. Hardware, firmware, or software described in this document is subject to change without notice. In NO EVENT SHALL Enterasys be LIABLE FOR any INCIDENTAL, INDIRECT, SPECIAL, or CONSEQUENTIAL damages whatsoever.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    von 698

    Enterasys SecureStack C2

    Stackable Switches

    Configuration Guide
    Firmware Version 5.02.xx.xxxx

    P/N 9033991-17

    Notice
    EnterasysNetworksreservestherighttomakechangesinspecificationsandotherinformationcontainedinthisdocumentand itswebsitewithoutpriornotice.ThereadershouldinallcasesconsultEnterasysNetworkstodeterminewhetheranysuch changeshavebeenmade. Thehardware,firmware,orsoftwaredescribedinthisdocumentissubjecttochangewithoutnotice. INNOEVENTSHALLENTERASYSNETWORKSBELIABLEFORANYINCIDENTAL,INDIRECT,SPECIAL,OR CONSEQUENTIALDAMAGESWHATSOEVER(INCLUDINGBUTNOTLIMITEDTOLOSTPROFITS)ARISINGOUTOF ORRELATEDTOTHISDOCUMENT,WEBSITE,ORTHEINFORMATIONCONTAINEDINTHEM,EVENIFENTERASYS NETWORKSHASBEENADVISEDOF,KNEWOF,ORSHOULDHAVEKNOWNOF,THEPOSSIBILITYOFSUCH DAMAGES. EnterasysNetworks,Inc. 50MinutemanRoad Andover,MA01810 2008EnterasysNetworks,Inc.Allrightsreserved. PartNumber: 903399117 September2008 ENTERASYS,ENTERASYSNETWORKS,ENTERASYSSECURENETWORKS,SECURESTACK,ENTERASYS SECURESTACK,ENTERASYSNETSIGHT,WEBVIEW,andanylogosassociatedtherewith,aretrademarksorregistered trademarksofEnterasysNetworks,Inc.intheUnitedStatesandothercountries.ForacompletelistofEnterasystrademarks, seehttp://www.enterasys.com/company/trademarks.aspx. Allotherproductnamesmentionedinthismanualmaybetrademarksorregisteredtrademarksoftheirrespectivecompanies. DocumentationURL:http://www.enterasys.com/support/manuals DocumentacionURL:http://www.enterasys.com/support/manuals DokumentationimInternet:http://www.enterasys.com/support/manuals

    Version:

    Information in this guide refers to SecureStack C2 firmware version 5.02.xx.xxxx or higher.

    ENTERASYS NETWORKS, INC. FIRMWARE LICENSE AGREEMENT


    BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT.
    Thisdocumentisanagreement(Agreement)betweentheenduser(You)andEnterasysNetworks,Inc.,onbehalf ofitselfanditsAffiliates(ashereinafterdefined)(Enterasys)thatsetsforthYourrightsandobligationswithrespect totheEnterasyssoftwareprogram/firmware(includinganyaccompanyingdocumentation,hardwareormedia) (Program)inthepackageandprevailsoveranyadditional,conflictingorinconsistenttermsandconditions appearingonanypurchaseorderorotherdocumentsubmittedbyYou.Affiliatemeansanyperson,partnership, corporation,limitedliabilitycompany,otherformofenterprisethatdirectlyorindirectlythroughoneormore intermediaries,controls,oriscontrolledby,orisundercommoncontrolwiththepartyspecified.ThisAgreement constitutestheentireunderstandingbetweentheparties,withrespecttothesubjectmatterofthisAgreement.The Programmaybecontainedinfirmware,chipsorothermedia. BYINSTALLINGOROTHERWISEUSINGTHEPROGRAM,YOUREPRESENTTHATYOUAREAUTHORIZEDTO ACCEPTTHESETERMSONBEHALFOFTHEENDUSER(IFTHEENDUSERISANENTITYONWHOSEBEHALF YOUAREAUTHORIZEDTOACT,YOUANDYOURSHALLBEDEEMEDTOREFERTOSUCHENTITY)AND THATYOUAGREETHATYOUAREBOUNDBYTHETERMSOFTHISAGREEMENT,WHICHINCLUDES, AMONGOTHERPROVISIONS,THELICENSE,THEDISCLAIMEROFWARRANTYANDTHELIMITATIONOF LIABILITY.IFYOUDONOTAGREETOTHETERMSOFTHISAGREEMENTORARENOTAUTHORIZEDTO ENTERINTOTHISAGREEMENT,ENTERASYSISUNWILLINGTOLICENSETHEPROGRAMTOYOUANDYOU AGREETORETURNTHEUNOPENEDPRODUCTTOENTERASYSORYOURDEALER,IFANY,WITHINTEN (10)DAYSFOLLOWINGTHEDATEOFRECEIPTFORAFULLREFUND. IFYOUHAVEANYQUESTIONSABOUTTHISAGREEMENT,CONTACTENTERASYSNETWORKS,LEGAL DEPARTMENTAT(978)6841000. YouandEnterasysagreeasfollows: 1. LICENSE. Youhavethenonexclusiveandnontransferablerighttouseonlytheone(1)copyoftheProgram providedinthispackagesubjecttothetermsandconditionsofthisAgreement. 2. RESTRICTIONS. ExceptasotherwiseauthorizedinwritingbyEnterasys,Youmaynot,normayYoupermitany thirdpartyto: (a) Reverseengineer,decompile,disassembleormodifytheProgram,inwholeorinpart,includingforreasons oferrorcorrectionorinteroperability,excepttotheextentexpresslypermittedbyapplicablelawandtothe extentthepartiesshallnotbepermittedbythatapplicablelaw,suchrightsareexpresslyexcluded. InformationnecessarytoachieveinteroperabilityorcorrecterrorsisavailablefromEnterasysuponrequest anduponpaymentofEnterasysapplicablefee. (b) IncorporatethePrograminwholeorinpart,inanyotherproductorcreatederivativeworksbasedonthe Program,inwholeorinpart. (c) Publish,disclose,copyreproduceortransmittheProgram,inwholeorinpart. (d) Assign,sell,license,sublicense,rent,lease,encumberbywayofsecurityinterest,pledgeorotherwisetransfer theProgram,inwholeorinpart. (e) Removeanycopyright,trademark,proprietaryrights,disclaimerorwarningnoticeincludedonorembedded inanypartoftheProgram. 3. APPLICABLELAW. ThisAgreementshallbeinterpretedandgovernedunderthelawsandinthestateand federalcourtsoftheCommonwealthofMassachusettswithoutregardtoitsconflictsoflawsprovisions.Youacceptthe personaljurisdictionandvenueoftheCommonwealthofMassachusettscourts.Noneofthe1980UnitedNations ConventionontheLimitationPeriodintheInternationalSaleofGoods,andtheUniformComputerInformation TransactionsActshallapplytothisAgreement. 4. EXPORTRESTRICTIONS. YouunderstandthatEnterasysanditsAffiliatesaresubjecttoregulationbyagencies oftheU.S.Government,includingtheU.S.DepartmentofCommerce,whichprohibitexportordiversionofcertain technicalproductstocertaincountries,unlessalicensetoexporttheproductisobtainedfromtheU.S.Governmentor anexceptionfromobtainingsuchlicensemayberelieduponbytheexportingparty. IftheProgramisexportedfromtheUnitedStatespursuanttotheLicenseExceptionCIVundertheU.S.Export AdministrationRegulations,YouagreethatYouareacivilenduseroftheProgramandagreethatYouwillusethe Programforcivilendusesonlyandnotformilitarypurposes.

    ii

    IftheProgramisexportedfromtheUnitedStatespursuanttotheLicenseExceptionTSRundertheU.S.Export AdministrationRegulations,inadditiontotherestrictionontransfersetforthinSection1or2ofthisAgreement,You agreenotto(i)reexportorreleasetheProgram,thesourcecodefortheProgramortechnologytoanationalofa countryinCountryGroupsD:1orE:2(Albania,Armenia,Azerbaijan,Belarus,Cambodia,Cuba,Georgia,Iraq, Kazakhstan,Laos,Libya,Macau,Moldova,Mongolia,NorthKorea,thePeoplesRepublicofChina,Russia,Tajikistan, Turkmenistan,Ukraine,Uzbekistan,Vietnam,orsuchothercountriesasmaybedesignatedbytheUnitedStates Government),(ii)exporttoCountryGroupsD:1orE:2(asdefinedherein)thedirectproductoftheProgramorthe technology,ifsuchforeignproduceddirectproductissubjecttonationalsecuritycontrolsasidentifiedontheU.S. CommerceControlList,or(iii)ifthedirectproductofthetechnologyisacompleteplantoranymajorcomponentofa plant,exporttoCountryGroupsD:1orE:2thedirectproductoftheplantoramajorcomponentthereof,ifsuch foreignproduceddirectproductissubjecttonationalsecuritycontrolsasidentifiedontheU.S.CommerceControl ListorissubjecttoStateDepartmentcontrolsundertheU.S.MunitionsList. 5. UNITEDSTATESGOVERNMENTRESTRICTEDRIGHTS. TheenclosedProgram(i)wasdevelopedsolelyat privateexpense;(ii)containsrestrictedcomputersoftwaresubmittedwithrestrictedrightsinaccordancewithsection 52.22719(a)through(d)oftheCommercialComputerSoftwareRestrictedRightsClauseanditssuccessors,and(iii)in allrespectsisproprietarydatabelongingtoEnterasysand/oritssuppliers.ForDepartmentofDefenseunits,the ProgramisconsideredcommercialcomputersoftwareinaccordancewithDFARSsection227.72023anditssuccessors, anduse,duplication,ordisclosurebytheU.S.Governmentissubjecttorestrictionssetforthherein. 6. DISCLAIMEROFWARRANTY. EXCEPTFORTHOSEWARRANTIESEXPRESSLYPROVIDEDTOYOUIN WRITINGBYENTERASYS,ENTERASYSDISCLAIMSALLWARRANTIES,EITHEREXPRESSORIMPLIED, INCLUDINGBUTNOTLIMITEDTOIMPLIEDWARRANTIESOFMERCHANTABILITY,SATISFACTORY QUALITY,FITNESSFORAPARTICULARPURPOSE,TITLEANDNONINFRINGEMENTWITHRESPECTTOTHE PROGRAM.IFIMPLIEDWARRANTIESMAYNOTBEDISCLAIMEDBYAPPLICABLELAW,THENANYIMPLIED WARRANTIESARELIMITEDINDURATIONTOTHIRTY(30)DAYSAFTERDELIVERYOFTHEPROGRAMTO YOU. 7. LIMITATIONOFLIABILITY. INNOEVENTSHALLENTERASYSORITSSUPPLIERSBELIABLEFORANY DAMAGESWHATSOEVER(INCLUDING,WITHOUTLIMITATION,DAMAGESFORLOSSOFBUSINESS, PROFITS,BUSINESSINTERRUPTION,LOSSOFBUSINESSINFORMATION,SPECIAL,INCIDENTAL, CONSEQUENTIAL,ORRELIANCEDAMAGES,OROTHERLOSS)ARISINGOUTOFTHEUSEORINABILITYTO USETHEPROGRAM,EVENIFENTERASYSHASBEENADVISEDOFTHEPOSSIBILITYOFSUCHDAMAGES. THISFOREGOINGLIMITATIONSHALLAPPLYREGARDLESSOFTHECAUSEOFACTIONUNDERWHICH DAMAGESARESOUGHT. THECUMULATIVELIABILITYOFENTERASYSTOYOUFORALLCLAIMSRELATINGTOTHEPROGRAM, INCONTRACT,TORTOROTHERWISE,SHALLNOTEXCEEDTHETOTALAMOUNTOFFEESPAIDTO ENTERASYSBYYOUFORTHERIGHTSGRANTEDHEREIN. 8. AUDITRIGHTS. YouherebyacknowledgethattheintellectualpropertyrightsassociatedwiththeProgramare ofcriticalvaluetoEnterasys,and,accordingly,Youherebyagreetomaintaincompletebooks,recordsandaccounts showing(i)licensefeesdueandpaid,and(ii)theuse,copyinganddeploymentoftheProgram.Youalsograntto Enterasysanditsauthorizedrepresentatives,uponreasonablenotice,therighttoauditandexamineduringYour normalbusinesshours,Yourbooks,records,accountsandhardwaredevicesuponwhichtheProgrammaybedeployed toverifycompliancewiththisAgreement,includingtheverificationofthelicensefeesdueandpaidEnterasysandthe use,copyinganddeploymentoftheProgram.Enterasysrightofexaminationshallbeexercisedreasonably,ingood faithandinamannercalculatedtonotunreasonablyinterferewithYourbusiness.Intheeventsuchauditdiscovers noncompliancewiththisAgreement,includingcopiesoftheProgrammade,usedordeployedinbreachofthis Agreement,YoushallpromptlypaytoEnterasystheappropriatelicensefees.Enterasysreservestheright,tobe exercisedinitssolediscretionandwithoutpriornotice,toterminatethislicense,effectiveimmediately,forfailureto complywiththisAgreement.Uponanysuchtermination,YoushallimmediatelyceasealluseoftheProgramandshall returntoEnterasystheProgramandallcopiesoftheProgram. 9. OWNERSHIP. Thisisalicenseagreementandnotanagreementforsale.Youacknowledgeandagreethatthe Programconstitutestradesecretsand/orcopyrightedmaterialofEnterasysand/oritssuppliers.Youagreeto implementreasonablesecuritymeasurestoprotectsuchtradesecretsandcopyrightedmaterial.Allright,titleand interestinandtotheProgramshallremainwithEnterasysand/oritssuppliers.Allrightsnotspecificallygrantedto YoushallbereservedtoEnterasys.

    iii

    10. ENFORCEMENT. YouacknowledgeandagreethatanybreachofSections2,4,or9ofthisAgreementbyYoumay causeEnterasysirreparabledamageforwhichrecoveryofmoneydamageswouldbeinadequate,andthatEnterasys maybeentitledtoseektimelyinjunctiverelieftoprotectEnterasysrightsunderthisAgreementinadditiontoanyand allremediesavailableatlaw. 11. ASSIGNMENT. Youmaynotassign,transferorsublicensethisAgreementoranyofYourrightsorobligations underthisAgreement,exceptthatYoumayassignthisAgreementtoanypersonorentitywhichacquiressubstantially allofYourstockassets.EnterasysmayassignthisAgreementinitssolediscretion.ThisAgreementshallbebinding uponandinuretothebenefitoftheparties,theirlegalrepresentatives,permittedtransferees,successorsandassignsas permittedbythisAgreement.Anyattemptedassignment,transferorsublicenseinviolationofthetermsofthis AgreementshallbevoidandabreachofthisAgreement. 12. WAIVER. AwaiverbyEnterasysofabreachofanyofthetermsandconditionsofthisAgreementmustbein writingandwillnotbeconstruedasawaiverofanysubsequentbreachofsuchtermorcondition.Enterasysfailureto enforceatermuponYourbreachofsuchtermshallnotbeconstruedasawaiverofYourbreachorpreventenforcement onanyotheroccasion. 13. SEVERABILITY. IntheeventanyprovisionofthisAgreementisfoundtobeinvalid,illegalorunenforceable,the validity,legalityandenforceabilityofanyoftheremainingprovisionsshallnotinanywaybeaffectedorimpaired thereby,andthatprovisionshallbereformed,construedandenforcedtothemaximumextentpermissible.Anysuch invalidity,illegality,orunenforceabilityinanyjurisdictionshallnotinvalidateorrenderillegalorunenforceablesuch provisioninanyotherjurisdiction. 14. TERMINATION. EnterasysmayterminatethisAgreementimmediatelyuponYourbreachofanyoftheterms andconditionsofthisAgreement.Uponanysuchtermination,YoushallimmediatelyceasealluseoftheProgramand shallreturntoEnterasystheProgramandallcopiesoftheProgram.

    iv

    Contents
    About This Guide
    Using This Guide ........................................................................................................................................... xxix Structure of This Guide .................................................................................................................................. xxix Related Documents ....................................................................................................................................... xxxi Conventions Used in This Guide ................................................................................................................... xxxi Getting Help .................................................................................................................................................. xxxii

    Chapter 1: Introduction
    SecureStack C2 CLI Overview ....................................................................................................................... 1-1 Switch Management Methods ........................................................................................................................ 1-1 Factory Default Settings ................................................................................................................................. 1-2 Using the Command Line Interface ................................................................................................................ 1-6 Starting a CLI Session ............................................................................................................................. 1-6 Logging In ................................................................................................................................................ 1-7 Navigating the Command Line Interface .................................................................................................. 1-8

    Chapter 2: Configuring Switches in a Stack


    About SecureStack C2 Switch Operation in a Stack ...................................................................................... 2-1 Installing a New Stackable System of Up to Eight Units ................................................................................ 2-2 Installing Previously-Configured Systems in a Stack ..................................................................................... 2-3 Adding a New Unit to an Existing Stack ......................................................................................................... 2-3 Creating a Virtual Switch Configuration .......................................................................................................... 2-3 Considerations About Using Clear Config in a Stack ..................................................................................... 2-5 Issues Related to Mixed Type Stacks ............................................................................................................ 2-5 Feature Support ....................................................................................................................................... 2-5 Configuration ............................................................................................................................................ 2-5 Stacking Configuration and Management Commands ................................................................................... 2-6 Purpose .................................................................................................................................................... 2-6 Commands ............................................................................................................................................... 2-6 show switch ........................................................................................................................................ 2-6 show switch switchtype ...................................................................................................................... 2-7 show switch stack-ports...................................................................................................................... 2-8 set switch ............................................................................................................................................ 2-9 set switch copy-fw ............................................................................................................................ 2-10 set switch description ....................................................................................................................... 2-10 set switch movemanagement ........................................................................................................... 2-11 set switch member............................................................................................................................ 2-11 clear switch member......................................................................................................................... 2-12

    Chapter 3: Basic Configuration


    Quick Start Setup Commands ........................................................................................................................ 3-1 Setting User Accounts and Passwords .......................................................................................................... 3-2 Purpose .................................................................................................................................................... 3-2 Commands ............................................................................................................................................... 3-2 show system login .............................................................................................................................. 3-3 set system login .................................................................................................................................. 3-4 clear system login ............................................................................................................................... 3-4 set password ...................................................................................................................................... 3-5 set system password length ............................................................................................................... 3-6 set system password aging ................................................................................................................3-6

    set system password history .............................................................................................................. 3-7 show system lockout .......................................................................................................................... 3-7 set system lockout .............................................................................................................................. 3-8 Setting Basic Switch Properties ...................................................................................................................... 3-9 Purpose .................................................................................................................................................... 3-9 Commands ............................................................................................................................................... 3-9 show ip address................................................................................................................................ 3-10 set ip address ................................................................................................................................... 3-11 clear ip address ................................................................................................................................ 3-11 show ip protocol................................................................................................................................ 3-12 set ip protocol ................................................................................................................................... 3-12 show system..................................................................................................................................... 3-13 show system hardware..................................................................................................................... 3-14 show system utilization..................................................................................................................... 3-15 show system enhancedbuffermode .................................................................................................. 3-16 set system enhancedbuffermode ..................................................................................................... 3-16 set system temperature .................................................................................................................... 3-17 clear system temperature ................................................................................................................. 3-18 show time ......................................................................................................................................... 3-19 set time ............................................................................................................................................. 3-19 show summertime ............................................................................................................................ 3-20 set summertime ................................................................................................................................ 3-20 set summertime date ........................................................................................................................ 3-21 set summertime recurring ................................................................................................................. 3-21 clear summertime ............................................................................................................................. 3-22 set prompt......................................................................................................................................... 3-23 show banner motd ............................................................................................................................ 3-23 set banner motd................................................................................................................................ 3-24 clear banner motd............................................................................................................................. 3-24 show version..................................................................................................................................... 3-25 set system name .............................................................................................................................. 3-26 set system location ........................................................................................................................... 3-26 set system contact............................................................................................................................ 3-27 set width ........................................................................................................................................... 3-27 set length .......................................................................................................................................... 3-28 show logout ...................................................................................................................................... 3-28 set logout ......................................................................................................................................... 3-29 show console .................................................................................................................................... 3-29 set console baud .............................................................................................................................. 3-30 Downloading a Firmware Image ................................................................................................................... 3-30 Downloading from a TFTP Server .......................................................................................................... 3-31 Downloading via the Serial Port ............................................................................................................. 3-31 Reverting to a Previous Image ............................................................................................................... 3-33 Reviewing and Selecting a Boot Firmware Image ........................................................................................ 3-33 Purpose .................................................................................................................................................. 3-33 Commands ............................................................................................................................................. 3-33 show boot system ............................................................................................................................. 3-34 set boot system ................................................................................................................................ 3-34 Starting and Configuring Telnet .................................................................................................................... 3-35 Purpose .................................................................................................................................................. 3-35 Commands ............................................................................................................................................. 3-35 show telnet ....................................................................................................................................... 3-36 set telnet ........................................................................................................................................... 3-36 telnet................................................................................................................................................. 3-37 Managing Switch Configuration and Files .................................................................................................... 3-37 Configuration Persistence Mode ............................................................................................................ 3-37
    vi

    Purpose .................................................................................................................................................. 3-38 Commands ............................................................................................................................................. 3-38 show snmp persistmode ................................................................................................................... 3-38 set snmp persistmode ...................................................................................................................... 3-39 save config ....................................................................................................................................... 3-39 dir...................................................................................................................................................... 3-40 show file............................................................................................................................................ 3-41 show config....................................................................................................................................... 3-41 configure ........................................................................................................................................... 3-42 copy .................................................................................................................................................. 3-43 delete................................................................................................................................................ 3-44 show tftp settings.............................................................................................................................. 3-44 set tftp timeout .................................................................................................................................. 3-45 clear tftp timeout ............................................................................................................................... 3-45 set tftp retry....................................................................................................................................... 3-46 clear tftp retry.................................................................................................................................... 3-46 Clearing and Closing the CLI ........................................................................................................................ 3-47 Purpose .................................................................................................................................................. 3-47 Commands ............................................................................................................................................. 3-47 cls (clear screen) .............................................................................................................................. 3-47 exit .................................................................................................................................................... 3-47 Resetting the Switch ..................................................................................................................................... 3-48 Purpose .................................................................................................................................................. 3-48 Commands ............................................................................................................................................. 3-48 reset.................................................................................................................................................. 3-48 clear config ....................................................................................................................................... 3-49 Using and Configuring WebView .................................................................................................................. 3-50 Purpose .................................................................................................................................................. 3-50 Commands ............................................................................................................................................. 3-50 show webview .................................................................................................................................. 3-50 set webview ...................................................................................................................................... 3-51 show ssl............................................................................................................................................ 3-51 set ssl ............................................................................................................................................... 3-52 Gathering Technical Support Information ..................................................................................................... 3-52 Purpose .................................................................................................................................................. 3-52 Command ............................................................................................................................................... 3-52 show support .................................................................................................................................... 3-53

    Chapter 4: Activating Licensed Features


    Purpose .................................................................................................................................................... 4-1 Commands ............................................................................................................................................... 4-1 license advanced ................................................................................................................................ 4-1 show license ....................................................................................................................................... 4-2 no license advanced........................................................................................................................... 4-2

    Chapter 5: Configuring System Power and PoE


    Commands ..................................................................................................................................................... 5-1 show inlinepower ................................................................................................................................ 5-1 set inlinepower threshold.................................................................................................................... 5-2 set inlinepower trap ............................................................................................................................ 5-3 set inlinepower detectionmode ........................................................................................................... 5-3 show port inlinepower ......................................................................................................................... 5-4 set port inlinepower ............................................................................................................................ 5-5

    vii

    Chapter 6: Discovery Protocol Configuration


    Configuring CDP ............................................................................................................................................. 6-1 Purpose .................................................................................................................................................... 6-1 Commands ............................................................................................................................................... 6-1 show cdp ............................................................................................................................................ 6-2 set cdp state ....................................................................................................................................... 6-3 set cdp auth ........................................................................................................................................ 6-4 set cdp interval ................................................................................................................................... 6-4 set cdp hold-time ................................................................................................................................ 6-5 clear cdp ............................................................................................................................................. 6-5 show neighbors .................................................................................................................................. 6-6 Configuring Cisco Discovery Protocol ............................................................................................................ 6-7 Purpose .................................................................................................................................................... 6-7 Commands ............................................................................................................................................... 6-7 show ciscodp ...................................................................................................................................... 6-7 show ciscodp port info ........................................................................................................................ 6-8 set ciscodp status ............................................................................................................................... 6-9 set ciscodp timer................................................................................................................................. 6-9 set ciscodp holdtime ......................................................................................................................... 6-10 set ciscodp port ................................................................................................................................ 6-10 clear ciscodp..................................................................................................................................... 6-12 Configuring Link Layer Discovery Protocol and LLDP-MED ........................................................................ 6-13 Overview ................................................................................................................................................ 6-13 Purpose .................................................................................................................................................. 6-13 Commands ............................................................................................................................................. 6-13 Configuration Tasks ............................................................................................................................... 6-14 show lldp........................................................................................................................................... 6-14 show lldp port status......................................................................................................................... 6-15 show lldp port trap ............................................................................................................................ 6-16 show lldp port tx-tlv........................................................................................................................... 6-16 show lldp port location-info ............................................................................................................... 6-17 show lldp port local-info .................................................................................................................... 6-18 show lldp port remote-info ................................................................................................................ 6-20 set lldp tx-interval.............................................................................................................................. 6-22 set lldp hold-multiplier ....................................................................................................................... 6-22 set lldp trap-interval .......................................................................................................................... 6-23 set lldp med-fast-repeat .................................................................................................................... 6-23 set lldp port status ............................................................................................................................ 6-24 set lldp port trap................................................................................................................................ 6-24 set lldp port med-trap........................................................................................................................ 6-25 set lldp port tx-tlv .............................................................................................................................. 6-25 clear lldp ........................................................................................................................................... 6-27 clear lldp port status ......................................................................................................................... 6-27 clear lldp port trap ............................................................................................................................. 6-28 clear lldp port med-trap..................................................................................................................... 6-28 clear lldp port tx-tlv ........................................................................................................................... 6-29

    Chapter 7: Port Configuration


    Port Configuration Summary .......................................................................................................................... 7-1 C2H124-48 and C2H124-48P Switch Ports ............................................................................................. 7-1 C2G124-24, C2G124-48, and C2G124-48P Switch Ports ....................................................................... 7-1 C2G134-24P Switch Ports ....................................................................................................................... 7-2 C2K122-24 Switch Ports .......................................................................................................................... 7-2 C2G170-24 Switch Ports .......................................................................................................................... 7-2 Port String Syntax Used in the CLI .......................................................................................................... 7-2

    viii

    Reviewing Port Status .................................................................................................................................... 7-3 Purpose .................................................................................................................................................... 7-3 Commands ............................................................................................................................................... 7-3 show port ............................................................................................................................................ 7-3 show port status ................................................................................................................................. 7-4 show port counters ............................................................................................................................. 7-5 Disabling / Enabling and Naming Ports .......................................................................................................... 7-6 Purpose .................................................................................................................................................... 7-6 Commands ............................................................................................................................................... 7-7 set port disable ................................................................................................................................... 7-7 set port enable.................................................................................................................................... 7-7 show port alias.................................................................................................................................... 7-8 set port alias ....................................................................................................................................... 7-8 Setting Speed and Duplex Mode .................................................................................................................. 7-10 Purpose .................................................................................................................................................. 7-10 Commands ............................................................................................................................................. 7-10 show port speed ............................................................................................................................... 7-10 set port speed................................................................................................................................... 7-11 show port duplex .............................................................................................................................. 7-11 set port duplex .................................................................................................................................. 7-12 Enabling / Disabling Jumbo Frame Support ................................................................................................. 7-13 Purpose .................................................................................................................................................. 7-13 Commands ............................................................................................................................................. 7-13 show port jumbo ............................................................................................................................... 7-13 set port jumbo................................................................................................................................... 7-14 clear port jumbo ................................................................................................................................ 7-14 Setting Auto-Negotiation and Advertised Ability ........................................................................................... 7-15 Purpose .................................................................................................................................................. 7-15 Commands ............................................................................................................................................. 7-15 show port negotiation ....................................................................................................................... 7-15 set port negotiation ........................................................................................................................... 7-16 show port advertise .......................................................................................................................... 7-16 set port advertise .............................................................................................................................. 7-17 clear port advertise ........................................................................................................................... 7-18 Setting Flow Control ..................................................................................................................................... 7-19 Purpose .................................................................................................................................................. 7-19 Commands ............................................................................................................................................. 7-19 show flowcontrol ............................................................................................................................... 7-19 set flowcontrol................................................................................................................................... 7-19 Setting Port Link Traps and Link Flap Detection .......................................................................................... 7-21 Purpose .................................................................................................................................................. 7-21 Commands ............................................................................................................................................. 7-21 show port trap................................................................................................................................... 7-21 set port trap ...................................................................................................................................... 7-22 show linkflap ..................................................................................................................................... 7-22 set linkflap globalstate ...................................................................................................................... 7-25 set linkflap portstate.......................................................................................................................... 7-25 set linkflap interval ............................................................................................................................ 7-26 set linkflap action .............................................................................................................................. 7-26 clear linkflap action ........................................................................................................................... 7-27 set linkflap threshold......................................................................................................................... 7-27 set linkflap downtime ........................................................................................................................ 7-28 clear linkflap down ............................................................................................................................ 7-28 clear linkflap...................................................................................................................................... 7-29 Configuring Broadcast Suppression ............................................................................................................. 7-30 Purpose .................................................................................................................................................. 7-30
    ix

    Commands ............................................................................................................................................. 7-30 show port broadcast ......................................................................................................................... 7-30 set port broadcast............................................................................................................................. 7-31 clear port broadcast.......................................................................................................................... 7-31 Port Mirroring ................................................................................................................................................ 7-33 Mirroring Features .................................................................................................................................. 7-33 Configuring SMON MIB Port Mirroring ................................................................................................... 7-33 Purpose .................................................................................................................................................. 7-34 Commands ............................................................................................................................................. 7-34 show port mirroring........................................................................................................................... 7-35 set port mirroring .............................................................................................................................. 7-35 clear port mirroring ........................................................................................................................... 7-36 Link Aggregation Control Protocol (LACP) ................................................................................................... 7-38 LACP Operation ..................................................................................................................................... 7-38 LACP Terminology ................................................................................................................................. 7-39 SecureStack C2 Usage Considerations ................................................................................................. 7-39 Commands ............................................................................................................................................. 7-40 show lacp.......................................................................................................................................... 7-41 set lacp ............................................................................................................................................. 7-42 set lacp asyspri................................................................................................................................. 7-43 set lacp aadminkey........................................................................................................................... 7-43 clear lacp .......................................................................................................................................... 7-44 set lacp static.................................................................................................................................... 7-44 clear lacp static ................................................................................................................................. 7-45 set lacp singleportlag........................................................................................................................ 7-46 clear lacp singleportlag..................................................................................................................... 7-46 show port lacp .................................................................................................................................. 7-47 set port lacp ...................................................................................................................................... 7-48 clear port lacp ................................................................................................................................... 7-50 Configuring Protected Ports ......................................................................................................................... 7-52 Protected Port Operation ....................................................................................................................... 7-52 Commands ............................................................................................................................................. 7-52 set port protected.............................................................................................................................. 7-52 show port protected .......................................................................................................................... 7-53 clear port protected........................................................................................................................... 7-53 set port protected name.................................................................................................................... 7-54 show port protected name ................................................................................................................ 7-54 clear port protected name................................................................................................................. 7-55

    Chapter 8: SNMP Configuration


    SNMP Configuration Summary ...................................................................................................................... 8-1 SNMPv1 and SNMPv2c ........................................................................................................................... 8-1 SNMPv3 ................................................................................................................................................... 8-2 About SNMP Security Models and Levels ............................................................................................... 8-2 Using SNMP Contexts to Access Specific MIBs ...................................................................................... 8-3 Configuration Considerations ................................................................................................................... 8-3 Reviewing SNMP Statistics ............................................................................................................................ 8-3 Purpose .................................................................................................................................................... 8-3 Commands ............................................................................................................................................... 8-4 show snmp engineid........................................................................................................................... 8-4 show snmp counters........................................................................................................................... 8-5 Configuring SNMP Users, Groups, and Communities .................................................................................... 8-8 Purpose .................................................................................................................................................... 8-8 Commands ............................................................................................................................................... 8-8 show snmp user ................................................................................................................................. 8-8

    set snmp user ..................................................................................................................................... 8-9 clear snmp user ................................................................................................................................ 8-10 show snmp group ............................................................................................................................. 8-11 set snmp group ................................................................................................................................. 8-12 clear snmp group .............................................................................................................................. 8-12 show snmp community ..................................................................................................................... 8-13 set snmp community......................................................................................................................... 8-14 clear snmp community...................................................................................................................... 8-14 Configuring SNMP Access Rights ................................................................................................................ 8-15 Purpose .................................................................................................................................................. 8-15 Commands ............................................................................................................................................. 8-15 show snmp access ........................................................................................................................... 8-15 set snmp access............................................................................................................................... 8-17 clear snmp access............................................................................................................................ 8-18 Configuring SNMP MIB Views ...................................................................................................................... 8-19 Purpose .................................................................................................................................................. 8-19 Commands ............................................................................................................................................. 8-19 show snmp view ............................................................................................................................... 8-19 show snmp context........................................................................................................................... 8-20 set snmp view................................................................................................................................... 8-21 clear snmp view................................................................................................................................ 8-22 Configuring SNMP Target Parameters ......................................................................................................... 8-22 Purpose .................................................................................................................................................. 8-22 Commands ............................................................................................................................................. 8-22 show snmp targetparams ................................................................................................................. 8-22 set snmp targetparams..................................................................................................................... 8-24 clear snmp targetparams.................................................................................................................. 8-24 Configuring SNMP Target Addresses .......................................................................................................... 8-25 Purpose .................................................................................................................................................. 8-25 Commands ............................................................................................................................................. 8-25 show snmp targetaddr ...................................................................................................................... 8-25 set snmp targetaddr.......................................................................................................................... 8-26 clear snmp targetaddr....................................................................................................................... 8-28 Configuring SNMP Notification Parameters ................................................................................................. 8-28 About SNMP Notify Filters ..................................................................................................................... 8-28 Purpose .................................................................................................................................................. 8-28 Commands ............................................................................................................................................. 8-29 show newaddrtrap ............................................................................................................................ 8-29 set newaddrtrap................................................................................................................................ 8-30 show snmp notify .............................................................................................................................. 8-30 set snmp notify ................................................................................................................................. 8-31 clear snmp notify .............................................................................................................................. 8-32 show snmp notifyfilter ....................................................................................................................... 8-33 set snmp notifyfilter........................................................................................................................... 8-34 clear snmp notifyfilter........................................................................................................................ 8-34 show snmp notifyprofile .................................................................................................................... 8-35 set snmp notifyprofile........................................................................................................................ 8-36 clear snmp notifyprofile..................................................................................................................... 8-36 Creating a Basic SNMP Trap Configuration ................................................................................................. 8-37 Example ................................................................................................................................................. 8-38

    xi

    Chapter 9: Spanning Tree Configuration


    Spanning Tree Configuration Summary ......................................................................................................... 9-1 Overview: Single, Rapid, and Multiple Spanning Tree Protocols ............................................................. 9-1 Spanning Tree Features .......................................................................................................................... 9-2 Loop Protect ............................................................................................................................................. 9-2 Configuring Spanning Tree Bridge Parameters .............................................................................................. 9-3 Purpose .................................................................................................................................................... 9-3 Commands ............................................................................................................................................... 9-4 show spantree stats............................................................................................................................ 9-5 set spantree........................................................................................................................................ 9-7 show spantree version........................................................................................................................ 9-7 set spantree version ........................................................................................................................... 9-8 clear spantree version ........................................................................................................................ 9-8 show spantree bpdu-forwarding ......................................................................................................... 9-9 set spantree bpdu-forwarding............................................................................................................. 9-9 show spantree bridgeprioritymode ................................................................................................... 9-10 set spantree bridgeprioritymode ....................................................................................................... 9-10 clear spantree bridgeprioritymode .................................................................................................... 9-11 show spantree mstilist ...................................................................................................................... 9-12 set spantree msti .............................................................................................................................. 9-12 clear spantree msti ........................................................................................................................... 9-13 show spantree mstmap .................................................................................................................... 9-13 set spantree mstmap ........................................................................................................................ 9-14 clear spantree mstmap ..................................................................................................................... 9-14 show spantree vlanlist ...................................................................................................................... 9-15 show spantree mstcfgid .................................................................................................................... 9-15 set spantree mstcfgid ....................................................................................................................... 9-16 clear spantree mstcfgid .................................................................................................................... 9-16 set spantree priority .......................................................................................................................... 9-17 clear spantree priority ....................................................................................................................... 9-17 set spantree hello ............................................................................................................................. 9-18 clear spantree hello .......................................................................................................................... 9-18 set spantree maxage ........................................................................................................................ 9-19 clear spantree maxage ..................................................................................................................... 9-19 set spantree fwddelay....................................................................................................................... 9-20 clear spantree fwddelay.................................................................................................................... 9-21 show spantree backuproot ............................................................................................................... 9-21 set spantree backuproot ................................................................................................................... 9-22 clear spantree backuproot ................................................................................................................ 9-22 show spantree tctrapsuppress.......................................................................................................... 9-23 set spantree tctrapsuppress ............................................................................................................. 9-23 clear spantree tctrapsuppress .......................................................................................................... 9-24 set spantree protomigration .............................................................................................................. 9-24 show spantree spanguard ................................................................................................................ 9-25 set spantree spanguard .................................................................................................................... 9-25 clear spantree spanguard ................................................................................................................. 9-26 show spantree spanguardtimeout .................................................................................................... 9-27 set spantree spanguardtimeout ........................................................................................................ 9-27 clear spantree spanguardtimeout ..................................................................................................... 9-28 show spantree spanguardlock .......................................................................................................... 9-28 clear / set spantree spanguardlock................................................................................................... 9-29 show spantree spanguardtrapenable ............................................................................................... 9-29 set spantree spanguardtrapenable ................................................................................................... 9-30 clear spantree spanguardtrapenable ................................................................................................ 9-30 show spantree legacypathcost ......................................................................................................... 9-31

    xii

    set spantree legacypathcost............................................................................................................. 9-31 clear spantree legacypathcost .......................................................................................................... 9-32 Configuring Spanning Tree Port Parameters ............................................................................................... 9-33 Purpose .................................................................................................................................................. 9-33 Commands ............................................................................................................................................. 9-33 set spantree portadmin..................................................................................................................... 9-33 clear spantree portadmin.................................................................................................................. 9-34 show spantree portadmin ................................................................................................................. 9-34 show spantree portpri ....................................................................................................................... 9-35 set spantree portpri........................................................................................................................... 9-35 clear spantree portpri........................................................................................................................ 9-36 show spantree adminpathcost .......................................................................................................... 9-37 set spantree adminpathcost ............................................................................................................. 9-37 clear spantree adminpathcost .......................................................................................................... 9-38 show spantree adminedge ............................................................................................................... 9-38 set spantree adminedge ................................................................................................................... 9-39 clear spantree adminedge ................................................................................................................ 9-39 Configuring Spanning Tree Loop Protect Parameters .................................................................................. 9-41 Purpose .................................................................................................................................................. 9-41 Commands ............................................................................................................................................. 9-41 set spantree lp .................................................................................................................................. 9-42 show spantree lp .............................................................................................................................. 9-42 clear spantree lp ............................................................................................................................... 9-43 show spantree lplock ........................................................................................................................ 9-43 clear spantree lplock......................................................................................................................... 9-44 set spantree lpcapablepartner .......................................................................................................... 9-45 show spantree lpcapablepartner ...................................................................................................... 9-45 clear spantree lpcapablepartner ....................................................................................................... 9-46 set spantree lpthreshold ................................................................................................................... 9-46 show spantree lpthreshold................................................................................................................ 9-47 clear spantree lpthreshold ................................................................................................................ 9-47 set spantree lpwindow ...................................................................................................................... 9-48 show spantree lpwindow .................................................................................................................. 9-48 clear spantree lpwindow ................................................................................................................... 9-49 set spantree lptrapenable ................................................................................................................. 9-49 show spantree lptrapenable ............................................................................................................. 9-50 clear spantree lptrapenable .............................................................................................................. 9-50 set spantree disputedbpduthreshold ................................................................................................ 9-51 show spantree disputedbpduthreshold ............................................................................................. 9-52 clear spantree disputedbpduthreshold ............................................................................................. 9-52 show spantree nonforwardingreason ............................................................................................... 9-53

    Chapter 10: 802.1Q VLAN Configuration


    VLAN Configuration Summary ..................................................................................................................... 10-1 Port String Syntax Used in the CLI ........................................................................................................ 10-1 Creating a Secure Management VLAN .................................................................................................. 10-1 Viewing VLANs ............................................................................................................................................. 10-2 Purpose .................................................................................................................................................. 10-2 Command ............................................................................................................................................... 10-3 show vlan.......................................................................................................................................... 10-3 Creating and Naming Static VLANs ............................................................................................................. 10-5 Purpose .................................................................................................................................................. 10-5 Commands ............................................................................................................................................. 10-5 set vlan ............................................................................................................................................. 10-5 set vlan name ................................................................................................................................... 10-6

    xiii

    clear vlan .......................................................................................................................................... 10-6 clear vlan name ................................................................................................................................ 10-7 Assigning Port VLAN IDs (PVIDs) and Ingress Filtering .............................................................................. 10-8 Purpose .................................................................................................................................................. 10-8 Commands ............................................................................................................................................. 10-8 show port vlan .................................................................................................................................. 10-8 set port vlan ...................................................................................................................................... 10-9 clear port vlan ................................................................................................................................... 10-9 show port ingress filter.................................................................................................................... 10-10 set port ingress filter ....................................................................................................................... 10-11 show port discard ........................................................................................................................... 10-11 set port discard ............................................................................................................................... 10-12 Configuring the VLAN Egress List .............................................................................................................. 10-13 Purpose ................................................................................................................................................ 10-13 Commands ........................................................................................................................................... 10-13 show port egress ............................................................................................................................ 10-13 set vlan forbidden ........................................................................................................................... 10-14 set vlan egress ............................................................................................................................... 10-15 clear vlan egress ............................................................................................................................ 10-15 show vlan dynamicegress .............................................................................................................. 10-16 set vlan dynamicegress .................................................................................................................. 10-17 Setting the Host VLAN ................................................................................................................................ 10-18 Purpose ................................................................................................................................................ 10-18 Commands ........................................................................................................................................... 10-18 show host vlan................................................................................................................................ 10-18 set host vlan ................................................................................................................................... 10-18 clear host vlan ................................................................................................................................ 10-19 Enabling/Disabling GVRP (GARP VLAN Registration Protocol) ................................................................ 10-20 About GARP VLAN Registration Protocol (GVRP) .............................................................................. 10-20 Purpose ................................................................................................................................................ 10-21 Commands ........................................................................................................................................... 10-21 show gvrp ....................................................................................................................................... 10-22 show garp timer .............................................................................................................................. 10-22 set gvrp........................................................................................................................................... 10-23 clear gvrp ........................................................................................................................................ 10-24 set garp timer.................................................................................................................................. 10-24

    Chapter 11: Policy Classification Configuration


    Policy Classification Configuration Summary ............................................................................................... 11-1 Configuring Policy Profiles ............................................................................................................................ 11-1 Purpose .................................................................................................................................................. 11-1 Commands ............................................................................................................................................. 11-2 show policy profile ............................................................................................................................ 11-2 set policy profile ................................................................................................................................ 11-3 clear policy profile ............................................................................................................................. 11-4 Configuring Classification Rules ................................................................................................................... 11-6 Purpose .................................................................................................................................................. 11-6 Commands ............................................................................................................................................. 11-6 show policy rule ................................................................................................................................ 11-6 show policy capability ....................................................................................................................... 11-8 set policy rule.................................................................................................................................. 11-10 clear policy rule............................................................................................................................... 11-13 clear policy all-rules ........................................................................................................................ 11-14 Assigning Ports to Policy Profiles ............................................................................................................... 11-15 Purpose ................................................................................................................................................ 11-15

    xiv

    Commands ........................................................................................................................................... 11-15 set policy port ................................................................................................................................. 11-15 clear policy port .............................................................................................................................. 11-16 Configuring Policy Class of Service (CoS) ................................................................................................. 11-17 About Policy-Based CoS Configurations .............................................................................................. 11-17 About CoS-Based Flood Control .......................................................................................................... 11-19 Commands ........................................................................................................................................... 11-20 set cos state ................................................................................................................................... 11-20 show cos state................................................................................................................................ 11-21 clear cos state ................................................................................................................................ 11-21 set cos settings............................................................................................................................... 11-22 clear cos settings ............................................................................................................................ 11-23 show cos settings ........................................................................................................................... 11-23 set cos port-config .......................................................................................................................... 11-24 show cos port-config....................................................................................................................... 11-25 clear cos port-config ....................................................................................................................... 11-26 set cos port-resource irl .................................................................................................................. 11-27 set cos port-resource flood-ctrl ....................................................................................................... 11-28 show cos port-resource .................................................................................................................. 11-29 clear cos port-resource irl ............................................................................................................... 11-30 clear cos port-resource flood-ctrl .................................................................................................... 11-31 set cos reference ............................................................................................................................ 11-31 show cos reference ........................................................................................................................ 11-32 clear cos reference ......................................................................................................................... 11-33 show cos unit.................................................................................................................................. 11-34 clear cos all-entries......................................................................................................................... 11-35 show cos port-type ......................................................................................................................... 11-35

    Chapter 12: Port Priority and Rate Limiting Configuration


    Port Priority Configuration Summary ............................................................................................................ 12-1 Configuring Port Priority ............................................................................................................................... 12-1 Purpose .................................................................................................................................................. 12-1 Commands ............................................................................................................................................. 12-2 show port priority .............................................................................................................................. 12-2 set port priority.................................................................................................................................. 12-2 clear port priority............................................................................................................................... 12-3 Configuring Priority to Transmit Queue Mapping ......................................................................................... 12-4 Purpose .................................................................................................................................................. 12-4 Commands ............................................................................................................................................. 12-4 show port priority-queue ................................................................................................................... 12-4 set port priority-queue....................................................................................................................... 12-5 clear port priority-queue.................................................................................................................... 12-6 Configuring Quality of Service (QoS) ........................................................................................................... 12-6 Purpose .................................................................................................................................................. 12-6 Commands ............................................................................................................................................. 12-6 show port txq .................................................................................................................................... 12-6 set port txq........................................................................................................................................ 12-7 clear port txq..................................................................................................................................... 12-8 Configuring Port Traffic Rate Limiting ......................................................................................................... 12-10 Purpose ................................................................................................................................................ 12-10 Commands ........................................................................................................................................... 12-10 show port ratelimit .......................................................................................................................... 12-10 set port ratelimit .............................................................................................................................. 12-12 clear port ratelimit ........................................................................................................................... 12-13

    xv

    Chapter 13: IGMP Configuration


    IGMP Overview ............................................................................................................................................ 13-1 About IP Multicast Group Management ................................................................................................. 13-1 About Multicasting .................................................................................................................................. 13-2 Configuring IGMP at Layer 2 ........................................................................................................................ 13-2 Purpose .................................................................................................................................................. 13-2 Commands ............................................................................................................................................. 13-2 show igmpsnooping .......................................................................................................................... 13-2 set igmpsnooping adminmode.......................................................................................................... 13-3 set igmpsnooping interfacemode...................................................................................................... 13-4 set igmpsnooping groupmembershipinterval .................................................................................... 13-4 set igmpsnooping maxresponse ....................................................................................................... 13-5 set igmpsnooping mcrtrexpiretime.................................................................................................... 13-6 set igmpsnooping add-static ............................................................................................................. 13-6 set igmpsnooping remove-static ....................................................................................................... 13-7 show igmpsnooping static ................................................................................................................ 13-8 show igmpsnooping mfdb ................................................................................................................. 13-8 clear igmpsnooping .......................................................................................................................... 13-9 Configuring IGMP on Routing Interfaces .................................................................................................... 13-10 Purpose ................................................................................................................................................ 13-10 Commands ........................................................................................................................................... 13-10 ip igmp ............................................................................................................................................ 13-10 ip igmp enable ................................................................................................................................ 13-11 ip igmp version ............................................................................................................................... 13-11 show ip igmp interface .................................................................................................................... 13-12 show ip igmp groups....................................................................................................................... 13-13 ip igmp query-interval ..................................................................................................................... 13-13 ip igmp query-max-response-time .................................................................................................. 13-14 ip igmp startup-query-interval ......................................................................................................... 13-14 ip igmp startup-query-count ............................................................................................................13-15 ip igmp last-member-query-interval ................................................................................................ 13-15 ip igmp last-member-query-count ................................................................................................... 13-16 ip igmp robustness ......................................................................................................................... 13-16

    Chapter 14: Logging and Network Management


    Configuring System Logging ........................................................................................................................ 14-1 Purpose .................................................................................................................................................. 14-1 Commands ............................................................................................................................................. 14-1 show logging server.......................................................................................................................... 14-2 set logging server ............................................................................................................................. 14-3 clear logging server .......................................................................................................................... 14-4 show logging default......................................................................................................................... 14-4 set logging default ............................................................................................................................ 14-5 clear logging default ......................................................................................................................... 14-6 show logging application .................................................................................................................. 14-6 set logging application ...................................................................................................................... 14-7 clear logging application ................................................................................................................... 14-8 show logging local ............................................................................................................................ 14-9 set logging local................................................................................................................................ 14-9 clear logging local........................................................................................................................... 14-10 show logging buffer ........................................................................................................................ 14-10 Monitoring Network Events and Status ...................................................................................................... 14-12 Purpose ................................................................................................................................................ 14-12 Commands ........................................................................................................................................... 14-12 history ............................................................................................................................................. 14-12

    xvi

    show history.................................................................................................................................... 14-13 set history ....................................................................................................................................... 14-13 ping................................................................................................................................................. 14-14 show users ..................................................................................................................................... 14-14 disconnect ...................................................................................................................................... 14-15 show netstat ................................................................................................................................... 14-15 Managing Switch Network Addresses and Routes ..................................................................................... 14-17 Purpose ................................................................................................................................................ 14-17 Commands ........................................................................................................................................... 14-17 show arp ......................................................................................................................................... 14-17 set arp............................................................................................................................................. 14-18 clear arp.......................................................................................................................................... 14-19 traceroute ....................................................................................................................................... 14-19 show mac ....................................................................................................................................... 14-20 show mac agetime.......................................................................................................................... 14-21 set mac agetime ............................................................................................................................. 14-22 clear mac agetime .......................................................................................................................... 14-22 set mac algorithm ........................................................................................................................... 14-23 show mac algorithm........................................................................................................................ 14-23 clear mac algorithm ........................................................................................................................ 14-24 set mac multicast ............................................................................................................................ 14-24 clear mac address .......................................................................................................................... 14-25 show mac unreserved-flood ........................................................................................................... 14-26 set mac unreserved-flood ............................................................................................................... 14-26 Configuring Simple Network Time Protocol (SNTP) ................................................................................... 14-27 Purpose ................................................................................................................................................ 14-27 Commands ........................................................................................................................................... 14-27 show sntp ....................................................................................................................................... 14-27 set sntp client.................................................................................................................................. 14-29 clear sntp client............................................................................................................................... 14-29 set sntp server ................................................................................................................................ 14-30 clear sntp server ............................................................................................................................. 14-30 set sntp poll-interval........................................................................................................................ 14-31 clear sntp poll-interval..................................................................................................................... 14-31 set sntp poll-retry ............................................................................................................................ 14-32 clear sntp poll-retry ......................................................................................................................... 14-32 set sntp poll-timeout ....................................................................................................................... 14-33 clear sntp poll-timeout .................................................................................................................... 14-33 set timezone ................................................................................................................................... 14-33 Configuring Node Aliases ........................................................................................................................... 14-35 Purpose ................................................................................................................................................ 14-35 Commands ........................................................................................................................................... 14-35 show nodealias config .................................................................................................................... 14-35 set nodealias .................................................................................................................................. 14-36 clear nodealias config ..................................................................................................................... 14-37

    Chapter 15: RMON Configuration


    RMON Monitoring Group Functions ............................................................................................................. 15-1 Design Considerations ................................................................................................................................. 15-2 Statistics Group Commands ......................................................................................................................... 15-3 Purpose .................................................................................................................................................. 15-3 Commands ............................................................................................................................................. 15-3 show rmon stats ............................................................................................................................... 15-4 set rmon stats ................................................................................................................................... 15-4 clear rmon stats ................................................................................................................................ 15-5

    xvii

    History Group Commands ............................................................................................................................ 15-6 Purpose .................................................................................................................................................. 15-6 Commands ............................................................................................................................................. 15-6 show rmon history ............................................................................................................................ 15-6 set rmon history ................................................................................................................................ 15-7 clear rmon history ............................................................................................................................. 15-7 Alarm Group Commands .............................................................................................................................. 15-9 Purpose .................................................................................................................................................. 15-9 Commands ............................................................................................................................................. 15-9 show rmon alarm .............................................................................................................................. 15-9 set rmon alarm properties............................................................................................................... 15-10 set rmon alarm status ..................................................................................................................... 15-11 clear rmon alarm............................................................................................................................. 15-12 Event Group Commands ............................................................................................................................ 15-13 Purpose ................................................................................................................................................ 15-13 Commands ........................................................................................................................................... 15-13 show rmon event ............................................................................................................................ 15-13 set rmon event properties ............................................................................................................... 15-14 set rmon event status ..................................................................................................................... 15-15 clear rmon event............................................................................................................................. 15-15 Filter Group Commands ............................................................................................................................. 15-17 Commands ........................................................................................................................................... 15-17 show rmon channel ........................................................................................................................ 15-17 set rmon channel ............................................................................................................................ 15-18 clear rmon channel ......................................................................................................................... 15-19 show rmon filter .............................................................................................................................. 15-19 set rmon filter .................................................................................................................................. 15-20 clear rmon filter ............................................................................................................................... 15-21 Packet Capture Commands ....................................................................................................................... 15-22 Purpose ................................................................................................................................................ 15-22 Commands ........................................................................................................................................... 15-22 show rmon capture ......................................................................................................................... 15-22 set rmon capture............................................................................................................................. 15-23 clear rmon capture.......................................................................................................................... 15-24

    Chapter 16: DHCP Server Configuration


    DHCP Overview ........................................................................................................................................... 16-1 DHCP Relay Agent ................................................................................................................................ 16-1 DHCP Server ......................................................................................................................................... 16-1 Configuring a DHCP Server ................................................................................................................... 16-2 Configuring General DHCP Server Parameters ........................................................................................... 16-3 Purpose .................................................................................................................................................. 16-3 Commands ............................................................................................................................................. 16-3 set dhcp ............................................................................................................................................ 16-4 set dhcp bootp .................................................................................................................................. 16-4 set dhcp conflict logging ................................................................................................................... 16-5 show dhcp conflict ............................................................................................................................ 16-5 clear dhcp conflict............................................................................................................................. 16-6 set dhcp exclude............................................................................................................................... 16-7 clear dhcp exclude............................................................................................................................ 16-7 set dhcp ping .................................................................................................................................... 16-8 clear dhcp ping ................................................................................................................................. 16-8 show dhcp binding............................................................................................................................ 16-9 clear dhcp binding ............................................................................................................................ 16-9 show dhcp server statistics............................................................................................................. 16-10

    xviii

    clear dhcp server statistics ............................................................................................................. 16-10 Configuring IP Address Pools ..................................................................................................................... 16-12 Manual Pool Configuration Considerations .......................................................................................... 16-12 Purpose ................................................................................................................................................ 16-12 Commands ........................................................................................................................................... 16-12 set dhcp pool .................................................................................................................................. 16-13 clear dhcp pool ............................................................................................................................... 16-14 set dhcp pool network..................................................................................................................... 16-14 clear dhcp pool network.................................................................................................................. 16-15 set dhcp pool hardware-address .................................................................................................... 16-15 clear dhcp pool hardware-address ................................................................................................. 16-16 set dhcp pool host .......................................................................................................................... 16-16 clear dhcp pool host ....................................................................................................................... 16-17 set dhcp pool client-identifier .......................................................................................................... 16-17 clear dhcp pool client-identifier ....................................................................................................... 16-18 set dhcp pool client-name............................................................................................................... 16-19 clear dhcp pool client-name............................................................................................................16-19 set dhcp pool bootfile...................................................................................................................... 16-20 clear dhcp pool bootfile................................................................................................................... 16-20 set dhcp pool next-server ............................................................................................................... 16-21 clear dhcp pool next-server ............................................................................................................16-21 set dhcp pool lease......................................................................................................................... 16-22 clear dhcp pool lease...................................................................................................................... 16-22 set dhcp pool default-router ............................................................................................................16-23 clear dhcp pool default-router......................................................................................................... 16-23 set dhcp pool dns-server ................................................................................................................ 16-24 clear dhcp pool dns-server ............................................................................................................. 16-24 set dhcp pool domain-name ........................................................................................................... 16-25 clear dhcp pool domain-name ........................................................................................................ 16-25 set dhcp pool netbios-name-server ................................................................................................ 16-26 clear dhcp pool netbios-name-server ............................................................................................. 16-26 set dhcp pool netbios-node-type .................................................................................................... 16-27 clear dhcp pool netbios-node-type ................................................................................................. 16-27 set dhcp pool option ....................................................................................................................... 16-28 clear dhcp pool option .................................................................................................................... 16-29 show dhcp pool configuration ......................................................................................................... 16-29

    Chapter 17: DHCP Snooping and Dynamic ARP Inspection


    DHCP Snooping Overview ........................................................................................................................... 17-1 DHCP Message Processing ................................................................................................................... 17-1 Building and Maintaining the Database .................................................................................................. 17-2 Rate Limiting .......................................................................................................................................... 17-3 Basic Configuration ................................................................................................................................ 17-3 DHCP Snooping Commands ........................................................................................................................ 17-4 set dhcpsnooping ............................................................................................................................. 17-4 set dhcpsnooping vlan...................................................................................................................... 17-5 set dhcpsnooping database write-delay ........................................................................................... 17-5 set dhcpsnooping trust ..................................................................................................................... 17-6 set dhcpsnooping binding ................................................................................................................. 17-7 set dhcpsnooping verify .................................................................................................................... 17-7 set dhcpsnooping log-invalid ............................................................................................................ 17-8 set dhcpsnooping limit ...................................................................................................................... 17-9 show dhcpsnooping ........................................................................................................................ 17-10 show dhcpsnooping database ........................................................................................................ 17-11 show dhcpsnooping port................................................................................................................. 17-11

    xix

    show dhcpsnooping binding ........................................................................................................... 17-12 show dhcpsnooping statistics ......................................................................................................... 17-13 clear dhcpsnooping binding ............................................................................................................17-14 clear dhcpsnooping statistics.......................................................................................................... 17-14 clear dhcpsnooping database......................................................................................................... 17-14 clear dhcpsnooping limit ................................................................................................................. 17-15 Dynamic ARP Inspection Overview ............................................................................................................ 17-16 Functional Description .......................................................................................................................... 17-16 Basic Configuration .............................................................................................................................. 17-18 Example Configuration ......................................................................................................................... 17-18 Dynamic ARP Inspection Commands ........................................................................................................ 17-20 set arpinspection vlan ..................................................................................................................... 17-20 set arpinspection trust .................................................................................................................... 17-21 set arpinspection validate ............................................................................................................... 17-22 set arpinspection limit ..................................................................................................................... 17-22 set arpinspection filter..................................................................................................................... 17-23 show arpinspection access-list ....................................................................................................... 17-24 show arpinspection ports................................................................................................................ 17-25 show arpinspection vlan ................................................................................................................. 17-25 show arpinspection statistics .......................................................................................................... 17-26 clear arpinspection validate ............................................................................................................17-27 clear arpinspection vlan .................................................................................................................. 17-27 clear arpinspection filter.................................................................................................................. 17-29 clear arpinspection limit .................................................................................................................. 17-30 clear arpinspection statistics........................................................................................................... 17-30

    Chapter 18: Preparing for Router Mode


    Pre-Routing Configuration Tasks ................................................................................................................. 18-1 Example ................................................................................................................................................. 18-2 Enabling Router Configuration Modes .......................................................................................................... 18-2

    Chapter 19: IP Configuration


    Configuring Routing Interface Settings ......................................................................................................... 19-1 Purpose .................................................................................................................................................. 19-1 Commands ............................................................................................................................................. 19-1 show interface .................................................................................................................................. 19-2 interface............................................................................................................................................ 19-2 show ip interface............................................................................................................................... 19-4 ip address ......................................................................................................................................... 19-5 show running-config ......................................................................................................................... 19-6 no shutdown ..................................................................................................................................... 19-6 no ip routing...................................................................................................................................... 19-7 Reviewing and Configuring the ARP Table .................................................................................................. 19-8 Purpose .................................................................................................................................................. 19-8 Commands ............................................................................................................................................. 19-8 show ip arp ....................................................................................................................................... 19-8 arp .................................................................................................................................................... 19-9 ip proxy-arp..................................................................................................................................... 19-10 arp timeout...................................................................................................................................... 19-11 clear arp-cache ............................................................................................................................... 19-11 Configuring Broadcast Settings .................................................................................................................. 19-12 Purpose ................................................................................................................................................ 19-12 Commands ........................................................................................................................................... 19-12 ip directed-broadcast ...................................................................................................................... 19-12 ip forward-protocol.......................................................................................................................... 19-13

    xx

    ip helper-address ............................................................................................................................ 19-14 Reviewing IP Traffic and Configuring Routes ............................................................................................. 19-15 Purpose ................................................................................................................................................ 19-15 Commands ........................................................................................................................................... 19-15 show ip route .................................................................................................................................. 19-15 ip route............................................................................................................................................ 19-17 ping................................................................................................................................................. 19-17 traceroute ....................................................................................................................................... 19-18 Configuring ICMP Redirects ....................................................................................................................... 19-19 Purpose ................................................................................................................................................ 19-19 Commands ........................................................................................................................................... 19-19 ip icmp redirect enable ................................................................................................................... 19-19 show ip icmp redirect...................................................................................................................... 19-20

    Chapter 20: IPv4 Routing Protocol Configuration


    Activating Advanced Routing Features ........................................................................................................ 20-1 Configuring RIP ............................................................................................................................................ 20-1 Purpose .................................................................................................................................................. 20-1 RIP Configuration Task List and Commands ......................................................................................... 20-2 router rip ........................................................................................................................................... 20-2 ip rip enable ...................................................................................................................................... 20-3 distance ............................................................................................................................................ 20-3 ip rip send version ............................................................................................................................ 20-4 ip rip receive version......................................................................................................................... 20-5 ip rip authentication-key.................................................................................................................... 20-5 ip rip message-digest-key................................................................................................................. 20-6 no auto-summary.............................................................................................................................. 20-6 split-horizon poison........................................................................................................................... 20-7 passive-interface .............................................................................................................................. 20-8 receive-interface ............................................................................................................................... 20-8 redistribute........................................................................................................................................ 20-9 Configuring OSPF ...................................................................................................................................... 20-11 Purpose ................................................................................................................................................ 20-11 OSPF Configuration Task List and Commands ................................................................................... 20-11 router id .......................................................................................................................................... 20-12 router ospf ...................................................................................................................................... 20-13 1583compatibility ............................................................................................................................ 20-13 ip ospf enable ................................................................................................................................. 20-14 ip ospf areaid .................................................................................................................................. 20-14 ip ospf cost ..................................................................................................................................... 20-15 ip ospf priority ................................................................................................................................. 20-15 timers spf ........................................................................................................................................ 20-16 ip ospf retransmit-interval ............................................................................................................... 20-17 ip ospf transmit-delay ..................................................................................................................... 20-17 ip ospf hello-interval........................................................................................................................ 20-18 ip ospf dead-interval ....................................................................................................................... 20-18 ip ospf authentication-key ............................................................................................................... 20-19 ip ospf message digest key md5 .................................................................................................... 20-20 distance ospf .................................................................................................................................. 20-20 area range ...................................................................................................................................... 20-21 area stub......................................................................................................................................... 20-22 area default cost ............................................................................................................................. 20-23 area nssa........................................................................................................................................ 20-23 area virtual-link ............................................................................................................................... 20-24 redistribute...................................................................................................................................... 20-25

    xxi

    show ip ospf.................................................................................................................................... 20-26 show ip ospf database.................................................................................................................... 20-27 show ip ospf interface ..................................................................................................................... 20-28 show ip ospf neighbor..................................................................................................................... 20-30 show ip ospf virtual-links................................................................................................................. 20-31 clear ip ospf process....................................................................................................................... 20-31 Configuring DVMRP ................................................................................................................................... 20-33 Purpose ................................................................................................................................................ 20-33 Commands ........................................................................................................................................... 20-33 Enabling DVMRP on an Interface ........................................................................................................ 20-33 ip dvmrp.......................................................................................................................................... 20-34 ip dvmrp enable .............................................................................................................................. 20-34 ip dvmrp metric ............................................................................................................................... 20-35 show ip dvmrp ................................................................................................................................ 20-35 Configuring IRDP ........................................................................................................................................ 20-37 Purpose ................................................................................................................................................ 20-37 Commands ........................................................................................................................................... 20-37 ip irdp enable .................................................................................................................................. 20-37 ip irdp maxadvertinterval ................................................................................................................ 20-38 ip irdp minadvertinterval ................................................................................................................. 20-38 ip irdp holdtime ............................................................................................................................... 20-39 ip irdp preference............................................................................................................................ 20-39 ip irdp broadcast ............................................................................................................................. 20-40 show ip irdp .................................................................................................................................... 20-40 Configuring VRRP ...................................................................................................................................... 20-42 Purpose ................................................................................................................................................ 20-42 Commands ........................................................................................................................................... 20-42 router vrrp ....................................................................................................................................... 20-42 create.............................................................................................................................................. 20-43 address........................................................................................................................................... 20-44 priority............................................................................................................................................. 20-45 advertise-interval ............................................................................................................................ 20-45 preempt .......................................................................................................................................... 20-46 enable............................................................................................................................................. 20-47 ip vrrp authentication-key ............................................................................................................... 20-48 show ip vrrp .................................................................................................................................... 20-48 Configuring PIM-SM ................................................................................................................................... 20-49 Design Considerations ......................................................................................................................... 20-49 Purpose ................................................................................................................................................ 20-49 Commands ........................................................................................................................................... 20-49 ip pimsm ......................................................................................................................................... 20-50 ip pimsm staticrp............................................................................................................................. 20-50 ip pimsm enable ............................................................................................................................. 20-51 ip pimsm query-interval .................................................................................................................. 20-52 show ip pimsm................................................................................................................................ 20-52 show ip pimsm componenttable ..................................................................................................... 20-53 show ip pimsm interface ................................................................................................................. 20-54 show ip pimsm neighbor ................................................................................................................. 20-55 show ip pimsm rp............................................................................................................................ 20-56 show ip pimsm rphash .................................................................................................................... 20-57 show ip pimsm staticrp ................................................................................................................... 20-58 show ip mroute ............................................................................................................................... 20-59

    xxii

    Chapter 21: IPv6 Management


    Purpose .................................................................................................................................................. 21-1 Commands ............................................................................................................................................. 21-1 show ipv6 status ............................................................................................................................... 21-1 set ipv6 ............................................................................................................................................. 21-2 set ipv6 address ............................................................................................................................... 21-3 show ipv6 address............................................................................................................................ 21-4 clear ipv6 address ............................................................................................................................ 21-4 set ipv6 gateway............................................................................................................................... 21-5 clear ipv6 gateway............................................................................................................................ 21-6 show ipv6 neighbors......................................................................................................................... 21-6 show ipv6 netstat.............................................................................................................................. 21-7 ping ipv6 ........................................................................................................................................... 21-8 traceroute ipv6.................................................................................................................................. 21-9

    Chapter 22: IPv6 Proxy Routing


    Overview ....................................................................................................................................................... 22-1 Limitations .............................................................................................................................................. 22-2 Preparing a Mixed Stack for IPv6 Proxy Routing ......................................................................................... 22-2 Commands ................................................................................................................................................... 22-3 ipv6 proxy-routing ............................................................................................................................. 22-3 show ipv6 proxy-routing.................................................................................................................... 22-3

    Chapter 23: Authentication and Authorization Configuration


    Overview of Authentication and Authorization Methods ............................................................................... 23-1 RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment ...................................................... 23-2 Configuring RADIUS ..................................................................................................................................... 23-3 Purpose .................................................................................................................................................. 23-3 Commands ............................................................................................................................................. 23-4 show radius ...................................................................................................................................... 23-4 set radius .......................................................................................................................................... 23-5 clear radius ....................................................................................................................................... 23-7 show radius accounting .................................................................................................................... 23-7 set radius accounting........................................................................................................................ 23-8 clear radius accounting..................................................................................................................... 23-9 Configuring 802.1X Authentication ............................................................................................................. 23-11 Purpose ................................................................................................................................................ 23-11 Commands ........................................................................................................................................... 23-11 show dot1x ..................................................................................................................................... 23-11 show dot1x auth-config................................................................................................................... 23-13 set dot1x ......................................................................................................................................... 23-14 set dot1x auth-config ...................................................................................................................... 23-15 clear dot1x auth-config ................................................................................................................... 23-16 show eapol ..................................................................................................................................... 23-17 set eapol ......................................................................................................................................... 23-19 clear eapol ...................................................................................................................................... 23-19 Configuring MAC Authentication ................................................................................................................ 23-21 Purpose ................................................................................................................................................ 23-21 Commands ........................................................................................................................................... 23-21 show macauthentication ................................................................................................................. 23-21 show macauthentication session .................................................................................................... 23-23 set macauthentication..................................................................................................................... 23-24 set macauthentication password .................................................................................................... 23-24 clear macauthentication password ................................................................................................. 23-25 set macauthentication port ............................................................................................................. 23-25
    xxiii

    set macauthentication portinitialize................................................................................................. 23-26 set macauthentication portquietperiod............................................................................................ 23-26 clear macauthentication portquietperiod......................................................................................... 23-27 set macauthentication macinitialize ................................................................................................ 23-27 set macauthentication reauthentication .......................................................................................... 23-28 set macauthentication portreauthenticate.......................................................................................23-28 set macauthentication macreauthenticate ...................................................................................... 23-29 set macauthentication reauthperiod ...............................................................................................23-29 clear macauthentication reauthperiod ............................................................................................ 23-30 set macauthentication significant-bits ............................................................................................. 23-31 clear macauthentication significant-bits .......................................................................................... 23-31 Configuring Multiple Authentication Methods ............................................................................................. 23-33 About Multiple Authentication Types .................................................................................................... 23-33 Configuring Multi-User Authentication (User + IP phone) .................................................................... 23-33 Commands ........................................................................................................................................... 23-33 show multiauth................................................................................................................................ 23-34 set multiauth mode ......................................................................................................................... 23-35 clear multiauth mode ...................................................................................................................... 23-35 set multiauth precedence ............................................................................................................... 23-36 clear multiauth precedence ............................................................................................................23-36 show multiauth port ........................................................................................................................ 23-37 set multiauth port ............................................................................................................................ 23-37 clear multiauth port ......................................................................................................................... 23-38 show multiauth station .................................................................................................................... 23-39 show multiauth session .................................................................................................................. 23-39 show multiauth idle-timeout ............................................................................................................23-40 set multiauth idle-timeout................................................................................................................ 23-41 clear multiauth idle-timeout............................................................................................................. 23-42 show multiauth session-timeout ..................................................................................................... 23-42 set multiauth session-timeout ......................................................................................................... 23-43 clear multiauth session-timeout ...................................................................................................... 23-44 Configuring VLAN Authorization (RFC 3580) ............................................................................................. 23-45 Purpose ................................................................................................................................................ 23-45 Commands ........................................................................................................................................... 23-45 show policy maptable response ..................................................................................................... 23-45 set policy maptable response ......................................................................................................... 23-46 set vlanauthorization....................................................................................................................... 23-47 set vlanauthorization egress ........................................................................................................... 23-48 clear vlanauthorization.................................................................................................................... 23-48 show vlanauthorization ................................................................................................................... 23-49 Configuring MAC Locking ........................................................................................................................... 23-50 Purpose ................................................................................................................................................ 23-50 Commands ........................................................................................................................................... 23-50 show maclock ................................................................................................................................. 23-51 show maclock stations.................................................................................................................... 23-52 set maclock enable......................................................................................................................... 23-53 set maclock disable ........................................................................................................................ 23-54 set maclock..................................................................................................................................... 23-54 clear maclock.................................................................................................................................. 23-55 set maclock static ........................................................................................................................... 23-56 clear maclock static ........................................................................................................................ 23-56 set maclock firstarrival .................................................................................................................... 23-57 clear maclock firstarrival ................................................................................................................. 23-58 set maclock agefirstarrival .............................................................................................................. 23-58 clear maclock agefirstarrival ........................................................................................................... 23-59 set maclock move ........................................................................................................................... 23-59
    xxiv

    set maclock trap ............................................................................................................................. 23-60 Configuring Port Web Authentication (PWA) .............................................................................................. 23-61 About PWA ........................................................................................................................................... 23-61 Purpose ................................................................................................................................................ 23-61 Commands ........................................................................................................................................... 23-61 show pwa........................................................................................................................................ 23-62 set pwa ........................................................................................................................................... 23-63 show pwa banner ........................................................................................................................... 23-64 set pwa banner ............................................................................................................................... 23-64 clear pwa banner ............................................................................................................................ 23-65 set pwa displaylogo ........................................................................................................................ 23-65 set pwa ipaddress........................................................................................................................... 23-66 set pwa protocol ............................................................................................................................. 23-66 set pwa guestname ........................................................................................................................ 23-67 clear pwa guestname ..................................................................................................................... 23-67 set pwa guestpassword .................................................................................................................. 23-68 set pwa gueststatus........................................................................................................................ 23-68 set pwa initialize ............................................................................................................................. 23-69 set pwa quietperiod ........................................................................................................................ 23-69 set pwa maxrequest ....................................................................................................................... 23-70 set pwa portcontrol ......................................................................................................................... 23-70 show pwa session .......................................................................................................................... 23-71 set pwa enhancedmode ................................................................................................................. 23-72 Configuring Secure Shell (SSH) ................................................................................................................. 23-73 Purpose ................................................................................................................................................ 23-73 Commands ........................................................................................................................................... 23-73 show ssh status .............................................................................................................................. 23-73 set ssh ............................................................................................................................................ 23-73 set ssh hostkey............................................................................................................................... 23-74 Configuring Access Lists ............................................................................................................................ 23-75 Purpose ................................................................................................................................................ 23-75 Commands ........................................................................................................................................... 23-75 show access-lists............................................................................................................................ 23-75 access-list (standard) ..................................................................................................................... 23-76 access-list (extended)..................................................................................................................... 23-77 ip access-group .............................................................................................................................. 23-79

    Index Figures
    1-1 1-2 1-3 1-4 1-5 1-6 10-1 SecureStack C2 Startup Screen......................................................................................................... 1-6 Sample CLI Defaults Description........................................................................................................ 1-8 Performing a Keyword Lookup ........................................................................................................... 1-8 Performing a Partial Keyword Lookup ................................................................................................ 1-9 Scrolling Screen Output...................................................................................................................... 1-9 Abbreviating a Command ................................................................................................................. 1-10 Example of VLAN Propagation via GVRP ...................................................................................... 10-21

    Tables
    1-1 1-2 1-3 3-1 3-2 3-3 Default Settings for Basic Switch Operation ....................................................................................... 1-2 Default Settings for Router Operation ................................................................................................ 1-4 Basic Line Editing Commands.......................................................................................................... 1-10 Required CLI Setup Commands......................................................................................................... 3-1 Optional CLI Setup Commands.......................................................................................................... 3-2 show system lockout Output Details................................................................................................... 3-8
    xxv

    3-4 3-5 5-1 6-1 6-2 6-3 6-4 6-5 7-1 7-2 7-3 7-4 7-5 7-6 8-1 8-2 8-3 8-4 8-5 8-6 8-7 8-8 8-9 8-10 8-11 9-1 10-1 10-2 10-3 11-1 11-2 11-3 12-1 14-1 14-2 14-3 14-4 14-5 14-6 14-7 14-8 15-1 15-2 15-3 18-1 18-2 19-1 19-2 20-1 20-2 20-3 20-4 20-5 20-6 20-7 20-8
    xxvi

    show system Output Details ............................................................................................................. 3-14 show version Output Details ............................................................................................................. 3-25 show inlinepower Output Details ........................................................................................................ 5-2 show cdp Output Details..................................................................................................................... 6-2 show ciscodp Output Details .............................................................................................................. 6-8 show ciscodp port info Output Details ................................................................................................ 6-9 show lldp port local-info Output Details ............................................................................................ 6-19 show lldp port remote-info Output Display........................................................................................ 6-21 show port status Output Details.......................................................................................................... 7-5 show port counters Output Details ..................................................................................................... 7-6 show linkflap parameters Output Details .......................................................................................... 7-24 show linkflap metrics Output Details................................................................................................. 7-24 LACP Terms and Definitions ............................................................................................................ 7-39 show lacp Output Details.................................................................................................................. 7-42 SNMP Security Levels........................................................................................................................ 8-2 show snmp engineid Output Details ................................................................................................... 8-4 show snmp counters Output Details ................................................................................................... 8-6 show snmp user Output Details.......................................................................................................... 8-9 show snmp group Output Details ..................................................................................................... 8-12 show snmp access Output Details ................................................................................................... 8-16 show snmp view Output Details ....................................................................................................... 8-20 show snmp targetparams Output Details ......................................................................................... 8-23 show snmp targetaddr Output Details .............................................................................................. 8-26 show snmp notify Output Details ...................................................................................................... 8-31 Basic SNMP Trap Configuration....................................................................................................... 8-37 show spantree Output Details ............................................................................................................ 9-6 Command Set for Creating a Secure Management VLAN ............................................................... 10-2 show vlan Output Details.................................................................................................................. 10-4 show gvrp configuration Output Details .......................................................................................... 10-23 show policy profile Output Details .................................................................................................... 11-3 show policy rule Output Details ........................................................................................................ 11-8 Valid Values for Policy Classification Rules ................................................................................... 11-12 show port ratelimit Output Details................................................................................................... 12-11 show logging server Output Details.................................................................................................. 14-2 show logging application Output Details........................................................................................... 14-7 Mnemonic Values for Logging Applications...................................................................................... 14-8 show netstat Output Details............................................................................................................ 14-16 show arp Output Details ................................................................................................................. 14-18 show mac Output Details................................................................................................................ 14-21 show sntp Output Details................................................................................................................ 14-28 show nodealias config Output Details ............................................................................................ 14-36 RMON Monitoring Group Functions and Commands ....................................................................... 15-1 show rmon alarm Output Details .................................................................................................... 15-10 show rmon event Output Details .................................................................................................... 15-14 Enabling the Switch for Routing ....................................................................................................... 18-2 Router CLI Configuration Modes ...................................................................................................... 18-2 show ip interface Output Details ....................................................................................................... 19-4 show ip arp Output Details ............................................................................................................... 19-9 RIP Configuration Task List and Commands ................................................................................... 20-2 OSPF Configuration Task List and Commands.............................................................................. 20-11 show ip ospf database Output Details ............................................................................................ 20-28 show ip ospf interface Output Details ............................................................................................. 20-29 show ip ospf neighbor Output Details............................................................................................. 20-30 show ip ospf virtual links Output Details ......................................................................................... 20-31 show ip pimsm Output Details ........................................................................................................ 20-53 show ip pimsm componenettable Output Details ........................................................................... 20-54

    20-9 20-10 20-11 20-12 20-13 23-1 23-2 23-3 23-4 23-5 23-6 23-7 23-8

    show ip pimsm interface vlan Output Details.................................................................................. 20-55 show ip pimsm interface stats Output Details................................................................................. 20-55 show ip pimsm neighbor Output Details ......................................................................................... 20-56 show ip pimsm rp Output Details .................................................................................................... 20-57 show ip pimsm staticrp Output Details ........................................................................................... 20-59 show radius Output Details............................................................................................................... 23-5 show eapol Output Details.............................................................................................................. 23-18 show macauthentication Output Details ......................................................................................... 23-22 show macauthentication session Output Details ............................................................................ 23-23 show vlanauthorization Output Details ........................................................................................... 23-49 show maclock Output Details ......................................................................................................... 23-52 show maclock stations Output Details............................................................................................ 23-53 show pwa Output Details................................................................................................................ 23-62

    xxvii

    xxviii

    About This Guide


    WelcometotheEnterasysSecureStackC2ConfigurationGuide.Thismanualexplainshowto accessthedevicesCommandLineInterface(CLI)andhowtouseittoconfigureSecureStackC2 switchdevices.

    Important Notice
    Depending on the firmware version used in your SecureStack device, some features described in this document may not be supported. Refer to the Release Notes shipped with your device to determine which features are supported.

    Using This Guide


    AgeneralworkingknowledgeofbasicnetworkoperationsandanunderstandingofCLI managementapplicationsishelpfulbeforeconfiguringtheSecureStackdevice. Thismanualdescribeshowtodothefollowing: AccesstheSecureStackCLI. UseCLIcommandstoperformnetworkmanagementanddeviceconfigurationoperations EstablishandmanageVirtualLocalAreaNetworks(VLANs). Establishandmanagestaticanddynamicallyassignedpolicyclassifications. Establishandmanagepriorityclassification. ConfigureIProutingandroutingprotocols,includingRIPversions1and2,OSPF,DVMRP, IRDP,andVRRP. Configuresecurityprotocols,including802.1XandRADIUS,SSHv2,MAClocking,andMAC authentication. Configureaccesscontrollists(ACLs).

    Structure of This Guide


    Theguideisorganizedasfollows: Chapter 1,Introduction,providesanoverviewofthetasksthatcanbeaccomplishedusingthe CLIinterface,anoverviewoflocalmanagementrequirements,anoverviewofthedevicesfactory defaultsettings,andinformationaboutusingtheCommandLineInterface(CLI). Chapter 2,ConfiguringSwitchesinaStack,providesinformationabouthowtoconfigureand managestackedswitches. Chapter 3,BasicConfiguration,provideshowtosetbasicsystemproperties,howtodownloada firmwareimage,howtoconfigureWebViewandTelnet,howtomanageconfigurationfiles,how tosettheloginpassword,andhowtoexittheCLI. Chapter 4,ActivatingLicensedFeatures,describesthecommandsusedtoenablelicensed features.

    SecureStack C2 Configuration Guide

    xxix

    Structure of This Guide

    Chapter 5,ConfiguringSystemPowerandPoE,describesthecommandsusedtoreviewandset systempowerandPoEparametersondevicesthatofferPoweroverEthernet. Chapter 6,DiscoveryProtocolConfigurationprovideshowtoconfigurediscoveryprotocols supportedbythedevice. Chapter 7,PortConfiguration,describeshowtoreviewandconfigureconsoleportsettings,and howtoenableordisableswitchportsandconfigureswitchportsettings,includingportspeed, duplexmode,autonegotiation,flowcontrol,portmirroring,linkaggegationandbroadcast suppression. Chapter 8,SNMPConfiguration,describeshowtoconfigureSNMPusersandusergroups,access rights,targetaddresses,andnotificationparameters. Chapter 9,SpanningTreeConfiguration,describeshowtoreviewandsetSpanningTreebridge parametersforthedevice,includingbridgepriority,hellotime,maximumagingtimeandforward delay;andhowtoreviewandsetSpanningTreeportparameters,includingportpriorityandpath costs.ConfiguringtheSpanGuardandLoopProtectfunctionsisalsodescribed. Chapter 10,802.1QVLANConfiguration,describeshowtocreatestaticVLANs,selectthemode ofoperationforeachport,establishVLANforwarding(egress)lists,routeframesaccordingto VLANID,displaythecurrentportsandporttypesassociatedwithaVLANandprotocol,createa securemanagementVLAN,andconfigureportsonthedeviceasGVRPawareports. Chapter 11,PolicyClassificationConfiguration,describeshowtocreate,changeorremoveuser rolesorprofilesbasedonbusinessspecificuseofnetworkservices;howtopermitordenyaccess tospecificservicesbycreatingandassigningclassificationruleswhichmapuserprofilestoframe filteringpolicies;howtoclassifyframestoaVLANorClassofService(CoS);andhowtoassignor unassignportstopolicyprofilessothatonlyportsactivatedforaprofilewillbeallowedto transmitframesaccordingly. Chapter 12,PortPriorityandRateLimitingConfiguration,describeshowtosetthetransmit priorityofeachportandconfigurearatelimitforagivenportandlistofpriorities. Chapter 13,IGMPConfiguration,describeshowtoconfigureInternetGroupManagement Protocol(IGMP)settingsformulticastfiltering. Chapter 14,LoggingandNetworkManagement,describeshowtoconfigureSyslog,howto managegeneralswitchsettings,howtomonitornetworkeventsandstatus,andhowtoconfigure SNTPandnodealiases. Chapter 15,RMONConfiguration,describeshowtouseRMON(RemoteNetworkMonitoring), whichprovidescomprehensivenetworkfaultdiagnosis,planning,andperformancetuning informationandallowsforinteroperabilitybetweenSNMPmanagementstationsandmonitoring agents. Chapter 16,DHCPServerConfiguration,describeshowtoreviewandconfigureDHCPserver parameters,howtoreviewandconfigureDHCPaddresspools,andhowtodisplayDHCPserver information. Chapter 17,DHCPSnoopingandDynamicARPInspection,describestwosecurityfeatures: DHCPsnooping,whichmonitorsDHCPmessagesbetweenaDHCPclientandDHCPserverto filterharmfulDHCPmessagesandtobuildadatabaseofauthorizedaddressbindings,and DynamicARPinspection,whichusesthebindingsdatabasecreatedbytheDHCPsnooping featuretorejectinvalidandmaliciousARPpackets. Chapter 18,PreparingforRouterMode,providesinformationaboutroutermodesandhowto activatealicense. Chapter 19,IPConfiguration,describeshowtoenableIProutingforroutermodeoperation,how toconfigureIPinterfacesettings,howtoreviewandconfiguretheroutingARPtable,howto reviewandconfigureroutingbroadcasts,howtoconfigurePIM,andhowtoconfigureIProutes.

    xxx

    About This Guide

    Related Documents

    Chapter 20,IPv4RoutingProtocolConfiguration,describeshowtoconfigureIProutingand routingprotocols,includingRIP,OSPF,DVMRP,IRDP,andVRRP. Chapter 21,IPv6Management,describesthecommandsusedtoconfigureIPv6attheswitch level. Chapter 22,IPv6ProxyRouting,describesthecommandsusedtoenableIPv6proxyroutingand thesuggestedproceduretoconfigureamixedC2andC3stacktouseIPv6proxyrouting. Chapter 23,AuthenticationandAuthorizationConfiguration,describeshowtoconfigure802.1X authenticationusingEAPOL,howtoconfigureRADIUSserver,SecureShellserver,MAC authentication,MAClocking,PortWebAuthentication,andIPaccesscontrollists(ACLs).

    Related Documents
    ThefollowingEnterasysNetworksdocumentsmayhelpyoutosetup,control,andmanagethe SecureStackdevice: EnterasysFirmwareFeatureGuides SecureStackC2InstallationGuide(s) SecureStackC2RedundantPowerSystemInstallationGuide

    Documentslistedabove,canbeobtainedfromtheWorldWideWebinAdobeAcrobatPortable DocumentFormat(PDF)atthefollowingwebsite: http://www.enterasys.com/support/manuals/

    Conventions Used in This Guide


    Thefollowingconventionsareusedinthetextofthisdocument:
    Convention Bold font italic font Courier font Courier font in italics [] {} | [x | y | z] {x | y | z} [x {y | z} ] Description Indicates mandatory keywords, parameters or keyboard keys. Indicates complete document titles. Used for examples of information displayed on the screen. Indicates a user-supplied value, either required or optional. Square brackets indicate an optional value. Braces indicate required values. One or more values may be required. A vertical bar indicates a choice in values. Square brackets with a vertical bar indicate a choice of a value. Braces with a vertical bar indicate a choice of a required value. A combination of square brackets with braces and vertical bars indicates a required choice of an optional value.

    Thefollowingiconsareusedinthisguide:

    Note: Calls the readers attention to any item of information that may be of special importance.

    SecureStack C2 Configuration Guide

    xxxi

    Getting Help

    Router: Calls the readers attention to router-specific commands and information.

    Caution: Contains information essential to avoid damage to the equipment. Precaucin: Contiene informacin esencial para prevenir daar el equipo. Achtung: Verweit auf wichtige Informationen zum Schutz gegen Beschdigungen.

    Getting Help
    Foradditionalsupportrelatedtothisswitchordocument,contactEnterasysNetworksusingone ofthefollowingmethods:
    World Wide Web Phone http://www.enterasys.com/services/support 1-800-872-8440 (toll-free in U.S. and Canada) or 1-978-684-1000 For the Enterasys Networks Support toll-free number in your country: http://www.enterasys.com/services/support Internet mail support@enterasys.com To expedite your message, type [C-Series] in the subject line. To send comments or suggestions concerning this document to the Technical Publications Department: techpubs@enterasys.com Make sure to include the document Part Number in the email message.

    BeforecallingEnterasysNetworks,havethefollowinginformationready: YourEnterasysNetworksservicecontractnumber Adescriptionofthefailure Adescriptionofanyaction(s)alreadytakentoresolvetheproblem(forexample,changing modeswitchesorrebootingtheunit) TheserialandrevisionnumbersofallinvolvedEnterasysNetworksproductsinthenetwork Adescriptionofyournetworkenvironment(forexample,layout,cabletype) Networkloadandframesizeatthetimeoftrouble(ifknown) Theswitchhistory(forexample,haveyoureturnedtheswitchbefore,isthisarecurring problem?) AnypreviousReturnMaterialAuthorization(RMA)numbers

    xxxii

    About This Guide

    1
    Introduction
    ThischapterprovidesanoverviewoftheSecureStackC2suniquefeaturesandfunctionality,an overviewofthetasksthatmaybeaccomplishedusingtheCLIinterface,anoverviewofwaysto managetheswitch,factorydefaultsettings,andinformationabouthowtousetheCommandLine Interfacetoconfiguretheswitch.
    For information about... SecureStack C2 CLI Overview Switch Management Methods Factory Default Settings Using the Command Line Interface Refer to page... 1-1 1-1 1-2 1-6

    SecureStack C2 CLI Overview


    TheEnterasysNetworksSecureStackC2CLIinterfaceallowsyoutoperformavarietyofnetwork managementtasks,includingthefollowing: UseCLIcommandstoperformnetworkmanagementandswitchconfigurationoperations. Downloadanewfirmwareimage. AssignIPaddressandsubnetmask. Selectadefaultgateway. EstablishandmanageVirtualLocalAreaNetworks(VLANs). Establishandmanagepolicyprofilesandclassifications. Establishandmanagepriorityclassification. ConfigureIPv4routingandroutingprotocols. ConfigureIPv6routingandroutingprotocols,includingOSPFv3. Configuresecurityprotocols,including802.1XandRADIUS,SSHv2,PWA,MAClocking,and MACauthentication. Configureaccesscontrollists(ACLs).

    Switch Management Methods


    TheSecureStackC2switchcanbemanagedusingthefollowingmethods: LocallyusingaVTtypeterminalconnectedtotheconsoleport. RemotelyusingaVTtypeterminalconnectedthroughamodem.
    SecureStack C2 Configuration Guide 1-1

    Factory Default Settings

    RemotelyusinganSNMPmanagementstation. InbandthroughaTelnetconnection. InbandusingtheEnterasysNetSightmanagementapplication. RemotelyusingWebView,EnterasysNetworksembeddedwebserverapplication.

    TheInstallationGuideforyourSecureStackC2deviceprovidessetupinstructionsforconnectinga terminalormodemtotheswitch.

    Factory Default Settings


    ThefollowingtableslistfactorydefaultsettingsavailableontheSecureStackC2switch. Table 1-1
    Feature Switch Mode Defaults CDP discovery protocol CDP authentication code CDP hold time CDP interval Cisco discovery protocol Cisco DP hold time Cisco DP interval timer Community name Console (serial) port required settings Auto enabled on all ports. Set to 00-00-00-00-00-00-00-00 Set to 180 seconds. Transmit frequency of CDP messages set to 60 seconds. Auto enabled on all ports. Set to 180 seconds. Set to 60 seconds. Public. Baud rate: 9600 Data bits: 8 Flow control: disabled Stop bits: 1 Parity: none DHCP server EAPOL EAPOL authentication mode GARP timer GVRP History buffer size IEEE 802.1 authentication IGMP snooping IP mask and gateway IP routes Jumbo frame support Disabled. Disabled. When enabled, set to auto for all ports. Join timer set to 20 centiseconds; leave timer set to 60 centiseconds; leaveall timer set to 1000 centiseconds. Globally enabled. 20 lines. Disabled. Disabled. When enabled, query interval is set to 260 seconds and response time is set to 10 seconds. Subnet mask set to 0.0.0.0; default gateway set to 0.0.0.0. No static routes configured. Enabled on all ports.

    Default Settings for Basic Switch Operation


    Default Setting

    1-2

    Introduction

    Factory Default Settings

    Table 1-1
    Feature

    Default Settings for Basic Switch Operation (Continued)


    Default Setting Enabled. Set to 32768 for all ports. Disabled. Set to 32768 for all ports. Set to DIP-SIP. Set to disable Read-Write and Read-Only users, and to lockout the default admin (Super User) account for 15 minutes, after 3 failed login attempts. Syslog port set to UDP port number 514. Logging severity level set to 6 (significant conditions) for all applications. Set to 300 seconds. Disabled (globally and on all ports). Set to an empty string for all default user accounts. User must press ENTER at the password prompt to access CLI. Disabled. No passwords are checked for duplication. Classification rules are automatically enabled when created. Enabled on all ports. Maximum ability advertised on all ports.

    Link aggregation control protocol (LACP) Link aggregation admin key Link aggregation flow regeneration Link aggregation system priority Link aggregation outport algorithm Lockout Logging MAC aging time MAC locking Passwords Password aging Password history Policy classification Port auto-negotiation Port advertised ability

    Port broadcast suppression Enabled and set to limit broadcast packets to 14,881 per second on all switch ports. Port duplex mode Port enable/disable Port priority Port speed Port trap Power over Ethernet port admin state Priority classification RADIUS client RADIUS last resort action RADIUS retries RADIUS timeout Rate limiting Set to half duplex, except for 100BASE-FX and 1000BASE-X, which is set to full duplex. Enabled. Set to 0. Set to 10 Mbps, except for 1000BASE-X, which is set to 1000 Mbps, and 100BASE-FX, which is set to 100 Mbps. All ports are enabled to send link traps. Administrative state is on (auto). Classification rules are automatically enabled when created. Disabled. When the client is enabled, set to Challenge. When the client is enabled, set to 3. When the client is enabled, set to 20 seconds. Disabled (globally and on all ports).

    SecureStack C2 Configuration Guide

    1-3

    Factory Default Settings

    Table 1-1
    Feature SNMP SNTP

    Default Settings for Basic Switch Operation (Continued)


    Default Setting Enabled. Disabled. Globally enabled and enabled on all ports. Edge port administrative status begins with the value set to false initially after the device is powered up. If a Spanning Tree BDPU is not received on the port within a few seconds, the status setting changes to true. Enabled. Set to 15 seconds. Set to 2 seconds. Set to 0. Set to 20 seconds. All ports with bridge priority are set to 128 (medium priority). Bridge priority is set to 32768. Enabled. Set to mstp (Multiple Spanning Tree Protocol). Disabled. Set to 9600 baud. Set to empty string. Set to empty string. Set to empty string. CLI display set to 80 columns and 24 rows. Set to 5 minutes. Login accounts set to ro for Read-Only access; rw for Read-Write access; and admin for Super User access. Disabled on all VLANs. All ports use a VLAN identifier of 1. Default host VLAN is 1.

    Spanning Tree Spanning Tree edge port administrative status Spanning Tree edge port delay Spanning Tree forward delay Spanning Tree hello interval Spanning Tree ID (SID) Spanning Tree maximum aging time Spanning Tree port priority Spanning Tree priority Spanning Tree topology change trap suppression Spanning Tree version SSH System baud rate System contact System location System name Terminal Timeout User names VLAN dynamic egress VLAN ID Host VLAN

    Notallofthefollowingroutingfeaturesareavailableonallplatforms.ChecktheReleaseNotesfor yourspecificplatformsfordetails. Table 1-2


    Output... Access groups (IP security) Access lists (IP security)

    Default Settings for Router Operation


    What it displays... None configured. None configured.

    1-4

    Introduction

    Factory Default Settings

    Table 1-2
    Output...

    Default Settings for Router Operation (Continued)


    What it displays... Disabled. Set to 1. None configured. None configured. No permanent entries configured. Set to 14,400 seconds. None configured. None configured. Set to 40 seconds. Triggered updates allowed. No filters applied. Disabled. Metric set to 1. Set to 10 seconds for broadcast and point-to-point networks. Set to 30 seconds for non-broadcast and point-to-multipoint networks. Enabled for echo-reply and mask-reply modes. Disabled. Enabled with no port specified. Disabled with no IP addresses specified. Disabled on all interfaces. When enabled, maximum advertisement interval is set to 600 seconds, minimum advertisement interval is set to 450 seconds, holdtime is set to 1800 seconds, and address preference is set to 0. Disabled with no password set. Set to 1500 bytes on all interfaces. Disabled. Set to 10 for all interfaces. None configured. Set to 1. None configured. Enabled on all interfaces. Enabled on all interfaces. Set to 1 second. Set to 5 seconds. Set to accept both version 1 and version 2. Set to version 1. No value applied. Enabled.

    Area authentication (OSPF) Area default cost (OSPF) Area NSSA (OSPF) Area range (OSPF) ARP table ARP timeout Authentication key (RIP and OSPF) Authentication mode (RIP and OSPF) Dead interval (OSPF) Disable triggered updates (RIP) Distribute list (RIP) DVMRP Hello interval (OSPF) ICMP IP-directed broadcasts IP forward-protocol IP interfaces IRDP

    MD5 authentication (OSPF) MTU size OSPF OSPF cost OSPF network OSPF priority Passive interfaces (RIP) Proxy ARP Receive interfaces (RIP) Retransmit delay (OSPF) Retransmit interval (OSPF) RIP receive version RIP send version RIP offset SNMP

    SecureStack C2 Configuration Guide

    1-5

    Using the Command Line Interface

    Table 1-2
    Output...

    Default Settings for Router Operation (Continued)


    What it displays... Enabled for RIP packets without poison reverse. None configured. Enabled. Set to port number 23. SPF delay set to 5 seconds. SPF holdtime set to 10 seconds. Set to 1 second. Disabled.

    Split horizon Stub area (OSPF) Telnet Telnet port (IP) Timers (OSPF) Transmit delay (OSPF) VRRP

    Using the Command Line Interface


    Starting a CLI Session
    Connecting Using the Console Port
    ConnectaterminaltothelocalconsoleportasdescribedinyourSecureStackC2InstallationGuide. Thestartupscreen,Figure 11,willdisplayontheterminal.YoucannowstarttheCommandLine Interface(CLI)by usingadefaultuseraccount,asdescribedinUsingaDefaultUserAccountonpage 17,or usinganadministrativelyassigneduseraccountasdescribedinUsinganAdministratively ConfiguredUserAccountonpage 17. SecureStack C2 Startup Screen

    Figure 1-1

    Username:admin Password: Enterasys SecureStack C2 Command Line Interface Enterasys Networks, Inc. 50 Minuteman Rd. Andover, MA 01810-1008 U.S.A. Phone: +1 978 684 1000 E-mail: support@enterasys.com WWW: http://www.enterasys.com (c) Copyright Enterasys Networks, Inc. 2008 Chassis Serial Number: Chassis Firmware Revision: 041800249041 5.02.xx.xxxx

    C2(su)->

    1-6

    Introduction

    Using the Command Line Interface

    Connecting Using Telnet


    OncetheSecureStackC2devicehasavalidIPaddress,youcanestablishaTelnetsessionfromany TCP/IPbasednodeonthenetwork.ForinformationaboutsettingtheswitchsIPaddress,referto setipaddressonpage 311. ToestablishaTelnetsession: 1. 2. TelnettotheswitchsIPaddress. Enterlogin(username)andpasswordinformationinoneofthefollowingways: Iftheswitchsdefaultloginandpasswordsettingshavenotbeenchanged,followthe stepslistedinUsingaDefaultUserAccountonpage 17,or Enteranadministrativelyconfiguredusernameandpassword.

    ThenoticeofauthorizationandthepromptdisplaysasshowninFigure 11. ForinformationaboutconfiguringTelnetsettings,refertoStartingandConfiguringTelneton page 335. RefertotheinstructionsincludedwiththeTelnetapplicationforinformationaboutestablishinga Telnetsession.

    Logging In
    Bydefault,theSecureStackC2switchisconfiguredwiththreeuserloginaccountsrofor ReadOnlyaccess,rwforReadWriteaccess,andadminforsuperuseraccesstoallmodifiable parameters.Thedefaultpasswordissettoablankstring.Forinformationonchangingthese defaultsettings,refertoSettingUserAccountsandPasswordsonpage 32.

    Using a Default User Account


    IfthisisthefirsttimeyouareloggingintotheSecureStackC2switch,orifthedefaultuser accountshavenotbeenadministrativelychanged,proceedasfollows: 1. Attheloginprompt,enteroneofthefollowingdefaultusernames: 2. 3. roforReadOnlyaccess. rwforReadWriteaccess. adminforSuperUseraccess.

    PressENTER.ThePasswordpromptdisplays. LeavethisstringblankandpressENTER.Theswitchinformationandpromptdisplaysas showninFigure 11.

    Using an Administratively Configured User Account


    Iftheswitchsdefaultuseraccountsettingshavebeenchanged,proceedasfollows: 1. 2. Attheloginprompt,enteryouradministrativelyassignedusernameandpressENTER. AtthePasswordprompt,enteryourpasswordandpressENTER.

    ThenoticeofauthorizationandthepromptdisplaysasshowninFigure 11.
    Note: Users with Read-Write (rw) and Read-Only access can use the set password command (page 3-5) to change their own passwords. Administrators with Super User (su) access can use the set system login command (page 3-4) to create and change user accounts, and the set password command to change any local account password.

    SecureStack C2 Configuration Guide

    1-7

    Using the Command Line Interface

    Navigating the Command Line Interface


    Getting Help with CLI Syntax
    TheSecureStackC2switchallowsyoutodisplayusageandsyntaxinformationforindividual commandsbytypinghelpor?afterthecommand.

    CLI Command Defaults Descriptions


    EachcommanddescriptioninthisguideincludesasectionentitledDefaultswhichcontains differentinformationfromthefactorydefaultsettingsontheswitchdescribedinTable 11.The sectiondefinesCLIbehavioriftheuserentersacommandwithouttypingoptionalparameters (indicatedbysquarebrackets[]).Forcommandswithoutoptionalparameters,thedefaults sectionlistsNone.Forcommandswithoptionalparameters,thissectiondescribeshowtheCLI respondsiftheuseroptstoenteronlythekeywordsofthecommandsyntax.Figure 12provides anexample. Figure 1-2 Sample CLI Defaults Description

    Syntax
    show port status [port-string]

    Defaults
    Ifportstringisnotspecified,statusinformationforallportswillbedisplayed.

    CLI Command Modes


    EachcommanddescriptioninthisguideincludesasectionentitledModewhichstateswhether thecommandisexecutableinAdmin(SuperUser),ReadWrite,orReadOnlymode.Userswith ReadOnlyaccesswillonlybepermittedtoviewReadOnly(show)commands.UserswithRead Writeaccesswillbeabletomodifyallmodifiableparametersinsetandshowcommands,aswell asviewReadOnlycommands.AdministratorsorSuperUserswillbeallowedallReadWriteand ReadOnlyprivileges,andwillbeabletomodifylocaluseraccounts.TheSecureStackC2switch indicateswhichmodeauserisloggedinasbydisplayingoneofthefollowingprompts: Admin:C2(su)> ReadWrite:C2(rw)> ReadOnly:C2(ro)>

    Performing Keyword Lookups


    Enteringaspaceandaquestionmark(?)afterakeywordwilldisplayallcommandsbeginning withthekeyword.Figure 13showshowtoperformakeywordlookupfortheshowsnmp command.Inthiscase,fouradditionalkeywordsareusedbytheshowsnmpcommand.Entering aspaceandaquestionmark(?)afteranyoftheseparameters(suchasshowsnmpcommunity) willdisplayadditionalparametersnestedwithinthesyntax. Figure 1-3 Performing a Keyword Lookup

    C2(su)->show snmp ? community notify targetaddr targetparams SNMP SNMP SNMP SNMP v1/v2c notify target target community name configuration configuration address configuration parameters configuration

    1-8

    Introduction

    Using the Command Line Interface

    Enteringaquestionmark(?)withoutaspaceafterapartialkeywordwilldisplayalistof commandsthatbeginwiththepartialkeyword.Figure 14showshowtousethisfunctionforall commandsbeginningwithco: Figure 1-4 Performing a Partial Keyword Lookup
    copy

    C2(rw)->co? configure C2(su)->co

    Note: At the end of the lookup display, the system will repeat the command you entered without the ?.

    Displaying Scrolling Screens


    IftheCLIscreenlengthhasbeensetusingthesetlengthcommandasdescribedonpage328,CLI outputrequiringmorethanonescreenwilldisplay--More-- toindicatecontinuingscreens.To displayadditionalscreenoutput: PressanykeyotherthanENTERtoadvancetheoutputonescreenatatime. PressENTERtoadvancetheoutputonelineatatime.

    TheexampleinFigure 15showshowtheshowmaccommandindicatesthatoutputcontinueson morethanonescreen. Figure 1-5 Scrolling Screen Output

    C2(su)->show mac MAC Address FID Port Type ---------------------------------------------------------00-00-1d-67-68-69 1 host Management 00-00-02-00-00-00 1 ge.1.2 Learned 00-00-02-00-00-01 1 ge.1.3 Learned 00-00-02-00-00-02 1 ge.1.4 Learned 00-00-02-00-00-03 1 ge.1.5 Learned 00-00-02-00-00-04 1 ge.1.6 Learned 00-00-02-00-00-05 1 ge.1.7 Learned 00-00-02-00-00-06 1 ge.1.8 Learned 00-00-02-00-00-07 1 ge.1.9 Learned 00-00-02-00-00-08 1 ge.1.10 Learned --More--

    Abbreviating and Completing Commands


    TheSecureStackC2switchallowsyoutoabbreviateCLIcommandsandkeywordsdowntothe numberofcharactersthatwillallowforauniqueabbreviation.Figure 16showshowto abbreviatetheshownetstatcommandtoshnet.

    SecureStack C2 Configuration Guide

    1-9

    Using the Command Line Interface

    Figure 1-6

    Abbreviating a Command

    C2(su)->sh net Active Internet connections (including servers) Proto Recv-Q Send-Q Local Address Foreign Address ----- ------ ------ --------------------- --------------------TCP 0 0 10.21.73.13.23 134.141.190.94.51246 TCP 0 275 10.21.73.13.23 134.141.192.119.4724 TCP 0 0 *.80 *.* TCP 0 0 *.23 *.* UDP 0 0 10.21.73.13.1030 134.141.89.113.514 UDP 0 0 *.161 *.* UDP 0 0 *.1025 *.* UDP 0 0 *.123 *.*

    State ------ESTABLISHED ESTABLISHED LISTEN LISTEN

    Basic Line Editing Commands


    TheCLIsupportsEMACslikelineeditingcommands.Table 13listssomecommonlyused commands. Table 1-3 Basic Line Editing Commands
    Command Move cursor to beginning of line. Move cursor back one character. Delete a character. Move cursor to end of line. Move cursor forward one character. Delete character to left of cursor. Complete word. Delete all characters after cursor. Scroll to next command in command history (use the CLI history command to display the history). Scroll to previous command in command history. Resume the CLI process. Pause the CLI process (for scrolling). Transpose characters. Delete all characters before cursor. Delete word to the left of cursor. Restore the most recently deleted item.

    Key Sequence Ctrl+A Ctrl+B Ctrl+D Ctrl+E Ctrl+F Ctrl+H Ctrl+I or TAB Ctrl+K Ctrl+N Ctrl+P Ctr1+Q Ctr1+S Ctrl+T Ctrl+U or Ctrl+X Ctrl+W Ctrl+Y

    1-10

    Introduction

    2
    Configuring Switches in a Stack
    ThischapterprovidesinformationaboutconfiguringSecureStackC2switchesinastack.
    For information about ... About SecureStack C2 Switch Operation in a Stack Installing a New Stackable System of Up to Eight Units Installing Previously-Configured Systems in a Stack Adding a New Unit to an Existing Stack Creating a Virtual Switch Configuration Considerations About Using Clear Config in a Stack Issues Related to Mixed Type Stacks Stacking Configuration and Management Commands Refer to page ... 2-1 2-2 2-3 2-3 2-3 2-5 2-5 2-6

    About SecureStack C2 Switch Operation in a Stack


    TheSecureStackC2productsarestackableswitchesthatcanbeadaptedandscaledtohelpmeet yournetworkneeds.Theseswitchesprovideamanagementplatformanduplinktoanetwork backboneforastackedgroupofuptoeightSecureStackC2switches.
    Note: You can mix SecureStack C2 and C3 switches in a single stack, although only the lowest common denominator of functionality will be supported in a mixed stack. Refer to Issues Related to Mixed Type Stacks on page 2-5 for information about configuring a mixed stack.

    Onceinstalledinastack,theswitchesbehaveandperformasasingleswitchproduct.Assuch, youcanstartwithasingleunitandaddmoreunitsasyournetworkexpands.Youcanalsomix differentproductsinthefamilyinasinglestacktoprovideadesiredcombinationofporttypes andfunctionstomatchtherequirementsofindividualapplications.Inallcases,astackofunits performsasonelargeproduct,andismanagedasasinglenetworkentity. WhenswitchesareinstalledandconnectedasdescribedintheSecureStackC2InstallationGuides, thefollowingoccursduringinitialization: Theswitchthatwillmanagethestackisautomaticallyestablished.Thisisknownasthe managerswitch. Allotherswitchesareestablishedasmembersinthestack. Thehierarchyoftheswitchesthatwillassumethefunctionofbackupmanagerisalso determinedincasethecurrentmanagermalfunctions,ispowereddown,orisdisconnected fromthestack.

    SecureStack C2 Configuration Guide

    2-1

    Installing a New Stackable System of Up to Eight Units

    Theconsoleportonthemanagerswitchremainsactiveforoutofband(local)switch management,buttheconsoleportoneachmemberswitchisdeactivated.Thisenablesyouto settheIPaddressandsystempasswordusingasingleconsoleport.Noweachswitchcanbe configuredlocallyusingonlythemanagersconsoleport,orinbandusingaremotedeviceand theCLIsetofcommandsdescribedinthissection.

    Onceastackiscreated(morethanoneswitchisinterconnected),thefollowingprocedureoccurs: 1. 2. Bydefault,unitIDsarearbitrarilyassignedonafirstcome,firstservedbasis. UnitIDsaresavedagainsteachmodule.Then,everytimeaboardispowercycled,itwill initializewiththesameunitID.Thisisimportantforportspecificinformation(forexample: ge.4.12isthe12thGigabitEthernetportonUnit#4). Themanagementelectionprocessusesthefollowingprecedencetoassignamanagement switch: a. b. c. Previouslyassigned/electedmanagementunit Managementassignedpriority(values115) Hardwarepreferencelevel

    3.

    d. HighestMACAddress Usethefollowingrecommendedprocedureswheninstallinganewstackablesystemoraddinga newunittoanexistingstack.

    Important
    The following procedures assume that all units have a clean configuration from manufacturing. When adding a new unit to an already running stack, it is also assumed that the new unit is using the same firmware image version as other units in the stack.

    Installing a New Stackable System of Up to Eight Units


    Usethefollowingprocedureforinstallinganewstackofuptoeightunitsoutofthebox. 1. 2. Beforeapplyingpower,makeallphysicalconnectionswiththestackcablesasdescribedinthe SecureStackC2InstallationGuides. Onceallofthestackcableshavebeenconnected,individuallypoweroneachunitfromtopto bottom.
    Notes: Ensure that each switch is fully operational before applying power to the next switch. Since unit IDs are assigned on a first-come, first-served basis, this will ensure that unit IDs are ordered sequentially. Once unit IDs are assigned, they are persistent and will be retained during a power cycle to any or all of the units.

    3. 4. 5.

    (Optional)Ifdesired,changethemanagementunitusingthesetswitchmovemanagement commandasdescribedinsetswitchmovemanagementonpage211. Oncethedesiredmasterunithasbeenselected,resetthesystemusingtheresetcommand (page348). Afterthestackhasbeenconfigured,youcanusetheshowswitchunitcommand(page26)to physicallyidentifyeachunit.Whenyouenterthecommandwithaunitnumber,theMGR LEDofthespecifiedswitchwillblinkfor10seconds.ThenormalstateofthisLEDisofffor memberunitsandsteadygreenforthemanagerunit.

    2-2

    Configuring Switches in a Stack

    Installing Previously-Configured Systems in a Stack

    Installing Previously-Configured Systems in a Stack


    Ifmemberunitsinastackhavebeenpreviousmembersofadifferentstack,youmayneedto configuretherenumberingofthestackasfollows: 1. 2. 3. 4. 5. 6. Stacktheunitsinthemethoddesired,andconnectthestackcables. Poweruponlytheunityouwishtobemanager. Oncethemanagementunitispoweredup,logintotheCLI,andusetheshowswitch commandasdescribedinshowswitchonpage26todisplaystackinginformation. Clearanyswitcheswhicharelistedasunassignedusingtheclearswitchmember commandasdescribedinclearswitchmemberonpage212. Powerupthememberofthestackyouwishtobecomeunit2.Oncethesecondunitisfully powered,theCOMsessionoftheCLIwillstatethatanewCPUwasadded. Usetheshowswitchcommandtoredisplaystackinginformation. a. b. Ifthenewmemberdisplaysasunit2,youcanproceedtorepeatthisstepwiththenext unit. Ifthenewmemberdisplaysadifferentunitnumber,youmust: (1) Renumberthestackusingthesetswitchrenumbercommandasdescribedinset switchonpage29,then (2) Cleartheoriginalunitnumberusingtheclearswitchmembercommand. 7. 8. RepeatStep6untilallmembershavebeenrenumberedintheorderyoudesire. Afterthestackhasbeenreconfigured,youcanusetheshowswitchunitcommand(show switchonpage26)tophysicallyconfirmtheidentityofeachunit.Whenyouenterthe commandwithaunitnumber,theMGRLEDofthespecifiedswitchwillblinkfor10seconds. ThenormalstateofthisLEDisoffformemberunitsandsteadygreenforthemanagerunit.

    Adding a New Unit to an Existing Stack


    Usethefollowingprocedureforinstallinganewunittoanexistingstackconfiguration.This procedureassumesthatthenewunitbeingaddedhasacleanconfigurationfrommanufacturing andisrunningthesamefirmwareimageversionasotherunitsinthestack. 1. 2. Ensurethatpowerisoffonthenewunitbeinginstalled. Useoneofthefollowingmethodstocompletestackcableconnections: Iftherunningstackusesadaisychaintopology,makethestackcableconnectionsfrom thebottomofthestacktothenewunit(thatis,STACKDOWNportfromthebottomunit oftherunningstacktotheSTACKUPportonthenewunit). Iftherunningstackusesaringstacktopology,breaktheringandmakethestackcable connectionstothenewunittoclosethering.

    3.

    Applypowertothenewunit.

    Creating a Virtual Switch Configuration


    YoucancreateaconfigurationforaSecureStackC2switchbeforeaddingtheactualphysical devicetoastack.Thispreconfigurationfeatureincludesconfiguringprotocolsontheportsofthe virtualswitch.

    SecureStack C2 Configuration Guide

    2-3

    Creating a Virtual Switch Configuration

    Tocreateavirtualswitchconfigurationinastackenvironment: 1. 2. 3. Displaythetypesofswitchessupportedinthestack,usingtheshowswitchswitchtype command(page27). Usingtheoutputoftheshowswitchswitchtypecommand,determinetheswitchindex(SID) ofthemodelofswitchbeingconfigured. Addthevirtualswitchtothestackusingthesetswitchmembercommand(page211).Use theSIDoftheswitchmodel,determinedinthepreviousstep,andtheunitIDthatyouwantto assigntothisswitchmember. Proceedtoconfiguretheportsofthevirtualswitchasyouwoulddoforphysicallypresent devices.

    4.

    ThefollowingexampleaddsaC2G12424modetoastackasunit2ofthestack.Thefirstporton thatvirtualswitchisthenassociatedwithVLAN555.
    C2(su)->show switch switchtype SID --1 2 3 4 5 6 7 8 9 10 11 12 13 15 17 Switch Model ID -------------------------------C2G124-24 C2K122-24 C2G124-48 C2G124-48P C2H124-48 C2H124-48P C2G134-24P C2G170-24 C3G124-24P C3G124-48P C3G124-48 C3G124-24 C3K172-24 C3K122-24 C3K122-24P Mgmt Pref ---1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 Code Version --------0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245

    C2(su)->set switch member 2 1 C2(su)->show switch Management Preconfig Plugged-in Switch Code Switch Status Model ID Model ID Status Version ------ ------------ ------------- ------------- --------------------- -------1 Mgmt Switch C2G124-48 C2G124-48 OK 5.02.xx.xxxx 2 Unassigned C2G124-24 Not Present 00.00.00 C2(su)->set vlan create 555 C2(su)->clear vlan egress 1 ge.2.1 C2(su)->set port vlan ge.2.1 555 untagged C2(su)->show port vlan ge.2.1 ge.2.1 is set to 555 Note: If you preconfigure a virtual switch and then add a physical switch of a different type to the stack as that unit number, any configured functionality that cannot be supported on the physical switch will cause a configuration mismatch status for that device and the ports of the new device will join detached. You must clear the mismatch before the new device will properly join the stack.

    2-4

    Configuring Switches in a Stack

    Considerations About Using Clear Config in a Stack

    Considerations About Using Clear Config in a Stack


    Whenusingtheclearconfigcommand(page349)toclearconfigurationparametersinastack,it isimportanttorememberthefollowing: UseclearconfigtoclearconfigparameterswithoutclearingstackunitIDs.Thiscommand WILLNOTclearstackparametersortheIPaddressandavoidstheprocessofrenumbering thestack. Useclearconfigallwhenitisnecessarytoclearallconfigparameters,includingstackunit IDsandswitchpriorityvalues.ThiscommandwillnotcleartheIPaddressnorwillitremove anappliedadvancedfeaturelicense. UseclearipaddresstoremovetheIPaddressofthestack. Useclearlicensetoremoveanappliedlicensefromaswitch.

    Configurationparametersandstackinginformationcanalsobeclearedonthemasterunitonly byselectingtherestoreconfigurationtofactorydefaultsoptionfromthebootmenuonswitch startup.Thisselectionwillleavestackingprioritiesonallotherunits.

    Issues Related to Mixed Type Stacks


    Feature Support
    BecausetheSecureStackC2andC3switcheshavedifferenthardwarearchitectures,the functionalitysupportedbythetwoswitchtypesisdifferent.Whenthetwotypesofswitchesare mixedinastack,thefunctionalitysupportedwillbethelowestcommondenominatoroffeatures supportedonallplatforms.RefertothefirmwareReleaseNotesforinformationaboutsupported features.

    Configuration
    Common Firmware Version
    MixedstackingisonlysupportedbySecureStackC2firmwareversion5.00.xxandhigher.(Ifyou areusingaC3Kswitch,thefirmwareversionmustbe5.02.xxorhigher.)Inordertomix SecureStackC3switcheswithC2switches,youmustinstalltheC2firmware(version5.00.xxor higher,orversion5.02.xxorhigherforC3Kdevices)ontheC3switch.YoucaninstalltheC2 firmwarefirst,withtheC3switchinstandalonemode,oryoucanaddtheC3switchtothestack andthencopytheC2firmwaretotheC3switchusingthesetswitchcopyfwcommand(page2 10).AftercopyingtheC2firmwaretotheC3switch,youmustresetthestack.

    Switch Manager
    ItisrecommendedthataSecureStackC3switchbemadethemanagerofamixedstack.Usetheset switchmovemanagementcommand(page211)tochangethemanagerunit.

    SecureStack C2 Configuration Guide

    2-5

    Stacking Configuration and Management Commands

    Stacking Configuration and Management Commands


    Purpose
    Toreview,individuallyconfigureandmanageswitchesinaSecureStackC2stack.

    Commands
    For information about... show switch show switch switchtype show switch stack-ports set switch set switch copy-fw set switch description set switch movemanagement set switch member clear switch member Refer to page... 2-6 2-7 2-8 2-9 2-10 2-10 2-11 2-11 2-12

    show switch
    Usethiscommandtodisplayinformationaboutoneormoreunitsinthestack.

    Syntax
    show switch [status] [unit]

    Parameters
    status unit (Optional)Displayspowerandadministrativestatusinformationforone ormoreunitsinthestack. (Optional)Specifiestheunit(s)forwhichinformationwilldisplay.

    Defaults
    Ifnotspecified,statusandotherconfigurationinformationaboutallunitswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Usage
    Afterastackhasbeenconfigured,youcanusethiscommandtophysicallyconfirmtheidentityof eachunit.Whenyouenterthecommandwithaunitnumber,theMGRLEDofthespecified switchwillblinkfor10seconds.ThenormalstateofthisLEDisoffformemberunitsandsteady greenforthemanagerunit.

    2-6

    Configuring Switches in a Stack

    show switch switchtype

    Examples
    Thisexampleshowshowtodisplayinformationaboutallswitchunitsinthestack:
    C2(rw)->show switch Management Preconfig Plugged-in Switch Code Switch Status Model ID Model ID Status Version ------ ------------ ------------- ------------- --------------------- -------1 Mgmt Switch C2G124-24 C2G124-24 OK 05.02.xx.xxxx 2 Stack Member C2G124-24 C2G124-24 OK 05.02.xx.xxxx 3 Stack Member C2G124-24 C2G124-24 OK 05.02.xx.xxxx 4 Stack Member C2G124-24 C2G124-24 OK 05.02.xx.xxxx 5 Stack Member C2G124-24 C2G124-24 OK 05.02.xx.xxxx 6 Stack Member C2G124-24 C2G124-24 OK 05.02.xx.xxxx 7 Stack Member C2G124-24 C2G124-24 OK 05.02.xx.xxxx 8 Stack Member C2G124-24 C2G124-24 OK 05.02.xx.xxxx

    Thisexampleshowshowtodisplayinformationaboutswitchunit1inthestack:
    C2(ro)->show switch 1 Switch Management Status Hardware Management Preference Admin Management Preference Switch Type Preconfigured Model Identifier Plugged-in Model Identifier Switch Status Switch Description Detected Code Version Detected Code in Flash Detected Code in Back Image Up Time 1 Management Switch Unassigned Unassigned C2G124-24 C2G124-24 C2G124-24 OK Enterasys Networks, Inc. C2 -- Model C2G124-24 05.02.xx.xxxx 03.01.20 02.01.37 0 days 6 hrs 37 mins 54 secs

    Thisexampleshowshowtodisplaystatusinformationforswitchunit1inthestack:
    C2(ro)->show switch status 1 Switch Switch Status Admin State Power State Inserted Switch: Model Identifier Description Configured Switch: Model Identifier Description 1 Full

    C2G124-24 Enterasys Networks, Inc. C2 -- Model C2G124-24 C2G124-24 Enterasys Networks, Inc. C2 -- Model C2G124-24

    show switch switchtype


    Usethiscommandtodisplayinformationaboutsupportedswitchtypesinthestack.

    Syntax
    show switch switchtype [switchindex]

    SecureStack C2 Configuration Guide

    2-7

    show switch stack-ports

    Parameters
    switchindex (Optional)Specifiestheswitchindex(SID)oftheswitchtypetodisplay.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Examples
    Thisexampleshowshowtodisplayswitchtypeinformationaboutallswitchesinthestack:
    C2(ro)->show switch switchtype SID --1 2 3 4 5 6 7 8 9 10 11 12 13 15 17 Switch Model ID -------------------------------C2G124-24 C2K122-24 C2G124-48 C2G124-48P C2H124-48 C2H124-48P C2G134-24P C2G170-24 C3G124-24P C3G124-48P C3G124-48 C3G124-24 C3K172-24 C3K122-24 C3K122-24P Mgmt Pref ---1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 Code Version --------0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245 0xa08245

    ThisexampleshowshowtodisplayswitchtypeinformationaboutSID1:
    C2(ro)->show switch switchtype 1 Switch Type Model Identifier Switch Description Management Preference Expected Code Version Supported Cards: Slot Card Index (CID) Model Identifier 0 1 C2G124-24 0x56950200 C2G124-24 Enterasys Networks, Inc. C2 -Model C2G124-24 1 0xa08245

    show switch stack-ports


    Usethiscommandtodisplayvariousdataflowanderrorcountersonstackports.

    Syntax
    show switch stack-ports [unit]

    2-8

    Configuring Switches in a Stack

    set switch

    Parameters
    unit (Optional)SpecifiestheswitchunitID,anintegerrangingfrom1to8.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaydataanderrorinformationonstackports:
    C2(ro)->show switch stack-ports ------------TX-------------- ------------RX----------Data Error Data Error Stacking Rate Rate Total Rate Rate Total Switch Port (Mb/s) (Errors/s) Errors (Mb/s) (Errors/s) Errors ------ ---------- ------ ---------- ---------- ------ ---------- -------1 Up 0 0 0 0 0 0 Down 0 0 0 0 0 0

    set switch
    UsethiscommandtoassignaswitchID,tosetaswitchspriorityforbecomingthemanagement switchifthepreviousmanagementswitchfails,ortochangetheswitchunitIDforaswitchinthe stack.

    Syntax
    set switch {unit [priority value | renumber newunit]}

    Parameters
    unit priorityvalue renumbernewunit Specifiesaunitnumberfortheswitch.Valuecanrangefrom1to8. Specifiesapriorityvaluefortheunit.Validvaluesare1to15withhigher valuesassigninghigherpriority. Specifiesanewnumberfortheunit.
    Note: This number must be a previously unassigned unit ID number.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    2-9

    set switch copy-fw

    Examples
    Thisexampleshowshowtoassignpriority3toswitch5:
    C2(su)->set switch 5 priority 3

    Thisexampleshowshowtorenumberswitch5toswitch7:
    C2(su)->set switch 5 renumber 7

    set switch copy-fw


    Usethiscommandtoreplicatethecodeimagefilefromthemanagementswitchtoother switch(es)inthestack.

    Syntax
    set switch copy-fw [destination-system unit]

    Parameters
    destinationsystem (Optional)Specifiestheunitnumberofunitonwhichtocopythe unit managementimagefile.

    Defaults
    Ifdestinationsystemisnotspecified,themanagementimagefilewillbereplicatedtoallswitches inthestack.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoreplicatethemanagementimagefiletoallswitchesinthestack:
    C2(su)->set switch copy-fw Are you sure you want to copy firmware? (y/n) y Code transfer completed successfully.

    set switch description


    Usethiscommandtoassignanametoaswitchinthestack.

    Syntax
    set switch description unit description

    Parameters
    unit description Specifiesaunitnumberfortheswitch. Specifiesatextdescriptionfortheunit.

    Defaults
    None.

    2-10

    Configuring Switches in a Stack

    set switch movemanagement

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoassignthenameFirstUnittoswitchunit1inthestack:
    C2(su)->set switch description 1 FirstUnit

    set switch movemanagement


    Usethiscommandtomovemanagementswitchfunctionalityfromoneswitchtoanother.

    Syntax
    set switch movemanagement fromunit tounit

    Parameters
    fromunit tounit Specifiestheunitnumberofthecurrentmanagementswitch. Specifiestheunitnumberofthenewlydesignatedmanagementswitch.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtomovemanagementfunctionalityfromswitch1toswitch2:
    C2(su)->set switch movemenagement 1 2 Moving stack management will unconfigure entire stack including all interfaces. Are you sure you want to move stack management? (y/n) y

    set switch member


    Usethiscommandtoaddavirtualmembertoastack.Thisallowsyoutopreconfigureaswitch beforethephysicaldeviceisactuallyaddedtothestack.

    Syntax
    set switch member unit switch-id

    Parameters
    unit switchid Specifiesaunitnumberfortheswitch. SpecifiesaswitchID(SID)fortheswitch.SIDscanbedisplayedwiththe showswitchswitchtypecommand.

    Defaults
    None.

    SecureStack C2 Configuration Guide

    2-11

    clear switch member

    Mode
    Switchcommand,readwrite.

    Usage
    RefertoCreatingaVirtualSwitchConfigurationonpage23formoreinformationabouthowto addavirtualswitchtoastack.

    Example
    Thisexampleshowshowtospecifyaswitchasunit1withaswitchIDof1:
    C2(su)->set switch member 1 1

    clear switch member


    Usethiscommandtoremoveamemberentryfromthestack.

    Syntax
    clear switch member unit

    Parameters
    unit Specifiestheunitnumberoftheswitch.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoremovetheswitch5entryfromthestack:
    C2(su)->clear switch member 5

    2-12

    Configuring Switches in a Stack

    3
    Basic Configuration
    Atstartup,theSecureStackC2switchisconfiguredwithmanydefaultsandstandardfeatures. Thischapterdescribeshowtocustomizebasicsystemsettingstoadapttoyourworkenvironment.
    For information about... Quick Start Setup Commands Setting User Accounts and Passwords Setting Basic Switch Properties Downloading a Firmware Image Reviewing and Selecting a Boot Firmware Image Starting and Configuring Telnet Managing Switch Configuration and Files Clearing and Closing the CLI Resetting the Switch Using and Configuring WebView Gathering Technical Support Information Refer to page... 3-1 3-2 3-9 3-30 3-33 3-35 3-37 3-47 3-48 3-50 3-52

    Quick Start Setup Commands


    ThetablesinthissectionprovideaquickreferencefortheCLIcommandsneededtobeginbasic C2switchoperation.Table 31liststasksandtheirassociatedCLIcommandsrequiredforsetting uptheswitchwiththelatestfirmware.Table 32listsoptionalCLIcommandsthatwillhelpyou performadditionalbasicconfigurationontheswitch.Refertothepageslistedformore informationabouteachcommand. Table 3-1
    Step Task 1 2 3 Set a new password. Set the switch IP address. Download, activate, and verify new firmware on the switch using TFTP copy.

    Required CLI Setup Commands


    CLI commands set password [username] set ip address ip-address [mask ip-mask] [gateway ip-gateway] copy tftp://tftp_server_ip_address/ filename system:image set boot system filename show version Refer to page... 3-5 3-11 3-43 3-34 3-25

    SecureStack C2 Configuration Guide

    3-1

    Setting User Accounts and Passwords

    Table 3-2
    Task

    Optional CLI Setup Commands


    CLI commands save config set ssh enable | disable set telnet {enable | disable} [inbound | outbound | all] set webview {enable | disable} set port trap port-string {enable | disable} set port broadcast port-string threshold-value set vlan create vlan-id set port vlan port-string vlan-id modify-egress set logging server index ip-addr ip-addr severity severity state enable set radius server index ip-addr port [secret-value]{realm {management-access | any | network-access} set radius enable Refer to page... 3-39 23-73 3-36 3-51 7-22 7-31 10-5 10-9 10-9 23-5

    Save the active configuration. Enable or disable SSH. Enable or disable Telnet. Enable or disable HTTP management (WebView). Enable or disable SNMP port link traps. Set the per port broadcast limit Configure a VLAN. Set a Syslog server IP and severity Configure and enable a RADIUS server.

    23-5

    Setting User Accounts and Passwords


    Purpose
    Tochangetheswitchsdefaultuserloginandpasswordsettings,andtoaddnewuseraccounts andpasswords.

    Commands
    For information about... show system login set system login clear system login set password set system password length set system password aging set system password history show system lockout set system lockout Refer to page... 3-3 3-4 3-4 3-5 3-6 3-6 3-7 3-7 3-8

    3-2

    Basic Configuration

    show system login

    show system login


    Usethiscommandtodisplayuserloginaccountinformation.

    Syntax
    show system login

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,superuser.

    Example
    Thisexampleshowshowtodisplayloginaccountinformation.Inthiscase,switchdefaultshave notbeenchanged:
    C2(su)->show system login Password history size: 0 Password aging : disabled Username admin ro rw Access super-user read-only read-write State enabled enabled enabled

    Table 31providesanexplanationofthecommandoutput. Table 3-1 show system login Output Details


    What It Displays... Number of previously used user login passwords that will be checked for duplication when the set password command is executed. Configured with set system password history (page 3-7). Number of days user passwords will remain valid before aging out. Configured with set system password aging (page 3-6). Login user names. Access assigned to this user account: super-user, read-write or read-only. Whether this user account is enabled or disabled.

    Output Field Password history size

    Password aging Username Access State

    SecureStack C2 Configuration Guide

    3-3

    set system login

    set system login


    Usethiscommandtocreateanewuserloginaccount,ortodisableorenableanexistingaccount. TheSecureStackC2switchsupportsupto16useraccounts,includingtheadminaccount,which cannotbedeleted.

    Syntax
    set system login username {super-user | read-write | read-only} {enable | disable}

    Parameters
    username Specifiesaloginnameforaneworexistinguser.Thisstringcanbea maximumof80characters,althoughamaximumof16charactersis recommendedforproperviewingintheshowsystemlogindisplay. Specifiestheaccessprivilegesforthisuser.

    superuser| readwrite| readonly enable|disable

    Enablesordisablestheuseraccount.

    Defaults
    None.

    Mode
    Switchcommand,superuser.

    Usage
    Loginaccounts,includingtheadminuseraccount,canbelockedoutaftermultiplefailedattempts tologintothesystem.Refertoshowsystemlockoutonpage37andsetsystemlockouton page38formoreinformationaboutlockoutparameters. Iftheadminuseraccounthasbeenlockedout,youmustwaituntiltheconfiguredlockouttime periodhasexpiredoryoucanpowercycletheswitchtorebootit,whichwillreenabletheadmin useraccount.

    Example
    Thisexampleshowshowtoenableanewuseraccountwiththeloginnamenetopswithsuper useraccessprivileges:
    C2(su)->set system login netops super-user enable

    clear system login


    Usethiscommandtoremovealocalloginuseraccount.

    Syntax
    clear system login username

    3-4

    Basic Configuration

    set password

    Parameters
    username Specifiestheloginnameoftheaccounttobecleared.
    Note: The default admin (su) account cannot be deleted.

    Defaults
    None.

    Mode
    Switchcommand,superuser.

    Example
    Thisexampleshowshowtoremovethenetopsuseraccount:
    C2(su)->clear system login netops

    set password
    UsethiscommandtochangesystemdefaultpasswordsortosetanewloginpasswordontheCLI.

    Syntax
    set password [username]

    Parameters
    username (Onlyavailabletouserswithsuperuseraccess.)Specifiesasystemdefault orauserconfiguredloginaccountname.Bydefault,theSecureStackC2 switchprovidesthefollowingaccountnames: roforReadOnlyaccess. rwforReadWriteaccess. adminforSuperUseraccess.(ThisaccesslevelallowsReadWriteaccess toallmodifiableparameters,includinguseraccounts.)

    Defaults
    None.

    Mode
    Switchcommand,readwrite. Switchcommand,superuser.

    Usage
    ReadWriteuserscanchangetheirownpasswords. SuperUsers(Admin)canchangeanypasswordonthesystem. Ifyouforgetthepasswordfortheadminuseraccount,youcanresetthepasswordtothedefault passwordvaluebypressingthepasswordresetbuttonontheswitch.

    SecureStack C2 Configuration Guide

    3-5

    set system password length

    Examples
    ThisexampleshowshowasuperuserwouldchangetheReadWritepasswordfromthesystem default(blankstring):
    C2(su)->set password rw Please enter new password: ******** Please re-enter new password: ******** Password changed. C2(su)->

    ThisexampleshowshowauserwithReadWriteaccesswouldchangehispassword:
    C2(su)->set password Please enter old password: ******** Please enter new password: ******** Please re-enter new password: ******** Password changed. C2(su)->

    set system password length


    Usethiscommandtosettheminimumuserloginpasswordlength.

    Syntax
    set system password length characters

    Parameters
    characters Specifiestheminimumnumberofcharactersforauseraccountpassword. Validvaluesare0to40.

    Defaults
    None.

    Mode
    Switchcommand,superuser.

    Example
    Thisexampleshowshowtosettheminimumsystempasswordlengthto8characters:
    C2(su)->set system password length 8

    set system password aging


    Usethiscommandtosetthenumberofdaysuserpasswordswillremainvalidbeforeagingout,or todisableuseraccountpasswordaging.

    Syntax
    set system password aging {days | disable}

    3-6

    Basic Configuration

    set system password history

    Parameters
    days disable Specifiesthenumberofdaysuserpasswordswillremainvalidbefore agingout.Validvaluesare1to365. Disablespasswordaging.

    Defaults
    None.

    Mode
    Switchcommand,superuser.

    Example
    Thisexampleshowshowtosetthesystempasswordagetimeto45days:
    C2(su)->set system password aging 45

    set system password history


    Usethiscommandtosetthenumberofpreviouslyuseduserloginpasswordsthatwillbechecked forpasswordduplication.Thispreventsduplicatepasswordsfrombeingenteredintothesystem withthesetpasswordcommand.

    Syntax
    set system password history size

    Parameters
    size Specifiesthenumberofpasswordscheckedforduplication.Validvalues are0to10.

    Defaults
    None.

    Mode
    Switchcommand,superuser.

    Example
    Thisexampleshowshowtoconfigurethesystemtocheckthelast10passwordsforduplication
    C2(su)->set system password history 10

    show system lockout


    Usethiscommandtodisplaysettingsforlockingoutusersafterfailedattemptstologintothe system.

    Syntax
    show system lockout

    SecureStack C2 Configuration Guide

    3-7

    set system lockout

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,superuser.

    Example
    Thisexampleshowshowtodisplayuserlockoutsettings.Inthiscase,switchdefaultshavenot beenchanged:
    C2(su)->show system lockout Lockout attempts: 3 Lockout time: 15 minutes.

    Table 33providesanexplanationofthecommandoutput.Thesesettingsareconfiguredwiththe setsystemlockoutcommand(setsystemlockoutonpage38). Table 3-3 show system lockout Output Details
    What It Displays... Number of failed login attempts allowed before a read-write or read-only users account will be disabled. Number of minutes the default admin user account will be locked out after the maximum login attempts.

    Output Field Lockout attempts Lockout time

    set system lockout


    Usethiscommandtosetthenumberoffailedloginattemptsbeforelockingout(disabling)aread writeorreadonlyuseraccount,andthenumberofminutestolockoutthedefaultadminsuper useraccountaftermaximumloginattempts.

    Syntax
    set system lockout {[attempts attempts] [time time]}

    Parameters
    attemptsattempts timetime Specifiesthenumberoffailedloginattemptsallowedbeforeareadwrite orreadonlyusersaccountwillbedisabled.Validvaluesare1to10. Specifiesthenumberofminutesthedefaultadminuseraccountwillbe lockedoutafterthemaximumloginattempts.Validvaluesare0to60.

    Defaults
    None.

    Mode
    Switchcommand,superuser.

    3-8

    Basic Configuration

    Setting Basic Switch Properties

    Usage
    Onceauseraccountislockedout,itcanonlybereenabledbyasuperuserwiththesetsystem logincommand(page34). Ifthedefaultadminsuperuseraccounthasbeenlockedout,youcanwaituntilthelockouttime hasexpiredoryoucanresettheswitchinordertoreenabletheadminaccount.

    Example
    Thisexampleshowshowtosetloginattemptsto5andlockouttimeto30minutes:
    C2(su)->set system lockout attempts 5 time 30

    Setting Basic Switch Properties


    Purpose
    TodisplayandsetthesystemIPaddressandotherbasicsystem(switch)properties.

    Commands
    For information about... show ip address set ip address clear ip address show ip protocol set ip protocol show system show system hardware show system utilization show system enhancedbuffermode set system enhancedbuffermode set system temperature clear system temperature show time set time show summertime set summertime set summertime date set summertime recurring clear summertime set prompt Refer to page... 3-10 3-11 3-11 3-12 3-12 3-13 3-14 3-15 3-16 3-16 3-17 3-18 3-19 3-19 3-20 3-20 3-21 3-21 3-22 3-23

    SecureStack C2 Configuration Guide

    3-9

    show ip address

    For information about... show banner motd set banner motd clear banner motd show version set system name set system location set system contact set width set length show logout set logout show console set console baud

    Refer to page... 3-23 3-24 3-24 3-25 3-26 3-26 3-27 3-27 3-28 3-28 3-29 3-29 3-30

    show ip address
    UsethiscommandtodisplaythesystemIPaddressandsubnetmask.

    Syntax
    show ip address

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaythesystemIPaddressandsubnetmask:
    C2(su)->show ip address Name ---------------host Address ---------------10.42.13.20 Mask ---------------255.255.0.0

    3-10

    Basic Configuration

    set ip address

    set ip address
    UsethiscommandtosetthesystemIPaddress,subnetmaskanddefaultgateway.
    Note: The C2 does not support the ability for a user to configure the host's gateway to be a local routed interface IP. The host's gateway must exist on a different device in the network if one is configured.

    Syntax
    set ip address ip-address [mask ip-mask] [gateway ip-gateway]

    Parameters
    ipaddress SetstheIPaddressforthesystem.ForSecureStackC2systems,thisisthe IPaddressofthemanagementswitchasdescribedinAboutSecureStack C2SwitchOperationinaStackonpage21. (Optional)Setsthesystemssubnetmask. (Optional)Setsthesystemsdefaultgateway(nexthopdevice).

    maskipmask gatewayipgateway

    Defaults
    Ifnotspecified,ipmaskwillbesettothenaturalmaskoftheipaddressandipgatewaywillbesetto theipaddress.

    Mode
    Switchcommand,readwrite.

    Usage
    Parametersmustbeenteredintheordershown(hostIP,thenmask,thengateway)forthe commandtobeaccepted.

    Example
    ThisexampleshowshowtosetthesystemIPaddressto10.1.10.1withamaskof255.255.128.0:
    C2(su)->set ip address 10.1.10.1 mask 255.255.128.0

    clear ip address
    UsethiscommandtoclearthesystemIPaddress.

    Syntax
    clear ip address

    Parameters
    None.

    Defaults
    None.

    SecureStack C2 Configuration Guide

    3-11

    show ip protocol

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoclearthesystemIPaddress:
    C2(rw)->clear ip address

    show ip protocol
    UsethiscommandtodisplaythemethodusedtoacquireanetworkIPaddressforswitch management.

    Syntax
    show ip protocol

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaythemethodusedtoacquireanetworkIPaddress:
    C2(su)->show ip protocol System IP address acquisition method: dhcp

    set ip protocol
    UsethiscommandtospecifytheprotocolusedtoacquireanetworkIPaddressforswitch management.

    Syntax
    set ip protocol {bootp | dhcp | none}

    Parameters
    bootp dhcp none SelectsBOOTPastheprotocoltousetoacquirethesystemIPaddress. SelectsDHCPastheprotocoltousetoacquirethesystemIPaddress. NoprotocolwillbeusedtoacquirethesystemIPaddress.

    Defaults
    None.

    3-12

    Basic Configuration

    show system

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetthemethodusedtoacquireanetworkIPaddresstoDHCP.
    C2(su)->set ip protocol dhcp

    show system
    Usethiscommandtodisplaysysteminformation,includingcontactinformation,powerandfan traystatusanduptime.

    Syntax
    show system

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaysysteminformation:
    C2(su)->show system System contact: System location: System name: Switch 1 -------PS1-Status ---------Ok Fan1-Status ----------Ok Temp-Alarm ----------off Thermal Threshold: 58% Temp alarm max threshold: 100% Temp alarm trap: disabled Temp alarm syslog: disabled Uptime d,h:m:s -------------0,20:36:49 Logout ------0 min
    SecureStack C2 Configuration Guide 3-13

    PS2-Status ---------Not Installed and/or Not Operating Fan2-Status ----------Ok

    show system hardware

    Thefollowingtableprovidesanexplanationofthecommandoutput. Table 3-4


    Output System contact System location System name Switch x PS1-Status PS2-Status Fanx-Status Temp-Alarm Thermal Threshold Temp alarm max threshold Temp alarm trap Temp alarm syslog Uptime d,h:m:s Logout

    show system Output Details


    What It Displays... Contact person for the system. Default of a blank string can be changed with the set system contact command (set system contact on page 3-27). Where the system is located. Default of a blank string can be changed with the set system location command (set system location on page 3-26). Name identifying the system. Default of a blank string can be changed with the set system name command (set system name on page 3-26). Indicates the switch position in the stack. When multiple switches are in a stack, information for each switch is displayed. Operational status for the primary power supply. Operational status for the secondary power supply, if installed. Operational status of the fan(s). Indicates status of temperature alarm on, off. The status will show NA (not available) on switches that do not support this functionality. Percentage of thermal threshold reached. The status will show NA (not available) on switches that do not support this functionality. The temperature alarm threshold expressed as a percentage of the maximum rated. The default value is 100%. Indicates whether the sending of temperature alarm traps is enabled or disabled. The default is disabled. Indicates whether temperature alarm syslog messages are enabled or disabled. The default is disabled. System uptime. Time an idle console or Telnet CLI session will remain connected before timing out. Default of 5 minutes can be changed with the set logout command (set logout on page 3-29).

    show system hardware


    Usethiscommandtodisplaythesystemshardwareconfiguration.

    Syntax
    show system hardware

    Parameters
    None.

    Defaults
    None.

    3-14

    Basic Configuration

    show system utilization

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaythesystemshardwareconfiguration.Pleasenotethatthe informationyouseedisplayedmaydifferfromthisexample.
    C2(su)->show system hardware SLOT 1 HARDWARE INFORMATION --------------------------Model: Serial Number: Vendor ID: Base MAC Address: Hardware Version: FirmWare Version: Boot Code Version:

    777777777777 0xbc00 00:11:88:B1:76:C0 BCM56514 REV 1 01.00.00.0052 01.00.42

    show system utilization


    Usethiscommandtodisplaydetailedinformationabouttheprocessorrunningontheswitch,or theoverallmemoryusageoftheFlashandSDRAMstoragedevicesontheunit,ortheprocesses runningontheswitch.Onlythememoryusageinthemasterunitofastackisshown.

    Syntax
    show system utilization {cpu | storage | process}

    Parameters
    cpu storage process Displayinformationabouttheprocessorrunningontheswitch. Displayinformationabouttheoverallmemoryusageontheswitch. Displayinformationabouttheprocessesrunningontheswitch.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Examples
    ThisexampleshowshowtodisplaythesystemsCPUutilization:
    C2(ro)->show system utilization cpu Total CPU Utilization: Switch CPU 5 sec 1 min 5 min ----------------------------------------------1 1 50% 49% 49%

    Thisexampleshowshowtodisplaythesystemsoverallmemoryusage:
    C2(ro)->show system utilization storage Storage Utilization:

    SecureStack C2 Configuration Guide

    3-15

    show system enhancedbuffermode

    Type Description Size(Kb) Available (Kb) --------------------------------------------------------------RAM RAM device 262144 97173 Flash Images, Config, Other 31095 8094

    Thisexampleshowshowtodisplayinformationabouttheprocessesrunningonthesystem.Only partialoutputisshown.
    C2(ro)->show system utilization process Switch:1 CPU:1 TID Name 5Sec 1Min 5Min ---------------------------------------------------------c157930 ipMapForwardingTask 3.60% 3.02% 3.48% cc70000 RMONTask 0.00% 0.00% 0.00% ccb0b60 SNMPTask 34.80% 34.06% 31.78% d4847a0 tEmWeb 0.00% 0.03% 0.01% d4ca360 hapiRxTask 3.20% 4.80% 5.00% dec8600 lvl7TaskUtilMonitorTas 0.40% 0.40% 0.40% eb74120 bcmRX 2.00% 2.91% 4.48% eb7fbc8 bcmLINK.0 0.40% 0.22% 0.32% f00c9a0 bcmTX 0.00% 0.33% 0.53% f027648 bcmCNTR.0 0.00% 0.00% 0.03% f034858 bcmL2X.0 0.00% 0.02% 0.04%

    show system enhancedbuffermode


    Usethiscommandtodisplaythestatusofenhancedbuffermode,whichoptimizesbuffer distributionintoasingleCoSqueueoperationforstandaloneswitchesornonstackedSecureStack switches.

    Syntax
    show system enhancedbuffermode

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtodisplayenhancedbuffermodestatus:
    C2(su)->show system enhancedbuffermode enable Optimized system buffer distribution Disable

    set system enhancedbuffermode


    Usethiscommandtoenableordisableenhancedbuffermode,whichoptimizesbuffer distributionintoasingleCoSqueueoperationforstandaloneswitchesornonstackedSecureStack

    3-16

    Basic Configuration

    set system temperature

    switches..Executingthiscommandwillresettheswitch,sothesystempromptsyoutoconfirm whetheryouwanttoproceed.

    Syntax
    set system enhancedbuffermode {enable | disable}

    Parameters
    enable|disable Enablesordisablesenhancedbuffermode.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoenableenhancedbuffermode:
    C2(su)->set system enhancedbuffermode enable Changes in the enhanced buffer mode will require resetting this unit. Are you sure you want to continue? (y/n)

    set system temperature


    Usethiscommandtosetthesystemhightemperaturethresholdlimitandthehightemperature alertparameters,ontheplatformsthatsupportthisfeature.

    Syntax
    set system temperature {[syslog enable | disable] [trap enable | disable] [overtemp-threshold value]}

    Parameters
    syslogenable| disable trapenable|disable overtempthreshold value Enablesordisableslogginghightemperaturealertstothesystemlog whenthesystemtransitionsintoanalarmstate. EnablesordisablessendinghightemperaturealertsbymeansofSNMP trapswhenthesystemtransitionsintoanalarmstate. Setsthethermalthresholdasapercentageofthemaximumratedforthe specificplatform.Valuecanrangefrom0to100%.

    Defaults
    Syslogalertsaredisabledbydefault. Trapalertsaredisabledbydefault. Overtempthresholdis100%bydefault.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    3-17

    clear system temperature

    Usage
    Ontheplatformsthatsupportthisfeature,temperaturesensorsarelocatedinseveraldifferent locationswithinthedevice.Thresholdcalibrationshavebeencalculatedseparatelyforeach platform.Thethermalovertempthresholdisthehighwatermarkthat,whenreached,triggersan alerttowarnthesystemadministratorthatthedeviceisoperatingathightemperatures. Thevaluessetwiththiscommandcanbeviewedwiththeshowsystemcommand. RefertotheReleaseNoteforyourplatformtodetermineifthisfeatureissupportedonyour platform.

    Example
    ThefollowingexampleenablessendingSNMPtrapsandsetstheovertempthresholdto60%.
    C2(su)->set system temperature trap enable overtemp-threshold 60

    clear system temperature


    Usethiscommandtoresetsystemhightemperatureparameterstotheirdefaultvalues,onthe platformsthatsupportthisfeature.

    Syntax
    clear system temperature

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Thiscommandresetsallthehightemperatureparameterstotheirdefaultvalues: Syslogalertsaredisabledbydefault. Trapalertsaredisabledbydefault. Overtempthresholdis100%bydefault.

    Example
    Thisexampleresetsallhightemperatureparameterstotheirdefaults.
    C2(su)->clear system temperature

    3-18

    Basic Configuration

    show time

    show time
    Usethiscommandtodisplaythecurrenttimeofdayinthesystemclock.

    Syntax
    show time

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaythecurrenttime.Theoutputshowsthedayoftheweek, month,day,andthetimeofdayinhours,minutes,andsecondsandtheyear:
    C2(su)->show time THU SEP 05 09:21:57 2002

    set time
    Usethiscommandtochangethetimeofdayonthesystemclock.

    Syntax
    set time [mm/dd/yyyy] [hh:mm:ss]

    Parameters
    [mm/dd/yyyy] [hh:mm:ss] Setsthetimein: month,day,yearand/or 24hourformat Atleastonesetoftimeparametersmustbeentered.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtosetthesystemclockto7:50a.m:
    C2(su)->set time 7:50:00

    SecureStack C2 Configuration Guide

    3-19

    show summertime

    show summertime
    Usethiscommandtodisplaydaylightsavingstimesettings.

    Syntax
    show summertime

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaydaylightsavingstimesettings:
    C2(su)->show summertime Summertime is disabled and set to '' Start : SUN APR 04 02:00:00 2004 End : SUN OCT 31 02:00:00 2004 Offset: 60 minutes (1 hours 0 minutes) Recurring: yes, starting at 2:00 of the first Sunday of April and ending at 2:00 of the last Sunday of October

    set summertime
    Usethiscommandtoenableordisablethedaylightsavingstimefunction.

    Syntax
    set summertime {enable | disable} [zone]

    Parameters
    enable|disable zone Enablesordisablesthedaylightsavingstimefunction. (Optional)Appliesanametothedaylightsavingstimesettings.

    Defaults
    Ifazonenameisnotspecified,nonewillbeapplied.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtoenabledaylightsavingstimefunction:
    C2(su)->set summertime enable

    3-20

    Basic Configuration

    set summertime date

    set summertime date


    Usethiscommandtoconfigurespecificdatestostartandstopdaylightsavingstime.These settingswillbenonrecurringandwillhavetoberesetannually.

    Syntax
    set summertime date start_month start_date start_year start_hr_min end_month end_date end_year end_hr_min [offset_minutes]

    Parameters
    start_month start_date start_year start_hr_min end_month end_date end_year end_hr_min offset_minutes Specifiesthemonthoftheyeartostartdaylightsavingstime. Specifiesthedayofthemonthtostartdaylightsavingstime. Specifiestheyeartostartdaylightsavingstime. Specifiesthetimeofdaytostartdaylightsavingstime.Formatishh:mm. Specifiesthemonthoftheyeartoenddaylightsavingstime. Specifiesthedayofthemonthtoenddaylightsavingstime. Specifiestheyeartoenddaylightsavingstime. Specifiesthetimeofdaytoenddaylightsavingstime.Formatishh:mm. (Optional)Specifiestheamountoftimeinminutestooffsetdaylight savingstimefromthenondaylightsavingstimesystemsetting.Valid valuesare11440.

    Defaults
    Ifanoffsetisnotspecified,nonewillbeapplied.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetadaylightsavingstimestartdateofApril4,2004at2a.m.andan endingdateofOctober31,2004at2a.m.withanoffsettimeofonehour:
    C2(su)->set summertime date April 4 2004 02:00 October 31 2004 02:00 60

    set summertime recurring


    Usethiscommandtoconfigurerecurringdaylightsavingstimesettings.Thesesettingswillstart andstopdaylightsavingstimeatthespecifieddayofthemonthandhoureachyearandwillnot havetoberesetannually.

    Syntax
    set summertime recurring start_week start_day start_month start_hr_min end_week end_day end_month end_hr_min [offset_minutes]

    SecureStack C2 Configuration Guide

    3-21

    clear summertime

    Parameters
    start_week start_day start_hr_min end_week end_day end_hr_min offset_minutes Specifiestheweekofthemonthtorestartdaylightsavingstime.Valid valuesare:first,second,third,fourth,andlast. Specifiesthedayoftheweektorestartdaylightsavingstime. Specifiesthetimeofdaytorestartdaylightsavingstime.Formatis hh:mm. Specifiestheweekofthemonthtoenddaylightsavingstime. Specifiesthedayoftheweektoenddaylightsavingstime. Specifiesthetimeofdaytoenddaylightsavingstime.Formatishh:mm. (Optional)Specifiestheamountoftimeinminutestooffsetdaylight savingstimefromthenondaylightsavingstimesystemsetting.Valid valuesare11440.

    Defaults
    Ifanoffsetisnotspecified,nonewillbeapplied.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowsetdaylightsavingstimetorecurstartingonthefirstSundayofAprilat 2a.m.andendingthelastSundayofOctoberat2a.m.withanoffsettimeofonehour:
    C2(su)->set summertime recurring first Sunday April 02:00 last Sunday October 02:00 60

    clear summertime
    Usethiscommandtoclearthedaylightsavingstimeconfiguration.

    Syntax
    clear summertime

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoclearthedaylightsavingstimeconfiguration:
    C2(su)->clear summertime

    3-22

    Basic Configuration

    set prompt

    set prompt
    Usethiscommandtomodifythecommandprompt.

    Syntax
    set prompt prompt_string

    Parameters
    prompt_string Specifiesatextstringforthecommandprompt.
    Note: A prompt string containing a space in the text must be enclosed in quotes as shown in the example below.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetthecommandprompttoSwitch1:
    C2(su)->set prompt Switch 1 Switch 1(su)->

    show banner motd


    Usethiscommandtoshowthebannermessageofthedaythatwilldisplayatsessionlogin.

    Syntax
    show banner motd

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaythebannermessageoftheday:
    C2(rw)->show banner motd This system belongs to XYZ Corporation. Use of this system is strictly limited to authorized personnel.

    SecureStack C2 Configuration Guide

    3-23

    set banner motd

    set banner motd


    Usethiscommandtosetthebannermessageofthedaydisplayedatsessionlogin.
    Note: Banner message text must be enclosed in beginning and ending double quotation marks. The message itself cannot contain any additional double quotation marks.

    Syntax
    set banner motd message

    Parameters
    message Specifiesamessageoftheday.Thisisatextstringthatneedstobein doublequotesifanyspacesareused.Usea\nforanewlineand\tfora tab(eightspaces).

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtosetthemessageofthedaybannertoread:Thissystembelongsto XYZCorporation.Useofthissystemisstrictlylimitedtoauthorizedpersonnel.
    C2(rw)->set banner motd "\tThis system belongs to XYZ Corporation.\nUse of this system is strictly limited to authorized personnel."

    clear banner motd


    Usethiscommandtoclearthebannermessageofthedaydisplayedatsessionlogintoablank string.

    Syntax
    clear banner motd

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    3-24

    Basic Configuration

    show version

    Example
    Thisexampleshowshowtoclearthemessageofthedaybannertoablankstring:
    C2(rw)->clear banner motd

    show version
    Usethiscommandtodisplayhardwareandfirmwareinformation.RefertoDownloadinga FirmwareImageonpage330forinstructionsonhowtodownloadafirmwareimage.

    Syntax
    show version

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplayversioninformation.Pleasenotethatyoumayseedifferent informationdisplayed,dependingonthetypeofhardware.
    C2(su)->show version Copyright (c) 2007 by Enterasys Networks, Inc. Model -------------C2G124-48P Serial # ----------------001188021035 Versions ------------------Hw:BCM5665 REV 17 Bp:01.00.29 Fw:5.02.xx.xxxx BuFw:03.01.13 PoE:500_3

    Table 35providesanexplanationofthecommandoutput. Table 3-5 show version Output Details


    What It Displays... Switchs model number. Serial number of the switch. Hw: Hardware version number. Bp: BootPROM version. Fw: Current firmware version number. BuFw: Backup firmware version number. PoE: Power over Ethernet driver version. (Displays only for PoE switches.)

    Output Field Model Serial # Versions

    SecureStack C2 Configuration Guide

    3-25

    set system name

    set system name


    Usethiscommandtoconfigureanameforthesystem.

    Syntax
    set system name [string]

    Parameters
    string (Optional)Specifiesatextstringthatidentifiesthesystem.
    Note: A name string containing a space in the text must be enclosed in quotes as shown in the example below.

    Defaults
    Ifstringisnotspecified,thesystemnamewillbecleared.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetthesystemnametoInformationSystems:
    C2(su)->set system name Information Systems

    set system location


    Usethiscommandtoidentifythelocationofthesystem.

    Syntax
    set system location [string]

    Parameters
    string (Optional)Specifiesatextstringthatindicateswherethesystemis located.
    Note: A location string containing a space in the text must be enclosed in quotes as shown in the example below.

    Defaults
    Ifstringisnotspecified,thelocationnamewillbecleared.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtosetthesystemlocationstring:
    C2(su)->set system location Bldg N32-04 Closet 9

    3-26

    Basic Configuration

    set system contact

    set system contact


    Usethiscommandtoidentifyacontactpersonforthesystem.

    Syntax
    set system contact [string]

    Parameters
    string (Optional)Specifiesatextstringthatcontainsthenameofthepersonto contactforsystemadministration.
    Note: A contact string containing a space in the text must be enclosed in quotes as shown in the example below.

    Defaults
    Ifstringisnotspecified,thecontactnamewillbecleared.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtosetthesystemcontactstring:
    C2(su)->set system contact Joe Smith

    set width
    Usethiscommandtosetthenumberofcolumnsfortheterminalconnectedtotheswitchsconsole port.

    Syntax
    set width screenwidth [default]

    Parameters
    screenwidth default Setsthenumberofterminalcolumns.Validvaluesare50to150. (Optional)Makesthissettingpersistentforallfuturesessions(writtento NVRAM).

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    ThenumberofrowsofCLIoutputdisplayedissetusingthesetlengthcommandasdescribedin setlengthonpage328.

    SecureStack C2 Configuration Guide

    3-27

    set length

    Example
    Thisexampleshowshowtosettheterminalcolumnsto50:
    C2(su)->set width 50

    set length
    UsethiscommandtosetthenumberoflinestheCLIwilldisplay.Thiscommandispersistent (writtentoNVRAM).

    Syntax
    set length screenlength

    Parameters
    screenlength SetsthenumberoflinesintheCLIdisplay.Validvaluesare0,which disablesthescrollingscreenfeaturedescribedinDisplayingScrolling Screensonpage19,andfrom5to512.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtosettheterminallengthto50:
    C2(su)->set length 50

    show logout
    Usethiscommandtodisplaythetime(inseconds)anidleconsoleorTelnetCLIsessionwill remainconnectedbeforetimingout.

    Syntax
    show logout

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    3-28

    Basic Configuration

    set logout

    Example
    ThisexampleshowshowtodisplaytheCLIlogoutsetting:
    C2(su)->show logout Logout currently set to: 10 minutes.

    set logout
    Usethiscommandtosetthetime(inminutes)anidleconsoleorTelnetCLIsessionwillremain connectedbeforetimingout.

    Syntax
    set logout timeout

    Parameters
    timeout Setsthenumberofminutesthesystemwillremainidlebeforetimingout.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtosetthesystemtimeoutto10minutes:
    C2(su)->set logout 10

    show console
    Usethiscommandtodisplayconsolesettings.

    Syntax
    show console [baud] [bits] [flowcontrol] [parity] [stopbits]

    Parameters
    baud bits flowcontrol parity stopbits (Optional)Displaystheinput/outputbaudrate. (Optional)Displaysthenumberofbitspercharacter. (Optional)Displaysthetypeofflowcontrol. (Optional)Displaysthetypeofparity. (Optional)Displaysthenumberofstopbits.

    Defaults
    Ifnoparametersarespecified,allsettingswillbedisplayed.

    SecureStack C2 Configuration Guide

    3-29

    set console baud

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplayallconsolesettings:
    C2(su)->show console Baud Flow Bits ------ ------- ---9600 Disable 8 StopBits ---------1 Parity -----none

    set console baud


    Usethiscommandtosettheconsoleportbaudrate.

    Syntax
    set console baud rate

    Parameters
    rate Setstheconsolebaudrate.Validvaluesare:300,600,1200,2400,4800,5760, 9600,14400,19200,38400,and115200.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtosettheconsoleportbaudrateto19200:
    C2(su)->set console baud 19200

    Downloading a Firmware Image


    YoucanupgradetheoperationalfirmwareintheSecureStackC2switchwithoutphysically openingtheswitchorbeinginthesamelocation.Therearetwowaystodownloadfirmwaretothe switch: ViaTFTPdownload.ThisprocedureusesaTFTPserverconnectedtothenetworkand downloadsthefirmwareusingtheTFTPprotocol.FordetailsonhowtoperformaTFTP downloadusingthecopycommand,refertocopyonpage343.Forinformationonsetting TFTPtimeoutandretryparameters,refertosettftptimeoutonpage345andsettftp retryonpage346. Viatheserial(console)port.Thisprocedureisanoutofbandoperationthatcopiesthe firmwarethroughtheserialporttotheswitch.Itshouldbeusedincaseswhenyoucannot connecttheswitchtoperformtheinbandcopydownloadprocedureviaTFTP.Serialconsole downloadhasbeensuccessfullytestedwiththefollowingapplications: HyperTerminalCopyright1999

    3-30

    Basic Configuration

    Downloading a Firmware Image

    TeraTermProVersion2.3

    Anyotherterminalapplicationsmayworkbutarenotexplicitlysupported. TheC2switchallowsyoutodownloadandstoredualimages.Thebackupimagecanbe downloadedandselectedasthestartupimagebyusingthecommandsdescribedinthissection.

    Downloading from a TFTP Server


    ToperformaTFTPdownload,proceedasfollows: 1. 2. Ifyouhavenotalreadydoneso,settheswitchsIPaddressusingthesetipaddresscommand asdetailedinsetipaddressonpage311. Downloadanewimagefileusingthecopycommandasdetailedincopyonpage343.

    Downloading via the Serial Port


    Todownloadswitchfirmwareviatheserial(console)port,proceedasfollows: 1. Withtheconsoleportconnected,poweruptheswitch.Thefollowingmessagedisplays:
    Version 01.00.29 05-09-2005 Computing MD5 Checksum of operational code... Select an option. If no selection in 2 seconds then operational code will start. 1 - Start operational code. 2 - Start Boot Menu. Select (1, 2):2 Password: *************

    2.

    Beforethebootupcompletes,type2toselectStartBootMenu.Useadministratorfor thePassword.

    Note: The Boot Menu password administrator can be changed using boot menu option 11.

    Boot Menu Version 01.00.29 05-09-2005

    Options available 1 - Start operational code 2 - Change baud rate 3 - Retrieve event log using XMODEM (64KB). 4 - Load new operational code using XMODEM 5 - Display operational code vital product data 6 - Run Flash Diagnostics 7 - Update Boot Code 8 - Delete operational code 9 - Reset the system 10 - Restore Configuration to factory defaults (delete config files) 11 - Set new Boot Code password [Boot Menu] 2

    SecureStack C2 Configuration Guide

    3-31

    Downloading a Firmware Image

    3.

    Type2.Thefollowingbaudrateselectionscreendisplays:
    1 2 3 4 5 6 7 8 0 1200 2400 4800 9600 19200 38400 57600 115200 no change

    4.

    Type8tosettheswitchbaudrateto115200.Thefollowingmessagedisplays:
    Setting baud rate to 115200, you must change your terminal baud rate.

    5. 6.

    Settheterminalbaudrateto115200andpressENTER. Fromthebootmenuoptionsscreen,type4toloadnewoperationalcodeusingXMODEM. WhentheXMODEMtransferiscomplete,thefollowingmessageandheaderinformationwill display:


    [Boot Menu] 4 Ready to receive the file with XMODEM/CRC.... Ready to RECEIVE File xcode.bin in binary mode Send several Control-X characters to cCKCKCKCKCKCKCK XMODEM transfer complete, checking CRC.... Verified operational code CRC. The following Enterasys Header is in the image: MD5 Checksum....................fe967970996c4c8c43a10cd1cd7be99a Boot File Identifier............0x0517 Header Version..................0x0100 Image Type......................0x82 Image Offset....................0x004d Image length....................0x006053b3 Ident Strings Length............0x0028 Ident Strings................... C2G124-24 C2G124-48 C2H124-48 C2K124_24 Image Version Length............0x7 Image Version Bytes.............0x30 0x2e 0x35 0x2e 0x30 0x2e 0x34 (0.5.0.4)

    7. 8.

    Fromthebootmenuoptionsscreen,type2todisplaythebaudrateselectionscreenagain. Type4settheswitchbaudrateto9600.Thefollowingmessagedisplays:
    Setting baud rate to 9600, you must change your terminal baud rate.

    9.

    Settheterminalbaudrateto9600andpressENTER.

    10. Fromthebootmenuoptionsscreen,type1tostartthenewoperationalcode.Thefollowing messagedisplays:


    Operational Code Date: Tue Jun 29 08:34:05 2004 Uncompressing.....

    3-32

    Basic Configuration

    Reviewing and Selecting a Boot Firmware Image

    Reverting to a Previous Image


    Intheeventthatyouneedtodowngradetoapreviousversionofcode,youcandosoby completingthefollowingstepsasdescribedinthischapter.
    Caution: Before reverting to a previous image, always back up your configuration by saving it to a file (show config outfile on page 3-41). You can then copy the file to a remote location (copy on page 3-43).

    Note: You will not be able to peform these steps remotely unless you have remote console support.

    1. 2. 3.

    Saveyourrunningconfigurationwiththesaveconfigcommand. Makeacopyofthecurrentconfigurationwiththeshowconfigoutfileconfigs/filename command.Usethedircommandtoconfirmthatthefilewascreated. Ifdesired,copythefiletoaremoteTFTPserverwiththecopycommand: copytftp://configs/filename server_ipaddr/pathandfilename

    4. 5. 6. 7.

    Loadyourpreviousversionofcodeonthedevice,asdescribedinDownloadingaFirmware Image(page 330). Setthisolderversionofcodetobethebootcodewiththesetbootsystemcommand(page3 34).Whenthesystemasksifyouwanttoresetthedevice,specifyno(n). Reloadthesavedconfigurationontothedevicewiththeconfigurecommand,describedon page342. Rebootthesystemusingtheresetcommand(page348).


    Caution: If you do not follow the steps above, you may lose remote connectivity to the switch.

    Reviewing and Selecting a Boot Firmware Image


    Purpose
    Todisplayandsettheimagefiletheswitchloadsatstartup.TheC2switchallowsyouto downloadandstoreabackupimage,whichcanbeselectedasthestartupimagebyusingthe commandsdescribedinthissection.

    Commands
    For information about... show boot system set boot system Refer to page... 3-34 3-34

    SecureStack C2 Configuration Guide

    3-33

    show boot system

    show boot system


    Usethiscommandtodisplaythefirmwareimagetheswitchloadsatstartup.

    Syntax
    show boot system

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaytheswitchsbootfirmwareimage:
    C2(su)->show boot system Current system image to boot: bootfile

    set boot system


    Usethiscommandtosetthefirmwareimagetheswitchloadsatstartup.

    Syntax
    set boot system filename

    Parameters
    filename Specifiesthenameofthefirmwareimagefile.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Thiscommandallowsyoutosetthefirmwareimagetobeloadedatstartup.Youcanchooseto resetthesystemtousethenewfirmwareimageimmediately,oryoucanchoosetoonlyspecifythe newimagetobeloadedthenexttimetheswitchisrebooted. YoucanusethedircommandtodisplaytheActiveimageandtheBootimage,whichwillbe theimageloadedatthenextsystemreboot.
    Note: If you are changing the firmware image to a version earlier than the current version, refer to Reverting to a Previous Image on page 3-33 for the correct steps to follow.

    3-34

    Basic Configuration

    Starting and Configuring Telnet

    Example
    Thisexampleshowshowtosetthebootfirmwareimagefileandresetthesystem.
    C2(su)->set boot system c2_05.02.01.0005 This command requires resetting the entire system. Do you want to continue (y/n) [n]?y Checking firmware version Saving Configuration

    Thisexampleshowshowtosetthebootfirmwareimagefiletobeusedatthenextrebootofthe system,byansweringntotheprompt.ThedircommandisthenexecutedtodisplaytheActive andBootimages.


    C2(su)->set boot system c2_05.02.03.0007 This command can optionally reset the system to boot the new image. Do you want to reset now (y/n) [n]?n C2(su)->dir Images: ================================================================== Filename: c2_05.02.00.0026 (Active) Version: 05.02.00.0026 Size: 9405440 (bytes) Date: Fri Jul 18 12:48:35 2008 CheckSum: f1626ccf10d8f48cd6c3e79ab602342a Compatibility: <platform specific> Filename: c2_05.02.03.0007 (Boot) Version: 05.02.03.0007 Size: 8290304 (bytes) Date: Fri May 9 11:35:27 2008 CheckSum: 9f820d79239f10890442f8ff1f2bc914 Compatibility: <platform specific>

    Starting and Configuring Telnet


    Purpose
    ToenableordisableTelnet,andtostartaTelnetsessiontoaremotehost.TheSecureStackC2 switchallowsatotaloffourinboundand/oroutboundTelnetsessiontorunsimultaneously.

    Commands
    For information about... show telnet set telnet telnet Refer to page... 3-36 3-36 3-37

    SecureStack C2 Configuration Guide

    3-35

    show telnet

    show telnet
    UsethiscommandtodisplaythestatusofTelnetontheswitch.

    Syntax
    show telnet

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayTelnetstatus:
    C2(su)->show telnet Telnet inbound is currently: ENABLED Telnet outbound is currently: ENABLED

    set telnet
    UsethiscommandtoenableordisableTelnetontheswitch.

    Syntax
    set telnet {enable | disable} [inbound | outbound | all]

    Parameters
    enable|disable inbound| outbound|all EnablesordisablesTelnetservices. (Optional)Specifiesinboundservice(theabilitytoTelnettothisswitch), outboundservice(theabilitytoTelnettootherdevices),orall(both inboundandoutbound).

    Defaults
    Ifnotspecified,bothinboundandoutboundTelnetservicewillbeenabled.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtodisableinboundandoutboundTelnetservices:
    C2(su)->set telnet disable all Disconnect all telnet sessions and disable now (y/n)? [n]: y All telnet sessions have been terminated, telnet is now disabled.

    3-36

    Basic Configuration

    telnet

    telnet
    UsethiscommandtostartaTelnetconnectiontoaremotehost.TheSecureStackC2switchallows atotaloffourinboundand/oroutboundTelnetsessiontorunsimultaneously.

    Syntax
    telnet host [port]

    Parameters
    host port SpecifiesthenameorIPaddressoftheremotehost. (Optional)Specifiestheserverportnumber.

    Defaults
    Ifnotspecified,thedefaultportnumber23willbeused.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtostartaTelnetsessiontoahostat10.21.42.13:
    C2(su)->telnet 10.21.42.13

    Managing Switch Configuration and Files


    Configuration Persistence Mode
    Thedefaultstateofconfigurationpersistencemodeisauto,whichmeansthatwhenCLI configurationcommandsareentered,orwhenaconfigurationfilestoredontheswitchis executed,theconfigurationissavedtoNVRAMautomaticallyatthefollowingintervals: Onastandaloneunit,theconfigurationischeckedeverytwominutesandsavediftherehas beenachange. Onastack,theconfigurationissavedacrossthestackevery30minutesiftherehasbeena change.

    IfyouwanttosavearunningconfigurationtoNVRAMmoreoftenthantheautomaticintervals, executethesaveconfigcommandandwaitforthesystemprompttoreturn.Aftertheprompt returns,theconfigurationwillbepersistent. Youcanchangethepersistencemodefromautotomanualwiththesetsnmppersistmode command.Ifthepersistencemodeissettomanual,configurationcommandswillnotbe automaticallywrittentoNVRAM.Althoughtheconfigurationcommandswillactivelymodifythe runningconfiguration,theywillnotpersistacrossaresetunlessthesaveconfigcommandhas beenexecuted.


    Note: When your device is configured for manual SNMP persistence mode, and you attempt to change the boot system image, the device will not prompt you to save changes or warn you that changes will be lost.

    SecureStack C2 Configuration Guide

    3-37

    show snmp persistmode

    Purpose
    TosetandviewthepersistencemodeforCLIconfigurationcommands,manuallysavethe runningconfiguration,view,manage,andexecuteconfigurationfilesandimagefiles,andsetand viewTFTPparameters.

    Commands
    For information about... show snmp persistmode set snmp persistmode save config dir show file show config configure copy delete show tftp settings set tftp timeout clear tftp timeout set tftp retry clear tftp retry Refer to page... 3-38 3-39 3-39 3-40 3-41 3-41 3-42 3-43 3-44 3-44 3-45 3-45 3-46 3-46

    show snmp persistmode


    Usethiscommandtodisplaytheconfigurationpersistencemodesetting.

    Syntax
    show snmp persistmode

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Usage
    Bydefault,themodeissettoautosave,whichautomaticallysavesconfigurationchangesat specificintervals.Ifthemodeissettomanual,configurationcommandsareneverautomatically
    3-38 Basic Configuration

    set snmp persistmode

    saved.Inordertomakeconfigurationchangespersistentwhenthemodeismanual,thesave configcommandmustbeissuedasdescribedinConfigurationPersistenceModeonpage337.

    Example
    Thisexampleshowshowtodisplaytheconfigurationpersistencemodesetting.Inthiscase, persistencemodeissettomanual,whichmeansconfigurationchangesarenotbeing automaticallysaved.
    C2(su)->show snmp persistmode persistmode is manual

    set snmp persistmode


    Usethiscommandtosettheconfigurationpersistencemode,whichdetermineswhetheruser definedconfigurationchangesaresavedautomatically,orrequireissuingthesaveconfig command.SeeConfigurationPersistenceModeonpage337formoreinformation.

    Syntax
    set snmp persistmode {auto | manual}

    Parameters
    auto manual Setstheconfigurationpersistencemodetoautomatic.Thisisthedefault state. Setstheconfigurationpersistencemodetomanual.Inordertomake configurationchangespersistent,thesaveconfigcommandmustbe issuedasdescribedinsaveconfigonpage339.Thismodeisusefulfor revertingbacktooldconfigurations.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtosettheconfigurationpersistencemodetomanual:
    C2(su)->set snmp persistmode manual

    save config
    Usethiscommandtosavetherunningconfiguration.Ifapplicable,thiscommandwillsavethe configurationtoallswitchmembersinastack.

    Syntax
    save config

    Parameters
    None.

    SecureStack C2 Configuration Guide

    3-39

    dir

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtosavetherunningconfiguration:
    C2(su)->save config

    dir
    Usethiscommandtolistconfigurationandimagefilesstoredinthefilesystem.

    Syntax
    dir [filename]

    Parameters
    filename (Optional)Specifiesthefilenameordirectorytolist.

    Defaults
    Iffilenameisnotspecified,allfilesinthesystemwillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtolistalltheconfigurationandimagefilesinthesystem.Thedisplay indicateswhichimagefileistheActivefileandwhichimagefileistheBootfilethatwillbeused thenexttimethesystemreboots.
    C2(su)->dir Images: ================================================================== Filename: c2-series_05.02.00.0029 (Active) Version: 05.02.00.0029 Size: 9411584 (bytes) Date: Fri Aug 1 06:55:23 2008 CheckSum: 6126a7aadfdf05150afb6eca51982302 Compatibility: <platform specific> Filename: Version: Size: Date: CheckSum: Compatibility: c2-series_05.02.00.0030 (Boot) 05.02.00.0030 9411584 (bytes) Fri Aug 8 08:44:04 2008 627938b785fa7fdb8eed74672af1edcc <platform specific>

    Files: Size ================================ ======== configs:

    3-40

    Basic Configuration

    show file

    base_may base_apr base_july base_june logs: current.log

    22629 22629 20581 20581 2065

    show file
    Usethiscommandtodisplaythecontentsofafile.

    Syntax
    show file filename

    Parameters
    filename Specifiesthenameofthefiletodisplay.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplayatextfilenamedmypolicyintheconfigs/directory.Note thatonlyaportionofthefileisshowninthisexample.
    C2(rw)->show file configs/mypolicy 1 : 2 : 3 : #policy 4 : 5 : set policy profile 1 name "Check GUEST" pvid-status enable pvid 4095 untaggedvlans 1 6 : 7 : set policy profile 2 name "User LABORATORIES" pvid-status enable pvid 680 cosstatus enable cos 4 untagged-vlans 680 8 : 9 : set policy profile 3 name "Administrator" pvid-status enable pvid 4095 10 : 11 : set policy profile 4 name "Guest" pvid-status enable pvid 999 cos-status enable cos 3 untagged-vlans 999 12 : 13 : set policy port ge.1.1 4 14 : 15 : set policy port ge.1.2 4

    show config
    Usethiscommandtodisplaythesystemconfigurationorwritetheconfigurationtoafile.

    Syntax
    show config [all | facility] [outfile {configs/filename}]
    SecureStack C2 Configuration Guide 3-41

    configure

    Parameters
    all facility (Optional)Displaysdefaultandnondefaultconfigurationsettings. (Optional)Specifiestheexactnameofonefacilityforwhichtoshow configuration.Forexample,enterroutertoshowonlyrouter configuration. (Optional)Specifiesthatthecurrentconfigurationwillbewrittentoatext fileintheconfigs/directory. Specifiesafilenameintheconfigs/directorytodisplay.

    outfile configs/filename

    Defaults
    Bydefault,showconfigwilldisplayallnondefaultconfigurationinformationforallfacilities.

    Mode
    Switchcommand,readonly.

    Usage
    Theseparatefacilitiesthatcanbedisplayedbythiscommandareidentifiedinthedisplayofthe currentconfigurationbya#precedingthefacilityname.Forexample,#portindicatesthefacility nameport.

    Examples
    Thisexampleshowshowtowritethecurrentconfigurationtoafilenamedsave_config2:
    C2(rw)->show config all outfile configs/save_config2

    Thisexampleshowshowtodisplayconfigurationforthefacilityport.
    C2(rw)->show config port This command shows non-default configurations only. Use 'show config all' to show both default and non-default configurations. begin ! #***** NON-DEFAULT CONFIGURATION ***** ! ! #port set port jumbo disable ge.1.1 ! end

    configure
    Usethiscommandtoexecuteapreviouslydownloadedconfigurationfilestoredontheswitch.

    Syntax
    configure filename [append]

    3-42

    Basic Configuration

    copy

    Parameters
    filename append Specifiesthepathandfilenameoftheconfigurationfiletoexecute. (Optional)Appendstheconfigurationfilecontentstothecurrent configuration.Thisisequivalenttotypingthecontentsoftheconfigfile directlyintotheCLIandcanbeused,forexample,tomakeincremental adjustmentstothecurrentconfiguration.

    Defaults
    Ifappendisnotspecified,thecurrentrunningconfigurationwillbereplacedwiththecontentsof theconfigurationfile,whichwillrequireanautomatedresetofthechassis.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoexecutetheJan1_2004.cfgconfigurationfile:
    C2(su)->configure configs/Jan1_2004.cfg

    copy
    UsethiscommandtouploadordownloadanimageoraCLIconfigurationfile.

    Syntax
    copy source destination

    Parameters
    source destination Specifieslocationandnameofthesourcefiletocopy.Optionsarealocalfile pathintheconfigsdirectory,ortheURLofaTFTPserver. Specifieslocationandnameofthedestinationwherethefilewillbecopied. Optionsareaslotlocationandfilename,ortheURLofaTFTPserver.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Examples
    ThisexampleshowshowtodownloadanimageviaTFTP:
    C2(su)->copy tftp://10.1.192.34/version01000 system:image

    Thisexampleshowshowtodownloadaconfigurationfiletotheconfigsdirectory:
    C2(su)->copy tftp://10.1.192.1/Jan1_2004.cfg configs/Jan1_2004.cfg

    SecureStack C2 Configuration Guide

    3-43

    delete

    delete
    UsethiscommandtoremoveanimageoraCLIconfigurationfilefromtheswitch.

    Syntax
    delete filename

    Parameters
    filename Specifiesthelocalpathnametothefile.Validdirectoriesare/imagesand /configs.44.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Usethedircommand(page340)todisplaycurrentimageandconfigurationfilenames.

    Example
    ThisexampleshowshowtodeletetheJan1_2004.cfgconfigurationfile:
    C2(su)->delete configs/Jan1_2004.cfg

    show tftp settings


    UsethiscommandtodisplayTFTPsettingsusedbytheswitchduringdatatransfersusingTFTP.

    Syntax
    show tftp settings

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Usage
    TheTFTPtimeoutvaluecanbesetwiththesettftptimeoutcommand.TheTFTPretryvaluecan besetwiththesettftpretrycommand.

    3-44

    Basic Configuration

    set tftp timeout

    Example
    Thisexampleshowstheoutputofthiscommand.
    C2(ro)->show tftp settings TFTP packet timeout (seconds): 2 TFTP max retry: 5

    set tftp timeout


    UsethiscommandtoconfigurehowlongTFTPwillwaitforareplyofeitheranacknowledgement packetoradatapacketduringadatatransfer.

    Syntax
    set tftp timeout seconds

    Parameters
    seconds Specifiesthenumberofsecondstowaitforareply.Thevalidrangeis from1to30seconds.Defaultvalueis2seconds.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexamplesetsthetimeoutperiodto4seconds.
    C2(rw)->set tftp timeout 4

    clear tftp timeout


    UsethiscommandtoresettheTFTPtimeoutvaluetothedefaultvalueof2seconds.

    Syntax
    clear tftp timeout

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    3-45

    set tftp retry

    Example
    Thisexampleshowshowtoclearthetimeoutvaluetothedefaultof2seconds.
    C2(rw)-> clear tftp timeout

    set tftp retry


    UsethiscommandtoconfigurehowmanytimesTFTPwillresendapacket,eitheran acknowledgementpacketoradatapacket.

    Syntax
    set tftp retry retry

    Parameters
    retry Specifiesthenumberoftimesapacketwillberesent.Thevalidrangeis from1to1000.Defaultvalueis5retries.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexamplesetstheretrycountto3.
    C2(rw)->set tftp retry 3

    clear tftp retry


    UsethiscommandtoresettheTFTPretryvaluetothedefaultvalueof5retries.

    Syntax
    clear tftp retry

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtocleartheretryvaluetothedefaultof5retries.
    C2(rw)-> clear tftp retry

    3-46

    Basic Configuration

    Clearing and Closing the CLI

    Clearing and Closing the CLI


    Purpose
    TocleartheCLIscreenortocloseyourCLIsession.

    Commands
    For information about... cls exit Refer to page... 3-47 3-47

    cls (clear screen)


    UsethiscommandtoclearthescreenforthecurrentCLIsession.

    Syntax
    cls

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtocleartheCLIscreen:
    C2(su)->cls

    exit
    UseeitherofthesecommandstoleaveaCLIsession.

    Syntax
    exit

    Parameters
    None.

    Defaults
    None.

    SecureStack C2 Configuration Guide

    3-47

    Resetting the Switch

    Mode
    Switchcommand,readonly.

    Usage
    Bydefault,switchtimeoutoccursafter15minutesofuserinactivity,automaticallyclosingyour CLIsession.Usethesetlogoutcommand(page329)tochangethisdefault.

    Example
    ThisexampleshowshowtoexitaCLIsession:
    C2(su)->exit

    Resetting the Switch


    Purpose
    Toresetoneormoreswitches,andtocleartheuserdefinedconfigurationparameters.

    Commands
    For information about... reset clear config Refer to page... 3-48 3-49

    reset
    Usethiscommandtoresettheswitchwithoutlosinganyuserdefinedconfigurationsettings.

    Syntax
    reset [unit]

    Parameters
    unit (Optional)Specifiesaunittobereset.

    Defaults
    IfnounitIDisspecified,theentiresystemwillbereset.

    Mode
    Switchcommand,readwrite.

    Usage
    ASecureStackC2switchcanalsoberesetwiththeRESETbuttonlocatedonitsfrontpanel.For informationonhowtodothis,refertotheSecureStackC2InstallationGuideshippedwithyour switch.

    3-48

    Basic Configuration

    clear config

    Examples
    Thisexampleshowshowtoresetthesystem:
    C2(su)->reset Are you sure you want to reload the stack? (y/n) y Saving Configuration to stacking members Reloading all switches.

    Thisexampleshowshowtoresetunit1:
    C2(su)->reset 1 Are you sure you want to reload the switch? (y/n) y Reloading switch 1. This switch is manager of the stack. STACK: detach 3 units

    clear config
    Usethiscommandtocleartheuserdefinedconfigurationparameters.

    Syntax
    clear config [all]

    Parameters
    all (Optional)Clearsuserdefinedconfigurationparameters(andstackunit numbersandpriorities,ifapplicable).

    Defaults
    Ifallisnotspecified,stackingconfigurationparameterswillnotbecleared.

    Mode
    Switchcommand,readwrite.

    Usage
    Whenusingtheclearconfigcommandtoclearconfigurationparametersinastack,itisimportant torememberthefollowing: UseclearconfigtoclearconfigurationparameterswithoutclearingstackunitIDs.This commandWILLNOTclearstackparametersandavoidstheprocessofrenumberingthe stack. Useclearconfigallwhenitisnecessarytoclearallconfigurationparameters,includingstack unitIDs(ifapplicable)andswitchpriorityvalues. UsetheclearipaddresscommandtocleartheIPaddress.

    Configurationparametersandstackinginformationcanalsobeclearedonthemasterunitonlyby selectingoption10(restoreconfigurationtofactorydefaults)fromthebootmenuonswitch startup.Thisselectionwillleavestackingprioritiesonallotherunits,ifapplicable.

    SecureStack C2 Configuration Guide

    3-49

    Using and Configuring WebView

    Example
    Thisexampleshowshowtoclearconfigurationparameters(includingstackingparameters,if applicable):
    C2(su)->clear config all

    Using and Configuring WebView


    Purpose
    Bydefault,WebView(TheEnterasysNetworksembeddedwebserverforswitchconfiguration andmanagementtasks)isenabledonTCPportnumber80ontheSecureStackC2switch.Youcan verifyWebViewstatus,andenableordisableWebViewusingthecommandsdescribedinthis section.WebViewcanalsobesecurelyusedoverSSLport443,ifSSLisenabledontheswitch.By default,SSLisdisabled. TouseWebView,typetheIPaddressoftheswitchinyourbrowser.TouseWebViewoverSSL, typeinhttps://thentheIPaddressoftheswitch.Forexample,https://172.16.2.10.

    Commands
    For information about... show webview set webview show ssl set ssl Refer to page... 3-50 3-51 3-51 3-52

    show webview
    UsethiscommandtodisplayWebViewstatus.

    Syntax
    show webview

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    3-50

    Basic Configuration

    set webview

    Example
    ThisexampleshowshowtodisplayWebViewstatus:
    C2(rw)->show webview WebView is Enabled.

    set webview
    UsethiscommandtoenableordisableWebViewontheswitch.

    Syntax
    set webview {enable | disable}

    Parameters
    enable|disable EnableordisableWebViewontheswitch.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    ItisgoodpracticeforsecurityreasonstodisableHTTPaccessontheswitchwhenfinished configuringwithWebView,andthentoonlyenableWebViewontheswitchwhenchangesneedto bemade.

    Example
    ThisexampleshowshowtodisableWebViewontheswitch:
    C2(rw)->set webview disable

    show ssl
    UsethiscommandtodisplaySSLstatus.

    Syntax
    show ssl

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    SecureStack C2 Configuration Guide

    3-51

    set ssl

    Example
    ThisexampleshowshowtodisplaySSLstatus:
    C2(rw)->show ssl SSL status: Enabled

    set ssl
    UsethiscommandtoenableordisabletheuseofWebViewoverSSLport443.Bydefault,SSLis disabledontheswitch.Thiscommandcanalsobeusedtoreinitializethehostkeythatisusedfor encryption.

    Syntax
    set ssl {enabled | disabled | reinitialize | hostkey reinitialize}

    Parameters
    enabled|disabled reinitialize hostkeyreinitialize EnableordisabletheabilitytouseWebViewoverSSL. StopsandthenrestartstheSSLprocess. StopsSSL,regeneratesnewkeys,andthenrestartsSSL.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoenableSSL:
    C2(rw)->set ssl enabled

    Gathering Technical Support Information


    Purpose
    Togathercommontechnicalsupportinformation.

    Command
    For information about... show support Refer to page... 3-53

    3-52

    Basic Configuration

    show support

    show support
    Usethiscommandtodisplayswitchinformationfortroubleshooting.

    Syntax
    show support

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Usage
    Thiscommandinitiatesanumberofshowcommandstoeasilygatherbasicinformationfroman installeddevice.Tousethiscommand,setyourconsoletocapturetheoutputtoafilefirst,before executingthecommand,sincetheoutputisextensive. Outputfromthefollowingcommandsisgatheredbythiscommand: showversion showloggingbuffer showportstatus showsystemutilizationprocess showsystemutilizationstorage showconfig

    Example
    Thereisnodisplayexamplebecausetheoutputofthiscommandisquitelengthy.

    SecureStack C2 Configuration Guide

    3-53

    show support

    3-54

    Basic Configuration

    4
    Activating Licensed Features
    Inordertoenableadvancedfeatures,suchasadvancedroutingprotocols,youmustpurchaseand activatealicensekey.Ifyouhavepurchasedalicense,youcanproceedtoactivateyourlicenseas describedinthissection.Ifyouwishtopurchasealicense,contacttheEnterasysNetworksSales Department.

    Purpose
    Toactivateandverifylicensedfeatures.

    Commands
    For information about... license advanced show license no license advanced Refer to page... 4-1 4-2 4-2

    license advanced
    Whenanadvancedlicenseisavailable,usethiscommandtoactivatelicensedfeatures.Ifthisis availableonyourSecureStackC2switch,auniquelicensekeywilldisplayintheshowlicense commandoutput.

    Syntax
    license advanced activation-key

    Parameters
    activationkey Specifiesyourunique16digithexadecimaladvancedlicensingkey.
    Note: When available, the licensing key will display at the top of the show runningconfig command output. .

    Defaults
    None.

    Mode
    Globalconfiguration:router(Config)#
    SecureStack C2 Configuration Guide 4-1

    show license

    Example
    Thisexampleshowshowtouselicensekeyabcdefg123456789toactivateadvancedrouting features:
    C2(su)->router# configure Enter configuration commands: C2(su)->router(Config)# license advanced abcdefg123456789

    show license
    Whenavailableandactivated,usethiscommandtodisplayyourlicensekey.

    Syntax
    show license

    Parameters
    None.

    Defaults
    None.

    Mode
    PrivilegedEXEC:router#

    Example
    Thisexampleshowshowtodisplayyourlicensekeyinformation:
    C2(su)->router# show license license advanced abcdefg123456789

    no license advanced
    Usethiscommandtoremovethelicensekey.

    Syntax
    no license advanced

    Parameters
    None.

    Defaults
    None.

    Mode
    Globalconfiguration:router(Config)#

    Example
    Thisexampleshowshowtoremoveanadvancedlicensekey:

    4-2

    Activating Licensed Features

    no license advanced

    C2(su)->router# configure Enter configuration commands: C2(su)->router(Config)# no license advanced

    SecureStack C2 Configuration Guide

    4-3

    no license advanced

    4-4

    Activating Licensed Features

    5
    Configuring System Power and PoE
    Important Notice
    The commands in this section apply only to PoE-equipped devices. Consult the Installation Guide for your product to determine if it is PoE-equipped.

    ThecommandsinthischapterallowyoutoreviewandsetsystempowerandPoE(Powerover Ethernet)parameters,includingthepoweravailabletothesystem,theusagethresholdforeach module,whetherornotSNMPtrapmessageswillbesentwhenpowerstatuschanges,andper portPoEsettings.

    Commands
    For information about... show inlinepower set inlinepower threshold set inlinepower trap set inlinepower detectionmode show port inlinepower set port inlinepower Refer to page... 5-1 5-2 5-3 5-3 5-4 5-5

    show inlinepower
    Usethiscommandtodisplaysystempowerproperties.

    Syntax
    show inlinepower

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    SecureStack C2 Configuration Guide

    5-1

    set inlinepower threshold

    Example
    Thisexampleshowshowtodisplaysystempowerproperties:
    C2(su)->show inlinepower Detection Mode : auto Unit ---1 Status -----auto Power(W) -------480 Consumption(W) -------------0.00 Usage(%) -------0.00 Threshold(%) -----------80 Trap ---enable

    Table 51providesanexplanationofthecommandoutput. Table 5-1


    Output Detection Mode Unit Status Power (W) Consumption (W) Usage (%) Threshold (%) Trap

    show inlinepower Output Details


    What It Displays... Displays the PD detection mode used by the switch. The detection mode can be configured with the command set inlinepower detectionmode (page 5-3). Number of PoE-capable module. Whether the PoE administrative state is off (disabled) or auto (on). This state is not configurable. Units available power wattage. Units power wattage consumed. Units percentage of total system PoE power usage. Units alloted percentage of total PoE power available in the system. The threshold can be configured with the command set inlinepower threshold (page 5-2). Whether PoE trap messaging is enabled or disabled on this unit. Trap messaging can be configured with the command set inlinepower trap (page 5-3).

    set inlinepower threshold


    Usethiscommandtosetthepowerusagethresholdonaspecifiedunitormodule.

    Syntax
    set inlinepower threshold usage-threshold module-number

    Parameters
    usagethreshold modulenumber Specifiesapowerthresholdasapercentageofavailablesystempower. Validvaluesare11to100. Specifiesthemoduleorunitonwhichtosetthepowerthreshold.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    5-2

    Configuring System Power and PoE

    set inlinepower trap

    Usage
    ThethresholdisexpressedasapercentageoftheavailablePoEpower.Whenthisthresholdis reached,atrapwillbesentiftrapsareenabledwiththesetinlinepowertrapcommand.

    Example
    Thisexampleshowshowtosetthepowerthresholdto90onmodule/unit1:
    C2(su)->set inlinepower threshold 90 1

    set inlinepower trap


    UsethiscommandtoenableordisablethesendingofanSNMPtrapmessageforaunitormodule wheneverthestatusofitsportschanges,orwhenevertheunitspowerusagethresholdiscrossed.

    Syntax
    set inlinepower trap {disable | enable} module-number

    Parameters
    disable|enable modulenumber Disablesorenablesinlinepowertrapmessaging. Specifiesthemoduleorunitonwhichtodisableorenabletrapmessaging.

    Defaults
    Sendingoftrapsisdisabledbydefault.

    Mode
    Switchcommand,readwrite.

    Usage
    Themodulesorunitspowerusagethresholdmustbesetusingthesetinlinepowerthreshold commandasdescribedonpage52.

    Example
    Thisexampleshowshowtoenableinlinepowertrapmessagingonmodule1:
    C2(su)->set inlinepower trap enable 1

    set inlinepower detectionmode


    UsethiscommandtospecifythemethodtheswitchwillusetodetectPDs(powereddevices) connectedtoitsports.

    Syntax
    set inlinepower detectionmode {auto | ieee)

    SecureStack C2 Configuration Guide

    5-3

    show port inlinepower

    Parameters
    auto Specifiesthattheswitchwillusethestandard802.3afdetectionmethod first.Ifthatfails,thentheswtichwillusethelegacy(pre802.3af standard)capacitancemethodofdetection. Specifiesthattheswitchwillonlythestandard802.3afdetection method.

    ieee

    Defaults
    Defaultdetectionmodeisauto.

    Mode
    Switchcommand,readwrite.

    Usage
    ThiscommandisusedtospecifyhowtheswitchshoulddetectPDsconnectedtoitsports.ThePoE hardwareintheswitchescanusetheIEEEstandard802.3af(resistorbased)methodora proprietarymethodusingcapacitordetection. Ifautoisconfigured,theswitchwillfirstusetheIEEEresistorbaseddetectionmethod,andifthat fails,theswitchwillusethecapacitorbaseddetectionmethod.Ifieeeisconfigured,onlytheIEEE resistorbaseddetectionmethodwillbeused.

    Example
    ThisexamplesetstheswitchsPDdetectionmodetoIEEEstandard802.3afonly. C2(su)->set inlinepower detectionmode ieee

    show port inlinepower


    UsethiscommandtodisplayallportssupportingPoE.

    Syntax
    show port inlinepower [port-string]

    Parameters
    portstring (Optional)DisplaysinformationforspecificPoEport(s).

    Defaults
    Ifnotspecified,informationforallPoEportswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayPoEinformationforportge.2.1.Inthiscase,theports administrativestate,PoEpriorityandclasshavenotbeenchangedfromdefaultvalues:

    5-4

    Configuring System Power and PoE

    set port inlinepower

    C2(su)->show port inlinepower ge.2.1 Port ---ge.2.1 Type ---wireless Admin ----auto Oper ---searching Priority -------low Class ----0 Power(W) -------15.4

    set port inlinepower


    UsethiscommandtoconfigurePoEparametersononeormoreports.

    Syntax
    set port inlinepower port-string {[admin {off | auto}] [priority {critical | high | low}] [type type]}

    Parameters
    portstring adminoff|auto prioritycritical| high|low typetype Specifiestheport(s)onwhichtoconfigurePoE. SetsthePoEadministrativestatetooff(disabled)orauto(on). Setstheport(s)priorityforthePoEallocationalgorithmtocritical (highest),highorlow. Specifiesastringdescribingthetypeofdeviceconnectedtoaport.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoenablePoEonportge.3.1withcriticalpriority:
    C2(su)->set port inlinepower ge.3.1 admin auto priority critical

    SecureStack C2 Configuration Guide

    5-5

    set port inlinepower

    5-6

    Configuring System Power and PoE

    6
    Discovery Protocol Configuration
    Thischapterdescribeshowtoconfigurediscoveryprotocols.
    For information about... Configuring CDP Configuring Cisco Discovery Protocol Configuring Link Layer Discovery Protocol and LLDP-MED Refer to page... 6-1 6-7 6-13

    Configuring CDP
    Purpose
    ToreviewandconfiguretheEnterasysCDPdiscoveryprotocol.Thisprotocolisusedtodiscover networktopology.Whenenabled,thisprotocolallowsEnterasysdevicestosendperiodicPDUs aboutthemselvestoneighboringdevices.

    Commands
    ThecommandsusedtoreviewandconfiguretheCDPdiscoveryprotocolarelistedbelow.
    For information about... show cdp set cdp state set cdp auth set cdp interval set cdp hold-time clear cdp show neighbors Refer to page... 6-2 6-3 6-4 6-4 6-5 6-5 6-6

    SecureStack C2 Configuration Guide

    6-1

    show cdp

    show cdp
    UsethiscommandtodisplaythestatusoftheCDPdiscoveryprotocolandmessageintervalon oneormoreports.

    Syntax
    show cdp [port-string]

    Parameters
    portstring (Optional)DisplaysCDPstatusforaspecificport.Foradetaileddescription ofpossibleportstringvalues,refertoPort String Syntax Used in the CLIon page72.

    Defaults
    Ifportstringisnotspecified,allCDPinformationwillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayCDPinformationforportsge.1.1throughge.1.9:
    C2(su)->show cdp ge.1.1-9 CDP Global Status CDP Version Supported CDP Hold Time CDP Authentication Code CDP Transmit Frequency Port Status ----------------ge.1.1 auto-enable ge.1.2 auto-enable ge.1.3 auto-enable ge.1.4 auto-enable ge.1.5 auto-enable ge.1.6 auto-enable ge.1.7 auto-enable ge.1.8 auto-enable ge.1.9 auto-enable :auto-enable :30 hex :180 :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 hex :60

    Table 61providesanexplanationofthecommandoutput. Table 6-1 show cdp Output Details


    What It Displays... Whether CDP is globally auto-enabled, enabled or disabled. The default state of auto-enabled can be reset with the set cdp state command. For details, refer to set cdp state on page 6-3. CDP version number(s) supported by the switch. Minimum time interval (in seconds) at which CDP configuration messages can be set. The default of 180 seconds can be reset with the set cdp hold-time command. For details, refer to set cdp hold-time on page 6-5.

    Output Field CDP Global Status

    CDP Versions Supported CDP Hold Time

    6-2

    Discovery Protocol Configuration

    set cdp state

    Table 6-1

    show cdp Output Details (Continued)


    What It Displays... Authentication code for CDP discovery protocol. The default of 00-00-00-00-00-0000-00 can be reset using the set cdp auth command. For details, refer to set cdp auth on page 6-4. Frequency (in seconds) at which CDP messages can be transmitted. The default of 60 seconds can be reset with the set cdp interval command. For details, refer to set cdp interval on page 6-4. Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 7-2. Whether CDP is enabled, disabled or auto-enabled on the port.

    Output Field CDP Authentication Code CDP Transmit Frequency Port Status

    set cdp state


    UsethiscommandtoenableordisabletheCDPdiscoveryprotocolononeormoreports.

    Syntax
    set cdp state {auto | disable | enable} [port-string]

    Parameters
    auto|disable| enable portstring Autoenables,disablesorenablestheCDPprotocolonthespecifiedport(s). Inautoenablemode,whichisthedefaultmodeforallports,aport automaticallybecomesCDPenableduponreceivingitsfirstCDPmessage. (Optional)EnablesordisablesCDPonspecificport(s).Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage72.

    Defaults
    Ifportstringisnotspecified,theCDPstatewillbegloballyset.

    Mode
    Switchcommand,readwrite.

    Examples
    ThisexampleshowshowtogloballyenableCDP:
    C2(su)->set cdp state enable

    ThisexampleshowshowtoenabletheCDPforportge.1.2:
    C2(su)->set cdp state enable ge.1.2

    ThisexampleshowshowtodisabletheCDPforportge.1.2:
    C2(su)->set cdp state disable ge.1.2

    SecureStack C2 Configuration Guide

    6-3

    set cdp auth

    set cdp auth


    UsethiscommandtosetaglobalCDPauthenticationcode.

    Syntax
    set cdp auth auth-code

    Parameters
    authcode SpecifiesanauthenticationcodefortheCDPprotocol.Thiscanbeupto16 hexadecimalvaluesseparatedbycommas.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    TheauthenticationcodevaluedeterminesaswitchsCDPdomain.Iftwoormoreswitcheshave thesameCDPauthenticationcode,theywillbeenteredintoeachothersCDPneighbortables.If theyhavedifferentauthenticationcodes,theyareindifferentdomainsandwillnotbeentered intoeachothersCDPneighbortables. Aswitchwiththedefaultauthenticationcode(16nullcharacters)willrecognizeallswitches,no matterwhattheirauthenticationcode,andenterthemintoitsCDPneighbortable.

    Example
    ThisexampleshowshowtosettheCDPauthenticationcodeto1,2,3,4,5,6,7,8:
    C2(su)->set cdp auth 1,2,3,4,5,6,7,8:

    set cdp interval


    Usethiscommandtosetthemessageintervalfrequency(inseconds)oftheCDPdiscovery protocol.

    Syntax
    set cdp interval frequency

    Parameters
    frequency SpecifiesthetransmitfrequencyofCDPmessagesinseconds.Validvalues arefrom5to900seconds.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    6-4

    Discovery Protocol Configuration

    set cdp hold-time

    Example
    ThisexampleshowshowtosettheCDPintervalfrequencyto15seconds:
    C2(su)->set cdp interval 15

    set cdp hold-time


    UsethiscommandtosettheholdtimevalueforCDPdiscoveryprotocolconfigurationmessages.

    Syntax
    set cdp hold-time hold-time

    Parameters
    holdtime SpecifiestheholdtimevalueforCDPmessagesinseconds.Validvaluesare from15to600.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetCDPholdtimeto60seconds:
    C2(su)->set cdp hold-time 60

    clear cdp
    UsethiscommandtoresetCDPdiscoveryprotocolsettingstodefaults.

    Syntax
    clear cdp {[state] [port-state port-string] [interval] [hold-time] [auth-code]}

    Parameters
    state portstateportstring interval holdtime authcode (Optional)ResetstheglobalCDPstatetoautoenabled. (Optional)Resetstheportstateonspecificport(s)toautoenabled. (Optional)Resetsthemessagefrequencyintervalto60seconds. (Optional)Resetstheholdtimevalueto180seconds. (Optional)Resetstheauthenticationcodeto16bytesof00(000000 0000000000).

    Defaults
    Atleastoneoptionalparametermustbeentered.

    SecureStack C2 Configuration Guide

    6-5

    show neighbors

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoresettheCDPstatetoautoenabled:
    C2(su)->clear cdp state

    show neighbors
    ThiscommanddisplaysNeighborDiscoveryinformationforeithertheCDPorCiscoDP protocols.

    Syntax
    show neighbors [port-string]

    Parameters
    portstring (Optional)SpecifiestheportorportsforwhichtodisplayNeighbor Discoveryinformation.

    Defaults
    Ifnoportisspecified,allNeighborDiscoveryinformationisdisplayed.

    Mode
    Switchcommand,readonly.

    Usage
    ThiscommanddisplaysinformationdiscoveredbyboththeCDPandtheCiscoDPprotocols.

    Example
    ThisexampledisplaysNeighborDiscoveryinformationforallports.
    C2(su)->show neighbors Port Device ID Port ID Type Network Address -----------------------------------------------------------------------------ge.1.1 00036b8b1587 12.227.1.176 ciscodp 12.227.1.176 ge.1.6 0001f496126f 140.2.3.1 ciscodp 140.2.3.1 ge.1.6 00-01-f4-00-72-fe 140.2.4.102 cdp 140.2.4.102 ge.1.6 00-01-f4-00-70-8a 140.2.4.104 cdp 140.2.4.104 ge.1.6 00-01-f4-c5-f7-20 140.2.4.101 cdp 140.2.4.101 ge.1.6 00-01-f4-89-4f-ae 140.2.4.105 cdp 140.2.4.105 ge.1.6 00-01-f4-5f-1f-c0 140.2.1.11 cdp 140.2.1.11 ge.1.19 0001f400732e 165.32.100.10 ciscodp 165.32.100.10

    6-6

    Discovery Protocol Configuration

    Configuring Cisco Discovery Protocol

    Configuring Cisco Discovery Protocol


    Purpose
    ToreviewandconfiguretheCiscodiscoveryprotocol.Discoveryprotocolsareusedtodiscover networktopology.Whenenabled,theyallowCiscodevicestosendperiodicPDUsabout themselvestoneighboringdevices.Specifically,thisfeatureenablesrecognizingPDUsfromCisco phones.Atableofinformationaboutdetectedphonesiskeptbytheswitchandcanbequeriedby thenetworkadministrator.

    Commands
    ThecommandsusedtoreviewandconfiguretheCiscodiscoveryprotocolarelistedbelow.Refer alsotoshowneighborsonpage66.
    For information about... show ciscodp show ciscodp port info set ciscodp status set ciscodp timer set ciscodp holdtime set ciscodp port clear ciscodp Refer to page... 6-7 6-8 6-9 6-9 6-10 6-10 6-12

    show ciscodp
    UsethiscommandtodisplayglobalCiscodiscoveryprotocolinformation.

    Syntax
    show ciscodp

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayglobalCiscoDPinformation.
    C2(su)->show ciscodp CiscoDP :Enabled Timer :5 Holdtime (TTl): 180
    SecureStack C2 Configuration Guide 6-7

    show ciscodp port info

    Device ID : 001188554A60 Last Change : WED NOV 08 13:19:56 2006

    Table 62providesanexplanationofthecommandoutput. Table 6-2 show ciscodp Output Details


    What It Displays... Whether Cisco DP is globally enabled or disabled. Auto indicates that Cisco DP will be globally enabled only if Cisco DP PDUs are received. Default setting of auto-enabled can be reset with the set ciscodp status command. Timer Holdtime The number of seconds between Cisco discovery protocol PDU transmissions. The default of 60 seconds can be reset with the set ciscodp timer command. Number of seconds neighboring devices will hold PDU transmissions from the sending device. Default value of 180 can be changed with the set ciscodp holdtime command. The MAC address of the switch. The time that the last Cisco DP neighbor was discovered.

    Output Field CiscoDP

    Device ID Last Change

    show ciscodp port info


    UsethiscommandtodisplaysummaryinformationabouttheCiscodiscoveryprotocolononeor moreports.

    Syntax
    show ciscodp port info [port-string]

    Parameters
    portstring (Optional)DisplaysCiscoDPinformationforaspecificport.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage72.

    Defaults
    Ifportstringisnotspecified,CiscoDPinformationforallportswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayCiscoDPinformationforGigabitEthernetport1inslot1.
    C2(su)->show ciscodp port info ge.1.1 port state vvid trusted cos ---------------------------------------------ge.1.1 enable none yes 0

    Table 63providesanexplanationofthecommandoutput.

    6-8

    Discovery Protocol Configuration

    set ciscodp status

    Table 6-3

    show ciscodp port info Output Details


    What It Displays... Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 7-2. Whether Cisco DP is enabled, disabled or auto-enabled on the port. Default state of enabled can be changed using the set ciscodp port command. Whether a voice VLAN ID has been set on this port. Default of none can be changed using the set ciscodp port command. The trust mode of the port. Default of trusted can be changed using the set ciscodp port command. The Class of Service priority value for untrusted traffic. The default of 0 can be changed using the set ciscodp port command.

    Output Field Port State vvid trusted cos

    set ciscodp status


    UsethiscommandtoenableordisabletheCiscodiscoveryprotocolgloballyontheswitch.

    Syntax
    set ciscodp state {auto | disable | enable}

    Parameters
    auto disable enable GloballyenableonlyifCiscoDPPDUsarereceived. GloballydisableCiscodiscoveryprotocol. GloballyenableCiscodiscoveryprotocol.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtogloballyenableCiscoDP:
    C2(su)->set ciscodp state enable

    set ciscodp timer


    UsethiscommandtosetthenumberofsecondsbetweenCiscodiscoveryprotocolPDU transmissions.

    Syntax
    set ciscodp timer seconds

    SecureStack C2 Configuration Guide

    6-9

    set ciscodp holdtime

    Parameters
    seconds SpecifiesthenumberofsecondsbetweenCiscoDPPDUtransmissions. Validvaluesarefrom5to254seconds.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosettheCiscoDPtimerto120seconds.
    C2(su)->set ciscodp timer 120

    set ciscodp holdtime


    Usethiscommandtosetthetimetolive(TTL)forCiscodiscoveryprotocolPDUs.Thisisthe amountoftime,inseconds,neighboringdeviceswillholdPDUtransmissionsfromthesending device.

    Syntax
    set ciscodp holdtime hold-time

    Parameters
    holdtime SpecifiesthetimetoliveforCiscoDPPDUs.Validvaluesarefrom10to255 seconds.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetCiscoDPholdtimeto180seconds:
    C2(su)->set ciscodp hold-time 180

    set ciscodp port


    Usethiscommandtosetthestatus,voiceVLAN,extendedtrustmode,andCoSpriorityfor untrustedtrafficfortheCiscoDiscoveryProtocolononeormoreports.

    Syntax
    set ciscodp port {[status {disable | enable}] [vvid {vlan-id | none | dot1p | untagged}] [trusted {yes | no}] [cos value]} port-string

    6-10

    Discovery Protocol Configuration

    set ciscodp port

    Parameters
    status disable enable vvid vlanid none dot1p untagged trusted yes SetstheCiscoDPportoperationalstatus. DoesnottransmitorprocessCiscoDPPDUs. TransmitsandprocessesCiscoDPPDUs. SetstheportvoiceVLANforCiscoDPPDUtransmission. SpecifiestheVLANID,range14094. NovoiceVLANwillbeusedinCiscoDPPDUs.Thisisthedefault. Instructsattachedphonetosend802.1ptaggedframes. Instructsattachedphonetosenduntaggedframes. Setstheextendedtrustmodeontheport. Instructsattachedphonetoallowthedeviceconnectedtoittotransmit trafficcontaininganyCoSorLayer2802.1pmarking.Thisisthedefault value. Instructsattachedphonetooverwritethe802.1ptagoftraffic transmittedbythedeviceconnectedtoitto0,bydefault,ortothevalue configuredwiththecosparameter. Instructsattachedphonetooverwritethe802.1ptagoftraffic transmittedbythedeviceconnectedtoitwiththespecifiedvalue,when thetrustmodeoftheportissettountrusted.Valuecanrangefrom0to 7,with0indicatingthelowestpriority. Specifiestheport(s)onwhichstatuswillbeset.

    no

    cosvalue

    portstring

    Defaults
    Status:enabled VoiceVLAN:none Trustmode:trusted CoSvalue:0

    Mode
    Switchmode,readwrite.

    Usage
    ThefollowingpointsdescribehowtheCiscoDPextendedtrustsettingsworkontheswitch. ACiscoDPporttruststatusoftrustedoruntrustedisonlymeaningfulwhenaCiscoIPphone isconnectedtoaswitchportandaPCorotherdeviceisconnectedtothebackoftheCiscoIP phone. ACiscoDPportstateoftrustedoruntrustedonlyaffectstaggedtraffictransmittedbythe deviceconnectedtotheCiscoIPphone.Untaggedtraffictransmittedbythedeviceconnected totheCiscoIPphoneisunaffectedbythissetting. IftheswitchportisconfiguredtoaCiscoDPtruststateoftrusted(withthetrustedyes parameterofthiscommand),thissettingiscommunicatedtotheCiscoIPphoneinstructingit toallowthedeviceconnectedtoittotransmittrafficcontaininganyCoSorLayer2802.1p marking.

    SecureStack C2 Configuration Guide

    6-11

    clear ciscodp

    IftheswitchportisconfiguredtoaCiscoDPtruststateofuntrusted(trustedno),thissetting iscommunicatedtotheCiscoIPphoneinstructingittooverwritethe802.1ptagoftraffic transmittedbythedeviceconnectedtoitto0,bydefault,ortothevaluespecifiedbythecos parameterofthiscommand. Thereisaonetoonecorrelationbetweenthevaluesetwiththecosparameterandthe802.1p valueassignedtoingressedtrafficbytheCiscoIPphone.Avalueof0equatestoan802.1p priorityof0.Therefore,avalueof7isgiventhehighestpriority.


    Note: The Cisco Discovery Protocol must be globally enabled using the set ciscodp status command before operational status can be set on individual ports.

    Examples
    ThisexampleshowshowtosettheCiscoDPportvoiceVLANIDto3onportge.1.6andenable theportoperationalstate.
    C2(rw)->set ciscodp port status enable vvid 3 ge.1.6

    ThisexampleshowshowtosettheCiscoDPextendedtrustmodetountrustedonportge.1.5and settheCoSpriorityto1.
    C2(rw)->set ciscodp port trusted no cos 1 ge.1.5

    clear ciscodp
    UsethiscommandtocleartheCiscodiscoveryprotocolbacktothedefaultvalues.

    Syntax
    clear ciscodp [status | timer | holdtime | {port {status | vvid | trust | cos} [port-string]}]

    Parameters
    status timer holdtime port status vvid trust cos portstring ClearsglobalCiscoDPenablestatustodefaultofauto. ClearsthetimebetweenCiscoDPPDUtransmissionstodefaultof60 seconds. ClearsthetimetoliveforCiscoDPPDUdatatodefaultof180seconds. ClearstheCiscoDPportconfiguration. Clearstheindividualportoperationalstatustothedefaultofenabled. ClearstheindividualportvoiceVLANforCiscoDPPDUtransmission to0. Clearsthetrustmodeconfigurationoftheporttotrusted. ClearstheCoSpriorityforuntrustedtrafficoftheportto0. (Optional)Specifiestheport(s)onwhichstatuswillbeset.

    Defaults
    Ifnoparametersareentered,allCiscoDPparametersareresettothedefaultsgloballyandforall ports.

    Mode
    Switchmode,readwrite.
    6-12 Discovery Protocol Configuration

    Configuring Link Layer Discovery Protocol and LLDP-MED

    Examples
    ThisexampleshowshowtoclearalltheCiscoDPparametersbacktothedefaultsettings.
    C2(rw)->clear ciscodp

    ThisexampleshowshowtocleartheCiscoDPstatusonportge.1.5.
    C2(rw)->clear ciscodp port status ge.1.5

    Configuring Link Layer Discovery Protocol and LLDP-MED


    Overview
    TheLinkLayerDiscoveryProtocol(LLPD)providesanindustrystandard,vendorneutralwayto allownetworkdevicestoadvertisetheiridentitiesandcapabilitiesonalocalareanetwork,andto discoverthatinformationabouttheirneighbors. LLDPMEDisanenhancementtoLLDPthatprovidesthefollowingbenefits: ExtendedandautomatedpowermanagementofPoweroverEthernetendpoints Inventorymanagement,allowingnetworkadministratorstotracktheirnetworkdevicesand todeterminetheircharacteristics,suchasmanufacturer,softwareandhardwareversions,and serialorassetnumbers

    TheinformationsentbyanLLDPenableddeviceisextractedandtabulatedbyitspeers.The communicationcanbedonewheninformationchangesoronaperiodicbasis.Theinformation tabulatedisagedtoensurethatitiskeptuptodate.Portscanbeconfiguredtosendthis information,receivethisinformation,orbothsendandreceive. EitherLLDPorLLDPMED,butnotboth,canbeusedonaninterfacebetweentwodevices.A switchportusesLLDPMEDwhenitdetectsthatanLLDPMEDcapabledeviceisconnectedtoit. LLDPinformationiscontainedwithinaLinkLayerDiscoveryProtocolDataUnit(LLDPDU)sent inasingle802.3Ethernetframe.TheinformationfieldsinLLDPDUareasequenceofshort, variablelength,informationelementsknownasTLVstype,length,andvaluefieldswhere: Typeidentifieswhatkindofinformationisbeingsent Lengthindicatesthelengthoftheinformationstringinoctets Valueistheactualinformationthatneedstobesent

    TheLLDPstandardspecifiesthatcertainTLVsaremandatoryintransmittedLLDPDUs,while othersareoptional.YoucanconfigureonaportspecificbasiswhichoptionalLLDPandLLDP MEDTLVsshouldbesentinLLDPDUs.

    Purpose
    ToreviewandconfigureLLPDandLLPDMED.

    Commands
    ThecommandsusedtoreviewandconfiguretheCDPdiscoveryprotocolarelistedbelow.
    For information about... show lldp Refer to page... 6-14

    SecureStack C2 Configuration Guide

    6-13

    show lldp

    For information about... show lldp port status show lldp port trap show lldp port tx-tlv show lldp port location-info show lldp port local-info show lldp port remote-info set lldp tx-interval set lldp hold-multiplier set lldp trap-interval set lldp med-fast-repeat set lldp port status set lldp port trap set lldp port med-trap set lldp port tx-tlv clear lldp clear lldp port status clear lldp port trap clear lldp port med-trap clear lldp port tx-tlv

    Refer to page... 6-15 6-16 6-16 6-17 6-18 6-20 6-22 6-22 6-23 6-23 6-24 6-24 6-25 6-25 6-27 6-27 6-28 6-28 6-29

    Configuration Tasks
    Thecommandsincludedinthisimplementationallowyoutoperformthefollowingconfiguration tasks:
    Step 1. Task Configure global system LLDP parameters Command(s) set lldp tx-interval set lldp hold-multiplier set lldp trap-interval set lldp med-fast-repeat clear lldp 2. Enable/disable specific ports to: Transmit and process received LLDPDUs Send LLDP traps Send LLDP-MED traps set/clear lldp port status set/clear lldp port trap set/clear lldp port med-trap

    show lldp
    UsethiscommandtodisplayLLDPconfigurationinformation.

    6-14

    Discovery Protocol Configuration

    show lldp port status

    Syntax
    show lldp

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayLLDPconfigurationinformation.
    C2(ro)->show lldp Message Tx Interval Message Tx Hold Multiplier Notification Tx Interval MED Fast Start Count Tx-Enabled Ports Rx-Enabled Ports Trap-Enabled Ports MED Trap-Enabled Ports : : : : 30 4 5 3

    : ge.1.1-60; ge.2.1-24; ge.3.1-30; ge.4.1-12; : ge.1.1-60; ge.2.1-24; ge.3.1-30; ge.4.1-12; : ge.1.1-60; ge.2.1-24; ge.3.1-30; ge.4.1-12; : ge.1.1-60; ge.2.1-24; ge.3.1-30; ge.4.1-12;

    show lldp port status


    UsethiscommandtodisplaytheLLDPstatusofoneormoreports.Thecommandliststheports thatareenabledtosendandreceiveLLDPPDUs.Portsareenabledordisabledwiththesetlldp portstatuscommand.

    Syntax
    show lldp port status [port-string]

    Parameters
    portstring (Optional)DisplaysLLDPstatusforoneorarangeofports.

    Defaults
    Ifportstringisnotspecified,LLDPstatusinformationwillbedisplayedforallports.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayLLDPportstatusinformationforallports.
    C2(ro)->show lldp port status

    SecureStack C2 Configuration Guide

    6-15

    show lldp port trap

    Tx-Enabled Ports Rx-Enabled Ports

    : ge.1.1-60; ge.2.1-24; ge.3.1-30; ge.4.1-12 : ge.1.1-60; ge.2.1-24; ge.3.1-30; ge.4.1-12

    show lldp port trap


    UsethiscommandtodisplaytheportsthatareenabledtosendanLLDPnotificationwhena remotesystemchangehasbeendetectedoranLLDPMEDnotificationwhenachangeinthe topologyhasbeensensed.PortsareenabledtosendLLDPnotificationswiththesetlldpporttrap commandandtosendLLDPMEDnotificationswiththesetlldpportmedtrapcommand.

    Syntax
    show lldp port trap [port-string]

    Parameters
    portstring (Optional)Displaystheportorrangeofportsthathavebeenenabled tosendLLDPand/orLLDPMEDnotifications.

    Defaults
    Ifportstringisnotspecified,LLDPporttrapinformationwillbedisplayedforallports.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayLLDPporttrapinformationforallports.
    C2(ro)->show lldp port trap Trap-Enabled Ports : MED Trap-Enabled Ports:

    show lldp port tx-tlv


    UsethiscommandtodisplayinformationaboutwhichoptionalTLVshavebeenconfiguredtobe transmittedonports.PortsareconfiguredtosendoptionalTLVswiththesetlldpporttxtlv command.

    Syntax
    showlldpporttxtlv[portstring]

    Parameters
    portstring (Optional)DisplaysinformationaboutTLVconfigurationforoneora rangeofports.

    Defaults
    Ifportstringisnotspecified,TLVconfigurationinformationwillbedisplayedforallports.

    6-16

    Discovery Protocol Configuration

    show lldp port location-info

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaytransmitTLVinformationforthreeports.
    C2(ro)->show lldp port tx-tlv ge.1.1-3 * Means TLV is supported and enabled on this port o Means TLV is supported on this port Means TLV is not supported on this port Column Pro Id uses letter notation for enable: s-stp, l-lacp, g-gvrp Ports ------ge.1.1 ge.1.2 ge.1.3 Port Desc ---* * * Sys Name ---* * * Sys Desc ---* * * Sys Cap --* * * Mgmt Addr ---* * * Vlan Id ---* * * Pro Id ---slg slg slg MAC PoE Link Max PHY Aggr Frame --- --- ---- ---* * * * * * * * * MED MED MED MED Cap Pol Loc PoE --- --- --- --* * * *

    show lldp port location-info


    Usethiscommandtodisplayconfiguredlocationinformationforoneormoreports.

    Syntax
    show lldp port location-info [port-string]

    Parameters
    portstring (Optional)Displaysportlocationinformationforoneorarangeof ports.

    Defaults
    Ifportstringisnotspecified,portlocationconfigurationinformationwillbedisplayedforall ports.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplayportlocationinformationforthreeports.
    C2(ro)->show lldp port location-info ge.1.1-3 Ports -------ge.1.1 ge.1.2 ge.1.3 Type ------------ELIN ELIN ELIN Location ------------------------1234567890 1234567890 1234567890

    SecureStack C2 Configuration Guide

    6-17

    show lldp port local-info

    show lldp port local-info


    Usethiscommandtodisplaythelocalsysteminformationstoredforoneormoreports.Youcan usethisinformationtodetectmisconfigurationsorincompatibilitiesbetweenthelocalportand theattachedendpointdevice(remoteport).

    Syntax
    show lldp port local-info [port-string]

    Parameters
    portstring (Optional)Displayslocalsysteminformationforoneorarangeof ports.

    Defaults
    Ifportstringisnotspecified,localsysteminformationwillbedisplayedforallports.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaythelocalsysteminformationstoredforportge.4.1.Table 64 describestheoutputfieldsofthiscommand.
    C2(rw)->show lldp port local-info ge.4.1 Local Port : ge.4.1 Local Port Id: ge.4.1 -------------------Port Desc : ... 1000BASE-TX RJ45 Gigabit Ethernet Frontpanel Port Mgmt Addr : 10.21.64.100 Chassis ID : 00-E0-63-93-74-A5 Sys Name : LLDP PoE test Chassis Sys Desc : Enterasys Networks, Inc. Sys Cap Supported/Enabled : bridge,router/bridge Auto-Neg Supported/Enabled Auto-Neg Advertised : yes/yes : 10BASE-T, 10BASE-TFD, 100BASE-TX, 100BASE-TXFD, 1000BASE-TFD, Bpause Operational Speed/Duplex/Type : 100 full tx Max Frame Size (bytes) : 1522 Vlan Id : 1 LAG Supported/Enabled/Id : no/no/0 Protocol Id : Spanning Tree v-3 (IEEE802.1s) LACP v-1 GVRP PoE PoE PoE PoE PoE PoE PoE Device Power Source MDI Supported/Enabled Pair Controllable/Used Power Class Power Limit (mW) Power Priority : : : : : : : PSE device primary yes/yes false/spare 2 15400 high

    6-18

    Discovery Protocol Configuration

    show lldp port local-info

    Table 64describestheinformationdisplayedbytheshowlldpportlocalinfocommand. Table 6-4 show lldp port local-info Output Details
    What it Displays... Identifies the port for which local system information is displayed. Mandatory basic LLDP TLV that identifies the port transmitting the LLDPDU. Value is ifName object defined in RFC 2863. Optional basic LLDP TLV. Value is ifDescr object defined in RFC 2863. Optional basic LLDP TLV. IPv4 address of host interface. Mandatory basic LLDP TLV that identifies the chassis transmitting the LLDPDU. Value is MAC address of chassis. Optional basic LLDP TLV. Value is the administratively assigned name for the system. Optional basic LLDP TLV. Value is sysDescr object defined in RFC 3418. Optional basic LLDP TLV. System capabilities, value can be bridge and/or router. IEEE 802.3 Extensions MAC-PHY Configuration/Status TLV. Autonegotiation supported and enabled settings should be the same on the two systems attached to the same link. IEEE 802.3 Extensions MAC-PHY Configuration/Status TLV. Lists the configured advertised values on the port. IEEE 802.3 Extensions MAC-PHY Configuration/Status TLV. Lists the operational MAU type, duplex, and speed of the port. If the received TLV indicates that auto-negotiation is supported but not enabled, these values will be used by the port. IEEE 802.3 Extensions Maximum Frame Size TLV. Value indicates maximum frame size capability of the devices MAC and PHY. In normal mode, max frame size is 1522 bytes. In jumbo mode, max frame size is 10239 bytes. IEEE 802.1 Extensions Port VLAN ID TLV. Value is port VLAN ID (pvid). IEEE 802.3 Extensions Link Aggregation TLV. Values indicate whether the link associated with this port can be aggregated, whether it is currently aggregated, and if aggregated, the aggregated port identifier. IEEE 802.1 Extensions Protocol Identity TLV. Values can include Spanning tree, LACP, and GARP protocols and versions. Only those protocols enabled on the port are displayed. LLDP-MED Extensions Location Identification TLV. Emergency Call Services (ECS) Emergency Location Identification Number (ELIN) is currently the only type supported. Value is the ELIN configured on this port. LLDP-MED Extensions Extended Power via MDI TLV. Displayed only when a port has PoE capabilities. Value is the Power Type of the device. On a switch port, the value is Power Sourcing Entity (PSE). LLDP-MED Extensions Extended Power via MDI TLV. Displayed only when a port has PoE capabilities. Value can be primary or backup, indicating whether the PSE is using its primary or backup power source. IEEE 802.3 Extensions Power via MDI TLV. Displayed only when a port has PoE capabilities. Indicates whether sending the Power via MDI TLV is supported/enabled. Value can be yes or no.

    Output Field Local Port Local Port Id Port Desc Mgmt Addr Chassis ID Sys Name Sys Desc Sys Cap Supported/Enabled Auto-Neg Supported/Enabled

    Auto-Neg Advertised Operational Speed/Duplex/ Type

    Max Frame Size (bytes)

    Vlan Id LAG Supported/Enabled/Id

    Protocol Id

    ECS ELIN

    PoE Device

    PoE Power Source

    PoE MDI Supported/Enabled

    SecureStack C2 Configuration Guide

    6-19

    show lldp port remote-info

    Table 6-4

    show lldp port local-info Output Details (Continued)


    What it Displays... IEEE 802.3 Extensions Power via MDI TLV. Displayed only when a port has PoE capabilities. Indicates whether pair selection can be controlled on the given port (refer to RFC 3621). Value for Controllable can be true or false. Value of Used can be signal (signal pairs only are in use) or spare (spare pairs only are in use). IEEE 802.3 Extensions Power via MDI TLV. Displayed only when a port has PoE capabilities. Indicates the power class supplied by the port. Value can range from 0 to 4. LLDP-MED Extensions Extended Power via MDI TLV. Displayed only when a port has PoE capabilities. Indicates the total power the port is capable of sourcing over a maximum length cable, based on its current configuration, in milli-Watts. LLDP-MED Extensions Extended Power via MDI TLV. Displayed only when a port has PoE capabilities. Indicates the power priority configured on the port. Value can be critical, high, or low.

    Output Field PoE Pair Controllable/Used

    PoE Power Class

    PoE Power Limit (mW)

    PoE Power Priority

    show lldp port remote-info


    Usethiscommandtodisplaytheremotesysteminformationstoredforaremotedeviceconnected toalocalport.Youcanusethisinformationtodetectmisconfigurationsorincompatibilities betweenthelocalportandtheattachedendpointdevice(remoteport).

    Syntax
    show lldp port remote-info [port-string]

    Parameters
    portstring (Optional)Displaysremotesysteminformationforoneorarangeof ports.

    Defaults
    Ifportstringisnotspecified,remotesysteminformationwillbedisplayedforallports.

    Mode
    Switchcommand,readonly.

    6-20

    Discovery Protocol Configuration

    show lldp port remote-info

    Example
    Thisexampleshowshowtodisplaytheremotesysteminformationstoredforportge.3.1.The remotesysteminformationwasreceivedfromanIPphone,whichisanLLDPMEDenabled device.Table 65describestheoutputfieldsthatareuniquetotheremotesysteminformation displayedforaMEDenableddevice.
    C2(ro)->show lldp port remote-info ge.3.1 Local Port : ge.3.1 Remote Port Id : 00-09-6e-0e-14-3d --------------------Mgmt Addr : 0.0.0.0 Chassis ID : 0.0.0.0 Device Type : Communication Device Endpoint (class III) Sys Name : AVE0E143D Sys Cap Supported/Enabled : bridge,telephone/bridge Auto-Neg Supported/Enabled Auto-Neg Advertised : : : : yes/yes 10BASE-T, 10BASE-TFD 100BASE-TX, 100BASE-TXFD pause, Spause

    Operational Speed/Duplex/Type : 100/full/TX Hardware Revision Firmware Revision Software Revision Serial Number Manufacturer Model Number : : : : : : 4610D01A b10d01b2_7.bin a10d01b2_7.bin 05GM42004348 Avaya 4610

    Notethattheinformationfieldsdisplayedbytheshowlldpportremoteinfocommandwillvary, dependingonthetypeofremotedevicethatisconnectedtotheport. Table 65describestheoutputfieldsthatareuniquetotheremotesysteminformationdatabase. RefertoTable 64onpage 19fordescriptionsoftheinformationfieldsthatarecommontoboththe localandtheremotesysteminformationdatabases. Table 6-5 show lldp port remote-info Output Display
    What it Displays... Displays whatever port Id information received in the LLDPDU from the remote device. In this case, the port Id is MAC address of remote device. Mandatory LLDP-MED Capabilities TLV. Displayed only when the port is connected to an LLDP-MED-capable endpoint device. LLDP-MED Extensions Inventory Management TLV component. LLDP-MED Extensions Inventory Management TLV component. LLDP-MED Extensions Inventory Management TLV component. LLDP-MED Extensions Inventory Management TLV component. LLDP-MED Extensions Inventory Management TLV component. LLDP-MED Extensions Inventory Management TLV component. LLDP-MED Extensions Inventory Management TLV component. In the above example, no asset ID was received from the remote device so the field is not displayed.

    Output Field Remote Port Id Device Type Hardware Revision Firmware Revision Software Revision Serial Number Manufacturer Model Number Asset ID

    SecureStack C2 Configuration Guide

    6-21

    set lldp tx-interval

    set lldp tx-interval


    Usethiscommandtosetthetime,inseconds,betweensuccessiveLLDPframetransmissions initiatedbychangesintheLLDPlocalsysteminformation.

    Syntax
    set lldp tx-interval frequency

    Parameters
    frequency SpecifiesthenumberofsecondsbetweentransmissionsofLLDP frames.Valuecanrangefrom5to32,768seconds.Thedefaultis30 seconds.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexamplesetsthetransmitintervalto20seconds.
    C2(rw)->set lldp tx-interval 20

    set lldp hold-multiplier


    UsethiscommandtosetthetimetolivevalueusedinLLDPframessentbythisdevice.Thetime toliveforLLDPDUdataiscalculatedbymultiplyingthetransmitintervalbytheholdmultiplier value.

    Syntax
    set lldp hold-multiplier multiplier-val

    Parameters
    multiplierval Specifiesthemultipliertoapplytothetransmitintervaltodetermine thetimetolivevalue.Valuecanrangefrom2to10.Defaultvalueis4.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexamplesetsthetransmitintervalto20secondsandtheholdmultiplierto5,whichwill configureatimetoliveof100tobeusedintheTTLfieldintheLLDPDUheader.
    C2(rw)->set lldp tx-interval 20 C2(rw)->set lldp hold-multiplier 5
    6-22 Discovery Protocol Configuration

    set lldp trap-interval

    set lldp trap-interval


    UsethiscommandtosettheminimumintervalbetweenLLDPnotificationssentbythisdevice. LLDPnotificationsaresentwhenaremotesystemchangehasbeendetected.

    Syntax
    set lldp trap-interval frequency

    Parameters
    frequency SpecifiestheminimumtimebetweenLLDPtraptransmissions,in seconds.Thevaluecanrangefrom5to3600seconds.Thedefault valueis5seconds.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexamplesetstheminimumintervalbetweenLLDPtrapsto10seconds.
    C2(rw)->set lldp trap-interval 10

    set lldp med-fast-repeat


    NetworkconnectivitydevicestransmitonlyLLDPTLVsinLLDPDUsuntiltheydetectthatan LLDPMEDendpointdevicehasconnectedtoaport.Atthatpoint,thenetworkconnectivity devicestartssendingLLDPMEDTLVsatafaststartrateonthatport.Usethiscommandtosetthe numberofsuccessiveLLDPDUs(withLLDPMEDTLVs)tobesentforonecompletefaststart interval.

    Syntax
    set lldp med-fast-repeat count

    Parameters
    count SpecifiesthenumberoffaststartLLDPDUstobesentwhenan LLDPMEDendpointdeviceisdetected.Valuecanrangefrom1to 10.Defaultis3.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    6-23

    set lldp port status

    Example
    ThisexamplesetsthenumberoffaststartLLDPDUstobesentto4.
    C2(rw)->set lldp med-fast-repeat 4

    set lldp port status


    UsethiscommandtoenableordisabletransmittingandprocessingreceivedLLDPDUsonaport orrangeofports.

    Syntax
    set lldp port status {tx-enable | rx-enable | both | disable} port-string

    Parameters
    txenable rxenable both disable portstring EnablestransmittingLLDPDUsonthespecifiedports. EnablesreceivingandprocessingLLDPDUsfromremotesystemson thespecifiedports. EnablesbothtransmittingandprocessingreceivedLLDPDUsonthe specifiedports. DisablesbothtransmittingandprocessingreceivedLLDPDUsonthe specifiedports. Specifiestheportorrangeofportstobeaffected.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleenablesbothtransmittingLLDPDUsandreceivingandprocessingLLDPDUsfrom remotesystemsonportsge.1.1throughge.1.6.
    C2(rw)->set lldp port status both ge.1.1-6

    set lldp port trap


    UsethiscommandtoenableordisablesendingLLDPnotifications(traps)whenaremotesystem changeisdetected.

    Syntax
    set lldp port trap {enable | disable} port-string

    Parameters
    enable disable portstring
    6-24 Discovery Protocol Configuration

    EnabletransmittingLLDPtrapsonthespecifiedports. DisabletransmittingLLDPtrapsonthespecifiedports. Specifiestheportorrangeofportstobeaffected.

    set lldp port med-trap

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleenablestransmittingLLDPtrapsonportsge.1.1throughge.1.6.
    C2(rw)->set lldp port trap enable ge.1.1-6

    set lldp port med-trap


    UsethiscommandtoenableordisablesendinganLLDPMEDnotificationwhenachangeinthe topologyhasbeensensedontheport(thatis,aremoteendpointdevicehasbeenattachedor removedfromtheport).

    Syntax
    set lldp port med-trap {enable | disable} port-string

    Parameters
    enable disable portstring EnablestransmittingLLDPMEDtrapsonthespecifiedports. DisablestransmittingLLDPMEDtrapsonthespecifiedports. Specifiestheportorrangeofportstobeaffected.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleenablestransmittingLLDPMEDtrapsonportsge.1.1throughge.1.6.
    C2(rw)->set lldp port med-trap enable ge.1.1-6

    set lldp port tx-tlv


    UsethiscommandtoselecttheoptionalLLDPandLLDPMEDTLVstobetransmittedin LLDPDUsbythespecifiedportorports.Usetheshowlldpportlocalinfocommandtodisplay thevaluesoftheseTLVsfortheport.

    Syntax
    set lldp port tx-tlv {[all] | [port-desc] [sys-name] [sys-desc] [sys-cap] [mgmtaddr] [vlan-id] [stp] [lacp] [gvrp] [mac-phy] [poe] [link-aggr] [max-frame] [medcap] [med-loc] [med-poe]} port-string

    SecureStack C2 Configuration Guide

    6-25

    set lldp port tx-tlv

    Parameters
    all portdesc sysname sysdesc syscap mgmtaddr vlanid stp AddsalloptionalTLVstotransmittedLLDPDUs. PortDescriptionoptionalbasicLLDPTLV.ValuesentisifDescrobject definedinRFC2863. SystemNameoptionalbasicLLDPTLV.Valuesentisthe administrativelyassignednameforthesystem. SystemDescriptionoptionalbasicLLDPTLV.ValuesentissysDescr objectdefinedinRFC3418. SystemCapabilitiesoptionalbasicLLDPTLV.Foranetwork connectivitydevice,valuesentcanbebridgeand/orrouter. ManagementAddressoptionalbasicLLDPTLV.ValuesentisIPv4 addressofhostinterface. PortVLANIDIEEE802.1ExtensionsTLV.ValuesentisportVLAN ID(PVID). SpanningTreeinformationdefinedbyProtocolIdentityIEEE802.1 ExtensionsTLV.IfSTPisenabledontheport,valuesentincludes versionofprotocolbeingused. LACPinformationdefinedbyProtocolIdentityIEEE802.1 ExtensionsTLV.IfLACPisenabledontheport,valuesentincludes versionofprotocolbeingused. GVRPinformationdefinedbyProtocolIdentityIEEE802.1 ExtensionsTLV.IfLACPisenabledontheport,valuesentincludes versionofprotocolbeingused. MACPHYConfiguration/StatusIEEE802.3ExtensionsTLV.Value sentincludestheoperationalMAUtype,duplex,andspeedofthe port. PowerviaMDIIEEE802.3ExtensionsTLV.Valuessentinclude whetherpairselectioncanbecontrolledonport,andthepowerclass suppliedbytheport.OnlyvalidforPoEenabledports. LinkAggregationIEEE802.3ExtensionsTLV.Valuessentindicate whetherthelinkassociatedwiththisportcanbeaggregated, whetheritiscurrentlyaggregated,andifaggregated,theaggregated portidentifier. MaximumFrameSizeIEEE802.3ExtensionsTLV.Valuesent indicatesmaximumframesizeoftheportsMACandPHY. LLDPMEDCapabilitiesTLV.Valuesentindicatesthecapabilities (whetherthedevicesupportslocationinformation,extendedpower viaMDI)andDeviceType(networkconnectivitydevice)ofthe sendingdevice. LLDPMEDLocationIdentificationTLV.ValuesentistheECSELIN valueconfiguredontheport. LLDPMEDExtendedPowerviaMDITLV.Valuessentincludethe PowerLimit(totalpowertheportiscapableofsourcingovera maximumlengthcable)andthepowerpriorityconfiguredonthe port.OnlyvalidforPoEenabledports. Specifiestheportorrangeofportstobeaffected.

    lacp

    gvrp

    macphy

    poe

    linkaggr

    maxframe medcap

    medloc medpoe

    portstring

    6-26

    Discovery Protocol Configuration

    clear lldp

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleconfiguresthemanagementaddress,MEDcapability,andMEDlocation identificationTLVstobesentinLLDPDUsbyportge.1.1.
    C2(rw)->set lldp port tx-tlv mgmt-addr med-cap med-loc ge.1.1

    clear lldp
    UsethiscommandtoreturnLLDPparameterstotheirdefaultvalues.

    Syntax
    clear lldp {all | tx-interval | hold-multiplier | trap-interval | med-fast-repeat}

    Parameters
    all txinterval holdmultiplier trapinterval medfastrepeat ReturnsallLLDPconfigurationparameterstotheirdefaultvalues, includingportLLDPconfigurationparameters. ReturnsthenumberofsecondsbetweentransmissionsofLLDP frames.tothedefaultof30seconds. Returnsthemultipliertoapplytothetransmitintervaltodetermine thetimetolivevaluetothedefaultvalueof4. ReturnstheminimumtimebetweenLLSPtraptransmissionstothe defaultvalueof5seconds. ReturnsthenumberoffaststartLLDPDUstobesentwhenanLLDP MEDendpointdeviceisdetectedtothedefaultof3.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexamplereturnsthetransmitintervaltothedefaultvalueof30seconds.
    C2(rw)->clear lldp tx-interval

    clear lldp port status


    Usethiscommandtoreturntheportstatustothedefaultvalueofboth(bothtransmittingand processingreceivedLLDPDUsareenabled).

    SecureStack C2 Configuration Guide

    6-27

    clear lldp port trap

    Syntax
    clear lldp port status port-string

    Parameters
    portstring Specifiestheportorrangeofportstobeaffected.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexamplereturnsportge.1.1tothedefaultstateofenabledforbothtransmittingand processingreceivedLLDPDUs.
    C2(rw)->clear lldp port status ge.1.1

    clear lldp port trap


    UsethiscommandtoreturntheportLLDPtrapsettingtothedefaultvalueofdisabled.

    Syntax
    clear lldp port trap port-string

    Parameters
    portstring Specifiestheportorrangeofportstobeaffected.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexamplereturnsportge.1.1tothedefaultLLDPtrapstateofdisabled.
    C2(rw)->clear lldp port trap ge.1.1

    clear lldp port med-trap


    UsethiscommandtoreturntheportLLDPMEDtrapsettingtothedefaultvalueofdisabled.

    Syntax
    clear lldp port med-trap port-string

    6-28

    Discovery Protocol Configuration

    clear lldp port tx-tlv

    Parameters
    portstring Specifiestheportorrangeofportstobeaffected.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexamplereturnsportge.1.1tothedefaultLLDPMEDtrapstateofdisabled.
    C2(rw)->clear lldp port med-trap ge.1.1

    clear lldp port tx-tlv


    UsethiscommandtocleartheoptionalLLDPandLLDPMEDTLVstobetransmittedin LLDPDUsbythespecifiedportorportstothedefaultvalueofdisabled.

    Syntax
    clear lldp port tx-tlv {[all] | [port-desc] [sys-name] [sys-desc] [sys-cap] [mgmtaddr] [vlan-id] [stp] [lacp] [gvrp] [mac-phy] [poe] [link-aggr] [max-frame] [medcap] [med-loc] [med-poe]} port-string

    Parameters
    all portdesc sysname sysdesc syscap mgmtaddr vlanid stp lacp gvrp macphy DisablesalloptionalTLVsfrombeingtransmittedinLLDPDUs. DisablesthePortDescriptionoptionalbasicLLDPTLVfrombeing transmittedinLLDPDUs. DisablestheSystemNameoptionalbasicLLDPTLVfrombeing transmittedinLLDPDUs. DisablestheSystemDescriptionoptionalbasicLLDPTLVfrombeing transmittedinLLDPDUs. DisablestheSystemCapabilitiesoptionalbasicLLDPTLVfrom beingtransmittedinLLDPDUs. DisablestheManagementAddressoptionalbasicLLDPTLVfrom beingtransmittedinLLDPDUs. DisablesthePortVLANIDIEEE802.1ExtensionsTLVfrombeing transmittedinLLDPDUs. DisablestheSpanningTreeinformationdefinedbyProtocolIdentity IEEE802.1ExtensionsTLVfrombeingtransmittedinLLDPDUs. DisablestheLACPinformationdefinedbyProtocolIdentityIEEE 802.1ExtensionsTLVfrombeingtransmittedinLLDPDUs. DisablestheGVRPinformationdefinedbyProtocolIdentityIEEE 802.1ExtensionsTLVfrombeingtransmittedinLLDPDUs. DisablestheMACPHYConfiguration/StatusIEEE802.3Extensions TLVfrombeingtransmittedinLLDPDUs.

    SecureStack C2 Configuration Guide

    6-29

    clear lldp port tx-tlv

    poe linkaggr maxframe medcap medloc medpoe portstring

    DisablesthePowerviaMDIIEEE802.3ExtensionsTLVfrombeing transmittedinLLDPDUs.OnlyvalidforPoEenabledports. DisablestheLinkAggregationIEEE802.3ExtensionsTLVfrombeing transmittedinLLDPDUs. DisablestheMaximumFrameSizeIEEE802.3ExtensionsTLVfrom beingtransmittedinLLDPDUs. DisablestheLLDPMEDCapabilitiesTLVfrombeingtransmittedin LLDPDUs. DisablestheLLDPMEDLocationIdentificationTLVfrombeing transmittedinLLDPDUs. DisablestheLLDPMEDExtendedPowerviaMDITLVfrombeing transmittedinLLDPDUs.OnlyvalidforPoEenabledports. Specifiestheportorrangeofportstobeaffected.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampledisablesthemanagementaddress,MEDcapability,andMEDlocationidentification TLVsfrombeingsentinLLDPDUsbyportge.1.1.
    C2(rw)->clear lldp port tx-tlv mgmt-addr med-cap med-loc ge.1.1

    6-30

    Discovery Protocol Configuration

    Port Configuration
    ThischapterdescribesthePortConfigurationsetofcommandsandhowtousethem.
    For information about... Port Configuration Summary Reviewing Port Status Disabling / Enabling and Naming Ports Setting Speed and Duplex Mode Enabling / Disabling Jumbo Frame Support Setting Auto-Negotiation and Advertised Ability Setting Flow Control Setting Port Link Traps and Link Flap Detection Configuring Broadcast Suppression Port Mirroring Link Aggregation Control Protocol (LACP) Configuring Protected Ports Refer to page... 7-1 7-3 7-6 7-10 7-13 7-15 7-19 7-21 7-30 7-33 7-38 7-52

    Port Configuration Summary


    C2H124-48 and C2H124-48P Switch Ports
    TheC2H12448stackabledevicesprovidethefollowingtypesoffrontpanelconnections: FortyeightfixedRJ4510/100MbpscopperFastEthernetports FourSFPslotsthatprovidetheoptionofinstallingSmallFormPluggable(SFP)MiniGBICs for1000BASETcompliantcopperconnectionsor1000BASESX\LX\ELXfiberoptic connections

    C2G124-24, C2G124-48, and C2G124-48P Switch Ports


    TheC2G12424,C2G12448andC2G12448Pstackabledevicesprovidethefollowingtypesof switchportconnections: TwentyfourorfortyeightRJ4510/100/1000Mbps1000BASETFastEthernetcopperports

    SecureStack C2 Configuration Guide

    7-1

    Port Configuration Summary

    FourSFPslotsthatprovidetheoptionofinstallingSmallFormPluggable(SFP)MiniGBICs for1000BASETcompliantcopperconnectionsor1000BASESX\LX\ELXfiberoptic connections.

    C2G134-24P Switch Ports


    TheC2G13424Pstackabledevicesprovidethefollowingtypesofswitchportconnections: Twentyfour10/100/1000Mbps1000BASETFastEthernetcopperportsconnectedthrough fourRJ21connectors(sixportsperRJ21). FourSFPslotsthatprovidetheoptionofinstallingSmallFormPluggable(SFP)MiniGBICs for1000BASETcompliantcopperconnectionsor1000BASESX\LX\ELXfiberoptic connections.

    C2K122-24 Switch Ports


    TheC2K12224stackabledevicesprovidethefollowingtypesofswitchportconnections: TwentyfourRJ4510/100/1000Mbps1000BASETFastEthernetcopperports TwoXFPslotsthatprovidetheoptionofinstallingXFPMSAcompliantmodulesfor10 Gigabit,10GBASEL/LR/ERfiberopticconnections.

    C2G170-24 Switch Ports


    TheC2G17024stackabledevicesprovidethefollowingtypesofswitchportconnections: TwentyfourSFPslotsthatprovidetheoptionofinstallingSmallFormPluggable(SFP)Mini GBICsfor1000BASETcompliantcopperconnectionsor1000BASESX\LX\ELX.

    Important Notice About C2G1x4-xx 10/100/100 and SFP Mini-GBIC Ports


    SFP Mini-GBIC uplink ports are used in an either / or configuration with the C2 front panel RJ45 10/100/1000 Mbps 1000BASE-T Fast Ethernet copper ports. If all Mini-GBIC ports are used, four of the RJ45 ports will be disabled. The maximum number of active ports can be 24 on the C2G124-24, and 48 on the C2G124-48 and C2G124-48P, in any combination of RJ45s and Mini-GBICs.

    Port String Syntax Used in the CLI


    Commandsrequiringaportstringparameterusethefollowingsyntaxtodesignateporttype,slot location,andportnumber: porttype.unit_or_slotnumber.portnumber Whereporttypecanbe: fefor100MbpsEthernet gefor1GbpsEthernet tgfor10GbpsEthernet hostforthehostport vlanforvlaninterfaces lagforIEEE802.3linkaggregationports Whereunit_or_slotnumbercanbe: 18forswitchunitsinastack

    7-2

    Port Configuration

    Reviewing Port Status

    Whereportnumberdependsonthedevice.Thehighestvalidportnumberisdependentonthe numberofportsinthedeviceandtheporttype.

    Port Slot/Unit Parameters Used in the CLI


    TheunitparameterisoftenusedinterchangeablywithmoduleinthestandaloneswitchCLI toindicateamoduleslotlocation.

    Examples
    Note: You can use a wildcard (*) to indicate all of an item. For example, fe.3.* would represent all 100Mbps Ethernet (fe) ports in slot 3, and ge.3 * would represent all 1-Gigabit Ethernet (ge) ports in slot 3.

    Thisexampleshowstheportstringsyntaxforspecifyingthe1GigabitEthernetport14inslotunit 3.
    ge.3.14

    Thisexampleshowstheportstringsyntaxforspecifyingall1GigabitEthernetportsinslotunit3 inthesystem.
    ge.3.*

    Thisexampleshowstheportstringsyntaxforspecifyingallports(ofanyinterfacetype)inthe system.
    *.*.*

    Reviewing Port Status


    Purpose
    Todisplayoperatingstatus,duplexmode,speed,porttype,andstatisticalinformationabout trafficreceivedandtransmittedthroughoneorallswitchportsonthedevice.

    Commands
    For information about... show port show port status show port counters Refer to page... 7-3 7-4 7-5

    show port
    Usethiscommandtodisplaywhetherornotoneormoreportsareenabledforswitching.

    Syntax
    show port [port-string]

    SecureStack C2 Configuration Guide

    7-3

    show port status

    Parameters
    portstring (Optional)Displaysoperationalstatusforspecificport(s).Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage72.

    Defaults
    Ifportstringisnotspecified,operationalstatusinformationforallportswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplayoperationalstatusinformationforge.3.14:
    C2(su)->show port ge.3.14 Port ge.3.14 enabled

    show port status


    Usethiscommandtodisplayoperatingandadminstatus,speed,duplexmodeandporttypefor oneormoreportsonthedevice.

    Syntax
    show port status [port-string]

    Parameters
    portstring (Optional)Displaysstatusforspecificport(s).Foradetaileddescriptionof possibleportstringvalues,refertoPortStringSyntaxUsedintheCLIon page72.

    Defaults
    Ifportstringisnotspecified,statusinformationforallportswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaystatusinformationforge.3.14:
    C2(su)->show port status ge.3.14 Port Alias Oper (truncated) Status ------------ -------------- ------ge.3.14 up Admin Status ------up Speed Duplex Type

    -------- ------- ------------N/A N/A BaseT RJ45

    Table 71providesanexplanationofthecommandoutput.

    7-4

    Port Configuration

    show port counters

    Table 7-1

    show port status Output Details


    What It Displays... Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 7-2. Alias configured for the port. For details on using the set port alias command, refer to set port alias on page 7-8. Operating status (up or down). Whether the specified port is enabled (up) or disabled (down). For details on using the set port disable command to change the default port status of enabled, refer to set port disable on page 7-7. For details on using the set port enable command to re-enable ports, refer to set port enable on page 7-7. Operational speed in Mbps or Kbps of the specified port. For details on using the set port speed command to change defaults, refer to set port speed on page 7-11. Duplex mode (half or full) of the specified port. For details on using the set port duplex command to change defaults, refer to Setting Auto-Negotiation and Advertised Ability on page 7-15. Physical port and interface type.

    Output Field Port Alias (truncated) Oper Status Admin Status

    Speed Duplex

    Type

    show port counters


    Usethiscommandtodisplayportcounterstatisticsdetailingtrafficthroughthedeviceand throughallMIB2networkdevices.

    Syntax
    show port counters [port-string] [switch | mib2]

    Parameters
    portstring (Optional)Displayscounterstatisticsforspecificport(s).Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage72. (Optional)DisplaysswitchorMIB2statistics.Switchstatisticsdetail performanceoftheSecureStackC2device.MIB2interfacestatisticsdetail performanceofallnetworkdevices.

    switch|mib2

    Defaults
    Ifportstringisnotspecified,counterstatisticswillbedisplayedforallports. Ifmib2orswitcharenotspecified,allcounterstatisticswillbedisplayedforthespecifiedport(s).

    Mode
    Switchcommand,readonly.

    Examples
    Thisexampleshowshowtodisplayallcounterstatistics,includingMIB2networktrafficand trafficthroughthedeviceforge.3.1:
    C2(su)->show port counters ge.3.1 Port: ge.3.1 MIB2 Interface: 1

    SecureStack C2 Configuration Guide

    7-5

    Disabling / Enabling and Naming Ports

    No counter discontinuity time ----------------------------------------------------------------MIB2 Interface Counters ----------------------In Octets In Unicast Pkts In Multicast Pkts In Broadcast Pkts In Discards In Errors Out Octets Out Unicasts Pkts Out Multicast Pkts Out Broadcast Pkts Out Errors 802.1Q Switch Counters ---------------------Frames Received Frames Transmitted

    0 0 0 0 0 0 0 0 0 0 0

    0 0

    Thisexampleshowshowtodisplayallge.3.1portcounterstatisticsrelatedtotrafficthroughthe device.
    C2(su)->show port counters ge.3.1 switch Port: ge.3.1 Bridge Port: 2

    802.1Q Switch Counters ----------------------Frames Received Frames Transmitted

    0 0

    Table 72providesanexplanationofthecommandoutput. Table 7-2 show port counters Output Details


    What It Displays... Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 7-2. MIB2 interface designation. IEEE 802.1D bridge port designation. MIB2 network traffic counts Counts of frames received, transmitted, and filtered.

    Output Field Port MIB2 Interface Bridge Port MIB2 Interface Counters 802.1Q Switch Counters

    Disabling / Enabling and Naming Ports


    Purpose
    Todisableandreenableoneormoreports,andtoassignanaliastoaport.Bydefault,allportsare enabledatdevicestartup.Youmaywanttodisableportsforsecurityortotroubleshootnetwork issues.Portsmayalsobeassignedanaliasforconvenience.
    7-6 Port Configuration

    set port disable

    Commands
    For information about... set port disable set port enable show port alias set port alias Refer to page... 7-7 7-7 7-8 7-8

    set port disable


    Usethiscommandtoadministrativelydisableoneormoreports.Whenthiscommandis executed,inadditiontodisablingthephysicalEthernetlink,theportwillnolongerlearnentries intheforwardingdatabase.

    Syntax
    set port disable port-string

    Parameters
    portstring Specifiestheport(s)todisable.Foradetaileddescriptionofpossibleport stringvalues,refertoPortStringSyntaxUsedintheCLIonpage72.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtodisablege.1.1:
    C2(su)->set port disable ge.1.1

    set port enable


    Usethiscommandtoadministrativelyenableoneormoreports.

    Syntax
    set port enable port-string

    Parameters
    portstring Specifiestheport(s)toenable.Foradetaileddescriptionofpossibleport stringvalues,refertoPortStringSyntaxUsedintheCLIonpage72.

    Defaults
    None.

    SecureStack C2 Configuration Guide

    7-7

    show port alias

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoenablege.1.3:
    C2(su)->set port enable ge.1.3

    show port alias


    Usethiscommandtodisplaythealiasnameforoneormoreports.

    Syntax
    show port alias [port-string]

    Parameters
    portstring (Optional)Displaysaliasname(s)forspecificport(s).Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntax UsedintheCLIonpage72.

    Defaults
    Ifportstringisnotspecified,aliasesforallportswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplayaliasinformationforports13onslot3:
    C2(rw)->show Port ge.3.1 Port ge.3.2 Port ge.3.3 port alias ge.3.1-3 user user Admin

    set port alias


    Usethiscommandtoassignanaliasnametoaport.

    Syntax
    set port alias port-string [name]

    Parameters
    portstring Specifiestheporttowhichanaliaswillbeassigned.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntax UsedintheCLIonpage72. (Optional)Assignsanaliasnametotheport.Ifthealiasnamecontains spaces,thetextstringmustbesurroundedbydoublequotes.Maximum lengthis60characters.

    name

    7-8

    Port Configuration

    set port alias

    Defaults
    Ifnameisnotspecified,thealiasassignedtotheportwillbecleared.

    Mode
    Switchcommand,readwrite.

    Examples
    ThisexampleshowshowtoassignthealiasAdmintoge.3.3:
    C2(rw)->set port alias ge.3.3 Admin

    Thisexampleshowshowtoclearthealiasforge.3.3:
    C2(rw)->set port alias ge.3.3

    SecureStack C2 Configuration Guide

    7-9

    Setting Speed and Duplex Mode

    Setting Speed and Duplex Mode


    Purpose
    ToreviewandsettheoperationalspeedinMbpsandthedefaultduplexmode:Half,forhalf duplex,orFull,forfullduplexforoneormoreports.

    Note: These settings only take effect on ports that have auto-negotiation disabled.

    Commands
    For information about... show port speed set port speed show port duplex set port duplex Refer to page... 7-10 7-11 7-11 7-15

    show port speed


    Usethiscommandtodisplaythedefaultspeedsettingononeormoreports.

    Syntax
    show port speed [port-string]

    Parameters
    portstring (Optional)Displaysdefaultspeedsetting(s)forspecificport(s).Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage72.

    Defaults
    Ifportstringisnotspecified,defaultspeedsettingsforallportswilldisplay.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaythedefaultspeedsettingfor1GigabitEthernetport14in slot 3:
    C2(su)->show port speed ge.3.14 default speed is 10 on port ge.3.14.

    7-10

    Port Configuration

    set port speed

    set port speed


    Usethiscommandtosetthedefaultspeedofoneormoreports.Thissettingonlytakeseffecton portsthathaveautonegotiationdisabled.

    Syntax
    set port speed port-string {10 | 100 | 1000}

    Parameters
    portstring Specifiestheport(s)forwhichtoaspeedvaluewillbeset.Fora detaileddescriptionofpossibleportstringvalues,refertoPort StringSyntaxUsedintheCLIonpage72. Specifiestheportspeed.Validvaluesare:10 Mbps,100 Mbps,or 1000 Mbps.

    10|100|1000

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtosetge.3.3toaportspeedof10 Mbps:
    C2(su)->set port speed ge.3.3 10

    show port duplex


    Usethiscommandtodisplaythedefaultduplexsetting(halforfull)foroneormoreports.

    Syntax
    show port duplex [port-string]

    Parameters
    portstring (Optional)Displaysdefaultduplexsetting(s)forspecificport(s). Foradetaileddescriptionofpossibleportstringvalues,referto PortStringSyntaxUsedintheCLIonpage72.

    Defaults
    Ifportstringisnotspecified,defaultduplexsettingsforallportswillbedisplayed.

    Mode
    Switchcommand,readonly.

    SecureStack C2 Configuration Guide

    7-11

    set port duplex

    Example
    ThisexampleshowshowtodisplaythedefaultduplexsettingforEthernetport14inslot 3:
    C2(su)->show port duplex ge.3.14 default duplex mode is full on port ge.3.14.

    set port duplex


    Usethiscommandtosetthedefaultduplextypeforoneormoreports.Thiscommandwillonly takeeffectonportsthathaveautonegotiationdisabled.

    Syntax
    set port duplex port-string {full | half}

    Parameters
    portstring Specifiestheport(s)forwhichduplextypewillbeset.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntax UsedintheCLIonpage72. Setstheport(s)tofullduplexorhalfduplexoperation.

    full|half

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtosetge.1.17tofullduplex:
    C2(su)->set port duplex ge.1.17 full

    7-12

    Port Configuration

    Enabling / Disabling Jumbo Frame Support

    Enabling / Disabling Jumbo Frame Support


    Purpose
    Toreview,enable,anddisablejumboframesupportononeormoreports.ThisallowsGigabit Ethernetportstotransmitframesupto10KBinsize.

    Commands
    For information about... show port jumbo set port jumbo clear port jumbo Refer to page... 7-13 7-14 7-14

    show port jumbo


    Usethiscommandtodisplaythestatusofjumboframesupportandmaximumtransmissionunits (MTU)ononeormoreports.

    Syntax
    show port jumbo [port-string]

    Parameters
    portstring (Optional)Displaysthestatusofjumboframesupportforspecific port(s).Foradetaileddescriptionofpossibleportstringvalues,referto PortStringSyntaxUsedintheCLIonpage72.

    Defaults
    Ifportstringisnotspecified,jumboframesupportstatusforallportswilldisplay.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaythestatusofjumboframesupportforge.1.1:
    C2(su)->show port jumbo ge.1.1 Port Number Jumbo Status Max Frame Size ------------- --------------- -----------------ge.1.1 Enable 9216

    SecureStack C2 Configuration Guide

    7-13

    set port jumbo

    set port jumbo


    Usethiscommandtoenableordisablejumboframesupportononeormoreports.

    Syntax
    set port jumbo {enable | disable}[port-string]

    Parameters
    enable|disable portstring Enablesordisablesjumboframesupport. (Optional)Specifiestheport(s)onwhichtodisableorenablejumbo framesupport.Foradetaileddescriptionofpossibleportstringvalues, refertoPortStringSyntaxUsedintheCLIonpage72.

    Defaults
    Ifportstringisnotspecified,jumboframesupportwillbeenabledordisabledonallports.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoenablejumboframesupportforGigabitEthernetport14inslot3:
    C2(su)->set port jumbo enable ge.3.14

    clear port jumbo


    Usethiscommandtoresetjumboframesupportstatustoenabledononeormoreports.

    Syntax
    clear port jumbo [port-string]

    Parameters
    portstring (Optional)Specifiestheport(s)onwhichtoresetjumboframe supportstatustoenabled.Foradetaileddescriptionofpossible portstringvalues,refertoPortStringSyntaxUsedintheCLIon page72.

    Defaults
    Ifportstringisnotspecified,jumboframesupportstatuswillberesetonallports.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoresetjumboframesupportstatusforGigabitEthernetport14inslot 3:
    C2(su)->clear port jumbo ge.3.14

    7-14

    Port Configuration

    Setting Auto-Negotiation and Advertised Ability

    Setting Auto-Negotiation and Advertised Ability


    Purpose
    Toreview,disableorenableautonegotiation,andtoconfigureportadvertisementforspeedand duplex. Duringautonegotiation,theporttellsthedeviceattheotherendofthesegmentwhatits capabilitiesandmodeofoperationare.Ifautonegotiationisdisabled,theportrevertstothe valuesspecifiedbydefaultspeed,defaultduplex,andtheportflowcontrolcommands. Innormaloperation,withallcapabilitiesenabled,advertisedabilityenablesaporttoadvertise thatithastheabilitytooperateinanymode.Theusermaychoosetoconfigureaportsothatonly aportionofitscapabilitiesareadvertisedandtheothersaredisabled.

    Note: Advertised ability can be activated only on ports that have auto-negotiation enabled.

    Commands
    For information about... show port negotiation set port negotiation show port advertise set port advertise clear port advertise Refer to page... 7-15 7-16 7-16 7-17 7-18

    show port negotiation


    Usethiscommandtodisplaythestatusofautonegotiationforoneormoreports.

    Syntax
    show port negotiation [port-string]

    Parameters
    portstring (Optional)Displaysautonegotiationstatusforspecificport(s).Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage72.

    Defaults
    Ifportstringisnotspecified,autonegotiationstatusforallportswillbedisplayed.

    Mode
    Switchcommand,readonly.

    SecureStack C2 Configuration Guide

    7-15

    set port negotiation

    Example
    Thisexampleshowshowtodisplayautonegotiationstatusfor1GigabitEthernetport14inslot 3:
    C2(su)->show port negotiation ge.3.14 auto-negotiation is enabled on port ge.3.14.

    set port negotiation


    Usethiscommandtoenableordisableautonegotiationononeormoreports.

    Syntax
    set port negotiation port-string {enable | disable}

    Parameters
    portstring Specifiestheport(s)forwhichtoenableordisableautonegotiation.Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage72. Enablesordisablesautonegotiation.

    enable|disable

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtodisableautonegotiationon1GigabitEthernetport3inslot14:
    C2(su)->set port negotiation ge.3.14 disable

    show port advertise


    Usethiscommandtodisplayportcapabilityandadvertisementasfarasspeedandduplexfor autonegotiation.

    Syntax
    show port advertise [port-string]

    Parameters
    portstring (Optional)Displaysadvertisedabilityforspecificport(s).Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage72.

    Defaults
    Ifportstringisnotspecified,advertisementforallportswillbedisplayed.

    Mode
    Switchcommand,readonly.
    7-16 Port Configuration

    set port advertise

    Example
    ThisexampleshowshowtodisplayadvertisementstatusforGigabitports13and14:
    C2(su)->show port advertise ge.1.13-14 ge.1.13 capability advertised remote ------------------------------------------------10BASE-T yes yes yes 10BASE-TFD yes yes yes 100BASE-TX yes yes yes 100BASE-TXFD yes yes yes 1000BASE-T no no no 1000BASE-TFD yes yes yes pause yes yes no ge.1.14 capability advertised remote ------------------------------------------------10BASE-T yes yes yes 10BASE-TFD yes yes yes 100BASE-TX yes yes yes 100BASE-TXFD yes yes yes 1000BASE-T no no no 1000BASE-TFD yes yes yes pause yes yes no

    set port advertise


    Usethiscommandtoconfigurewhataportwilladvertiseforspeed/duplexcapabilitiesinauto negotiation.

    Syntax
    set port advertise {port-string}{10t | 10tfd | 100tx | 100txfd | 1000t | 1000tfd | pause}

    Parameters
    portstring Selecttheportsforwhichtoconfigureadvertisements.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage72. Advertise10BASEThalfduplexmode. Advertise10BASETfullduplexmode. Advertise100BASETXhalfduplexmode. Advertise100BASETXfullduplexmode. Advertise1000BASEThalfduplexmode. Advertise1000BASETfullduplexmode. AdvertisePAUSEforfullduplexlinks.

    10t 10tfd 100tx 100txfd 1000t 1000tfd pause

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    7-17

    clear port advertise

    Example
    Thisexampleshowshowtoconfigureport1toadvertise1000BASETfullduplex:
    C2(su)->set port advertise ge.1.1 1000tfd

    clear port advertise


    Usethiscommandtoconfigureaporttonotadvertiseaspecificspeed/duplexcapabilitywhen autonegotiatingwithanotherport.

    Syntax
    clear port advertise {port-string}{10t | 10tfd | 100tx | 100txfd | 1000t | 1000tfd | pause}

    Parameters
    portstring Clearadvertisementsforspecificport(s).Foradetaileddescriptionof possibleportstringvalues,refertoPortStringSyntaxUsedinthe CLIonpage72. Donotadvertise10BASEThalfduplexmode. Donotadvertise10BASETfullduplexmode. Donotadvertise100BASETXhalfduplexmode. Donotadvertise100BASETXfullduplexmode. Donotadvertise1000BASEThalfduplexmode. Donotadvertise1000BASETfullduplexmode. DonotadvertisePAUSEforfullduplexlinks.

    10t 10tfd 100tx 100txfd 1000t 1000tfd pause

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoconfigureport1tonotadvertise10MBcapabilityforauto negotiation:
    C2(su)->clear port advertise ge.1.1 10t 10tfd

    7-18

    Port Configuration

    Setting Flow Control

    Setting Flow Control


    Purpose
    Toreview,enableordisableportflowcontrol.Flowcontrolisusedtomanagethetransmission betweentwodevicesasspecifiedbyIEEE 802.3xtopreventreceivingportsfrombeing overwhelmedbyframesfromtransmittingdevices.

    Commands
    For information about... show flowcontrol set flowcontrol Refer to page... 7-19 7-19

    show flowcontrol
    Usethiscommandtodisplaytheflowcontrolstate.

    Syntax
    show flowcontrol

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaytheportflowcontrolstate:
    C2(su)->show flowcontrol Flow control status: enabled

    set flowcontrol
    Usethiscommandtoenableordisableflowcontrol.

    Syntax
    set flowcontrol {enable | disable}

    Parameters
    enable|disable Enablesordisablesflowcontrolsettings.

    SecureStack C2 Configuration Guide

    7-19

    set flowcontrol

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoenableflowcontrol:
    C2(su)->set flowcontrol enable

    7-20

    Port Configuration

    Setting Port Link Traps and Link Flap Detection

    Setting Port Link Traps and Link Flap Detection


    Purpose
    Todisableorreenablelinktraps,displaylinktrapstatus,andtoconfigurethelinkflapping detectionfunction.Bydefault,allportsareenabledtosendSNMPtrapmessagesindicating changestotheirlinkstatus(upordown). Thelinkflapfunctiondetectswhenalinkisgoingupanddownrapidly(alsocalledlink flapping)onaphysicalport,andtakestherequiredactions(disableport,andeventuallysend notificationtrap)tostopsuchacondition.Ifleftunresolved,thelinkflappingconditioncanbe detrimentaltonetworkstabilitybecauseitcantriggerSpanningTreeandroutingtable recalculation.

    Commands
    For information about... show port trap set port trap show linkflap set linkflap globalstate set linkflap portstate set linkflap interval set linkflap action clear linkflap action set linkflap threshold set linkflap downtime clear linkflap down clear linkflap Refer to page... 7-21 7-22 7-22 7-25 7-25 7-26 7-26 7-27 7-27 7-28 7-28 7-29

    show port trap


    UsethiscommandtodisplaywhethertheportisenabledforgeneratinganSNMPtrapmessageif itslinkstatechanges.

    Syntax
    show port trap [port-string]

    Parameters
    portstring (Optional)Displayslinktrapstatusforspecificport(s).Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage72.

    SecureStack C2 Configuration Guide

    7-21

    set port trap

    Defaults
    Ifportstringisnotspecified,thetrapstatusforallportswillbedisplayed.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtodisplaylinktrapstatusforge.3.1through4:
    C2(su)->show port trap ge.3.1-4 Link traps enabled on port ge.3.1. Link traps enabled on port ge.3.2. Link traps enabled on port ge.3.3. Link traps enabled on port ge.3.4.

    set port trap


    UsethiscommandtoenableofdisableportsforsendingSNMPtrapmessageswhentheirlink statuschanges.

    Syntax
    set port trap port-string {enable | disable}

    Parameters
    portstring Specifiestheport(s)forwhichtoenableordisableporttraps.Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage72. Enablesordisablessendingtrapmessageswhenlinkstatuschanges.

    enable|disable

    Defaults
    Sendingtrapswhenlinkstatuschangesisenabledbydefault.

    Mode
    Switchcommand,readwrite.

    Example
    Thefollowingexampledisablessendingtraponge.3.1.
    C2(su)->set port trap ge.3.1 disable

    show linkflap
    Usethiscommandtodisplaylinkflapdetectionstateandconfigurationinformation.

    Syntax
    show linkflap {globalstate | portstate | parameters | metrics | portsupported | actsupported | maximum | downports | action | operstatus | threshold | interval] | downtime | currentcount | totalcount | timelapsed | violations [port-string]}

    7-22

    Port Configuration

    show linkflap

    Parameters
    globalstate portstate parameters metrics portsupported actsupported maximum downports action operstatus threshold interval downtime currentcount totalcount timelapsed violations portstring Displaystheglobalenablestateoflinkflapdetection. Displaystheportenablestateoflinkflapdetection. Displaysthecurrentvalueofsettablelinkflapdetectionparameters. Displayslinkflapdetectionmetrics. Displaysportswhichcansupportthelinkflapdetectionfunction. Displayslinkflapdetectionactionssupportedbysystemhardware. Displaysthemaximumallowedlinkdownsper10secondssupported bysystemhardware. Displaysportsdisabledbylinkflapdetectionduetoaviolation. Displayslinkflapactionstakenonviolatingport(s). Displayswhetherlinkflaphasdeactivatedport(s). Displaysthenumberofallowedlinkdowntransitionsbeforeactionis taken. Displaysthetimeperiodforcountinglinkdowntransitions. Displayshowlongviolatingport(s)aredeactivated. Displayshowmanylinkdowntransitionsareinthecurrentinterval. Displayshowmanylinkdowntransitionshaveoccurredsincethelast reset. Displaysthetimeperiodsincethelastlinkdowneventorreset. Displaysthenumberoflinkflapviolationssincethelastreset. (Optional)Displaysinformationforspecificport(s).

    Defaults
    Ifnotspecified,informationaboutalllinkflapdetectionsettingswillbedisplayed. Ifportstringisnotspecified,informationforallportswillbedisplayed.

    Mode
    Switchmode,readonly.

    Usage
    Thelinkflapdefaultconditionsareshowninthefollowingtable.
    Linkflap Parameter Linkflap global state Linkflap port state Linkflap action Linkflap interval Linkflap maximum allowed link downs per 10 seconds Linkflap threshold (number of allowed link down transitions before action is taken) Default Condition Disabled Disabled None 5 20 10

    SecureStack C2 Configuration Guide

    7-23

    show linkflap

    Examples
    Thisexampleshowshowtodisplaytheglobalstatusofthelinktrapdetectionfunction:
    C2(rw)->show linkflap globalstate Linkflap feature globally disabled

    Thisexampleshowshowtodisplayportsdisabledbylinkflapdetectionduetoaviolation:
    C2(rw)->show linkflap downports Ports currently held DOWN for Linkflap violations: None.

    Thisexampleshowshowtodisplaythelinkflapparameterstable:
    C2(rw)->show linkflap parameters Linkflap Port Settable Parameter Table (X Port LF Status Actions Threshold -------- --------- ------- ---------ge.1.1 disabled ....... 10 ge.1.2 enabled D..S..T 3 ge.1.3 disabled ...S..T 10 means error Interval ---------5 5 5 occurred) Downtime ---------300 300 300

    Table 73providesanexplanationoftheshowlinkflapparameterscommandoutput. Table 7-3 show linkflap parameters Output Details


    What it displays... Port designation. Link flap enabled state. Actions to be taken if the port violates allowed link flap behavior. D = disabled, S = Syslog entry will be generated, T= SNMP trap will be generated. Threshold Interval Downtime Number of link down transitions necessary to trigger the link flap action. Time interval (in seconds) for accumulating link down transitions. Interval (in seconds) port(s) will be held down after a link flap violation.

    Output Field Port LF Status Actions

    Thisexampleshowshowtodisplaythelinkflapmetricstable:
    C2(rw)->show linkflap metrics Port LinkStatus CurrentCount -------- ----------- -----------ge.1.1 operational 0 ge.1.2 disabled 4 ge.1.3 operational 3 TotalCount ---------0 15 3 TimeElapsed Violations ----------- ------------241437 0 147 5 241402 0

    Table 74providesanexplanationoftheshowlinkflapmetricscommandoutput. Table 7-4 show linkflap metrics Output Details


    What it displays... Port designation. Link status according to the link flap function. Link down count accruing toward the link flap threshold. Number of link downs since system start,

    Output Field Port LinkStatus CurrentCount TotalCount

    7-24

    Port Configuration

    set linkflap globalstate

    Table 7-4

    show linkflap metrics Output Details (Continued)


    What it displays... Time (in seconds) since the last link down event. Number of link flap violations on listed ports since system start.

    Output Field TimeElapsed Violations

    set linkflap globalstate


    Usethiscommandtogloballyenableordisablethelinkflapdetectionfunction.

    Syntax
    set linkflap globalstate {disable | enable}

    Parameters
    disable|enable Globallydisablesorenablesthelinkflapdetectionfunction.

    Defaults
    Bydefault,thefunctionisdisabledgloballyandonallports.

    Mode
    Switchmode,readwrite.

    Usage
    Bydefault,thefunctionisdisabledgloballyandonallports.Ifdisabledgloballyafterperport settingshavebeenconfiguredusingthelinkflapcommands,perportsettingswillberetained.

    Example
    Thisexampleshowshowtogloballyenablethelinktrapdetectionfunction.
    C2(rw)->set linkflap globalstate enable

    set linkflap portstate


    Usethiscommandtoenableordisablelinkflapmonitoringononeormoreports.

    Syntax
    set linkflap portstate {disable | enable} [port-string]

    Parameters
    disable|enable portstring Disablesorenablesthelinkflapdetectionfunction. (Optional)Specifiestheportorportsonwhichtodisableorenable monitoring.

    Defaults
    Ifportstringisnotspecified,allportsareenabledordisabled.

    SecureStack C2 Configuration Guide

    7-25

    set linkflap interval

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoenablethelinktrapmonitoringonallports.
    C2(rw)->set linkflap portstate enable

    set linkflap interval


    Usethiscommandtosetthetimeinterval(inseconds)foraccumulatinglinkdowntransitions.

    Syntax
    set linkflap interval port-string interval-value

    Parameters
    portstring intervalvalue Specifiestheport(s)onwhichtosetthelinkflapinterval. Specifiesanintervalinseconds.Avalueof0willsettheintervalto forever.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtosetthelinkflapintervalonportge.1.4to1000seconds.
    C2(rw)->set linkflap interval ge.1.4 1000

    set linkflap action


    Usethiscommandtosetreactionstoalinkflapviolation.

    Syntax
    set linkflap action port-string {disableInterface | gensyslogentry | gentrap | all}

    Parameters
    portstring disableInterface gensyslogentry gentrap all Specifiestheport(s)onwhichtosetthelinkflapaction. Setsthereactionasdisablingtheinterface. Setsthereactionasgeneratingasyslogentry. SetsthereactionasgeneratinganSNMPtrap. Setsthereactionasalloftheabove.

    7-26

    Port Configuration

    clear linkflap action

    Defaults
    None.

    Mode
    Switchmode,readwrite.

    Example
    Thisexampleshowshowtosetthelinkflapviolationactiononportge.1.4togeneratingaSyslog entry.
    C2(rw)->set linkflap action ge.1.4 gensyslogentry

    clear linkflap action


    Usethiscommandtoclearreactionstoalinkflapviolation.

    Syntax
    clear linkflap action [port-string] {disableInterface | gensyslogentry | gentrap | all}

    Parameters
    portstring disableInterface gensyslogentry gentrap all (Optional)Specifiestheport(s)onwhichtoclearthelinkflapaction. Clearsthereactionasdisablingtheinterface. Clearsthereactionasgeneratingasyslogentry. ClearsthereactionasgeneratinganSNMPtrap. Clearsthereactionasalloftheabove.

    Defaults
    Ifportstringisnotspecified,actionswillbeclearedonallports.

    Mode
    Switchmode,readwrite.

    Example
    Thisexampleshowshowtoclearthelinkflapviolationactiononportge.1.4togeneratinga Syslogentry.
    C2(rw)->clear linkflap action ge.1.4 gensyslogentry

    set linkflap threshold


    Usethiscommandtosetthelinkflapactiontriggercount.

    Syntax
    set linkflap threshold port-string threshold-value

    SecureStack C2 Configuration Guide

    7-27

    set linkflap downtime

    Parameters
    portstring thresholdvalue Specifiestheport(s)onwhichtosetthelinkflapactiontriggercount. Specifiesthenumberoflinkdowntransitionsnecessarytotriggerthe linkflapaction.Aminimumof1mustbeconfigured.

    Defaults
    None.

    Mode
    Switchmode,readwrite.

    Example
    Thisexampleshowshowtosetthelinkflapthresholdonportge.1.4to5.
    C2(rw)->set linkflap threshold ge.1.4 5

    set linkflap downtime


    Usethiscommandtosetthetimeinterval(inseconds)oneormoreportswillbehelddownaftera linkflapviolation.

    Syntax
    set linkflap downtime port-string downtime-value

    Parameters
    portstring downtimevalue Specifiestheport(s)onwhichtosetthelinkflapdowntime. Specifiesadowntimeinseconds.Avalueof0willsetthedowntimeto forever.

    Defaults
    None.

    Mode
    Switchmode,readwrite.

    Example
    Thisexampleshowshowtosetthelinkflapdowntimeonportge.1.4to5000seconds.
    C2(rw)->set linkflap downtime ge.1.4 5000

    clear linkflap down


    Usethiscommandtotogglelinkflapdisabledportstooperational.

    Syntax
    clear linkflap down [port-string]

    7-28

    Port Configuration

    clear linkflap

    Parameters
    portstring (Optional)Specifiestheportstomakeoperational.

    Defaults
    Ifportstringisnotspecified,allportsdisabledbyalinkflapviolationwillbemadeoperational.

    Mode
    Switchmode,readwrite.

    Example
    Thisexampleshowshowtomakedisabledportge.1.4operational.
    C2(rw)->clear linkflap down ge.1.4

    clear linkflap
    Usethiscommandtoclearalllinkflapoptionsand/orstatisticsononeormoreports.

    Syntax
    clear linkflap {all | stats [port-string] | parameter port-string {threshold | interval | downtime | all}

    Parameters
    all|stats parameter Clearsalloptionsandstatistics,orclearsonlystatistics. Clearslinkflapparameters.

    threshold|interval| Clearslinkflapthreshold,interval,downtimeorallparameters. downtime|all portstring (Optionalunlessparameterisspecified)Specifiestheport(s)onwhich toclearsettings.

    Defaults
    Ifportstringisnotspecified,settingsand/orstatisticswillbeclearedonallports.

    Mode
    Switchmode,readwrite.

    Example
    Thisexampleshowshowtoclearalllinkflapoptionsonportge.1.4.
    C2(rw)->clear linkflap all ge.1.4

    SecureStack C2 Configuration Guide

    7-29

    Configuring Broadcast Suppression

    Configuring Broadcast Suppression


    Purpose
    Toreviewandsetthebroadcastsuppressionthresholdforoneormoreports.Thisfeaturelimits thenumberofreceivedbroadcastframestheswitchwillacceptperport.Broadcastsuppression thresholdsapplyonlytobroadcasttrafficmulticasttrafficisnotaffected.Bydefault,abroadcast suppressionthresholdof14881packetspersecond(pps)willbeused,regardlessofactualport speed.BroadcastsuppressionprotectsagainstbroadcaststormsandARPsweeps.

    Commands
    For information about... show port broadcast set port broadcast clear port broadcast Refer to page... 7-30 7-31 7-31

    show port broadcast


    Usethiscommandtodisplayportbroadcastsuppressionthresholds.

    Syntax
    show port broadcast [port-string]

    Parameters
    portstring (Optional)Selecttheportsforwhichtoshowbroadcastsuppression thresholds.Foradetaileddescriptionofpossibleportstringvalues,refer toPortStringSyntaxUsedintheCLIonpage72.

    Defaults
    Ifportstringisnotspecified,broadcaststatusofallportswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaythebroadcastsuppressionthresholdsforports1through4:
    C2(su)->show port broadcast ge.1.1-4 Port Total BC Threshold Packets (pkts/s) ---------------------------------------ge.1.1 0 50 ge.1.2 0 50 ge.1.3 0 40 ge.1.4 0 14881

    7-30

    Port Configuration

    set port broadcast

    set port broadcast


    Usethiscommandtosetthebroadcastsuppressionthreshold,inpacketspersecond,ononeor moreports.Thissetsathresholdonthebroadcasttrafficthatisreceivedandswitchedouttoother ports.

    Syntax
    set port broadcast port-string threshold-val

    Parameters
    portstring Selecttheportsforwhichtoconfigurebroadcastsuppressionthresholds. Foradetaileddescriptionofpossibleportstringvalues,refertoPort StringSyntaxUsedintheCLIonpage72. Setsthepacketspersecondthresholdonbroadcasttraffic.Maximum valueis 148810forFastEthernetports 1488100for1Gigabitports. 14881000for10Gigabitports

    thresholdval

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    PerportbroadcastsuppressionishardsettobegloballyenabledontheC2.Ifyouwouldliketo disablebroadcastsuppression,youcangetthesameresultbysettingthethresholdlimitforeach porttothemaximumnumberofpacketswhichcanbereceivedpersecondaslistedinthe parameterssection,above.Thedefaultbroadcastsuppressionthresholdforallportsissetto 14881.

    Example
    Thisexampleconfiguresports1through5withabroadcastlimitof50pps:
    C2(su)->set port broadcast ge.1.1-5 50

    clear port broadcast


    Usethiscommandtoclearthebroadcastthresholdlimittothedefaultvalueof14881forthe selectedport.

    Syntax
    clear port broadcast port-string threshold

    Parameters
    portstring Selecttheportsforwhichtoclearbroadcastsuppressionthresholds.Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage72.

    SecureStack C2 Configuration Guide

    7-31

    clear port broadcast

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleclearsthebroadcastthresholdlimitto14881ppsforports1through5:
    C2(su)->clear port broadcast ge.1.1-5 threshold

    7-32

    Port Configuration

    Port Mirroring

    Port Mirroring
    Caution: Port mirroring configuration should be performed only by personnel who are knowledgeable about the effects of port mirroring and its impact on network operation.

    TheSecureStackC2deviceallowsyoutomirror(orredirect)thetrafficbeingswitchedonaport forthepurposesofnetworktrafficanalysisandconnectionassurance.Whenportmirroringis enabled,oneportbecomesamonitorportforanotherportwithinthedevice.

    Mirroring Features
    TheSecureStackC2devicesupportsthefollowingmirroringfeatures: Mirroringcanbeconfiguredinamanytooneconfigurationsothatonetarget(destination) portcanmonitortrafficonupto8sourceports.Onlyonemirrordestinationportcanbe configuredperstack,ifapplicable. Bothtransmitandreceivetrafficwillbemirrored. Adestinationportwillonlyactasamirroringportwhenthesessionisoperationallyactive. Whenaportmirroriscreated,themirrordestinationportisremovedfromtheegresslistof VLAN1afterareboot. MACaddresseswillbelearnedforpacketstaggedwiththemirrorVLANID.Thiswill preventtheabilitytosnooptrafficacrossmultiplehops.
    Caution: Traffic mirrored to a VLAN may contain control traffic. This may be interpreted by the downstream neighbor as legal control frames. It is recommended that you disable any protocols (such as Spanning Tree) on inter-switch connections that might be affected .

    Configuring SMON MIB Port Mirroring


    Overview
    SMONportmirroringsupportonEnterasysSecureStackB2,B3,C2andC3devicesallowsyouto redirecttrafficonportsremotelyusingSMONMIBs.Thisisusefulfortroubleshootingorproblem solvingwhennetworkmanagementthroughtheconsoleport,telnet,orSSHisnotfeasible.

    Procedures
    PerformthefollowingstepstoconfigureandmonitorportmirroringusingSMONMIBobjects. Tocreateandenableaportmirroringinstance: 1. 2. 3. 4. OpenaMIBbrowser,suchasNetsightMIBTools IntheMIBdirectorytree,navigatetotheportCopyEntryfolderandexpandit. SelecttheportCopyStatusMIB. EnteradesiredsourceandtargetportintheInstancefieldusingtheformatsource.target. Forexample,3.2wouldcreatearelationshipwheresourceportge.1.3wouldbemirroredto targetportge.1.2.
    Note: In order to configure a port mirroring relationship, both source and destination interfaces must be enabled and operational (up).

    SecureStack C2 Configuration Guide

    7-33

    Port Mirroring

    5. 6.

    EnterMIBoption4(createAndGo)andperformanSNMPSetoperation. (Optional)UsetheCLItoverifytheportmirroringinstancehasbeencreatedandenabledas showninthefollowingexample:


    C2(su)->show port mirroring Port Mirroring ============== Source Port = ge.1.3 Target Port = ge.1.2 Frames Mirrored = Rx and Tx Port Mirroring status enabled

    Tocreateaportmirroringinstancewithoutautomaticallyenablingit: 1. 2. 3. Completesteps14above. EnterMIBoption5(createAndWait)andperformanSNMPSetoperation. (Optional)UsetheCLItoverifytheportmirroringinstancehasbeencreatedsettodisabled modeasshowninthefollowingexample:


    C2(su)->show port mirroring Port Mirroring ============== Source Port = ge.1.3 Target Port = ge.1.2 Frames Mirrored = Rx and Tx Port Mirroring status disabled

    4. 5.

    Whenyouarereadytoenablethisinstance,enterMIBoption1(active)andperformanSNMP Setoperation. (Optional)UsetheCLItoverifytheportmirroringinstancehasbeenenabled.

    Todeleteaportmirroringinstance: 1. 2. 3. SelectapreviouslycreatedportmirroringinstanceinyourMIBbrowser. EnterMIBoption6(destroy)andperformanSNMPSetoperation. (Optional)UsetheCLItoverifytheportmirroringinstancehasbeendeletedasshowninthe followingexample:


    C2(su)->show port mirroring No Port Mirrors configured.

    Purpose
    Toreviewandconfigureportmirroringonthedevice.

    Commands
    For information about... show port mirroring set port mirroring clear port mirroring Refer to page... 7-35 7-35 7-36

    7-34

    Port Configuration

    show port mirroring

    show port mirroring


    Usethiscommandtodisplaythesourceandtargetportsformirroring,andwhethermirroringis currentlyenabledordisabledforthoseports.

    Syntax
    show port mirroring

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplayportmirroringinformation.Inthiscase,ge.1.4isconfigured asasourceportandge.1.11isatargetandmirroringhasbeenenabledbetweentheseports:
    C2(su)->show port mirroring Port Mirroring ============== Source Port = ge.1.4 Target Port = ge.1.11 Frames Mirrored = Rx and Tx Port Mirroring status enabled.

    set port mirroring


    Usethiscommandtocreateanewmirroringrelationshiportoenableordisableanexisting mirroringrelationshipbetweentwoports.
    Notes: When a port mirror is created, the mirror destination port is removed from VLAN 1s egress list after a reboot. "MAC addresses will be learned for packets tagged with the mirror VLAN ID. This will prevent the ability to snoop traffic across multiple hops.

    Syntax
    set port mirroring {create | disable | enable} source destination}

    SecureStack C2 Configuration Guide

    7-35

    clear port mirroring

    Parameters
    create|disable| enable source Creates,disablesorenablesmirroringsettingsonthespecifiedports. Specifiesthesourceportdesignation.Thisistheportonwhichthetraffic willbemonitored.Foradetaileddescriptionofpossibleportstringvalues, refertoPortStringSyntaxUsedintheCLIonpage72. Specifiesthetargetportdesignation.Thisistheportthatwillduplicateor mirrorallthetrafficonthemonitoredport.Onlyonedestinationport canbeconfiguredperstack,ifapplicable. Foradetaileddescriptionofpossibleportstringvalues,refertoPort StringSyntaxUsedintheCLIonpage72.

    destination

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    NotethatLAGportsandtheirunderlyingphysicalports,asdescribedinLinkAggregation ControlProtocol(LACP)onpage738,cannotbemirrored.

    Example
    Thisexampleshowshowtocreateandenableportmirroringwithge.1.4asthesourceport,and ge.1.11asthetargetport:
    C2(su)->set port mirroring create ge.1.4 ge.1.11 C2(su)->set port mirroring enable ge.1.4 ge.1.11

    clear port mirroring


    Usethiscommandtoclearaportmirroringrelationship.

    Syntax
    clear port mirroring source destination

    Parameters
    source Specifiesthesourceportofthemirroringconfigurationtobecleared.For adetaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage72. Specifiesthetargetportofthemirroringconfigurationtobecleared.

    destination

    Defaults
    None.

    Mode
    Switchcommand,readwrite.
    7-36 Port Configuration

    clear port mirroring

    Example
    Thisexampleshowshowtoclearportmirroringbetweensourceportge.1.4andtargetport ge.1.11:
    C2(su)->clear port mirroring ge.1.4 ge.1.11

    SecureStack C2 Configuration Guide

    7-37

    Link Aggregation Control Protocol (LACP)

    Link Aggregation Control Protocol (LACP)


    Caution: Link aggregation configuration should only be performed by personnel who are knowledgeable about Spanning Tree and Link Aggregation, and fully understand the ramifications of modifications beyond device defaults. Otherwise, the proper operation of the network could be at risk.

    Usingmultiplelinkssimultaneouslytoincreasebandwidthisadesirableswitchfeature,which canbeaccomplishedifbothsidesagreeonasetofportsthatarebeingusedasaLinkAggregation Group(LAG).OnceaLAGisformedfromselectedports,problemswithloopingcanbeavoided sincetheSpanningTreecantreatthisLAGasasingleport. Enabledbydefault,theLinkAggregationControlProtocol(LACP)logicallygroupsinterfaces togethertocreateagreaterbandwidthuplink,orlinkaggregation,accordingtotheIEEE802.3ad standard.ThisstandardallowstheswitchtodeterminewhichportsareinLAGsandconfigure themdynamically.SincetheprotocolisbasedontheIEEE802.3adspecification,anyswitchfrom anyvendorthatsupportsthisstandardcanaggregatelinksautomatically. 802.3adLACPaggregationscanalsoberuntoendusers(thatis,aserver)ortoarouter.
    Note: Earlier (proprietary) implementations of port aggregation referred to groups of aggregated ports as trunks.

    LACP Operation
    Foreachaggregatableportinthedevice,LACP: Maintainsconfigurationinformation(reflectingtheinherentpropertiesoftheindividuallinks aswellasthoseestablishedbymanagement)tocontrolaggregation. ExchangesconfigurationinformationwithotherdevicestoallocatethelinktoaLink AggregationGroup(LAG).
    Note: A given link is allocated to, at most, one Link Aggregation Group (LAG) at a time. The allocation mechanism attempts to maximize aggregation, subject to management controls.

    AttachestheporttotheaggregatorusedbytheLAG,anddetachestheportfromthe aggregatorwhenitisnolongerusedbytheLAG. Usesinformationfromthepartnerdeviceslinkaggregationcontrolentitytodecidewhether toaggregateports.

    TheoperationofLACPinvolvesthefollowingactivities: Checkingthatcandidatelinkscanactuallybeaggregated. ControllingtheadditionofalinktoaLAG,andthecreationofthegroupifnecessary. Monitoringthestatusofaggregatedlinkstoensurethattheaggregationisstillvalid. RemovingalinkfromaLAGifitsmembershipisnolongervalid,andremovingthegroupifit nolongerhasanymemberlinks.

    InordertoallowLACPtodeterminewhetherasetoflinksconnecttothesamedevice,andto determinewhetherthoselinksarecompatiblefromthepointofviewofaggregation,itis necessarytobeabletoestablish Agloballyuniqueidentifierforeachdevicethatparticipatesinlinkaggregation.

    7-38

    Port Configuration

    Link Aggregation Control Protocol (LACP)

    Ameansofidentifyingthesetofcapabilitiesassociatedwitheachportandwitheach aggregator,asunderstoodbyagivendevice. AmeansofidentifyingaLAGanditsassociatedaggregator.

    Note: The path cost of a LAG port will be displayed as zero when it is not an active link.

    LACP Terminology
    Table 75defineskeyterminologyusedinLACPconfiguration. Table 7-5
    Term Aggregator

    LACP Terms and Definitions


    Definition Virtual port that controls link aggregation for underlying physical ports. Each SecureStack C2 module provides 6 aggregator ports, which are designated in the CLI as lag.0.1 through lag.0.6. Link Aggregation Group. Once underlying physical ports (for example, fe.x.x) are associated with an aggregator port, the resulting aggregation will be represented as one LAG with a lag.x.x port designation. SecureStack C2 LAGs can have up to 8 associated physical ports.

    LAG

    LACPDU

    Link Aggregation Control Protocol Data Unit. The protocol exchanges aggregation state/mode information by way of a ports actor and partner operational states. LACPDUs sent by the first party (the actor) convey to the second party (the actors protocol partner) what the actor knows, both about its own state and that of its partner. An actor is the local device sending LACPDUs. Its protocol partner is the device on the other end of the link aggregation. Each maintains current status of the other via LACPDUs containing information about their ports LACP status and operational state. Value assigned to aggregator ports and physical ports that are candidates for joining a LAG. The LACP implementation on SecureStack C2 devices will use this value to form an oper key and will determine which underlying physical ports are capable of aggregating by comparing oper keys. Aggregator ports allow only underlying ports with oper keys matching theirs to join their LAG. On SecureStack C2 devices, the default admin key value is 32768. Value used to build a LAG ID, which determines aggregation precedence. If there are two partner devices competing for the same aggregator, LACP compares the LAG IDs for each grouping of ports. The LAG with the lower LAG ID is given precedence and will be allowed to use the aggregator. Note: Only one LACP system priority can be set on a SecureStack C2 device, using either the set lacp asyspri command (page 7-43), or the set port lacp command (page 7-48).

    Actor and Partner

    Admin Key

    System Priority

    SecureStack C2 Usage Considerations


    Innormalusage(andtypicalimplementations)thereisnoneedtomodifyanyofthedefault LACPparametersontheswitch.Thedefaultvalueswillresultinthemaximumnumberof aggregationspossible.Iftheswitchisplacedinaconfigurationwithitspeersnotrunningthe protocol,nodynamiclinkaggregationswillbeformedandtheswitchwillfunctionnormally(that

    SecureStack C2 Configuration Guide

    7-39

    Link Aggregation Control Protocol (LACP)

    is,willblockredundantpaths).Forinformationaboutbuildingstaticaggregations,refertoset lacpstatic(page 744). EachSecureStackC2moduleprovidessixvirtuallinkaggregatorports,whicharedesignatedin theCLIaslag.0.1throughlag.0.6.EachLAGcanhaveuptoeightassociatedphysicalports.Once underlyingphysicalports(forexample,fe.x.x,orge.x.x)areassociatedwithanaggregatorport, theresultingaggregationwillberepresentedasoneLAGwithalag.0.xportdesignation.LACP determineswhichunderlyingphysicalportsarecapableofaggregatingbycomparingoperational keys.AggregatorportsallowonlyunderlyingportswithkeysmatchingtheirstojointheirLAG. LACPusesasystempriorityvaluetobuildaLAGID,whichdeterminesaggregationprecedence. Iftherearetwopartnerdevicescompetingforthesameaggregator,LACPcomparestheLAGIDs foreachgroupingofports.TheLAGwiththelowerLAGIDisgivenprecedenceandwillbe allowedtousetheaggregator. Thereareafewcasesinwhichportswillnotaggregate: Anunderlyingphysicalportisattachedtoanotherportonthissameswitch(loopback). ThereisnoavailableaggregatorfortwoormoreportswiththesameLAGID.Thiscan happeniftherearesimplynoavailableaggregators,orifnoneoftheaggregatorshavea matchingadminkeyandsystempriority. 802.1xauthenticationisenabledusingtheseteapolcommand(page 2319)andportsthat wouldotherwiseaggregatearenot802.1Xauthorized.

    TheLACPimplementationontheSecureStackC2devicewillallowuptoeightphysicalportsinto aLAG.ThedevicewiththelowestLAGIDdetermineswhichunderlyingphysicalportsare allowedintoaLAGbasedontheportsLAGportpriority.PortswiththelowestLAGportpriority valuesareallowedintotheLAGandallotherspeedgroupingsgointoastandbystate. MultiportLAGswillcontinuetooperateaslongasthereisatleastoneactiveportintheLAG. Therefore,thereisnoneedtocreatebackupsingleportLAGsortospecificallyassigntheLAGand allitsphysicalportstotheegresslistoftheLAGsVLAN. Typically,twoormoreportsarerequiredtoformaLAG.However,youcanenablethecreationof singleportLAGsasdescribedinsetlacpsingleportlagonpage746.IfasingleportLAGgoes downandtheswitchstaysup,theswitchwillreconfiguretheLAGtothesameLAGnumberifthe portcomesbackup.
    Note: To aggregate, underlying physical ports must be running in full duplex mode and must be of the same operating speed.

    Commands
    For information about... show lacp set lacp set lacp asyspri set lacp aadminkey clear lacp set lacp static clear lacp static Refer to page... 7-41 7-42 7-43 7-43 7-44 7-44 7-45

    7-40

    Port Configuration

    show lacp

    For information about... set lacp singleportlag clear lacp singleportlag show port lacp set port lacp clear port lacp

    Refer to page... 7-46 7-45 7-47 7-48 7-50

    show lacp
    Usethiscommandtodisplayinformationaboutoneormoreaggregatorports.

    Syntax
    show lacp [port-string]

    Parameters
    portstring (Optional)DisplaysLACPinformationforspecificLAGport(s).Valid portdesignationsarelag.0.16.

    Defaults
    Ifportstringisnotspecified,linkaggregationinformationforallLAGswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Usage
    EachSecureStackC2moduleprovides6virtuallinkaggregatorports,whicharedesignatedinthe CLIaslag.0.1throughlag.0.6.Onceunderlyingphysicalports(thatis,ge.x.x)areassociatedwith anaggregatorport,theresultingaggregationwillberepresentedasoneLinkAggregationGroup (LAG)withalag.x.xportdesignation.

    Example
    Thisexampleshowshowtodisplaylacpinformationforlag.0.1.Thefollowingtabledescribesthe outputfields.
    C2(su)->show lacp lag.0.1 Global Link Aggregation state: enabled Single Port LAGs: disabled Aggregator: lag.0.1 System Identifier: System Priority: Admin Key: Oper Key: Attached Ports: Actor 00:01:F4:5F:1E:20 32768 32768 32768 ge.1.1 ge.1.3 Partner 00:11:88:11:74:F9 32768 0

    Table 76providesanexplanationofthecommandoutput.

    SecureStack C2 Configuration Guide

    7-41

    set lacp

    Table 7-6

    show lacp Output Details


    What It Displays... Shows if LACP is enabled or disabled on the switch. Displays if the single port LAG feature has been enabled on the switch. See set lacp singleportlag on page 7-46 for more about single port LAG. LAG port designation. Each SecureStack C2 module provides 6 virtual link aggregator ports, which are designated in the CLI as lag.0.1 through lag.0.6. Once underlying physical ports (for example, fe.x.x) are associated with an aggregator port, the resulting Link Aggregation Group (LAG) is represented with a lag.x.x port designation. Local device participating in LACP negotiation. Remote device participating in LACP negotiation. MAC addresses for actor and partner. System priority value which determines aggregation precedence. Only one LACP system priority can be set on a SecureStack C2 device, using either the set lacp asyspri command (page 7-43), or the set port lacp command (page 7-48). Ports assigned key. SecureStack C2 devices provide a default admin key value of 32768 for all LAG ports (lag.0.1 though lag.0.6). Ports operational key, derived from the admin key. Only underlying physical ports with oper keys matching the aggregators will be allowed to aggregate. Underlying physical ports associated with this aggregator.

    Output Field Global Link Aggregation state Single Port LAGs Aggregator

    Actor Partner System Identifier System Priority

    Admin Key Oper Key Attached Ports

    set lacp
    UsethiscommandtodisableorenabletheLinkAggregationControlProtocol(LACP)onthe device.

    Syntax
    set lacp {disable | enable}

    Parameters
    disable|enable DisablesorenablesLACP.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtodisableLACP:
    C2(su)->set lacp disable

    7-42

    Port Configuration

    set lacp asyspri

    set lacp asyspri


    UsethiscommandtosettheLACPsystempriority.

    Syntax
    set lacp asyspri value

    Parameters
    asyspri value SetsthesystemprioritytobeusedincreatingaLAG(LinkAggregation Group)ID.Validvaluesare0to65535. Specifiesasystempriorityvalue.Validvaluesare0to65535,with precedencegiventolowervalues.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    LACPusesthisvaluetodetermineaggregationprecedence.Iftherearetwopartnerdevices competingforthesameaggregator,LACPcomparestheLAGIDsforeachgroupingofports.The LAGwiththelowerLAGIDisgivenprecedenceandwillbeallowedtousetheaggregator.

    Example
    ThisexampleshowshowtosettheLACPsystempriorityto1000:
    C2(su)->set lacp asyspri 1000

    set lacp aadminkey


    Usethiscommandtosettheadministrativelyassignedkeyforoneormoreaggregatorports.

    Syntax
    set lacp aadminkey port-string value

    Parameters
    portstring value SpecifiestheLAGport(s)onwhichtoassignanadminkey. Specifiesanadminkeyvaluetoset.Validvaluesare0to65535.The defaultadminkeyvalueis32768.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    7-43

    clear lacp

    Usage
    LACPwillusethisvaluetoformanoperkey.Onlyunderlyingphysicalportswithoperkeys matchingthoseoftheiraggregatorswillbeallowedtoaggregate.Thedefaultadminkeyvaluefor allLAGportsis32768.

    Example
    ThisexampleshowshowtosettheLACPadminkeyto2000forLAGport6:
    C2(su)->set lacp aadminkey lag.0.6 2000

    clear lacp
    UsethiscommandtoclearLACPsystempriorityoradminkeysettings.

    Syntax
    clear lacp {[asyspri] [aadminkey port-string]}

    Parameters
    asyspri aadminkeyportstring Clearssystempriority. Resetsadminkeysforoneormoreportstothedefaultvalueof32768.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtocleartheactoradminkeyforLAGport6:
    C2(su)->clear lacp aadminkey lag.0.6

    set lacp static


    Usethiscommandtodisableorenablestaticlinkaggregation,ortoassignoneormoreunderlying physicalportstoaLinkAggregationGroup(LAG).

    Syntax
    set lacp static {disable | enable} | lagportstring [key] port-string

    Parameters
    disable|enable lagportstring Disablesorenablesstaticlinkaggregation. SpecifiestheLAGaggregatorporttowhichnewportswillbeassigned.

    7-44

    Port Configuration

    clear lacp static

    key

    (Optional)SpecifiesthenewmemberportandLAGportaggregator adminkeyvalue.Onlyportswithmatchingkeysareallowedto aggregate.Validvaluesare065535.


    Note: This key value must be unique. If ports other than the desired underlying physical ports share the same admin key value, aggregation will fail or undesired aggregations will form.

    portstring

    Specifiesthememberport(s)toaddtotheLAG.Foradetaileddescription ofpossibleportstringvalues,refertoPortStringSyntaxUsedintheCLI onpage72.

    Defaults
    Ifnotspecified,akeywillbeassignedaccordingtothespecifiedaggregator.Forexampleakeyof4 wouldbeassignedtolag.0.4.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoaddportge.1.6totheLAGofaggregatorport6:
    C2(su)->set lacp static lag.0.6 ge.1.6

    clear lacp static


    UsethiscommandtoremovespecificportsfromaLinkAggregationGroup.

    Syntax
    clear lacp static lagportstring port-string

    Parameters
    lagportstring portstring SpecifiestheLAGaggregatorportfromwhichportswillberemoved. Specifiestheport(s)toremovefromtheLAG.Foradetaileddescriptionof possibleportstringvalues,refertoPortStringSyntaxUsedintheCLI onpage72.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoremovege.1.6fromtheLAGofaggregatorport6:
    C2(su)->clear lacp static lag.0.6 ge.1.6

    SecureStack C2 Configuration Guide

    7-45

    set lacp singleportlag

    set lacp singleportlag


    UsethiscommandtoenableordisabletheformationofsingleportLAGs.

    Syntax
    set lacp singleportlag {enable | disable}

    Parameters
    disable|enable EnablesordisablestheformationofsingleportLAGs.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    WhensingleportLAGsareenabled,LinkAggregrationGroupscanbeformedwhenonlyone portisreceivingprotocoltransmissionsfromapartner.Whenthissettingisdisabled,twoormore portsarerequiredtoformaLAG. ThissettinghasnoeffectonexistingLAGscreatedwithmultiplememberports.Italsodoesnot preventpreviouslyformedLAGsfromcomingupaftertheyhavegonedown,aslongasany previousLAGmemberportscomeupconnectedtothesameswitchasbeforetheLAGwent down.

    Example
    ThisexampleenablestheformationofsingleportLAGs:
    C2(su)->set lacp singleportlag enable

    clear lacp singleportlag


    UsethiscommandtoresetthesingleportLAGfunctionbacktothedefaultstateofdisabled.

    Syntax
    clear lacp singleportlag

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    7-46

    Port Configuration

    show port lacp

    Example
    ThisexampleshowshowtoresetthesingleportLAGfunctionbacktodisabled:
    C2(su)->clear lacp singleportlag

    show port lacp


    Usethiscommandtodisplaylinkaggregationinformationforoneormoreunderlyingphysical ports.

    Syntax
    show port lacp port port-string {[status {detail | summary}] | [counters]}

    Parameters
    portportstring DisplaysLACPinformationforspecificport(s).Foradetaileddescription ofpossibleportstringvalues,refertoPortStringSyntaxUsedintheCLI onpage72. DisplaysLACPstatusindetailedorsummaryinformation. DisplaysLACPcounterinformation.

    statusdetail| summary counters

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Usage
    Statedefinitions,suchasActorAdminStateandPartnerAdminState,areindicatedwithletter abbreviations.Iftheshowportlacpcommanddisplaysoneormoreofthefollowingletters,it meansthestateistruefortheassociatedactororpartnerports: E=Expired F=Defaulted D=Distributing(txenabled) C=Collecting(rxenabled) S=Synchronized(actorandpartneragree) G=Aggregationallowed S/l=Short/LongLACPtimeout A/p=Active/PassiveLACP

    Formoreinformationaboutthesestates,refertosetportlacp(page 748)andtheIEEE802.32002 specification.

    Examples
    ThisexampleshowshowtodisplaydetailedLACPstatusinformationforportge.1.12:
    C2(su)-> show port lacp port ge.1.12 status detail
    SecureStack C2 Configuration Guide 7-47

    set port lacp

    Port Instance: ge.1.12 ActorPort: 1411 ActorSystemPriority: 32768 ActorPortPriority: 32768 ActorAdminKey: 32768 ActorOperKey: 32768 ActorAdminState: -----GlA ActorOperState: -F----lA ActorSystemID: 00-e0-63-9d-b5-87 SelectedAggID: none AttachedAggID: none MuxState: Detached DebugRxState: port Disabled

    PartnerAdminPort: 1411 PartnerOperPort: 1411 PartnerAdminSystemPriority: 32768 PartnerOperSystemPriority: 32768 PartnerAdminPortPriority: 32768 PartnerOperPortPriority: 32768 PartnerAdminKey: 1411 PartnerOperKey: 1411 PartnerAdminState: --DCSGlp PartnerOperState: --DC-Glp PartnerAdminSystemID: 00-00-00-00-00-00 PartnerOperSystemID: 00-00-00-00-00-00

    ThisexampleshowshowtodisplaysummarizedLACPstatusinformationforportge.1.12:
    C2(su)->show port lacp port ge.1.12 status summary Port Aggr Actor System Partner System Pri: System ID: Key: Pri: System ID: Key: ge.1.12 none [(32768,00e0639db587,32768),(32768,000000000000, 1411)]

    ThisexampleshowshowtodisplayLACPcountersforportge.1.12:
    C2(su)->show port lacp port ge.1.12 counters Port Instance: ge.1.12 LACPDUsRx: 11067 LACPDUsTx: 0 IllegalRx: 0 UnknownRx: 0 MarkerPDUsRx: 0 MarkerPDUsTx: 0 MarkerResponsePDUsRx: 0 MarkerResponsePDUsTx: 374

    set port lacp


    Usethiscommandtosetlinkaggregationparametersforoneormoreports.Thesesettingswill determinethespecifiedunderlyingphysicalportsabilitytojoinaLAG,andtheiradministrative stateonceaggregated.

    Syntax
    set port lacp port port-string {[aadminkey aadminkey] [aadminstate {lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire}] [aportpri aportpri] [asyspri asyspri] [enable | [disable] [padminkey padminkey] [padminport padminport] [padminportpri padminportpri] [padminstate {lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire}] [padminsysid padminsysid] [padminsyspri padminsyspri]

    Parameters
    portportstring Specifiesthephysicalport(s)onwhichtoconfigureLACP.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage72. Setstheportsactoradminkey.LACPwillusethisvaluetoformanoper keyandwilldeterminewhichunderlyingphysicalportsarecapableof aggregatingbycomparingoperkeys.Aggregatorportsallowonly underlyingportswithoperkeysmatchingtheirstojointheirLAG.Valid valuesare165535.Thedefaultkeyvalueis32768.

    aadminkey aadminkey

    7-48

    Port Configuration

    set port lacp

    aadminstate lacpactive| lacptimeout| lacpagg|lacpsync |lacpcollect| lacpdist|lacpdef| lacpexpire

    SetstheportsactorLACPadministrativestatetoallowfor: lacpactiveTransmittingLACPPDUs. lacptimeoutTransmittingLACPPDUsevery1sec.vs30sec.(default). lacpaggAggregationonthisport. lacpsyncTransitiontosynchronizationstate. lacpcollectTransitiontocollectionstate. lacpdistTransitiontodistributionstate. lacpdefTransitiontodefaultedstate. lacpexpireTransitiontoexpiredstate.

    aportpriaportpri asyspriasyspri

    Setstheportsactorportpriority.Validvaluesare065535,withlower valuesdesignatinghigherpriority. Setstheportsactorsystempriority.TheLACPimplementationonthe SecureStackC2deviceusesthisvaluetodetermineaggregation precedencewhentherearetwodevicescompetingforthesame aggregator.Validvaluesare065535,withhigherprecedencegivento lowervalues.


    Note: Only one LACP system priority can be set on a SecureStack C2 device, using either this command, or the set lacp asyspri command (set lacp asyspri on page 7-43).

    enable disable padminkey padminkey padminport padminport padminportpri padminportpri

    (Optional)EnablesLACPDUprocessingonthisport. (Optional)DisablesLACPDUprocessingonthisport. Setsadefaultvaluetouseastheportspartneradminkey.Onlyportswith matchingadminkeysareallowedtoaggregate.Validvaluesare165535. Setsadefaultvaluetouseastheportspartneradminvalue.Validvalues are165535. Setsadefaultvaluetouseastheportspartnerportpriority.Validvalues are065535,withlowervaluesgivenhigherpriority.

    padminstate SetsaportspartnerLACPadministrativestate.Seeaadminstateforvalid lacpactive| options. lacptimeout| lacpagg|lacpsync |lacpcollect| lacpdist|lacpdef| lacpexpire padminsysid padminsysid padminsyspri padminsyspri SetsadefaultvaluetouseastheportspartnersystemID.ThisisaMAC address. Setsadefaultvaluetouseastheportspartnerpriority.Validvaluesare0 65535,withlowervaluesgivenhigherpriority.

    Defaults
    Atleastoneparametermustbeenteredperportstring. Ifenableordisablearenotspecified,port(s)willbeenabledwiththeLACPparametersentered.

    SecureStack C2 Configuration Guide

    7-49

    clear port lacp

    Mode
    Switchcommand,readwrite.

    Usage
    LACPcommandsandparametersbeginningwithana(suchasaadminkey)setactorvalues. Correspondingcommandsandparametersbeginningwithap(suchaspadminkey)set correspondingpartnervalues.ActorreferstothelocaldeviceparticipatinginLACPnegotiation, whilepartnerreferstoitsremotedevicepartnerattheotherendofthenegotiation.Actorsand partnersmaintaincurrentstatusoftheotherviaLACPDUscontaininginformationabouttheir portsLACPstatusandoperationalstate.

    Example
    Thisexampleshowshowtosettheactoradminkeyto3555forportge.3.16:
    C2(su)->set port lacp ge.3.16 aadminkey 3555

    clear port lacp


    Usethiscommandtoclearlinkaggregationsettingsforoneormoreports.

    Syntax
    clear port lacp port port-string {[aadminkey] [aportpri] [asyspri] [aadminstate {lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire | all}] [padminsyspri] [padminsysid] [padminkey] [padminportpri] [padminport] [padminstate {lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire | all}]}

    Parameters
    portportstring Specifiesthephysicalport(s)onwhichLACPsettingswillbecleared.For adetaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage72. Clearsaportsactoradminkey. Clearsaportsactorportpriority. Clearstheportsactorsystempriority.

    aadminkey aportpri asyspri

    Clearsaportsspecificactoradminstate,orallactoradminstate(s).For aadminstate descriptionsofspecificstates,refertothesetportlacpcommand(set lacpactive| portlacponpage748). lacptimeout| lacpagg|lacpsync |lacpcollect| lacpdist|lacpdef| lacpexpire|all padminsyspri padminsysid padminkey padminportpri Clearstheportsdefaultpartnerpriorityvalue. ClearstheportsdefaultpartnersystemID. Clearstheportsdefaultpartneradminkey. Clearstheportsdefaultpartnerportpriority.

    7-50

    Port Configuration

    clear port lacp

    padminport

    DeletesapartnerportfromtheLACPconfiguration.

    Clearstheportsspecificpartneradminstate,orallpartneradminstate(s). padminstate lacpactive| lacptimeout| lacpagg|lacpsync |lacpcollect| lacpdist|lacpdef| lacpexpire|all

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    IfyousetaporttoLACPpassiveusingthecommandclearportlacpport<portstring> aadminstatelacpactive,thecommandclearportlacpport<portstring>aadminstatelacptimeout willalsobeaddedtotheconfiguration.Ifyouunsetthefirstcommand,itwillremovethesecond commandautomaticallyfromtheconfigurationfile.

    Example
    Thisexampleshowshowtoclearalllinkaggregationparametersforportge.3.16:
    C2(su)->clear port lacp port ge.3.16

    SecureStack C2 Configuration Guide

    7-51

    Configuring Protected Ports

    Configuring Protected Ports


    TheProtectedPortfeatureisusedtopreventportsfromforwardingtraffictoeachother,even whentheyareonthesameVLAN.Portsmaybedesignatedaseitherprotectedorunprotected. Portsareunprotectedbydefault.Multiplegroupsofprotectedportsaresupported.

    Protected Port Operation


    Portsthatareconfiguredtobeprotectedcannotforwardtraffictootherprotectedportsinthe samegroup,regardlessofhavingthesameVLANmembership.However,protectedportscan forwardtraffictoportswhichareunprotected(notlistedinanygroup).Protectedportscanalso forwardtraffictoprotectedportsinadifferentgroup,iftheyareinthesameVLAN.Unprotected portscanforwardtraffictobothprotectedandunprotectedports.Aportmaybelongtoonlyone groupofprotectedports. Thisfeatureonlyappliestoportswithinaswitchorastack.Itdoesnotapplyacrossmultiple switchesinanetwork.

    Commands
    For information about... set port protected show port protected clear port protected set port protected name show port protected name clear port protected name Refer to page... 7-52 7-53 7-53 7-54 7-54 7-55

    set port protected


    Usethiscommandtospecifyaporttobeprotectedandassigntheporttoagroupofprotected ports.Aportcanbeassignedtoonlyonegroup.

    Syntax
    set port protected port-string group-id

    Parameters
    portstring groupid Specifiestheportorportstobeprotected. Specifiestheidofthegrouptowhichtheportsshouldbeassigned.Idcan rangefrom0to2.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    7-52

    Port Configuration

    show port protected

    Example
    Thisexampleshowshowtoassignportsge.1.1throughge.1.3toprotectedportgroup1:
    C2(rw)->set port protected ge.1.1-3 1

    show port protected


    Usethiscommandtodisplayinformationabouttheportsconfiguredforprotectedmode.

    Syntax
    show port protected [port-string] | [group-id]

    Parameters
    portstring groupid (Optional)Specifiestheportorportsforwhichtodisplayinformation. (Optional)Specifiestheidofthegroupforwhichtodisplayinformation. Idcanrangefrom0to2.

    Defaults
    Ifnoparametersareentered,informationaboutallprotectedportsisdisplayed.

    Mode
    Readonly.

    Example
    Thisexampleshowshowtodisplayinformationaboutallprotectedports:
    C2(ro)->show port protected Group id Port ---------------------1 ge.1.1 1 ge.1.2 1 ge.1.3

    clear port protected


    Usethiscommandtoremoveaportorgroupfromprotectedmode.

    Syntax
    clear port protected [port-string] | [group-id]

    Parameters
    portstring groupid (Optional)Specifiestheportorportstoremovefromprotectedmode. (Optional)Specifiestheidofthegrouptoremovefromprotectedmode. Idcanrangefrom0to2.

    Defaults
    Ifnoparametersareentered,allprotectedportsandgroupsarecleared.

    SecureStack C2 Configuration Guide

    7-53

    set port protected name

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoclearprotectedportsge.1.1throughge.1.3:
    C2(rw)->clear port protected ge.1.1-3

    set port protected name


    Usethiscommandtoassignanametoaprotectedportgroupid.

    Syntax
    set port protected name group-id name

    Parameters
    groupid name Specifiestheidofthisgroup.Idcanrangefrom0to2. Specifiesanameforthegroup.Thenamecanbeupto32charactersin length.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoassignthenamegroup1toprotectedportgroup1:
    C2(rw)->set port protected name 1 group1

    show port protected name


    Usethiscommandtodisplaythenameforthegroupidsspecified.

    Syntax
    show port protected name group-id

    Parameters
    groupid Specifiestheidofthegrouptodisplay.Idcanrangefrom0to2.

    Defaults
    None.

    Mode
    Readonly.
    7-54 Port Configuration

    clear port protected name

    Example
    Thisexampleshowshowtoshowthenameofprotectedportgroup1:
    C2(ro)->show port protected name 1 Group ID Group Name ----------------------------1 group1

    clear port protected name


    Usethiscommandtoclearthenameofaprotectedgroup.

    Syntax
    clear port protected name group-id

    Parameters
    groupid Specifiestheidofthegroupforwhichtoclearthename.Idcanrange from0to2.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoclearthenameofprotectedportgroup1:
    C2(rw)->clear port protected name 1

    SecureStack C2 Configuration Guide

    7-55

    clear port protected name

    7-56

    Port Configuration

    8
    SNMP Configuration
    ThischapterdescribestheSimpleNetworkManagementProtocol(SNMP)setofcommandsand howtousethem.
    For information about... SNMP Configuration Summary Reviewing SNMP Statistics Configuring SNMP Users, Groups, and Communities Configuring SNMP Access Rights Configuring SNMP MIB Views Configuring SNMP Target Parameters Configuring SNMP Target Addresses Configuring SNMP Notification Parameters Creating a Basic SNMP Trap Configuration Refer to page... 8-1 8-3 8-8 8-15 8-19 8-22 8-25 8-28 8-37

    SNMP Configuration Summary


    SNMPisanapplicationlayerprotocolthatfacilitatestheexchangeofmanagementinformation betweennetworkdevices.SNMPenablesnetworkadministratorstomanagenetwork performance,findandsolvenetworkproblems,andplanfornetworkgrowth. SecureStackC2devicessupportthreeversionsofSNMP: Version1(SNMPv1)ThisistheinitialimplementationofSNMP.RefertoRFC1157forafull descriptionoffunctionality. Version2(SNMPv2c)ThesecondreleaseofSNMP,describedinRFC1907,hasadditions andenhancementstodatatypes,countersize,andprotocoloperations. Version3(SNMPv3)ThisisthemostrecentversionofSNMP,andincludessignificant enhancementstoadministrationandsecurity.SNMPv3isfullydescribedinRFC2571, RFC 2572,RFC2573,RFC2574,andRFC2575.

    SNMPv1 and SNMPv2c


    ThecomponentsofSNMPv1andSNMPv2cnetworkmanagementfallintothreecategories: Manageddevices(suchasaswitch). SNMPagentsandMIBs,includingSNMPtraps,communitystrings,andRemoteMonitoring (RMON)MIBs,whichrunonmanageddevices.
    SecureStack C2 Configuration Guide 8-1

    SNMP Configuration Summary

    SNMPnetworkmanagementapplications,suchastheEnterasysNetSightapplication,which communicatewithagentstogetstatisticsandalertsfromthemanageddevices.

    SNMPv3
    SNMPv3isaninteroperablestandardsbasedprotocolthatprovidessecureaccesstodevicesby authenticatingandencryptingframesoverthenetwork.Theadvancedsecurityfeaturesprovided inSNMPv3areasfollows: MessageintegrityCollectsdatasecurelywithoutbeingtamperedwithorcorrupted. AuthenticationDeterminesthemessageisfromavalidsource. EncryptionScramblesthecontentsofaframetopreventitfrombeingseenbyan unauthorizedsource.

    UnlikeSNMPv1andSNMPv2c,inSNMPv3,theconceptofSNMPagentsandSNMPmanagersno longerapply.TheseconceptshavebeencombinedintoanSNMPentity.AnSNMPentityconsists ofanSNMPengineandSNMPapplications.AnSNMPengineconsistsofthefollowingfour components: DispatcherThiscomponentsendsandreceivesmessages. MessageprocessingsubsystemThiscomponentacceptsoutgoingPDUsfromthe dispatcherandpreparesthemfortransmissionbywrappingtheminamessageheaderand returningthemtothedispatcher.Themessageprocessingsubsystemalsoacceptsincoming messagesfromthedispatcher,processeseachmessageheader,andreturnstheenclosedPDU tothedispatcher. SecuritysubsystemThiscomponentauthenticatesandencryptsmessages. AccesscontrolsubsystemThiscomponentdetermineswhichusersandwhichoperations areallowedaccesstomanagedobjects.

    About SNMP Security Models and Levels


    AnSNMPsecuritymodelisanauthenticationstrategythatissetupforauserandthegroupin whichtheuserresides.Asecuritylevelisthepermittedlevelofsecuritywithinasecuritymodel. ThethreelevelsofSNMPsecurityare:Noauthenticationrequired(NoAuthNoPriv); authenticationrequired(AuthNoPriv);andprivacy(authPriv).Acombinationofasecuritymodel andasecurityleveldetermineswhichsecuritymechanismisemployedwhenhandlinganSNMP frame.Table 81identifiesthelevelsofSNMPsecurityavailableonSecureStackC2devicesand authenticationrequiredwithineachmodel. Table 8-1
    Model v1 v2c

    SNMP Security Levels


    Security Level NoAuthNoPriv NoAuthNoPriv Authentication Community string Community string Encryption None None How It Works Uses a community string match for authentication. Uses a community string match for authentication.

    8-2

    SNMP Configuration

    Reviewing SNMP Statistics

    Table 8-1
    Model v3

    SNMP Security Levels (Continued)


    Security Level NoAuthNoPriv AuthNoPriv Authentication User name MD5 or SHA Encryption None None How It Works Uses a user name match for authentication. Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides DES 56-bit encryption in addition to authentication based on the CBCDES (DES-56) standard.

    authPriv

    MD5 or SHA

    DES

    Using SNMP Contexts to Access Specific MIBs


    Bydefault,whenoperatingfromtheswitchCLI,SecureStackC2devicesallowaccesstoallSNMP MIBsorcontexts.AcontextisacollectionofMIBobjects,oftenassociatedwithaparticular physicalorlogicaldevice. Ifnooptionalcontextparametersareconfiguredforv1andv2communitynamesandv3user groups,thesegroupsareabletoaccessallSNMPMIBobjectswheninswitchmode. SpecifyingacontextparameterwhensettingupSNMPusergroupwouldpermitorrestrictthe groupsswitchmanagementaccesstotheMIB(s)specifiedbythecontext(MIBobjectID)value. AllSNMPcontextsknowntothedevicecanbedisplayedusingtheshowsnmpcontextcommand asdescribedinshowsnmpcontextonpage 820.

    Example
    ThisexamplepermitsthepowergrouptomanageallMIBsviaSNMPv3:
    C2(su)->set snmp access powergroup security-model usm

    Configuration Considerations
    CommandsforconfiguringSNMPontheSecureStackC2deviceareindependentduringthe SNMPsetupprocess.Forinstance,targetparameterscanbespecifiedwhensettingupoptional notificationfilterseventhoughtheseparametershavenotyetbeencreatedwiththesetsnmp targetparamscommand.

    Reviewing SNMP Statistics


    Purpose
    ToreviewSNMPstatistics.

    SecureStack C2 Configuration Guide

    8-3

    show snmp engineid

    Commands
    For information about... show snmp engineid show snmp counters Refer to page... 8-4 8-5

    show snmp engineid


    UsethiscommandtodisplaytheSNMPlocalengineID.ThisistheSNMPv3engines administrativelyuniqueidentifier.

    Syntax
    show snmp engineid

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaySNMPengineproperties:
    C2(su)->show snmp engineid EngineId: 80:00:15:f8:03:00:e0:63:9d:b5:87 Engine Boots = 12 Engine Time = 162181 Max Msg Size = 2048

    Table 82providesanexplanationofthecommandoutput. Table 8-2 show snmp engineid Output Details


    What It Displays... String identifying the SNMP agent on the device. Number of times the SNMP engine has been started or reinitialized. Time in seconds since last reboot. Maximum accepted length, in bytes, of SNMP frame.

    Output Field EngineId Engine Boots Engine Time Max Msg Size

    8-4

    SNMP Configuration

    show snmp counters

    show snmp counters


    UsethiscommandtodisplaySNMPtrafficcountervalues.

    Syntax
    show snmp counters

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaySNMPcountervalues
    C2(su)->show snmp counters --- mib2 SNMP group counters: snmpInPkts = 396601 snmpOutPkts = 396601 snmpInBadVersions = 0 snmpInBadCommunityNames = 0 snmpInBadCommunityUses = 0 snmpInASNParseErrs = 0 snmpInTooBigs = 0 snmpInNoSuchNames = 0 snmpInBadValues = 0 snmpInReadOnlys = 0 snmpInGenErrs = 0 snmpInTotalReqVars = 403661 snmpInTotalSetVars = 534 snmpInGetRequests = 290 snmpInGetNexts = 396279 snmpInSetRequests = 32 snmpInGetResponses = 0 snmpInTraps = 0 snmpOutTooBigs = 0 snmpOutNoSuchNames = 11 snmpOutBadValues = 0 snmpOutGenErrs = 0 snmpOutGetRequests = 0 snmpOutGetNexts = 0 snmpOutSetRequests = 0 snmpOutGetResponses = 396601 snmpOutTraps = 0 snmpSilentDrops = 0 snmpProxyDrops = 0 --- USM Stats counters: usmStatsUnsupportedSecLevels = 0 usmStatsNotInTimeWindows = 0 usmStatsUnknownUserNames = 0

    SecureStack C2 Configuration Guide

    8-5

    show snmp counters

    usmStatsUnknownEngineIDs usmStatsWrongDigests usmStatsDecryptionErrors

    = 0 = 0 = 0

    Table 83providesanexplanationofthecommandoutput. Table 8-3 show snmp counters Output Details


    What It Displays... Number of messages delivered to the SNMP entity from the transport service. Number of SNMP messages passed from the SNMP protocol entity to the transport service. Number of SNMP messages delivered to the SNMP entity for an unsupported SNMP version. Number of SNMP messages delivered to the SNMP entity that used an SNMP community name not known to the entity. Number of SNMP messages delivered to the SNMP entity that represented an SNMP operation not allowed by the SNMP community named in the message. Number of ASN.1 (Abstract Syntax Notation) or BER (Basic Encoding Rules) errors encountered by the SNMP entity when decoding received SNMP messages. Number of SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as tooBig. Number of SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as noSuchName. Number of SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as badValue. Number of valid SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as "readOnly." Number of SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as "genErr." Number of MIB objects retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP Get-Request and Get-Next PDUs. Number of MIB objects altered successfully by the SNMP protocol entity as the result of receiving valid SNMP Set-Request PDUs. Number of SNMP Get-Request PDUs accepted and processed by the SNMP protocol entity. Number of SNMP Get-Next PDUs accepted and processed by the SNMP protocol entity. Number of SNMP Set-Request PDUs accepted and processed by the SNMP protocol entity. Number of SNMP Get-Response PDUs accepted and processed by the SNMP protocol entity. Number of SNMP Trap PDUs accepted and processed by the SNMP protocol entity. Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status field as "tooBig." Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status as "noSuchName."

    Output Field snmpInPkts snmpOutPkts snmpInBadVersions snmpInBadCommunityNames snmpInBadCommunityUses

    snmpInASNParseErrs

    snmpInTooBigs snmpInNoSuchNames snmpInBadValues snmpInReadOnlys snmpInGenErrs snmpInTotalReqVars

    snmpInTotalSetVars snmpInGetRequests snmpInGetNexts snmpInSetRequests snmpInGetResponses snmpInTraps snmpOutTooBigs snmpOutNoSuchNames

    8-6

    SNMP Configuration

    show snmp counters

    Table 8-3

    show snmp counters Output Details (Continued)


    What It Displays... Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status field as "badValue." Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status field as "genErr." Number of SNMP Get-Request PDUs generated by the SNMP protocol entity. Number of SNMP Get-Next PDUs generated by the SNMP protocol entity. Number of SNMP Set-Request PDUs generated by the SNMP protocol entity. Number of SNMP Get-Response PDUs generated by the SNMP protocol entity. Number of SNMP Trap PDUs generated by the SNMP protocol entity. Number of SNMP Get, Set, or Inform request error messages that were dropped because the reply was larger than the requestors maximum message size. Number of SNMP Get, Set, or Inform request error messages that were dropped because the reply was larger than the proxy targets maximum message size. Number of packets received by the SNMP engine that were dropped because they requested a security level that was unknown to the SNMP engine or otherwise unavailable. Number of packets received by the SNMP engine that were dropped because they appeared outside of the authoritative SNMP engine's window. Number of packets received by the SNMP engine that were dropped because they referenced a user that was not known to the SNMP engine. Number of packets received by the SNMP engine that were dropped because they referenced an snmpEngineID that was not known to the SNMP engine. Number of packets received by the SNMP engine that were dropped because they did not contain the expected digest value. Number of packets received by the SNMP engine that were dropped because they could not be decrypted.

    Output Field snmpOutBadValues snmpOutGenErrs snmpOutGetRequests snmpOutGetNexts snmpOutSetRequests snmpOutGetResponses snmpOutTraps snmpSilentDrops

    snmpProxyDrops

    usmStatsUnsupportedSec Levels usmStatsNotInTimeWindows

    usmStatsUnknownUserNames

    usmStatsUnknownEngineIDs

    usmStatsWrongDigests usmStatsDecriptionErrors

    SecureStack C2 Configuration Guide

    8-7

    Configuring SNMP Users, Groups, and Communities

    Configuring SNMP Users, Groups, and Communities


    Purpose
    ToreviewandconfigureSNMPusers,groups,andv1andv2communities.Thesearedefinedas follows: UserApersonregisteredinSNMPv3toaccessSNMPmanagement. GroupAcollectionofuserswhosharethesameSNMPaccessprivileges. CommunityAnameusedtoauthenticateSNMPv1andv2users.

    Commands
    For information about... show snmp user set snmp user clear snmp user show snmp group set snmp group clear snmp group show snmp community set snmp community clear snmp community Refer to page... 8-8 8-9 8-10 8-11 8-12 8-12 8-13 8-14 8-14

    show snmp user


    UsethiscommandtodisplayinformationaboutSNMPusers.Thesearepeopleregisteredto accessSNMPmanagement.

    Syntax
    show snmp user [list] | [user] | [remote remote] [volatile | nonvolatile | readonly]

    Parameters
    list user remoteremote (Optional)DisplaysalistofregisteredSNMPusernames. (Optional)Displaysinformationaboutaspecificuser. (Optional)DisplaysinformationaboutusersonaspecificremoteSNMP engine.

    volatile|nonvolatile (Optional)Displaysuserinformationforaspecifiedstoragetype. |readonly

    Defaults
    Iflistisnotspecified,detailedSNMPinformationwillbedisplayed.

    8-8

    SNMP Configuration

    set snmp user

    Ifuserisnotspecified,informationaboutallSNMPuserswillbedisplayed. Ifremoteisnotspecified,userinformationaboutthelocalSNMPenginewillbedisplayed. Ifnotspecified,userinformationforallstoragetypeswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Examples
    ThisexampleshowshowtodisplayanSNMPuserlist:
    C2(su)->show snmp user list --- SNMP user information ----- List of registered users: Guest admin1 admin2 netops

    ThisexampleshowshowtodisplayinformationfortheSNMPguestuser:
    (su)->show snmp user guest --- SNMP user information --EngineId: 00:00:00:63:00:00:00:a1:00:00:00:00 Username = Guest Auth protocol = usmNoAuthProtocol Privacy protocol = usmNoPrivProtocol Storage type = nonVolatile Row status = active

    Table 84providesanexplanationofthecommandoutput. Table 8-4 show snmp user Output Details


    Output Field EngineId Username Auth protocol Privacy protocol Storage type Row status What It Displays... SNMP local engine identifier. SNMPv1 or v2 community name or SNMPv3 user name. Type of authentication protocol applied to this user. Whether a privacy protocol is applied when authentication protocol is in use. Whether entry is stored in volatile, nonvolatile or read-only memory. Status of this entry: active, notInService, or notReady.

    set snmp user


    UsethiscommandtocreateanewSNMPv3user.

    Syntax
    set snmp user user [remote remoteid] [authentication {md5 | sha}] [authpassword] [privacy privpassword] [volatile | nonvolatile]

    SecureStack C2 Configuration Guide

    8-9

    clear snmp user

    Parameters
    user remoteremoteid SpecifiesanamefortheSNMPv3user. (Optional)RegisterstheuseronaspecificremoteSNMPengine.

    authenticationmd5 (Optional)SpecifiestheauthenticationtyperequiredforthisuserasMD5 |sha orSHA. authpassword (Optional)Specifiesapasswordforthisuserwhenauthenticationis required.Minimumof8characters.

    privacyprivpassword (Optional)Appliesencryptionandspecifiesanencryptionpassword. Minimumof8characters. volatile| nonvolatile (Optional)Specifiesastoragetypeforthisuserentry.

    Defaults
    Ifremoteisnotspecified,theuserwillberegisteredforthelocalSNMPengine. Ifauthenticationisnotspecified,noauthenticationwillbeapplied. Ifprivacyisnotspecified,noencryptionwillbeapplied. Ifstoragetypeisnotspecified,nonvolatilewillbeapplied.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtocreateanewSNMPusernamednetops.Bydefault,thisuserwillbe registeredonthelocalSNMPenginewithoutauthenticationandencryption.Entriesrelatedtothis userwillbestoredinpermanent(nonvolatile)memory:
    C2(su)->set snmp user netops

    clear snmp user


    UsethiscommandtoremoveauserfromtheSNMPv3securitymodellist.

    Syntax
    clear snmp user user [remote remote]

    Parameters
    user remoteremote SpecifiesanSNMPv3usertoremove. (Optional)RemovestheuserfromaspecificremoteSNMPengine.

    Defaults
    Ifremoteisnotspecified,theuserwillberemovedfromthelocalSNMPengine.

    Mode
    Switchcommand,readwrite.

    8-10

    SNMP Configuration

    show snmp group

    Example
    ThisexampleshowshowtoremovetheSNMPusernamedbill:
    C2(su)->clear snmp user bill

    show snmp group


    UsethiscommandtodisplayanSNMPgroupconfiguration.AnSNMPgroupisacollectionof SNMPv3userswhosharethesameaccessprivileges.

    Syntax
    show snmp group [groupname groupname] [user user] [security-model {v1 | v2c | usm}] [volatile | nonvolatile | read-only]

    Parameters
    groupname groupname useruser (Optional)DisplaysinformationforaspecificSNMPgroup. (Optional)Displaysinformationaboutuserswithinthespecifiedgroup.

    securitymodelv1| (Optional)Displaysinformationaboutgroupsassignedtoaspecific v2c|usm securitySNMPmodel. volatile| nonvolatile|read only (Optional)DisplaysSNMPgroupinformationforaspecifiedstoragetype.

    Defaults
    Ifgroupnameisnotspecified,informationaboutallSNMPgroupswillbedisplayed. Ifuserisnotspecified,informationaboutallSNMPuserswillbedisplayed. Ifsecuritymodelisnotspecified,userinformationaboutallSNMPversionswillbedisplayed. Ifnotspecified,informationforallstoragetypeswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaySNMPgroupinformation:
    C2(su)->show snmp group --- SNMP group information --Security model = SNMPv1 Security/user name = public Group name = Anyone Storage type = nonVolatile Row status = active Security model Security/user name Group name Storage type Row status = = = = = SNMPv1 public.router1 Anyone nonVolatile active

    SecureStack C2 Configuration Guide

    8-11

    set snmp group

    Table 85providesanexplanationofthecommandoutput. Table 8-5 show snmp group Output Details


    Output Field Security model Security/user name Group name Storage type Row status What It Displays... SNMP version associated with this group. User belonging to the SNMP group. Name of SNMP group. Whether entry is stored in volatile, nonvolatile or read-only memory. Status of this entry: active, notInService, or notReady.

    set snmp group


    UsethiscommandtocreateanSNMPgroup.ThisassociatesSNMPv3userstoagroupthatshares commonaccessprivileges.

    Syntax
    set snmp group groupname user user security-model {v1 | v2c | usm} [volatile | nonvolatile]

    Parameters
    groupname useruser SpecifiesanSNMPgroupnametocreate. SpecifiesanSNMPv3usernametoassigntothegroup.

    securitymodelv1| SpecifiesanSNMPsecuritymodeltoassigntothegroup. v2c|usm volatile| nonvolatile (Optional)SpecifiesastoragetypeforSNMPentriesassociatedwiththe group.

    Defaults
    Ifstoragetypeisnotspecified,nonvolatilestoragewillbeapplied.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtocreateanSNMPgroupcalledanyone,assignausernamedpublic andassignSNMPv3securitytothegroup:
    C2(su)->set snmp group anyone user public security-model usm

    clear snmp group


    UsethiscommandtoclearSNMPgroupsettingsgloballyorforaspecificSNMPgroupanduser.

    Syntax
    clear snmp group groupname user [security-model {v1 | v2c | usm}]

    8-12

    SNMP Configuration

    show snmp community

    Parameters
    groupname user SpecifiestheSNMPgrouptobecleared. SpecifiestheSNMPusertobecleared.

    securitymodelv1| (Optional)Clearsthesettingsassociatedwithaspecificsecuritymodel. v2c|usm

    Defaults
    If not specified, settings related to all security models will be cleared.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoclearallsettingsassignedtothepublicuserwithintheSNMPgroup anyone:
    C2(su)->clear snmp group anyone public

    show snmp community


    UsethiscommandtodisplaySNMPcommunitynamesandstatus.InSNMPv1andv2, communitynamesactaspasswordstoremotemanagement.

    Syntax
    show snmp community [name]

    Parameters
    name (Optional)DisplaysSNMPinformationforaspecificcommunityname.

    Defaults
    Ifnameisnotspecified,informationwillbedisplayedforallSNMPcommunities.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayinformationabouttheSNMPpubliccommunityname.For adescriptionofthisoutput,refertosetsnmpcommunity(page814).
    C2(su)->show snmp community public --- Configured community strings --Name Security name Context Transport tag Storage type Status = = = = = = ********* public

    nonVolatile active

    SecureStack C2 Configuration Guide

    8-13

    set snmp community

    set snmp community


    UsethiscommandtoconfigureanSNMPcommunitygroup.

    Syntax
    set snmp community community [securityname securityname] [context context] [transport transport] [volatile | nonvolatile]

    Parameters
    community securityname securityname contextcontext Specifiesacommunitygroupname. (Optional)SpecifiesanSNMPsecuritynametoassociatewiththis community. (Optional)Specifiesasubsetofmanagementinformationthiscommunity willbeallowedtoaccess.Validvaluesarefullorpartialcontextnames.To reviewallcontextsconfiguredforthedevice,usetheshowsnmpcontext commandasdescribedinshowsnmpcontextonpage 820. (Optional)SpecifiesthesetoftransportendpointsfromwhichSNMP requestwiththiscommunitynamewillbeaccepted.Makesalinktoa targetaddresstable. (Optional)Specifiesthestoragetypefortheseentries.

    transporttransport

    volatile| nonvolatile

    Defaults
    Ifsecuritynameisnotspecified,thecommunitynamewillbeused. Ifcontextisnotspecified,accesswillbegrantedforthedefaultcontext. Iftransporttagisnotspecified,nonewillbeapplied. Ifstoragetypeisnotspecified,nonvolatilewillbeapplied.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetanSNMPcommunitynamecalledvip
    C2(su)->set snmp community vip

    clear snmp community


    UsethiscommandtodeleteanSNMPcommunityname.

    Syntax
    clear snmp community name

    Parameters
    name SpecifiestheSNMPcommunitynametoclear.

    8-14

    SNMP Configuration

    Configuring SNMP Access Rights

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtodeletethecommunitynamevip.
    C2(su)->clear snmp community vip

    Configuring SNMP Access Rights


    Purpose
    ToreviewandconfigureSNMPaccessrights,assigningviewingprivilegesandsecuritylevelsto SNMPusergroups.

    Commands
    For information about... show snmp access set snmp access clear snmp access Refer to page... 8-15 8-17 8-18

    show snmp access


    UsethiscommandtodisplayaccessrightsandsecuritylevelsconfiguredforSNMPoneormore groups.

    Syntax
    show snmp access [groupname] [security-model {v1 | v2c | usm}] [noauthentication | authentication | privacy] [context context] [volatile | nonvolatile | read-only]

    Parameters
    groupname (Optional)DisplaysaccessinformationforaspecificSNMPv3group. securitymodelv1| (Optional)DisplaysaccessinformationforSNMPsecuritymodelversion v2c|usm 1,2cor3(usm). noauthentication| authentication| privacy (Optional)Displaysaccessinformationforaspecificsecuritylevel.

    SecureStack C2 Configuration Guide

    8-15

    show snmp access

    contextcontext

    (Optional)Displaysaccessinformationforaspecificcontext.Fora descriptionofhowtospecifySNMPcontexts,refertoUsingSNMP ContextstoAccessSpecificMIBsonpage 83. (Optional)Displaysaccessentriesforaspecificstoragetype.

    volatile| nonvolatile|read only

    Defaults
    Ifgroupnameisnotspecified,accessinformationforallSNMPgroupswillbedisplayed. Ifsecuritymodelisnotspecified,accessinformationforallSNMPversionswillbedisplayed. Ifnoauthentication,authenticationorprivacyarenotspecified,accessinformationforall securitylevelswillbedisplayed. Ifcontextisnotspecified,allcontextswillbedisplayed. Ifvolatile,nonvolatileorreadonlyarenotspecified,allentriesofallstoragetypeswillbe displayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaySNMPaccessinformation:
    C2(su)->show snmp Group = Security model = Security level = Read View = Write View = Notify View = Context match = Storage type = Row status = Group Security model Security level Read View Write View Notify View Context match Storage type Row status = = = = = = = = = access SystemAdmin USM noAuthNoPriv All All exact match nonVolatile active NightOperator USM noAuthNoPriv All All exact match nonVolatile active

    Table 86providesanexplanationofthecommandoutput. Table 8-6 show snmp access Output Details


    What It Displays... SNMP group name. Security model applied to this group. Valid types are: SNMPv1, SNMPv2c, and SNMPv3 (User based - USM).

    Output Field Group Security model

    8-16

    SNMP Configuration

    set snmp access

    Table 8-6

    show snmp access Output Details (Continued)


    What It Displays... Security level applied to this group. Valid levels are: noAuthNoPrivacy (no authentication required) AuthNoPrivacy (authentication required) authPriv (privacy -- most secure level)

    Output Field Security level

    Read View Write View Notify View Context match Storage type Row status

    Name of the view that allows this group to view SNMP MIB objects. Name of the view that allows this group to configure the contents of the SNMP agent. Name of the view that allows this group to send an SNMP trap message. Whether or not SNMP context match must be exact (full context name match) or a partial match with a given prefix. Whether access entries for this group are stored in volatile, nonvolatile or read-only memory. Status of this entry: active, notInService, or notReady.

    set snmp access


    UsethiscommandtosetanSNMPaccessconfiguration.

    Syntax
    set snmp access groupname security-model {v1 | v2c | usm} [noauthentication | authentication | privacy] [context context] [exact | prefix] [read read] [write write] [notify notify] [volatile | nonvolatile]

    Parameters
    groupname SpecifiesanameforanSNMPv3group. securitymodelv1| SpecifiesSNMPversion1,2cor3(usm). v2c|usm noauthentication| authentication| privacy (Optional)AppliesSNMPsecuritylevelasnoauthentication, authentication(withoutprivacy)orprivacy.Privacyspecifiesthat messagessentonbehalfoftheuserareprotectedfromdisclosure.

    contextcontextexact (Optional)Setsthecontextforthisaccessconfigurationandspecifiesthat |prefix thematchmustbeexact(matchingthewholecontextstring)oraprefix matchonly.ContextisasubsetofmanagementinformationthisSNMP groupwillbeallowedtoaccess.Validvaluesarefullorpartialcontext names.Toreviewallcontextsconfiguredforthedevice,usetheshow snmpcontextcommandasdescribedinshowsnmpcontexton page 820. readread writewrite notifynotify volatile| nonvolatile|read only (Optional)Specifiesareadaccessview. (Optional)Specifiesawriteaccessview. (Optional)Specifiesanotifyaccessview. (Optional)StoresassociatedSNMPentriesastemporaryorpermanent,or readonly.

    SecureStack C2 Configuration Guide

    8-17

    clear snmp access

    Defaults
    Ifsecuritylevelisnotspecified,noauthenticationwillbeapplied. Ifcontextisnotspecified,accesswillbeenabledforthedefaultcontext.Ifcontextisspecified withoutacontextmatch,exactmatchwillbeapplied. Ifreadviewisnotspecifiednonewillbeapplied. Ifwriteviewisnotspecified,nonewillbeapplied. Ifnotifyviewisnotspecified,nonewillbeapplied. Ifstoragetypeisnotspecified,entrieswillbestoredaspermanentandwillbeheldthroughdevice reboot.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexamplepermitsthepowergrouptomanageallMIBsviaSNMPv3:
    C2(su)->set snmp access powergroup security-model usm

    clear snmp access


    UsethiscommandtocleartheSNMPaccessentryofaspecificgroup,includingitssetSNMP securitymodel,andlevelofsecurity.

    Syntax
    clear snmp access groupname security-model {v1 | v2c | usm} [noauthentication | authentication | privacy] [context context]

    Parameters
    groupname SpecifiesthenameoftheSNMPgroupforwhichtoclearaccess. securitymodelv1| SpecifiesthesecuritymodeltobeclearedfortheSNMPaccessgroup. v2c|usm noauthentication| authentication| privacy contextcontext (Optional)ClearsaspecificsecuritylevelfortheSNMPaccessgroup.

    (Optional)ClearsaspecificcontextfortheSNMPaccessgroup.Enter// toclearthedefaultcontext.

    Defaults
    Ifsecuritylevelisnotspecified,alllevelswillbecleared. Ifcontextisnotspecified,nonewillbeapplied.

    Mode
    Switchcommand,readwrite.

    8-18

    SNMP Configuration

    Configuring SNMP MIB Views

    Example
    ThisexampleshowshowtoclearSNMPversion3accessforthemisgroupviathe authenticationprotocol:
    C2(su)->clear snmp access mis-group security-model usm authentication

    Configuring SNMP MIB Views


    Purpose
    ToreviewandconfigureSNMPMIBviews.SNMPviewsmapSNMPobjectstoaccessrights.

    Commands
    For information about... show snmp view show snmp context set snmp view clear snmp view Refer to page... 8-19 8-20 8-21 8-22

    show snmp view


    UsethiscommandtodisplaytheMIBconfigurationforSNMPv3viewbasedaccess(VACM).

    Syntax
    show snmp view [viewname] [subtree oid-or-mibobject] [volatile | nonvolatile | read-only]

    Parameters
    viewname subtreeoidormibobject volatile|nonvolatile| readonly (Optional)DisplaysinformationforaspecificMIBview. (Optional)DisplaysinformationforaspecificMIBsubtreewhen viewnameisspecified. (Optional)Displaysentriesforaspecificstoragetype.

    Defaults
    Ifnoparametersarespecified,allSNMPMIBviewconfigurationinformationwillbedisplayed.

    Mode
    Switchcommand,readonly.

    SecureStack C2 Configuration Guide

    8-19

    show snmp context

    Example
    ThisexampleshowshowtodisplaySNMPMIBviewconfigurationinformation:
    C2(su)->show snmp view --- SNMP MIB View information --View Name = All Subtree OID = 1 Subtree mask = View Type = included Storage type = nonVolatile Row status = active View Name Subtree OID Subtree mask View Type Storage type Row status View Name Subtree OID Subtree mask View Type Storage type Row status = = = = = = = = = = = = All 0.0 included nonVolatile active Network 1.3.6.1.2.1 included nonVolatile active

    Table 87providesanexplanationofthecommandoutput.Fordetailsonusingthesetsnmpview commandtoassignvariables,refertosetsnmpviewonpage 821. Table 8-7 show snmp view Output Details
    What It Displays... Name assigned to a MIB view. Name identifying a MIB subtree. Bitmask applied to a MIB subtree. Whether or not subtree use must be included or excluded for this view. Whether storage is in nonVolatile or Volatile memory Status of this entry: active, notInService, or notReady.

    Output Field View Name Subtree OID Subtree mask View Type Storage type Row status

    show snmp context


    UsethiscommandtodisplaythecontextlistconfigurationforSNMPsviewbasedaccesscontrol.

    Syntax
    show snmp context

    Parameters
    None.

    Defaults
    None.

    8-20

    SNMP Configuration

    set snmp view

    Mode
    Switchcommand,readonly.

    Usage
    AnSNMPcontextisacollectionofmanagementinformationthatcanbeaccessedbyanSNMP agentorentity.ThedefaultcontextallowsallSNMPagentstoaccessallmanagementinformation (MIBs).Whencreatedusingthesetsnmpaccesscommand(setsnmpaccessonpage 817),other contextscanbeappliedtolimitaccesstoasubsetofmanagementinformation.

    Example
    ThisexampleshowshowtodisplayalistofallSNMPcontextsknowntothedevice:
    C2(su)->show snmp context --- Configured contexts: default context (all mibs)

    set snmp view


    UsethiscommandtosetaMIBconfigurationforSNMPv3viewbasedaccess(VACM).

    Syntax
    set snmp view viewname viewname subtree subtree [mask mask] [included | excluded] [volatile | nonvolatile]

    Parameters
    viewnameviewname SpecifiesanameforaMIBview. subtreesubtree maskmask included| excluded volatile| nonvolatile SpecifiesaMIBsubtreename. (Optional)Specifiesabitmaskforasubtree. (Optional)Specifiessubtreeuse(default)ornosubtreeuse. (Optional)Specifiestheuseoftemporaryorpermanent(default)storage.

    Defaults
    Ifnotspecified,maskwillbesetto255.255.255.255 Ifnotspecified,subtreeusewillbeincluded. Ifstoragetypeisnotspecified,nonvolatile(permanent)willbeapplied.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetanSNMPMIBviewtopublicwithasubtreenameof1.3.6.1 included:
    C2(su)->set snmp view viewname public subtree 1.3.6.1 included

    SecureStack C2 Configuration Guide

    8-21

    clear snmp view

    clear snmp view


    UsethiscommandtodeleteanSNMPv3MIBview.

    Syntax
    clear snmp view viewname subtree

    Parameters
    viewname subtree SpecifiestheMIBviewnametobedeleted. SpecifiesthesubtreenameoftheMIBviewtobedeleted.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtodeleteSNMPMIBviewpublic:
    C2(su)->clear snmp view public 1.3.6.1

    Configuring SNMP Target Parameters


    Purpose
    ToreviewandconfigureSNMPtargetparameters.Thiscontrolswhereandunderwhat circumstancesSNMPnotificationswillbesent.Atargetparameterentrycanbeboundtoatarget IPaddressallowedtoreceiveSNMPnotificationmessageswiththesetsnmptargetaddr command(setsnmptargetaddronpage 826).

    Commands
    For information about... show snmp targetparams set snmp targetparams clear snmp targetparams Refer to page... 8-22 8-24 8-24

    show snmp targetparams


    UsethiscommandtodisplaySNMPparametersusedtogenerateamessagetoatarget.

    Syntax
    show snmp targetparams [targetParams] [volatile | nonvolatile | read-only]

    8-22

    SNMP Configuration

    show snmp targetparams

    Parameters
    targetParams volatile|nonvolatile| readonly (Optional)Displaysentriesforaspecifictargetparameter. (Optional)Displaystargetparameterentriesforaspecificstorage type.

    Defaults
    IftargetParamsisnotspecified,entriesassociatedwithalltargetparameterswillbedisplayed. Ifnotspecified,entriesofallstoragetypeswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaySNMPtargetparametersinformation:
    C2(su)->show snmp targetparams --- SNMP TargetParams information --Target Parameter Name = v1ExampleParams Security Name = public Message Proc. Model = SNMPv1 Security Level = noAuthNoPriv Storage type = nonVolatile Row status = active Target Parameter Name = v2cExampleParams Security Name = public Message Proc. Model = SNMPv2c Security Level = noAuthNoPriv Storage type = nonVolatile Row status = active Target Parameter Name Security Name Message Proc. Model Security Level Storage type Row status = = = = = = v3ExampleParams CharlieDChief USM authNoPriv nonVolatile active

    Table 88providesanexplanationofthecommandoutput. Table 8-8 show snmp targetparams Output Details


    Output Field Target Parameter Name Security Name Message Proc. Model Security Level What It Displays... Unique identifier for the parameter in the SNMP target parameters table. Maximum length is 32 bytes. Security string definition. SNMP version. Type of security level (auth: security level is set to use authentication protocol, noauth: security level is not set to use authentication protocol, or privacy). Whether entry is stored in volatile, nonvolatile or read-only memory. Status of this entry: active, notInService, or notReady.

    Storage type Row status

    SecureStack C2 Configuration Guide

    8-23

    set snmp targetparams

    set snmp targetparams


    UsethiscommandtosetSNMPtargetparameters,anamedsetofsecurity/authorizationcriteria usedtogenerateamessagetoatarget.

    Syntax
    set snmp targetparams paramsname user user security-model {v1 | v2c | usm} messageprocessing {v1 | v2c | v3} [noauthentication | authentication | privacy] [volatile | nonvolatile]

    Parameters
    paramsname useruser SpecifiesanameidentifyingparametersusedtogenerateSNMPmessages toaparticulartarget. SpecifiesanSNMPv1orv2communitynameoranSNMPv3username. Maximumlengthis32bytes.

    securitymodelv1| SpecifiestheSNMPsecuritymodelappliedtothistargetparameteras v2c|usm version1,2cor3(usm). message SpecifiestheSNMPmessageprocessingmodelappliedtothistarget processingv1|v2c parameterasversion1,2cor3. |v3 noauthentication| authentication| privacy volatile| nonvolatile (Optional)SpecifiestheSNMPsecuritylevelappliedtothistarget parameterasnoauthentication,authentication(withoutprivacy)or privacy.Privacyspecifiesthatmessagessentonbehalfoftheuserare protectedfromdisclosure. (Optional)Specifiesthestoragetypeappliedtothistargetparameter.

    Defaults
    None. Ifnotspecified,securitylevelwillbesettonoauthentication. Ifnotspecified,storagetypewillbesettononvolatile.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetSNMPtargetparametersnamedv1ExampleParamsforauser namedfredusingversion3securitymodelandmessageprocessing,andauthentication:
    C2(su)->set snmp targetparams v1ExampleParams user fred security-model usm message-processing v3 authentication

    clear snmp targetparams


    UsethiscommandtocleartheSNMPtargetparameterconfiguration.

    Syntax
    clear snmp targetparams targetParams

    8-24

    SNMP Configuration

    Configuring SNMP Target Addresses

    Parameters
    targetParams SpecifiesthenameoftheparameterintheSNMPtargetparameterstable tobecleared.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoclearSNMPtargetparametersnamedv1ExampleParams:
    C2(su)->clear snmp targetparams v1ExampleParams

    Configuring SNMP Target Addresses


    Purpose
    ToreviewandconfigureSNMPtargetaddresseswhichwillreceiveSNMPnotificationmessages. AnaddressconfigurationcanbelinkedtooptionalSNMPtransmit,ortarget,parameters(suchas timeout,retrycount,andUDPport)setwiththesetsnmptargetparamscommand(page824).

    Commands
    For information about... show snmp targetaddr set snmp targetaddr clear snmp targetaddr Refer to page... 8-25 8-26 8-28

    show snmp targetaddr


    UsethiscommandtodisplaySNMPtargetaddressinformation.

    Syntax
    show snmp targetaddr [targetAddr] [volatile | nonvolatile | read-only]

    Parameters
    targetAddr (Optional)Displaysinformationforaspecifictargetaddressname. volatile|nonvolatile (Optional)Whentargetaddressisspecified,displaystargetaddress |readonly informationforaspecificstoragetype.

    Defaults
    IftargetAddrisnotspecified,entriesforalltargetaddressnameswillbedisplayed.

    SecureStack C2 Configuration Guide

    8-25

    set snmp targetaddr

    Ifnotspecified,entriesofallstoragetypeswillbedisplayedforatargetaddress.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaySNMPtargetaddressinformation:
    C2(su)->show snmp targetaddr Target Address Name = labmachine Tag List = v2cTrap IP Address = 10.2.3.116 UDP Port# = 162 Target Mask = 255.255.255.255 Timeout = 1500 Retry count = 4 Parameters = v2cParams Storage type = nonVolatile Row status = active

    Table 89providesanexplanationofthecommandoutput. Table 8-9 show snmp targetaddr Output Details


    What It Displays... Unique identifier in the snmpTargetAddressTable. Tags a location to the target address as a place to send notifications. Target IP address. Number of the UDP port of the target host to use. Target IP address mask. Timeout setting for the target address. Retry setting for the target address. Entry in the snmpTargetParamsTable. Whether entry is stored in volatile, nonvolatile or read-only memory. Status of this entry: active, notInService, or notReady.

    Output Field Target Address Name Tag List IP Address UDP Port# Target Mask Timeout Retry count Parameters Storage type Row status

    set snmp targetaddr


    UsethiscommandtoconfigureanSNMPtargetaddress.Thetargetaddressisauniqueidentifier andaspecificIPaddressthatwillreceiveSNMPnotificationmessagesanddeterminewhich communitystringswillbeaccepted.ThisaddressconfigurationcanbelinkedtooptionalSNMP transmitparameters(suchastimeout,retrycount,andUDPport).

    Syntax
    set snmp targetaddr targetaddr ipaddr param param [udpport udpport] [mask mask] [timeout timeout] [retries retries] [taglist taglist] [volatile | nonvolatile]

    8-26

    SNMP Configuration

    set snmp targetaddr

    Parameters
    targetaddr ipaddr paramparam udpportudpport maskmask timeouttimeout SpecifiesauniqueidentifiertoindexthesnmpTargetAddrTable. Maximumlengthis32bytes. SpecifiestheIPaddressofthetarget. SpecifiesanentryintheSNMPtargetparameterstable,whichisused whengeneratingamessagetothetarget.Maximumlengthis32bytes. (Optional)SpecifieswhichUDPportofthetargethosttouse. (Optional)SpecifiestheIPmaskofthetarget. (Optional)Specifiesthemaximumroundtriptimeallowedto communicatetothistargetaddress.Thisvalueisin.01secondsandthe defaultis1500(15seconds.) (Optional)Specifiesthenumberofmessageretriesallowedifaresponseis notreceived.Defaultis3. (Optional)SpecifiesalistofSNMPnotifytagvalues.Thistagsalocation tothetargetaddressasaplacetosendnotifications.Listmustbeenclosed inquotesandtagvaluesmustbeseparatedbyaspace(forexample, tag1tag2). (Optional)Specifiestemporary(default),orpermanentstorageforSNMP entries.

    retriesretries taglisttaglist

    volatile| nonvolatile

    Defaults
    Ifnotspecified,udpportwillbesetto162. Ifnotspecified,maskwillbesetto255.255.255.255 Ifnotspecified,timeoutwillbesetto1500. Ifnotspecified,numberofretrieswillbesetto3. Iftaglistisnotspecified,nonewillbeset. Ifnotspecified,storagetypewillbenonvolatile.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoconfigureatrapnotificationcalledTrapSink.Thistrapnotification willbesenttotheworkstation192.168.190.80(whichistargetaddresstr).Itwillusesecurity andauthorizationcriteriacontainedinatargetparametersentrycalledv2cExampleParams.For moreinformationonconfiguringabasicSNMPtrap,refertoCreatingaBasicSNMPTrap Configurationonpage 837:
    C2(su)->set snmp targetaddr tr 192.168.190.80 param v2cExampleParams taglist TrapSink

    SecureStack C2 Configuration Guide

    8-27

    clear snmp targetaddr

    clear snmp targetaddr


    UsethiscommandtodeleteanSNMPtargetaddressentry.

    Syntax
    clear snmp targetaddr targetAddr

    Parameters
    targetAddr Specifiesthetargetaddressentrytodelete.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoclearSNMPtargetaddressentrytr:
    C2(su)->clear snmp targetaddr tr

    Configuring SNMP Notification Parameters


    About SNMP Notify Filters
    ProfilesindicatingwhichtargetsshouldnotreceiveSNMPnotificationmessagesarekeptinthe NotifyFiltertable.Ifthistableisempty,meaningthatnofilteringisassociatedwithanySNMP target,thennofilteringwilltakeplace.Trapsorinformsnotificationswillbesenttoall destinationsintheSNMPtargetAddrTablethathavetagsmatchingthosefoundinthe NotifyTable. WhentheNotifyFiltertablecontainsprofileentries,theSNMPagentwillfindanyfilterprofile namethatcorrespondstothetargetparameternamecontainedinanoutgoingnotification message.Itwillthenapplytheappropriatesubtreespecificfilterwhengeneratingnotification messages.

    Purpose
    ToconfigureSNMPnotificationparametersandoptionalfilters.Notificationsareentitieswhich handlethegenerationofSNMPv1andv2trapsorSNMPv3informsmessagestoselect managementtargets.Optionalnotificationfiltersidentifywhichtargetsshouldnotreceive notifications.ForasampleSNMPtrapconfigurationshowinghowSNMPnotificationparameters areassociatedwithsecurityandauthorizationcriteria(targetparameters)andmappedtoa managementtargetaddress,refertoCreatingaBasicSNMPTrapConfigurationonpage 837.

    8-28

    SNMP Configuration

    show newaddrtrap

    Commands
    For information about... show newaddrtrap set newaddrtrap show snmp notify set snmp notify clear snmp notify show snmp notifyfilter set snmp notifyfilter clear snmp notifyfilter show snmp notifyprofile set snmp notifyprofile clear snmp notifyprofile Refer to page... 8-29 8-30 8-30 8-31 8-32 8-33 8-34 8-34 8-35 8-36 8-36

    show newaddrtrap
    UsethiscommandtodisplaytheglobalandportspecificstatusoftheSNMPnewMACaddresses trapfunction.

    Syntax
    show newaddrtrap [port-string]

    Parameters
    portstring (Optional)DisplaysthestatusofthenewMACaddressestrapfunction onspecificports.

    Defaults
    Ifportstringisnotspecified,thestatusofthenewMACaddressestrapfunctionwillbedisplayed forallports.

    Mode
    Switchcommand,readonly.

    Usage
    Bydefault,thisfunctionisdisabledgloballyandperport.

    Example
    ThisexampledisplaysthestatusforGigabitEthernetports1through5inslot1.
    C2(ro)->show newaddrtrap ge.1.1-5 New Address Traps Globally disabled Port Enable State --------- ------------

    SecureStack C2 Configuration Guide

    8-29

    set newaddrtrap

    ge.1.1 ge.1.2 ge.1.3 ge.1.4 ge.1.5

    disabled disabled disabled disabled disabled

    set newaddrtrap
    UsethiscommandtoenableordisableSNMPtrapmessaging,globallyorononeormoreports, whennewsourceMACaddressesaredetected.

    Syntax
    set newaddrtrap [port-string] {enable | disable}

    Parameters
    portstring enable|disable (Optional)EnableordisablethenewMACaddressestrapfunctionon specificports. EnableordisablethenewMACaddressestrapfunction.Ifentered withouttheportstringparameter,enablesordisablesthefunction globally.Whenenteredwiththeportstringparameter,enablesor disablesthefunctiononspecificports.

    Defaults
    Ifportstringisnotspecified,thetrapfunctionissetglobally.

    Mode
    Switchmode,readwrite.

    Usage
    ThiscommandenablesanddisablessendingSNMPtrapmessageswhenanewsourceMAC addressisdetectedbyaport.IftheportisaCDPport,however,trapsfornewsourceMAC addresseswillnotbesent. Thedefaultmodeisdisabledgloballyandperport.

    Example=
    ThisexampleenablesthetrapfunctiongloballyandthenonGigabitEthernetports1through5in slot1.
    C2(rw)->set newaddrtrap enable C2(rw)->set newaddrtrap ge.1.1-5 enable

    show snmp notify


    UsethiscommandtodisplaytheSNMPnotifyconfiguration,whichdeterminesthemanagement targetsthatwillreceiveSNMPnotifications.

    Syntax
    show snmp notify [notify] [volatile | nonvolatile | read-only]

    8-30

    SNMP Configuration

    set snmp notify

    Parameters
    notify volatile| nonvolatile|read only (Optional)Displaysnotifyentriesforaspecificnotifyname. (Optional)Displaysnotifyentriesforaspecificstoragetype.

    Defaults
    Ifanotifynameisnotspecified,allentrieswillbedisplayed. Ifvolatile,nonvolatile,orreadonlyarenotspecified,allstoragetypeentrieswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaytheSNMPnotifyinformation:
    C2(su)->show snmp notify --- SNMP notifyTable information --Notify name = 1 Notify Tag = Console Notify Type = trap Storage type = nonVolatile Row status = active Notify name Notify Tag Notify Type Storage type Row status = = = = = 2 TrapSink trap nonVolatile active

    Table 810providesanexplanationofthecommandoutput. Table 8-10


    Output Field Notify name Notify Tag Notify Type Storage type Row status

    show snmp notify Output Details


    What It Displays... A unique identifier used to index the SNMP notify table. Name of the entry in the SNMP notify table. Type of notification: SNMPv1 or v2 trap or SNMPv3 InformRequest message. Whether access entry is stored in volatile, nonvolatile, or read-only memory. Status of this entry: active, notInService, or notReady.

    set snmp notify


    UsethiscommandtosettheSNMPnotifyconfiguration.ThiscreatesanentryintheSNMPnotify table,whichisusedtoselectmanagementtargetswhoshouldreceivenotificationmessages.This

    SecureStack C2 Configuration Guide

    8-31

    clear snmp notify

    commandstagparametercanbeusedtobindeachentrytoatargetaddressusingthesetsnmp targetaddrcommand(setsnmptargetaddronpage 826).

    Syntax
    set snmp notify notify tag tag [trap | inform] [volatile | nonvolatile]

    Parameters
    notify tagtag trap|inform volatile| nonvolatile SpecifiesanSNMPnotifyname. SpecifiesanSNMPnotifytag.ThisbindsthenotifynametotheSNMP targetaddresstable. (Optional)SpecifiesSNMPv1orv2Trapmessages(default)orSNMPv3 InformRequestmessages. (Optional)Specifiestemporary(default),orpermanentstorageforSNMP entries.

    Defaults
    Ifnotspecified,messagetypewillbesettotrap. Ifnotspecified,storagetypewillbesettononvolatile.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetanSNMPnotifyconfigurationwithanotifynameofhelloanda notifytagofworld.Notificationswillbesentastrapmessagesandstoragetypewill automaticallydefaulttopermanent:
    C2(su)->set snmp notify hello tag world trap

    clear snmp notify


    UsethiscommandtoclearanSNMPnotifyconfiguration.

    Syntax
    clear snmp notify notify

    Parameters
    notify SpecifiesanSNMPnotifynametoclear.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    8-32

    SNMP Configuration

    show snmp notifyfilter

    Example
    ThisexampleshowshowtocleartheSNMPnotifyconfigurationforhello:
    C2(su)->clear snmp notify hello

    show snmp notifyfilter


    UsethiscommandtodisplaySNMPnotifyfilterinformation,identifyingwhichprofileswillnot receiveSNMPnotifications.

    Syntax
    show snmp notifyfilter [profile] [subtree oid-or-mibobject] [volatile | nonvolatile | read-only]

    Parameters
    profile subtreeoidor mibobject volatile| nonvolatile|read only (Optional)Displaysaspecificnotifyfilter. (Optional)Displaysanotifyfilterwithinaspecificsubtree. (Optional)Displaysnotifyfilterentriesofaspecificstoragetype.

    Defaults
    Ifnoparametersarespecified,allnotifyfilterinformationwillbedisplayed.

    Mode
    Switchcommand,readonly.

    Usage
    SeeAboutSNMPNotifyFiltersonpage 828formoreinformationaboutnotifyfilters.

    Example
    ThisexampleshowshowtodisplaySNMPnotifyfilterinformation.Inthiscase,thenotifyprofile pilot1insubtree1.3.6willnotreceiveSNMPnotificationmessages:
    C2(su)->show snmp notifyfilter --- SNMP notifyFilter information --Profile = pilot1 Subtree = 1.3.6 Filter type = included Storage type = nonVolatile Row status = active

    SecureStack C2 Configuration Guide

    8-33

    set snmp notifyfilter

    set snmp notifyfilter


    UsethiscommandtocreateanSNMPnotifyfilterconfiguration.Thisidentifieswhich managementtargetsshouldNOTreceivenotificationmessages,whichisusefulforfinetuningthe amountofSNMPtrafficgenerated.

    Syntax
    set snmp notifyfilter profile subtree oid-or-mibobject [mask mask] [included | excluded] [volatile | nonvolatile]

    Parameters
    profile subtreeoidor mibobject maskmask included| excluded volatile| nonvolatile SpecifiesanSNMPfilternotifyname. SpecifiesaMIBsubtreeIDtargetforthefilter. (Optional)Appliesasubtreemask. (Optional)Specifiesthatsubtreeisincludedorexcluded. (Optional)Specifiesastoragetype.

    Defaults
    Ifnotspecified,maskisnotset. Ifnotspecified,subtreewillbeincluded. Ifstoragetypeisnotspecified,nonvolatile(permanent)willbeapplied.

    Mode
    Switchcommand,readwrite.

    Usage
    SeeAboutSNMPNotifyFiltersonpage 828formoreinformationaboutnotifyfilters.

    Example
    ThisexampleshowshowtocreateanSNMPnotifyfiltercalledpilot1withaMIBsubtreeIDof 1.3.6:
    C2(su)->set snmp notifyfilter pilot1 subtree 1.3.6

    clear snmp notifyfilter


    UsethiscommandtodeleteanSNMPnotifyfilterconfiguration.

    Syntax
    clear snmp notifyfilter profile subtree oid-or-mibobject

    8-34

    SNMP Configuration

    show snmp notifyprofile

    Parameters
    profile subtreeoidor mibobject SpecifiesanSNMPfilternotifynametodelete. SpecifiesaMIBsubtreeIDcontainingthefiltertobedeleted.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtodeletetheSNMPnotifyfilterpilot1:
    C2(su)->clear snmp notifyfilter pilot1 subtree 1.3.6

    show snmp notifyprofile


    UsethiscommandtodisplaySNMPnotifyprofileinformation.Thisassociatestargetparameters toanSNMPnotifyfiltertodeterminewhoshouldnotreceiveSNMPnotifications.

    Syntax
    show snmp notifyprofile [profile] [targetparam targetparam] [volatile | nonvolatile | read-only]

    Parameters
    profile targetparam targetparam volatile| nonvolatile|read only (Optional)Displaysaspecificnotifyprofile. (Optional)Displaysentriesforaspecifictargetparameter. (Optional)Displaysnotifyfilterentriesofaspecificstoragetype.

    Defaults
    Ifnoparametersarespecified,allnotifyprofileinformationwillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaySNMPnotifyinformationfortheprofilenamedarea51:
    C2(su)->show snmp notifyprofile area51 --- SNMP notifyProfile information --Notify Profile = area51 TargetParam = v3ExampleParams Storage type = nonVolatile

    SecureStack C2 Configuration Guide

    8-35

    set snmp notifyprofile

    Row status

    = active

    set snmp notifyprofile


    UsethiscommandtocreateanSNMPnotifyfilterprofileconfiguration.Thisassociatesa notificationfilter,createdwiththesetsnmpnotifyfiltercommand(setsnmpnotifyfilteron page 834),toasetofSNMPtargetparameterstodeterminewhichmanagementtargetsshould notreceiveSNMPnotifications.

    Syntax
    set snmp notifyprofile profile targetparam targetparam [volatile | nonvolatile]

    Parameters
    profile targetparam targetparam volatile| nonvolatile SpecifiesanSNMPfilternotifyname. SpecifiesanassociatedentryintheSNMPTargetParamsTable. (Optional)Specifiesastoragetype.

    Defaults
    Ifstoragetypeisnotspecified,nonvolatile(permanent)willbeapplied.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtocreateanSNMPnotifyprofilenamedarea51andassociateatarget parametersentry.
    C2(su)->set snmp notifyprofile area51 targetparam v3ExampleParams

    clear snmp notifyprofile


    UsethiscommandtodeleteanSNMPnotifyprofileconfiguration.

    Syntax
    clear snmp notifyprofile profile targetparam targetparam

    Parameters
    profile targetparam targetparam SpecifiesanSNMPfilternotifynametodelete. SpecifiesanassociatedentryinthesnmpTargetParamsTable.

    Defaults
    None.

    8-36

    SNMP Configuration

    Creating a Basic SNMP Trap Configuration

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtodeleteSNMPnotifyprofilearea51:
    C2(su)->clear snmp notifyprofile area51 targetparam v3ExampleParams

    Creating a Basic SNMP Trap Configuration


    TrapsarenotificationmessagessentbyanSNMPv1orv2agenttoanetworkmanagementstation, aconsole,oraterminaltoindicatetheoccurrenceofasignificantevent,suchaswhenaportor devicegoesupordown,whenthereareauthenticationfailures,andwhenpowersupplyerrors occur.ThefollowingconfigurationexampleshowshowtouseCLIcommandstoassociateSNMP notificationparameterswithsecurityandauthorizationcriteria(targetparameters),andmapthe parameterstoamanagementtargetaddress.
    Note: This example illustrates how to configure an SNMPv2 trap notification. Creating an SNMPv1 or v3 Trap, or an SNMPv3 Inform notification would require using the same commands with different parameters, where appropriate. Always ensure that v1/v2 communities or v3 users used for generating traps or informs are pre-configured with enough privileges to access corresponding MIBs.

    CompleteanSNMPv2trapconfigurationonaSecureStackC2deviceasfollows: 1. 2. 3. CreateacommunitynamethatwillactasanSNMPuserpassword. CreateanSNMPtargetparametersentrytoassociatesecurityandauthorizationcriteriatothe usersinthecommunitycreatedinStep1. VerifyifanyapplicableSNMPnotificationentriesexist,orcreateanewone.Youwillusethis entrytosendSNMPnotificationmessagestotheappropriatemanagementtargetscreatedin Step 2. CreateatargetaddressentrytobindamanagementIPaddressto: ThenotificationentryandtagnamecreatedinStep3and ThetargetparametersentrycreatedinStep2.

    4.

    Table 811showsthecommandsusedtocompleteanSNMPv2trapconfigurationona SecureStackC2device. Table 8-11


    To do this... Create a community name. Create an SNMP target parameters entry. Verify if any applicable SNMP notification entries exist. Create a new notification entry. Create a target address entry.

    Basic SNMP Trap Configuration


    Use these commands... set snmp community set snmp targetparams show snmp notify set snmp notify set snmp targetaddr

    SecureStack C2 Configuration Guide

    8-37

    Creating a Basic SNMP Trap Configuration

    Example
    Thisexampleshowshowto: CreateanSNMPcommunitycalledmgmt. ConfigureatrapnotificationcalledTrapSink.

    Thistrapnotificationwillbesentwiththecommunitynamemgmttotheworkstation 192.168.190.80(whichistargetaddresstr).Itwillusesecurityandauthorizationcriteriacontained inatargetparametersentrycalledv2cExampleParams.


    C2(su)->set snmp community mgmt C2(su)->set snmp targetparams v2cExampleParams user mgmt security-model v2c message-processing v2c C2(su)->set snmp notify entry1 tag TrapSink C2(su)->set snmp targetaddr tr 192.168.190.80 param v2cExampleParams taglist TrapSink

    How SNMP Will Use This Configuration


    Inordertosendatrap/notificationrequestedbyaMIBcode,theSNMPagentrequiresthe equivalentofatrapdoor,akeytounlockthedoor,andaprocedureforcrossingthe doorstep.Todetermineifalltheseelementsareinplace,theSNMPagentproceedsasfollows: 1. Determinesifthekeysfortrapdoorsdoexist.Intheexampleconfigurationabove,the keythatSNMPislookingforisthenotificationentrycreatedwiththesetsnmpnotify commandwhich,inthiscase,isakeylabeledentry1. Searchesforthedoorsmatchingsuchakey.Forexample,theparameterssetfortheentry1key showsthatitopensonlythedoorTrapSink. VerifiesthatthespecifieddoorTrapSinkis,infact,available.Inthiscaseitwasbuiltusingthe setsnmptargetaddrcommand.Thiscommandalsospecifiesthatthisdoorleadstothe managementstation192.168.190.80,andtheprocedure(targetparams)tocrossthedoorstep iscalledv2ExampleParams. Verifiesthatthev2ExampleParamsdescriptionofhowtostepthroughthedooris,infact, there.Theagentcheckstargetparamsentriesanddeterminesthisdescriptionwasmadewith thesetsnmptargetparamscommand,whichtellsexactlywhichSNMPprotocoltouseand whatcommunitynametoprovide.Inthiscase,thecommunitynameismgmt. Verifiesthatthemgmtcommunitynameisavailable.Inthiscase,ithasbeenconfiguredusing thesetsnmpcommunitycommand. Sendsthetrapnotificationmessage.

    2. 3.

    4.

    5. 6.

    8-38

    SNMP Configuration

    9
    Spanning Tree Configuration
    ThischapterdescribestheSpanningTreeConfigurationsetofcommandsandhowtousethem.
    For information about... Spanning Tree Configuration Summary Configuring Spanning Tree Bridge Parameters Configuring Spanning Tree Port Parameters Configuring Spanning Tree Loop Protect Parameters Refer to page... 9-1 9-3 9-33 9-41

    Caution: Spanning Tree configuration should be performed only by personnel who are very knowledgeable about Spanning Trees and the configuration of the Spanning Tree Algorithm. Otherwise, the proper operation of the network could be at risk.

    Spanning Tree Configuration Summary


    Overview: Single, Rapid, and Multiple Spanning Tree Protocols
    TheIEEE802.1DSpanningTreeProtocol(STP)resolvestheproblemsofphysicalloopsina networkbyestablishingoneprimarypathbetweenanytwodevicesinanetwork.Anyduplicate pathsarebarredfromuseandbecomestandbyorblockedpathsuntiltheoriginalpathfails,at whichpointtheycanbebroughtintoservice.

    RSTP
    TheIEEE802.1wRapidSpanningProtocol(RSTP),anevolutionof802.1D,canachievemuch fasterconvergencethanlegacySTPinaproperlyconfigurednetwork.RSTPsignificantlyreduces thetimetoreconfigurethenetworksactivetopologywhenphysicaltopologyorconfiguration parameterchangesoccur.ItselectsoneswitchastherootofaSpanningTreeconnectedactive topologyandassignsportrolestoindividualportsontheswitch,dependingonwhetherthatport ispartoftheactivetopology. RSTPprovidesrapidconnectivityfollowingthefailureofaswitch,switchport,oraLAN.Anew rootportandthedesignatedportontheothersideofthebridgetransitiontoforwardingthrough anexplicithandshakebetweenthem.Bydefault,userportsareconfiguredtorapidlytransitionto forwardinginRSTP.

    MSTP
    TheIEEE802.1sMultipleSpanningTreeProtocol(MSTP)buildsupon802.1DandRSTPby optimizingutilizationofredundantlinksbetweenswitchesinanetwork.Whenredundantlinks existbetweenapairofswitchesrunningsingleSTP,onelinkisforwardingwhiletheothersare

    SecureStack C2 Configuration Guide

    9-1

    Spanning Tree Configuration Summary

    blockingforalltrafficflowingbetweenthetwoswitches.Theblockinglinksareeffectivelyused onlyiftheforwardinglinkgoesdown.MSTPassignseachVLANpresentonthenetworktoa particularSpanningTreeinstance,allowingeachswitchporttobeinadistinctstateforeachsuch instance:blockingforoneSpanningTreewhileforwardingforanother.Thus,trafficassociated withonesetofVLANscantraverseaparticularinterswitchlink,whiletrafficassociatedwith anothersetofVLANscanbeblockedonthatlink.IfVLANsareassignedtoSpanningTrees wisely,nointerswitchlinkwillbecompletelyidle,maximizingnetworkutilization. FordetailsoncreatingSpanningTreeinstances,refertosetspantreemstionpage 912. FordetailsonmappingSpanningTreeinstancestoVLANs,refertosetspantreemstmapon page 914.
    Note: MSTP and RSTP are fully compatible and interoperable with each other and with legacy STP 802.1D.

    Spanning Tree Features


    TheSecureStackC2devicemeetstherequirementsoftheSpanningTreeProtocolsbyperforming thefollowingfunctions: CreatingasingleSpanningTreefromanyarrangementofswitchingorbridgingelements. Compensatingautomaticallyforthefailure,removal,oradditionofanydeviceinanactive datapath. Achievingportchangesinshorttimeintervals,whichestablishesastableactivetopology quicklywithminimalnetworkdisturbance. Usingaminimumamountofcommunicationsbandwidthtoaccomplishtheoperationofthe SpanningTreeProtocol. Reconfiguringtheactivetopologyinamannerthatistransparenttostationstransmittingand receivingdatapackets. ManagingthetopologyinaconsistentandreproduciblemannerthroughtheuseofSpanning TreeProtocolparameters.

    Note: The term bridge is used as an equivalent to the term switch or device in this document.

    Loop Protect
    TheLoopProtectfeaturepreventsorshortcircuitsloopformationinanetworkwithredundant pathsbyrequiringportstoreceivetype2BPDUs(RSTP/MSTP)onpointtopointinterswitch links(ISLs)beforetheirstatesareallowedtobecomeforwarding.Further,ifaBPDUtimeout occursonaport,itsstatebecomeslisteninguntilaBPDUisreceived. Bothupstreamanddownstreamfacingportsareprotected.Whenarootoralternateportlosesits pathtotherootbridgeduetoamessageageexpirationittakesontheroleofdesignatedport.It willnotforwardtrafficuntilaBPDUisreceived.Whenaportisintendedtobethedesignatedport inanISLitconstantlyproposesandwillnotforwarduntilaBPDUisreceived,andwillrevertto listeningifitfailstogetaresponse.Thisprotectsagainstmisconfigurationandprotocolfailureby theconnectedbridge. TheDisputedBPDUmechanismprotectsagainstloopinginsituationswherethereisoneway communication.AdisputedBPDUisoneinwhichtheflagsfieldindicatesadesignatedroleand

    9-2

    Spanning Tree Configuration

    Configuring Spanning Tree Bridge Parameters

    learningandthepriorityvectorisworsethanthatalreadyheldbytheport.IfadisputedBPDUis received,theportisforcedtothelisteningstate.WhenaninferiordesignatedBPDUwiththe learningbitsetisreceivedonadesignatedport,itsstateissettodiscardingtopreventloop formation.NotethattheDisputemechanismisalwaysactiveregardlessoftheconfiguration settingofLoopProtection. LoopProtectoperatesasaperport,perMSTinstancefeature.Itshouldbesetoninterswitch links.Itiscomprisedofseveralrelatedfunctions: ControlofportforwardingstatebasedonreceptionofagreementBPDUs ControlofportforwardingstatebasedonreceptionofdisputedBPDUs Communicatingportnonforwardingstatusthroughtrapsandsyslogmessages Disablingaportbasedonfrequencyoffailureevents

    PortforwardingstateinthedesignatedportisgatedbyatimerthatissetuponBPDUreception.It isanalogoustothercvdInfoWhiletimertheportuseswhenreceivingrootinformationintheroot/ alternate/backuprole. TherearetwooperationalmodesforLoopProtectonaport.Iftheportisconnectedtoadevice knowntoimplementLoopProtect,itusesfullfunctionalmode.Otherwisetheportoperatesin limitedfunctionalmode. ConnectiontoaLoopProtectswitchguaranteesthatthealternateagreementmechanismis implemented.Thismeansthedesignatedportcanrelyonreceivingaresponsetoitsproposal regardlessoftheroleoftheconnectedport,whichhastwoimportantimplications.First,the designatedportconnectedtoanonrootportmaytransitiontoforwarding.Second,thereisno ambiguitywhenatimeouthappens;aLoopProtecteventhasoccurred. Infullfunctionalmode,whenatype2BPDUisreceivedandtheportisdesignatedandpointto point,thetimerissetto3timeshelloTime.Inlimitedfunctionalmodethereistheadditional requirementthattheflagsfieldindicatearootrole.IftheportisaboundaryporttheMSTIsfor thatportfollowtheCIST,thatis,theMSTIporttimersaresetaccordingtotheCISTporttimer.If theportisinternaltotheregionthentheMSTIporttimersaresetindependentlyusingthe particularMSTImessage. MessageageexpirationandtheexpirationoftheLoopProtecttimerarebothLoopProtectevents. Anoticelevelsyslogmessageisproducedforeachsuchevent.Trapsmaybeconfiguredtoreport theseeventsaswell.AsyslogmessageandtrapmaybeconfiguredfordisputedBPDUs. ItisalsoconfigurabletoforcethelockingofaSID/portfortheoccurrenceofoneormoreevents. Whentheconfigurednumberofeventshappenwithinagivenwindowoftime,theportisforced intoblockingandheldthereuntilitismanuallyunlockedviamanagement.

    Configuring Spanning Tree Bridge Parameters


    Purpose
    TodisplayandsetSpanningTreebridgeparameters,includingdevicepriorities,hellotime, maximumwaittime,forwarddelay,pathcost,andtopologychangetrapsuppression.

    SecureStack C2 Configuration Guide

    9-3

    Configuring Spanning Tree Bridge Parameters

    Commands
    For information about... show spantree stats set spantree show spantree version set spantree version clear spantree version show spantree bpdu-forwarding set spantree bpdu-forwarding show spantree bridgeprioritymode set spantree bridgeprioritymode clear spantree bridgeprioritymode show spantree mstilist set spantree msti clear spantree msti show spantree mstmap set spantree mstmap clear spantree mstmap show spantree vlanlist show spantree mstcfgid set spantree mstcfgid clear spantree mstcfgid set spantree priority clear spantree priority set spantree hello clear spantree hello set spantree maxage clear spantree maxage set spantree fwddelay clear spantree fwddelay show spantree backuproot set spantree backuproot clear spantree backuproot show spantree tctrapsuppress set spantree tctrapsuppress clear spantree tctrapsuppress Refer to page... 9-5 9-7 9-7 9-8 9-8 9-9 9-9 9-10 9-10 9-11 9-12 9-12 9-13 9-13 9-14 9-14 9-15 9-15 9-16 9-16 9-17 9-17 9-18 9-18 9-19 9-19 9-20 9-21 9-21 9-22 9-22 9-23 9-23 9-24

    9-4

    Spanning Tree Configuration

    show spantree stats

    For information about... set spantree protomigration show spantree spanguard set spantree spanguard clear spantree spanguard show spantree spanguardtimeout set spantree spanguardtimeout clear spantree spanguardtimeout show spantree spanguardlock clear/set spantree spanguardlock show spantree spanguardtrapenable set spanstree spanguardtrapenable clear spanstree spanguardtrapenable show spantree legacypathcost set spantree legacypathcost clear spantree legacypathcost

    Refer to page... 9-24 9-25 9-25 9-26 9-27 9-27 9-28 9-28 9-29 9-29 9-30 9-30 9-31 9-31 9-32

    show spantree stats


    UsethiscommandtodisplaySpanningTreeinformationforoneormoreports.

    Syntax
    show spantree stats [port port-string] [sid sid] [active]

    Parameters
    portportstring (Optional)Displaysinformationforthespecifiedport(s).Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72. (Optional)DisplaysinformationforaspecificSpanningTreeidentifier.If notspecified,SID0isassumed. (Optional)DisplaysinformationforportsthathavereceivedSTPBPDUs sinceboot.

    sidsid active

    Defaults
    Ifportstringisnotspecified,SpanningTreeinformationforallportswillbedisplayed. Ifsidisnotspecified,informationforSpanningTree0willbedisplayed. Ifactiveisnotspecifiedinformationforallportswillbedisplayedregardlessofwhetherornot theyhavereceivedBPDUs.

    Mode
    Switchcommand,readonly.

    SecureStack C2 Configuration Guide

    9-5

    show spantree stats

    Example
    ThisexampleshowshowtodisplaythedevicesSpanningTreeconfiguration:
    C2(su)->show spantree stats Spanning tree status Spanning tree instance Designated Root MacAddr Designated Root Priority Designated Root Cost Designated Root Port Root Max Age Root Hello Time Root Forward Delay Bridge ID MAC Address Bridge ID Priority Bridge Max Age Bridge Hello Time Bridge Forward Delay Topology Change Count Time Since Top Change Max Hops enabled 0 00-e0-63-9d-c1-c8 0 10000 lag.0.1 20 sec 2 sec 15 sec 00-01-f4-da-5e-3d 32768 20 sec 2 sec 15 sec 7 00 days 03:19:15 20

    Table 91showsadetailedexplanationofcommandoutput. Table 9-1


    Output Spanning tree instance Spanning tree status Designated Root MacAddr Designated Root Port Designated Root Priority Designated Root Cost Root Max Age Root Hello Time Root Forward Delay Bridge ID MAC Address Bridge ID Priority

    show spantree Output Details


    What It Displays... Spanning Tree ID. Whether Spanning Tree is enabled or disabled. MAC address of the designated Spanning Tree root bridge. Port through which the root bridge can be reached. Priority of the designated root bridge. Total path cost to reach the root. Amount of time (in seconds) a BPDU packet should be considered valid. Interval (in seconds) at which the root device sends BPDU (Bridge Protocol Data Unit) packets. Amount of time (in seconds) the root device spends in listening or learning mode. Unique bridge MAC address, recognized by all bridges in the network. Bridge priority, which is a default value, or is assigned using the set spantree priority command. For details, refer to set spantree priority on page 9-17. Maximum time (in seconds) the bridge can wait without receiving a configuration message (bridge hello) before attempting to reconfigure. This is a default value, or is assigned using the set spantree maxage command. For details, refer to set spantree maxage on page 9-19. Amount of time (in seconds) the bridge sends BPDUs. This is a default value, or is assigned using the set spantree hello command. For details, refer to set spantree hello on page 9-18.

    Bridge Max Age

    Bridge Hello Time

    9-6

    Spanning Tree Configuration

    set spantree

    Table 9-1
    Output

    show spantree Output Details (Continued)


    What It Displays... Amount of time (in seconds) the bridge spends in listening or learning mode. This is a default value, or is assigned using the set spantree fwddelay command. For details, refer to set spantree fwddelay on page 9-20. Number of times topology has changed on the bridge. Amount of time (in days, hours, minutes and seconds) since the last topology change. Maximum number of hops information for a particular Spanning Tree instance may traverse (via relay of BPDUs within the applicable MST region) before being discarded.

    Bridge Forward Delay

    Topology Change Count Time Since Top Change Max Hops

    set spantree
    UsethiscommandtogloballyenableordisabletheSpanningTreeprotocolontheswitch.

    Syntax
    set spantree {disable | enable}

    Parameters
    disable|enable GloballydisablesorenablesSpanningTree.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtodisableSpanningTreeonthedevice:
    C2(su)->set spantree disable

    show spantree version


    UsethiscommandtodisplaythecurrentversionoftheSpanningTreeprotocolrunningonthe device.

    Syntax
    show spantree version

    Parameters
    None.

    Defaults
    None.
    SecureStack C2 Configuration Guide 9-7

    set spantree version

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaySpanningTreeversioninformationforthedevice:
    C2(su)->show spantree version Force Version is mstp

    set spantree version


    UsethiscommandtosettheversionoftheSpanningTreeprotocoltoMSTP(MultipleSpanning TreeProtocol),RSTP(RapidSpanningTreeProtocol)ortoSTP802.1Dcompatible.

    Syntax
    set spantree version {mstp | stpcompatible | rstp}

    Parameters
    mstp stpcompatible rstp SetstheversiontoSTP802.1scompatible. SetstheversiontoSTP802.1Dcompatible. Setstheversionto802.1wcompatible.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Inmostnetworks,SpanningTreeversionshouldnotbechangedfromitsdefaultsettingofmstp (MultipleSpanningTreeProtocol)mode.MSTPmodeisfullycompatibleandinteroperablewith legacySTP802.1DandRapidSpanningTree(RSTP)bridges.Settingtheversiontostpcompatible modewillcausethebridgetotransmitonly802.1DBPDUs,andwillpreventnonedgeportsfrom rapidlytransitioningtoforwardingstate.

    Example
    ThisexampleshowshowtogloballychangetheSpanningTreeversionfromthedefaultofMSTP toRSTP:
    C2(su)->set spantree version rstp

    clear spantree version


    UsethiscommandtoresettheSpanningTreeversiontoMSTPmode.

    Syntax
    clear spantree version

    9-8

    Spanning Tree Configuration

    show spantree bpdu-forwarding

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoresettheSpanningTreeversion:
    C2(su)->clear spantree version

    show spantree bpdu-forwarding


    Use this command to display the Spanning Tree BPDU forwarding mode.

    Syntax
    show spantree bpdu-forwarding

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaytheSpanningTreeBPDUforwardingmode:
    C2(su)->show spantree bpdu-forwarding BPDU forwarding is disabled.

    set spantree bpdu-forwarding


    UsethiscommandtoenableordisableSpanningTreeBPDUforwarding.BydefaultBPDU forwardingisdisabled.

    Syntax
    set spantree bpdu-forwarding {disable | enable}

    Parameters
    disable|enable DisablesorenablesBPDUforwarding;.

    SecureStack C2 Configuration Guide

    9-9

    show spantree bridgeprioritymode

    Defaults
    BydefaultBPDUforwardingisdisabled.

    Mode
    Switchcommand,readwrite.

    Usage
    TheSpanningTreeprotocolmustbedisabled(setspantreedisable)forthisfeaturetotakeeffect.

    Example
    ThisexampleshowshowtoenableBPDUforwarding:
    C2(rw)-> set spantree bpdu-forwarding enable

    show spantree bridgeprioritymode


    UsethiscommandtodisplaytheSpanningTreebridgeprioritymodesetting.

    Syntax
    show spantree bridgeprioritymode

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaytheSpanningTreebridgeprioritymodesetting:
    C2(rw)->show spantree bridgeprioritymode Bridge Priority Mode is set to IEEE802.1t mode.

    set spantree bridgeprioritymode


    UsethiscommandtosettheSpanningTreebridgeprioritymodeto802.1D(legacy)or802.1t.

    Syntax
    set spantree bridgeprioritymode {8021d | 8021t}

    9-10

    Spanning Tree Configuration

    clear spantree bridgeprioritymode

    Parameters
    8021d 8021t Setsthebridgeprioritymodetouse802.1D(legacy)values,whichare0 65535. Setsthebridgeprioritymodetouse802.1tvalues,whichare0to61440,in incrementsof4096.Valueswillautomaticallyberoundedupordown, dependingonthe802.1tvaluetowhichtheenteredvalueisclosest. Thisisthedefaultbridgeprioritymode.

    Defaults
    None

    Mode
    Switchcommand,readwrite.

    Usage
    Themodeaffectstherangeofpriorityvaluesusedtodeterminewhichdeviceisselectedasthe SpanningTreerootasdescribedinsetspantreepriority(setspantreepriorityonpage 917).The defaultfortheswitchistouse802.1tbridgeprioritymode.

    Example
    Thisexampleshowshowtosetthebridgeprioritymodeto802.1D:
    C2(rw)->set spantree bridgeprioritymode 8021d

    clear spantree bridgeprioritymode


    UsethiscommandtoresettheSpanningTreebridgeprioritymodetothedefaultsettingof802.1t.

    Syntax
    clear spantree bridgeprioritymode

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoresetthebridgeprioritymodeto802.1t:
    C2(rw)->clear spantree bridgeprioritymode

    SecureStack C2 Configuration Guide

    9-11

    show spantree mstilist

    show spantree mstilist


    UsethiscommandtodisplayalistofMultipleSpanningTree(MST)instancesconfiguredonthe device.

    Syntax
    show spantree mstilist

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayalistofMSTinstances.Inthiscase,SID2hasbeenconfigured:
    C2(su)->show spantree mstilist Configured Multiple Spanning Tree instances: 2

    set spantree msti


    UsethiscommandtocreateordeleteaMultipleSpanningTreeinstance.

    Syntax
    set spantree msti sid sid {create | delete}

    Parameters
    sidsid create|delete SetstheMultipleSpanningTreeID.Validvaluesare14094. SecureStackC2deviceswillsupportupto4MSTinstances. CreatesordeletesanMSTinstance.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtocreateanMSTinstance2:
    C2(su)->set spantree msti sid 2 create

    9-12

    Spanning Tree Configuration

    clear spantree msti

    clear spantree msti


    UsethiscommandtodeleteoneormoreMultipleSpanningTreeinstances.

    Syntax
    clear spantree msti [sid sid]

    Parameters
    sidsid (Optional)DeletesaspecificmultipleSpanningTreeID.

    Defaults
    Ifsidisnotspecified,allMSTinstanceswillbecleared.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtodeleteallMSTinstances:
    C2(su)->clear spantree msti

    show spantree mstmap


    UsethiscommandtodisplaythemappingofafilteringdatabaseID(FID)toaSpanningTrees. SinceVLANsaremappedtoFIDs,thisshowstowhichSIDaVLANismapped.

    Syntax
    show spantree mstmap [fid fid]

    Parameters
    fidfid (Optional)DisplaysinformationforspecificFIDs.

    Defaults
    Iffidisnotspecified,informationforallassignedFIDswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaySIDtoFIDmappinginformationforFID1.Inthiscase,no newmappingshavebeenconfigured:
    C2(su)->show spantree mstmap fid 1 FID: SID: 1 0

    SecureStack C2 Configuration Guide

    9-13

    set spantree mstmap

    set spantree mstmap


    UsethiscommandtomaponeormorefilteringdatabaseIDs(FIDs)toaSID.SinceVLANsare mappedtoFIDs,thisessentiallymapsoneormoreVLANIDstoaSpanningTree(SID).
    Note: Since any MST maps that are associated with GVRP-generated VLANs will be removed from the configuration if GVRP communication is lost, it is recommended that you only create MST maps on statically-created VLANs.

    Syntax
    set spantree mstmap fid [sid sid]

    Parameters
    fid sidsid SpecifiesoneormoreFIDstoassigntotheMST.Validvaluesare14093, andmustcorrespondtoaVLANIDcreatedusingthesetvlancommand. (Optional)SpecifiesaMultipleSpanningTreeID.Validvaluesare14094, andmustcorrespondtoaSIDcreatedusingthesetmsticommand.

    Defaults
    Ifsidisnotspecified,FID(s)willbemappedtoSpanningTree0.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtomapFID3toSID2:
    C2(su)->set spantree mstmap 3 sid 2

    clear spantree mstmap


    UsethiscommandtomapaFIDbacktoSID0.

    Syntax
    clear spantree mstmap fid

    Parameters
    fid SpecifiesoneormoreFIDstoresetto0.

    Defaults
    Iffidisnotspecified,allSIDtoFIDmappingswillbereset.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtomapFID2backtoSID0:

    9-14

    Spanning Tree Configuration

    show spantree vlanlist

    C2(su)->clear spantree mstmap 2

    show spantree vlanlist


    UsethiscommandtodisplaytheSpanningTreeID(s)assignedtooneormoreVLANs.

    Syntax
    show spantree vlanlist [vlan-list]

    Parameters
    vlanlist (Optional)DisplaysSIDsassignedtospecificVLAN(s).

    Defaults
    Ifnotspecified,SIDassignmentwillbedisplayedforallVLANs.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaytheSIDsmappedtoVLAN1.Inthiscase,SIDs2,16and42 aremappedtoVLAN1.Forthisinformationtodisplay,theSIDinstancemustbecreatedusingthe setspantreemsticommandasdescribedinsetspantreemstionpage 912,andtheFIDsmust bemappedtoSID 1usingthesetspantreemstmapcommandasdescribedinsetspantree mstmaponpage 914:
    C2(su)->show spantree vlanlist 1 The following SIDS are assigned to VLAN 1: 2 16 42

    show spantree mstcfgid


    UsethiscommandtodisplaytheMSTconfigurationidentifierelements,includingformatselector, configurationname,revisionlevel,andconfigurationdigest.

    Syntax
    show spantree mstcfgid

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaytheMSTconfigurationidentifierelements.Inthiscase,the defaultrevisionlevelof0,andthedefaultconfigurationname(astringrepresentingthebridge

    SecureStack C2 Configuration Guide

    9-15

    set spantree mstcfgid

    MACaddress)havenotbeenchanged.Forinformationonusingthesetspantreemstcfgid commandtochangethesesettings,refertosetspantreemstcfgidonpage 916:


    C2(su)->show spantree mstcfgid MST Configuration Identifier: Format Selector: 0 Configuration Name: 00:01:f4:89:51:94 Revision Level: 0 Configuration Digest: ac:36:17:7f:50:28:3c:d4:b8:38:21:d8:ab:26:de:62

    set spantree mstcfgid


    UsethiscommandtosettheMSTconfigurationnameand/orrevisionlevel.

    Syntax
    set spantree mstcfgid {cfgname name | rev level}

    Parameters
    cfgnamename revlevel SpecifiesanMSTconfigurationname. SpecifiesanMSTrevisionlevel.Validvaluesare065535.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosettheMSTconfigurationnametomstconfig:
    C2(su)->set spantree mstconfigid cfgname mstconfig

    clear spantree mstcfgid


    UsethiscommandtoresettheMSTrevisionleveltoadefaultvalueof0,andtheconfiguration nametoadefaultstringrepresentingthebridgeMACaddress.

    Syntax
    clear spantree mstcfgid

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    9-16

    Spanning Tree Configuration

    set spantree priority

    Example
    ThisexampleshowshowtoresettheMSTconfigurationidentifierelementstodefaultvalues:
    C2(su)->clear spantree mstcfgid

    set spantree priority


    UsethiscommandtosetthedevicesSpanningTreepriority.

    Syntax
    set spantree priority priority [sid]

    Parameters
    priority Specifiesthepriorityofthebridge.Validvaluesarefrom0to61440(in incrementsof4096),with0indicatinghighestpriorityand61440 lowestpriority. (Optional)SetsthepriorityonaspecificSpanningTree.Validvalues are04094.Ifnotspecified,SID 0isassumed.

    sid

    Defaults
    Ifsidisnotspecified,prioritywillbesetonSpanningTree0.

    Mode
    Switchcommand,readwrite.

    Usage
    Thedevicewiththehighestpriority(lowestnumericalvalue)becomestheSpanningTreeroot device.Ifalldeviceshavethesamepriority,thedevicewiththelowestMACaddresswillthen becometherootdevice.Dependingonthebridgeprioritymode(setwiththesetspantree bridgeprioritymodecommanddescribedinsetspantreebridgeprioritymodeonpage 910, somepriorityvaluesmayberoundedupordown.

    Example
    Thisexampleshowshowtosetthebridgepriorityto4096onSID1:
    C2(su)->set spantree priority 4096 1

    clear spantree priority


    UsethiscommandtoresettheSpanningTreeprioritytothedefaultvalueof32768.

    Syntax
    clear spantree priority [sid]

    Parameters
    sid (Optional)ResetsthepriorityonaspecificSpanningTree.Validvalues are04094.Ifnotspecified,SID 0isassumed.

    SecureStack C2 Configuration Guide

    9-17

    set spantree hello

    Defaults
    Ifsidisnotspecified,prioritywillberesetonSpanningTree0.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoresetthebridgepriorityonSID1:
    C2(su)->clear spantree priority 1

    set spantree hello


    UsethiscommandtosetthedevicesSpanningTreehellotime,Thisisthetimeinterval(in seconds)thedevicewilltransmitBPDUsindicatingitisactive.

    Syntax
    set spantree hello interval

    Parameters
    interval Specifiesthenumberofsecondsthesystemwaitsbeforebroadcastinga bridgehellomessage(amulticastmessageindicatingthatthesystemis active).Validvaluesare110.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtogloballysettheSpanningTreehellotimeto10seconds:
    C2(su)->set spantree hello 10

    clear spantree hello


    UsethiscommandtoresettheSpanningTreehellotimetothedefaultvalueof2seconds.

    Syntax
    clear spantree hello

    Parameters
    None.

    Defaults
    None.

    9-18

    Spanning Tree Configuration

    set spantree maxage

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtogloballyresettheSpanningTreehellotime:
    C2(su)->clear spantree hello

    set spantree maxage


    Usethiscommandtosetthebridgemaximumagingtime.

    Syntax
    set spantree maxage agingtime

    Parameters
    agingtime Specifiesthemaximumnumberofsecondsthatthesystemretainsthe informationreceivedfromotherbridgesthroughSTP.Validvaluesare6 40.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Thebridgemaximumagingtimeisthemaximumtime(inseconds)adevicecanwaitwithout receivingaconfigurationmessage(bridgehello)beforeattemptingtoreconfigure.Alldevice ports(exceptfordesignatedports)shouldreceiveconfigurationmessagesatregularintervals. AnyportthatagesoutSTPinformationprovidedinthelastconfigurationmessagebecomesthe designatedportfortheattachedLAN.Ifitisarootport,anewrootportisselectedfromamong thedeviceportsattachedtothenetwork.

    Example
    Thisexampleshowshowtosetthemaximumagingtimeto25seconds:
    C2(su)->set spantree maxage 25

    clear spantree maxage


    UsethiscommandtoresetthemaximumagingtimeforaSpanningTreetothedefaultvalueof20 seconds.

    Syntax
    clear spantree maxage

    SecureStack C2 Configuration Guide

    9-19

    set spantree fwddelay

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtogloballyresetthemaximumagingtime:
    C2(su)->clear spantree maxage

    set spantree fwddelay


    UsethiscommandtosettheSpanningTreeforwarddelay.

    Syntax
    set spantree fwddelay delay

    Parameters
    delay Specifiesthenumberofsecondsforthebridgeforwarddelay.Validvalues are430.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Theforwarddelayisthemaximumtime(inseconds)therootdevicewillwaitbeforechanging states(i.e.,listeningtolearningtoforwarding).Thisdelayisrequiredbecauseeverydevicemust receiveinformationabouttopologychangesbeforeitstartstoforwardframes.Inaddition,each portneedstimetolistenforconflictinginformationthatwouldmakeitreturntoablockingstate; otherwise,temporarydataloopsmightresult.

    Example
    Thisexampleshowshowtogloballysetthebridgeforwarddelayto16seconds:
    C2(su)->set spantree fwddelay 16

    9-20

    Spanning Tree Configuration

    clear spantree fwddelay

    clear spantree fwddelay


    UsethiscommandtoresettheSpanningTreeforwarddelaytothedefaultsettingof15seconds.

    Syntax
    clear spantree fwddelay

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtogloballyresetthebridgeforwarddelay:
    C2(su)->clear spantree fwddelay

    show spantree backuproot


    UsethiscommandtodisplaythebackuprootstatusforanMSTinstance.

    Syntax
    show spantree backuproot [sid]

    Parameters
    sid (Optional)DisplaybackuprootstatusforaspecificSpanningTree identifier.Validvaluesare04094.Ifnotspecified,SID0isassumed.

    Defaults
    IfaSIDisnotspecified,thenstatuswillbeshownforSpanningTreeinstance0.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaythestatusofthebackuprootfunctiononSID0:
    C2(rw)->show spantree backuproot Backup root is set to disable on sid 0

    SecureStack C2 Configuration Guide

    9-21

    set spantree backuproot

    set spantree backuproot


    UsethiscommandtoenableordisabletheSpanningTreebackuprootfunctionontheswitch.

    Syntax
    set spantree backuproot sid {disable | enable}

    Parameters
    sid disable|enable SpecifiestheSpanningTreeinstanceonwhichtoenableordisablethe backuprootfunction.Validvaluesare04094. Enablesordisablesthebackuprootfunction.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    TheSpanningTreebackuprootfunctionisdisabledbydefaultontheSecureStackC2.Whenthis featureisenabledandtheswitchisdirectlyconnectedtotherootbridge,staleSpanningTree informationispreventedfromcirculatingiftherootbridgeislost.Iftherootbridgeislost,the backuprootwilldynamicallyloweritsbridgeprioritysothatitwillbeselectedasthenewroot overthelostrootbridge.

    Example
    ThisexampleshowshowtoenablethebackuprootfunctiononSID2:
    C2(rw)->set spantree backuproot 2 enable

    clear spantree backuproot


    UsethiscommandtoresettheSpanningTreebackuprootfunctiontothedefaultstateofdisabled.

    Syntax
    clear spantree backuproot sid

    Parameters
    sid SpecifiestheSpanningTreeonwhichtoclearthebackuproot function.Validvaluesare04094.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    9-22

    Spanning Tree Configuration

    show spantree tctrapsuppress

    Example
    ThisexampleshowshowtoresetthebackuprootfunctiontodisabledonSID2:
    C2(rw)->clear spantree backuproot 2

    show spantree tctrapsuppress


    UsethiscommandtodisplaythestatusoftopologychangetrapsuppressiononRapidSpanning Treeedgeports.

    Syntax
    show spantree tctrapsuppress

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaythestatusoftopologychangetrapsuppression:
    C2(rw)->show spantree tctrapsuppress Topology change Trap Suppression is set to enabled

    set spantree tctrapsuppress


    UsethiscommandtodisableorenabletopologychangetrapsuppressiononRapidSpanningTree edgeports.

    Syntax
    set spantree tctrapsuppress {disable | enable}

    Parameters
    disable|enable Disablesorenablestopologychangetrapsuppression.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    9-23

    clear spantree tctrapsuppress

    Usage
    Bydefault,RSTPnonedge(bridge)portsthattransitiontoforwardingorblockingcausethe switchtoissueatopologychangetrap.Whentopologychangetrapsuppressionisenabled,which isthedevicedefault,edgeports(suchasendstationPCs)arepreventedfromsendingtopology changetraps.Thisisbecausethereisusuallynoneedfornetworkmanagementtomonitoredge portSTPtransitionstates,suchaswhenPCsarepoweredon.Whentopologychangetrap suppressionisdisabled,allports,includingedgeandbridgeports,willtransmittopologychange traps.

    Example
    ThisexampleshowshowtoallowRapidSpanningTreeedgeportstotransmittopologychange traps:
    C2(rw)->set spantree tctrapsuppress disable

    clear spantree tctrapsuppress


    UsethiscommandtoclearthestatusoftopologychangetrapsuppressiononRapidSpanningTree edgeportstothedefaultstateofenabled(edgeporttopologychangesdonotgeneratetraps).

    Syntax
    clear spantree tctrapsuppress

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtocleartopologychangetrapsuppressionsetting:
    C2(rw)->clear spantree tctrapsuppress

    set spantree protomigration


    UsethiscommandtoresettheprotocolstatemigrationmachineforoneormoreSpanningTree ports.WhenoperatinginRSTPmode,thisforcesaporttotransmitMSTPBPDUs.

    Syntax
    set spantree protomigration <port-string>

    Parameters
    portstring Resettheprotocolstatemigrationmachineforspecificport(s).Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72.

    9-24

    Spanning Tree Configuration

    show spantree spanguard

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoresettheprotocolstatemigrationmachineonport20:
    C2(su)->set spantree protomigration ge.1.20

    show spantree spanguard


    UsethiscommandtodisplaythestatusoftheSpanningTreeSpanGuardfunction.

    Syntax
    show spantree spanguard

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaytheSpanGuardfunctionstatus:
    C2(su)->show spantree spanguard Spanguard is disabled

    set spantree spanguard


    UsethiscommandtoenableordisabletheSpanningTreeSpanGuardfunction.

    Syntax
    set spantree spanguard {enable | disable}

    Parameters
    enable|disable EnablesordisablestheSpanGuardfunction.

    Defaults
    None.

    SecureStack C2 Configuration Guide

    9-25

    clear spantree spanguard

    Mode
    Switchcommand,readwrite.

    Usage
    SpanGuardisdesignedtodisable,orlockoutanedgeportwhenanunexpectedBPDUis received.Theportcanbeconfiguredtobereenabledafterasettimeperiod,oronlyaftermanual intervention. Aportcanbedefinedasanedge(user)portusingthesetspantreeadminedgecommand, describedinsetspantreeadminedgeonpage 939.Aportdesignatedasanedgeportis expectedtobeconnectedtoaworkstationorotherendusertypeofdevice,andnottoanother switchinthenetwork.WhenSpanGuardisenabled,ifanonloopbackBPDUisreceivedonan edgeport,theSpanningTreestateofthatportwillbechangedtoblockingandwillnolonger forwardtraffic.Theportwillremaindisableduntiltheamountoftimedefinedbysetspantree spanguardtimeout(setspantreespanguardtimeoutonpage 927)haspassedsincethelastseen BPDU,theportismanuallyunlocked(setorclearspantreespanguardlock,clear/setspantree spanguardlockonpage 929),theconfigurationoftheportischangedsoitisnotlongeranedge port,ortheSpanGuardfunctionisdisabled. SpanGuardisenabledanddisabledonlyonaglobalbasis(acrossthestack,ifapplicable).By default,SpanGuardisdisabledandSpanGuardtrapsareenabled.

    Example
    ThisexampleshowshowtoenabletheSpanGuardfunction:
    C2(rw)->set spantree spanguard enable

    clear spantree spanguard


    UsethiscommandtoresetthestatusoftheSpanningTreeSpanGuardfunctiontodisabled.

    Syntax
    clear spantree spanguard

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoresetthestatusoftheSpanGuardfunctiontodisabled:
    C2(rw)->clear spantree spanguard

    9-26

    Spanning Tree Configuration

    show spantree spanguardtimeout

    show spantree spanguardtimeout


    UsethiscommandtodisplaytheSpanningTreeSpanGuardtimeoutsetting.

    Syntax
    show spantree spanguardtimeout

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaytheSpanGuardtimeoutsetting:
    C2(su)->show spantree spanguardtimeout Spanguard timeout: 300

    set spantree spanguardtimeout


    Usethiscommandtosettheamountoftime(inseconds)anedgeportwillremainlockedbythe SpanGuardfunction.

    Syntax
    set spantree spanguardtimeout timeout

    Parameters
    timeout Specifiesatimeoutvalueinseconds.Validvaluesare0to65535. Avalueof0willkeeptheportlockeduntilmanuallyunlocked.Thedefault valueis300seconds.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosettheSpanGuardtimeoutto600seconds:
    C2(su)->set spantree spanguardtimeout 600

    SecureStack C2 Configuration Guide

    9-27

    clear spantree spanguardtimeout

    clear spantree spanguardtimeout


    UsethiscommandtoresettheSpanningTreeSpanGuardtimeouttothedefaultvalueof300 seconds.

    Syntax
    clear spantree spanguardtimeout

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoresettheSpanGuardtimeoutto300seconds:
    C2(rw)->clear spantree spanguardtimeout

    show spantree spanguardlock


    UsethiscommandtodisplaytheSpanGuardlockstatusofoneormoreports.

    Syntax
    show spantree spanguardlock [port-string]

    Parameters
    portstring (Optional)Specifiestheport(s)forwhichtoshowSpanGuardlockstatus. Foradetaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72.

    Defaults
    Ifnoportstringisspecified,theSpanGuardlockstatusforallportsisdisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaytheSpanGuardlockstatusforge.1.1:
    C2(su)->show spantree spanguardlock ge.1.1 Port ge.1.1 is Unlocked

    9-28

    Spanning Tree Configuration

    clear / set spantree spanguardlock

    clear / set spantree spanguardlock


    UseeitherofthesecommandstounlockoneormoreportslockedbytheSpanningTree SpanGuardfunction.WhenSpanGuardisenabled,itlocksportsthatreceiveBPDUswhenthose portshavebeendefinedasedge(user)ports(asdescribedinsetspantreeadminedgeon page 939).

    Syntax
    clear spantree spanguardlock port-string set spantree spanguardlock port-string

    Parameters
    portstring Specifiesport(s)tounlock.Foradetaileddescriptionofpossibleportstring values,refertoPortStringSyntaxUsedintheCLIonpage 72.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtounlockportge.1.16:
    C2(rw)->clear spantree spanguardlock ge.1.16

    show spantree spanguardtrapenable


    UsethiscommandtodisplaythestateoftheSpanningTreeSpanGuardtrapfunction.

    Syntax
    show spantree spanguardtrapenable

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaythestateoftheSpanGuardtrapfunction:
    C2(ro)->show spantree spanguardtrapenable Spanguard SNMP traps are enabled

    SecureStack C2 Configuration Guide

    9-29

    set spantree spanguardtrapenable

    set spantree spanguardtrapenable


    UsethiscommandtoenableordisablethesendingofanSNMPtrapmessagewhenSpanGuard haslockedaport.

    Syntax
    set spantree spanguardtrapenable {disable | enable}

    Parameters
    disable|enable DisablesorenablessendingSpanGuardtraps.Bydefault,sendingtraps isenabled.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtodisabletheSpanGuardtrapfunction:
    C2(su)->set spantree spanguardtrapenable disable

    clear spantree spanguardtrapenable


    UsethiscommandtoresettheSpanningTreeSpanGuardtrapfunctionbacktothedefaultstateof enabled.

    Syntax
    clear spantree spanguardtrapenable

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoresettheSpanGuardtrapfunctiontoenabled:
    C2(rw)->clear spantree spanguardtrapenable

    9-30

    Spanning Tree Configuration

    show spantree legacypathcost

    show spantree legacypathcost


    UsethiscommandtodisplaythedefaultSpanningTreepathcostsetting.

    Syntax
    show spantree legacypathcost

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaythedefaultSpanningTreepathcostsetting.
    C2(su)->show spantree legacypathcost Legacy Path Cost is disabled.

    set spantree legacypathcost


    Usethiscommandtoenableordisablelegacy(802.1D)pathcostvalues.

    Syntax
    set spantree legacypathcost {disable | enable}

    Parameters
    disable enable Use802.1t2001valuestocalculatepathcost. Use802.1d1998valuestocalculatepathcost.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Bydefault,legacypathcostisdisabled.Enablingthedevicetocalculatelegacypathcostsaffects therangeofvalidvaluesthatcanbeenteredinthesetspantreeadminpathcostcommand.

    Example
    Thisexampleshowshowtosetthedefaultpathcostvaluesto802.1D.
    C2(rw)->set spantree legacypathcost enable

    SecureStack C2 Configuration Guide

    9-31

    clear spantree legacypathcost

    clear spantree legacypathcost


    UsethiscommandtosettheSpanningTreedefaultvalueforlegacypathcostto802.1tvalues.

    Syntax
    clear spantree legacypathcost

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleclearsthelegacypathcostto802.1tvalues.
    C2(rw)->clear spantree legacypathcost

    9-32

    Spanning Tree Configuration

    Configuring Spanning Tree Port Parameters

    Configuring Spanning Tree Port Parameters


    Purpose
    TodisplayandsetSpanningTreeportparameters.

    Commands
    For information about... set spantree portadmin clear spantree portadmin show spantree portadmin show spantree portpri set spantree portpri clear spantree portpri show spantree adminpathcost set spantree adminpathcost clear spantree adminpathcost show spantree adminedge set spantree adminedge clear spantree adminedge Refer to page... 9-33 9-34 9-34 9-35 9-35 9-36 9-37 9-37 9-38 9-38 9-38 9-39

    set spantree portadmin


    UsethiscommandtodisableorenabletheSpanningTreealgorithmononeormoreports.

    Syntax
    set spantree portadmin port-string {disable | enable}

    Parameters
    portstring Specifiestheport(s)forwhichtoenableordisableSpanningTree.Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72. DisablesorenablesSpanningTree.

    disable|enable

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    9-33

    clear spantree portadmin

    Example
    ThisexampleshowshowtodisableSpanningTreeonge.1.5:
    C2(rw)->set spantree portadmin ge.1.5 disable

    clear spantree portadmin


    UsethiscommandtoresetthedefaultSpanningTreeadminstatustoenableononeormoreports.

    Syntax
    clear spantree portadmin port-string

    Parameters
    portstring Resetsthedefaultadminstatusonspecificport(s).Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoresetthedefaultSpanningTreeadminstatetoenableonge.1.12:
    C2(rw)->clear spantree portadmin ge.1.12

    show spantree portadmin


    UsethiscommandtodisplaythestatusoftheSpanningTreealgorithmononeormoreports.

    Syntax
    show spantree portadmin [port port-string]

    Parameters
    portportstring (Optional)Displaysstatusforspecificport(s).Foradetaileddescriptionof possibleportstringvalues,refertoPortStringSyntaxUsedintheCLI onpage 72.

    Defaults
    Ifportstringisnotspecified,statuswillbedisplayedforallports.

    Mode
    Switchcommand,readonly.

    9-34

    Spanning Tree Configuration

    show spantree portpri

    Example
    Thisexampleshowshowtodisplayportadminstatusforge.1.1:
    C2(ro)->show spantree portadmin port ge.1.1 Port ge.1.1 has portadmin set to enabled

    show spantree portpri


    UsethiscommandtoshowtheSpanningTreepriorityforoneormoreports.Portpriorityisa componentoftheportID,whichisoneelementusedindeterminingSpanningTreeportroles.

    Syntax
    show spantree portpri [port port-string] [sid sid]

    Parameters
    portportstring (Optional)Specifiestheport(s)forwhichtodisplaySpanningTreepriority. Foradetaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72. (Optional)DisplaysportpriorityforaspecificSpanningTreeidentifier. Validvaluesare04094.Ifnotspecified,SID0isassumed.

    sidsid

    Defaults
    Ifportstringisnotspecified,portprioritywillbedisplayedforallSpanningTreeports. Ifsidisnotspecified,portprioritywillbedisplayedforSpanningTree0.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaytheportpriorityforge.2.7:
    C2(su)->show spantree portpri port ge.2.7 Port ge.2.7 has a Port Priority of 128 on SID 0

    set spantree portpri


    UsethiscommandtosetaportsSpanningTreepriority.

    Syntax
    set spantree portpri port-string priority [sid sid]

    SecureStack C2 Configuration Guide

    9-35

    clear spantree portpri

    Parameters
    portstring Specifiestheport(s)forwhichtosetSpanningTreeportpriority.Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72. SpecifiesanumberthatrepresentsthepriorityofalinkinaSpanningTree bridge.Validvaluesarefrom0to240(inincrementsof16)with0 indicatinghighpriority. (Optional)SetsportpriorityforaspecificSpanningTreeidentifier.Valid valuesare04094.Ifnotspecified,SID0isassumed.

    priority

    sidsid

    Defaults
    Ifsidisnotspecified,portprioritywillbesetforSpanningTree0.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtosetthepriorityofge.1.3to240onSID1
    C2(su)->set spantree portpri ge.1.3 240 sid 1

    clear spantree portpri


    UsethiscommandtoresetthebridgepriorityofaSpanningTreeporttoadefaultvalueof128.

    Syntax
    clear spantree portpri port-string [sid sid]

    Parameters
    portstring Specifiestheport(s)forwhichtosetSpanningTreeportpriority.Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72. (Optional)ResetstheportpriorityforaspecificSpanningTreeidentifier. Validvaluesare04094.Ifnotspecified,SID0willbeassumed.

    sidsid

    Defaults
    Ifsidisnotspecified,portprioritywillbesetforSpanningTree0.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoresetthepriorityofge.1.3to128onSID1
    C2(su)->clear spantree portpri ge.1.3 sid 1

    9-36

    Spanning Tree Configuration

    show spantree adminpathcost

    show spantree adminpathcost


    UsethiscommandtodisplaytheadminpathcostforaportononeormoreSpanningTrees.

    Syntax
    show spantree adminpathcost [port port-string] [sid sid]

    Parameters
    portportstring (Optional)Displaystheadminpathcostvalueforspecificport(s).Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72. (Optional)DisplaystheadminpathcostforaspecificSpanningTree identifier.Validvaluesare04094.Ifnotspecified,SID0willbeassumed.

    sidsid

    Defaults
    Ifportstringisnotspecified,adminpathcostforallSpanningTreeportswillbedisplayed. Ifsidisnotspecified,adminpathcostforSpanningTree0willbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaytheadminpathcostforge.3.4onSID1:
    C2(su)->show spantree adminpathcost port ge.3.4 sid 1 Port ge.3.4 has a Port Admin Path Cost of 0 on SID 1

    set spantree adminpathcost


    UsethiscommandtosettheadministrativepathcostonaportandoneormoreSpanningTrees.

    Syntax
    set spantree adminpathcost port-string cost [sid sid]

    Parameters
    portstring Specifiestheport(s)onwhichtosetanadminpathcost.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72. Specifiestheportpathcost.Va1idvaluesare0200000000. (Optional)SetstheadminpathcostforaspecificSpanningTreeidentifier. Validvaluesare04094.Ifnotspecified,SID0willbeassumed.

    cost sidsid

    Defaults
    Ifsidisnotspecified,adminpathcostwillbesetforSpanningTree0.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    9-37

    clear spantree adminpathcost

    Example
    Thisexampleshowshowtosettheadminpathcostto200forge.3.2onSID1:
    C2(su)->set spantree adminpathcost ge.3.2 200 sid 1

    clear spantree adminpathcost


    UsethiscommandtoresettheSpanningTreedefaultvalueforportadminpathcostto0.

    Syntax
    clear spantree adminpathcost port-string [sid sid]

    Parameters
    portstring Specifiestheport(s)forwhichtoresetadminpathcost.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntax UsedintheCLIonpage 72. (Optional)ResetstheadminpathcostforspecificSpanningTree(s). Validvaluesare04094.Ifnotspecified,SID0isassumed.

    sidsid

    Defaults
    Ifsidisnotspecified,adminpathcostwillberesetforSpanningTree0.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoresettheadminpathcostto0forge.3.2onSID1:
    C2(su)->clear spantree adminpathcost ge.3.2 sid 1

    show spantree adminedge


    Usethiscommandtodisplaytheedgeportadministrativestatusforaport.

    Syntax
    show spantree adminedge [port port-string]

    Parameters
    portstring (Optional)Displaysedgeportadministrativestatusforspecific port(s).Foradetaileddescriptionofpossibleportstringvalues, refertoPortStringSyntaxUsedintheCLIonpage 72.

    Defaults
    IfportstringisnotspecifiededgeportadministrativestatuswillbedisplayedforallSpanningTree ports.

    9-38

    Spanning Tree Configuration

    set spantree adminedge

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaytheedgeportstatusforge.3.2:
    C2(su)->show spantree adminedge port ge.3.2 Port ge.3.2 has a Port Admin Edge of Edge-Port

    set spantree adminedge


    UsethiscommandtosettheedgeportadministrativestatusonaSpanningTreeport.

    Syntax
    set spantree adminedge port-string {true | false}

    Parameters
    portstring true|false Specifiestheedgeport.Foradetaileddescriptionofpossibleportstring values,refertoPortStringSyntaxUsedintheCLIonpage 72. Enables(true)ordisables(false)thespecifiedportasaSpanningTreeedge port.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Thedefaultbehavioroftheedgeportadministrativestatusbeginswiththevaluesettofalse initiallyafterthedeviceispoweredup.IfaSpanningTreeBDPUisnotreceivedontheportwithin afewseconds,thestatussettingchangestotrue.

    Example
    Thisexampleshowshowtosetge.1.11asanedgeport:
    C2(su)->set spantree adminedge ge.1.11 true

    clear spantree adminedge


    UsethiscommandtoresetaSpanningTreeporttononedgestatus.

    Syntax
    clear spantree adminedge port-string

    SecureStack C2 Configuration Guide

    9-39

    clear spantree adminedge

    Parameters
    portstring Specifiesport(s)onwhichtoresetedgeportstatus.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoresetge.1.11asanonedgeport:
    C2(su)->clear spantree adminedge ge.1.11

    9-40

    Spanning Tree Configuration

    Configuring Spanning Tree Loop Protect Parameters

    Configuring Spanning Tree Loop Protect Parameters


    Purpose
    TodisplayandsetSpanningTreeLoopProtectparameters,includingtheglobalparametersof LoopProtectthreshold,window,enablingtraps,anddisputedBPDUthreshold,aswellasperport andport/SIDparameters.SeeLoopProtectonpage 92formoreinformationabouttheLoop Protectfeature.

    Commands
    For information about... set spantree lp show spantree lp clear spantree lp show spantree lplock clear spantree lplock set spantree lpcapablepartner show spantree lpcapablepartner clear spantree lpcapablepartner set spantree lpthreshold show spantree lpthreshold clear spantree lpthreshold set spantree lpwindow show spantree lpwindow clear spantree lpwindow set spantree lptrapenable show spantree lptrapenable clear spantree lptrapenable set spantree disputedbpduthreshold show spantree disputedbpduthreshold clear spantree disputedbpduthreshold show spantree nonforwardingreason Refer to page... 9-42 9-42 9-43 9-43 9-44 9-45 9-45 9-46 9-46 9-47 9-47 9-48 9-48 9-49 9-49 9-50 9-50 9-51 9-52 9-52 9-53

    SecureStack C2 Configuration Guide

    9-41

    set spantree lp

    set spantree lp
    UsethiscommandtoenableordisabletheLoopProtectfeatureperportandoptionally,perSID. TheLoopProtectfeatureisdisabledbydefault.SeeLoopProtectonpage 2.formore information.

    Syntax
    set spantree lp port-string {enable | disable} [sid sid]

    Parameters
    portstring enable|disable sidsid Specifiesport(s)onwhichtoenableordisabletheLoopProtectfeature. Enablesordisablesthefeatureonthespecifiedport. (Optional)EnablesordisablesthefeatureforspecificSpanningTree(s). Validvaluesare04094.Ifnotspecified,SID0isassumed.

    Defaults
    IfnoSIDisspecified,SID0isassumed.

    Mode
    Switchcommand,readwrite.

    Usage
    LoopProtecttakesprecedenceoverperportSTPenable/disable(portAdmin).Normally portAdmindisabledwouldcauseaporttogoimmediatelytoforwarding.IfLoopProtectis enabled,thatportshouldgotolisteningandremainthere.
    Note: The Loop Protect enable/disable settings for an MSTI port should match those for the CIST port.

    Example
    ThisexampleshowshowtoenableLoopProtectonge.2.3:
    C2(su)->set spantree lp ge.1.11 enable

    show spantree lp
    UsethiscommandtodisplaytheLoopProtectstatusperportand/orperSID.

    Syntax
    show spantree lp [port port-string] [sid sid]

    Parameters
    portstring sidsid (Optional)Specifiesport(s)forwhichtodisplaytheLoopProtect featurestatus. (Optional)SpecifiesthespecificSpanningTree(s)forwhichtodisplay theLoopProtectfeaturestatus.Validvaluesare04094.Ifnot specified,SID0isassumed.

    9-42

    Spanning Tree Configuration

    clear spantree lp

    Defaults
    Ifnoportstringisspecified,statusisdisplayedforallports. IfnoSIDisspecified,SID0isassumed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayLoopProtectstatusonge.2.3:
    C2(su)->show spantree lp port ge.2.3 LoopProtect is disabled on port ge.2.3 , SI

    clear spantree lp
    UsethiscommandtoreturntheLoopProtectstatusperportandoptionally,perSID,toitsdefault stateofdisabled.

    Syntax
    clear spantree lp port-string [sid sid]

    Parameters
    portstring sidsid Specifiesport(s)forwhichtocleartheLoopProtectfeaturestatus. (Optional)SpecifiesthespecificSpanningTree(s)forwhichtoclearthe LoopProtectfeaturestatus.Validvaluesare04094.Ifnotspecified, SID0isassumed.

    Defaults
    IfnoSIDisspecified,SID0isassumed.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoreturntheLoopProtectstateonge.2.3todisabled:
    C2(rw)->clear spantree lp port ge.2.3

    show spantree lplock


    UsethiscommandtodisplaytheLoopProtectlockstatusperportand/orperSID.Aportcan becomelockedifaconfigurednumberofLoopProtecteventsoccurduringtheconfigured windowoftime.Seethesetspantreelpthresholdandsetspantreelpwindowcommands.Oncea portisforcedintoblocking(locked),itremainslockeduntilmanuallyunlockedwiththeclear spantreelplockcommand.

    Syntax
    show spantree lplock [port port-string] [sid sid]

    SecureStack C2 Configuration Guide

    9-43

    clear spantree lplock

    Parameters
    portstring sidsid (Optional)Specifiesport(s)forwhichtodisplaytheLoopProtectlock status. (Optional)SpecifiesthespecificSpanningTree(s)forwhichtodisplay theLoopProtectlockstatus.Validvaluesare04094.Ifnotspecified, SID0isassumed.

    Defaults
    Ifnoportstringisspecified,statusisdisplayedforallports. IfnoSIDisspecified,SID0isassumed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayLoopProtectlockstatusonge.1.1:
    C2(rw)->show spantree lplock port ge.1.1 The LoopProtect lock status for port ge.1.1 , SID 0 is UNLOCKED

    clear spantree lplock


    Usethiscommandtomanuallyunlockablockedportandoptionally,perSID.Thedefaultstateis unlocked.

    Syntax
    clear spantree lplock port-string [sid sid]

    Parameters
    portstring sidsid Specifiesport(s)forwhichtocleartheLoopProtectlock. (Optional)SpecifiesthespecificSpanningTree(s)forwhichtoclearthe LoopProtectlock.Validvaluesare04094.Ifnotspecified,SID0is assumed.

    Defaults
    IfnoSIDisspecified,SID0isassumed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtoclearLoopProtectlockfromge.1.1:
    C2(rw)->show spantree lplock port ge.1.1 The LoopProtect lock status for port ge.1.1 C2(rw)->clear spantree lplock ge.1.1 C2(rw)->show spantree lplock port ge.1.1 The LoopProtect lock status for port ge.1.1 , SID 0 is LOCKED

    , SID 0 is UNLOCKED

    9-44

    Spanning Tree Configuration

    set spantree lpcapablepartner

    set spantree lpcapablepartner


    UsethiscommandtospecifyperportwhetherthelinkpartnerisLoopProtectcapable.SeeLoop Protectonpage 2.formoreinformation.

    Syntax
    set spantree lpcapablepartner port-string {true | false}

    Parameters
    portstring true|false Specifiesport(s)forwhichtoconfigureaLoopProtectcapablelink partner. Specifieswhetherthelinkpartneriscapable(true)ornot(false).

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    ThedefaultvalueforLoopProtectcapablepartnerisfalse.IftheportisconfiguredwithaLoop Protectcapablepartner(true),thenthefullfunctionalityoftheLoopProtectfeatureisused.Ifthe valueisfalse,thenthereissomeambiguityastowhetheranActivePartnertimeoutisduetoa loopprotectioneventorisanormalsituationduetothefactthatthepartnerportdoesnot transmitAlternateAgreementBPDUs.Therefore,aconservativeapproachistakeninthat designatedportswillnotbeallowedtoforwardunlessreceivingagreementsfromaportwithroot role. Thistypeoftimeoutwillnotbeconsideredaloopprotectionevent.Loopprotectionismaintained bykeepingtheportfromforwardingbutsincethisisnotconsideredaloopeventitwillnotbe factoredintolockingtheport.

    Example
    ThisexampleshowshowtosettheLoopProtectcapablepartnertotrueforge.1.1:
    C2(rw)->set spantree lpcapablepartner ge.1.1 true

    show spantree lpcapablepartner


    UsethiscommandtotheLoopProtectcapabilityofalinkpartnerforoneormoreports.

    Syntax
    show spantree lpcapablepartner [port port-string]

    Parameters
    portstring (Optional)Specifiesport(s)forwhichtodisplayLoopProtectcapability foritslinkpartner.

    SecureStack C2 Configuration Guide

    9-45

    clear spantree lpcapablepartner

    Defaults
    Ifnoportstringisspecified,LoopProtectcapabilityforlinkpartnersisdisplayedforallports.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaytheLoopProtectpartnercapabilityforge.1.1:
    C2(rw)->show spantree lpcapablepartner port ge.1.1 Link partner of port ge.1.1 is not LoopProtect-capable

    clear spantree lpcapablepartner


    UsethiscommandtoresettheLoopProtectcapabilityofportlinkpartnerstothedefaultstateof false.

    Syntax
    clear spantree lpcapablepartner port-string

    Parameters
    portstring Specifiesport(s)forwhichtocleartheirlinkpartnersLoopProtect capability(resettofalse).

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoresettheLoopProtectpartnercapabilityforge.1.1:
    C2(rw)->clear spantree lpcapablepartner ge.1.1

    set spantree lpthreshold


    UsethiscommandtosettheLoopProtecteventthreshold.

    Syntax
    set spantree lpthreshold value

    Parameters
    value Specifiesthenumberofeventsthatmustoccurduringtheevent windowinordertolockaport/SID.Thedefaultvalueis3events.A thresholdof0specifiesthatportswillneverbelocked.

    9-46

    Spanning Tree Configuration

    show spantree lpthreshold

    Defaults
    None.Thedefaulteventthresholdis3.

    Mode
    Switchcommand,readwrite.

    Usage
    TheLoopProtecteventthresholdisaglobalintegervariablethatprovidesprotectioninthecaseof intermittentfailures.Thedefaultvalueis3.Iftheeventcounterreachesthethresholdwithina givenperiod(theeventwindow),thentheport,forthegivenSID,becomeslocked(thatis,held indefinitelyintheblockingstate).Ifthethresholdis0,theportsareneverlocked.

    Example
    ThisexampleshowshowtosettheLoopProtectthresholdvalueto4:
    C2(rw)->set spantree lpthreshold 4

    show spantree lpthreshold


    UsethiscommandtodisplaythecurrentvalueoftheLoopProtecteventthreshold.

    Syntax
    show spantree lpthreshold

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaythecurrentLoopProtectthresholdvalue:
    C2(rw)->show spantree lpthreshold The Loop Protect event threshold value is 4

    clear spantree lpthreshold


    UsethiscommandtoreturntheLoopProtecteventthresholdtoitsdefaultvalueof3.

    Syntax
    clear spantree lpthreshold

    Parameters
    None.

    SecureStack C2 Configuration Guide

    9-47

    set spantree lpwindow

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoresettheLoopProtecteventthresholdtothedefaultof3:
    C2(rw)->clear spantree lpthreshold

    set spantree lpwindow


    UsethiscommandtosettheLoopProtecteventwindowvalueinseconds.

    Syntax
    set spantree lpwindow value

    Parameters
    value Specifiesthenumberofsecondsthatcomprisetheperiodduringwhich LoopProtecteventsarecounted.Thedefaulteventwindowis180 seconds.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    TheLoopProtectWindowisatimervalue,inseconds,thatdefinesaperiodduringwhichLoop Protecteventsarecounted.Thedefaultvalueis180seconds.Ifthetimerissetto0,theevent counterisnotresetuntiltheLoopProtecteventthresholdisreached.Ifthethresholdisreached, thatconstitutesaloopprotectionevent.

    Example
    ThisexampleshowshowtosettheLoopProtecteventwindowto120seconds:
    C2(rw)->set spantree lpwindow 120

    show spantree lpwindow


    UsethiscommandtodisplaythecurrentLoopProtecteventwindowvalue.

    Syntax
    show spantree lpwindow

    9-48

    Spanning Tree Configuration

    clear spantree lpwindow

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaythecurrentLoopProtectwindowvalue:
    C2(rw)->show spantree lpwindow The Loop Protect event window is set to 120 seconds

    clear spantree lpwindow


    UsethiscommandtoresettheLoopProtecteventwindowtothedefaultvalueof180seconds.

    Syntax
    clear spantree lpwindow

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoresettheLoopProtecteventwindowtothedefaultof180seconds:
    C2(rw)->clear spantree lpwindow

    set spantree lptrapenable


    UsethiscommandtoenableordisableLoopProtecteventnotification.

    Syntax
    set spantree lptrapenable {enable | disable}

    Parameters
    enable|disable EnablesordisablesthesendingofLoopProtecttraps.Defaultis disabled.

    SecureStack C2 Configuration Guide

    9-49

    show spantree lptrapenable

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    LoopProtecttrapsaresentwhenaLoopProtecteventoccurs,thatis,whenaportgoestolistening duetonotreceivingBPDUs.Thetrapindicatesport,SIDandloopprotectionstatus.

    Example
    ThisexampleshowshowtoenablesendingofLoopProtecttraps:
    C2(rw)->set spantree lptrapenable enable

    show spantree lptrapenable


    UsethiscommandtodisplaythecurrentstatusofLoopProtecteventnotification.

    Syntax
    show spantree lptrapenable

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaythecurrentLoopProtecteventnotificationstatus:
    C2(rw)->show spantree lptrapenable The Loop Protect event notification status is enable

    clear spantree lptrapenable


    UsethiscommandtoreturntheLoopProtecteventnotificationstatetoitsdefaultstateof disabled.

    Syntax
    clear spantree lptrapenable

    Parameters
    None.

    9-50

    Spanning Tree Configuration

    set spantree disputedbpduthreshold

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoresettheLoopProtecteventnotificationstatetothedefaultof disabled.
    C2(rw)->clear spantree lptrapenable

    set spantree disputedbpduthreshold


    UsethiscommandtosetthedisputedBPDUthreshold,whichisthenumberofdisputedBPDUs thatmustbereceivedonagivenport/SIDuntiladisputedBPDUtrapissent.

    Syntax
    set spantree disputedbpduthreshold value

    Parameters
    value SpecifiesthenumberofdisputedBPDUsthatmustbereceivedona givenport/SIDtocauseadisputedBPDUtraptobesent. Athresholdof0indicatesthattrapsshouldnotbesent.Thedefault valueis0.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    AdisputedBPDUisoneinwhichtheflagsfieldindicatesadesignatedroleandlearning,andthe priorityvectorisworsethanthatalreadyheldbytheport.IfadisputedBPDUisreceivedtheport isforcedtothelisteningstate.Refertothe802.1Q2005standard,IEEEStandardforLocaland MetropolitanAreaNetworksVirtualBridgedLocalAreaNetworks,forafulldescriptionofthedispute mechanism,whichpreventsloopingincasesofonewaycommunication. ThedisputedBPDUthresholdisanintegervariablethatrepresentsthenumberofdisputed BPDUsthatmustbereceivedonagivenport/SIDuntiladisputedBPDUtrapissentandasyslog messageisissued.Forexample,ifthethresholdis10,thenatrapisissuedwhen10,20,30,andso on,disputedBPDUshavebeenreceived. Ifthevalueis0,trapsarenotsent.Thetrapindicatesport,SIDandtotalDisputedBPDUcount. Thedefaultis0.

    SecureStack C2 Configuration Guide

    9-51

    show spantree disputedbpduthreshold

    Example
    ThisexampleshowshowtosetthedisputedBPDUthresholdvalueto5:
    C2(rw)->set spantree disputedbpduthreshold 5

    show spantree disputedbpduthreshold


    UsethiscommandtodisplaythecurrentvalueofthedisputedBPDUthreshold.

    Syntax
    show spantree disputedbpduthreshold

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaythecurrentdisputedBPDUthreshold:
    C2(rw)->show spantree disputedbpduthreshold The disputed BPDU threshold value is 0

    clear spantree disputedbpduthreshold


    UsethiscommandtoreturnthedisputedBPDUthresholdtoitsdefaultvalueof0,meaningthat disputedBPDUtrapsshouldnotbesent.

    Syntax
    clear spantree disputedbpduthreshold

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoresetthedisputedBPDUthresholdtothedefaultof0:
    C2(rw)->clear spantree disputedbpduthreshold

    9-52

    Spanning Tree Configuration

    show spantree nonforwardingreason

    show spantree nonforwardingreason


    Usethiscommandtodisplaythereasonforplacingaportinanonforwardingstateduetoan exceptionalcondition.

    Syntax
    show spantree nonforwardingreason port-string [sid sid]

    Parameters
    portstring sidsid Specifiesport(s)forwhichtodisplaythenonforwardingreason. (Optional)SpecifiesthespecificSpanningTree(s)forwhichtodisplay thenonforwardingreason.Validvaluesare04094.Ifnotspecified, SID0isassumed.

    Defaults
    Ifnoportstringisspecified,nonforwardingreasonisdisplayedforallports. IfnoSIDisspecified,SID0isassumed.

    Mode
    Switchcommand,readonly.

    Usage
    ExceptionalconditionscausingaporttobeplacedinlisteningorblockingstateincludeaLoop Protectevent,receiptofdisputedBPDUs,andloopbackdetection.

    Example
    Thisexampleshowshowtodisplaythenonforwardingreasononge.1.1:
    C2(rw)->show spantree nonforwardingreason port ge.1.1 The non-forwarding reason for port ge.1.1 on SID 0 is None

    SecureStack C2 Configuration Guide

    9-53

    show spantree nonforwardingreason

    9-54

    Spanning Tree Configuration

    10
    802.1Q VLAN Configuration
    ThischapterdescribestheSecureStackC2systemscapabilitiestoimplement802.1QvirtualLANs (VLANs).
    For information about... VLAN Configuration Summary Viewing VLANs Creating and Naming Static VLANs Assigning Port VLAN IDs (PVIDs) and Ingress Filtering Configuring the VLAN Egress List Setting the Host VLAN Enabling/Disabling GVRP (GARP VLAN Registration Protocol) Refer to page... 10-1 10-2 10-5 10-8 10-13 10-18 10-20

    VLAN Configuration Summary


    VirtualLANsallowthenetworkadministratortopartitionnetworktrafficintologicalgroupsand controltheflowofthattrafficthroughthenetwork.Oncethetrafficand,ineffect,theusers creatingthetraffic,areassignedtoaVLAN,thenbroadcastandmulticasttrafficiscontained withintheVLANanduserscanbeallowedordeniedaccesstoanyofthenetworksresources. Also,someoralloftheportsonthedevicecanbeconfiguredasGVRPports,whichenableframes receivedwithaparticularVLANIDandprotocoltobetransmittedonalimitednumberofports. ThiskeepsthetrafficassociatedwithaparticularVLANandprotocolisolatedfromtheotherparts ofthenetwork.
    Note: The device can support up to 1024 802.1Q VLANs. The allowable range for VLAN IDs is 1 to 4093. As a default, all ports on the device are assigned to VLAN ID 1, untagged.

    Port String Syntax Used in the CLI


    ForinformationonhowtodesignateVLANsandportnumbersintheCLIsyntax,refertoPort StringSyntaxUsedintheCLIonpage 72.

    Creating a Secure Management VLAN


    Bydefaultatstartup,thereisoneVLANconfiguredontheSecureStackC2device.ItisVLANID 1,theDEFAULTVLAN.Thedefaultcommunityname,whichdeterminesremoteaccessforSNMP management,issettopublicwithreadwriteaccess.

    SecureStack C2 Configuration Guide

    10-1

    Viewing VLANs

    IftheSecureStackC2deviceistobeconfiguredformultipleVLANs,itmaybedesirableto configureamanagementonlyVLAN.ThisallowsastationconnectedtothemanagementVLAN tomanagethedevice.Italsomakesmanagementsecurebypreventingconfigurationviaports assignedtootherVLANs. TocreateasecuremanagementVLAN,youmust:


    Step 1. 2. 3. 4. 5. Task Create a new VLAN. Set the PVID for the desired switch port to the VLAN created in Step 1. Add the desired switch port to the egress list for the VLAN created in Step 1. Assign host status to the VLAN. Set a private community name and access policy. Refer to page... 10-5 10-9 10-15 10-18 8-14

    ThecommandsusedtocreateasecuremanagementVLANarelistedinTable 101.Thisexample assumesthemanagementstationisattachedtoge.1.1andwantsuntaggedframes. Theprocessdescribedherewouldberepeatedoneverydevicethatisconnectedinthenetworkto ensurethateachdevicehasasecuremanagementVLAN. Table 10-1


    To do this... Create a new VLAN and confirm settings.

    Command Set for Creating a Secure Management VLAN


    Use these commands... set vlan create 2 (set vlan on page 10-5) (Optional) show vlan 2 (show vlan on page 10-3)

    Set the PVID to the new VLAN. Add the port to the new VLANs egress list. Remove the port from the default VLANs egress list. Assign host status to the VLAN. Set a private community name and access policy and confirm settings.

    set port vlan ge.1.1 2 (set port vlan on page 10-9) set vlan egress 2 ge.1.1 untagged (set vlan egress on page 10-15) clear vlan egress 1 ge.1.1 (clear vlan egress on page 10-15) set host vlan 2 (set host vlan on page 10-18) set snmp community private (set snmp community on page 8-14) (Optional) show snmp community (show snmp community on page 8-13)

    Viewing VLANs
    Purpose
    TodisplayalistofVLANscurrentlyconfiguredonthedevice,todeterminehowoneormore VLANswerecreated,theportsallowedanddisallowedtotransmittrafficbelongingtoVLAN(s), andifthoseportswilltransmitthetrafficwithaVLANtagincluded.

    10-2

    802.1Q VLAN Configuration

    show vlan

    Command
    For information about... show vlan Refer to page... 10-3

    show vlan
    UsethiscommandtodisplayallinformationrelatedtooneormoreVLANs.

    Syntax
    show vlan [static] [vlan-list] [portinfo [vlan vlan-list | vlan-name] [port portstring]]

    Parameters
    static (Optional)DisplaysinformationrelatedtostaticVLANs.StaticVLANsare manuallycreatedusingthesetvlancommand(setvlanonpage 105), SNMPMIBs,ortheWebViewmanagementapplication.ThedefaultVLAN, VLAN1,isalwaysstaticallyconfiguredandcantbedeleted.Onlyports thatuseaspecifiedVLANastheirdefaultVLAN(PVID)willbedisplayed. (Optional)DisplaysinformationforaspecificVLANorrangeofVLANs. (Optional)DisplaysVLANattributesrelatedtooneormoreports. (Optional)DisplaysportinformationforoneormoreVLANs. (Optional)Displaysportinformationforoneormoreports.

    vlanlist portinfo vlanvlanlist| vlanname portportstring

    Defaults
    Ifnooptionsarespecified,allinformationrelatedtostaticanddynamicVLANswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayinformationforVLAN1.Inthiscase,VLAN1isnamed DEFAULTVLAN.PortsallowedtotransmitframesbelongingtoVLAN1arelistedasegress ports.PortsthatwontincludeaVLANtagintheirtransmittedframesarelistedasuntagged ports.Therearenoforbiddenports(preventedfromtransmittedframes)onVLAN1:
    C2(su)->show vlan 1 VLAN: 1 NAME: DEFAULT VLAN VLAN Type: Default Egress Ports ge.1.1-10, ge.2.1-4, ge.3.1-7, Forbidden Egress Ports None. Untagged Ports ge.1.1-10, ge.2.1-4, ge.3.1-7,

    Table 102providesanexplanationofthecommandoutput.

    SecureStack C2 Configuration Guide

    10-3

    show vlan

    Table 10-2
    Output Field VLAN NAME Status VLAN Type Egress Ports

    show vlan Output Details


    What It Displays... VLAN ID. Name assigned to the VLAN. Whether it is enabled or disabled. Whether it is permanent (static) or dynamic. Ports configured to transmit frames for this VLAN. Ports prevented from transmitting frames for this VLAN. Ports configured to transmit untagged frames for this VLAN.

    Forbidden Egress Ports Untagged Ports

    10-4

    802.1Q VLAN Configuration

    Creating and Naming Static VLANs

    Creating and Naming Static VLANs


    Purpose
    TocreateanewstaticVLAN,ortoenableordisableexistingVLAN(s).

    Commands
    For information about... set vlan set vlan name clear vlan clear vlan name Refer to page... 10-5 10-6 10-6 10-7

    set vlan
    UsethiscommandtocreateanewstaticIEEE802.1QVLAN,ortoenableordisableanexisting VLAN.

    Syntax
    set vlan {create | enable | disable} vlan-list

    Parameters
    create|enable| disable vlanlist Creates,enablesordisablesVLAN(s). SpecifiesoneormoreVLANIDstobecreated,enabledordisabled.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    OnceaVLANiscreated,youcanassignitanameusingthesetvlannamecommanddescribedin setvlannameonpage 106. EachVLANIDmustbeunique.IfaduplicateVLANIDisentered,thedeviceassumesthatthe AdministratorintendstomodifytheexistingVLAN. EntertheVLANIDusingauniquenumberbetween1and4093.TheVLANIDsof0and4094and highermaynotbeusedforuserdefinedVLANs.

    Examples
    ThisexampleshowshowtocreateVLAN3:
    C2(su)->set vlan create 3
    SecureStack C2 Configuration Guide 10-5

    set vlan name

    set vlan name


    UsethiscommandtosetorchangetheASCIInameforaneworexistingVLAN.

    Syntax
    set vlan name vlan-list vlan-name

    Parameters
    vlanlist vlanname SpecifiestheVLANIDoftheVLAN(s)tobenamed. SpecifiesthestringusedasthenameoftheVLAN(1to32characters).

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetthenameforVLAN7togreen:
    C2(su)->set vlan name 7 green

    clear vlan
    UsethiscommandtoremoveastaticVLANfromthelistofVLANsrecognizedbythedevice.

    Syntax
    clear vlan vlan-list

    Parameters
    vlanlist SpecifiestheVLANIDoftheVLAN(s)toberemoved.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoremoveastaticVLAN9fromthedevicesVLANlist:
    C2(su)->clear vlan 9

    10-6

    802.1Q VLAN Configuration

    clear vlan name

    clear vlan name


    UsethiscommandtoremovethenameofaVLANfromtheVLANlist.

    Syntax
    clear vlan name vlan-list

    Parameters
    vlanlist SpecifiestheVLANIDoftheVLAN(s)forwhichthenamewillbecleared.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoclearthenameforVLAN9:
    C2(su)->clear vlan name 9

    SecureStack C2 Configuration Guide

    10-7

    Assigning Port VLAN IDs (PVIDs) and Ingress Filtering

    Assigning Port VLAN IDs (PVIDs) and Ingress Filtering


    Purpose
    ToassigndefaultVLANIDstountaggedframesononeormoreports,toconfigureVLANingress filteringandconstraints,andtosettheframediscardmode.

    Commands
    For information about... show port vlan set port vlan clear port vlan show port ingress filter set port ingress filter show port discard set port discard Refer to page... 10-8 10-9 10-9 10-10 10-11 10-11 10-12

    show port vlan


    UsethiscommandtodisplayportVLANidentifier(PVID)information.PVIDdeterminesthe VLANtowhichalluntaggedframesreceivedononeormoreportswillbeclassified.

    Syntax
    show port vlan [port-string]

    Parameters
    portstring (Optional)DisplaysPVIDinformationforspecificport(s).Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    Defaults
    Ifportstringisnotspecified,portVLANinformationforallportswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayPVIDsassignedtoge.2.1through6.Inthiscase,untagged framesreceivedontheseportswillbeclassifiedtoVLAN1:
    C2(su)->show port vlan ge.2.1-6 ge.2.1 is set to 1 ge.2.2 is set to 1 ge.2.3 is set to 1 ge.2.4 is set to 1
    10-8 802.1Q VLAN Configuration

    set port vlan

    ge.2.5 is set to 1 ge.2.6 is set to 1

    set port vlan


    UsethiscommandtoconfigurethePVID(portVLANidentifier)foroneormoreports.

    Syntax
    set port vlan port-string pvid [modify-egress | no-modify-egress]

    Parameters
    portstring Specifiestheport(s)forwhichtoconfigureaVLANidentifier.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72. SpecifiestheVLANIDoftheVLANtowhichport(s)willbeadded. (Optional)Addsport(s)toVLANsuntaggedegresslistandremovesthem fromotheruntaggedegresslists. (Optional)Doesnotpromptforormakeegresslistchanges.

    pvid modifyegress nomodifyegress

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    ThePVIDisusedtoclassifyuntaggedframesastheyingressintoagivenport.

    Example
    Thisexampleshowshowtoaddge.1.10totheportVLANlistofVLAN4(PVID4).
    C2(su)->set vlan create 4 C2(su)->set port vlan ge.1.10 4 modify-egress

    clear port vlan


    Usethiscommandtoresetaports802.1QportVLANID(PVID)tothehostVLANID1.
    Note: The following command will reset the specified ports egress status to tagged. To set the specified ports back to the default egress status of untagged, you must issue the set port vlan command as described on page 10-9.

    Syntax
    clear port vlan port-string

    SecureStack C2 Configuration Guide

    10-9

    show port ingress filter

    Parameters
    portstring Specifiestheport(s)toberesettothehostVLANID1.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoresetportsge.1.3through11toaVLAN IDof1(HostVLAN):
    C2(su)->clear port vlan ge.1.3-11

    show port ingress filter


    Usethiscommandtoshowallportsthatareenabledforportingressfiltering,whichlimits incomingVLANIDframesaccordingtoaportVLANegresslist.IftheVLANIDspecifiedinthe receivedframeisnotontheportsVLANegresslist,thenthatframeisdroppedandnot forwarded.

    Syntax
    show port ingress-filter [port-string]

    Parameters
    portstring (Optional)Specifiestheport(s)forwhichtodisplayingressfilteringstatus. Foradetaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72.

    Defaults
    Ifportstringisnotspecified,ingressfilteringstatusforallportswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaytheportingressfilterstatusforports10through15inslot1. Inthiscase,theportsaredisabledforingressfiltering:
    C2(su)->show port ingress-filter ge.1.10-15 Port State -------- --------ge.1.10 disabled ge.1.11 disabled ge.1.12 disabled ge.1.13 disabled ge.1.14 disabled ge.1.15 disabled

    10-10

    802.1Q VLAN Configuration

    set port ingress filter

    set port ingress filter


    UsethiscommandtodiscardallframesreceivedwithaVLANIDthatdontmatchtheports VLANegresslist.

    Syntax
    set port ingress-filter port-string {disable | enable}

    Parameters
    portstring Specifiestheport(s)onwhichtoenableofdisableingressfiltering.Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72. Disablesorenablesingressfiltering.

    disable|enable

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Wheningressfilteringisenabledonaport,theVLANIDsofincomingframesarecomparedtothe portsegresslist.IfthereceivedVLANIDdoesnotmatchaVLANIDontheportsegresslist,then theframeisdropped. IngressfilteringisimplementedaccordingtotheIEEE802.1Qstandard.

    Example
    Thisexampleshowshowtoenableportingressfilteringonge.1.3:
    C2(su)->set port ingress-filter ge.1.3 enable

    show port discard


    Usethiscommandtodisplaytheframediscardmodeforoneormoreports.Portscanbesetto discardframesbasedonwhetherornottheframecontainsaVLANtag.Theycanalsobesetto discardbothtaggedanduntaggedframes,orneither.

    Syntax
    show port discard [port-string]

    Parameters
    portstring (Optional)Displaystheframediscardmodeforspecificport(s).Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72.

    Defaults
    If port-string is not specified, frame discard mode will be displayed for all ports.

    SecureStack C2 Configuration Guide

    10-11

    set port discard

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaytheframediscardmodeforge.2.7.Inthiscase,theporthas beensettodiscardalltaggedframes:
    C2(su)->show port discard ge.2.7 Port Discard Mode ------------ ------------ge.2.7 tagged

    set port discard


    Usethiscommandtosettheframediscardmodeononeormoreports.

    Syntax
    set port discard port-string {tagged | untagged | both | none}

    Parameters
    portstring Specifiestheport(s)forwhichtosetframediscardmode.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72. TaggedDiscardallincoming(received)taggedpacketsonthedefined port(s). UntaggedDiscardallincominguntaggedpackets. BothAlltrafficwillbediscarded(taggedanduntagged). NoneNopacketswillbediscarded.

    tagged| untagged|both| none

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Theoptionsaretodiscardallincomingtaggedframes,allincominguntaggedframes,neither (essentiallyallowalltraffic),orboth(essentiallydiscardingalltraffic). Acommonpracticeistodiscardalltaggedpacketonuserports.TypicallyanAdministratordoes notwanttheendusersdefiningwhatVLANtheyuseforcommunication.

    Example
    Thisexampleshowshowtodiscardalltaggedframesreceivedonportge.3.3:
    C2(su)->set port discard ge.3.3 tagged

    10-12

    802.1Q VLAN Configuration

    Configuring the VLAN Egress List

    Configuring the VLAN Egress List


    Purpose
    ToassignorremoveportsontheegresslistofaparticularVLAN.Thisdetermineswhichportson theswitchwillbeeligibletotransmitframesforaparticularVLAN.Forexample,ports1,5,7,8 couldbeallowedtotransmitframesbelongingtoVLAN20andports7,8,9,10couldbeallowedto transmitframestaggedwithVLAN30(aportcanbelongtomultipleVLANEgresslists).Note thatthePortEgresslistforports7and8wouldcontainbothVLAN20and30. Theportegresstypeforallportscanbesettotagged,forbidden,oruntagged.Ingeneral,VLANs havenoegress(exceptforVLAN1)untiltheyareconfiguredbystaticadministration,orthrough dynamicmechanismssuchasGVRP. SettingaporttoforbiddenpreventsitfromparticipatinginthespecifiedVLANandensuresthat anydynamicrequests(eitherthroughGVRPordynamicegress)fortheporttojointheVLANwill beignored.Settingaporttountaggedallowsittotransmitframeswithoutatagheader.This settingisusuallyusedtoconfigureaportconnectedtoanenduserdevice.Framessentbetween VLANawareswitchesaretypicallytagged. ThedefaultVLANdefaultsitsegresstountaggedforallports.

    Commands
    For information about... show port egress set vlan forbidden set vlan egress clear vlan egress show vlan dynamicegress set vlan dynamicegress Refer to page... 10-13 10-14 10-15 10-15 10-16 10-17

    show port egress


    UsethiscommandtodisplaytheVLANmembershipforoneormoreports.

    Syntax
    show port egress [port-string]

    Parameters
    portstring (Optional)DisplaysVLANmembershipforspecificport(s).Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    Defaults
    Ifportstringisnotspecified,VLANmembershipwillbedisplayedforallports.

    SecureStack C2 Configuration Guide

    10-13

    set vlan forbidden

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowsyouhowtoshowVLANegressinformationforge.1.1through3.Inthiscase, allthreeportsareallowedtotransmitVLAN1framesastaggedandVLAN10framesas untagged.BotharestaticVLANs:
    C2(su)->show port egress ge.1.1-3 Port Vlan Egress Registration Number Id Status Status ------------------------------------------------------ge.1.1 1 tagged static ge.1.1 10 untagged static ge.1.2 1 tagged static ge.1.2 10 untagged static ge.1.3 1 tagged static ge.1.3 10 untagged static

    set vlan forbidden


    UsethiscommandtopreventoneormoreportsfromparticipatinginaVLAN.Thissetting instructsthedevicetoignoredynamicrequests(eitherthroughGVRPordynamicegress)forthe porttojointheVLAN.

    Syntax
    set vlan forbidden vlan-id port-string

    Parameters
    vlanid portstring SpecifiestheVLANforwhichtosetforbiddenport(s). Specifiestheport(s)tosetasforbiddenforthespecifiedvlanid.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowsyouhowtosetge.1.3toforbiddenforVLAN6:
    C2(su)->set vlan forbidden 6 ge.1.3

    10-14

    802.1Q VLAN Configuration

    set vlan egress

    set vlan egress


    UsethiscommandtoaddportstotheVLANegresslistforthedevice,ortopreventoneormore portsfromparticipatinginaVLAN.Thisdetermineswhichportswilltransmitframesfora particularVLAN.

    Syntax
    set vlan egress vlan-list port-string [untagged | forbidden | tagged]

    Parameters
    vlanlist portstring
    Specifies the VLAN where a port(s) will be added to the egress list.

    SpecifiesoneormoreportstoaddtotheVLANegresslistofthespecified vlanlist.Foradetaileddescriptionofpossibleportstringvalues,referto PortStringSyntaxUsedintheCLIonpage 72. (Optional)Addsthespecifiedportsas: untaggedCausestheport(s)totransmitframeswithoutanIEEE 802.1Qheadertag. forbiddenInstructsthedevicetoignoredynamicrequests(either throughGVRPordynamicegress)fromtheport(s)tojointheVLAN anddisallowsegressonthatport. taggedCausestheport(s)totransmit802.1Qtaggedframes.

    untagged| forbidden| tagged

    Defaults
    Ifuntagged,forbiddenortaggedisnotspecified,theportwillbeaddedtotheVLANegresslist astagged.

    Mode
    Switchcommand,readwrite.

    Examples
    Thisexampleshowshowtoaddge.1.5through10totheegresslistofVLAN7.Thismeansthat theseportswilltransmitVLAN7framesastagged:
    C2(su)->set vlan egress 7 ge.1.5-10 untagged

    Thisexampleshowshowtoforbidports13through15inslot1fromjoiningVLAN7anddisallow egressonthoseports:
    C2(su)->set vlan egress 7 ge.1.13-15 forbidden

    Thisexampleshowshowtoallowport2inslot1totransmitVLAN7framesasuntagged:
    C2(su)->set vlan egress 7 ge.1.2 untagged

    clear vlan egress


    UsethiscommandtoremoveportsfromaVLANsegresslist.
    Note: The following command will reset the specified ports egress status to tagged. To set the specified ports back to the default egress status of untagged, you must issue the set vlan egress command as described on page 10-15.

    SecureStack C2 Configuration Guide

    10-15

    show vlan dynamicegress

    Syntax
    clear vlan egress vlan-list port-string [forbidden]

    Parameters
    vlanlist portstring SpecifiesthenumberoftheVLANfromwhichaport(s)willberemoved fromtheegresslist. SpecifiesoneormoreportstoberemovedfromtheVLANegresslistofthe specifiedvlanlist.Foradetaileddescriptionofpossibleportstringvalues, refertoPortStringSyntaxUsedintheCLIonpage 72. (Optional)Clearstheforbiddensettingfromthespecifiedport(s)andresets theport(s)asabletoegressframesifsoconfiguredbyeitherstaticor dynamicmeans.

    forbidden

    Defaults
    Ifforbiddenisnotspecified,taggedanduntaggedsettingswillbecleared.

    Mode
    Switchcommand,readwrite.

    Examples
    Thisexampleshowshowtoremovege.3.14fromtheegresslistofVLAN 9:
    C2(su)->clear vlan egress 9 ge.3.14

    ThisexampleshowshowtoremoveallEthernetportsinslot2fromtheegresslistofVLAN4:
    C2(su)->clear vlan egress 4 ge.2.*

    show vlan dynamicegress


    Usethiscommandtodisplaythestatusofdynamicegress(enabledordisabled)foroneormore VLANs.

    Syntax
    show vlan dynamicegress [vlan-list]

    Parameters
    vlanlist (Optional)DisplaysdynamicegressstatusforspecificVLAN(s).

    Defaults
    Ifvlanlistisnotspecified,thedynamicegressstatusforallVLANswillbedisplayed.

    Mode
    Switchcommand,readwrite.

    10-16

    802.1Q VLAN Configuration

    set vlan dynamicegress

    Example
    ThisexampleshowshowtodisplaythedynamicegressstatusforVLANs5055:
    C2(rw)->show vlan dynamicegress 50-55 VLAN 50 is disabled VLAN 51 is disabled VLAN 52 is disabled VLAN 53 is enabled VLAN 54 is enabled VLAN 55 is enabled

    set vlan dynamicegress


    UsethiscommandtoadministrativelysetthedynamicegressstatusforoneormoreVLANs.

    Syntax
    set vlan dynamicegress vlan-list {enable | disable}

    Parameters
    vlanlist enable|disable SpecifiestheVLANsbyIDtoenableordisabledynamicegress. Enablesordisablesdynamicegress.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    IfdynamicegressisenabledforaparticularVLAN,whenaportreceivesaframetaggedwiththat VLANsID,theswitchwilladdthereceivingporttothatVLANsegresslist.Dynamicegressis disabledontheSecureStackC2bydefault. Forexample,assumeyouhave20AppleTalkusersonyournetworkwhoaremobileusers(thatis, usedifferentportseveryday),butyouwanttokeeptheAppleTalktrafficisolatedinitsown VLAN.YoucancreateanAppleTalkVLANwithaVLANIDof55withaclassificationrulethatall AppleTalktrafficgetstaggedwithVLANID55.Then,youenabledynamicegressforVLAN55. Now,whenanAppleTalkuserplugsintoportge.3.5andsendsanAppleTalkpacket,theswitch willtagthepackettoVLAN55andalsoaddportge.3.5toVLAN55segresslist,whichallowsthe AppleTalkusertoreceiveAppleTalktraffic.

    Example
    ThisexampleshowshowtoenabledynamicegressonVLAN55:
    C2(rw)->set vlan dynamicegress 55 enable

    SecureStack C2 Configuration Guide

    10-17

    Setting the Host VLAN

    Setting the Host VLAN


    Purpose
    ToconfigureahostVLANthatonlyselectdevicesareallowedtoaccess.Thissecuresthehostport formanagementonlytasks.
    Note: The host port is the management entity of the device. Refer to Creating a Secure Management VLAN on page 10-1 for more information.

    Commands
    For information about... show host vlan set host vlan clear host vlan Refer to page... 10-18 10-18 10-19

    show host vlan


    UsethiscommandtodisplaythecurrenthostVLAN.

    Syntax
    show host vlan

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaythehostVLAN:
    C2(su)->show host vlan Host vlan is 7.

    set host vlan


    UsethiscommandtoassignhoststatustoaVLAN.

    Syntax
    set host vlan vlan-id

    10-18

    802.1Q VLAN Configuration

    clear host vlan

    Parameters
    vlanid SpecifiesthenumberoftheVLANtosetasthehostVLAN.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    ThehostVLANshouldbeasecureVLANwhereonlydesignatedusersareallowedaccess.For example,ahostVLANcouldbespecificallycreatedfordevicemanagement.Thiswouldallowa managementstationconnectedtothemanagementVLANtomanageallportsonthedeviceand makemanagementsecurebypreventingmanagementviaportsassignedtootherVLANs.
    Note: Before you can designate a VLAN as the host VLAN, you must create a VLAN using the set of commands described in Creating and Naming Static VLANs on page 10-5.

    Example
    ThisexampleshowshowtosetVLAN7asthehostVLAN:
    C2(su)->set host vlan 7

    clear host vlan


    UsethiscommandtoresetthehostVLANtothedefaultsettingof1.

    Syntax
    clear host vlan

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetthehostVLANtothedefaultsetting:
    C2(su)->clear host vlan

    SecureStack C2 Configuration Guide

    10-19

    Enabling/Disabling GVRP (GARP VLAN Registration Protocol)

    Enabling/Disabling GVRP (GARP VLAN Registration Protocol)


    About GARP VLAN Registration Protocol (GVRP)
    Thefollowingsectionsdescribethedeviceoperationwhenitsportsareoperatingunderthe GenericAttributeRegistrationProtocol(GARP)applicationGARPVLANRegistrationProtocol (GVRP).

    Overview
    ThepurposeofGVRPistodynamicallycreateVLANsacrossaswitchednetwork.WhenaVLAN isdeclared,theinformationistransmittedoutGVRPconfiguredportsonthedeviceinaGARP formattedframeusingtheGVRPmulticastMACaddress.Aswitchthatreceivesthisframe, examinestheframe,andextractstheVLANIDs.GVRPthencreatestheVLANsandaddsthe receivingporttoitstaggedmemberlistfortheextractedVLANID(s).Theinformationisthen transmittedouttheotherGVRPconfiguredportsofthedevice.Figure 101showsanexampleof howVLANbluefromendstationAwouldbepropagatedacrossaswitchnetwork.

    How It Works
    InFigure 101onpage 1021,Switch4,port1isregisteredasbeingamemberofVLANBlueand thendeclaresthisfactoutallitsports(2and3)toSwitch1andSwitch 2.Thesetwodevices registerthisintheportegresslistsoftheports(Switch1,port1andSwitch2,port1)thatreceived theframeswiththeinformation.Switch2,whichisconnectedtoSwitch3andSwitch5declares thesameinformationtothosetwodevicesandtheportegresslistofeachportisupdatedwiththe newinformation,accordingly. ConfiguringaVLANonan802.1QswitchcreatesastaticVLANentry.Theentrywillalways remainregisteredandwillnottimeout.However,dynamicentrieswilltimeoutandtheir registrationswillberemovedfromthememberlistiftheendstationAisremoved.Thisensures that,ifswitchesaredisconnectedorifendstationsareremoved,theregisteredinformation remainsaccurate. TheendresultisthattheportegresslistofaportisupdatedwithinformationaboutVLANsthat resideonthatport,eveniftheactualstationontheVLANisseveralhopsaway.

    10-20

    802.1Q VLAN Configuration

    Enabling/Disabling GVRP (GARP VLAN Registration Protocol)

    Figure 10-1

    Example of VLAN Propagation via GVRP


    Switch 2 Switch 3

    1 Switch 1

    R 2D

    2 End Station A

    D 3 D

    Switch 4

    R Switch 5

    R D

    = Port registered as a member of VLAN Blue = Port declaring VLAN Blue

    Purpose
    TodynamicallycreateVLANsacrossaswitchednetwork.TheGVRPcommandsetisusedto displayGVRPconfigurationinformation,thecurrentglobalGVRPstatesetting,individualport settings(enableordisable)andtimersettings.Bydefault,GVRPisenabledgloballyonthedevice, butdisabledonallports.

    Commands
    For information about... show gvrp show garp timer set gvrp clear gvrp set garp timer Refer to page... 10-22 10-22 10-23 10-24 10-24

    SecureStack C2 Configuration Guide

    10-21

    show gvrp

    show gvrp
    UsethiscommandtodisplayGVRPconfigurationinformation.

    Syntax
    show gvrp [port-string]

    Parameters
    portstring (Optional)DisplaysGVRPconfigurationinformationforspecificport(s).For adetaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72.

    Defaults
    Ifportstringisnotspecified,GVRPconfigurationinformationwillbedisplayedforallportsand thedevice.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayGVRPstatusforthedeviceandforfw.2.1:
    C2(su)->show gvrp ge.2.1 Global GVRP status is enabled. Port Number ----------ge.2.1 GVRP status ----------disabled

    show garp timer


    UsethiscommandtodisplayGARPtimervaluesforoneormoreports.

    Syntax
    show garp timer [port-string]

    Parameters
    portstring (Optional)DisplaysGARPtimerinformationforspecificport(s).Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72.

    Defaults
    Ifportstringisnotspecified,GARPtimerinformationwillbedisplayedforallports.

    Mode
    Switchcommand,readonly.

    10-22

    802.1Q VLAN Configuration

    set gvrp

    Example
    ThisexampleshowshowtodisplayGARPtimerinformationonports1through10inslot1:
    Note: For a functional description of the terms join, leave, and leaveall timers, refer to the standard IEEE 802.1Q documentation, which is not supplied with this device. C2(su)->show garp timer ge.1.1-10 Port based GARP Configuration: (Timer units are centiseconds) Port Number Join Leave Leaveall ----------- ---------- ---------- ---------ge.1.1 20 60 1000 ge.1.2 20 60 1000 ge.1.3 20 60 1000 ge.1.4 20 60 1000 ge.1.5 20 60 1000 ge.1.6 20 60 1000 ge.1.7 20 60 1000 ge.1.8 20 60 1000 ge.1.9 20 60 1000 ge.1.10 20 60 1000

    Table 103providesanexplanationofthecommandoutput.Fordetailsonusingthesetgvrp commandtoenableordisableGVRP,refertosetgvrponpage 1023.Fordetailsonusingtheset garptimercommandtochangedefaulttimervalues,refertosetgarptimeronpage 1024. Table 10-3


    Output Field Port Number Join Leave Leaveall

    show gvrp configuration Output Details


    What It Displays... Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 7-2. Join timer setting. Leave timer setting. Leavall timer setting.

    set gvrp
    UsethiscommandtoenableordisableGVRPgloballyonthedeviceorononeormoreports.

    Syntax
    set gvrp {enable | disable} [port-string]

    Parameters
    disable| enable portstring DisablesorenablesGVRPonthedevice. (Optional)DisablesorenablesGVRPonspecificport(s).Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsedin theCLIonpage 72.

    Defaults
    Ifportstringisnotspecified,GVRPwillbedisabledorenabledforallports.

    SecureStack C2 Configuration Guide

    10-23

    clear gvrp

    Mode
    Switchcommand,readwrite.

    Examples
    ThisexampleshowshowtoenableGVRPgloballyonthedevice:
    C2(su)->set gvrp enable

    ThisexampleshowshowtodisableGVRPgloballyonthedevice:
    C2(su)->set gvrp disable

    ThisexampleshowshowtoenableGVRPonge.1.3:
    C2(su)->set gvrp enable ge.1.3

    clear gvrp
    UsethiscommandtoclearGVRPstatusorononeormoreports.

    Syntax
    clear gvrp [port-string]

    Parameters
    portstring (Optional)ClearsGVRPstatusonspecificport(s).Foradetaileddescriptionof possibleportstringvalues,refertoPortStringSyntaxUsedintheCLIon page 72.

    Defaults
    Ifportstringisnotspecified,GVRPstatuswillbeclearedforallports.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoclearGVRPstatusgloballyonthedevice:
    C2(su)->clear gvrp

    set garp timer


    Usethiscommandtoadjustthevaluesofthejoin,leave,andleavealltimers.

    Syntax
    set garp timer {[join timer-value] [leave timer-value] [leaveall timer-value]} port-string

    Parameters
    jointimervalue leavetimervalue SetstheGARPjointimerincentiseconds(Referto802.1Qstandard.) SetstheGARPleavetimerincentiseconds(Referto802.1Qstandard.)

    10-24

    802.1Q VLAN Configuration

    set garp timer

    leavealltimer value portstring

    SetstheGARPleavealltimerincentiseconds(Referto802.1Qstandard.) Specifiestheport(s)onwhichtoconfigureGARPtimersettings.Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Thesettingofthesetimersiscriticalandshouldonlybechangedbypersonnelfamiliarwiththe 802.1Qstandardsdocumentation,whichisnotsuppliedwiththisdevice.

    Examples
    ThisexampleshowshowtosettheGARPjointimervalueto100centisecondsforallports:
    C2(su)->set garp timer join 100 *.*.*

    Thisexampleshowshowtosettheleavetimervalueto300centisecondsforallports:
    C2(su)->set garp timer leave 300 *.*.*

    Thisexampleshowshowtosettheleavealltimervalueto20000centisecondsforallports:
    C2(su)->set garp timer leaveall 20000 *.*.*

    SecureStack C2 Configuration Guide

    10-25

    set garp timer

    10-26

    802.1Q VLAN Configuration

    11
    Policy Classification Configuration
    ThischapterdescribesthePolicyClassificationsetofcommandsandhowtousethem.
    For information about... Policy Classification Configuration Summary Configuring Policy Profiles Configuring Classification Rules Assigning Ports to Policy Profiles Configuring Policy Class of Service (CoS) Refer to page... 11-1 11-1 11-6 11-15 11-17

    Policy Classification Configuration Summary


    SecureStackC2devicessupportpolicyprofilebasedprovisioningofnetworkresourcesby allowingITadministratorsto: Create,changeorremovepolicyprofilesbasedonbusinessspecificuseofnetworkservices. Permitordenyaccesstospecificservicesbycreatingandassigningclassificationruleswhich mapuserprofilestoprotocolbasedframefilteringpoliciesconfiguredforaparticularVLAN orClassofService(CoS). Assignorunassignportstopolicyprofilessothatonlyportsactivatedforaprofilewillbe allowedtotransmitframesaccordingly.
    Note: It is recommended that you use Enterasys Networks NetSight Policy Manager as an alternative to CLI for configuring policy classification on the SecureStack C2 devices.

    Configuring Policy Profiles


    Purpose
    Toreview,create,changeandremoveuserprofilesthatrelatetobusinessdrivenpoliciesfor managingnetworkresources.
    Note: B3, C3, and G3 devices support profile-based CoS traffic rate limiting only. Policy rules specifying CoS will only rate limit on D2, C2 and B2 devices, including when C2 and B2 devices are configured on mixed stacks containing B3 and C3 devices.

    SecureStack C2 Configuration Guide

    11-1

    show policy profile

    Commands
    For information about... show policy profile set policy profile clear policy profile Refer to page... 11-2 11-3 11-4

    show policy profile


    Usethiscommandtodisplaypolicyprofileinformation.

    Syntax
    show policy profile {all | profile-index [consecutive-pids] [-verbose]}

    Parameters
    all|profileindex consecutivepids verbose Displayspolicyinformationforallprofileindexesoraspecificprofileindex. (Optional)Displaysinformationforspecifiedconsecutiveprofileindexes. (Optional)Displaysdetailedinformation.

    Defaults
    Ifoptionalparametersarenotspecified,summaryinformationwillbedisplayedforthespecified indexorallindices.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaypolicyinformationforprofile11:
    C2(su)->show policy profile 11 Profile Index : 11 Profile Name : MacAuth1 Row Status : active Port VID Status : Enable Port VID Override : 11 CoS : 0 CoS Status : Disable Egress Vlans : none Forbidden Vlans : none Untagged Vlans : none Rule Precedence : 1-31 :MACSource(1),MACDest(2),Unknown(3), :Unknown(4),Unknown(5),Unknown(6), :Unknown(7),Unknown(8),Unknown(9), :Unknown(10),Unknown(11),IPSource(12), :IPDest(13),IPFrag(14),UDPSrcPort(15), :UDPDestPort(16),TCPSrcPort(17),TCPDestPort(18), :ICMPType(19),Unknown(20),IPTOS(21), :IPProto(22),Unknown(23),Unknown(24), :Ether(25),Unknown(26),VLANTag(27),

    11-2

    Policy Classification Configuration

    set policy profile

    Admin Profile Usage Oper Profile Usage Dynamic Profile Usage

    :Unknown(28),Unknown(29),Unknown(30), :port(31) : none : none : none

    Table 111providesanexplanationofthecommandoutput. Table 11-1


    Output Field Profile Index Profile Name Row Status Port VID Status

    show policy profile Output Details


    What It Displays... Number of the profile. User-supplied name assigned to this policy profile. Whether or not the policy profile is enabled (active) or disabled. Whether or not PVID override is enabled or disabled for this profile. If all classification rules associated with this profile are missed, then this parameter, if specified, determines default behavior. The PVID assigned to packets, if PVID override is enabled. CoS priority value to assign to packets, if CoS override is enabled. Whether or not Class of Service override is enabled or disabled for this profile. If all classification rules associated with this profile are missed, then this parameter, if specified, determines default behavior. VLAN(s) that ports to which the policy profile is assigned can use for tagged egress. VLAN(s) forbidden to ports to which the policy profile is assigned. VLAN(s) that ports to which the policy profile is assigned can use for untagged egress. Displays the precedence of types of rules.

    Port VID Override CoS CoS Status

    Egress VLANs Forbidden VLANs Untagged VLANs Rule Precedence

    Admin Profile Usage Ports administratively assigned to use this policy profile. Oper Profile Usage Dynamic Profile Usage Ports currently assigned to use this policy profile. Port dynamically assigned to use this policy profile.

    set policy profile


    Usethiscommandtocreateapolicyprofileentry.

    Syntax
    set policy profile profile-index [name name] [pvid-status {enable | disable}] [pvid pvid] [cos-status {enable | disable}] [cos cos] [precedence precedence-list]

    Parameters
    profileindex namename pvidstatus enable|disable Specifiesanindexnumberforthepolicyprofile.Validvaluesare1255. (Optional)Specifiesanameforthepolicyprofile.Thisisastringfrom1to 64characters. (Optional)EnablesordisablesPVIDoverrideforthisprofile.Ifall classificationrulesassociatedwiththisprofilearemissed,thenthis parameter,ifspecified,determinesdefaultbehavior.

    SecureStack C2 Configuration Guide

    11-3

    clear policy profile

    pvidpvid cosstatusenable |disable

    (Optional)SpecifiesthePVIDtopackets,ifPVIDoverrideisenabledand invokedasdefaultbehavior. (Optional)EnablesordisablesClassofServiceoverrideforthisprofile.Ifall classificationrulesassociatedwiththisprofilearemissed,thenthis parameter,ifspecified,determinesdefaultbehavior.


    Note: A maximum of 99 rules can be supported per policy profile for policy profiles that have cos-status enabled..

    coscos precedence precedencelist

    (Optional)SpecifiesaCoSvaluetoassigntopackets,ifCoSoverrideis enabledandinvokedasdefaultbehavior.Validvaluesare0to7. (Optional)Assignsaruleprecedencetothisprofile.Lowervalueswillbe givenhigherprecedence.Foralistofvalues,refertotheshowpolicy profilecommandoutput.

    Defaults
    Ifoptionalparametersarenotspecified,nonewillbeapplied.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtocreateapolicyprofile1namednetadminwithPVIDoverride enabledforPVID10,andClassofServiceoverrideenabledforCoS5:
    C2(su)->set policy profile 1 name netadmin pvid-status enable pvid 10 cos-status enable cos 5

    clear policy profile


    Usethiscommandtodeleteapolicyprofileentry.

    Syntax
    clear policy profile profile-index

    Parameters
    profileindex Specifiestheindexnumberoftheprofileentrytobedeleted.Validvalues are1to255.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    11-4

    Policy Classification Configuration

    clear policy profile

    Example
    Thisexampleshowshowtodeletepolicyprofile8:
    C2(su)->clear policy profile 8

    SecureStack C2 Configuration Guide

    11-5

    Configuring Classification Rules

    Configuring Classification Rules


    Purpose
    Toreview,create,assign,andunassignclassificationrulestopolicyprofiles.Thismapsuser profilestoprotocolbasedframefilteringpolicies.
    Note: B3, C3, and G3 devices support profile-based CoS traffic rate limiting only. Policy rules specifying CoS will only rate limit on D2, C2 and B2 devices, including when C2 and B2 devices are configured on mixed stacks containing B3 and C3 devices.

    Commands
    For information about... show policy rule show policy capability set policy rule clear policy rule clear policy all-rules Refer to page... 11-6 11-8 11-10 11-13 11-14

    show policy rule


    Usethiscommandtodisplaypolicyclassificationruleinformation.

    Syntax
    show policy rule [all | admin-profile | profile-index] [ether | icmptype | ipproto | ipdestsocket | ipsourcesocket | iptos | macdest | macsource | tcpdestport | tcpsourceport | udpdestport | udpsourceport] [data] [mask mask] [port-string portstring] [rule-status {active | not-in-service | not-ready}] [storage-type {nonvolatile | volatile}] [vlan vlan] | [drop | forward] [dynamic-pid dynamic-pid] [cos cos] [admin-pid admin-pid] [-verbose] [usage-list] [display-if-used]

    Parameters
    all|admin profile|profile index ether icmptype ipproto ipdestsocket ipsourcesocket iptos macdest macsource Displayspolicyclassificationrulesforallprofiles,theadminprofile,orfor aspecificprofileindexnumber.Validvaluesare11023. DisplaysEthernettypeIIrules. DisplaysICMPtyperules. DisplaysIPprotocolfieldinIPpacketrules. DisplaysIPdestinationaddressrules. DisplaysIPsourceaddressrules. DisplaysTypeofServicerules. DisplaysMACdestinationaddressrules. DisplaysMACsourceaddressrules.

    11-6

    Policy Classification Configuration

    show policy rule

    tcpdestport tcpsourceport udpdestport udpsourceport data

    DisplaysTCPdestinationportrules. DisplaysTCPsourceportrules. DisplaysUDPdestinationportrules. DisplaysUDPsourceportrules. Displaysrulesforapredefinedclassifier.Thisvalueisdependentonthe classificationtypeentered.RefertoTable 113forvalidvaluesforeach classificationtype. (Optional)Displaysrulesforaspecificdatamask.RefertoTable 113for validvaluesforeachclassificationtypeanddatavalue. (Optional)Displaysrulesrelatedtoaspecificingressport.

    maskmask portstringport string

    rulestatusactive (Optional)Displaysrulesrelatedtoaspecificrulesstatus. |notinservice| notready storagetypenon volatile|volatile vlanvlan drop|forward dynamicpid dynamicpid coscos adminpid adminpid verbose usagelist displayifused (Optional)Displaysrulesconfiguredforeithernonvolatileorvolatile storage. (Optional)DisplaysrulesforaspecificVLANID. Displaysrulesbasedonwhethermatchingpacketswillbedroppedor forwarded. DisplaysrulesassociatedwithaspecificdynamicpolicyID. (Optional)DisplaysrulesforaClassofServicevalue. DisplaysrulesassociatedwithaspecificadministrativepolicyID[1..1023]. (Optional)Displaysdetailedinformation. (Optional)Ifselected,eachrulesusagelistshallbecheckedandshall displayonlythoseportswhichhaveappliedthisrule. (Optional)Displaysrule(s)onlyiftheyareappliedtoatleastoneport.

    Defaults
    Ifverboseisnotspecified,summaryinformationwillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaypolicyclassificationinformationforEthernettype2rules
    C2(su)->show policy rule ether |PID |Rule Type |Rule Data |02 |Ether |2048 (0x0800) |02 |Ether |2049 (0x0801) |02 |Ether |2989 (0x0bad) |02 |Ether |33079 (0x8137) |Mk|PortStr |16|All |16|All |16|All |16|All |RS|ST|VLAN|CoS | A|NV|fwrd| | A|NV|drop| | A|NV|drop| | A|NV|drop| |U| |?| |?| |?| |?|

    Thisexampleshowshowtodisplaypolicyclassificationinformationforadministrativerule1
    C2(su)->show policy rule admin-pid 1 |Admin|Rule Type |Rule Data |Mk|PortStr |RS|ST|dPID|aPID|U|
    11-7

    SecureStack C2 Configuration Guide

    show policy capability

    |admin|Port |admin|Port |admin|Port |admin|Port |admin|Port |admin|Port |admin|Port |admin|Port |admin|Port |admin|Port |admin|Port |admin|Port

    |ge.1.1 |ge.1.2 |ge.1.3 |ge.1.4 |ge.1.5 |ge.1.6 |ge.1.7 |ge.1.8 |ge.1.9 |ge.1.10 |ge.1.11 |ge.1.12

    |16|ge.1.1 |16|ge.1.2 |16|ge.1.3 |16|ge.1.4 |16|ge.1.5 |16|ge.1.6 |16|ge.1.7 |16|ge.1.8 |16|ge.1.9 |16|ge.1.10 |16|ge.1.11 |16|ge.1.12

    | | | | | | | | | | | |

    A|NV| A|NV| A|NV| A|NV| A|NV| A|NV| A|NV| A|NV| A|NV| A|NV| A|NV| A|NV|

    | | | | | | | | | | | |

    1|?| 1|?| 1|?| 1|?| 1|?| 1|?| 1|?| 1|?| 1|?| 1|?| 1|?| 1|?|

    Table 112providesanexplanationofthecommandoutput. Table 11-2


    Output Field PID Rule Type Rule Data Mk PortStr RS ST VLAN CoS U dPID aPID

    show policy rule Output Details


    What It Displays... Profile index number. Assigned to this classification rule with the set policy profile command (set policy profile on page 11-3). Type of classification rule. Refer to Table 11-3 for valid types. Rule data value. Refer to Table 11-3 for valid values for each classification type. Rule data mask. Refer to Table 11-3 for valid values for each classification data value. Ingress port(s) to which this rule applies. Whether or not the status of this rule is active (A), not in service or not ready. Whether or not this rules storage type is non-volatile (NV) or volatile (V). VLAN ID to which this rule applies and whether or not matching packets will be dropped or forwarded. If applicable, Class of Service value to which this rule applies. Whether or not this rule has been used. Whether or not this is a dynamic profile ID. Whether or not this is an administrative profile ID.

    show policy capability


    Usethiscommandtodisplaydetailedpolicyclassificationcapabilitiessupportedbyyour SecureStackC2device.

    Syntax
    show policy capability

    Parameters
    None.

    Defaults
    None.

    11-8

    Policy Classification Configuration

    show policy capability

    Mode
    Switchcommand,readonly.

    Usage
    Usethiscommandtodisplaydetailedpolicyclassificationcapabilitiessupportedbyyour SecureStackC2device.Theoutputofthiscommandshowsatablelistingclassifiabletraffic attributesandthetypeofactions,byruletype,thatcanbeexecutedrelativetoeachattribute. Abovethetableisalistofalltheactionspossibleonthisdevice. Theleftmostcolumnofthetablelistsallpossibleclassifiabletrafficattributes.Thenexttwo columnsfromtheleftindicatehowpolicyprofilesmaybeassigned,eitheradministrativelyor dynamically.Thenextfourcolumnsfromtheleftindicatetheactionsthatmaybeperformed.The lastthreecolumnsindicateauditingoptions. Anxinanactioncolumnforatrafficattributerowindicatesthatyoursystemhasthecapabilityto performthatactionfortrafficclassifiedbythatattribute.

    Example
    Thisexampleshowshowtodisplaythedevicespolicyclassificationcapabilities.Refertoset policyruleonpage 1110foradescriptionoftheparametersdisplayed:
    C2(su)->show policy capability The following supports related to policy are supported in this device: VLAN Forwarding Priority Permit Deny Precedence Reordering Rules Table Rule-Use Notification Longest Prefix Rules ============================================================= | | D | | | | | F | | | D | | | Y | | | | | O | S | | I | | | N | A | | | | R | Y | | S | | | A | D | V | | D | W | S | T | A | | | M | M | L | C | R | A | L | R | B | | | I | I | A | O | O | R | O | A | L | | SUPPORTED RULE TYPES | C | N | N | S | P | D | G | P | E | ============================================================= |MAC source address | | | | X | X | X | | | | |MAC destination address | | | | X | X | X | | | | |IPX source address | | | | | | | | | | |IPX destination address | | | | | | | | | | |IPX source socket | | | | | | | | | | |IPX destination socket | | | | | | | | | | |IPX transmission control | | | | | | | | | | |IPX type field | | | | | | | | | | |IPv6 source address | | | | | | | | | | |IPv6 destination address | | | | | | | | | | |IPv6 flow label | | | | | | | | | | |IP source address | | | | X | X | X | | | | |IP destination address | | | | X | X | X | | | | |IP fragmentation | | | | | | | | | | |UDP port source | | | | X | X | X | | | | |UDP port destination | | | | X | X | X | | | | |TCP port source | | | | X | X | X | | | | |TCP port destination | | | | X | X | X | | | | |ICMP packet type | | | | X | X | X | | | | |TTL | | | | | | | | | | |IP type of service | | | | X | X | X | | | | |IP proto | | | | X | X | X | | | |

    SecureStack C2 Configuration Guide

    11-9

    set policy rule

    |Ether II packet type | | | X | X | X | X | | | |LLC DSAP/SSAP/CTRL | | | | | | | | | |VLAN tag | | | | | | | | | |Replace tci | | | | | | | | | |Port string | X | X | X | X | X | X | | | =============================================================

    | | | | |

    set policy rule


    UsethiscommandtoassignincominguntaggedframestoaspecificpolicyprofileandtoVLANor ClassofServiceclassificationrules.

    Syntax
    Thiscommandhastwoformsofsyntaxonetocreateanadminrule,andtheothertocreatea trafficclassificationruleandattachittoapolicyprofile.
    set policy rule admin-profile {vlantag data [mask mask] admin-pid profile-index} [port-string port-string] set policy rule profile-index {ether | icmptype | ipproto | ipdestsocket | ipsourcesocket | iptos | macdest | macsource | tcpdestport | tcpsourceport | udpdestport | udpsourceport} data [mask mask] {[vlan vlan] [cos cos] | [drop | forward]}

    Note: Classification rules are automatically enabled when created.

    Parameters
    Thefollowingparametersapplytocreatinganadminrule.SeetheUsagesectionbelowformore informationaboutadminrules. adminprofile vlantagdata maskmask Specifiesthatthisisanadminrule. ClassifiesbasedonVLANtagspecifiedbydata.Valueofdatacanrange from1to4094or0xFFF. (Optional)Specifiesthenumberofsignificantbitstomatch,dependent onthedatavalueentered.Valueofmaskcanrangefrom1to12. RefertoTable 113forvalidvaluesforeachclassificationtypeanddata value. adminpid profileindex Associatesthisadminrulewithapolicyprofile,identifiedbyitsindex number.Policyprofilesareconfiguredwiththesetpolicyprofile commandasdescribedinsetpolicyprofileonpage 113. Validprofileindexvaluesare1255. portstringportstring (Optional)Assignsthisrulewiththespecifiedpolicyprofileonspecific ingressport(s).Rulewouldnotbeuseduntilpolicyisassignedtothe specifiedport(s)usingthesetpolicyportcommandasdescribedinset policyportonpage 1115.

    Thefollowingparametersapplytocreatingatrafficclassificationrule.

    11-10

    Policy Classification Configuration

    set policy rule

    profileindex

    Specifiesapolicyprofilenumbertowhichthisrulewillbeassigned. Policyprofilesareconfiguredwiththesetpolicyprofilecommandas describedinsetpolicyprofileonpage 113.Validprofileindexvalues are1255. Specifiesthattheruleshouldapplytotrafficwiththespecifiedtypefield inEthernetIIpacket. ClassifiesbasedonICMPtype. SpecifiesthattheruleshouldapplytotrafficwiththespecifiedProtocol fieldinIPpacket. Specifiesthattheruleshouldapplytotrafficwiththespecified destinationIPaddresswithoptionalpostfixedport. SpecifiesthattheruleshouldapplytotrafficwiththespecifiedsourceIP address,withoptionalpostfixedport. SpecifiesthattheruleshouldapplytotrafficwiththespecifiedTypeof ServicefieldinIPpacket. SpecifiesthattheruleshouldapplytotrafficwiththespecifiedMAC destinationaddress. SpecifiesthattheruleshouldapplytotrafficwiththespecifiedMAC sourceaddress. SpecifiesthattheruleshouldapplytotrafficwiththespecifiedTCP destinationport. SpecifiesthattheruleshouldapplytotrafficwiththespecifiedTCP sourceport. SpecifiesthattheruleshouldapplytotrafficwiththespecifiedUDP destinationport. SpecifiesthattheruleshouldapplytotrafficwiththespecifiedUDP sourceport. Specifiesthecodeforthespecifiedtrafficclassifier(listedabove).This valueisdependentontheclassificationtypeentered.RefertoTable 113 forvalidvaluesforeachclassificationtype. (Optional)Specifiesthenumberofsignificantbitstomatch,dependenton thedatavalueentered.RefertoTable 113forvalidvaluesforeach classificationtypeanddatavalue. SpecifiestheactionoftheruleistoclassifytoaVLANID. SpecifiestheactionoftheruleistoclassifytoaClassofServiceID.Valid valuesare04095.Avalueof1indicatesthatnoCoSforwarding behaviormodificationisdesired.(NotsupportedonB3,C3,andG3.) Specifiesthatpacketswithinthisclassificationwillbedroppedor forwarded.

    ether icmptype ipproto ipdestsocket ipsourcesocket iptos macdest macsource tcpdestport tcpsourceport udpdestport udpsourceport data

    maskmask

    vlanvlan coscos

    drop|forward

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    11-11

    set policy rule

    Usage
    Anadminrulecanbeusedtomapincomingtaggedframestoapolicyrole(profile).Therecanbe onlyoneadminruleconfiguredpersystem(stack).Typically,thisruleisusedtoimplementthe User+IPphonefeature.RefertoConfiguringMultiUserAuthentication(User+IPphone)on page 2333formoreinformation.Youwouldconfigureapolicyprofile/roleforIPphones(for example,assigningthetraffictoavoiceVLAN),thenassociatethatpolicyprofilewiththe adminrule,andassociatetheadminrulewiththedesiredports.Usersauthenticatingoverthe sameportwilltypicallyuseadynamicallyassignedpolicyrole. Apolicyclassificationrulehastwomainparts:TrafficDescriptionandActions.TheTraffic Descriptionidentifiesthetypeoftraffictowhichtherulewillpertain.Actionsspecifywhether thattrafficwillbeassignedclassofservice,assignedtoaVLAN,orboth. Table 113providesthesetpolicyruledatavaluesthatcanbeenteredforaparticularparameter, andthemaskbitsthatcanbeenteredforeachclassifierassociatedwiththatparameter. Table 11-3 Valid Values for Policy Classification Rules
    data value Type field in Ethernet II packet: 1536 - 65535 or 0x600 - 0xFFFF ICMP Type: a.b Protocol field in IP packet: 0 - 255 or 0 - 0xFF IP Address in dotted decimal format: 000.000.000.000 and (Optional) post-fixed port: 0 65535 Type of Service field in IP packet: 0 - 252 or 0 - 0xFC MAC Address: 00-00-00-00-0000 TCP Port Number: 0 - 65535 or 0 - 0xFFFF UDP Port Number: 0 - 65535 or 0 - 0xFFFF VLAN tag: 1- 4094 mask bits Not applicable. Not applicable. Not applicable. 1 - 48

    Classification Rule Parameter ether icmptype ipproto Destination or Source IP Address: ipdestsocket ipsourcesocket iptos Destination or Source MAC: macdest macsource Destination or Source TCP port: tcpdestport tcpsourceport Destination or Source UDP port: udpsourceport udpdestport vlantag

    Not applicable. 1 - 48

    1 - 16

    1 - 16

    Not applicable.

    Examples
    ThisexampleshowshowtouseTable 113toassignaruletopolicyprofile3thatwillfilter EthernetIIType1526framestoVLAN7:
    C2(su)->set policy rule 3 ether 1526 vlan 7

    ThisexampleshowshowtouseTable 113toassignaruletopolicyprofile5thatwillforward UDPpacketsfromsourceport45:


    C2(su)->set policy rule 5 udpportsource 45 forward

    11-12

    Policy Classification Configuration

    clear policy rule

    ThisexampleshowshowtouseTable 113toassignaruletopolicyprofile1thatwilldropIP sourcetrafficfromIPaddress1.2.3.4.Ifmask32isnotspecifiedasshown,adefaultmaskof48bits (IPaddress+port)wouldbeapplied:


    C2(su)->set policy rule 1 ipsourcesocket 1.2.3.4 mask 32 drop

    clear policy rule


    Usethiscommandtodeletepolicyclassificationruleentries.

    Syntax
    Thiscommandhastwoformsofsyntaxonetoclearanadminrule(forpolicyID0),andtheother toclearaclassificationrule.
    clear policy rule admin-profile {vlantag data [mask mask] clear policy rule profile-index {all-pid-entries | {ether | icmptype | ipproto | ipdestsocket | ipsourcesocket | iptos | macdest | macsource | tcpdestport | tcpsourceport | udpdestport | udpsourceport}}

    Parameters
    Thefollowingparametersapplytodeletinganadminrule. adminprofile vlantagdata maskmask SpecifiesthattheruletobedeletedisanadminruleforpolicyID0. DeletestherulebasedonVLANtagspecifiedbydata.Valueofdatacan rangefrom1to4094or0xFFF. (Optional)Specifiesthenumberofsignificantbitstomatch,dependent onthedatavalueentered.Valueofmaskcanrangefrom1to12. RefertoTable 113forvalidvaluesforeachclassificationtypeanddata value. Thefollowingparametersapplytodeletingaclassificationrule. profileindex allpidentries ether icmptype ipproto ipdestsocket ipsourcesocket iptos macdest macsource tcpdestport tcpsourceport Specifiesapolicyprofileforwhichtodeleteclassificationrules.Valid profileindexvaluesare1255. Deletesallentriesassociatedwiththespecifiedpolicyprofile. DeletesassociatedEthernetIIclassificationrule. DeletesassociatedICMPclassificationrule. DeletesassociatedIPprotocolclassificationrule. DeletesassociatedIPdestinationclassificationrule. DeletesassociatedIPsourceclassificationrule. DeletesassociatedIPTypeofServiceclassificationrule. DeletesassociatedMACdestinationaddressclassificationrule. DeletesassociatedMACsourceaddressclassificationrule. DeletesassociatedTCPdestinationportclassificationrule. DeletesassociatedTCPsourceportclassificationrule.

    SecureStack C2 Configuration Guide

    11-13

    clear policy all-rules

    udpdestport udpsourceport

    DeletesassociatedUDPdestinationportclassificationrule. DeletesassociatedUDPsourceportclassificationrule.

    Defaults
    Whenapplicable,dataandmaskmustbespecifiedforindividualrulestobecleared.

    Mode
    Switchcommand,readwrite.

    Examples
    ThisexampleshowshowtodeleteEthernetIIType1526classificationruleentriesassociatedwith policyprofile1fromallports
    C2(su)->clear policy rule 1 ether 1526

    Thisexampleshowshowtoremovearulefrompolicyprofile5thatwillforwardUDPframes fromsourceport45:
    C2(su)->clear policy rule 5 udpportsource 45 forward

    clear policy all-rules


    Usethiscommandtoremoveallpolicyclassificationrules.

    Syntax
    clear policy all-rules

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoremovealladministrativeandpolicyindexrules:
    C2(su)->clear policy all-rules

    11-14

    Policy Classification Configuration

    Assigning Ports to Policy Profiles

    Assigning Ports to Policy Profiles


    Note: The C2 switch supports up to three user policies per port.

    Purpose
    Toassignandunassignportstopolicyprofiles.

    Commands
    For information about... set policy port clear policy port Refer to page... 11-15 11-16

    set policy port


    Usethiscommandtoassignportstoapolicyprofile.

    Syntax
    set policy port port-string profile-index

    Parameters
    portstring Specifiestheport(s)toaddtothepolicyprofile.Foradetaileddescription ofpossibleportstringvalues,refertoPortStringSyntaxUsedintheCLI onpage 72. SpecifiestheIDofthepolicyprofile(role)towhichtheport(s)willbe added.Thisvaluemustmatchtheprofileindexvalueassignedusingthe setpolicyprofilecommand(setpolicyprofileonpage 113)inorder forapolicyprofiletobeactiveonthespecifiedport.

    profileindex

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoallowGigabitEthernetports5through15inslot1totransmitframes accordingtopolicyprofile1:
    C2(su)->set policy port ge.1.5-15 1

    SecureStack C2 Configuration Guide

    11-15

    clear policy port

    clear policy port


    Usethiscommandtoremoveapolicyprofilefromoneormoreports.

    Syntax
    clear policy port port-string profile-index

    Parameters
    portstring Specifiestheport(s)fromwhichtoremovethepolicyprofile.Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72. SpecifiestheIDofthepolicyprofile(role)towhichtheport(s)willbe added.Thisvaluemustmatchtheprofileindexvalueassignedusingthe setpolicyprofilecommand(setpolicyprofileonpage 113)inorder forapolicyprofiletobeactiveonthespecifiedport.

    profileindex

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoremovepolicyprofile10fromport21inslot1:
    C2(rw)->clear policy port ge.1.21 10

    11-16

    Policy Classification Configuration

    Configuring Policy Class of Service (CoS)

    Configuring Policy Class of Service (CoS)


    Note: It is recommended that you use Enterasys Networks NetSight Policy Manager as an alternative to CLI for configuring policy-based CoS on the switches.

    TheSecureStackC2supportsClassofService(CoS),whichallowsyoutoassignmissioncritical datatoahigherprioritythroughthedevicebydelayinglesscriticaltrafficduringperiodsof congestion.Thehigherprioritytrafficgoingthroughthedeviceisservicedfirst(beforelower prioritytraffic).TheClassofServicecapabilityofthedeviceisimplementedbyapriority queueingmechanism.ClassofServiceisbasedontheIEEE802.1D(802.1p)standardspecification, andallowsyoutodefineeightpriorities(07,with7grantedhighestpriority)andupto8transmit queues(07)foreachport. Bydefault,policybasedCoSisdisabledonthedevice,anddefaultoruserassignedportbased 802.1D(802.1p)settingsareusedtodeterminetrafficprioritization.WhenpolicybasedCoSis enabled,thedefaultanduserassignedpolicybasedsettingswilloverrideportbasedsettings describedinChapter 12. ClassofServicefunctionalitycanalsobeusedtocontrolbroadcast,unknownunicast,and/or multicastflooding.Thisfeaturepreventsconfiguredportsfrombeingdisruptedbyatrafficstorm byratelimitingspecifictypesofpacketsthroughthoseports.RefertoAboutCoSBasedFlood Controlonpage 1119formoreinformation.
    Co

    Note: Unlike CoS-based rate limiting, CoS-based flood control does not require a policy license on SecureStack B2 and B3 switches or on standalone D2 switches.

    About Policy-Based CoS Configurations


    Onceenabledusingthesetcosstatecommand,youcanaddtothepolicybasedCoSfunctionby definingnewportgroupings,andassigninginboundratelimiters.Theprocessforuserdefined CoSconfigurationinvolvesthefollowingstepsandassociatedcommandslistedinProcedure 111. Anexamplefollowstheprocedure. Procedure 11-1
    Step 1. 2. 3. 4. 5. Task Enable CoS Create CoS IRL port groups Define physical rate limiters for groups Create virtual reference for the IRL resource (physical reference) for each port group Add IRL reference to CoS settings table

    User-Defined CoS Configuration


    Command(s) set cos state enable set cos port-config irl set cos port-resource irl set cos reference set cos settings

    Example
    Thisexamplecreatesdifferentinboundratelimitersfortwoportgroupsandthenassignsthemto trafficwithaCoSsettingof0. 1. Configuretwoportgroups,oneforuserportsandoneforuplinkportsandassignportstothe groups.Portgroup1.0willrepresentuserports,group2.0willrepresentuplinkports.
    C2(su)->set cos port-config irl 1.0 name Users ports ge.1.1-46 C2(su)->set cos port-config irl 2.0 name Uplink ports ge.1.47-48

    SecureStack C2 Configuration Guide

    11-17

    Configuring Policy Class of Service (CoS)

    C2(su)->show cos port-config Inbound Rate Limiting Port Configuration Entries ---------------------------------------------------------------------Port Group Name :Default Port Group :0 Port Type :0 Assigned Ports :none ---------------------------------------------------------------------Port Group Name :Users Port Group :1 Port Type :0 Assigned Ports :ge.1.1-46 ---------------------------------------------------------------------Port Group Name :Uplink Port Group :2 Port Type :0 Assigned Ports :ge.1.47-48 ----------------------------------------------------------------------

    2.

    Configurephysicalinboundratelimitersforeachportgroup.Fortheuserportgroup(1.0), createanIRL(irlindexof1)for512kbps.Fortheuplinkportgroup(2.0),createanIRL(irl indexof1)for10megabitspersecond(10,000kbps).


    C2(su)->set cos port-resource irl 1.0 1 unit kbps rate 512 C2(su)->set cos port-resource irl 2.0 1 unit kbps rate 10000 C2(su)->show cos port-resource irl 1.0 1 Group Index Resource Type Unit Rate ----------- -------- ---- ---- ---------1.0 1 irl kbps 512 C2(su)->show cos port-resource irl 2.0 1 Group Index Resource Type Unit Rate ----------- -------- ---- ---- ---------2.0 1 irl kbps 10000

    Rate Limit Type Action --------------- -----drop none

    Rate Limit Type Action --------------- -----drop none

    3.

    IntheCoSIRLreferencemappingtableforeachportgroup,createareferenceforeachIRL resourcecreatedinthepreviousstep.Wewillusereferencenumber1.
    C2(su)->set cos reference irl 1.0 1 rate-limit 1 C2(su)->set cos reference irl 2.0 1 rate-limit 1 C2(su)->show cos reference irl 1.0 Group Index ----------1.0 1.0 1.0 1.0 ... 1.0 1.0 1.0 Reference --------0 1 2 3 97 98 99 Type ---irl irl irl irl irl irl irl Rate Limiter -----------none 1 none none none none none

    C2(su)->show cos reference irl 2.0 Group Index ----------2.0 2.0 Reference --------0 1 Type ---irl irl Rate Limiter -----------none 1

    11-18

    Policy Classification Configuration

    Configuring Policy Class of Service (CoS)

    2.0 2.0 ... 2.0 2.0 2.0

    2 3 97 98 99

    irl irl irl irl irl

    none none none none none

    4.

    IntheCoSsettingstable,configureaCoSsettingforCoSindex1,whichhasapriorityof0.We entertheIRLreference,createdinthepreviousstep.
    C2(su)->set cos settings 0 irl-reference 1 C2(su)->show cos settings CoS Index Priority ToS IRL --------- ---------- ------- ----0 0 * 1 1 1 * * 2 2 * * 3 3 * * 4 4 * * 5 5 * * 6 6 * * 7 7 * *

    About CoS-Based Flood Control


    Co

    Note: CoS-based flood control does not require a policy license on SecureStack B2 and B3 switches or on standalone D2 switches.

    CoSbasedfloodcontrolpreventsconfiguredportsfrombeingdisruptedbyatrafficstormbyrate limitingspecifictypesofpacketsthroughthoseports.Whenfloodcontrolisenabledonaport, incomingtrafficismonitoredoveronesecondintervals.Duringaninterval,theincomingtraffic levelforeachconfiguredtraffictypeiscomparedwiththeconfiguredtrafficstormcontrollevel, specifiedasapercentageofthetotalavailablebandwidthofthelink.Thedefaultthresholdis5% oflinkspeed. If,duringaonesecondinterval,theincomingtrafficofaconfiguredtypereachesthetrafficstorm controllevelconfiguredontheport,CoSbasedfloodcontroldropsthetrafficuntiltheinterval ends.Packetsarethenallowedtoflowagainuntilthelimitisagainreached. ThefollowingproceduredescribesthestepsandcommandsrequiredtoconfigureCoSbased floodcontrol. Procedure 11-2
    Step 1. 2. Task Enable CoS. Create a CoS flood control port resource, which specifies flood control rate limiters that can be mapped to specific ports. Assign the flood control resource to specific ports. Command(s) set cos state enable set cos port-resource flood-ctrl

    3.

    set cos port-config flood-ctrl

    Example
    Thisexamplecreatesabroadcastratelimiter(index1.0)of5packetspersecondandassignsitto portsge.1.2andge.2.2.

    SecureStack C2 Configuration Guide

    11-19

    set cos state

    C2(su)->set cos state enable C2(su)->set cos port-resource flood-ctrl 1.0 broadcast rate 5 C2(su)->set cos port-config flood-ctrl 1.0 ports ge.1.2;ge.2.2 append

    Commands
    For information about... set cos state show cos state clear cos state set cos settings clear cos settings show cos settings set cos port-config show cos port-config clear cos port-config set cos port-resource irl show cos port-resource clear cos port-resource irl set cos reference show cos reference clear cos reference show cos unit clear cos all-entries show cos port-type Refer to page... 11-20 11-21 11-21 11-22 11-23 11-23 11-24 11-25 11-26 11-27 11-29 11-30 11-31 11-32 11-33 11-34 11-35 11-35

    set cos state


    UsethiscommandtoenableordisableClassofService.

    Syntax
    set cos state {enable | disable}

    Parameters
    enable|disable EnablesordisablesClassofServiceontheswitch.Defaultstateis disabled.

    Defaults
    None.

    11-20

    Policy Classification Configuration

    show cos state

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoenableClassofService:
    C2(rw)->set cos state enable

    show cos state


    UsethiscommandtodisplaytheClassofServiceenablestate.

    Syntax
    show cos state

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtoshowtheClassofServiceenablestate:
    C2(rw)->show cos state Class-of-Service application is enabled

    clear cos state


    UsethiscommandtosetCoSstatebacktoitsdefaultsettingofdisabled.

    Syntax
    clear cos state

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    11-21

    set cos settings

    Example
    ThisexampleshowshowtocleartheCoSstatebacktoitsdefaultsettingofdisabled:
    C2(su)->clear cos state

    set cos settings


    UsethiscommandtoconfigureaClassofServiceentryintheCoSsettingstable.

    Syntax
    set cos settings cos-index priority priority [tos-value tos-value] [irl-reference irl-reference]

    Parameters
    cosindex prioritypriority tosvaluetosvalue irlreference irlreference SpecifiesaClassofServiceentry.Validvaluesare0to255. Specifiesan802.1dpriorityvalue.Validvaluesare0to7,with0beingthe lowestpriority.SeeUsagesectionbelowformoreinformation. (Optional)SpecifiesaTypeofServicevalue.Validvaluesare0to255.See Usagesectionbelowformoreinformation. (Optional)Settheinboundratelimiterassociatedwiththisentry.Valid valuesare0to99.SeeUsagesectionbelowformoreinformation.

    Defaults
    Ifnooptionalparametersarespecified,nonewillbeapplied.

    Mode
    Switchcommand,readwrite.

    Usage
    TheCoSsettingstabletakesindividualclassofservicefeaturesanddisplaysthemasbelongingto aCoSentry.Essentially,itisusedforCoSfeatureassignment.Eachclassofserviceentryconsists ofanindex,802.1ppriority,anoptionalToSvalue,andanIRLreference. CoSIndex IndexesareuniqueidentifiersforeachCoSsetting.CoSindexes0through7arecreatedby defaultandmappeddirectlyto802.1ppriorityforbackwardscompatibility.Theseentries cannotberemoved,and802.1ppriorityvaluescannotbechanged.WhenCoSisenabled, indexesareassigned.Upto256CoSindexesorentriescanbeconfigured. Priority 802.1pprioritycanbeappliedperCoSindex.ForeachnewCoSindexcreated,theuserhasthe optiontoassignan802.1ppriorityvalue0to7fortheclassofservice.CoSindexes0through7 mapdirectlyto802.1pprioritiesandcannotbechangedastheyexistforbackward compatibility. ToS Thisvaluecanbesetperclassofservice,butisnotrequired.Whenaframeisassignedtoa classofserviceforwhichthisvalueisconfigured,theToSfieldoftheincomingIPpacketwill beoverwrittentotheuserdefinedvalue.AllbutthelasttwobitsoftheToSfieldare rewritable.ToScanbesetforCoSindexes0through7.
    11-22 Policy Classification Configuration

    clear cos settings

    IRLReference TheCoSIRLreferencefieldisoptional,asratelimitsarenotrequired.TheIRLreferencedoes notassignaninboundratelimitbutpointstotheCoSIRLReferenceMappingTable.This referencemaybethoughtofasthevirtualratelimiterthatwillassignthephysicalratelimiter definedbytheIRLReferenceMappingTable.

    Example
    ThisexampleshowshowtocreateCoSentry8withapriorityvalueof3:
    C2(rw)->set cos settings 8 priority 3

    clear cos settings


    UsethiscommandtoclearClassofServiceentrysettings.

    Syntax
    clear cos settings cos-list {[all] | [priority] [tos-value] [irl-reference]}

    Parameters
    coslist all priority tosvalue irlreference SpecifiesaClassofServiceentrytoclear. Clearsallsettingsassociatedwiththisentry. Clearsthepriorityvalueassociatedwiththisentry. ClearstheTypeofServicevalueassociatedwiththisentry. CleartheIRLreferenceassociatedwiththisentry.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoclearthepriorityforCoSentry8:
    C2(rw)->clear cos settings 8 priority

    show cos settings


    UsethiscommandtodisplayClassofServiceparameters.

    Syntax
    show cos settings [cos-list]

    Parameters
    coslist (Optional)SpecifiesaClassofServiceentrytodisplay.

    SecureStack C2 Configuration Guide

    11-23

    set cos port-config

    Defaults
    Ifnotspecified,allCoSentrieswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtoshowallCoSsettings:
    C2(su)->show cos settings CoS Index Priority ToS IRL --------- ---------- ------- ------0 0 48 * 1 1 * * 2 2 * * 3 3 * * 4 4 * * 5 5 * * 6 6 * * 7 7 * * flood-ctrl ---------enabled enabled enabled enabled enabled enabled enabled enabled

    set cos port-config


    Usethiscommandtocreateaportgroupforinboundratelimitingorfloodcontrolandaddor removeportsfromthegroup.

    Syntax
    set cos port-config {irl|flood-ctrl} group-type-index [name name] [ports portlist] [append] | [clear]

    Parameters
    irl floodctrl grouptypeindex Specifiesthatthisisaninboundratelimiting(IRL)portgroup. Specifiesthatthisisafloodcontrolportgroup. Specifiesaninboundratelimitingportgroup/typeindex.Validentriesare intheformofgroup#.porttype. Validvaluesforgroup#canrangefrom0to7.Validvaluesforporttype canrangefrom0to1,althoughonlyporttype0iscurrentlysupported. Forexample,portgroup3wouldbespecifiedas3.0. namename portsportlist append clear (Optional)Userdefinednameforthegroup. (Optional)Portsassignedtothegroup.Allportsmustbeofthesameport type(FastEthernet,GigabitEthernet). (Optional)Append(add)theportstotheportsthatarealreadyinthe group. (Optional)Clearthegivenportsfromthoseassignedtothegroup.

    Defaults
    None.

    11-24

    Policy Classification Configuration

    show cos port-config

    Mode
    Switchcommand,readwrite.

    Usage
    CoSportgroupsareidentifiedbygroupnumberandthetypeofportsinthegroup,intheformof group#.porttype.Theportgroup0.0existsbydefault.Thisdefaultportgroupcannotberemoved andallphysicalportsinthesystemareassignedtoit.Uptosevenadditionalportgroups(1 through7)canbeconfigured.Currently,onlyoneporttype(type0)issupported.Thisporttype supports100limiters. Additionalportgroupsmaybecreatedforflexibility.Portsassignedtoanewportgroupmustbe mutuallyexclusivefromtheotherportgroupentriesportsareautomaticallyremovedfromthe defaultportgroupandmustbecomprisedofthesameporttypeasdefinedbytheportgroup. Thecreationofadditionalportgroupscouldbeusedtocombinesimilarportsbytheirfunctionfor flexibility.Forinstance,portsassociatedtouserscanbeaddedtoaportgroupcalledUsersand portsassociatedtouplinkportscanbeaddedtoaportgroupcalledUplink.Usingtheseport groups,asingleclassofservicecanassigndifferentratelimitstoeachportgroup.Userports canbeassignedoneratelimit,whileUplinkportscanbeassignedanother. Thecommandshowcosportconfigdisplayseachportgroupconfiguredbygroupandtype,with thegroupnameandassociated(assigned)ports.Thecommandshowcosporttypedisplaysthe availableinboundratelimitingresourcesfortheporttype.

    Example
    Thisexampleconfigurestwoportgroups,oneforuserportsandoneforuplinkportsandassign portstothegroups.Portgroup1.0willrepresentuserports,group2.0willrepresentuplinkports.
    C2(su)->set cos port-config irl 1.0 name Users ports ge.1.1-46 C2(su)->set cos port-config irl 2.0 name Uplink ports ge.1.47-48

    show cos port-config


    UsethiscommandtoshowCoSportgroupsandtheassignedports.

    Syntax
    show cos port-config [irl|flood-ctrl [group-type-index]]

    Parameters
    irl floodctrl grouptypeindex (Optional)Specifiesthatinboundratelimitingconfigurationinformation shouldbedisplayed. (Optional)Specifiesthatfloodcontrolrateconfigurationinformation shouldbedisplayed. (Optional)Showassignedportsforaspecificportgroup.Validentriesare intheformofgroup#.porttype. Validvaluesforgroup#canrangefrom0to7.Validvaluesforporttype canrangefrom0to1,althoughonlyporttype0iscurrentlysupported. Forexample,portgroup3wouldbespecifiedas3.0.

    Defaults
    Theshowcosportconfig commandbyitselfwillshowallPortGroups.

    SecureStack C2 Configuration Guide

    11-25

    clear cos port-config

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowsallinboundratelimitingportgroups.Notethatportsge.1.1throughge.1.48 wereremovedfromthedefaultportgroup0.0whentheywereaddedtoportgroups1.0and2.0.
    C2(su)->show cos port-config irl Inbound Rate Limiting Port Configuration Entries ---------------------------------------------------------------------Port Group Name :Default Port Group :0 Port Type :0 Assigned Ports :none ---------------------------------------------------------------------Port Group Name :Users Port Group :1 Port Type :0 Assigned Ports :ge.1.1-46 ---------------------------------------------------------------------Port Group Name :Uplink Port Group :2 Port Type :0 Assigned Ports :ge.1.47-48 ----------------------------------------------------------------------

    clear cos port-config


    UsethiscommandtoclearCoSportgroupsorassignedports.

    Syntax
    clear cos port-config {irl|flood-ctrl} {all | group-type-index [entry] | [name] [ports]}

    Parameters
    irl floodctrl all grouptypeindex ClearanIRLportgroupconfiguration. Clearafloodcontrolportgroupconfiguration. Clearallinboundratelimitingportconfignondefaultentries. Deleteaspecificportgrouporgroupname,orcleartheportsfromthat group.Validentriesareintheformofgroup#.porttype. Validvaluesforgroup#canrangefrom0to7.Validvaluesforporttype canrangefrom0to1,althoughonlyporttype0iscurrentlysupported. Forexample,portgroup3wouldbespecifiedas3.0. entry name ports Deletethisnondefaultinboundratelimiterentry. Cleartheadministrativelyassignedtextualdescriptionofthisportgroup entrytoitsdefault. Cleartheportsassignedtothisgrouptoitsdefault.

    11-26

    Policy Classification Configuration

    set cos port-resource irl

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Thedefaultportgroup0.0cannotbedeleted.

    Example
    ThisexampledeletesallIRLPortGroupsexceptfortheDefaultgroup0.0:
    C2(su)->clear cos port-config irl all

    set cos port-resource irl


    UsethiscommandtosettheinboundratelimitparametersforaspecificIRLresourceforaspecific portgroup.

    Syntax
    set cos port-resource irl group-type-index irl-index {[unit {kbps}] [rate rate] [type {drop}]}[syslog enable | disable] [trap enable|disable]

    Parameters
    grouptypeindex Specifiesaninboundratelimitingportgroup/typeindex.Validentriesare intheformofgroup#.porttype. Validvaluesforgroup#canrangefrom0to7.Validvaluesforporttype canrangefrom0to1,althoughonlyporttype0iscurrentlysupported. Forexample,portgroup3wouldbespecifiedas3.0. irlindex unit kbps raterate typedrop syslog enable|disable Indexnumberoftheinboundratelimiterresourceassociatedwiththis entry.Validvaluesrangefrom0to99. Unitofmeasurefortheinboundratelimiter(onlyoptionisKbps). Kilobitspersecond. Datarateforthisinboundratelimiter.Thisistheactualratelimit.Valid valuesrangefrom512to1,000,000KbpsforaGigabitport. Actionfortheratelimiter.Theonlyactionoptionisdroptheframeifall limitersareexceeded. Enableordisablereportingasyslogentryiflimitersareexceeded.

    trapenable|disable Enableordisablesendingatrapiflimitersareexceeded.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    11-27

    set cos port-resource flood-ctrl

    Usage
    CoSportresourcesarewhereactualphysicalratelimitersareconfigured.Resourcesmapdirectly tothenumberofratelimiterssupportedbytheporttype.(Porttype0supports100IRLresources.) Resourcesexistforeachportgroupandareindexedasgroup#.porttype.irlindex.Portresources arenotinitiallyconfiguredasratelimiting. Inboundratelimiting,orratepolicing,simplydropsorclipstrafficinboundifaconfiguredrateis exceeded.CoSinboundratelimitingallowstheusertoconfigureratelimitsbasedonkilobitsper second. Theshowcosportresourcecommanddisplaystheresourcesavailableforeachportgroup.By default,noIRLresourcesareconfigured.ThedefaultRateLimitingalgorithmisdropandcannot beconfiguredotherwise.

    Example
    Thisexamplesetstheinboundratelimitresourceindexnumber1forportgroup2.0to10000Kbps or1MB:
    C2(su)->set cos port-resource irl 2.0 1 unit kbps rate 10000 type drop

    set cos port-resource flood-ctrl


    UsethiscommandtocreateaCoSbasedfloodcontrolportresource.Thisresourcespecifiesflood controlratelimitersthatcanbemappedtospecificports.

    Syntax
    set cos port-resource flood-ctrl group-type-index {unicast | multicast | broadcast | all} rate rate

    Parameters
    grouptypeindex Specifiesaportgroup/typeindex.Validentriesareintheformof group#.porttype. Validvaluesforgroup#canrangefrom0to7.Validvaluesforporttype canrangefrom0to1,althoughonlyporttype0iscurrentlysupported. Forexample,portgroup3wouldbespecifiedas3.0. unicast multicast broadcast all raterate Specifiesratelimitingwillbeappliedtounknownunicasttraffic. Specifiesratelimitingwillbeappliedtomulticasttraffic. Specifiesratelimitingwillbeappliedtobroadcasttraffic. Specifiesratelimitingwillbeappliedtounknownunicast,multicast, andbroadcasttraffic. Specifiesaratelimitinpacketspersecond.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    11-28

    Policy Classification Configuration

    show cos port-resource

    Usage
    CoSportresourcesarewhereactualphysicalratelimitersareconfigured.Thiscommandcanbe usedtocreateuptothreedifferentfloodcontrollimitresourcesfortheporttypeindexof0.The resourcesareassignedtospecificportswiththesetcosportconfigcommand.

    Example
    Thisexamplecreatesaportresourcebroadcastratelimiterof5packetspersecondfortheport grouptypeindexof1.0(group#1ofporttypeindex0).
    C2(su)->set cos port-resource flood-ctrl 1.0 broadcast rate 5

    show cos port-resource


    Usethiscommandtodisplaytheconfiguredportresources.

    Syntax
    show cos port-resource [irl [group-type-index [irl-index]]] | [flood-ctrl [grouptype-index]]

    Parameters
    irl floodctrl grouptypeindex (Optional)Specifiesthatinboundratelimitingportresourcesshouldbe displayed. (Optional)Specifiesthatfloodcontrolportresourcesshouldbedisplayed. (Optional)Specifiesaportgroup/typeindex.Validentriesareintheform ofgroup#.porttype. Validvaluesforgroup#canrangefrom0to7.Validvaluesforporttype canrangefrom0to1,althoughonlyporttype0iscurrentlysupported. Forexample,portgroup3wouldbespecifiedas3.0. irlindex (Optional)Inboundratelimiterresourceindexconfiguredforthe specifiedportgroup.Validvaluesrangefrom0to99.

    Defaults
    Ifirlorfloodctrlarenotspecified,allportresourcesareshown. IfaportgroupandIRLindexarenotspecified,theIRLconfigurationforallresources(099)forall configuredportgroupswillbeshown. Ifaportgroupisnotspecifiedwiththefloodctrlparameter,floodcontrolresourcesforall configuredportgroupswillbeshown.

    Mode
    Switchcommand,readonly.

    Examples
    ThisexampledisplaystheIRLresourceindexnumber1configurationforgroup2.0.
    C2(su)->show cos port-resource irl 2.0 1 '?' after the rate value indicates an invalid rate value Group Index Resource Type Unit Rate Rate Limit Type Action
    SecureStack C2 Configuration Guide 11-29

    clear cos port-resource irl

    ----------- -------- ---- ---- ---------2.0 1 irl kbps 10000

    --------------- -----drop none

    Thisexampledisplaysthefloodcontrolresourcesconfiguredforgroup0.0.
    C2(su)->show cos port-resource flood-ctrl 0.0 '?' after the rate value indicates an invalid rate value Group Resource Index --------- ----------0.0 ucast 0.0 mcast 0.0 bcast Type ---------flood-ctrl flood-ctrl flood-ctrl Unit ---pps pps pps Rate Limit type ---------- --------------disable drop disable drop disable drop Rate Action -----none none none

    clear cos port-resource irl


    Usethiscommandtoclearinboundratelimitresourcestodefaultvalues.

    Syntax
    clear cos port-resource irl {all | group-type-index [irl-index [unit] [rate] [type]]}

    Parameters
    all grouptypeindex ClearallIRLresourcesforallportgroups. Specifiesaninboundratelimitingportgroup/typeindex.Validentriesare intheformofgroup#.porttype. Validvaluesforgroup#canrangefrom0to7.Validvaluesforporttype canrangefrom0to1,althoughonlyporttype0iscurrentlysupported. Forexample,portgroup3wouldbespecifiedas3.0. irlindex unit rate type (Optional)Inboundratelimiterresourceindexassociatedwiththe specifiedportgroup.Validvaluesrangefrom0to99. Cleartheunitofmeasurefortheinboundratelimiter. Clearthedatarateforthisinboundratelimiter. Cleartheactionfortheratelimiter.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleclearsthedatarateto0forIRLresourceindex1forgroup2.0.
    C2(su)->clear cos port-resource irl 2.0 1 rate

    11-30

    Policy Classification Configuration

    clear cos port-resource flood-ctrl

    clear cos port-resource flood-ctrl


    Usethiscommandtoclearfloodcontrolportresourcestodefaultvalues.

    Syntax
    clear cos port-resource flood-ctrl {all | group-type-index {unicast | multicast | broadcast | all [rate]}}

    Parameters
    all grouptypeindex Clearallfloodcontrolresourcesforallportgroups. Specifiesaportgroup/typeindex.Validentriesareintheformof group#.porttype. Validvaluesforgroup#canrangefrom0to7.Validvaluesforporttype canrangefrom0to1,althoughonlyporttype0iscurrentlysupported. Forexample,portgroup3wouldbespecifiedas3.0. unicast multicast broadcast all rate Clearunicastportresourcesforthespecifiedportgroup. Clearmulticastportresourcesforthespecifiedportgroup. Clearbroadcastportresourcesforthespecifiedportgroup. Clearallfloodcontrolportresourcesforthespecifiedportgroup. (Optional)Clearthedataratelimiterofthespecifiedtypeofport resourcetothedefault(noneordisabled).

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleclearstheunicastportresourceforportgroup1.0todefaultvalues.
    C2(su)->clear cos port-resource flood-ctrl 1.0 unicast

    set cos reference


    UsethiscommandtosettheClassofServiceinboundratelimitingreferenceconfiguration.

    Syntax
    set cos reference irl group-type-index reference rate-limit irl-index

    SecureStack C2 Configuration Guide

    11-31

    show cos reference

    Parameters
    irl grouptypeindex SpecifiesthatanIRLreferenceisbeingconfigured. Specifiesaninboundratelimitingportgroup/typeindex.Validentriesare intheformofgroup#.porttype. Validvaluesforgroup#canrangefrom0to7.Validvaluesforporttype canrangefrom0to1,althoughonlyporttype0iscurrentlysupported. Forexample,portgroup3wouldbespecifiedas3.0. reference ratelimitirlindex IRLreferencenumberassociatedwiththisentry. Ratelimiter(IRLresourceindex)tobindthisreferenceto.Validvalues rangefrom0to99.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    TheCoSreferencetablemapstheuserdefinedIRLreferencesfoundintheCoSsettingstable(see setcossettingsonpage 1122)toratelimiterscreatedintheportresourcetable(seesetcos portresourceirlonpage 1127).TheCoSreferencetableindexescanbethoughtofasvirtualrate limiters.Thetableaccountsforthemaximumnumberofratelimiterssupportedbythedevice. Thevirtuallimitersthenmaptothephysicalratelimiters.TheCoSIRLReferenceTableisnot configuredbydefault. TheCoSIRLreferencetableuses100indexesorvirtualratelimiters,andmapseachvirtuallimiter toaphysicallimiterorresource.AnIRLreferencetableexistsforeachportgroupconfigured,and isindexedsimilarlytoportresources,asportgroup#,porttype,reference.IRLreferencesarenot populatedwithlimiters(resources),butcanbeconfiguredbytheuser.TheIRLreferencetablecan bedisplayedusingtheshowcosreferencecommand.

    Example
    IntheCoSIRLreferencemappingtableforportgroups1.0and2.0,createareferencefortheIRL resourcenumber1createdforeachgroup.Thereferencenumber1isused.
    C2(su)->set cos reference irl 1.0 1 rate-limit 1 C2(su)->set cos reference irl 2.0 1 rate-limit 1

    show cos reference


    UsethiscommandtoshowtheClassofServiceinboundratelimitingreferenceconfiguration.

    Syntax
    show cos reference [irl [group-type-index]]

    11-32

    Policy Classification Configuration

    clear cos reference

    Parameters
    irl grouptypeindex (Optional)Specifiesthatinboundratelimitingreferenceinformation shouldbedisplayed. (Optional)Specifiesaninboundratelimitingportgroup/typeindex.Valid entriesareintheformofgroup#.porttype. Validvaluesforgroup#canrangefrom0to7.Validvaluesforporttype canrangefrom0to1,althoughonlyporttype0iscurrentlysupported. Forexample,portgroup3wouldbespecifiedas3.0.

    Defaults
    Ifirlisnotspecified,allCoSreferenceinformationisdisplayed. Ifaspecificportgroupisnotspecified,informationforallportgroupsisdisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowstheClassofServiceIRLreferencesforportgroup1.0.Notethatnotallofthe 100possiblereferencesaredisplayedinthisoutputexample.
    C2(su)->show cos reference irl 1.0 Group Index ----------1.0 1.0 1.0 1.0 ... 1.0 1.0 1.0 Reference --------0 1 2 3 97 98 99 Type ---irl irl irl irl irl irl irl Rate Limiter -----------none 1 none none none none none

    clear cos reference


    UsethiscommandtocleartheClassofServiceinboundratelimitingreferenceconfiguration.

    Syntax
    clear cos reference irl {all | group-type-index reference}

    Parameters
    irl all SpecifiesthatIRLreferencesarebeingcleared. Clearallgroupsindexesandreferences.

    SecureStack C2 Configuration Guide

    11-33

    show cos unit

    grouptypeindex

    Specifiesaninboundratelimitingportgroup/typeindex.Validentriesare intheformofgroup#.porttype. Validvaluesforgroup#canrangefrom0to7.Validvaluesforporttype canrangefrom0to1,althoughonlyporttype0iscurrentlysupported. Forexample,portgroup3wouldbespecifiedas3.0.

    reference

    Clearaspecificreferenceforthespecifiedportgroup.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtocleartheCoSinboundratelimitingreferenceconfigurationforall groups:
    C2(su)->clear cos reference irl all

    show cos unit


    UsethiscommandtoshowpossibleCoSunitentries.

    Syntax
    show cos unit [irl [port-type index] [kbps]] [flood-ctrl [port-type index] [pps]]

    Parameters
    irl porttypeindex kbps floodctrl pps (Optional)DisplayonlyIRLunitinformation. (Optional)Displayinformationaboutthespecifiedporttype.(Only porttypeindex0issupported.) (Optional)Displaykbpsinformation. (Optional)Displayonlyfloodcontrolunitinformation. (Optional)Displayppsinformation.

    Defaults
    Ifnoparametersareentered,allCosunitinformationisdisplayed.

    Mode
    Switchcommand,readonly.

    Examples
    Thisexampleshowspossibleunitentriesforinboundratelimiting:
    C2(su)->show cos unit irl Type: irl = inbound rate limiting Unit: Kbps = Kilobits per second

    11-34

    Policy Classification Configuration

    clear cos all-entries

    Port Type --------0

    Type ---irl

    Unit ---Kbps

    Maximum Rate -----------1000000

    Minimum Rate -----------64

    Granularity ----------1

    Thisexamplesshowsfloodcontrolunitinformation.
    C2(su)->show cos unit flood-ctrl Type: flood-ctrl = flood control type Port Type ----------0 Type ----------flood-ctrl Unit ---pps Unit: pps = packets per second Maximum Rate -----------148810 Minimum Rate -----------0 Granularity ----------1

    clear cos all-entries


    UsethiscommandtoclearallClassofServiceentriesexceptentries07.

    Syntax
    clear cos all-entries

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtocleartheCoSconfigurationforallentriesexceptentries07:
    C2(su)->clear cos all-entries

    show cos port-type


    UsethiscommandtodisplayClassofServiceporttypeconfigurations.

    Syntax
    show cos port-type [irl [port-type]] [flood-ctrl [port-type]]

    Parameters
    irl floodctrl porttype (Optional)Displaysinboundratelimitinginformation. (Optional)Displaysfloodcontrolinformation. (Optional)Displaysinformationforaspecificporttype.(Onlyporttype 0issupported.)

    SecureStack C2 Configuration Guide

    11-35

    show cos port-type

    Defaults
    Ifnoparametersarespecified,inboundratelimitingandfloodcontrolinformationforallport typesisdisplayed.

    Mode
    Switchcommand,readonly.

    Usage
    TheC2implementationprovidesonedefaultporttype(0)fordesignatingavailableinboundrate limitingorfloodcontrolresources.Porttype0includesallports. Theporttype0IRLdescriptionisC2100IRL,whichindicatesthatthisporttypeprovidesa maximumof100inboundratelimitingresourcesperportgroup.Theporttype0floodcontrol descriptionisC23floodctrlwhichindicatesthatthisporttypeprovidesamaximumof3flood controlresourcesperportgroup.

    Examples
    Thisexampleshowsinboundratelimitinginformationforporttype0.
    C2(su)->show cos port-type irl 0 Number of resources: irl = inbound rate limiter(s) Port type description -----------C2 100 IRL Number of limiters --------100 Supported rate types: Kbps = kilobits per second Supported rate type --------kbps Eligible ports ----------------ge.1.1-48 Unselected ports ----------------ge.1.1-4

    Index ----0

    Thisexampleshowsfloodcontrolinformationforporttype0.
    C2(su)->show cos port-type flood-ctrl 0 Number of resources: flood-ctrl = flood control type Port type Number of description limiters -------------------C2 3 flood-ctrl 3 Supported rate types: Pps = Packets per second Supported rate type --------pps Eligible ports ---------------ge.1.1-24 Unselected ports -----------ge.1.1-24

    Index ----0

    11-36

    Policy Classification Configuration

    12
    Port Priority and Rate Limiting Configuration
    ThischapterdescribesthePortPriorityandRateLimitingsetofcommandsandhowtousethem.
    For information about... Port Priority Configuration Summary Configuring Port Priority Configuring Priority to Transmit Queue Mapping Configuring Quality of Service (QoS) Configuring Port Traffic Rate Limiting Refer to page... 12-1 12-1 12-4 12-6 12-10

    Port Priority Configuration Summary


    TheSecureStackC2devicesupportsClassofService(CoS),whichallowsyoutoassignmission criticaldatatohigherprioritythroughthedevicebydelayinglesscriticaltrafficduringperiodsof congestion.Thehigherprioritytrafficthroughthedeviceisservicedfirstbeforelowerpriority traffic.TheClassofServicecapabilityofthedeviceisimplementedbyapriorityqueueing mechanism.ClassofServiceisbasedontheIEEE802.1D(802.1p)standardspecification,and allowsyoutodefineeightpriorities(0 through 7)andassignthemtotransmitqueuesforeach port. Apriority0 through 7canbesetoneachport,with0beingthelowestpriority.Aportreceivinga framewithoutpriorityinformationinitstagheaderisassignedapriorityaccordingtothedefault prioritysettingontheport.Forexample,ifthepriorityofaportissetto4,theframesreceived throughthatportwithoutapriorityindicatedintheirtagheaderareclassifiedasapriority4and transmittedaccordingtothatpriority.Inaddition,thedevicesratelimitingcapabilitiesallowyou tofurtherprioritizetrafficbylimitingtherateofinboundtrafficonaperport/prioritybasis.
    Note: When CoS override is enabled using the set policy profile command as described in set policy profile on page 11-3, CoS-based classification rules will take precedence over priority settings configured with the set port priority command described in this section.

    Configuring Port Priority


    Purpose
    Tovieworconfigureportprioritycharacteristicsasfollows: DisplayorchangetheportdefaultClassofService(CoS)transmitpriority(0through7)of eachportforframesthatarereceived(ingress)withoutpriorityinformationintheirtag header.
    SecureStack C2 Configuration Guide 12-1

    show port priority

    Displaythecurrenttrafficclassmappingtopriorityofeachport. Seteachporttotransmitframesaccordingto802.1D(802.1p)prioritysetintheframeheader.

    Commands
    For information about... show port priority set port priority clear port priority Refer to page... 12-4 12-2 12-3

    show port priority


    Usethiscommandtodisplaythe802.1Dpriorityforoneormoreports.

    Syntax
    show port priority [port-string]

    Parameters
    portstring (Optional)Displayspriorityinformationforaspecificport.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    Defaults
    If port-string is not specified, priority for all ports will be displayed.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaytheportpriorityforthege.2.1through5.
    C2(su)->show ge.2.1 is set ge.2.2 is set ge.2.3 is set ge.2.4 is set ge.2.5 is set port priority ge.2.1-5 to 0 to 0 to 0 to 0 to 0

    set port priority


    Usethiscommandtosetthe802.1D(802.1p)ClassofServicetransmitpriority(0 through 7)on eachport.Aportreceivingaframewithoutpriorityinformationinitstagheaderisassigneda priorityaccordingtotheprioritysettingontheport.Forexample,ifthepriorityofaportissetto 5,theframesreceivedthroughthatportwithoutapriorityindicatedintheirtagheaderare classifiedasapriority5. Aframewithpriorityinformationinitstagheaderistransmittedaccordingtothatpriority.

    12-2

    Port Priority and Rate Limiting Configuration

    clear port priority

    Syntax
    set port priority port-string priority

    Parameters
    portstring Specifiestheportforwhichtosetpriority.Foradetaileddescriptionof possibleportstringvalues,refertoPortStringSyntaxUsedintheCLIon page 72. Specifiesavalueof0to7tosettheCoSpriorityfortheportenteredinthe portstring.Priorityvalueof0isthelowestpriority.

    priority

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Thesetportprioritycommandwillnotchangethe802.1pprioritytagontaggedtrafficwitha defaultprioritytag.Thecommandonlyhasaneffectonhowuntaggedtrafficwillbeprioritized asitpassesinternallythroughthedevice.

    Example
    Thisexampleshowshowtosetadefaultpriorityof6onge.1.3.Framesreceivedbythisport withoutpriorityinformationintheirframeheaderaresettothedefaultsettingof6:
    C2(su)->set port priority ge.1.3 6

    clear port priority


    UsethiscommandtoresetthecurrentCoSportprioritysettingto0.Thiswillcauseallframes receivedwithoutapriorityvalueinitsheadertobesettopriority0.

    Syntax
    clear port priority port-string

    Parameters
    portstring Specifiestheportforwhichtoclearpriority.Foradetaileddescriptionof possibleportstringvalues,refertoPortStringSyntaxUsedintheCLIon page 72.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    12-3

    Configuring Priority to Transmit Queue Mapping

    Example
    Thisexampleshowshowtoresetge.1.11tothedefaultpriority:
    C2(rw)->clear port priority ge.1.11

    Configuring Priority to Transmit Queue Mapping


    Purpose
    Toperformthefollowing: Viewthecurrentprioritytotransmitqueuemappingofeachphysicalport. Configureeachporttoeithertransmitframesaccordingtotheportpriority,setusingtheset portprioritycommanddescribedinsetportpriorityonpage 122,oraccordingtoapriority basedonapercentageofporttransmissioncapacity,assignedtotransmitqueuesusingtheset porttxqcommanddescribedinsetporttxqonpage 127. Clearcurrentportpriorityqueuesettingsforoneormoreports.

    Commands
    For information about... show port priority-queue set port priority-queue clear port priority-queue Refer to page... 12-4 12-5 12-6

    show port priority-queue


    Usethiscommandtodisplaytheportprioritylevels(0through7,with0asthelowestlevel) associatedwiththecurrenttransmitqueues(0beingthelowestpriority)foreachselectedport.A framewithacertainportpriorityistransmittedaccordingtothesettingsenteredusingtheset portpriorityqueuecommanddescribedinsetportpriorityqueueonpage 125.

    Syntax
    show port priority-queue [port-string]

    Parameters
    portstring (Optional)Displaysthemappingofprioritiestotransmitqueuesforone ormoreports.

    Defaults
    Ifportstringisnotspecified,priorityqueueinformationforallportswillbedisplayed.

    Mode
    Switchcommand,readonly.

    12-4

    Port Priority and Rate Limiting Configuration

    set port priority-queue

    Example
    Thisexampleshowshowtodisplaypriorityqueueinformationforge.1.1.Inthiscase,frameswith apriorityof0areassociatedwithtransmitqueue1;frameswith1or2priority,areassociatedwith transmitqueue0;andsoforth:
    C2(su)->show Port P0 --------- -ge.1.1 1 port priority-queue ge.1.1 P1 P2 P3 P4 P5 P6 P7 -- -- -- -- -- -- -0 0 2 3 4 5 5

    set port priority-queue


    Usethiscommandtomap802.1D(802.1p)prioritiestotransmitqueues.Thisenablesyouto changethetransmitqueue(0to7,with0beingthelowestpriorityqueue)foreachportpriorityof theselectedport.Youcanapplythenewsettingstooneormoreports.

    Syntax
    set port priority-queue port-string priority queue

    Parameters
    portstring Specifiestheport(s)forwhichtosetprioritytoqueuemappings.Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72. Specifiesavalueof0through7(0isthelowestlevel)thatdetermines whatpriorityframeswillbetransmittedonthetransmitqueueenteredin thiscommand. Specifiesavalueof0through5(0isthelowestlevel)thatdeterminesthe queueonwhichtotransmittheframeswiththeportpriorityenteredin thiscommand.
    Note: Although there are 8 queues, only queues 0 through 5 may be configured. Queues 6 and 7 are reserved for management traffic.l

    priority

    queue

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    PrioritytotransmitqueuemappingonanindividualportbasiscanonlybeconfiguredonGigabit Ethernetports(ge.x.x).OnswitchesthatprovideFastEthernetports,whenyouusethesetport priorityqueuecommandtoconfigureaFastEthernetport(fe.x.x),themappingvaluesare appliedgloballytoallFastEthernetportsonthesystem.

    Example
    Thisexampleshowshowtosetpriority5framesreceivedonge.2.12totransmitonqueue0.
    C2(su)->set port priority-queue ge.2.12 5 0

    SecureStack C2 Configuration Guide

    12-5

    clear port priority-queue

    clear port priority-queue


    Usethiscommandtoresetportpriorityqueuesettingsbacktodefaultsforoneormoreports.

    Syntax
    clear port priority-queue port-string

    Parameters
    portstring Specifiestheportforwhichtoclearprioritytoqueuemappings.Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoclearthepriorityqueuesettingsonge.2.12:
    C2(su)->clear port priority-queue ge.2.12

    Configuring Quality of Service (QoS)


    Purpose
    Eighttransmitqueuesareimplementedintheswitchhardwareforeachport.Thecommandsin thissectionallowyoutosettheprioritymodeandweightforeachoftheavailablequeues(0 through7)foreachphysicalportontheswitch.Prioritymodeandweightcannotbeconfiguredon LAGs,onlyonthephysicalportsthatmakeuptheLAG.

    Commands
    For information about... show port txq set port txq clear port txq Refer to page... 12-6 12-7 12-8

    show port txq


    UsethiscommandtodisplayQoStransmitqueueinformationforoneormorephysicalports.

    Syntax
    show port txq [port-string]

    12-6

    Port Priority and Rate Limiting Configuration

    set port txq

    Parameters
    portstring (Optional)Specifiesport(s)forwhichtodisplayQoSsettings.Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72. Onlyphysicalportswillbedisplayed.LAGportshavenotransmitqueue information.

    Defaults
    Iftheportstringisnotspecified,theQoSsettingofallphysicalportswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaythecurrentalgorithmandtransmitqueueweightsconfigured onportge.1.10:
    C2(su)->show port txq ge.1.10 Port Alg Q0 Q1 Q2 Q3 Q4 Q5 Q6 Q7 ------- --- --- --- --- --- --- --- ---

    ge.1.10 WRR 10

    10

    15

    20

    25

    20

    set port txq


    UsethiscommandtosetQoStransmitqueuearbitrationvaluesforphysicalports.

    Syntax
    set port txq port-string value0 value1 value2 value3 value4 value5 value6 value7

    Parameters
    portstring Specifiesport(s)onwhichtosetqueuearbitrationvalues.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72. Onlyphysicalportscanbeconfiguredwiththiscommand.LAGports cannotbeconfigured. value0value7 Specifiespercentagetoallocatetoaspecifictransmitqueue.Thevalues musttotal100percent.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    12-7

    clear port txq

    Usage
    Queuescanbesetforstrictpriority(SP)orweightedroundrobin(WRR).IfsetforWRRmode, weightsmaybeassignedtothosequeueswiththiscommand.Weightsarespecifiedintherangeof 0to100percent.Weightsspecifiedforqueues0through7onanyportmusttotal100percent.

    Examples
    Thisexampleshowshowtochangethearbitrationvaluesfortheeighttransmitqueuesbelonging toge.1.1:
    C2(su)->set port txq ge.1.1 10 10 10 10 10 10 10 30

    Thisexampleshowshowtochangethealgorithmtostrictpriorityfortheeighttransmitqueues belongingtoge.1.1:
    C2(su)->set port txq ge.1.1 0 0 0 0 0 O O 100 C2(su)->show port txq ge.1.1 Port Alg Q0 Q1 Q2 Q3 Q4 Q5 Q6 Q7 ------- --- --- --- --- --- --- --- ---

    ge.1.1

    STR SP

    SP

    SP

    SP

    SP

    SP

    SP

    SP

    clear port txq


    Usethiscommandtoclearporttransmitqueuevaluesbacktotheirdefaultvalues.

    Syntax
    clear port txq port-string

    Parameters
    portstring Clearstransmitqueuevaluesonspecificport(s)backtotheirdefault values.Foradetaileddescriptionofpossibleportstringvalues,referto PortStringSyntaxUsedintheCLIonpage 72. Onlyphysicalportscanbeconfiguredwiththiscommand.LAGports cannotbeconfigured.

    Defaults
    Bydefault,transmitqueuesaredefinedasfollows:
    Queue 0 1 2 3 Mode WRR WRR WRR WRR Weight 1 2 3 4 Queue 4 5 6 7 Mode WRR WRR WRR WRR Weight 5 6 7 8

    Mode
    Switchcommand,readwrite.

    12-8

    Port Priority and Rate Limiting Configuration

    clear port txq

    Example
    Thisexampleshowshowtocleartransmitqueuevaluesonge.1.1:
    C2(su)->clear port txq ge.1.1

    SecureStack C2 Configuration Guide

    12-9

    Configuring Port Traffic Rate Limiting

    Configuring Port Traffic Rate Limiting


    Purpose
    TolimittherateofinboundtrafficontheSecureStackC2deviceonaperport/prioritybasis.The allowablerangefortheratelimitingis64kilobytespersecondminimumuptothemaximum transmissionrateallowableontheinterfacetype. Ratelimitisconfiguredforagivenportandlistofpriorities.Thelistofprioritiescanincludeone, some,oralloftheeight802.1pprioritylevels.Onceconfigured,therateofalltrafficenteringthe portwiththeprioritiesconfiguredtothatportisnotallowedtoexceedtheprogrammedlimit.If therateexceedstheprogrammedlimit,framesaredroppeduntiltheratefallsbelowthelimit.

    Commands
    Thecommandstoconfiguretrafficratelimitingarelistedbelow.
    For information about... show port ratelimit set port ratelimit clear port ratelimit Refer to page... 12-10 12-12 12-13

    show port ratelimit


    Usethiscommandtoshowthetrafficratelimitingconfigurationononeormoreports.

    Syntax
    show port ratelimit [port-string]

    Parameters
    portstring (Optional)Displaysratelimitinginformationforspecificport(s).Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72.

    Defaults
    Ifportstringisnotspecified,ratelimitinginformationwillbedisplayedforallports.

    Mode
    Switchcommand,readonly.

    12-10

    Port Priority and Rate Limiting Configuration

    show port ratelimit

    Example
    Thisexampleshowshowtodisplaythecurrentratelimitinginformationforfe.2.1:
    C2(su)->show port ratelimit fe.2.1 Global Ratelimiting status is disabled. Port Number ----------fe.2.1 fe.2.1 fe.2.1 fe.2.1 fe.2.1 fe.2.1 fe.2.1 fe.2.1 Threshold (kB/s) --------64 64 64 64 64 64 64 64 Priority List ----------0 0 0 0 0 0 0 0

    Index ----1 2 3 4 5 6 7 8

    Action -----------discard discard discard discard discard discard discard discard

    Direction --------inbound inbound inbound inbound inbound inbound inbound inbound

    Status -------disabled disabled disabled disabled disabled disabled disabled disabled

    Table 121showsadetailedexplanationofthecommandoutput. Table 12-1


    Output Port Number Index Threshold (kB/s) Action Direction Priority List Status

    show port ratelimit Output Details


    What It Displays... Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 7-2. Resource index for this port. Port rate limiting threshold in kilobytes per second. Whether or not frames not conforming to rate limiting will be discarded. Currently rules can only be applied to inbound traffic. 802.1D (802.1p) port priority level. Whether or not this rule is active or disabled.

    SecureStack C2 Configuration Guide

    12-11

    set port ratelimit

    set port ratelimit


    Usethiscommandtoconfigurethetrafficratelimitingstatusandthreshold(inkilobytesper second)foroneormoreports.

    Syntax
    set port ratelimit {disable | enable} | port-string priority threshold {disable | enable} [inbound] [index]

    Parameters
    disable|enable Whenenteredwithoutaportstring,globallydisablesorenablestheport ratelimitingfunction.Whenenteredwithaportstring,disablesor enablesratelimitingonspecificport(s)whentheglobalfunctionis enabled. Specifiesaportonwhichtosettheratelimitingthresholdandother parameters.Foradetaileddescriptionofpossibleportstringvalues, refertoPortStringSyntaxUsedintheCLIonpage 72. Specifiesthe802.1D(802.1p)portprioritylevelassociatedwiththeport string.Thevaluecanbe0to7,with0specifyingthelowestpriority. Specifiesaportratelimitingthresholdinkilobytespersecond.Rangeis 64uptoamaximumof2,147,483,647kilobytespersecond. (Optional)Appliesthisratepolicingruletoinboundtraffic. (Optional)Assignsaresourceindexforthisport.

    portstring

    priority threshold inbound index

    Defaults
    Thresholdwillbeappliedtoinboundtrafficontheport/priority. Ifindexisnotspecified,settingswillbeappliedtoindex1,andwilloverwriteindex1forany subsequentratelimitsconfigured.

    Mode
    Switch command, read-write.

    Example
    Thisexampleshowshowto: globallyenableratelimiting configureratelimitingforinboundtrafficonportfe.2.1,index1,priority5,toathresholdof 125 KBps:

    C2(rw)->set port ratelimit enable C2(rw)->set port ratelimit fe.2.1 5 125 enable inbound

    12-12

    Port Priority and Rate Limiting Configuration

    clear port ratelimit

    clear port ratelimit


    Usethiscommandtoclearratelimitingparametersforoneormoreports.

    Syntax
    clear port ratelimit port-string [index]

    Parameters
    portstring Specifiestheport(s)onwhichtoclearratelimiting.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntax UsedintheCLIonpage 72. (Optional)Specifiestheassociatedresourceindextobereset.

    index

    Defaults
    Ifnotspecified,allindexentrieswillbereset.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoclearallratelimitingparametersonportfe.2.1.
    C2(su)->clear port ratelimit fe.2.1

    SecureStack C2 Configuration Guide

    12-13

    clear port ratelimit

    12-14

    Port Priority and Rate Limiting Configuration

    13
    IGMP Configuration
    ThischapterdescribestheIGMPConfigurationsetofcommandsandhowtousethem.
    For information about... IGMP Overview Configuring IGMP at Layer 2 Configuring IGMP on Routing Interfaces Refer to page... 13-1 13-2 13-10

    IGMP Overview
    About IP Multicast Group Management
    TheInternetGroupManagementProtocol(IGMP)runsbetweenhostsandtheirimmediately neighboringmulticastdevice.Theprotocolsmechanismsallowahosttoinformitslocaldevice thatitwantstoreceivetransmissionsaddressedtoaspecificmulticastgroup. Amulticastenableddevicecanperiodicallyaskitshostsiftheywanttoreceivemulticasttraffic.If thereismorethanonedeviceontheLANperformingIPmulticasting,oneofthesedevicesis electedquerierandassumestheresponsibilityofqueryingtheLANforgroupmembers. BasedonthegroupmembershipinformationlearnedfromIGMP,adevicecandeterminewhich(if any)multicasttrafficneedstobeforwardedtoeachofitsports.AtLayer3,multicastdevicesuse thisinformation,alongwithamulticastroutingprotocol,tosupportIPmulticastingacrossanIP network. IGMPprovidesthefinalstepinanIPmulticastpacketdeliveryservice,sinceitisonlyconcerned withforwardingmulticasttrafficfromthelocaldevicetogroupmembersonadirectlyattached subnetworkorLANsegment. ThisdevicesupportsIPmulticastgroupmanagementbypassivelysnoopingontheIGMPquery andIGMPreportpacketstransferredbetweenIPmulticastdevicesandIPmulticasthostgroupsto learnIPmulticastgroupmembers. ThepurposeofIPmulticastgroupmanagementistooptimizeaswitchednetworksperformance somulticastpacketswillonlybeforwardedtothoseportscontainingmulticastgrouphostsor multicastdevicesinsteadoffloodingtoallportsinthesubnet(VLAN). InadditiontopassivelymonitoringIGMPqueryandreportmessages,theSecureStackC2canalso activelysendL3IGMPquerymessagestolearnlocationsofmulticastdevicesandmemberhosts inmulticastgroupswithineachVLAN. However,notethatIGMPneitheraltersnorroutesanyIPmulticastpackets.SinceIGMPisnot concernedwiththedeliveryofIPmulticastpacketsacrosssubnetworks,multicastroutingis neededifIPmulticastpacketshavetoberoutedacrossdifferentsubnetworks.
    SecureStack C2 Configuration Guide 13-1

    Configuring IGMP at Layer 2

    About Multicasting
    Multicastingisusedtosupportrealtimeapplicationssuchasvideoconferencesorstreaming audio.Amulticastserverdoesnothavetoestablishaseparateconnectionwitheachclient.It merelybroadcastsitsservicetothenetwork,andanyhoststhatwanttoreceivethemulticast registerwiththeirlocalmulticastswitch/router.Althoughthisapproachreducesthenetwork overheadrequiredbyamulticastserver,thebroadcasttrafficmustbecarefullyprunedatevery multicastswitch/routeritpassesthroughtoensurethattrafficisonlypassedtothehoststhat subscribedtothisservice. TheSecureStackC2switchdeviceusesIGMP(InternetGroupManagementProtocol)toqueryfor anyattachedhostswhowanttoreceiveaspecificmulticastservice.ThedevicelooksuptheIP MulticastGroupusedforthisserviceandaddsittotheegresslistoftheLevel3interface.Itthen propagatestheservicerequestontoanyneighboringmulticastswitch/routertoensurethatitwill continuetoreceivethemulticastservice.

    Configuring IGMP at Layer 2


    Purpose
    ToconfigureIGMPsnoopingfromtheswitchCLI.

    Commands
    For information about... show igmpsnooping set igmpsnooping adminmode set igmpsnooping interfacemode set igmpsnooping groupmembershipinterval set igmpsnooping maxresponse set igmpsnooping mcrtrexpiretime set igmpsnooping add-static set igmpsnooping remove-static show igmpsnooping static show igmpsnooping mfdb clear igmpsnooping Refer to page... 13-2 13-3 13-4 13-4 13-5 13-6 13-6 13-7 13-8 13-8 13-9

    show igmpsnooping
    UsethiscommandtodisplayIGMPsnoopinginformation.

    Syntax
    show igmpsnooping

    13-2

    IGMP Configuration

    set igmpsnooping adminmode

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Usage
    ConfiguredinformationisdisplayedwhetherornotIGMPsnoopingisenabled.Status informationisdisplayedonlywhenthefunctionisenabled.ForinformationonenablingIGMPon thesystem,refertosetigmpsnoopingadminmodeonpage 133.Forinformationonenabling IGMPononeormoreports,refertosetigmpsnoopinginterfacemodeonpage 134.

    Example
    ThisexampleshowshowtodisplayIGMPsnoopinginformation:
    C2(su)->show igmpsnooping Admin Mode..................................... Group Membership Interval...................... Max Response Time.............................. Multicast Router Present Expiration Time....... Interfaces Enabled for IGMP Snooping........... Multicast Control Frame Count.................. Data Frames Forwarded by the CPU............... Enable 260 100 0 ge.1.1,ge.1.2,ge.1.3 0 0

    set igmpsnooping adminmode


    UsethiscommandtoenableordisableIGMPonthesystem.

    Syntax
    set igmpsnooping adminmode {enable | disable}

    Parameters
    enable|disable EnablesordisablesIGMPsnoopingonthesystem.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    InorderforIGMPsnoopingtobeenabledononeorallports,itmustbegloballyenabledonthe devicewiththiscommand,andthenenabledonaport(s)usingthesetigmpsnoopinginterface modecommandasdescribedinsetigmpsnoopinginterfacemodeonpage 134.

    SecureStack C2 Configuration Guide

    13-3

    set igmpsnooping interfacemode

    Note: IGMP snooping cannot be controlled via WebView.

    Example
    ThisexampleshowshowtoenableIGMPonthesystem:
    C2(su)->set igmpsnooping adminmode enable

    set igmpsnooping interfacemode


    UsethiscommandtoenableordisableIGMPononeorallports.

    Syntax
    set igmpsnooping interfacemode port-string {enable | disable}

    Parameters
    portstring enable|disable SpecifiesoneormoreportsonwhichtoenableordisableIGMP. EnablesordisablesIGMP.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    InorderforIGMPsnoopingtobeenabledononeorallports,itmustbegloballyenabledonthe deviceusingthesetigmpsnoopingadminmodecommandasdescribedinsetigmpsnooping adminmodeonpage 133,andthenenabledonaport(s)usingthiscommand.

    Example
    ThisexampleshowshowtoenableIGMPonportge.1.10:
    C2(su)->set igmpsnooping interfacemode ge.1.10 enable

    set igmpsnooping groupmembershipinterval


    UsethiscommandtoconfiguretheIGMPgroupmembershipintervaltimeforthesystem.

    Syntax
    set igmpsnooping groupmembershipinterval time

    13-4

    IGMP Configuration

    set igmpsnooping maxresponse

    Parameters
    time SpecifiestheIGMPgroupmembershipinterval.Validvaluesare23600 seconds. Thisvalueworkstogetherwiththesetigmpsnoopingmaxresponsetime commandtoremoveportsfromanIGMPgroupandmustbegreaterthan themaxresponsetimevalue.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    TheIGMPgroupmembershipintervaltimesetsthefrequencyofhostqueryframetransmissions andmustbegreaterthantheIGMPmaximumresponsetimeasdescribedinsetigmpsnooping maxresponseonpage 135.

    Example
    ThisexampleshowshowtosettheIGMPgroupmembershipintervalto250seconds:
    C2(su)->set igmpsnooping groupmembershipinterval 250

    set igmpsnooping maxresponse


    UsethiscommandtoconfiguretheIGMPquerymaximumresponsetimeforthesystem.

    Syntax
    set igmpsnooping maxresponse time

    Parameters
    time SpecifiestheIGMPmaximumqueryresponsetime.Validvaluesare100 255seconds.Thedefaultvalueis100seconds. Thisvalueworkstogetherwiththesetigmpsnooping groupmembershipintervalcommandtoremoveportsfromanIGMPgroup andmustbelesserthanthegroupmembershipintervalvalue.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    ThisvaluemustbelessthantheIGMPmaximumresponsetimedescribedinsetigmpsnooping groupmembershipintervalonpage 134.

    SecureStack C2 Configuration Guide

    13-5

    set igmpsnooping mcrtrexpiretime

    Example
    ThisexampleshowshowtosettheIGMPmaximumresponsetimeto100seconds:
    C2(su)->set igmpsnooping maxresponse 100

    set igmpsnooping mcrtrexpiretime


    UsethiscommandtoconfiguretheIGMPmulticastrouterexpirationtimeforthesystem.

    Syntax
    set igmpsnooping mcrtrexpire time

    Parameters
    time SpecifiestheIGMPmulticastrouterexpirationtime.Validvaluesare0 3600seconds.Avalueof0willconfigurethesystemwithaninfinite expirationtime.Thedefaultvalueis0.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Thistimerisforexpiringtheswitchfromthemulticastdatabase.Ifthetimerexpires,andtheonly addressleftisthemulticastswitch,thentheentrywillberemoved.

    Example
    ThisexampleshowshowtosettheIGMPmulticastrouterexpirationtimetoinfinity:
    C2(su)->set igmpsnooping mcrtrexpiretime 0

    set igmpsnooping add-static


    ThiscommandcreatesanewstaticIGMPentryoraddsoneormorenewportstoanexistingentry.

    Syntax
    set igmpsnooping add-static group vlan-list [modify] [port-string]

    Parameters
    group vlanlist modify portstring SpecifiesthemulticastgroupIPaddressfortheentry. SpecifiestheVLANsonwhichtoconfiguretheentry. (Optional)Addsthespecifiedportorportstoanexistingentry. (Optional)Specifiestheportorportstoaddtotheentry.

    Defaults
    Ifnoportsarespecified,allportsareaddedtotheentry.
    13-6 IGMP Configuration

    set igmpsnooping remove-static

    Ifmodifyisnotspecified,anewentryiscreated.

    Mode
    Switchcommand,readwrite.

    Usage
    UsethiscommandtocreateandconfigureLayer2IGMPentries.

    Example
    ThisexamplecreatesanIGMPentryforthemulticastgroupwithIPaddressof233.11.22.33 configuredonVLAN20configuredwiththeportge.1.1.
    C2(su)->set igmpsnooping add-static 233.11.22.33 20 ge.1.1

    set igmpsnooping remove-static


    ThiscommanddeletesastaticIGMPentryorremovesoneormorenewportsfromanexisting entry.

    Syntax
    set igmpsnooping remove-static group vlan-list [modify] [port-string]

    Parameters
    group vlanlist modify portstring SpecifiesthemulticastgroupIPaddressoftheentry. SpecifiestheVLANsonwhichtheentryisconfigured. (Optional)Removesthespecifiedportorportsfromanexistingentry. (Optional)Specifiestheportorportstoremovefromtheentry.

    Defaults
    Ifnoportsarespecified,allportsareremovedfromtheentry.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleremovesportge.1.1fromtheentryforthemulticastgroupwithIPaddressof 233.11.22.33configuredonVLAN20.
    C2(su)->set igmpsnooping remove-static 233.11.22.33 20 ge.1.1

    show igmpsnooping static


    ThiscommanddisplaysstaticIGMPportsforoneormoreVLANsorIGMPgroups.

    Syntax
    show igmpsnooping static vlan-list [group group]

    SecureStack C2 Configuration Guide

    13-7

    show igmpsnooping mfdb

    Parameters
    vlanlist groupgroup SpecifiestheVLANforwhichtodisplaystaticIGMPports. (Optional)SpecifiestheIGMPgroupforwhichtodisplaystaticIGMP ports.

    Defaults
    Ifnogroupisspecified,informationforallgroupsisdisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampledisplaysthestaticIGMPportsforVLAN20.
    C2(su)->show igmpsnooping static 20 -------------------------------------------------------------------------------Vlan Id = 20 Static Multicast Group Address = 233.11.22.33 Type = IGMP IGMP Port List = ge.1.1

    show igmpsnooping mfdb


    Usethiscommandtodisplaymulticastforwardingdatabase(MFDB)information.

    Syntax
    show igmpsnooping mfdb [stats]

    Parameters
    stats (Optional)DisplaysMFDBstatistics.

    Defaults
    Ifstatsisnotspecified,allMFDBtableentrieswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Examples
    Thisexampleshowshowtodisplaymulticastforwardingdatabaseentries:
    C2(su)->show igmpsnooping mfdb MAC Address Type Description ----------------------- ------- ---------------00:14:01:00:5E:02:CD:B0 Dynamic Network Assist 00:32:01:00:5E:37:96:D0 Dynamic Network Assist 00:32:01:00:5E:7F:FF:FA Dynamic Network Assist Interfaces ------------------------Fwd: ge.1.1,ge.3.1,ge.4.1 Fwd: ge.4.7 Fwd: ge.4.7

    Thisexampleshowshowtodisplaymulticastforwardingdatabasestatistics:
    C2(su)->show igmpsnooping mfdb stats Max MFDB Table Entries......................... 256 Most MFDB Entries Since Last Reset............. 1 Current Entries................................ 0
    13-8 IGMP Configuration

    clear igmpsnooping

    clear igmpsnooping
    UsethiscommandtoclearallIGMPsnoopingentries.

    Syntax
    clear igmpsnooping

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoclearallIGMPsnoopingentries:
    C2(su)->clear igmpsnooping Are you sure you want to clear all IGMP snooping entries? (y/n) y IGMP Snooping Entries Cleared.

    SecureStack C2 Configuration Guide

    13-9

    Configuring IGMP on Routing Interfaces

    Configuring IGMP on Routing Interfaces


    Router: The commands covered in this section can be executed only when the device is in router mode. For details on how to enable router configuration modes, refer to Enabling Router Configuration Modes on page 18-2.

    Purpose
    ToconfigureIGMPonroutinginterfaces.

    Commands
    For information about... ip igmp ip igmp enable ip igmp version show ip igmp interface show ip igmp groups ip igmp query-interval ip igmp query-max-response-time ip igmp startup-query-interval ip igmp startup-query-count ip igmp last-member-query-interval ip igmp last-member-query-count ip igmp robustness Refer to page... 13-10 13-11 13-11 13-12 13-13 13-13 13-14 13-14 13-15 13-15 13-16 13-16

    ip igmp
    UsethiscommandtoenabletheL3IGMPQuerierfunctionalityontheswitch.Thenoformofthis commanddisablesIGMPQuerierfunctionality.

    Syntax
    ip igmp no ip igmp

    Parameters
    None.

    Defaults
    None.

    Mode
    Globalconfiguration:C2(su)>router(Config)#

    13-10

    IGMP Configuration

    ip igmp enable

    Usage
    EnablingIGMPonaroutinginterfacerequiresboththeipigmpcommand(page1310),which enablesitontherouter,andtheipigmpenablecommand(page1311),whichenablesitonan interface.Oncethesecommandsareexecuted,thedevicewillstartsendingandprocessingIGMP multicasttraffic.IGMPisdisabledbydefault,bothgloballyandonaperinterfacebasis.

    Example
    ThisexampleshowshowtoenableIGMPontherouter:
    C2(su)->router(Config)#ip igmp

    ip igmp enable
    UsethiscommandtoenableIGMPonaninterface.ThenoformofthiscommanddisablesIGMP onaninterface.

    Syntax
    ip igmp enable no ip igmp enable

    Parameters
    None.

    Defaults
    None.

    Usage
    EnablingIGMPonaroutinginterfacerequiresboththeipigmpcommand(page1310),which enablesitontherouter,andtheipigmpenablecommand(page1311),whichenablesitonan interface.Oncethesecommandsareexecuted,thedevicewillstartsendingandprocessingIGMP multicasttraffic.IGMPisdisabledbydefault,bothgloballyandonaperinterfacebasis.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtoenableIGMPontheVLAN1interface:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip igmp enable

    ip igmp version
    UsethiscommandtosettheversionofIGMPrunningontherouter.Thenoformofthiscommand resetsIGMPtothedefaultversionof2(IGMPv2).

    Syntax
    ip igmp version version no ip igmp

    SecureStack C2 Configuration Guide

    13-11

    show ip igmp interface

    Parameters
    version SpecifiestheIGMPversionnumbertorunontherouter.Validvaluesare 1,2,or3.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtosettheIGMPversiontoversion1onVLAN1:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip igmp version 1

    show ip igmp interface


    UsethiscommandtodisplayinformationaboutoneormoreIGMProutinginterfaces.

    Syntax
    show ip igmp interface [vlan vlan-id]

    Parameters
    vlanvlanid (Optional)DisplaysinformationforoneormoreVLANs.

    Defaults
    Ifnotspecified,informationwillbedisplayedforallVLANsconfiguredforIGMProuting.

    Mode
    Anyroutermode.

    Example
    ThisexampleshowshowtodisplayIGMProutinginformationforVLAN1:
    C2(su)->router#show ip igmp interface vlan 1 Vlan 1 is Admin UP Vlan 1 is Oper UP IGMP is configured via the Switch IGMP ACL currently not supported Multicast TTL currently defaults to 1 IGMP Version is 2 Query Interval is 125 (secs) Query Max Response Time is 100 (1/10 of a second) Robustness is 2 Startup Query Interval is 31 (secs) Startup Query Count is 2 Last Member Query Interval is 10 (1/10 of a second) Last Member Query Count is 2

    13-12

    IGMP Configuration

    show ip igmp groups

    show ip igmp groups


    UsethiscommandtodisplayalistofIGMPstreamsandclientconnectionports.

    Syntax
    show ip igmp groups

    Parameters
    None.

    Defaults
    None.

    Mode
    Anyroutermode.

    Example
    ThisexampleshowshowtodisplayinformationaboutIGMPgroups:
    C2(su)->router#show ip igmp groups REGISTERED MULTICAST GROUP DETAILS Multicast IP Address Last Reporter Up Time Expiry Time Host Timer --------------- --------------- ------- ------------ -----------228.1.1.1 12.12.12.2 27

    Version1 ----------

    ip igmp query-interval
    UsethiscommandtosettheIGMPqueryintervalonaroutinginterface.Thenoformofthis commandresetstheIGMPqueryintervaltothedefaultvalueof125seconds.

    Syntax
    ip igmp query-interval time no ip igmp query-interval

    Parameters
    time SpecifiestheIGMPqueryinterval.Validvaluesarefrom1to3600 seconds.Defaultis125seconds.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtosettheIGMPqueryintervalto1800secondsonVLAN1:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip igmp query-interval 1800

    SecureStack C2 Configuration Guide

    13-13

    ip igmp query-max-response-time

    ip igmp query-max-response-time
    UsethiscommandtosetthemaximumresponsetimeintervaladvertisedinIGMPv2queries.The

    no form of this command resets the IGMP maximum response time to the default value of 100 (one tenth of a second).

    Syntax
    ip igmp query-max-response-time time no ip igmp query-max-response-time

    Parameters
    time SpecifiestheIGMPmaximumresponsetimeinterval.Validvaluesare from0to255tenthsofasecond.The default value is 100 (one tenth of a

    second).

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtosettheIGMPquerymaximumresponsetimeintervalto200(2tenths ofasecond)onVLAN1:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip igmp query-max-response-time 200

    ip igmp startup-query-interval
    UsethiscommandtosettheintervalbetweengeneralIGMPqueriessentonstartup.Thenoform ofthiscommandresetstheIGMPstartupqueryintervaltothedefaultvalueof31seconds.

    Syntax
    ip igmp startup-query-interval time no ip igmp startup-query-interval

    Parameters
    time SpecifiestheIGMPstartupqueryinterval.Validvaluesarefrom1to300 seconds.Thedefaultvalueis31seconds.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    13-14

    IGMP Configuration

    ip igmp startup-query-count

    Example
    ThisexampleshowshowtosettheIGMPstartupqueryintervalto100secondsonVLAN1:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip igmp startup-query-interval 100

    ip igmp startup-query-count
    UsethiscommandtosetthenumberofIGMPqueriessentoutonstartup,separatedbythe startupqueryintervalasdescribedinipigmpstartupqueryinterval(page1314).Thenoformof thiscommandresetstheIGMPstartupquerycounttothedefaultvalueof2.

    Syntax
    ip igmp startup-query-count count no ip igmp startup-query-count

    Parameters
    count SpecifiesthenumberofIGMPstartupqueries.Validvaluesarefrom1to 20.Thedefaultvalueis2.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtosettheIGMPstartupquerycountto10onVLAN1:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip igmp startup-query-count 10

    ip igmp last-member-query-interval
    Usethiscommandtosetthemaximumresponsetimebeinginsertedintogroupspecificqueries sentinresponsetoleavegroupmessages.ThenoformofthiscommandresetstheIGMPlast memberqueryintervaltothedefaultvalueof1second.

    Syntax
    ip igmp last-member-query-interval time no ip igmp last-member-query-interval

    Parameters
    time SpecifiestheIGMPlastmemberqueryinterval.Validvaluesarefrom0to 255seconds.Thedefaultvalueis1second.

    Defaults
    None.

    SecureStack C2 Configuration Guide

    13-15

    ip igmp last-member-query-count

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtosettheIGMPlastmemberqueryintervalto10secondsonVLAN1:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip igmp last-member-query-interval 10

    ip igmp last-member-query-count
    Usethiscommandtosetthenumberofgroupspecificqueriessentbeforeassumingthereareno localmembers.ThenoformofthiscommandresetstheIGMPlastmemberquerycounttothe defaultvalueof2.

    Syntax
    ip igmp last-member-query-count count no ip igmp last-member-query-count

    Parameters
    count SpecifiesthenumberofIGMPstartupqueries.Validvaluesarefrom1to 20.Thedefaultvalueis2.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtosettheIGMPlastmemberquerycountto10onVLAN1:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip igmp last-member-query-count 10

    ip igmp robustness
    UsethiscommandtoconfiguretherobustnesstuningforexpectedpacketlossonanIGMP routinginterface.ThenoformofthiscommandresetstheIGMProbustnessvaluetothedefaultof 2.

    Syntax
    ip igmp robustness robustness no ip igmp robustness

    Parameters
    robustness SpecifiestheIGMProbustnessvalue.Validvaluesarefrom1to255.The defaultvalueis2.

    13-16

    IGMP Configuration

    ip igmp robustness

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Usage
    ThisvaluedetermineshowmanytimesIGMPmessageswillbesent.Ahighernumberwillmean thatendstationswillbemorelikelytoseethepacket.Aftertherobustnessvalueisreached,IGMP willassumethereisnoresponsetoqueries.

    Example
    ThisexampleshowshowtosettheIGMProbustnessvalueto5onVLAN1:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip igmp robustness 5

    SecureStack C2 Configuration Guide

    13-17

    ip igmp robustness

    13-18

    IGMP Configuration

    14
    Logging and Network Management
    Thischapterdescribesswitchrelatedloggingandnetworkmanagementcommandsandhowto usethem.
    Note: The commands in this chapter pertain to network management of the SecureStack C2 device from the switch CLI only. For information on router-related network management tasks, including reviewing router ARP tables and IP traffic, refer to Chapter 19. For information about... Configuring System Logging Monitoring Network Events and Status Managing Switch Network Addresses and Routes Configuring Simple Network Time Protocol (SNTP) Configuring Node Aliases Refer to page... 14-1 14-12 14-17 14-27 14-35

    Configuring System Logging


    Purpose
    Todisplayandconfiguresystemlogging,includingSyslogserversettings,Syslogdefaultsettings, andtheloggingbuffer.

    Commands
    For information about... show logging server set logging server clear logging server show logging default set logging default clear logging default show logging application set logging application Refer to page... 14-2 14-3 14-4 14-4 14-5 14-6 14-6 14-7

    SecureStack C2 Configuration Guide

    14-1

    show logging server

    For information about... clear logging application show logging local set logging local clear logging local show logging buffer

    Refer to page... 14-8 14-9 14-9 14-10 14-10

    show logging server


    UsethiscommandtodisplaytheSyslogconfigurationforaparticularserver.

    Syntax
    show logging server [index]

    Parameters
    index (Optional)DisplaysSysloginformationpertainingtoaspecificserver tableentry.Validvaluesare18.

    Defaults
    Ifindexisnotspecified,allSyslogserverinformationwillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaySyslogserverconfigurationinformation:
    C2(ro)->show logging server IP Address Facility Severity Description Port Status ------------------------------------------------------------------------1 132.140.82.111 local4 warning(5) default 514 enabled 2 132.140.90.84 local4 warning(5) default 514 enabled

    Table 141providesanexplanationofthecommandoutput. Table 14-1


    Output Field IP Address Facility Severity Description Port Status

    show logging server Output Details


    What It Displays... Syslog servers IP address. For details on setting this using the set logging server command, refer to set logging server on page 14-3. Syslog facility that will be encoded in messages sent to this server. Valid values are: local0 to local7. Severity level at which the server is logging messages. Text string description of this facility/server. UDP port the client uses to send to the server. Whether or not this Syslog configuration is currently enabled or disabled.

    14-2

    Logging and Network Management

    set logging server

    set logging server


    UsethiscommandtoconfigureaSyslogserver.

    Syntax
    set logging server index [ip-addr ip-addr] [facility facility] [severity severity] [descr descr] [port port] [state {enable | disable}]

    Parameters
    index ipaddripaddr facilityfacility severityseverity Specifiestheservertableindexnumberforthisserver.Validvaluesare1 8. (Optional)SpecifiestheSyslogmessageserversIPaddress. (Optional)Specifiestheserversfacilityname.Validvaluesare:local0to local7. (Optional)Specifiestheseveritylevelatwhichtheserverwilllog messages.Validvaluesandcorrespondinglevelsare: 1emergencies(systemisunusable) 2alerts(immediateactionrequired) 3criticalconditions 4errorconditions 5warningconditions 6notifications(significantconditions) 7informationalmessages 8debuggingmessages descrdescr portport stateenable| disable (Optional)Specifiesatextualstringdescriptionofthisfacility/server. (Optional)SpecifiesthedefaultUDPporttheclientusestosendtothe server. (Optional)Enablesordisablesthisfacility/serverconfiguration.

    Defaults
    Ifipaddrisnotspecified,anentryintheSyslogservertablewillbecreatedwiththespecified indexnumberandamessagewilldisplayindicatingthatnoIPaddresshasbeenassigned. Ifnotspecified,facility,severityandportwillbesettodefaultsconfiguredwiththesetlogging defaultcommand(setloggingdefaultonpage 145). Ifstateisnotspecified,theserverwillnotbeenabledordisabled.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    14-3

    clear logging server

    Example
    ThiscommandshowshowtoenableaSyslogserverconfigurationforindex1,IPaddress 134.141.89.113,facilitylocal4,severitylevel3onport514:
    C2(su)->set logging server 1 ip-addr 134.141.89.113 facility local4 severity 3 port 514 state enable

    clear logging server


    UsethiscommandtoremoveaserverfromtheSyslogservertable.

    Syntax
    clear logging server index

    Parameters
    index Specifiestheservertableindexnumberfortheservertoberemoved. Validvaluesare18.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThiscommandshowshowtoremovetheSyslogserverwithindex1fromtheservertable:
    C2(su)->clear logging server 1

    show logging default


    UsethiscommandtodisplaytheSyslogserverdefaultvalues.

    Syntax
    show logging default

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    14-4

    Logging and Network Management

    set logging default

    Example
    ThiscommandshowshowtodisplaytheSyslogserverdefaultvalues.Foranexplanationofthe commandoutput,referbacktoTable 141onpage 142.
    C2(su)->show logging default Facility Severity Port ----------------------------------------local4 warning(5) 514

    Defaults:

    set logging default


    Usethiscommandtosetloggingdefaultvalues.

    Syntax
    set logging default {[facility facility] [severity severity] port port]}

    Parameters
    facilityfacility severityseverity Specifiesthedefaultfacilityname.Validvaluesare:local0tolocal7. Specifiesthedefaultloggingseveritylevel.Validvaluesand correspondinglevelsare: 1emergencies(systemisunusable) 2alerts(immediateactionrequired) 3criticalconditions 4errorconditions 5warningconditions 6notifications(significantconditions) 7informationalmessages 8debuggingmessages portport SpecifiesthedefaultUDPporttheclientusestosendtotheserver.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosettheSyslogdefaultfacilitynametolocal2andtheseveritylevelto4 (errorlogging):
    C2(su)->set logging default facility local2 severity 4

    SecureStack C2 Configuration Guide

    14-5

    clear logging default

    clear logging default


    Usethiscommandtoresetloggingdefaultvalues.

    Syntax
    clear logging default {[facility] [severity] [port]}

    Parameters
    facility severity port (Optional)Resetsthedefaultfacilitynametolocal4. (Optional)Resetsthedefaultloggingseveritylevelto6(notificationsof significantconditions). (Optional)ResetsthedefaultUDPporttheclientusestosendtotheserver to514.

    Defaults
    Atleastoneoptionalparametermustbeentered. Allthreeoptionalkeywordsmustbeenteredtoresetallloggingvaluestodefaults.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoresettheSyslogdefaultseveritylevelto6:
    C2(su)->clear logging default severity

    show logging application


    UsethiscommandtodisplaytheseveritylevelofSyslogmessagesforoneorallapplications configuredforloggingonyoursystem.

    Syntax
    show logging application [mnemonic | all]

    Parameters
    mnemonic (Optional)Displaysseveritylevelforoneapplicationconfiguredfor logging.Mnemonicswillvarydependingonthenumberandtypesof applicationsrunningonyoursystem.Samplemnemonicsandtheir correspondingapplicationsarelistedinTable 143onpage 148.
    Note: Mnemonic values are case sensitive and must be typed as they appear in Table 14-3.

    all

    (Optional)Displaysseveritylevelforallapplicationsconfiguredfor logging.

    Defaults
    Ifnoparameterisspecified,informationforallapplicationswillbedisplayed.

    14-6

    Logging and Network Management

    set logging application

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaysystemlogginginformationpertainingtotheSNMP application.
    C2(ro)->show logging application SNMP Application Current Severity Level --------------------------------------------90 SNMP 6 1(emergencies) 4(errors) 7(information) 2(alerts) 5(warnings) 8(debugging) 3(critical) 6(notifications)

    Table 142providesanexplanationofthecommandoutput. Table 14-2


    Output Field Application Current Severity Level

    show logging application Output Details


    What it displays... A mnemonic abbreviation of the textual description for applications being logged. Severity level at which the server is logging messages for the listed application. This range (from 1 to 8) and its associated severity list is shown in the CLI output. For a description of these entries, which are set using the set logging application command, refer to set logging application on page 14-7.

    set logging application


    Usethiscommandtosettheseverityleveloflogmessagesforoneorallapplications.

    Syntax
    set logging application {[mnemonic | all]} [level level]

    Parameters
    mnemonic Specifiesacasesensitivemnemonicabbreviationofanapplicationtobe logged.Thisparameterwillvarydependingonthenumberandtypesof applicationsrunningonyoursystem.Todisplayacompletelist,usethe showloggingapplicationcommandasdescribedinshowlogging applicationonpage 146.Samplemnemonicsandtheircorresponding applicationsarelistedinTable 143onpage 148.
    Note: Mnemonic values are case sensitive and must be typed as they appear in Table 14-3.

    all

    Setstheloggingseveritylevelforallapplications.

    SecureStack C2 Configuration Guide

    14-7

    clear logging application

    levellevel

    (Optional)Specifiestheseveritylevelatwhichtheserverwilllog messagesforapplications.Validvaluesandcorrespondinglevelsare: 1emergencies(systemisunusable) 2alerts(immediateactionrequired) 3criticalconditions 4errorconditions 5warningconditions 6notifications(significantconditions) 7informationalmessages 8debuggingmessages

    Table 14-3
    Mnemonic CLIWEB SNMP STP Driver System Stacking UPN Router

    Mnemonic Values for Logging Applications


    Application Command Line Interface and Webview management Simple Network Management Protocol Spanning Tree Protocol Hardware drivers Non-application items such as general chassis management Stacking management (if applicable) User Personalized Networking Router

    Defaults
    Iflevelisnotspecified,nonewillbeapplied.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosettheseveritylevelforSNMPto4sothaterrorconditionswillbe loggedforthatapplication.
    C2(rw)->set logging application SNMP level 4

    clear logging application


    Usethiscommandtoresettheloggingseveritylevelforoneorallapplicationstothedefaultvalue of6(notificationsofsignificantconditions).

    Syntax
    clear logging application {mnemonic | all}

    14-8

    Logging and Network Management

    show logging local

    Parameters
    mnemonic Resetstheseveritylevelforaspecificapplicationto6.Validmnemonic valuesandtheircorrespondingapplicationsarelistedinTable 143on page 148. Resetstheseveritylevelforallapplicationsto6.

    all

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoresettheloggingseveritylevelto6forSNMP.
    C2(rw)->clear logging application SNMP

    show logging local


    Usethiscommandtodisplaythestateofmessageloggingtotheconsoleandapersistentfile.

    Syntax
    show logging local

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaythestateofmessagelogging.Inthiscase,loggingtothe consoleisenabledandloggingtoapersistentfileisdisabled.
    C2(su)->show logging local Syslog Console Logging enabled Syslog File Logging disabled

    set logging local


    Usethiscommandtoconfigurelogmessagestotheconsoleandapersistentfile.

    Syntax
    set logging local console {enable | disable} file {enable | disable}

    SecureStack C2 Configuration Guide

    14-9

    clear logging local

    Parameters
    consoleenable|disable fileenable|disable Enablesordisablesloggingtotheconsole. Enablesordisablesloggingtoapersistentfile.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thiscommandshowshowtoenableloggingtotheconsoleanddisableloggingtoapersistentfile:
    C2(su)->set logging local console enable file disable

    clear logging local


    Usethiscommandtocleartheconsoleandpersistentstoreloggingforthelocalsession.

    Syntax
    clear logging local

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoclearlocallogging:
    C2(su)->clear logging local

    show logging buffer


    Usethiscommandtodisplaythelast256messageslogged.Bydefault,criticalfailuresanduser loginandlogouttimestampsaredisplayed.

    Syntax
    show logging buffer

    Parameters
    None.

    14-10

    Logging and Network Management

    show logging buffer

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowsaportionoftheinformationdisplayedwiththeshowloggingbuffer command:
    C2(su)->show logging buffer <165>Sep 4 07:43:09 10.42.71.13 CLI[5]User:rw logged in from 10.2.1.122 (telnet) <165>Sep 4 07:43:24 10.42.71.13 CLI[5]User: debug failed login from 10.4.1.100 (telnet)

    SecureStack C2 Configuration Guide

    14-11

    Monitoring Network Events and Status

    Monitoring Network Events and Status


    Purpose
    Todisplayswitcheventsandcommandhistory,tosetthesizeofthehistorybuffer,andtodisplay anddisconnectcurrentusersessions.

    Commands
    For information about... history show history set history ping show users disconnect show netstat Refer to page... 14-12 14-13 14-13 14-14 14-14 14-15 14-15

    history
    Usethiscommandtodisplaythecontentsofthecommandhistorybuffer.Thecommandhistory bufferincludesalltheswitchcommandsentereduptoamaximumof100,asspecifiedintheset historycommand(sethistoryonpage 1413).

    Syntax
    history

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaythecontentsofthecommandhistorybuffer.Itshowsthereare fivecommandsinthebuffer:
    C2(su)->history 1 hist 2 show gvrp 3 show vlan 4 show igmp 5 show ip address

    14-12

    Logging and Network Management

    show history

    show history
    Usethiscommandtodisplaythesize(inlines)ofthehistorybuffer.

    Syntax
    show history

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaythesizeofthehistorybuffer:
    C2(su)->show history History buffer size: 20

    set history
    Usethiscommandtosetthesizeofthehistorybuffer.

    Syntax
    set history size [default]

    Parameters
    size default Specifiesthesizeofthehistorybufferinlines.Validvaluesare1to100. (Optional)Makesthissettingpersistentforallfuturesessions.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtosetthesizeofthecommandhistorybufferto30lines:
    C2(su)->set history 30

    SecureStack C2 Configuration Guide

    14-13

    ping

    ping
    UsethiscommandtosendICMPechorequestpacketstoanothernodeonthenetworkfromthe switchCLI.

    Syntax
    ping host

    Parameters
    host SpecifiestheIPaddressofthedevicetowhichthepingwillbesent.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Examples
    ThisexampleshowshowtopingIPaddress134.141.89.29.Inthiscase,thishostisalive:
    C2(su)->ping 134.141.89.29 134.141.89.29 is alive

    Inthisexample,thehostatIPaddressisnotresponding:
    C2(su)->ping 134.141.89.255 no answer from 134.141.89.255

    show users
    UsethiscommandtodisplayinformationabouttheactiveconsoleportorTelnetsession(s)logged intotheswitch.

    Syntax
    show users

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtousetheshowuserscommand.Inthisoutput,therearetwoTelnet usersloggedinwithReadWriteaccessprivilegesfromIPaddresses134.141.192.119and 134.141.192.18:

    14-14

    Logging and Network Management

    disconnect

    C2(su)->show users Session User Location -------- ----- -------------------------* telnet rw 134.141.192.119 telnet rw 134.141.192.18

    disconnect
    UsethiscommandtocloseanactiveconsoleportorTelnetsessionfromtheswitchCLI.

    Syntax
    disconnect {ip-addr | console}

    Parameters
    ipaddr console SpecifiestheIPaddressoftheTelnetsessiontobedisconnected.This addressisdisplayedintheoutputshowninshowusersonpage 1215. Closesanactiveconsoleport.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Examples
    ThisexampleshowshowtocloseaTelnetsessiontohost134.141.192.119:
    C2(su)->disconnect 134.141.192.119

    Thisexampleshowshowtoclosethecurrentconsolesession:
    C2(su)->disconnect console

    show netstat
    Usethiscommandtodisplaynetworklayerstatistics.

    Syntax
    show netstat

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    14-15

    show netstat

    Example
    Thefollowingexampleshowstheoutputofthiscommand.
    C2(su)->show netstat Prot Local Address ---- ----------------------------TCP 127.0.0.1.2222 TCP 0.0.0.0.80 TCP 0.0.0.0.23 TCP 10.1.56.17.23 UDP 0.0.0.0.17185 UDP 127.0.0.1.49152 UDP 0.0.0.0.161 UDP 0.0.0.0.* UDP 0.0.0.0.514 Foreign Address ----------------------------0.0.0.0.* 0.0.0.0.* 0.0.0.0.* 134.141.99.104.47718 0.0.0.0.* 127.0.0.1.17185 0.0.0.0.* 0.0.0.0.* 0.0.0.0.* State ----------LISTEN LISTEN LISTEN ESTABLISHED

    Thefollowingtabledescribestheoutputofthiscommand. Table 14-4


    Output Field Prot Local Address Foreign Address State

    show netstat Output Details


    What it displays... Type of protocol running on the connection. IP address of the connections local host. IP address of the connections foreign host. Communications mode of the connection.

    14-16

    Logging and Network Management

    Managing Switch Network Addresses and Routes

    Managing Switch Network Addresses and Routes


    Purpose
    TodisplayordeleteswitchARPtableentries,andtodisplayMACaddressinformation.

    Commands
    For information about... show arp set arp clear arp traceroute show mac show mac agetime set mac agetime clear mac agetime set mac algorithm show mac algorithm clear mac algorithm set mac multicast clear mac address show mac unreserved-flood set mac unreserved-flood Refer to page... 14-17 14-18 14-19 14-19 14-20 14-21 14-22 14-22 14-23 14-23 14-24 14-24 14-25 14-26 14-26

    show arp
    UsethiscommandtodisplaytheswitchsARPtable.

    Syntax
    show arp

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    SecureStack C2 Configuration Guide

    14-17

    set arp

    Example
    ThisexampleshowshowtodisplaytheARPtable:
    C2(su)->show arp LINK LEVEL ARP TABLE IP Address Phys Address Flags Interface ----------------------------------------------------10.20.1.1 00-00-5e-00-01-1 S host 134.142.21.194 00-00-5e-00-01-1 S host 134.142.191.192 00-00-5e-00-01-1 S host 134.142.192.18 00-00-5e-00-01-1 S host 134.142.192.119 00-00-5e-00-01-1 S host -----------------------------------------------------

    Table 145providesanexplanationofthecommandoutput. Table 14-5


    Output Field IP Address Phys Address Flags

    show arp Output Details


    What It Displays... IP address mapped to MAC address. MAC address mapped to IP address. Route status. Possible values and their definitions include: S - manually configured entry (static) P - respond to ARP requests for this entry

    set arp
    UsethiscommandtoaddmappingentriestotheswitchsARPtable.

    Syntax
    set arp ip-address mac-address

    Parameters
    ipaddress macaddress SpecifiestheIPaddresstomaptotheMACaddressandaddtotheARP table. SpecifiestheMACaddresstomaptotheIPaddressandaddtotheARP table.TheMACaddresscanbeformattedasxx:xx:xx:xx:xx:xxorxxxx xxxxxxxx.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtomapIPaddress192.168.219.232toMACaddress00000c400fbc:
    C2(su)->set arp 192.168.219.232 00-00-0c-40-0f-bc

    14-18

    Logging and Network Management

    clear arp

    clear arp
    UsethiscommandtodeleteaspecificentryorallentriesfromtheswitchsARPtable.

    Syntax
    clear arp {ip-address | all}

    Parameters
    ipaddress|all SpecifiestheIPaddressintheARPtabletobecleared,orclearsallARP entries.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtodeleteentry10.1.10.10fromtheARPtable:
    C2(su)->clear arp 10.1.10.10

    traceroute
    UsethiscommandtodisplayahopbyhoppaththroughanIPnetworkfromthedevicetoa specificdestinationhost.ThreeUDPorICMPprobeswillbetransmittedforeachhopbetweenthe sourceandthetraceroutedestination.

    Syntax
    traceroute [-w waittime] [-f first-ttl] [-m max-ttl] [-p port] [-q nqueries] [-r] [-d] [-n] [-v] host

    Parameters
    wwaittime ffirstttl mmaxttl pport qnqueries r d n (Optional)Specifiestimeinsecondstowaitforaresponsetoaprobe. (Optional)Specifiesthetimetolive(TTL)ofthefirstoutgoingprobe packet. (Optional)Specifiesthemaximumtimetolive(TTL)usedinoutgoing probepackets. (Optional)SpecifiesthebaseUDPportnumberusedinprobes. (Optional)Specifiesthenumberofprobeinquiries. (Optional)Bypassesthenormalhostroutingtables. (Optional)Setsthedebugsocketoption. (Optional)Displayshopaddressesnumerically.(Supportedinafuture release.)

    SecureStack C2 Configuration Guide

    14-19

    show mac

    v host

    (Optional)Displaysverboseoutput,includingthesizeanddestinationof eachresponse. SpecifiesthehosttowhichtherouteofanIPpacketwillbetraced.

    Defaults
    Ifnotspecified,waittimewillbesetto5seconds. Ifnotspecified,firstttlwillbesetto1second. Ifnotspecified,maxttlwillbesetto30seconds. Ifnotspecified,portwillbesetto33434. Ifnotspecified,nquerieswillbesetto3. Ifrisnotspecified,normalhostroutingtableswillbeused. Ifdisnotspecified,thedebugsocketoptionwillnotbeused. Ifvisnotspecified,summaryoutputwillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtousetraceroutetodisplayaroundtrippathtohost192.167.252.17.In thiscase,hop1istheSecureStackC2switch,hop2is14.1.0.45,andhop3isbacktothehostIP address.RoundtriptimesforeachofthethreeUDPprobesaredisplayednexttoeachhop:
    C2(su)->traceroute 192.167.252.17 traceroute to 192.167.252.17 (192.167.252.17), 30 hops max, 40 byte packets 1 matrix.enterasys.com (192.167.201.40) 20.000 ms 20.000 ms 20.000 ms 2 14.1.0.45 (14.1.0.45) 40.000 ms 10.000 ms 20.000 ms 3 192.167.252.17 (192.167.252.17) 50.000 ms 0.000 ms 20.000 ms

    show mac
    UsethiscommandtodisplayMACaddressesintheswitchsfilteringdatabase.Theseare addresseslearnedonaportthroughtheswitchingprocess.

    Syntax
    show mac [address mac-address] [fid fid] [port port-string] [type {other | learned | self | mgmt}]

    Parameters
    addressmacaddress fidfid portportstring typeother|learned| self|mgmt (Optional)DisplaysaspecificMACaddress(ifitisknownbythe device). (Optional)DisplaysMACaddressesforaspecificfilterdatabase identifier. (Optional)DisplaysMACaddressesforspecificport(s). (Optional)Displaysinformationrelatedtoother,learned,selfor mgmt(management)addresstype.

    14-20

    Logging and Network Management

    show mac agetime

    Defaults
    Ifnoparametersarespecified,allMACaddressesforthedevicewillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayMACaddressinformationforge.3.1:
    C2(su)->show mac port ge.3.1 MAC Address FID Port Type ----------------- ---- ------------- -------00-09-6B-0F-13-E6 15 ge.3.1 Learned MAC Address VLAN Port Type Status Egress Ports ----------------- ---- ------------- ------- ------- --------------------------01-01-23-34-45-56 20 any mcast perm ge.3.1

    Table 146providesanexplanationofthecommandoutput. Table 14-6


    Output Field MAC Address FID Port Type

    show mac Output Details


    What It Displays... MAC addresses mapped to the port(s) shown. Filter database identifier. Port designation. Address type. Valid types are: Learned Self Management Other (this will include any static MAC locked addresses as described in Configuring MAC Locking on page 23-50). mcast (multicast)

    VLAN Status Egress Ports

    The VLAN ID configured for the multicast MAC address. The status of the multicast address. The ports which have been added to the egress ports list.

    show mac agetime


    UsethiscommandtodisplaythetimeoutperiodforaginglearnedMACentries.

    Syntax
    show mac agetime

    Parameters
    None.

    SecureStack C2 Configuration Guide

    14-21

    set mac agetime

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaytheMACtimeoutperiod:
    C2(su)->show mac agetime Aging time: 300 seconds

    set mac agetime


    UseThiscommandtosetthetimeoutperiodforaginglearnedMACentries.

    Syntax
    set mac agetime time

    Parameters
    time SpecifiesthetimeoutperiodinsecondsforaginglearnedMAC addresses.Validvaluesare10to1,000,000seconds.Defaultvalueis300 seconds.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtosettheMACtimeoutperiod:
    C2(su)->set mac agetime 250

    clear mac agetime


    UsethiscommandtoresetthetimeoutperiodforaginglearnedMACentriestothedefaultvalue of300seconds.

    Syntax
    clear mac agetime

    Parameters
    None.

    Defaults
    None.
    14-22 Logging and Network Management

    set mac algorithm

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtoresettheMACtimeoutperiodtothedefaultvalueof300seconds.
    C2(su)->clear mac agetime

    set mac algorithm


    UsethiscommandtosettheMACalgorithmmode,whichdeterminesthehashmechanismused bythedevicewhenperformingLayer2lookupsonreceivedframes.

    Syntax
    set mac algorithm {mac-crc16-lowerbits | mac-crc16-upperbits | mac-crc32-lowerbits | mac-crc32-upperbits}

    Parameters
    maccrc16lowerbits maccrc16upperbits maccrc32lowerbits maccrc32upperbits SelecttheMACCRC16lowerbitsalgorithmforhashing. SelecttheMACCRC16upperbitsalgorithmforhashing. SelecttheMACCRC32lowerbitsalgorithmforhashing. SelecttheMACCRC32upperbitsalgorithmforhashing.

    Defaults
    ThedefaultMACalgorithmismaccrc16upperbits.

    Mode
    Switchcommand,readwrite.

    Usage
    EachalgorithmisoptimizedforadifferentspreadofMACaddresses.Whenchangingthismode, theswitchwilldisplayawarningmessageandpromptyoutorestartthedevice. ThedefaultMACalgorithmismaccrc16upperbits.

    Example
    Thisexamplesetsthehashingalgorithmtomaccrc32upperbits.
    C2(rw)->set mac algorithm mac-crc32-upperbits

    show mac algorithm


    ThiscommanddisplaysthecurrentlyselectedMACalgorithmmode.

    Syntax
    show mac algorithm

    SecureStack C2 Configuration Guide

    14-23

    clear mac algorithm

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowstheoutputofthiscommand.
    C2(su)->show mac algorithm Mac hashing algorithm is mac-crc16-upperbits.

    clear mac algorithm


    UsethiscommandtoreturntheMAChashingalgorithmtothedefaultvalueofmaccrc16 upperbits.

    Syntax
    clear mac algorithm

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleresetstheMAChashingalgorithmtothedefaultvalue.
    C2(su)->clear mac algorithm

    set mac multicast


    UsethiscommandtodefineonwhatportswithinaVLANamulticastaddresscanbedynamically learnedon,oronwhatportsaframewiththespecifiedMACaddresscanbeflooded.Also,use thiscommandtoappendportstoorclearportsfromtheegressportslist.

    Syntax
    set mac multicast mac-address vlan-id [port-string] [{append | clear} port-string]

    14-24

    Logging and Network Management

    clear mac address

    Parameters
    macaddress vlanid portstring append|clear SpecifiesthemulticastMACaddress.TheMACaddresscanbe formattedasxx:xx:xx:xx:xx:xxorxxxxxxxxxxxx. SpecifiestheVLANIDcontainingtheports. SpecifiestheportorrangeofportsthemulticastMACaddresscanbe learnedonorfloodedto. Appendsorclearstheportorrangeofportsfromtheegressportlist.

    Defaults
    Ifnoportstringisdefined,thecommandwillapplytoallports.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleconfiguresmulticastMACaddress010122334455forVLAN24.
    C2(su)->set mac multicast 01-01-22-33-44-55 24

    clear mac address


    UsethiscommandtoremoveamulticastMACaddress.

    Syntax
    clear mac address mac-address [vlan-id]

    Parameters
    macaddress vlanid SpecifiesthemulticastMACaddresstobecleared.TheMACaddress canbeformattedasxx:xx:xx:xx:xx:xxorxxxxxxxxxxxx. (Optional)SpecifiestheVLANIDfromwhichtoclearthestatic multicastMACaddress.

    Defaults
    Ifnovlanidisspecified,themulticastMACaddressisclearedfromallVLANs.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleclearsmulticastMACaddress010122334455fromVLAN24.
    C2(su)->clear mac multicast 01-01-22-33-44-55 24

    SecureStack C2 Configuration Guide

    14-25

    show mac unreserved-flood

    show mac unreserved-flood


    Usethiscommandtodisplaythestateofmulticastfloodprotection.

    Syntax
    show mac unreserved-flood

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampledisplaysthestatusofmulticastfloodprotection.
    C2(su)->show mac unreserved-flood mac unreserved flood is disabled.

    set mac unreserved-flood


    Usethiscommandtoenableordisablemulticastfloodprotection.Whenenabled,thisprevents policyprofilesrequiringafull10masksfrombeingloaded.

    Syntax
    set mac unreserved-flood {disable | enable}

    Parameters
    disable|enable Disablesorenablesmulticastfloodprotection.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Thefollowingaddresseswillbeforwardedwhenthisfunctionisenabled: 01:80:C2:00:00:11 01:80:C2:00:00:14 01:80:C2:00:00:15 Thedefaultstateisdisabled,andtheseaddresseswillnotbeforwarded.

    14-26

    Logging and Network Management

    Configuring Simple Network Time Protocol (SNTP)

    Example
    Thisexampleenablesmulticastfloodprotection.
    C2(su)->set mac unreserved-flood enable

    Configuring Simple Network Time Protocol (SNTP)


    Purpose
    ToconfiguretheSimpleNetworkTimeProtocol(SNTP),whichsynchronizesdeviceclocksina network.

    Note: A host IP address must be configured on the C2 to support SNTP.

    Commands
    For information about... show sntp set sntp client clear sntp client set sntp server clear sntp server set sntp poll-interval clear sntp poll-interval set sntp poll-retry clear sntp poll-retry set sntp poll-timeout clear sntp poll-timeout set timezone Refer to page... 14-27 14-29 14-29 14-30 14-30 14-31 14-31 14-32 14-32 14-33 14-33 14-33

    show sntp
    UsethiscommandtodisplaySNTPclientsettings.

    Syntax
    show sntp

    Parameters
    None.

    SecureStack C2 Configuration Guide

    14-27

    show sntp

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaySNTPclientsettings:
    C2(su)->show sntp SNTP Version: 3 Current Time: TUE SEP 09 16:13:33 2003 Timezone: 'EST', offset from UTC is -4 hours and 0 minutes Client Mode: unicast Broadcast Count: 0 Poll Interval: 512 seconds Poll Retry: 1 Poll Timeout: 5 seconds SNTP Poll Requests: 1175 Last SNTP Update: TUE SEP 09 16:05:24 2003 Last SNTP Request: TUE SEP 09 16:05:24 2003 Last SNTP Status: Success SNTP-Server Precedence Status ------------------------------------------10.2.8.6 2 Active 144.111.29.19 1 Active

    Table 147providesanexplanationofthecommandoutput. Table 14-7


    Output Field SNTP Version Current Time Timezone Client Mode Broadcast Count Poll Interval Poll Retry Poll Timeout

    show sntp Output Details


    What It Displays... SNTP version number. Current time on the system clock. Time zone name and amount it is offset from UTC (Universal Time). Set using the set timezone command (set timezone on page 14-33). Whether SNTP client is operating in unicast or broadcast mode. Set using set sntp client command (set sntp client on page 14-29). Number of SNTP broadcast frames received. Interval between SNTP unicast requests. Default of 512 seconds can be reset using the set sntp poll-interval command (set sntp poll-interval on page 14-31). Number of poll retries to a unicast SNTP server. Default of 1 can be reset using the set sntp poll-retry command (set sntp poll-retry on page 14-32). Timeout for a response to a unicast SNTP request. Default of 5 seconds can be reset using set sntp poll-timeout command (set sntp poll-timeout on page 14-33).

    SNTP Poll Requests Total number of SNTP poll requests. Last SNTP Update Last SNTP Request Date and time of most recent SNTP update. Date and time of most recent SNTP request.

    14-28

    Logging and Network Management

    set sntp client

    Table 14-7
    Output Field

    show sntp Output Details (Continued)


    What It Displays... Whether or not broadcast reception or unicast transmission and reception was successful. IP address(es) of SNTP server(s). Precedence level of SNTP server in relation to its peers. Highest precedence is 1 and lowest is 10. Default of 1 can be reset using the set sntp server command (set sntp server on page 14-30). Whether or not the SNTP server is active.

    Last SNTP Status SNTP-Server Precedence

    Status

    set sntp client


    UsethiscommandtosettheSNTPoperationmode.

    Syntax
    set sntp client {broadcast | unicast | disable}

    Parameters
    broadcast unicast disable EnablesSNTPinbroadcastclientmode. EnablesSNTPinunicast(pointtopoint)clientmode.Inthismode,the clientmustsupplytheIPaddressfromwhichtoretrievethecurrenttime. DisablesSNTP.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoenableSNTPinbroadcastmode:
    C2(su)->set sntp client broadcast

    clear sntp client


    UsethiscommandtocleartheSNTPclientsoperationalmode.

    Syntax
    clear sntp client

    Parameters
    None.

    Defaults
    None.
    SecureStack C2 Configuration Guide 14-29

    set sntp server

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtocleartheSNTPclientsoperationalmode:
    C2(su)->clear sntp client

    set sntp server


    UsethiscommandtoaddaserverfromwhichtheSNTPclientwillretrievethecurrenttimewhen operatinginunicastmode.Upto10serverscanbesetasSNTPservers.

    Syntax
    set sntp server ip-address [precedence]

    Parameters
    ipaddress precedence SpecifiestheSNTPserversIPaddress. (Optional)SpecifiesthisSNTPserversprecedenceinrelationtoitspeers. Validvaluesare1(highest)to10(lowest).

    Defaults
    Ifprecedenceisnotspecified,1willbeapplied.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosettheserveratIPaddress10.21.1.100 asan SNTPserver:
    C2(su)->set sntp server 10.21.1.100

    clear sntp server


    UsethiscommandtoremoveoneorallserversfromtheSNTPserverlist.

    Syntax
    clear sntp server {ip-address | all}

    Parameters
    ipaddress all SpecifiestheIPaddressofaservertoremovefromtheSNTPserverlist. RemovesallserversfromtheSNTPserverlist.

    Defaults
    None.

    14-30

    Logging and Network Management

    set sntp poll-interval

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoremovetheserveratIPaddress10.21.1.100 fromtheSNTPserverlist:
    C2(su)->clear sntp server 10.21.1.100

    set sntp poll-interval


    UsethiscommandtosetthepollintervalbetweenSNTPunicastrequests.

    Syntax
    set sntp poll-interval interval

    Parameters
    interval Specifiesthepollintervalinseconds.Validvaluesare16to16284.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosettheSNTPpollintervalto30seconds:
    C2(su)->set sntp poll-interval 30

    clear sntp poll-interval


    UsethiscommandtoclearthepollintervalbetweenunicastSNTPrequests.

    Syntax
    clear sntp poll-interval

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    14-31

    set sntp poll-retry

    Example
    ThisexampleshowshowtocleartheSNTPpollinterval:
    C2(su)->clear sntp poll-interval

    set sntp poll-retry


    UsethiscommandtosetthenumberofpollretriestoaunicastSNTPserver.

    Syntax
    set sntp poll-retry retry

    Parameters
    retry Specifiesthenumberofretries.Validvaluesare0to10.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetthenumberofSNTPpollretriesto5:
    C2(su)->set sntp poll-retry 5

    clear sntp poll-retry


    UsethiscommandtoclearthenumberofpollretriestoaunicastSNTPserver.

    Syntax
    clear sntp poll-retry

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoclearthenumberofSNTPpollretries:
    C2(su)->clear sntp poll-retry

    14-32

    Logging and Network Management

    set sntp poll-timeout

    set sntp poll-timeout


    Usethiscommandtosetthepolltimeout(inseconds)foraresponsetoaunicastSNTPrequest.

    Syntax
    set sntp poll-timeout timeout

    Parameters
    timeout Specifiesthepolltimeoutinseconds.Validvaluesare1to30.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosettheSNTPpolltimeoutto10seconds:
    C2(su)->set sntp poll-timeout 10

    clear sntp poll-timeout


    UsethiscommandtocleartheSNTPpolltimeout.

    Syntax
    clear sntp poll-timeout

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtocleartheSNTPpolltimeout:
    C2(su)->clear sntp poll-timeout

    set timezone
    UsethiscommandtoconfigurethecurrenttimezoneasanoffsetfromUTC.

    Syntax
    set timezone name [hours] [minutes]

    SecureStack C2 Configuration Guide

    14-33

    set timezone

    Parameters
    name Thenameofthetimezone.Typically,thisnameisastandard abbreviationsuchasEST(EasternStandardTime)orEDT(Eastern DaylightTime). (Optional)SpecifiestheoffsetinhoursfromUTC.Thevaluecanrange from13to13.Thedefaultis0hours. (Optional)SpecifiesadditionaloffsetinminutesfromUTC.Thevalue canrangefrom0to59.Thedefaultis0minutes.

    hours minutes

    Defaults
    Ifyouenteratimezonenamewithoutspecifyinganoffsetinhoursandminutes,thedefaultisan offsetfromUTCof0hoursand0minutes.

    Mode
    Switchcommand,readwrite.

    Usage
    Typically,thiscommandisusedtoconfigurethelocaltimezoneoffsetfromUTC(UniveralTime) whenSNTPisusedtosynchronizethetimeusedbydevicesonthenetwork. TodisplaythecurrenttimezonesettingusedbySNTP,usetheshowsntpcommand.Toclearan existingoffsettozero,enterthecommandwithoutspecifyinganyhoursorminutes. StandardtimezonenamesandoffsetscanbefoundatthefollowingURL,amongothers: http://www.timeanddate.com/library/abbreviations/timezones/

    Example
    ThefollowingexamplesetsthetimezonenametoESTandtheoffsettoNorthAmericanEastern StandardTimeoffsetof5hoursfromUTC,thendisplaysthetimezoneusedwithSNTP.
    C2(su)->set timezone EST -5 C2(su)->show sntp SNTP Version: 3 Current Time: WED JUL 16 11:35:52 2008 Timezone: 'EST' offset from UTC is -5 hours and 0 minutes Client Mode: unicast Broadcast Count: 0 Poll Interval: 6 (64 seconds) Poll Retry: 1 Poll Timeout: 5 seconds SNTP Poll Requests: 2681 Last SNTP Update: WED JUL 16 16:35:23 2008 Last SNTP Request: WED JUL 16 16:35:23 2008 Last SNTP Status: Success SNTP-Server Precedence Status ------------------------------------------192.255.255.254 2 Active

    14-34

    Logging and Network Management

    Configuring Node Aliases

    Configuring Node Aliases


    ThenodealiasfeatureenablesadministratorstodeterminetheMACaddressandlocationofa givenendstation(ornode)usingthenodesLayer3aliasinformation(IPaddress)asakey.With thismethod,itispossibletodeterminethat,forinstance,IPaddress123.145.2.23islocatedon switch5port3. Thepassiveaccumulationofanetworksnode/aliasinformationisaccomplishedbysnooping onthecontentsofnetworktrafficasitpassesthroughtheswitchfabric. IntheC2,nodedataisautomaticallyaccumulatedintothectaliasmib,andbydefaultthisfeature isenabled.TheNetSightConsoleCompassutilityandAutomatedSecurityManager(ASM)use theinformationinthenode/aliasMIBtable. Itsimportanttomakesurethatinterswitchlinksarenotlearningnode/aliasinformation,asit wouldslowdownsearchesbytheNetSightCompassandASMtoolsandgiveinaccurateresults.

    Purpose
    Toreview,disable,andreenablenode(port)aliasfunctionalityontheswitch.

    Commands
    For information about... show nodealias config set nodealias clear nodealias config Refer to page... 14-35 14-36 14-37

    show nodealias config


    Usethiscommandtodisplaynodealiasconfigurationsettingsononeormoreports.

    Syntax
    show nodealias config [port-string]

    Parameters
    portstring (Optional)Displaysnodealiasconfigurationsettingsforspecificport(s).

    Defaults
    Ifportstringisnotspecified,nodealiasconfigurationswillbedisplayedforallports.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaynodealiasconfigurationsettingsforportsge.2.1through9:
    C2(rw)->show nodealias config ge.2.1-9 Port Number Max Entries Used Entries Status

    SecureStack C2 Configuration Guide

    14-35

    set nodealias

    ----------ge.2.1 ge.2.2 ge.2.3 ge.2.4 ge.2.5 ge.2.6 ge.2.7 ge.2.8 ge.2.9

    ----------16 47 47 47 47 47 47 47 4000

    -----------0 0 2 0 0 2 0 0 1

    -----Enable Enable Enable Enable Enable Enable Enable Enable Enable

    Table 148providesanexplanationofthecommandoutput. Table 14-8


    Output Field Port Number Max Entries Used Entries Status

    show nodealias config Output Details


    What It Displays... Port designation. Maximum number of alias entries configured for this port. Number of alias entries (out of the maximum amount configured) already used by this port. Whether or not a node alias agent is enabled (default) or disabled on this port.

    set nodealias
    Usethiscommandtoenableordisableanodealiasagentononeormoreports,orsetthe maximumnumberofaliasentriesstoredperport.

    Syntax
    set nodealias {enable | disable | maxentries maxentries} port-string

    Parameters
    enable|disable maxentriesmaxentries portstring Enablesordisablesanodealiasagent. Setthemaximumnumberofaliasentriesstoredperport.Validrange is0to4096.Thedefaultvalueis32. Specifiestheport(s)onwhichtoenable/disablenodealiasagentorset amaximumnumberofstoredentries.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Uponpacketreception,nodealiasesaredynamicallyassignedtoportsenabledwithanalias agent,whichisthedefaultsettingonSecureStackC2devices.Nodealiasescannotbestatically created,butcanbedeletedusingthecommandclearnodealiasconfig(page 1437).

    14-36

    Logging and Network Management

    clear nodealias config

    Itsimportanttomakesurethatinterswitchlinksarenotlearningnode/aliasinformation,asit wouldslowdownsearchesbytheNetSightCompassandASMtoolsandgiveinaccurateresults.

    Example
    Thisexampleshowshowtodisablethenodealiasagentonge.1.3:
    C2(su)->set nodealias disable ge.1.3

    clear nodealias config


    Usethiscommandtoresetnodealiasstatetoenabledandclearthemaximumentriesvalue.

    Syntax
    clear nodealias config port-string

    Parameters
    portstring Specifiestheport(s)onwhichtoresetthenodealiasconfiguration.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoresetthenodealiasconfigurationonge.1.3:
    C2(su)->clear nodealias config ge.1.3

    SecureStack C2 Configuration Guide

    14-37

    clear nodealias config

    14-38

    Logging and Network Management

    15
    RMON Configuration
    ThischapterdescribesthecommandsusedtoconfigureRMONonaSecureStackC2switch.
    For information about... RMON Monitoring Group Functions Design Considerations Statistics Group Commands History Group Commands Alarm Group Commands Event Group Commands Filter Group Commands Packet Capture Commands Refer to page... 15-1 15-2 15-3 15-6 15-9 15-13 15-17 15-22

    RMON Monitoring Group Functions


    RMON(RemoteNetworkMonitoring)providescomprehensivenetworkfaultdiagnosis, planning,andperformancetuninginformationandallowsforinteroperabilitybetweenSNMP managementstationsandmonitoringagents.RMONextendstheSNMPMIBcapabilityby definingadditionalMIBsthatgenerateamuchrichersetofdataaboutnetworkusage.TheseMIB groupseachgatherspecificsetsofdatatomeetcommonnetworkmonitoringrequirements. Table 151liststheRMONmonitoringgroupssupportedonSecureStackC2devices,eachgroups functionandtheelementsitmonitors,andtheassociatedconfigurationcommandsneeded. Table 15-1
    RMON Group Statistics

    RMON Monitoring Group Functions and Commands


    What It Does... Records statistics measured by the RMON probe for each monitored interface on the device. What It Monitors... Packets dropped, packets sent, bytes sent (octets), broadcast and multicast packets, CRC errors, oversized and undersized packets, fragments, jabbers, and counters for packets. CLI Command(s) show rmon stats on page 15-4 set rmon stats on page 15-4 clear rmon stats on page 15-5

    SecureStack C2 Configuration Guide

    15-1

    Design Considerations

    Table 15-1
    RMON Group History

    RMON Monitoring Group Functions and Commands (Continued)


    What It Does... Records periodic statistical samples from a network. What It Monitors... Sample period, number of samples and item(s) sampled. CLI Command(s) show rmon history on page 15-6 set rmon history on page 15-7 clear rmon history on page 15-7

    Alarm

    Periodically gathers statistical samples from variables in the probe and compares them with previously configured thresholds. If the monitored variable crosses a threshold, an event is generated. Controls the generation and notification of events from the device.

    Alarm type, interval, starting threshold, stop threshold.

    show rmon alarm on page 15-9 set rmon alarm properties on page 15-10 set rmon alarm status on page 15-11 clear rmon alarm on page 15-12

    Event

    Event type, description, last time event was sent.

    show rmon event on page 15-13 set rmon event properties on page 15-14 set rmon event status on page 15-15 clear rmon event on page 15-15

    Filter

    Allows packets to be matched by a filter equation. These matched packets form a data stream or channel that may be captured.

    Packets matching the filter configuration.

    show rmon channel on page 15-17 set rmon channel on page 15-18 clear rmon channel on page 15-19 show rmon filter on page 15-19 set rmon filter on page 15-20 clear rmon filter on page 15-21

    Packet Capture

    Allows packets to be captured upon a filter match.

    Packets matching the filter configuration.

    show rmon capture on page 15-22 set rmon capture on page 15-23 clear rmon capture on page 15-24

    Design Considerations
    TheC2supportsRMONPacketCapture/FilterSamplingthroughboththeCLIandMIBs,butwith thefollowingconstraints:

    15-2

    RMON Configuration

    Statistics Group Commands

    RMONPacketCapture/FilterSamplingandPortMirroringcannotbeenabledonthesame interfaceconcurrently. Youcancaptureatotalof100packetsonaninterface,nomoreandnoless. Thecapturedframeswillbeasclosetosequentialasthehardwarewillallow. Onlyoneinterfacecanbeconfiguredforcapturingatatime. Once100frameshavebeencapturedbythehardware,theapplicationwillstopwithout manualintervention.

    AsdescribedintheMIB,thefilterisonlyappliedaftertheframeiscaptured,thusonlya subsetoftheframescapturedwillbeavailablefordisplay. ThereisonlyoneBufferControlEntrysupported. Duetothelimitationsofthehardware,theBufferControlEntrytablewillhavelimitsonafew ofitselements: MaxOctetsRequestedcanonlybesettothevalue1whichindicatestheapplicationwill captureasmanypacketsaspossiblegivenitsrestrictions. CaptureSliceSizecanonlybesetto1518. TheFullActionelementcanonlybesettolocksincethedevicedoesnotsupport wrappingthecapturebuffer.

    Duetohardwarelimitations,theonlyframeerrorcountedisoversizedframes. TheapplicationdoesnotsupportEvents.Therefore,thefollowingelementsoftheChannel EntryTablearenotsupported:TurnOnEventIndex,TurnOffEventIndex,EventIndex,and EventStatus. ThereisonlyoneChannelEntryavailableatatime. ThereareonlythreeFilterEntriesavailable,andausercanassociateallthreeFilterEntries withtheChannelEntry.

    Configuredchannel,filter,andbufferinformationwillbesavedacrossresets,butnotframes withinthecapturebuffer.

    Statistics Group Commands


    Purpose
    Todisplay,configure,andclearRMONstatistics.

    Note: Due to hardware limitations, the only frame error counted is oversized frames.

    Commands
    For information about... show rmon stats set rmon stats clear rmon stats Refer to page... 15-4 15-4 15-5

    SecureStack C2 Configuration Guide

    15-3

    show rmon stats

    show rmon stats


    UsethiscommandtodisplayRMONstatisticsmeasuredforoneormoreports.

    Syntax
    show rmon stats [port-string]

    Parameters
    portstring (Optional)DisplaysRMONstatisticsforspecificport(s).

    Defaults
    Ifportstringisnotspecified,RMONstatswillbedisplayedforallports.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayRMONstatisticsforGigabitEthernetport1inswitch1.
    :

    C2(su)->show rmon stats ge.1.1 Port: ge.1.1 ------------------------------------Index = 1 Owner = monitor Data Source = ifIndex.1 Drop Events Collisions Jabbers Broadcast Pkts Multicast Pkts CRC Errors Undersize Pkts Oversize Pkts Fragments = = = = = = = = = 0 0 0 0 0 0 0 0 0 Packets Octets 0 64 65 - 127 128 - 255 256 - 511 512 - 1023 1024 - 1518 = = = = = = = = 0 0 0 0 0 0 0 0

    Octets Octets Octets Octets Octets Octets

    Table 152providesanexplanationofthecommandoutput.

    set rmon stats


    UsethiscommandtoconfigureanRMONstatisticsentry.

    Syntax
    set rmon stats index port-string [owner]

    Parameters
    index portstring owner Specifiesanindexforthisstatisticsentry. Specifiesport(s)towhichthisentrywillbeassigned. (Optional)Assignsanownerforthisentry.

    15-4

    RMON Configuration

    clear rmon stats

    Defaults
    Ifownerisnotspecified,monitorwillbeapplied.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoconfigureRMONstatisticsentry2forge.1.20:
    C2(rw)->set rmon stats 2 ge.1.20

    clear rmon stats


    UsethiscommandtodeleteoneormoreRMONstatisticsentries.

    Syntax
    clear rmon stats {index-list | to-defaults}

    Parameters
    indexlist todefaults Specifiesoneormorestatsentriestobedeleted,causingthemtodisappear fromanyfutureRMONqueries. Resetsallhistoryentriestodefaultvalues.Thiswillcauseentriesto reappearinRMONqueries.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtodeleteRMONstatisticsentry2:
    C2(rw)->clear rmon stats 2

    SecureStack C2 Configuration Guide

    15-5

    History Group Commands

    History Group Commands


    Purpose
    Todisplay,configure,andclearRMONhistorypropertiesandstatistics.

    Commands
    For information about... show rmon history set rmon history clear rmon history Refer to page... 15-6 15-7 15-7

    show rmon history


    UsethiscommandtodisplayRMONhistorypropertiesandstatistics.TheRMONhistorygroup recordsperiodicstatisticalsamplesfromanetwork.

    Syntax
    show rmon history [port-string]

    Parameters
    portstring (Optional)DisplaysRMONhistoryentriesforspecificport(s).

    Defaults
    Ifportstringisnotspecified,informationaboutallRMONhistoryentrieswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayRMONhistoryentriesforGigabitEthernetport1inswitch1. Acontrolentrydisplaysfirst,followedbyactualentriescorrespondingtothecontrolentry.Inthis case,thedefaultsettingsforentryowner,samplinginterval,andmaximumnumberofentries. (buckets)havenotbeenchangedfromtheirdefaultvalues.Foradescriptionofthetypesof statisticsshown,refertoTable 152.
    :

    C2(su)->show rmon history ge.1.1 Port: ge.1.1 ------------------------------------Index 1 Owner = monitor Status = valid Data Source = ifIndex.1 Interval = 30 Buckets Requested = 50 Buckets Granted = 10

    15-6

    RMON Configuration

    set rmon history

    Sample 2779 Drop Events Octets Packets Broadcast Pkts Multicast Pkts CRC Align Errors

    = = = = = =

    Interval Start: 1 days 0 hours 2 minutes 22 seconds 0 Undersize Pkts = 0 0 Oversize Pkts = 0 0 Fragments = 0 0 Jabbers = 0 0 Collisions = 0 0 Utilization(%) = 0

    set rmon history


    UsethiscommandtoconfigureanRMONhistoryentry.

    Syntax
    set rmon history index [port-string] [buckets buckets] [interval interval] [owner owner]

    Parameters
    indexlist portstring bucketsbuckets intervalinterval ownerowner Specifiesanindexnumberforthisentry. (Optional)Assignsthisentrytoaspecificport. (Optional)Specifiesthemaximumnumberofentriestomaintain. (Optional)Specifiesthesamplingintervalinseconds. (Optional)Specifiesanownerforthisentry.

    Defaults
    Ifbucketsisnotspecified,themaximumnumberofentriesmaintainedwillbe50. Ifnotspecified,intervalwillbesetto30seconds. Ifownerisnotspecified,monitorwillbeapplied.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowconfigureRMONhistoryentry1onportge.2.1tosampleevery20 seconds:
    C2(rw)->set rmon history 1 ge.2.1 interval 20

    clear rmon history


    UsethiscommandtodeleteoneormoreRMONhistoryentriesorresetoneormoreentriesto defaultvalues.Forspecificvalues,refertosetrmonhistoryonpage 157.

    Syntax
    clear rmon history {index-list | to-defaults}

    SecureStack C2 Configuration Guide

    15-7

    clear rmon history

    Parameters
    indexlist todefaults Specifiesoneormorehistoryentriestobedeleted,causingthemto disappearfromanyfutureRMONqueries. Resetsallhistoryentriestodefaultvalues.Thiswillcauseentriesto reappearinRMONqueries.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtodeleteRMONhistoryentry1:
    C2(rw)->clear rmon history 1

    15-8

    RMON Configuration

    Alarm Group Commands

    Alarm Group Commands


    Purpose
    Todisplay,configure,andclearRMONalarmentriesandproperties.

    Commands
    For information about... show rmon alarm set rmon alarm properties set rmon alarm status clear rmon alarm Refer to page... 15-9 15-10 15-11 15-12

    show rmon alarm


    UsethiscommandtodisplayRMONalarmentries.TheRMONalarmgroupperiodicallytakes statisticalsamplesfromRMONvariablesandcomparesthemwithpreviouslyconfigured thresholds.IfthemonitoredvariablecrossesathresholdanRMONeventisgenerated.

    Syntax
    show rmon alarm [index]

    Parameters
    index (Optional)DisplaysRMONalarmentriesforaspecificentryindexID.

    Defaults
    Ifindexisnotspecified,informationaboutallRMONalarmentrieswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayRMONalarmentry3:
    C2(rw)->show rmon alarm 3 Index 3 --------------------Owner = Status = Variable = Sample Type = Interval = Rising Threshold = Rising Event Index =

    Manager valid 1.3.6.1.4.1.5624.1.2.29.1.2.1.0 delta Startup Alarm 30 Value 1 Falling Threshold 2 Falling Event Index

    = = = =

    rising 0 0 0

    Table 152providesanexplanationofthecommandoutput.
    SecureStack C2 Configuration Guide 15-9

    set rmon alarm properties

    Table 15-2
    Output Field Index Owner Status Variable Sample Type

    show rmon alarm Output Details


    What It Displays... Index number for this alarm entry. Text string identifying who configured this entry. Whether this event entry is enabled (valid) or disabled. MIB object to be monitored. Whether the monitoring method is an absolute or a delta sampling. Whether alarm generated when this entry is first enabled is rising, falling, or either. Interval in seconds at which RMON will conduct sample monitoring. Minimum threshold for causing a rising alarm. Maximum threshold for causing a falling alarm. Index number of the RMON event to be triggered when the rising threshold is crossed. Index number of the RMON event to be triggered when the falling threshold is crossed.

    Startup Alarm Interval Rising Threshold Falling Threshold Rising Event Index Falling Event Index

    set rmon alarm properties


    UsethiscommandtoconfigureanRMONalarmentry,ortocreateanewalarmentrywithan unusedalarmindexnumber.

    Syntax
    set rmon alarm properties index [interval interval] [object object] [type {absolute | delta}] [startup {rising | falling | either}] [rthresh rthresh] [fthresh fthresh] [revent revent] [fevent fevent] [owner owner]

    Parameters
    index intervalinterval objectobject Specifiesanindexnumberforthisentry.Maximumnumberorentriesis 50.Maximumvalueis65535. (Optional)Specifiesaninterval(inseconds)forRMONtoconductsample monitoring. (Optional)SpecifiesaMIBobjecttobemonitored.
    Note: This parameter is not mandatory for executing the command, but must be specified in order to enable the alarm entry configuration.

    typeabsolute| delta

    (Optional)Specifiesthemonitoringmethodas:samplingtheabsolute valueoftheobject,orthedifference(delta)betweenobjectsamples.

    15-10

    RMON Configuration

    set rmon alarm status

    startuprising| falling|either

    (Optional)Specifiesthetypeofalarmgeneratedwhenthiseventisfirst enabledas: RisingSendsalarmwhenanRMONeventreachesamaximum thresholdconditionisreached,forexample,morethan30collisions persecond. FallingSendsalarmwhenRMONeventfallsbelowaminimum thresholdcondition,forexamplewhenthenetworkisbehaving normallyagain. EitherSendsalarmwheneitherarisingorfallingthresholdis reached.

    rthreshrthresh fthreshfthresh reventrevent feventfevent ownerowner

    (Optional)Specifiesaminimumthresholdforcausingarisingalarm. Specifiesamaximumthresholdforcausingafallingalarm. SpecifiestheindexnumberoftheRMONeventtobetriggeredwhenthe risingthresholdiscrossed. SpecifiestheindexnumberoftheRMONeventtobetriggeredwhenthe fallingthresholdiscrossed. (Optional)Specifiesthenameoftheentitythatconfiguredthisalarm entry.

    Defaults
    interval3600seconds typeabsolute startuprising rthresh0 fthresh0 revent0 fevent0 ownermonitor

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoconfigurearisingRMONalarm.Thisentrywillconductmonitoring ofthedeltabetweensamplesevery30seconds:
    C2(rw)->set rmon alarm properties 3 interval 30 object 1.3.6.1.4.1.5624.1.2.29.1.2.1.0 type delta rthresh 1 revent 2 owner Manager

    set rmon alarm status


    UsethiscommandtoenableanRMONalarmentry.Analarmisanotificationthatastatistical sampleofamonitoredvariablehascrossedaconfiguredthreshold.

    Syntax
    set rmon alarm status index enable
    SecureStack C2 Configuration Guide 15-11

    clear rmon alarm

    Parameters
    index enable Specifiesanindexnumberforthisentry.Maximumnumberorentriesis 50.Maximumvalueis65535. Enablesthisalarmentry.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    AnRMONalarmentrycanbecreatedusingthiscommand,configuredusingthesetrmonalarm propertiescommand(setrmonalarmpropertiesonpage 1510),thenenabledusingthis command.AnRMONalarmentrycanbecreatedandconfiguredatthesametimebyspecifying anunusedindexwiththesetrmonalarmpropertiescommand.

    Example
    ThisexampleshowshowtoenableRMONalarmentry3:
    C2(rw)->set rmon alarm status 3 enable

    clear rmon alarm


    UsethiscommandtodeleteanRMONalarmentry.

    Syntax
    clear rmon alarm index

    Parameters
    index Specifiestheindexnumberofentrytobecleared.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoclearRMONalarmentry1:
    C2(rw)->clear rmon alarm 1

    15-12

    RMON Configuration

    Event Group Commands

    Event Group Commands


    Purpose
    TodisplayandclearRMONevents,andtoconfigureRMONeventproperties.

    Commands
    For information about... show rmon event set rmon event properties set rmon event status clear rmon event Refer to page... 15-13 15-14 15-15 15-15

    show rmon event


    UsethiscommandtodisplayRMONevententryproperties.

    Syntax
    show rmon event [index]

    Parameters
    index (Optional)DisplaysRMONpropertiesandlogentriesforaspecificentry indexID.

    Defaults
    Ifindexisnotspecified,informationaboutallRMONentrieswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayRMONevententry3:
    C2(rw)->show rmon event 3 Index 3 ---------------Owner = Status = Description = Type = Community = Last Time Sent =

    Manager valid STP Topology change log-and-trap public 0 days 0 hours 0 minutes 37 seconds

    Table 153providesanexplanationofthecommandoutput.

    SecureStack C2 Configuration Guide

    15-13

    set rmon event properties

    Table 15-3
    Output Field Index Owner Status Description Type Community

    show rmon event Output Details


    What It Displays... Index number for this event entry. Text string identifying who configured this entry. Whether this event entry is enabled (valid) or disabled. Text string description of this event. Whether the event notification will be a log entry, and SNMP trap, both, or none. SNMP community name if message type is set to trap. When an event notification matching this entry was sent.

    Last Time Sent

    set rmon event properties


    UsethiscommandtoconfigureanRMONevententry,ortocreateanewevententrywithan unusedeventindexnumber.

    Syntax
    set rmon event properties index [description description] [type {none | log | trap | both}] [community community] [owner owner]

    Parameters
    index description description typenone|log| trap|both community community Specifiesanindexnumberforthisentry.Maximumnumberofentriesis 100.Maximumvalueis65535. (Optional)Specifiesatextstringdescriptionofthisevent. (Optional)SpecifiesthetypeofRMONeventnotificationas:none,alog tableentry,anSNMPtrap,orbothalogentryandatrapmessage. (Optional)SpecifiesanSNMPcommunitynametouseifthemessage typeissettotrap.FordetailsonsettingSNMPtrapsandcommunity names,refertoCreatingaBasicSNMPTrapConfigurationon page 837. (Optional)Specifiesthenameoftheentitythatconfiguredthisentry.

    ownerowner

    Defaults
    Ifdescriptionisnotspecified,nonewillbeapplied. Ifnotspecified,typenonewillbeapplied. Ifownerisnotspecified,monitorwillbeapplied.

    Mode
    Switchcommand,readwrite.

    15-14

    RMON Configuration

    set rmon event status

    Example
    ThisexampleshowshowtocreateandenableanRMONevententrycalledSTPtopology changethatwillsendbothalogentryandanSNMPtrapmessagetothepubliccommunity:
    C2(rw)->set rmon event properties 2 description "STP topology change" type both community public owner Manager

    set rmon event status


    UsethiscommandtoenableanRMONevententry.Anevententrydescribestheparametersofan RMONeventthatcanbetriggered.EventscanbefiredbyRMONalarmsandcanbeconfiguredto createalogentry,generateatrap,orboth.

    Syntax
    set rmon event status index enable

    Parameters
    index enable Specifiesanindexnumberforthisentry.Maximumnumberofentriesis 100.Maximumvalueis65535. Enablesthisevententry.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    AnRMONevententrycanbecreatedusingthiscommand,configuredusingthesetrmonevent propertiescommand(setrmoneventpropertiesonpage 1514),thenenabledusingthis command.AnRMONevententrycanbecreatedandconfiguredatthesametimebyspecifyingan unusedindexwiththesetrmoneventpropertiescommand.

    Example
    ThisexampleshowshowtoenableRMONevententry1:
    C2(rw)->set rmon event status 1 enable

    clear rmon event


    UsethiscommandtodeleteanRMONevententryandanyassociatedlogentries.

    Syntax
    clear rmon event index

    Parameters
    index Specifiestheindexnumberoftheentrytobecleared.

    SecureStack C2 Configuration Guide

    15-15

    clear rmon event

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoclearRMONevent1:
    C2(rw)->clear rmon event 1

    15-16

    RMON Configuration

    Filter Group Commands

    Filter Group Commands


    Thepacketcaptureandfilterfunctionisdisabledbydefault.Onlyoneinterfacecanbeconfigured forcapturingandfilteringatatime. Whenpacketcaptureisenabledonaninterface,theSecureStackC2switchwillcapture100frames asclosetosequentiallyaspossible.These100frameswillbeplacedintoabufferforinspection.If thereisdatainthebufferwhenthefunctionisstarted,thebufferwillbeoverwritten.Once100 frameshavebeencaptured,thecapturewillstop.Filteringwillbeperformedontheframes capturedinthebuffer.Therefore,onlyasubsetoftheframescapturedwillbeavailablefordisplay.

    Note: Packet capture is sampling only and does not guarantee receipt of back to back packets.

    Onechannelatatimecanbesupported,withuptothreefilters.Configuredchannel,filter,and buffercontrolinformationwillbesavedacrossresets,butcapturedframeswithinthebufferwill notbesaved. Thisfunctioncannotbeusedconcurrentlywithportmirroring.Thesystemwillchecktoprevent concurrentlyenablingbothfunctions,andawarningwillbegeneratedintheCLIifattempted.

    Commands
    For information about... show rmon channel set rmon channel clear rmon channel show rmon filter set rmon filter clear rmon filter Refer to page... 15-17 15-18 15-19 15-19 15-20 15-21

    show rmon channel


    UsethiscommandtodisplayRMONchannelentriesforoneormoreports.

    Syntax
    show rmon channel [port-string]

    Parameters
    portstring (Optional)DisplaysRMONchannelentriesforaspecificport(s).

    Defaults
    Ifportstringisnotspecified,informationaboutallchannelswillbedisplayed.

    Mode
    Switchcommand,readonly.

    SecureStack C2 Configuration Guide

    15-17

    set rmon channel

    Example
    ThisexampleshowshowtodisplayRMONchannelinformationforge.2.12:
    C2(rw)->show rmon channel ge.2.12 Port ge.2.12 Channel index= 628 EntryStatus= valid ---------------------------------------------------------Control off AcceptType matched OnEventIndex 0 OffEventIndex 0 EventIndex 0 Status ready Matches 4498 Description Thu Dec 16 12:57:32 EST 2004 Owner NetSight smith

    set rmon channel


    UsethiscommandtoconfigureanRMONchannelentry.

    Syntax
    set rmon channel index port-string [accept {matched | failed}] [control {on | off}] [description description] [owner owner]

    Parameters
    index Specifiesanindexnumberforthisentry.Anentrywillautomaticallybe createdifanunusedindexnumberischosen.Maximumnumberof entriesis2.Maximumvalueis65535. Specifiestheportonwhichtrafficwillbemonitored. (Optional)Specifiestheactionofthefiltersonthischannelas: controlon|off description description ownerowner matchedPacketswillbeacceptedonfiltermatches failedPacketswillbeacceptediftheyfailamatch

    portstring acceptmatched| failed

    (Optional)Enablesordisablescontroloftheflowofdatathroughthe channel. (Optional)Specifiesadescriptionforthischannel. (Optional)Specifiesthenameoftheentitythatconfiguredthisentry.

    Defaults
    Ifanactionisnotspecified,packetswillbeacceptedonfiltermatches. Ifnotspecified,controlwillbesettooff. Ifadescriptionisnotspecified,nonewillbeapplied. Ifownerisnotspecified,itwillbesettomonitor.

    Mode
    Switchcommand,readwrite.

    15-18

    RMON Configuration

    clear rmon channel

    Example
    ThisexampleshowshowtocreateanRMONchannelentry:
    C2(rw)->set rmon channel 54313 ge.2.12 accept failed control on description "capture all"

    clear rmon channel


    UsethiscommandtoclearanRMONchannelentry.

    Syntax
    clear rmon channel index

    Parameters
    index Specifiesthechannelentrytobecleared.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoclearRMONchannelentry2:
    C2(rw)->clear rmon channel 2

    show rmon filter


    UsethiscommandtodisplayoneormoreRMONfilterentries.

    Syntax
    show rmon filter [index index | channel channel]

    Parameters
    indexindex| channelchannel (Optional)Displaysinformationaboutaspecificfilterentry,oraboutall filterswhichbelongtoaspecificchannel.

    Defaults
    Ifnooptionsarespecified,informationforallfilterentrieswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayallRMONfilterentriesandchannelinformation:

    SecureStack C2 Configuration Guide

    15-19

    set rmon filter

    C2(rw)->show rmon filter Index= 55508 Channel Index= 628 EntryStatus= valid ---------------------------------------------------------Data Offset 0 PktStatus 0 PktStatusMask 0 PktStatusNotMask 0 Owner ETS,NAC-D ----------------------------Data ff ff ff ff ff ff ----------------------------DataMask ff ff ff ff ff ff ----------------------------DataNotMask 00 00 00 00 00 00

    set rmon filter


    UsethiscommandtoconfigureanRMONfilterentry.

    Syntax
    set rmon filter index channel-index [offset offset] [status status] [smask smask] [snotmask snotmask] [data data] [dmask dmask] [dnotmask dnotmask] [owner owner]

    Parameters
    index Specifiesanindexnumberforthisentry.Anentrywillautomaticallybe createdifanunusedindexnumberischosen.Maximumnumberof entriesis10.Maximumvalueis65535. Specifiesthechanneltowhichthisfilterwillbeapplied. (Optional)Specifiesanoffsetfromthebeginningofthepackettolookfor matches. (Optional)Specifiespacketstatusbitsthataretobematched. (Optional)Specifiesthemaskappliedtostatustoindicatewhichbitsare significant. (Optional)Specifiestheinversionmaskthatindicateswhichbitsshould besetornotset (Optional)Specifiesthedatatobematched. (Optional)Specifiesthemaskappliedtodatatoindicatewhichbitsare significant. (Optional)Specifiestheinversionmaskthatindicateswhichbitsshould besetornotset. (Optional)Specifiesthenameoftheentitythatconfiguredthisentry.

    channelindex offsetoffset statusstatus smasksmask snotmasksnotmask datadata dmaskdmask dnotmaskdnotmask owner

    Defaults
    Ifownerisnotspecified,itwillbesettomonitor. Ifnootheroptionsarespecified,none(0)willbeapplied.

    15-20

    RMON Configuration

    clear rmon filter

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtocreateRMONfilter1andapplyittochannel9:
    C2(rw)->set rmon filter 1 9 offset 30 data 0a154305 dmask ffffffff

    clear rmon filter


    UsethiscommandtoclearanRMONfilterentry.

    Syntax
    clear rmon filter {index index | channel channel}

    Parameters
    indexindex| channelchannel Clearsaspecificfilterentry,orallentriesbelongingtoaspecificchannel.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoclearRMONfilterentry1:
    C2(rw)->clear rmon filter index 1

    SecureStack C2 Configuration Guide

    15-21

    Packet Capture Commands

    Packet Capture Commands


    Notethatpacketcapturefilterissamplingonlyanddoesnotguaranteereceiptofbacktoback packets.

    Purpose
    TodisplayRMONcaptureentries,configure,enable,ordisablecaptureentries,andclearcapture entries.

    Commands
    For information about... show rmon capture set rmon capture clear rmon capture Refer to page... 15-22 15-23 15-24

    show rmon capture


    UsethiscommandtodisplayRMONcaptureentriesandassociatedbuffercontrolentries.

    Syntax
    show rmon capture [index [nodata]]

    Parameters
    index nodata (Optional)Displaysthespecifiedbuffercontrolentryandallcaptured packetsassociatedwiththatentry. (Optional)Displaysonlythebuffercontrolentryspecifiedbyindex.

    Defaults
    Ifnooptionsarespecified,allbuffercontrolentriesandassociatedcapturedpacketswillbe displayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayRMONcaptureentriesandassociatedbufferentries:
    C2(rw)->show rmon capture Buf.control= 28062 Channel= 38283 EntryStatus= valid ---------------------------------------------------------FullStatus avail FullAction lock Captured packets 251 Capture slice 1518 Download size 100 Download offset 0 Max Octet Requested 50000 Max Octet Granted 50000 Start time 1 days 0 hours 51 minutes 15 seconds

    15-22

    RMON Configuration

    set rmon capture

    Owner

    monitor

    captureEntry= 1 Buff.control= 28062 -------------------------------------------Pkt ID 9 Pkt time 1 days 0 hours 51 minutes 15 seconds Pkt Length 93 Pkt status 0 Data: 00 00 5e 00 01 01 00 01 f4 00 7d ce 08 00 45 00 00 4b b4 b9 00 00 40 11 32 5c 0a 15 43 05 86 8d bf e5 00 a1 0e 2b 00 37 cf ca 30 2d 02 01 00 04 06 70 75 62 6c 69 63 a2 20 02 02 0c 92 02 01 00 02 01 00 30 14 30 12 06 0d 2b 06 01 02 01 10 07 01 01 0b 81 fd 1c 02 01 01 00 11 0b 00

    set rmon capture


    UsethiscommandtoconfigureanRMONcaptureentry.

    Syntax
    set rmon capture index {channel [action {lock}] [slice slice] [loadsize loadsize] [offset offset] [asksize asksize] [owner owner]}

    Parameters
    index channel actionlock Specifiesabuffercontrolentry. Specifiesthechanneltowhichthiscaptureentrywillbeapplied. (Optional)Specifiestheactionofthebufferwhenitisfullas: sliceslice loadsizeloadsize offsetoffset asksizeasksize lockPacketswillceasetobeaccepted

    (Optional)Specifiesthemaximumoctetsfromeachpackettobesavedin abuffer.Currently,theonlyvalueallowedis1518. (Optional)Specifiesthemaximumoctetsfromeachpackettobe downloadedfromthebuffer.Thedefaultis100. (Optional)Specifiesthefirstoctetfromeachpacketthatwillberetrieved. (Optional)Specifiestherequestedmaximumoctetstobesavedinthis buffer.Currently,theonlyvalueacceptedis1,whichrequestsasmany octetsaspossible. (Optional)Specifiesthenameoftheentitythatconfiguredthisentry.

    owner

    Defaults
    Ifnotspecified,actiondefaultstolock. Ifnotspecified,offsetdefaultsto0. Ifnotspecified,asksizedefaultsto1(whichwillrequestasmanyoctetsaspossible). Ifsliceisnotspecified,1518willbeapplied. Ifloadsizeisnotspecified,100willbeapplied. Ifownerisnotspecified,itwillbesettomonitor.

    SecureStack C2 Configuration Guide

    15-23

    clear rmon capture

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtocreateRMONcaptureentry1tolistenonchannel628:
    C2(rw)->set rmon capture 1 628

    clear rmon capture


    UsethiscommandtoclearsanRMONcaptureentry.

    Syntax
    clear rmon capture index

    Parameters
    index Specifiesthecaptureentrytobecleared.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoclearRMONcaptureentry1:
    C2(rw)->clear rmon capture 1

    15-24

    RMON Configuration

    16
    DHCP Server Configuration
    ThischapterdescribesthecommandstoconfiguretheIPv4DHCPserverfunctionalityona SecureStackC2switch.
    For information about... DHCP Overview Configuring General DHCP Server Parameters Configuring IP Address Pools Refer to page... 16-1 16-3 16-12

    DHCP Overview
    DynamicHostConfigurationProtocol(DHCP)forIPv4isanetworklayerprotocolthat implementsautomaticormanualassignmentofIPaddressesandotherconfigurationinformation toclientdevicesbyservers.ADHCPservermanagesauserconfiguredpoolofIPaddressesfrom whichitcanmakeassignmentsuponclientrequests.ArelayagentpassesDHCPmessages betweenclientsandserverswhichareondifferentphysicalsubnets.

    DHCP Relay Agent


    TheDHCP/BOOTPrelayagentfunctioncanbeconfiguredonalloftheSecureStackC2srouting interfaces.TherelayagentcanforwardaDHCPclientsrequesttoaDHCPserverlocatedona differentnetworkiftheaddressoftheserverisconfiguredasahelperaddressonthereceiving interface.TherelayagentinterfacemustbeaVLANwhichisconfiguredwithanIPaddress.Refer totheiphelperaddresscommand(iphelperaddressonpage 1914)formoreinformation.

    DHCP Server
    DHCPserverfunctionalityallowstheSecureStackC2switchtoprovidebasicIPconfiguration informationtoaclientonthenetworkwhorequestssuchinformationusingtheDHCPprotocol. DHCPprovidesthefollowingmechanismsforIPaddressallocationbyaDHCPserver: AutomaticDHCPserverassignsanIPaddresstoaclientforalimitedperiodoftime(or untiltheclientexplicitlyrelinquishestheaddress)fromadefinedpoolofIPaddresses configuredontheserver. ManualAclientsIPaddressisassignedbythenetworkadministrator,andDHCPisused simplytoconveytheassignedaddresstotheclient.Thisismanagedbymeansofstatic addresspoolsconfiguredontheserver.

    TheamountoftimethataparticularIPaddressisvalidforasystemiscalledalease.The SecureStackC2maintainsaleasedatabasewhichcontainsinformationabouteachassignedIP

    SecureStack C2 Configuration Guide

    16-1

    DHCP Overview

    address,theMACaddresstowhichitisassigned,theleaseexpiration,andwhethertheaddress assignmentisdynamic(automatic)orstatic(manual).TheDHCPleasedatabaseisstoredinflash memory. InadditiontoassigningIPaddresses,theDHCPservercanalsobeconfiguredtoassignthe followingtorequestingclients: Defaultrouter(s) DNSserver(s)anddomainname NetBIOSWINSserver(s)andnodename Bootfile DHCPoptionsasdefinedbyRFC2132
    Note: A total of 16 address pools, dynamic and/or static, and a maximum of 256 addresses for the entire switch, can be configured on the SecureStack C2.

    Configuring a DHCP Server


    ForDHCPtofunctiononSecureStackC2systems,thesystemhastoknowabouttheIPnetwork forwhichtheDHCPpoolistobecreated. OntheC2,therearetwowaystoconfigureaDHCPserver:oneistoassociatetheDHCPaddress poolwiththeswitchshostportIPaddress,andtheotheristoassociatetheDHCPaddresspool witharoutedinterface. SinceonaC2system,thehostportIPaddresscannotfallwithinaconfiguredroutedinterfaceon thesystem,atypicalC2systemconfiguredwithroutinginterfaceswillnothaveahostportIP address.Therefore,allDHCPpoolswouldbeassociatedwithroutedinterfaces. ThefollowingtasksprovidebasicDHCPserverfunctionalitywhentheDHCPpoolisassociated withthesystemshostIPaddress.ThisprocedurewouldtypicallybeusedwhentheC2systemis NOTconfiguredforrouting. 1. Configurethesystem(stack)hostportIPaddresswiththesetipaddresscommand.Oncethe systemsIPaddressisconfigured,thesystemthenknowsabouttheconfiguredsubnet.For example:
    set ip address 192.0.0.50 mask 255.255.255.0

    2. 3.

    EnableDHCPserverfunctionalityonthesystemwiththesetdhcpenablecommand. ConfigureanIPaddresspoolfordynamicIPaddressassignment.Theonlyrequiredstepsare tonamethepoolanddefinethenetworknumberandmaskforthepool.Notethatthepool hastobeinthesamesubnetandusethesamemaskasthesystemhostportIPaddress.For example:


    set dhcp pool auto-pool network 192.0.0.0 255.255.255.0

    AllDHCPclientsservedbythisswitchmustbeinthesameVLANasthesystemshostport. ThefollowingtasksprovidebasicDHCPserverfunctionalitywhentheDHCPpoolisassociated witharoutedinterface. 1. CreateaVLANandaddportstotheVLAN.OnlyDHCPclientsassociatedwiththisVLAN willbeservedIPaddressesfromtheDHCPaddresspoolassociatedwiththisroutedinterface (VLAN).Inthisexample,VLAN6iscreatedandportsge.1.1throughge.1.10areaddedto VLAN6:


    set vlan create 6

    16-2

    DHCP Server Configuration

    Configuring General DHCP Server Parameters

    set port vlan ge.1.1-10 6

    2.

    CreatearoutedinterfacefortheVLANinrouterconfigurationmode.Inthefollowing example,anIPaddressisassociatedwithroutedinterfaceVLAN6: Inrouterconfigurationmode:


    interface vlan 6 no shutdown ip address 6.6.1.1 255.255.0.0

    3. 4.

    EnableDHCPserverfunctionalityonthesystemwiththesetdhcpenablecommand. CreatetheDHCPaddresspool.Theonlyrequiredstepsaretonamethepoolanddefinethe networknumberandmaskforthepool.Notethatthepoolhastobeinthesamesubnetasthe routedinterfaceandusethesamemaskconfiguredontheroutedinterface.Forexample:


    set dhcp pool auto-pool network 6.6.0.0 255.255.0.0

    DHCPclientsinVLAN6willbeservedIPaddressesfromthisDHCPaddresspool. OptionalDHCPservertasksinclude: Youcanlimitthescopeofaddressesassignedtoapoolfordynamicaddressassignmentwith thesetdhcpexcludecommand.Upto128nonoverlappingaddressrangescanbeexcluded ontheSecureStackC2.Forexample:


    set dhcp exclude 192.0.0.1 192.0.0.10 Note: The IP address of the systems host port or the routed interface is automatically excluded.

    Configurestaticaddresspoolsformanualaddressassignment.Theonlyrequiredstepsareto namethepool,configureeitherthehardwareaddressoftheclientortheclientidentifier,and configuretheIPaddressandmaskforthemanualbinding.Forexample:


    set dhcp pool static-pool hardware-address 0011.2233.4455 set dhcp pool static-pool host 192.0.0.200 255.255.255.0

    SetotherDHCPserverparameterssuchasthenumberofpingpacketstobesentbefore assigninganIPaddress,orenablingconflictlogging.

    Configuring General DHCP Server Parameters


    Purpose
    ToconfigureDHCPserverparameters,andtodisplayandclearaddressbindinginformation, serverstatistics,andconflictinformation.

    Commands
    For information about... set dhcp set dhcp bootp set dhcp conflict logging show dhcp conflict Refer to page... 16-4 16-4 16-5 16-5

    SecureStack C2 Configuration Guide

    16-3

    set dhcp

    For information about... clear dhcp conflict set dhcp exclude clear dhcp exclude set dhcp ping clear dhcp ping show dhcp binding clear dhcp binding show dhcp server statistics clear dhcp server statistics

    Refer to page... 16-6 16-7 16-7 16-8 16-8 16-9 16-9 16-10 16-10

    set dhcp
    UsethiscommandtoenableordisabletheDHCPserverfunctionalityontheSecureStackC2.

    Syntax
    set dhcp {enable | disable}

    Parameters
    enable|disable EnablesordisablesDHCPserverfunctionality.Bydefault,DHCPserveris disabled.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleenablesDHCPserverfunctionality.
    C2(rw)->set dhcp enable

    set dhcp bootp


    UsethiscommandtoenableordisableautomaticaddressallocationforBOOTPclients.By default,addressallocationforBOOTPclientsisdisabled.RefertoRFC1534,Interoperation BetweenDHCPandBOOTP,formoreinformation.

    Syntax
    set dhcp bootp {enable | disable}

    Parameters
    enable|disable EnablesordisablesaddressallocationforBOOTPclients.

    16-4

    DHCP Server Configuration

    set dhcp conflict logging

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleenablesaddressallocationforBOOTPclients.
    C2(rw)->set dhcp bootp enable

    set dhcp conflict logging


    Usethiscommandtoenableconflictlogging.Bydefault,conflictloggingisenabled.Usetheclear dhcpconflictloggingcommandtodisableconflictlogging.

    Syntax
    set dhcp conflict logging

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleenablesDHCPconflictlogging.
    C2(rw)->set dhcp conflict logging

    show dhcp conflict


    Usethiscommandtodisplayconflictinformation,foroneaddressoralladdresses.

    Syntax
    show dhcp conflict [address]

    Parameters
    address [Optional]Specifiestheaddressforwhichtodisplayconflictinformation.

    Defaults
    Ifnoaddressisspecified,conflictinformationforalladdressesisdisplayed.

    SecureStack C2 Configuration Guide

    16-5

    clear dhcp conflict

    Mode
    Readonly.

    Example
    Thisexampledisplaysconflictinformationforalladdresses.Notethatpingistheonlydetection methodused.
    C2(ro)->show dhcp conflict IP address ----------192.0.0.2 192.0.0.3 192.0.0.4 192.0.0.12 Detection Method ----------------Ping Ping Ping Ping Detection Time --------------0 days 19h:01m:23s 0 days 19h:00m:46s 0 days 19h:01m:25s 0 days 19h:01m:26s

    clear dhcp conflict


    Usethiscommandtoclearconflictinformationforoneoralladdresses,ortodisableconflict logging.

    Syntax
    clear dhcp conflict {logging | ip-address| *}

    Parameters
    logging ipaddress * Disablesconflictlogging. ClearstheconflictinformationforthespecifiedIPaddress. ClearstheconflictinformationforallIPaddresses.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Examples
    ThisexampledisablesDHCPconflictlogging.
    C2(rw)->clear dhcp conflict logging

    ThisexampleclearstheconflictinformationfortheIPaddress192.0.0.2.
    C2(rw)->clear dhcp conflict 192.0.0.2

    16-6

    DHCP Server Configuration

    set dhcp exclude

    set dhcp exclude


    UsethiscommandtoconfiguretheIPaddressesthattheDHCPservershouldnotassigntoDHCP clients.Multipleaddressrangescanbeconfiguredbuttherangescannotoverlap.Upto128non overlappingaddressrangescanbeexcluded.

    Syntax
    set dhcp exclude low-ipaddr [high-ipaddr]

    Parameters
    lowipaddr highipaddr SpecifiesthefirstIPaddressintheaddressrangetobeexcludedfrom assignment. (Optional)SpecifiesthelastIPaddressintheaddressrangetobe excluded.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexamplefirstconfigurestheaddresspoolnamedauto1with255addressesfortheClassC network172,20.28.0,withthesetdhcppoolnetworkcommand.Then,theexamplelimitsthe scopeoftheaddressesthatcanbeassignedbyaDHCPserverbyexcludingaddresses172.20.28.80 100,withthesetdhcpexcludecommand.
    C2(rw)->set dhcp pool auto1 network 172.20.28.0 24 C2(rw)->set dhcp exclude 172.20.28.80 172.20.28.100

    clear dhcp exclude


    UsethiscommandtocleartheconfiguredIPaddressesthattheDHCPservershouldnotassignto DHCPclients.

    Syntax
    clear dhcp exclude low-ipaddr [high-ipaddr]

    Parameters
    lowipaddr highipaddr SpecifiesthefirstIPaddressintheaddressrangetobecleared. (Optional)SpecifiesthelastIPaddressintheaddressrangetobecleared.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    16-7

    set dhcp ping

    Example
    ThisexampleclearsthepreviouslyexcludedrangeofIPaddressesbetween192.168.1.88through 192.168.1.100.
    C2(rw)->clear dhcp exclude 192.168.1.88 192.168.1.100

    set dhcp ping


    UsethiscommandtoconfigurethenumberofpingpacketstheDHCPserversendstoanIP addressbeforeassigningtheaddresstoarequestingclient.

    Syntax
    set dhcp ping packets number

    Parameters
    packetsnumber Specifiesthenumberofpingpacketstobesent.Thevalueofnumbercan be0,orrangefrom2to10.Entering0disablesthisfunction.Thedefault valueis2packets.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexamplesetsthenumberofpingpacketssentto3.
    C2(rw)->set dhcp ping packets 3

    clear dhcp ping


    UsethiscommandtoresetthenumberofpingpacketssentbytheDHCPserverbacktothe defaultvalueof2.

    Syntax
    clear dhcp ping packets

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    16-8

    DHCP Server Configuration

    show dhcp binding

    Example
    Thisexampleresetsthenumberofpingpacketssentbacktothedefaultvalue.
    C2(rw)->clear dhcp ping packets

    show dhcp binding


    UsethiscommandtodisplaybindinginformationforoneorallIPaddresses.

    Syntax
    show dhcp binding [ip-address]

    Parameters
    ipaddress (Optional)SpecifiestheIPaddressforwhichtodisplaybinding information.

    Defaults
    IfnoIPaddressisspecified,bindinginformationforalladdressesisdisplayed.

    Mode
    Readonly.

    Example
    Thisexampledisplaysbindinginformationaboutalladdresses.
    C2(rw)->show dhcp binding IP address Hardware Address --------------------------192.0.0.6 00:33:44:56:22:39 192.0.0.8 00:33:44:56:22:33 192.0.0.10 00:33:44:56:22:34 192.0.0.11 00:33:44:56:22:35 192.0.0.12 00:33:44:56:22:36 192.0.0.13 00:33:44:56:22:37 192.0.0.1400:33:44:56:22:38 Lease Expiration ----------------00:11:02 00:10:22 00:09:11 00:10:05 00:10:30 infinite infinite Type ----Automatic Automatic Automatic Automatic Automatic Manual Manual

    clear dhcp binding


    Usethiscommandtoclear(delete)oneorallDHCPaddressbindings.

    Syntax
    clear dhcp binding {ip-addr | *}

    Parameters
    ipaddr * SpecifiestheIPaddressforwhichtoclear/deletetheDHCPbinding. Deletesalladdressbindings.

    Defaults
    None.
    SecureStack C2 Configuration Guide 16-9

    show dhcp server statistics

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampledeletestheDHCPaddressbindingforIPaddress192.168.1.1.
    C2(rw)->clear dhcp binding 192.168.1.1

    show dhcp server statistics


    UsethiscommandtodisplayDHCPserverstatistics.

    Syntax
    show dhcp server statistics

    Parameters
    None.

    Defaults
    None.

    Mode
    Readonly.

    Example
    Thisexampledisplaysserverstatistics.
    C2(ro)->show dhcp server statistics Automatic Bindings Expired Bindings Malformed Bindings Messages ---------DHCP DISCOVER DHCP REQUEST DHCP DECLINE DHCP RELEASE DHCP INFORM Messages ---------DHCP OFFER DHCP ACK DHCP NACK 36 6 0 Received ---------382 3855 0 67 1 Sent -----381 727 2

    clear dhcp server statistics


    UsethiscommandtoclearallDHCPservercounters.

    Syntax
    clear dhcp server statistics

    16-10

    DHCP Server Configuration

    clear dhcp server statistics

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleclearsallDHCPservercounters.
    C2(rw)->clear dhcp server statistics

    SecureStack C2 Configuration Guide

    16-11

    Configuring IP Address Pools

    Configuring IP Address Pools


    Manual Pool Configuration Considerations
    ThesubnetoftheIPaddressbeingissuedshouldbeonthesamesubnetastheingress interface(thatis,thesubnetofthehostIPaddressoftheswitch,orifroutinginterfacesare configured,thesubnetoftheroutinginterface). Amanualpoolcanbeconfiguredusingeithertheclientshardwareaddress(setdhcppool hardwareaddress)ortheclientsclientidentifier(setdhcppoolclientidentifier),butusing bothisnotrecommended. IftheincomingDHCPrequestpacketcontainsaclientidentifier,thenamanualpool configuredwiththatclientidentifiermustexistontheswitchinorderfortherequesttobe processed.Thehardwareaddressisnotchecked. Ahardwareaddressandtype(EthernetorIEEE802)configuredinamanualpoolischecked onlywhenaclientidentifierisnotalsoconfiguredforthepoolandtheincomingDHCP requestpacketdoesnotincludeaclientidentifieroption.

    Purpose
    ToconfigureandclearDHCPaddresspoolparameters,andtodisplayaddresspoolconfiguration information.

    Note: A total of 16 address pools, dynamic and/or static, can be configured on the SecureStack C2.

    Commands
    For information about... set dhcp pool clear dhcp pool set dhcp pool network clear dhcp pool network set dhcp pool hardware-address clear dhcp pool hardware-address set dhcp pool host clear dhcp pool host set dhcp pool client-identifier clear dhcp pool client-identifier set dhcp pool client-name clear dhcp pool client-name set dhcp pool bootfile clear dhcp pool bootfile Refer to page... 16-13 16-14 16-14 16-15 16-15 16-16 16-16 16-17 16-17 16-18 16-19 16-19 16-20 16-20

    16-12

    DHCP Server Configuration

    set dhcp pool

    For information about... set dhcp pool next-server clear dhcp pool next-server set dhcp pool lease clear dhcp pool lease set dhcp pool default-router clear dhcp pool default-router set dhcp pool dns-server clear dhcp pool dns-server set dhcp pool domain-name clear dhcp pool domain-name set dhcp pool netbios-name-server clear dhcp pool netbios-name-server set dhcp pool netbios-node-type clear dhcp pool netbios-node-type set dhcp pool option clear dhcp pool option show dhcp pool configuration

    Refer to page... 16-21 16-21 16-22 16-22 16-23 16-23 16-24 16-24 16-25 16-25 16-26 16-26 16-27 16-27 16-28 16-29 16-29

    set dhcp pool


    UsethiscommandtocreateandassignanametoaDHCPserverpoolofaddresses.Upto16 addresspoolsmaybeconfiguredonaSecureStackC2.Notethatenteringthiscommandisnot requiredtocreateanaddresspoolbeforeconfiguringotheraddresspoolparameters.

    Syntax
    set dhcp pool poolname

    Parameters
    poolname Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexamplecreatesanaddresspoolnamedauto1.
    C2(rw)->set dhcp pool auto1

    SecureStack C2 Configuration Guide

    16-13

    clear dhcp pool

    clear dhcp pool


    UsethiscommandtodeleteaDHCPserverpoolofaddresses.

    Syntax
    clear dhcp pool poolname

    Parameters
    poolname Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampledeletestheaddresspoolnamedauto1.
    C2(rw)->clear dhcp pool auto1

    set dhcp pool network


    UsethiscommandtoconfigurethesubnetnumberandmaskforanautomaticDHCPaddress pool.

    Syntax
    set dhcp pool poolname network number {mask | prefix-length}

    Parameters
    poolname number mask prefixlength Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength. SpecifiesanIPsubnetfortheaddresspool. Specifiesthesubnetmaskindottedquadnotation. Specifiesthesubnetmaskasaninteger.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    UsethiscommandtoconfigureasetofIPaddressestobeassignedbytheDHCPserverusingthe specifiedaddresspool.Inordertolimitthescopeoftheaddressesconfiguredwiththiscommand, usethesetdhcpexcludecommandonpage167.
    16-14 DHCP Server Configuration

    clear dhcp pool network

    Examples
    ThisexampleconfigurestheIPsubnet172.20.28.0withaprefixlengthof24fortheautomatic DHCPpoolnamedauto1.Alternatively,themaskcouldhavebeenspecifiedas255.255.255.0.
    C2(rw)->set dhcp pool auto1 network 172.20.28.0 24

    Thisexamplelimitsthescopeof255addressescreatedfortheClassCnetwork172,20.28.0bythe previousexample,byexcludingaddresses172.20.28.80100.
    C2(rw)->set dhcp exclude 172.20.28.80 172.20.28.100

    clear dhcp pool network


    UsethiscommandtoremovethenetworknumberandmaskofaDHCPserverpoolofaddresses.

    Syntax
    clear dhcp pool poolname network

    Parameters
    poolname Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampledeletesthenetworkandmaskfromtheaddresspoolnamedauto1.
    C2(rw)->clear dhcp pool auto1 network

    set dhcp pool hardware-address


    UsethiscommandtoconfiguretheMACaddressoftheDHCPclientandcreateanaddresspool formanualbinding.Youcanuseeitherthiscommandorthesetdhcppoolclientidentifier commandtocreateamanualbindingpool,butusingbothisnotrecommended.

    Syntax
    set dhcp pool poolname hardware-address hw-addr [type]

    Parameters
    poolname hwaddr type Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength. SpecifiestheMACaddressoftheclientshardwareplatform.Thisvalue canbeenteredusingdottedhexadecimalnotationorcolons. (Optional)Specifiestheprotocolofthehardwareplatform.Validvalues are1forEthernetor6forIEEE802.Defaultvalueis1,Ethernet.

    SecureStack C2 Configuration Guide

    16-15

    clear dhcp pool hardware-address

    Defaults
    Ifnotypeisspecified,Ethernetisassumed.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexamplespecifies0001.f401.2710astheEthernetMACaddressforthemanualaddresspool namedmanual1.Alternatively,theMACaddresscouldhavebeenteredas00:01:f4:01:27:10.
    C2(rw)->set dhcp pool manual1 hardware-address 0001.f401.2710

    clear dhcp pool hardware-address


    UsethiscommandtoremovethehardwareaddressofaDHCPclientfromamanualbinding addresspool.

    Syntax
    clear dhcp pool poolname hardware-address

    Parameters
    poolname Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampledeletestheclienthardwareaddressfromtheaddresspoolnamedmanual1.
    C2(rw)->clear dhcp pool manual1 hardware-address

    set dhcp pool host


    UsethiscommandtoconfigureanIPaddressandnetworkmaskforamanualDHCPbinding.

    Syntax
    set dhcp pool poolname host ip-address [mask | prefix-length]

    Parameters
    poolname ipaddress Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength. SpecifiestheIPaddressformanualbinding.

    16-16

    DHCP Server Configuration

    clear dhcp pool host

    mask prefixlength

    (Optional)Specifiesthesubnetmaskindottedquadnotation. (Optional)Specifiesthesubnetmaskasaninteger.

    Defaults
    Ifamaskorprefixisnotspecified,theclassA,B,orCnaturalmaskwillbeused.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoconfiguretheminimumrequirementsforamanualbindingaddress pool.First,thehardwareaddressoftheclientshardwareplatformisconfigured,followedby configurationoftheaddresstobeassignedtothatclientmanually.
    C2(rw)->set dhcp pool manual1 hardware-address 0001.f401.2710 C2(rw)->set dhcp pool manual1 host 15.12.1.99 255.255.248.0

    clear dhcp pool host


    UsethiscommandtoremovethehostIPaddressfromamanualbindingaddresspool.

    Syntax
    clear dhcp pool poolname host

    Parameters
    poolname Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampledeletesthehostIPaddressfromtheaddresspoolnamedmanual1.
    C2(rw)->clear dhcp pool manual1 host

    set dhcp pool client-identifier


    UsethiscommandtoconfiguretheclientidentifieroftheDHCPclientandcreateanaddresspool formanualbinding.Youcanuseeitherthiscommandorthesetdhcppoolhardwareaddress commandtocreateamanualbindingpool,butusingbothisnotrecommended.

    Syntax
    set dhcp pool poolname client-identifier id

    SecureStack C2 Configuration Guide

    16-17

    clear dhcp pool client-identifier

    Parameters
    poolname id Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength. Specifiestheuniqueclientidentifierforthisclient.Thevaluemustbe enteredinxx:xx:xx:xx:xx:xxformat.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    TheclientidentifierisformedbyconcatenatingthemediatypeandtheMACaddress.For example,iftheclienthardwaretypeisEthernetandtheclientMACaddressis00:01:22:33:44:55, thentheclientidentifierconfiguredwiththiscommandmustbe01:00:01:22:33:44:55.

    Example
    Thisexampleshowshowtoconfiguretheminimumrequirementsforamanualbindingaddress pool,usingaclientidentifierratherthanthehardwareaddressoftheclientshardwareplatform.
    C2(rw)->set dhcp pool manual2 client-identifier 01:00:01:22:33:44:55 C2(rw)->set dhcp pool manual2 host 10.12.1.10 255.255.255.0

    clear dhcp pool client-identifier


    UsethiscommandtoremovetheuniqueidentifierofaDHCPclientfromamanualbinding addresspool.

    Syntax
    clear dhcp pool poolname client-identifier

    Parameters
    poolname Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampledeletestheclientidentifierfromtheaddresspoolnamedmanual1.
    C2(rw)->clear dhcp pool manual1 client-identifier

    16-18

    DHCP Server Configuration

    set dhcp pool client-name

    set dhcp pool client-name


    UsethiscommandtoassignanametoaDHCPclientwhencreatinganaddresspoolformanual binding.

    Syntax
    set dhcp pool poolname client-name name

    Parameters
    poolname name Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength. Specifiesthenametobeassignedtothisclient.Clientnamesmaybeupto 31charactersinlength.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleconfigurestheclientnameappsvr1tothemanualbindingpoolmanual2.
    C2(rw)->set dhcp pool manual2 client-identifier 01:22:33:44:55:66 C2(rw)->set dhcp pool manual2 host 10.12.1.10 255.255.255.0 C2(rw)->set dhcp pool manual2 client-name appsvr1

    clear dhcp pool client-name


    UsethiscommandtodeleteaDHCPclientnamefromanaddresspoolformanualbinding.

    Syntax
    clear dhcp pool poolname client-name

    Parameters
    poolname Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampledeletestheclientnamefromthemanualbindingpoolmanual2.
    C2(rw)->clear dhcp pool manual2 client-name

    SecureStack C2 Configuration Guide

    16-19

    set dhcp pool bootfile

    set dhcp pool bootfile


    UsethiscommandtospecifyadefaultbootimagefortheDHCPclientswhowillbeservedbythe addresspoolbeingconfigured.

    Syntax
    set dhcp pool poolname bootfile filename

    Parameters
    poolname filename Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength. Specifiesthebootimagefilename.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexamplesetsthebootimagefilenameforaddresspoolnamedauto1.
    C2(rw)->set dhcp pool auto1 bootfile image1.img

    clear dhcp pool bootfile


    Usethiscommandtoremoveadefaultbootimagefromtheaddresspoolbeingconfigured.

    Syntax
    clear dhcp pool poolname bootfile

    Parameters
    poolname Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleremovesthebootimagefilenamefromaddresspoolnamedauto1.
    C2(rw)->clear dhcp pool auto1 bootfile

    16-20

    DHCP Server Configuration

    set dhcp pool next-server

    set dhcp pool next-server


    Usethiscommandtospecifythefileserverfromwhichthedefaultbootimageistobeloadedby theclient.

    Syntax
    set dhcp pool poolname next-server ip-address

    Parameters
    poolname ipaddress Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength. SpecifiestheIPaddressofthefileservertheDHCPclientshouldcontact toloadthedefaultbootimage.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexamplespecifiesthefileserverfromwhichclientsbeingservedbyaddresspoolauto1 shoulddownloadthebootimagefileimage1.img.
    C2(rw)->set dhcp pool auto1 bootfile image1.img C2(rw)->set dhcp pool auto1 next-server 10.1.1.10

    clear dhcp pool next-server


    Usethiscommandtoremovethebootimagefileserverfromtheaddresspoolbeingconfigured.

    Syntax
    clear dhcp pool poolname next-server

    Parameters
    poolname Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleremovesthefileserverfromaddresspoolauto1.
    C2(rw)->clear dhcp pool auto1 next-server

    SecureStack C2 Configuration Guide

    16-21

    set dhcp pool lease

    set dhcp pool lease


    UsethiscommandtospecifythedurationoftheleaseforanIPaddressassignedbytheDHCP serverfromtheaddresspoolbeingconfigured.

    Syntax
    set dhcp pool poolname lease {days [hours [minutes]] | infinite}

    Parameters
    poolname days hours minutes Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength. Specifiesthenumberofdaysanaddressleasewillremainvalid.Valuecan rangefrom0to59. (Optional)Whenadaysvaluehasbeenassigned,specifiesthenumberof hoursanaddressleasewillremainvalid.Valuecanrangefrom0to1439. (Optional)Whenadaysvalueandanhoursvaluehavebeenassigned, specifiesthenumberofminuteanaddressleasewillremainvalid.Value canrangefrom0to86399. Specifiesthatthedurationoftheleasewillbeunlimited.

    infinite

    Defaults
    Ifnoleasetimeisspecified,aleasedurationof1dayisconfigured.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleconfiguresaleasedurationof12hoursfortheaddresspoolbeingconfigured.Note thattoconfigurealeasetimelessthanoneday,enter0fordays,thenthenumberofhoursand minutes.
    C2(rw)->set dhcp pool auto1 lease 0 12

    clear dhcp pool lease


    Usethiscommandtorestorethedefaultleasetimevalueofonedayfortheaddresspoolbeing configured.

    Syntax
    clear dhcp pool poolname lease

    Parameters
    poolname Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength.

    Defaults
    Clearstheleasetimeforthisaddresspooltothedefaultvalueofoneday.

    16-22

    DHCP Server Configuration

    set dhcp pool default-router

    Mode
    Switchcommand,readwrite.

    Example
    Thisexamplerestoresthedefaultleasedurationofonedayforaddresspoolauto1.
    C2(rw)->clear dhcp pool auto1 lease

    set dhcp pool default-router


    UsethiscommandtospecifyadefaultrouterlistfortheDHCPclientsservedbytheaddresspool beingconfigured.Upto8defaultrouterscanbeconfigured.

    Syntax
    set dhcp pool poolname default-router address [address2 ... address8]

    Parameters
    poolname address address2...address8 Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength. SpecifiestheIPaddressofadefaultrouter. (Optional)Specifies,inorderofpreference,upto7additionaldefault routeraddresses.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleassignsadefaultrouterat10.10.10.1totheaddresspoolnamedauto1.
    C2(rw)->set dhcp pool auto1 default-router 10.10.10.1

    clear dhcp pool default-router


    Usethiscommandtodeletethedefaultroutersconfiguredforthisaddresspool.

    Syntax
    clear dhcp pool poolname default-router

    Parameters
    poolname Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength.

    Defaults
    None.

    SecureStack C2 Configuration Guide

    16-23

    set dhcp pool dns-server

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleremovesthedefaultrouterfromtheaddresspoolauto1.
    C2(rw)->clear dhcp pool auto1 default-router

    set dhcp pool dns-server


    UsethiscommandtospecifyoneormoreDNSserversfortheDHCPclientsservedbytheaddress poolbeingconfigured.Upto8DNSserverscanbeconfigured.

    Syntax
    set dhcp pool poolname dns-server address [address2 ... address8]

    Parameters
    poolname address address2...address8 Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength. SpecifiestheIPaddressofaDNSserver. (Optional)Specifies,inorderofpreference,upto7additionalDNS serveraddresses.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleassignsaDNSserverat10.14.10.1totheaddresspoolauto1.
    C2(rw)->set dhcp pool auto1 dns-server 10.14.10.1

    clear dhcp pool dns-server


    UsethiscommandtoremovetheDNSserverlistfromtheaddresspoolbeingconfigured.

    Syntax
    clear dhcp pool poolname dns-server

    Parameters
    poolname Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength.

    Defaults
    None.

    16-24

    DHCP Server Configuration

    set dhcp pool domain-name

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleremovestheDNSserverlistfromtheaddresspoolauto1.
    C2(rw)->clear dhcp pool auto1 dns-server

    set dhcp pool domain-name


    UsethiscommandtospecifyadomainnametobeassignedtoDHCPclientsservedbytheaddress poolbeingconfigured.

    Syntax
    set dhcp pool poolname domain-name domain

    Parameters
    poolname domain Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength. Specifiesthedomainnamestring.Thedomainnamecanbeupto255 charactersinlength.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleassignsthemycompany.comdomainnametotheaddresspoolauto1.
    C2(rw)->set dhcp pool auto1 domain-name mycompany.com

    clear dhcp pool domain-name


    Usethiscommandtoremovethedomainnamefromtheaddresspoolbeingconfigured.

    Syntax
    clear dhcp pool poolname domain-name

    Parameters
    poolname Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength.

    Defaults
    None.

    SecureStack C2 Configuration Guide

    16-25

    set dhcp pool netbios-name-server

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleremovesthedomainnamefromtheaddresspoolauto1.
    C2(rw)->clear dhcp pool auto1 domain-name

    set dhcp pool netbios-name-server


    UsethiscommandtoassignoneormoreNetBIOSnameserversfortheDHCPclientsservedby theaddresspoolbeingconfigured.Upto8NetBIOSnameserverscanbeconfigured.

    Syntax
    set dhcp pool poolname netbios-name-server address [address2 ... address8]

    Parameters
    poolname address address2...address8 Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength. SpecifiestheIPaddressofaNetBIOSnameserver. (Optional)Specifies,inorderofpreference,upto7additionalNetBIOS nameserveraddresses.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleassignsaNetBIOSnameserverat10.15.10.1totheaddresspoolbeingconfigured.
    C2(rw)->set dhcp pool auto1 netbios-name-server 10.15.10.1

    clear dhcp pool netbios-name-server


    UsethiscommandtoremovetheNetBIOSnamerserverlistfromtheaddresspoolbeing configured.
    clear dhcp pool poolname netbios-name-server

    Parameters
    poolname Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength.

    Defaults
    None.

    16-26

    DHCP Server Configuration

    set dhcp pool netbios-node-type

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleremovestheNetBIOSnameserverlistfromtheaddresspoolauto1.
    C2(rw)->clear dhcp pool auto1 netbios-name-server

    set dhcp pool netbios-node-type


    UsethiscommandtospecifyaNetBIOSnode(server)typefortheDHCPclientsservedbythe addresspoolbeingconfigured.

    Syntax
    set dhcp pool poolname netbios-node-type {b-node | h-node | p-node | m-node}

    Parameters
    poolname bnode hnode pnode mnode Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength. SpecifiestheNetBIOsnodetypetobebroadcast(noWINS). SpecifiestheNetBIOsnodetypetobehybrid(WINS,thenbroadcast). SpecifiestheNetBIOsnodetypetobepeer(WINSonly). SpecifiestheNetBIOsnodetypetobemixed(broadcast,thenWINS).

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexamplespecifieshybridastheNetBIOSnodetypefortheaddresspoolauto1.
    C2(rw)->set dhcp pool auto1 netbios-node-type h-node

    clear dhcp pool netbios-node-type


    UsethiscommandtoremovetheNetBIOSnodetypefromtheaddresspoolbeingconfigured.

    Syntax
    clear dhcp pool poolname netbios-node-type

    Parameters
    poolname Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength.

    SecureStack C2 Configuration Guide

    16-27

    set dhcp pool option

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleremovestheNetBIOSnodetypefromtheaddresspoolauto1.
    C2(rw)->clear dhcp pool auto1 netbios-node-type

    set dhcp pool option


    UsethiscommandtoconfigureDHCPoptions,describedinRFC2132.

    Syntax
    set dhcp pool poolname option code {ascii string | hex string-list | ip addresslist}

    Parameters
    poolname code asciistring hexstringlist ipaddresslist Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength. SpecifiestheDHCPoptioncode,asdefinedinRFC2132.Valuecanrange from1to254. SpecifiesthedatainASCIIformat.AnASCIIcharacterstringcontaininga spacemustbeenclosedinquotations. SpecifiesthedatainHEXformat.Upto8HEXstringscanbeentered. SpecifiesthedatainIPaddressformat.Upto8IPaddressescanbeentered.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Examples
    ThisexampleconfiguresDHCPoption19,whichspecifieswhethertheclientshouldconfigureits IPlayerforpacketforwarding.Inthiscase,IPforwardingisenabledwiththe01value.
    C2(rw)->set dhcp pool auto1 option 19 hex 01

    ThisexampleconfiguresDHCPoption72,whichassignsoneormoreWebserversforDHCP clients.Inthiscase,twoWebserveraddressesareconfigured.
    C2(rw)->set dhcp pool auto1 option 72 ip 168.24.3.252 168.24.3.253

    16-28

    DHCP Server Configuration

    clear dhcp pool option

    clear dhcp pool option


    UsethiscommandtoremoveaDHCPoptionfromtheaddresspoolbeingconfigured.

    Syntax
    clear dhcp pool poolname option code

    Parameters
    poolname code Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength. SpecifiestheDHCPoptioncode,asdefinedinRFC2132.Valuecanrange from1to254.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleremovesoption19fromaddresspoolauto1.
    C2(rw)->clear dhcp pool auto1 option 19

    show dhcp pool configuration


    Usethiscommandtodisplayconfigurationinformationforoneoralladdresspools.

    Syntax
    show dhcp pool configuration {poolname | all}

    Parameters
    poolname Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31 charactersinlength.

    Defaults
    None.

    Mode
    Readonly.

    Example
    Thisexampledisplaysconfigurationinformationforalladdresspools.
    C2(rw)->show dhcp pool configuration all Pool: Atg_Pool Pool Type

    Dynamic

    SecureStack C2 Configuration Guide

    16-29

    show dhcp pool configuration

    Network Lease Time Default Routers Pool: static1 Pool Type Client Name Client Identifier Host Lease Time Option Pool: static2 Pool Type Hardware Address Hardware Address Type Host Lease Time

    192.0.0.0 255.255.255.0 1 days 0 hrs 0 mins 192.0.0.1

    Manual appsvr1 01:00:01:f4:01:27:10 10.1.1.1 255.0.0.0 infinite 19 hex 01

    Manual 00:01:f4:01:27:10 ieee802 192.168.10.1 255.255.255.0 infinite

    16-30

    DHCP Server Configuration

    17
    DHCP Snooping and Dynamic ARP Inspection
    Thischapterdescribestwosecurityfeatures: DHCPsnooping,whichmonitorsDHCPmessagesbetweenaDHCPclientandDHCPserver tofilterharmfulDHCPmessagesandtobuildadatabaseofauthorizedaddressbindings DynamicARPinspection,whichusesthebindingsdatabasecreatedbytheDHCPsnooping featuretorejectinvalidandmaliciousARPpackets
    Refer to page... 17-1 17-4 17-16 17-20

    For information about... DHCP Snooping Overview DHCP Snooping Commands Dynamic ARP Inspection Overview Dynamic ARP Inspection Commands

    DHCP Snooping Overview


    DHCPsnoopingmonitorsDHCPmessagesbetweenDHCPclientsandDHCPserverstofilter harmfulDHCPmessagesandtobuildabindingsdatabaseof{MACaddress,IPaddress,VLAN ID,port}tuplesthatareconsideredauthorized. DHCPsnoopingisdisabledgloballyandonallVLANsbydefault.Portsareuntrustedbydefault. DHCPsnoopingmustbeenabledgloballyandonspecificVLANs.PortswithintheVLANsmust beconfiguredastrustedoruntrusted.DHCPserversmustbereachedthroughtrustedports. DHCPsnoopingenforcesthefollowingsecurityrules: DHCPpacketsfromaDHCPserver(DHCPOFFER,DHCPACK,DHCPNAK)aredroppedif receivedonanuntrustedport. DHCPRELEASEandDHCPDECLINEmessagesaredroppediftheyareforaMACaddress inthesnoopingdatabasebutthebindingsinterfaceinthedatabaseisdifferentfromthe interfacewherethemessagewasreceived. Onuntrustedinterfaces,theswitchdropsDHCPpacketswhosesourceMACaddressdoesnot matchtheclienthardwareaddress.Thisfeatureisaconfigurableoption.

    DHCP Message Processing


    ThehardwareidentifiesallincomingDHCPpacketsonportswhereDHCPsnoopingisenabled. Onuntrustedports,thehardwaretrapsallincomingDHCPpacketstotheCPU.Ontrustedports,

    SecureStack C2 Configuration Guide

    17-1

    DHCP Snooping Overview

    thehardwareforwardsclientmessagesandcopiesservermessagestotheCPUsoDHCPsnooping canlearnthebinding. TheDHCPsnoopingapplicationprocessesincomingDHCPmessages.ForDHCPRELEASEand DHCPDECLINEmessages,theapplicationcomparesthereceiveinterfaceandVLANwiththe clientsinterfaceandVLANinthebindingsdatabase.Iftheinterfacesdonotmatch,the applicationlogstheeventanddropsthemessage.Forvalidclientmessages,DHCPsnooping comparesthesourceMACaddresstotheDHCPclienthardwareaddress.Wherethereisa mismatch,DHCPsnoopinglogsanddropsthepacket.Youcandisablethisfeatureusingtheset dhcpsnoopingverifymacaddressdisablecommand.


    Note: If the switch has been configured as a DHCP relay agent, to forward client requests to a DHCP server that does not reside on the same broadcast domain as the client, MAC address verification should be disabled in order to allow DHCP RELEASE packets to be processed by the DHCP snooping functionality and client bindings removed from the bindings database.

    DHCPsnoopingcanbeconfiguredonswitchingVLANsandroutingVLANs.WhenaDHCP packetisreceivedonaroutingVLAN,theDHCPsnoopingapplicationappliesitsfilteringrules andupdatesthebindingsdatabase.Ifaclientmessagepassesfilteringrules,themessageisplaced intothesoftwareforwardingpath,whereitmaybeprocessedbytheDHCPrelayagent,thelocal DHCPserver,orforwardedasanIPpacket. DHCPsnoopingforwardsvalidDHCPclientmessagesreceivedonnonroutingVLANs.The messageisforwardedonalltrustedinterfacesintheVLAN.IfaDHCPrelayagentorlocalDHCP servercoexistwiththeDHCPsnoopingfeature,DHCPclientmessageswillbesenttotheDHCP relayagentorlocalDHCPservertoprocessfurther. TheDHCPsnoopingapplicationdoesnotforwardservermessagessincetheyareforwardedin hardware.

    Building and Maintaining the Database


    TheDHCPsnoopingapplicationusesDHCPmessagestobuildandmaintainthebindings database.Thebindingsdatabaseincludesonlydataforclientsonuntrustedports.Thebindings databaseincludesthefollowinginformationforeachentry: ClientMACaddress ClientIPaddress Timewhenclientsleaseexpires ClientVLANID Clientport

    DHCPsnoopingcreatesatentativebindingfromDHCPDISCOVERandREQUESTmessages. Tentativebindingstieaclienttoaport(theportwheretheDHCPclientmessagewasreceived). TentativebindingsarecompletedwhenDHCPsnoopinglearnstheclientsIPaddressfroma DHCPACKmessageonatrustedport.DHCPsnoopingremovesbindingsinresponseto DECLINE,RELEASE,andNACKmessages.TheDHCPsnoopingapplicationignorestheACK messagessentinreplytotheDHCPInformmessagesreceivedontrustedports.Youcanalso enterstaticbindingsintothebindingsdatabase. Whenaswitchlearnsofnewbindingsorwhenitlosesbindings,theswitchimmediatelyupdates theentriesinthedatabase. Iftheabsoluteleasetimeofasnoopingdatabaseentryexpires,thenthatentrywillberemoved. Careshouldbetakentoensurethatsystemtimeisconsistentacrossthereboots.Otherwise, snoopingentrieswillnotexpireproperly.IfahostsendsaDHCPRELEASEmessagewhilethe

    17-2

    DHCP Snooping and Dynamic ARP Inspection

    DHCP Snooping Overview

    switchisrebooting,whentheswitchreceivesaDHCPDISCOVERYorREQUESTmessage,the clientsbindingwillgotoatentativebindingstate.

    Rate Limiting
    ToprotecttheswitchagainstDHCPattackswhenDHCPsnoopingisenabled,thesnooping applicationenforcesaratelimitforDHCPpacketsreceivedonuntrustedinterfaces.DHCP snoopingmonitorsthereceiverateoneachinterfaceseparately.Ifthereceiverateexceedsa configurablelimit,DHCPsnoopingbringsdowntheinterface.Usethesetportenablecommand toreenabletheinterface.Boththerateandtheburstintervalcanbeconfigured.

    Basic Configuration
    Thefollowingconfigurationproceduredoesnotchangethewritedelaytothesnoopingdatabase oranyofthedefaultratelimitingvalues.Additionalconfigurationnotesfollowthisprocedure. Procedure 17-1
    Step 1. 2. Task Enable DHCP snooping globally on the switch. Determine where DHCP clients will be connected and enable DHCP snooping on their VLANs. Determine which ports will be connected to the DHCP server and configure them as trusted ports. If desired, enable logging of invalid DHCP messages on specfic ports. If desired, add static bindings to the database.

    Basic Configuration for DHCP Snooping


    Command(s) set dhcpsnooping enable set dhcpsnooping vlan vlan-list enable set dhcpsnooping trust port port-string enable set dhcpsnooping log-invalid port port-string enable set dhcpsnooping binding mac-address vlan vlan-id ipaddr port port-string

    3.

    4. 5.

    Configuration Notes
    DHCP Server
    Whentheswitchisoperatinginswitchmode,thentheDHCPserverandDHCPclientsmust beinthesameVLAN. Iftheswitchisinroutingmode(onthoseplatformsthatsupportrouting),thentheDCHP servercanberemotelyconnectedtoaroutinginterface,orrunninglocally. IftheDHCPserverisremotelyconnected,thentheuseofanIPhelperaddressisrequiredand MACaddressverificationshouldbedisabled(setdhcpsnoopingverifymacaddress disable). TheDHCPservermustuseScopesinordertoprovidetheIPaddressesperVLAN. DHCPsnoopingmustbeenabledontheinterfaceswheretheDHCPclientsareconnected, andtheinterfacesmustbeuntrustedDHCPsnoopingports. TheroutinginterfacethatisconnectedtotheDHCPservermustbeenabledforDHCP snoopingandmustbeatrustedDHCPsnoopingport.

    SecureStack C2 Configuration Guide

    17-3

    DHCP Snooping Commands

    DHCP Snooping Commands


    For information about... set dhcpsnooping set dhcpsnooping vlan set dhcpsnooping database write-delay set dhcpsnooping trust set dhcpsnooping binding set dhcpsnooping verify set dhcpsnooping log-invalid set dhcpsnooping limit show dhcpsnooping show dhcpsnooping database show dhcpsnooping port show dhcpsnooping binding show dhcpsnooping statistics clear dhcpsnooping binding clear dhcpsnooping statistics clear dhcpsnooping database clear dhcpsnooping limit Refer to page... 17-4 17-5 17-5 17-6 17-7 17-7 17-8 17-9 17-10 17-11 17-11 17-12 17-13 17-14 17-14 17-14 17-15

    set dhcpsnooping
    UsethiscommandtoenableordisableDHCPsnoopingglobally.

    Syntax
    set dhcpsnooping {enable | disable}

    Parameters
    enable disable EnableDHCPsnoopinggloballyontheswitch. DisableDHCPsnoopinggloballyontheswitch.

    Defaults
    Disabledglobally.

    Mode
    Switchcommand,readwrite.

    Usage
    Bydefault,DHCPsnoopingisdisabledgloballyandonallVLANs.Youmustenableitglobally withthiscommand,andthenenableitonspecificVLANs.
    17-4 DHCP Snooping and Dynamic ARP Inspection

    set dhcpsnooping vlan

    Example
    ThefollowingexampleenablesDHCPsnoopingglobally.
    C2(rw)->set dhcpsnooping enable

    set dhcpsnooping vlan


    UsethiscommandtoenableordisableDHCPsnoopingonaVLANorrangeofVLANs.

    Syntax
    set dhcpsnooping vlan vlan-range {enable | disable}

    Parameters
    vlanrange enable|disable SpecifiestheVLANorrangeofVLANsonwhichDHCPsnoopingisto beenabledordisabled. EnablesordisablesDHCPsnoopingforthespecifiedVLANs.

    Defaults
    DHCPsnoopingisdisabledbydefaultonallVLANs.

    Mode
    Switchcommand,readwrite.

    Usage
    Bydefault,DHCPsnoopingisdisabledgloballyandonallVLANs.Youmustenableitglobally withthesetdhcpsnoopingcommand,andthenenableitonspecificVLANswiththiscommand.

    Example
    ThisexampleenablesDHCPsnoopingonVLANS10through20.
    C2(rw)->set dhcpsnooping vlan 10-20 enable

    set dhcpsnooping database write-delay


    Usethiscommandtospecifytheintervalbetweenupdatestothestoredbindingsdatabase.

    Syntax
    set dhcpsnooping database write-delay seconds

    Parameters
    second Specifytheintervalinsecondsbetweenupdatestothestoredbindings database.Thevaluecanrangefrom15to86400seconds.

    Defaults
    Every5minutes(300seconds).

    SecureStack C2 Configuration Guide

    17-5

    set dhcpsnooping trust

    Mode
    Switchcommand,readwrite.

    Usage
    Whenaswitchlearnsofnewbindingsorwhenitlosesbindings,theswitchupdatestheentriesin thebindingsdatabaseaccordingtothewritedelaytimer.Theswitchalsoupdatestheentriesin thebindingfile.Thefrequencyatwhichthefileisupdatedisbasedonthedelayconfiguredwith thiscommand,andtheupdatesarebatched.

    Example
    Thefollowingexamplespecifiesthatthestoreddatabaseshouldbeupdatedonceanhour.
    C2(rw)->set dhcpsnooping database write-delay 3600

    set dhcpsnooping trust


    UsethiscommandtoenableordisableaportasaDHCPsnoopingtrustedport.

    Syntax
    set dhcpsnooping trust port port-string {enable | disable}

    Parameters
    portportstring enable|disable Specifiestheportorportstobeenabledordisabledastrustedports.The portscanbephysicalportsorLAGsthataremembersofaVLAN. Enablesordisablesthespecifiedportsastrustedports.

    Defaults
    Bydefault,portsareuntrusted.

    Mode
    Switchcommand,readwrite.

    Usage
    InorderforDHCPsnoopingtooperate,snoopinghastobeenabledgloballyandonspecific VLANs,andtheportswithintheVLANshavetobeconfiguredastrustedoruntrusted.On trustedports,DHCPclientmessagesareforwardeddirectlybythehardware.Onuntrustedports, clientmessagesaregiventotheDHCPsnoopingapplication. TheDHCPsnoopingapplicationbuildsthebindingsdatabasefromclientmessagesreceivedon untrustedports.DHCPsnoopingcreatesatentativebindingfromDHCPDISCOVERand REQUESTmessages.Tentativebindingstieaclienttotheportonwhichthemessagepacketwas received.TentativebindingsarecompletedwhenDHCPsnoopinglearnstheclientsIPaddress fromaDHCPACKmessageonatrustedport. TheportsontheswitchthroughwhichDHCPserversarereachedmustbeconfiguredastrusted portssothatpacketsreceivedfromthoseportswillbeforwardedtoclients.DCHPpacketsfroma DHCPserver(DHCPOFFER,DHCPACK,DHCPNAK)aredroppedifreceivedonanuntrusted port.

    17-6

    DHCP Snooping and Dynamic ARP Inspection

    set dhcpsnooping binding

    Example
    Thisexampleconfiguresportge.1.1asatrustedport. C2(rw)->set dhcpsnooping trust port ge.1.1 enable

    set dhcpsnooping binding


    UsethiscommandtoaddastaticDHCPbindingtotheDHCPsnoopingdatabase.

    Syntax
    set dhcpsnooping binding mac-address vlan vlan-id ipaddr port port-string

    Parameters
    macaddress vlanvlanid ipaddr portportstring SpecifiestheMACaddressofthebindingentry. SpecifiestheVLANofthebindingentry. SpecifiestheIPaddressofthebindingentry. Specifiestheportofthebindingentry.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    WhenenabledgloballyandonVLANs,DHCPsnoopingbuildsitsbindingsdatabasefromDHCP clientmessagesreceivedonuntrustedports.Suchentriesinthedatabasearedynamicentries whichwillberemovedinresponsetovalidDECLINE,RELEASE,andNACKmessagesorwhen theabsoluteleasetimeoftheentryexpires. Youcanaddstaticentriestothebindingsdatabasewiththiscommand.

    Example
    Thisexamplecreatesastaticentry,associatingMACaddress00:01:02:33:44:55withIPaddress 192.168.10.10andVLAN10,portge.1.1. C2(rw)->set dhcpsnooping binding 00:01:02:33:44:55 vlan 10 192.168.10.10 port
    ge.1.1

    set dhcpsnooping verify


    UsethiscommandtoenableordisableDHCPsnoopingtofilteronsourceMACaddress.

    Syntax
    set dhcpsnooping verify mac-address {enable | disable}

    SecureStack C2 Configuration Guide

    17-7

    set dhcpsnooping log-invalid

    Parameters
    enable disable EnablesverificationofthesourceMACaddressinclientmessages againsttheclienthardwareaddress. DisablesverificationofthesourceMACaddressinclientmessages againsttheclienthardwareaddress.

    Defaults
    SourceMACaddressverificationisenabledbydefault.

    Mode
    Switchcommand,readwrite.

    Usage
    Whenthisverificationisenabled,theDHCPsnoopingapplicationcomparesthesourceMAC addresscontainedinvalidclientmessageswiththeclientshardwareaddress.Ifthereisa mismatch,DHCPsnoopinglogstheeventanddropsthepacket. Usetheshowdhcpsnoopingcommandtodisplaythestatus(enabledordisabled)ofsourceMAC addressverificationforeachinterfaceinanenabledVLAN.Theshowdhcpsnoopingstatistics commandshowstheactualnumberofMACverificationerrorsthatoccurredonuntrustedports.

    Example
    ThisexampledisablessourceMACaddressverificationandlogging. C2(rw)->set dhcpsnooping verify mac-address disable

    set dhcpsnooping log-invalid


    UsethiscommandtoenableordisableloggingofinvalidDHCPmessagesonports.

    Syntax
    set dhcpsnooping log-invalid port port-string {enable | disable}

    Parameters
    portportstring enable|disable Specifiestheportorportsonwhichtoenableordisableloggingof invalidpackets. Enablesordisablesloggingonthespecifiedports.

    Defaults
    Disabled.

    Mode
    Switchcommand,readwrite.

    Usage
    TheDHCPsnoopingapplicationprocessesincomingDHCPmessages.ForDHCPRELEASEand DHCPDECLINEmessages,theapplicationcomparesthereceiveinterfaceandVLANwiththe

    17-8

    DHCP Snooping and Dynamic ARP Inspection

    set dhcpsnooping limit

    clientsinterfaceandVLANinthebindingsdatabase.Iftheinterfacesdonotmatch,the applicationlogstheeventiflogginghasbeenenabled. Usetheshowdhcpsnoopingcommandtodisplaythestatus(enabledordisabled)oflogging invalidpacketsforeachinterfaceinanenabledVLAN.Theshowdhcpsnoopingstatistics commandshowstheactualnumberofservermessagesreceivedonuntrustedports.

    Example
    ThisexampleenablesloggingofinvalidDHCPmessagesonportge.1.1andthendisplaysthe DHCPconfigurationsettings. C2(rw)->set dhcpsnooping log invalid port ge.1.1 enable
    C2(su)->show dhcpsnooping DHCP snooping is Disabled DHCP snooping source MAC verification is enabled DHCP snooping is enabled on the following VLANs: 3

    Interface ----------ge.1.1 ge.1.2 ge.1.3

    Trusted ---------No No Yes

    Log Invalid Pkts ---------------Yes No No

    set dhcpsnooping limit


    UsethiscommandtoconfigureratelimitingparametersforincomingDHCPpacketsonaportor ports.

    Syntax
    set dhcpsnooping limit port-string {none | rate pps {burst interval secs]}

    Parameters
    portstring none ratepps burstintervalsecs Specifiestheportorportstowhichtoapplytheseratelimiting parameters. ConfiguresnolimitonincomingDHCPpackets. Specifiesaratelimitinpacketspersecond.Thevalueofppscanrange from0to100packetspersecond. Specifiesaburstintervalinseconds.Thevalueofsecscanrangefrom1 to15seconds.

    Defaults
    Rate=15packetspersecond BurstInterval=1second

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    17-9

    show dhcpsnooping

    Usage
    ToprotecttheswitchfromDHCPattackswhenDHCPsnoopingisenabled,thesnooping applicationenforcesaratelimitforDHCPpacketsreceivedonuntrustedinterfaces.DHCP snoopingmonitorsthereceiverateoneachinterfaceseparately.Ifthereceiverateexceedsthe configuredlimit,DHCPsnoopingbringsdowntheinterface.Youcanreenabletheinterfacewith thesetportenablecommand.Boththerateandtheburstintervalcanbeconfigured. Youcandisplaythecurrentlyconfiguredratelimitparameterswiththeshowdhcpsnoopingport command.

    Example
    Thisexampleconfiguresratelimitparametersonportge.1.1.
    C2(rw)->set dhcpsnooping limit ge.1.1 rate 20 burst interval 2 C2(rw)->show dhcpsnooping port ge.1.1 Interface Trust State Rate Limit (pps) ---------ge.1.1 ------------No ------------20 Burst Interval (seconds) --------------2

    show dhcpsnooping
    UsethiscommandtodisplayDHCPsnoopingconfigurationparameters.

    Syntax
    show dhcpsnooping

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Thiscommanddisplaysthestatus(enabledordisabled)ofDHCPsnoopingglobally,liststhe VLANsonwhichDHCPsnoopingisenabled,displayswhethersourceMACaddressverification isenabledordisabled,andforportsthatareenabledforsnooping,displayswhethertheyare trustedoruntrustedandwhetherloggingofinvalidpacketshasbeenenabled.

    Example
    Thisexampleshowstheoutputoftheshowdhcpsnoopingcommand.
    C2(su)->show dhcpsnooping DHCP snooping is Enabled DHCP snooping source MAC verification is enabled DHCP snooping is enabled on the following VLANs:

    17-10

    DHCP Snooping and Dynamic ARP Inspection

    show dhcpsnooping database

    Interface ----------ge.1.47 ge.1.48 lag.0.1

    Trusted ---------Yes No No

    Log Invalid Pkts ---------------No No No

    show dhcpsnooping database


    UsethiscommandtodisplayDHCPsnoopingdatabaseconfigurationparameters.

    Syntax
    show dhcpsnooping database

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Thiscommanddisplayswherethedatabasefileisstored(locally)andwhatthewritedelayvalue is.

    Example
    Thisexampleshowstheoutputoftheshowdhcpsnoopingdatabasecommand.
    C2(su)->show dhcpsnooping database agent url: local

    write-delay:

    300

    show dhcpsnooping port


    UsethiscommandtodisplayDHCPsnoopingconfigurationparametersforspecificports.

    Syntax
    show dhcpsnooping port port-string

    Parameters
    portstring Specifiestheportorportsforwhichtodisplayconfiguration information.

    SecureStack C2 Configuration Guide

    17-11

    show dhcpsnooping binding

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Thiscommanddisplaysthetruststateandratelimitingparametersconfiguredonthespecified ports.

    Example
    Thisexampleshowstheoutputoftheshowdhcpsnoopingportcommand.
    C2(su)->show dhcpsnooping port ge.1.1 Interface Trust State Rate Limit (pps) ---------ge.1.1 ------------No ------------20 Burst Interval (seconds) --------------2

    show dhcpsnooping binding


    UsethiscommandtodisplaythecontentsoftheDHCPsnoopingbindingsdatabase.

    Syntax
    show dhcpsnooping binding [dynamic | static] [port port-string] [vlan vlan-id]

    Parameters
    dynamic|static portportstring vlanvlanid (Optional)Limitsthedisplayofbindingsinthedatabasebytypeof entry,eitherdynamicorstatic. (Optional)Limitsthedisplayofbindingsinthedatabasebyport. (Optional)LimitsthedisplayofbindingsinthedatabasebyVLANid.

    Defaults
    Ifnoparametersareentered,allbindingsinthedatabasearedisplayed.

    Mode
    Switchcommand,readwrite.

    Usage
    ThiscommanddisplaysinformationabouttheDHCPbindingsintheDHCPsnoopingdatabase.

    Example
    Thisexampleshowstheoutputoftheshowdhcpsnoopingbindingcommandwhenno parametersareentered.
    C2(su)->show dhcpsnooping binding Total number of bindings: 2

    17-12

    DHCP Snooping and Dynamic ARP Inspection

    show dhcpsnooping statistics

    MAC Address ----------------00:02:B3:06:60:80 00:0F:FE:00:13:04

    IP Address --------------192.168.10.10 192.168.20.1

    VLAN ---3 5

    Interface ----------ge.1.1 ge.1.30

    Type ------STATIC DYNAMIC

    Lease (min) -----------

    1440

    show dhcpsnooping statistics


    UsethiscommandtodisplayDHCPsnoopingstatisticsforuntrustedports.

    Syntax
    show dhcpsnooping statistics

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    TheDHCPsnoopingapplicationprocessesincomingDHCPmessagesonenableduntrusted interfaces.ForDHCPRELEASEandDHCPDECLINEmessages,theapplicationcomparesthe receiveinterfaceandVLANwiththeclientsinterfaceandVLANinthebindingsdatabase.Ifthe interfacesdonotmatch,theapplicationlogstheevent(ifloggingofinvalidmessagesisenabled) anddropsthemessage.IfsourceMACverificationisenabled,forvalidclientmessages,DHCP snoopingcomparesthesourceMACaddresstotheDHCPclienthardwareaddress.Wherethereis amismatch,DHCPsnoopinglogsanddropsthepacket. Thiscommanddisplays,foreachenableduntrustedinterface,thenumberofsourceMAC verificationfailuresandclientinterfacemismatchesthatoccurredsincethelasttimethese statisticswerecleared. SinceDHCPserversshouldnotbeconnectedthroughanuntrustedport,theDHCPsnooping applicationwilldropincomingDHCPservermessagesonuntrustedinterfacesandincrementa counterthatisdisplayedwiththiscommand.

    Example
    Thisexampleshowstheoutputoftheshowdhcpsnoopingstatisticscommand.
    C2(su)->show dhcpsnooping statistics Interface MAC Verify Failures ----------ge.1.48 lag.0.1 ---------0 0 Client Ifc Mismatch ---------0 0 DHCP Server Msgs Rec'd ----------0 0

    SecureStack C2 Configuration Guide

    17-13

    clear dhcpsnooping binding

    clear dhcpsnooping binding


    UsethiscommandtoremovebindingsfromtheDHCPsnoopingbindingsdatabase.

    Syntax
    clear dhcpsnooping binding [port port-string | mac mac-addr]

    Parameters
    portportstring macmacaddr (Optional)Specifiestheentryorentriestoremovebyportidentifier. (Optional)SpecifiestheentrytoremovebyMACaddress.

    Defaults
    Ifnoparametersareentered,allbindings(staticanddynamic)areremoved.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleclearsthestaticbindingentrythatincludesportge.1.2.
    C2(su)->clear dhcpsnooping binding port ge.1.2

    clear dhcpsnooping statistics


    UsethiscommandtocleartheDHCPsnoopingstatisticscounters.

    Syntax
    clear dhcpsnooping statistics

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleclearstheDHCPsnoopingstatisticscountersforallenableduntrustedports. C2(su)->clear dhcpsnooping statistics

    clear dhcpsnooping database


    Usethiscommandtoreturnthewritedelayvaluetoitsdefaultvalueof300seconds.

    17-14

    DHCP Snooping and Dynamic ARP Inspection

    clear dhcpsnooping limit

    Syntax
    clear dhcpsnooping database [write-delay]

    Parameters
    writedelay (Optional)Specifiesthatthewritedelayvalueshouldbereturnedtothe defaultvalueof300seconds.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Thiscommandwillsetthedatabasewritedelayvaluetothedefaultof300seconds.

    Example
    Thisexamplesetsthedatabasestoragelocationtothedefaultoflocal.
    C2(su)->clear dhcpsnooping database

    clear dhcpsnooping limit


    Usethiscommandtoresettheratelimitvaluestothedefaultsof15packetspersecondwitha burstintervalof1second.

    Syntax
    clear dhcpsnooping limit port-string

    Parameters
    portstring Specifiestheportorportstowhichthiscommandapplies.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleresetstheratelimitvaluestotheirdefaultsonportge.1.1. C2(su)->clear dhcpsnooping limit ge.1.1

    SecureStack C2 Configuration Guide

    17-15

    Dynamic ARP Inspection Overview

    Dynamic ARP Inspection Overview


    DynamicARPinspection(DAI)isasecurityfeaturethatrejectsinvalidandmaliciousARP packets.Thefeaturepreventsaclassofmaninthemiddleattackswhereanunfriendlystation interceptstrafficforotherstationsbypoisoningtheARPcachesofitsunsuspectingneighbors. ARPpoisoningisatacticwhereanattackerinjectsfalseARPpacketsintothesubnet,normallyby broadcastingARPresponsesinwhichtheattackerclaimstobesomeoneelse.Bypoisoningthe ARPcache,amalicioususercaninterceptthetrafficintendedforotherhostsonthenetwork. TheDynamicARPInspectionapplicationperformsARPpacketvalidation.WhenDAIisenabled, itverifiesthatthesenderMACaddressandthesourceIPaddressareavalidpairintheDHCP snoopingbindingdatabaseanddropsARPpacketswhosesenderMACaddressandsenderIP addressdonotmatchanentryinthedatabase.AdditionalARPpacketvalidationcanbe configured. IfDHCPsnoopingisdisabledontheingressVLANorthereceiveinterfaceistrustedforDHCP snooping,ARPpacketsaredropped.

    Functional Description
    DAIisenabledonVLANs,effectivelyenablingDAIontheinterfaces(physicalportsorLAGs)that aremembersofthatVLAN.Individualinterfacesareconfiguredastrustedoruntrusted.Thetrust configurationforDAIisindependentofthetrustconfigurationforDHCPsnooping.Atrusted portisaportthenetworkadministratordoesnotconsidertobeasecuritythreat.Anuntrusted portisonewhichcouldpotentiallybeusedtolaunchanetworkattack. DAIconsidersallphysicalportsandLAGsuntrustedbydefault.

    Static Mappings
    StaticmappingsareusefulwhenhostsconfigurestaticIPaddresses,DHCPsnoopingcannotbe run,orotherswitchesinthenetworkdonotrundynamicARPinspection.Astaticmapping associatesanIPaddresstoaMACaddressonaVLAN.DAIconsultsitsstaticmappingsbeforeit consultsDHCPsnoopingthus,staticmappingshaveprecedenceoverDHCPsnooping bindings. ARPACLsareusedtodefinestaticmappingsforDAI.Inthisimplementation,onlythesubsetof ARPACLsyntaxrequiredforDAIissupported.ARPACLsarecompletelyindependentofACLs usedforQoS.Amaximumof100ARPACLscanbeconfigured.WithinanACL,amaximumof20 rulescanbeconfigured.

    Optional ARP Packet Validation


    IfoptionalARPpacketvalidationhasbeenconfigured,DAIverifiesthatthesenderMACaddress equalsthesourceMACaddressintheEthernetheader.Additionally,theoptiontoverifythatthe targetMACaddressequalsthedestinationMACaddressintheEthernetheadercanbe configured.ThischeckonlyappliestoARPresponses,sincethetargetMACaddressis unspecifiedinARPrequests. YoucanalsoenableIPaddresschecking.Whenthisoptionisenabled,DAIdropsARPpackets withaninvalidIPaddress.ThefollowingIPaddressesareconsideredinvalid: 0.0.0.0 255.255.255.255 AllIPmulticastaddresses AllclassEaddresses(240.0.0.0/4)

    17-16

    DHCP Snooping and Dynamic ARP Inspection

    Dynamic ARP Inspection Overview

    Loopbackaddresses(intherange127.0.0.0/8)

    Logging Invalid Packets


    Bydefault,DAIwritesalogmessagetothenormalbufferedlogforeachinvalidARPpacketit drops.YoucanconfigureDAItonotloginvalidpacketsforspecificVLANs.

    Packet Forwarding
    DAIforwardsvalidARPpacketswhosedestinationMACaddressisnotlocal.TheingressVLAN couldbeaswitchingorroutingVLAN.ARPrequestsarefloodedintheVLAN.ARPresponsesare unicasttowardtheirdestination.DAIqueriestheMACaddresstabletodeterminetheoutgoing port.IfthedestinationMACaddressislocal,DAIgivesvalidARPpacketstotheARPapplication.

    Rate Limiting
    ToprotecttheswitchfromDHCPattackswhenDAIisenabled,theDAIapplicationenforcesarate limitforARPpacketsreceivedonuntrustedinterfaces.DAImonitorsthereceiverateoneach interfaceseparately.Ifthereceiverateexceedsaconfigurablelimit,DAIerrordisablesthe interface,whicheffectivelybringsdowntheinterface.Youcanusethesetportenablecommand toreenabletheport. Youcanconfigureboththerateandtheburstinterval.Thedefaultrateis15ppsoneachuntrusted interfacewitharangeof0to100pps.Thedefaultburstintervalis1secondwitharangeto1to15 seconds..TheratelimitcannotbesetontrustedinterfacessinceARPpacketsreceivedontrusted interfacesdonotcometotheCPU.

    Eligible Interfaces
    DynamicARPinspectionisenabledperVLAN,effectivelyenablingDAIonthemembersofthe VLAN,eitherphysicalportsorLAGs.TrustisspecifiedontheVLANmembers. DAIcannotbeenabledonportbasedroutinginterfaces.Itmaybeconnectedto: Asinglehostthroughatrustedlink(forexample,aserver) Ifmultiplehostsneedtoconnected,theremustbeaswitchbetweentherouterandthehosts, withDAIenabledonthatswitch

    Interaction with Other Functions


    DAIreliesontheDHCPsnoopingapplicationtoverifythata{IPaddress,MACaddress, VLAN,interface}tupleisvalid. DAIregisterswithdot1qtoreceivenotificationofVLANmembershipchangesfortheVLANs whereDAIisenabled. DAItellsthedriverabouteachuntrustedinterface(physicalportorLAG)whereDAIis enabledsothatthehardwarewillinterceptARPpacketsandsendthemtotheCPU.

    SecureStack C2 Configuration Guide

    17-17

    Dynamic ARP Inspection Overview

    Basic Configuration
    Thefollowingbasicconfigurationdoesnotchangethedefaultratelimitingparameters. Procedure 17-2
    Step 1. 2. Task Configure DHCP snooping. Enable ARP inspection on the VLANs where clients are connected, and optionally, enable logging of invalid ARP packets. Determine which ports are not security threats and configure them as DAI trusted ports. If desired, configure optional validation parameters. If desired, configure static mappings for DAI by creating ARP ACLs: Create the ARP ACL Apply the ACL to a VLAN

    Basic Dynamic ARP Inspection Configuration


    Command(s) Refer to Procedure 17-1 on page 17-3. set arpinspection vlan vlan-range [logging] set arpinspection trust port port-string enable set arpinspection validate {[src-mac] [dst-mac] [ip]} set arpinspection filter name permit ip host sender-ipaddr mac host sender-macaddr set arpinspection filter name vlan vlan-range [static]

    3. 4. 5.

    Example Configuration
    ThefollowingexampleconfiguresDHCPsnoopinganddynamicARPinspectioninarouting environmentusingRIP.Theexampleconfigurestwointerfacesontheswitch,configuringRIPon bothinterfaces,assigningeachtoadifferentVLAN,andthenenablingDHCPsnoopingand dynamicARPinspectiononthem: Interfacege.1.1,whichisconnectedtoaremoteDHCPserver,onVLAN192 Interfacege.1.2,whichisconnectedtoDHCPclients,onVLAN10

    Inaddition,thedefaultVLAN,VLAN1,isalsoenabledforDHCPsnoopinganddynamicARP inspection. SincetheDHCPserverisremote,theswitchhasbeenconfiguredasaDHCPrelayagent(withthe iphelperaddresscommand),toforwardclientrequeststotheDHCPserver.Therefore,MAC addressverificationisdisabled(withthesetdhcpsnoopingverifymacaddressdisable command)inordertoallowDHCPRELEASEpacketstobeprocessedbytheDHCPsnooping functionalityandclientbindingsremovedfromthebindingsdatabase

    Router Configuration
    router enable configure interface vlan 10 no shutdown ip address 10.2.0.1 255.255.0.0 ip helper-address 192.168.0.200 ip rip send version 2 ip rip receive version 2 ip rip enable

    17-18

    DHCP Snooping and Dynamic ARP Inspection

    Dynamic ARP Inspection Overview

    exit

    interface vlan 192 no shutdown ip address 192.168.0.1 255.255.255.0 ip rip send version 2 ip rip receive version 2 ip rip enable exit router rip exit

    VLAN Configuration
    set vlan create 10 set vlan create 192 clear vlan egress 1 ge.1.1-2 set vlan egress 10 ge.1.2 untagged set vlan egress 192 ge.1.1 untagged

    DHCP Snooping Configuration


    set dhcpsnooping enable set dhcpsnooping vlan 1 enable set dhcpsnooping vlan 10 enable set dhcpsnooping vlan 192 enable set dhcpsnooping verify mac-address disable set dhcpsnooping trust port ge.1.1 enable

    Dynamic ARP Inspection Configuration


    set arpinspection vlan 1 set arpinspection vlan 10 set arpinspection vlan 192 set arpinspection trust port ge.1.1 enable

    SecureStack C2 Configuration Guide

    17-19

    Dynamic ARP Inspection Commands

    Dynamic ARP Inspection Commands


    For information about... set arpinspection vlan set arpinspection trust set arpinspection validate set arpinspection limit set arpinspection filter show arpinspection access-list show arpinspection ports show arpinspection vlan show arpinspection statistics clear arpinspection validate clear arpinspection vlan clear arpinspection filter clear arpinspection limit clear arpinspection statistics Refer to page... 17-20 17-21 17-22 17-22 17-23 17-24 17-25 17-25 17-26 17-27 17-27 17-29 17-30 17-30

    set arpinspection vlan


    UsethiscommandtoenabledynamicARPinspectionononeormoreVLANs,andoptionally, enableloggingofinvalidARPpackets.

    Syntax
    set arpinspection vlan vlan-range [logging]

    Parameters
    vlanrange logging SpecifiestheVLANorrangeofVLANsonwhichtoenabledynamic ARPinspection. (Optional)EnablesloggingofinvalidARPpacketsforthatVLAN.

    Defaults
    Loggingisdisabledbydefault.

    Mode
    Switchcommand,readwrite.

    Usage
    ThiscommandenablesdynamicARPinspection(DAI)ononeormoreVLANs.WhenDAIis enabledonaVLAN,DAIiseffectivelyenabledontheinterfaces(physicalportsorLAGs)thatare membersofthatVLAN.

    17-20

    DHCP Snooping and Dynamic ARP Inspection

    set arpinspection trust

    DAIusestheDHCPsnoopingbindingsdatabasetoverifythatthesenderMACaddressandthe sourceIPaddressareavalidpairinthedatabase.ARPpacketswhosesenderMACaddressand senderIPaddressdonotmatchanentryinthedatabasearedropped. Ifloggingisenabled,invalidARPpacketsarealsologged.

    Example
    ThisexampleenablesDAIonVLANs2through5andalsoenablesloggingofinvalidARPpackets onthoseVLANs.
    C2(su)->set arpinspection vlan 2-5 logging

    set arpinspection trust


    UsethiscommandtoenableordisableaportasadynamicARPinspectiontrustedport.

    Syntax
    set arpinspection trust port port-string {enable | disable}

    Parameters
    portstring SpecifiestheportorportstobeenabledordisabledasDAItrusted ports.TheportscanbephysicalportsorLAGsthataremembersofa VLAN. EnablesordisablesthespecifiedportsastrustedforDAI.

    enable|disable

    Defaults
    Bydefault,allphysicalportsandLAGsareuntrusted.

    Mode
    Switchcommand,readwrite.

    Usage
    Individualinterfacesareconfiguredastrustedoruntrusted.ThetrustconfigurationforDAIis independentofthetrustconfigurationforDHCPsnooping.Atrustedportisaportthenetwork administratordoesnotconsidertobeasecuritythreat.Anuntrustedportisonewhichcould potentiallybeusedtolaunchanetworkattack. DAIconsidersallphysicalportsandLAGsuntrustedbydefault.Packetsarrivingontrusted interfacesbypassallDAIvalidationchecks.

    Example
    Thisexampleenablesportge.1.1astrustedforDAI.
    C2(su)->set arpinspection trust port ge.1.1 enable

    SecureStack C2 Configuration Guide

    17-21

    set arpinspection validate

    set arpinspection validate


    UsethiscommandtoconfigureadditionaloptionalARPvalidationparameters.

    Syntax
    set arpinspection validate {[src-mac] [dst-mac] [ip]}

    Parameters
    srcmac dstmac SpecifiesthatDAIshouldverifythatthesenderMACaddressequals thesourceMACaddressintheEthernetheader. SpecifiesthatDAIshouldverifythatthetargetMACaddressequalsthe destinationMACaddressintheEthernetheader. ThischeckonlyappliestoARPresponses,sincethetargetMACaddress isunspecifiedinARPrequests. ip SpecifiesthatDAIshouldchecktheIPaddressanddropARPpackets withaninvalidaddress.Aninvalidaddressisoneofthefollowing:
    0.0.0.0 255.255.255.255 All IP multicast addresses All class E addresses (240.0.0.0/4) Loopback addresses (in the range 127.0.0.0/8)

    Defaults
    Allparametersareoptional,butatleastoneparametermustbespecified.

    Mode
    Switchcommand,readwrite.

    Usage
    ThiscommandaddsadditionalvalidationofARPpacketsbyDAI,beyondthebasicvalidation thattheARPpacketssenderMACaddressandsenderIPaddressmatchanentryintheDHCP snoopingbindingsdatabase.

    Example
    ThisexampleaddstheoptionalverificationthatsenderMACaddressesarethesameasthesource MACaddressesintheEthernetheadersofARPpackets.
    C2(su)->set arpinspection validate src-mac

    set arpinspection limit


    UsethiscommandtoconfigureratelimitingparametersforincomingARPpacketsonaportor ports

    Syntax
    set arpinspection limit port port-string {none | rate pps {burst interval secs]}

    17-22

    DHCP Snooping and Dynamic ARP Inspection

    set arpinspection filter

    Parameters
    portstring none ratepps burstintervalsecs Specifiestheportorportstowhichtoapplytheseratelimiting parameters. ConfiguresnolimitonincomingARPpackets. Specifiesaratelimitinpacketspersecond.Thevalueofppscanrange from0to100packetspersecond. Specifiesaburstintervalinseconds.Thevalueofsecscanrangefrom1 to15seconds.

    Defaults
    Rate=15packetspersecond BurstInterval=1second

    Mode
    Switchcommand,readwrite.

    Usage
    ToprotecttheswitchagainstDHCPattackswhenDAIisenabled,theDAIapplicationenforcesa ratelimitforARPpacketsreceivedonuntrustedinterfaces.DAImonitorsthereceiverateoneach interfaceseparately.Ifthereceiverateexceedsthelimitconfiguredwiththiscommand,DAI disablestheinterface,whicheffectivelybringsdowntheinterface.Youcanusethesetportenable commandtoreenabletheport. Youcanconfigureboththerateandtheburstinterval.Thedefaultrateis15ppsoneachuntrusted interfacewitharangeof0to100pps.Thedefaultburstintervalis1secondwitharangeto1to15 seconds..TheratelimitcannotbesetontrustedinterfacessinceARPpacketsreceivedontrusted interfacesdonotcometotheCPU.

    Example
    Thisexamplesetstherateto20packetspersecondandtheburstintervalto2secondsonports ge.1.1andge.1.2.
    C2(su)->set arpinspection limit port ge.1.1-2 rate 20 burst interval 2

    set arpinspection filter


    UsethiscommandtocreateanARPACLandthentoassignanACLtoaVLAN,optionallyasa staticmapping.

    Syntax
    set arpinspection filter name {permit ip host sender-ipaddr mac host sender-macaddr | vlan vlan-range [static]}

    Parameters
    name permit iphostsenderipaddr SpecifiesthenameoftheARPACL. Specifiesthatapermitruleisbeingcreated. SpecifiestheIPaddressintherulebeingcreated.

    SecureStack C2 Configuration Guide

    17-23

    show arpinspection access-list

    machost sendermacaddr vlanvlanrange static

    SpecifiestheMACaddressintherulebeingcreated. SpecifiestheVLANorVLANstowhichthisARPACLisassigned. (Optional)SpecifiesthatthisARPACLconfiguresstaticmappingsfor theVLANorVLANs.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    ARPACLsareusedtodefinestaticmappingsforDAI.ARPACLsarecompletelyindependentof ACLsusedforQoS.Amaximumof100ARPACLscanbeconfigured.WithinanACL,a maximumof20rulescanbeconfigured. AstaticmappingassociatesanIPaddresstoaMACaddressonaVLAN.DAIconsultsitsstatic mappingsbeforeitconsultstheDHCPsnoopingbindingsdatabasethus,staticmappingshave precedenceoverDHCPsnoopingbindings.

    Example
    ThisexamplecreatesanACLnamedstaticARPandcreatesapermitruleforIPaddress 192.168.1.10.Then,theACLisassignedtoaVLANasastaticmapping.
    C2(su)->set arpinspection filter staticARP permit ip host 192.168.1.10 mac host 00:01:22:33:44:55 C2(su)->set arpinspection filter staticARP vlan 10 static

    show arpinspection access-list


    UsethiscommandtodisplayARPaccesslistconfigurationinformation.

    Syntax
    show arpinspection access-list [acl-name]

    Parameters
    aclname (Optional)SpecifiestheARPACLtodisplay.

    Defaults
    IfaspecificACLisnotspecified,informationaboutallconfiguredARPACLsisdisplayed.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampledisplaysinformationabouttheARPACLnamedstaticARP.
    C2(su)->show arpinspection access-list staticARP

    17-24

    DHCP Snooping and Dynamic ARP Inspection

    show arpinspection ports

    ARP access list

    staticARP

    permit ip host 192.168.1.10 mac host 00:01:22:33:44:55 permit ip host 192.168.1.20 mac host 00:0A:11:22:33:66

    show arpinspection ports


    UsethiscommandtodisplaytheARPconfigurationofoneormoreports.

    Syntax
    show arpinspection ports [port-string]

    Parameters
    portstring (Optional)SpecifiestheportorportsforwhichtodisplayARP configurationinformation.

    Defaults
    Ifaportstringisnotspecified,informationaboutallDAIenableduntrustedportsisdisplayed.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampledisplaystheARPconfigurationoflag.0.1.
    C2(su)->show arpinspection ports lag.0.1 Interface ---------lag.0.1 Trust State ------------No Rate Limit (pps) ------------15 Burst Interval (seconds) --------------1

    show arpinspection vlan


    UsethiscommandtodisplaytheARPconfigurationofoneormoreVLANs.

    Syntax
    show arpinspection vlan vlan-range

    Parameters
    vlanrange SpecifiestheVLANsforwhichtodisplayconfigurationinformation.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    17-25

    show arpinspection statistics

    Example
    ThisexampledisplaysARPconfigurationinformationforVLAN5.
    C2(su)->show arpinspection vlan 5 Source MAC Validation Destination MAC Validation IP Address Validation Vlan ---5 Disabled Disabled Disabled Static flag ----------Enabled

    Configuration Log Invalid ACL Name ------------- ----------- -------------------------------Disabled Enabled staticARP

    show arpinspection statistics


    UsethiscommandtodisplayARPstatisticsforallDAIenabledVLANsorforspecificVLANs.

    Syntax
    show arpinspection statistics [vlan vlan-range]

    Parameters
    vlanvlanrange (Optional)SpecifiestheVLANsforwhichtodisplaystatistics.

    Defaults
    IfnoVLANsarespecified,limitedstatisticsforallDAIenabledVLANsisdisplayed.

    Mode
    Switchcommand,readwrite.

    Usage
    WhennospecificVLANsareentered,thiscommanddisplaysthenumberofForwardedand DroppedARPpacketsperDAIenabledVLAN.WhenoneormoreVLANsarespecified,this commanddisplaysmoredetailedstatistics.

    Examples
    ThisexampleshowswhatisdisplayedwhennoVLANsarespecified.
    C2(su)->show arpinspection statistics VLAN ---5 Forwarded -----------0 Dropped --------0

    ThisexampleshowswhatinformationisdisplayedwhenoneormoreVLANsarespecified.
    C2(su)->show arpinspection statistics vlan 5 VLAN DHCP ACL DHCP ACL Bad Src Bad Dest Invalid Drops Drops Permits Permits MAC MAC IP ---- ---------- ---------- ---------- ---------- ---------- ---------- --------5 0 0 0 0 0 0 0

    17-26

    DHCP Snooping and Dynamic ARP Inspection

    clear arpinspection validate

    clear arpinspection validate


    UsethiscommandtoremoveadditionaloptionalARPvalidationparametersthatwerepreviously configured.

    Syntax
    clear arpinspection validate {[src-mac] [dst-mac] [ip]}

    Parameters
    srcmac dstmac ip Clear,orremove,theverificationthatthesenderMACaddressequals thesourceMACaddressintheEthernetheader. Clear,orremove,theverificationthatthetargetMACaddressequals thedestinationMACaddressintheEthernetheader. Clear,orremove,checkingtheIPaddressanddroppingARPpackets withaninvalidaddress.

    Defaults
    Allparametersareoptional,butatleastoneparametermustbespecified.

    Mode
    Switchcommand,readwrite.

    Usage
    ThiscommandremovespreviouslyconfiguredadditionalvalidationofARPpacketsbyDAI, beyondthebasicvalidationthattheARPpacketssenderMACaddressandsenderIPaddress matchanentryintheDHCPsnoopingbindingsdatabase. Usetheshowarpinspectionvlancommandtodisplaythecurrentstatusoftheadditional validationrules.

    Example
    Thisexampleremovesall3additionalvalidationconditions.
    C2(su)->clear arpinspection validate src-mac dst-mac ip

    clear arpinspection vlan


    UsethiscommandtodisabledynamicARPinspectionononeormoreVLANsortodisable loggingofinvalidARPpacketsononeormoreVLANs.

    Syntax
    clear arpinspection vlan vlan-range [logging]

    Parameters
    vlanrange logging SpecifiestheVLANorrangeofVLANsonwhichtodisabledynamic ARPinspection. (Optional)DisableloggingofinvalidARPpacketsforthespecified VLANs.

    SecureStack C2 Configuration Guide

    17-27

    clear arpinspection vlan

    Defaults
    IfloggingisenabledforthespecifiedVLANbutloggingisnotenteredwiththiscommand, loggingwillremainenabled.

    Mode
    Switchcommand,readwrite.

    Usage
    YoucanusethiscommandtodisabledynamicARPinspectionononeormoreVLANs,oryoucan disableloggingofinvalidARPpacketsonspecifiedVLANs.TodisablebothloggingandDAI,you mustenterthiscommandtwice.

    Example
    ThisexamplefirstdisplaystheDAIconfigurationforVLAN5,thendisablesDAIonVLAN5,then disablesloggingofinvalidARPpacketsonVLAN5.
    C2(su)->show arpinspection vlan 5 Source MAC Validation Destination MAC Validation IP Address Validation Vlan ---5 Disabled Disabled Disabled Static flag ----------Enabled

    Configuration Log Invalid ACL Name ------------- ----------- -------------------------------Enabled Enabled staticARP

    C2(su)->clear arpinspection vlan 5

    C2(su)->show arpinspection vlan 5 Source MAC Validation Destination MAC Validation IP Address Validation Vlan ---5 Disabled Disabled Disabled Static flag ----------Enabled

    Configuration Log Invalid ACL Name ------------- ----------- -------------------------------Disabled Enabled staticARP

    C2(su)->clear arpinspection vlan 5 logging C2(su)->show arpinspection vlan 5 Source MAC Validation Destination MAC Validation IP Address Validation Vlan ---5 Disabled Disabled Disabled Static flag ----------Enabled

    Configuration Log Invalid ACL Name ------------- ----------- -------------------------------Disabled Disabled staticARP

    17-28

    DHCP Snooping and Dynamic ARP Inspection

    clear arpinspection filter

    clear arpinspection filter


    UsethiscommandtoremoveanARPACLfromaVLANorfromtheswitch,ortoremovea permitrulefromanexistingACL,ortochangethestatusofstaticmappingtodisabled.

    Syntax
    clear arpinspection filter name [permit ip host sender-ipaddr mac host sender-macaddr] | [vlan vlan-range [static]

    Parameters
    name permit iphostsenderipaddr machost sendermacaddr vlanvlanrange SpecifiesthenameoftheARPACL. (Optional)Specifiesthatapermitruleisbeingdeleted. SpecifiestheIPaddressintherulebeingdeleted. SpecifiestheMACaddressintherulebeingdeleted. (Optional)SpecifiestheVLANorVLANstowhichthiscommand shouldapply.RemovetheACLfromtheVLAN,ifstaticisnotspecified also. (Optional)SpecifiesthatstaticmappingshouldbedisabledforthisARP ACLforthespecifiedVLANorVLANs.

    static

    Defaults
    Ifonlythenameisspecified,theACLisdeletedfromtheswitch.

    Mode
    Switchcommand,readwrite.

    Usage
    Youcanusethiscommandto: RemoveaconfiguredARPACLfromtheswitch,or RemoveapermitrulefromaconfiguredARPACL,or RemovetheassociationofanARPACLwithaVLANorVLANs,or DisablestaticmappingofanARPACLassociatedwithaVLANorVLANs.

    UsethesetarpinspectionfiltercommandtocreateandassignanARPACL. UsetheshowarpinspectionaccesslistcommandtodisplaycurrentlyconfiguredARPACLs.

    Examples
    ThisexampleremovesapermitrulefromtheARPACLnamedstaticARP.
    C2(su)->clear arpinspection filter staticARP permit ip host 192.168.1.10 mac host 00:01:22:33:44:55

    ThisexampledisablesstaticmappingoftheARPACLnamedstaticARPthatisassociatedwith VLAN5.
    C2(su)->clear arpinspection filter staticARP vlan 5 static

    SecureStack C2 Configuration Guide

    17-29

    clear arpinspection limit

    ThisexampleremovestheARPACLnamedstaticARPfromVLAN5.
    C2(su)->clear arpinspection filter staticARP vlan 5

    ThisexampleremovestheARPACLnamedstaticARPfromtheswitchcompletely.
    C2(su)->clear arpinspection filter staticARP

    clear arpinspection limit


    UsethiscommandtoreturntheDAIratelimitingvaluestotheirdefaultvaluesforaportorrange ofports.

    Syntax
    clear arpinspection limit port port-string

    Parameters
    portstring Specifiestheportsonwhichtoreturntheratelimitingvaluesto defaults.

    Defaults
    Rate=15packetspersecond BurstInterval=1second

    Mode
    Switchmode,readwrite.

    Usage
    Usethesetarpinspectionlimitcommandtochangethevaluesoftheratelimitandburstinterval. Usetheshowarpinspectionportscommandtodisplaythecurrentlyconfiguredratelimits.

    Example
    ThisexamplereturnstheDAIratelimitingvaluestotheirdefaultsforportge.1.1.
    C2(su)->clear arpinspection limit port ge.1.1

    clear arpinspection statistics


    UsethiscommandtoclearalldynamicARPinspectionstatistics.

    Syntax
    clear arpinspection statistics

    Parameters
    None.

    Defaults
    None.

    17-30

    DHCP Snooping and Dynamic ARP Inspection

    clear arpinspection statistics

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleclearsallDAIstatisticsfromtheswitch.
    C2(su)->clear arpinspection statistics

    SecureStack C2 Configuration Guide

    17-31

    clear arpinspection statistics

    17-32

    DHCP Snooping and Dynamic ARP Inspection

    18
    Preparing for Router Mode
    Thischapterdescribeshowtopreparetheswitchforrouting.
    For information about... Pre-Routing Configuration Tasks Enabling Router Configuration Modes Refer to page... 18-1 18-2

    Pre-Routing Configuration Tasks


    StartupandgeneralconfigurationoftheSecureStackC2switchmustoccurfromtheswitchCLI. Fordetailsonhowtostarttheswitchandconfiguregeneralplatformsettings,refertoChapter 1, Introduction,Chapter 2,ConfiguringSwitchesinaStack,andChapter 3,BasicConfiguration. Oncestartupandgeneralswitchsettingsarecomplete,IPconfigurationandotherrouterspecific commandscanbeexecutedwhentheswitchisinroutermode.Fordetailsonhowtoenablerouter modefromtheswitchCLI,refertoTable 182inEnablingRouterConfigurationModes. ThefollowingpreroutingtasksmustbeperformedfromtheswitchCLI: StartinguptheCLI.(UsingtheCommandLineInterfaceonpage16) Settingthesystempassword.(setpasswordonpage35) Configuringbasicplatformsettings,suchashostname,systemclock,andterminaldisplay settings.(SettingBasicSwitchPropertiesonpage39) SettingthesystemIPaddress.(setipaddressonpage311) CreatingandenablingVLANs.(Chapter 10) Filemanagementtasks,includinguploadingordownloadingflashortextconfigurationfiles, anddisplayingdirectoryandfilecontents.(ManagingSwitchConfigurationandFileson page337) Configuringtheswitchtoruninroutermode.(EnablingRouterConfigurationModeson page182) Enablingadvancedrouterfeatures.(ActivatingAdvancedRoutingFeaturesonpage201)
    Note: The command prompts used as examples in Table 18-1 and throughout this guide show switch operation for a user in admin (su) access mode, and a system where the VLAN 1 interface has been configured for routing. The prompt changes depending on your current configuration mode, your specific switch, and the interface types and numbers configured for routing on your system.

    SecureStack C2 Configuration Guide

    18-1

    Enabling Router Configuration Modes

    Table 18-1
    Step 1 2 3 4

    Enabling the Switch for Routing


    Type this command... router enable configure interface {vlan vlan-id | loopback loop-id} ip address {ip-address ip-mask} At this prompt... Switch: C2(su)-> Router: C2(su)->router> Router: C2(su)->router# Router: C2(su)>router(Config)# Router: C2(su)->router (Config-if (Vlan 1))# Router: C2(su)->router(Config-if (Vlan 1))# interface on page 19-2 interface on page 19-2 no shutdown on page 19-6 For details, see...

    To do this task... From admin (su) mode, enable router mode. Enable router Privileged EXEC mode. Enable global router configuration mode. Enable interface configuration mode using the routing VLAN or loopback id. Assign an IP address to the routing interface. Enable the interface for IP routing.

    no shutdown

    Example
    ThefollowingexampleshowshowtoconfigureVLAN1onIPaddress182.127.63.1255.255.255.0 asaroutinginterface.
    C2(su)->router C2(su)->router>enable C2(su)->router#configure Enter configuration commands: C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip address 182.127.63.1 255.255.255.0 C2(su)->router(Config-if(Vlan 1))#no shutdown

    Enabling Router Configuration Modes


    TheSecureStackC2CLIprovidesdifferentmodesofrouteroperationforissuingasubsetof commandsfromeachmode.Table 182describesthesemodesofoperation. Table 18-2 Router CLI Configuration Modes
    To... Set system operating parameters Show configuration parameters Save/copy configurations Global Configuration Mode Interface Configuration Mode Set system-wide parameters. Configure router interfaces. Type configure from Privileged EXEC mode. Type interface vlan or loopback and the interfaces id from Global Configuration mode. C2(su)->router (Config)# C2(su)->router(Config-if (Vlan 1))# C2(su)->router(Config-if (Lpbk 1))# Access method... From the switch CLI: Type router, then Type enable. C2(su)->router> C2(su)->router# Resulting Prompt...

    Use this mode... Privileged EXEC Mode

    18-2

    Preparing for Router Mode

    Enabling Router Configuration Modes

    Table 18-2

    Router CLI Configuration Modes (Continued)


    To... Set IP protocol parameters. Access method... Type router and the protocol name (and, for OSPF, the instance ID) from Global or Interface Configuration mode. Resulting Prompt... C2(su)->router(Config-router)#

    Use this mode... Router Configuration Mode

    Note: To jump to a lower configuration mode, type exit at the command prompt. To revert back to switch CLI, type exit from Privileged EXEC router mode.

    SecureStack C2 Configuration Guide

    18-3

    Enabling Router Configuration Modes

    18-4

    Preparing for Router Mode

    19
    IP Configuration
    ThischapterdescribestheInternetProtocol(IP)configurationsetofcommandsandhowtouse them.
    Router: Unless otherwise noted, the commands covered in this chapter can be executed only when the device is in router mode. For details on how to enable router configuration modes, refer to Enabling Router Configuration Modes on page 18-2. For information about... Configuring Routing Interface Settings Reviewing and Configuring the ARP Table Configuring Broadcast Settings Reviewing IP Traffic and Configuring Routes Configuring ICMP Redirects Refer to page... 19-1 19-8 19-12 19-15 19-19

    Configuring Routing Interface Settings


    Purpose
    Toenableroutinginterfaceconfigurationmodeonthedevice,tocreateroutinginterfaces,to reviewtheusabilitystatusofinterfacesconfiguredforIP,tosetIPaddressesforinterfaces,to enableinterfacesforIProutingatdevicestartup,andtoreviewtherunningconfiguration.

    Commands
    For information about... show interface interface show ip interface ip address show running-config no shutdown no ip routing Refer to page... 19-2 19-2 19-4 19-5 19-6 19-6 19-7

    SecureStack C2 Configuration Guide

    19-1

    show interface

    show interface
    Usethiscommandtodisplayinformationaboutoneormoreinterfaces(VLANsorloopbacks) configuredontherouter.

    Syntax
    show interface [vlan vlan-id] [loopback loop-id]

    Parameters
    vlanvlanid (Optional)DisplaysinterfaceinformationforaspecificVLANinterface. ThisinterfacemustbeconfiguredforIProutingasdescribedinPre RoutingConfigurationTasksonpage 181. (Optional)Displaysinterfaceinformationforaspecificloopbackinterface.

    loopbackloopid

    Defaults
    Ifinterfacetypeisnotspecified,informationforallroutinginterfaceswillbedisplayed.

    Mode
    Anyroutermode.

    Examples
    Thisexampleshowshowtodisplayinformationforallinterfacesconfiguredontherouter.Fora detaileddescriptionofthisoutput,refertoTable 191:
    C2(su)->router#show interface Vlan 1 is Administratively DOWN Vlan 1 is Operationally DOWN Mac Address is: 0001.f4da.2cba The name of this device is Vlan 1 The MTU is 1500 bytes The bandwidth is 10000 Mb/s Encapsulation ARPA, Loopback not set ARP type: ARPA, ARP Timeout: 14400 seconds

    Thisexampleshowshowtodisplayinformationforloopbackinterface1.
    C2(su)->router#show interface loopback 1 Loopback 1 is Administratively UP Loopback 1 is Operationally UP Internet Address is 10.1.192.100, Subnet Mask is 255.255.255.0 The name of this device is Loopback 1 The MTU is 1500 bytes

    interface
    UsethiscommandtoconfigureinterfacesforIProuting.

    Syntax
    interface vlan vlan-id | loopback loop-id

    19-2

    IP Configuration

    interface

    Parameters
    vlanvlanid SpecifiesthenumberoftheVLANinterfacetobeconfiguredforrouting. ThisinterfacemustbeconfiguredforIProutingasdescribedinPre RoutingConfigurationTasksonpage 181. Specifiesthenumberoftheloopbackinterfacetobeconfiguredforrouting. Thevalueofloopidcanrangefrom0to7.

    loopbackloopid

    Defaults
    None.

    Mode
    Routerglobalconfigurationmode:C2(su)>router(Config)#

    Usage
    Thiscommandenablesinterfaceconfigurationmodefromglobalconfigurationmode,and,ifthe interfacehasnotpreviouslybeencreated,thiscommandcreatesanewroutinginterface.For detailsonconfigurationmodessupportedbytheSecureStackC2deviceandtheiruses,referto Table 182inEnablingRouterConfigurationModesonpage 182. VLANsmustbecreatedfromtheswitchCLIbeforetheycanbeconfiguredforIProuting.For detailsoncreatingVLANsandconfiguringthemforIP,refertoEnablingRouterConfiguration Modesonpage 182. EachVLANinterfacemustbeconfiguredforroutingseparatelyusingtheinterfacecommand.To endconfigurationononeinterfacebeforeconfiguringanother,typeexitatthecommandprompt. Enablinginterfaceconfigurationmodeisrequiredforcompletinginterfacespecificconfiguration tasks.Foranexampleofhowthesecommandsareused,refertoPreRoutingConfiguration Tasksonpage 181. Aloopbackinterfaceisalwaysexpectedtobeup.Thisinterfacecanprovidethesourceaddressfor sentpacketsandcanreceivebothlocalandremotepackets.Theloopbackinterfaceistypically usedbyroutingprotocols.IfRADIUSisconfiguredwithnohostIPaddressonthedevice,itwill usetheloopbackinterface0IPaddress(ifithasbeenconfigured)asitssourcefortheNASIP attribute. EachSecureStackC2system(stack)cansupportupto24routinginterfaces.Eachinterfacecanbe configuredfortheRIPand/orOSPFroutingprotocols.

    Examples
    ThisexampleshowshowtoenterconfigurationmodeforVLAN1:
    C2(su)->router#configure C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#

    Thisexampleshowshowtoenterconfigurationmodeforloopback1:
    C2(su)->router#configure C2(su)->router(Config)#interface loopback 1 C2(su)->router(Config-if(Lpbk 1))#

    SecureStack C2 Configuration Guide

    19-3

    show ip interface

    show ip interface
    Usethiscommandtodisplayinformation,includingadministrativestatus,IPaddress,MTU (MaximumTransmissionUnit)sizeandbandwidth,andACLconfigurations,forinterfaces configuredforIP.

    Syntax
    show ip interface [vlan vlan-id] [loopback loop-id]

    Parameters
    vlanvlanid (Optional)DisplaysinformationforaspecificVLANinterface.This interfacemustbeconfiguredforIProutingasdescribedinPreRouting ConfigurationTasksonpage 181. (Optional)Displaysinterfaceinformationforaspecificloopbackinterface.

    loopbackloopid

    Defaults
    Ifinterfacetypeisnotspecified,statusinformationforallroutinginterfaceswillbedisplayed.

    Mode
    Anyroutermode.

    Example
    ThisexampleshowshowtodisplayconfigurationinformationforVLAN1:
    C2(su)->router#show ip interface vlan 1 Vlan 1 is Admin DOWN Vlan 1 is Oper DOWN Primary IP Address is 192.168.10.1 Frame Type Ethernet MAC-Address 0001.F45C.C993 Incoming Accesslist is not set Outgoing AccessList is not set MTU is 6145 bytes ARP Timeout is 1 seconds Direct Broadcast Disabled Proxy ARP is Disabled

    Mask 255.255.255.0

    Table 191providesanexplanationofthecommandoutput. Table 19-1


    Output Field Vlan N Primary IP Address Frame Type MAC-Address Incoming Access List

    show ip interface Output Details


    What It Displays... Whether the interface is administratively and operationally up or down. Intefaces primary IP address and mask. Set using the ip address command as described in ip address on page 19-5. Encapsulation type used by this interface. Set using the arp command as described in arp on page 19-9. MAC address mapped to this interface. Whether or not an access control list (ACL) has been configured for ingress on this interface using the commands described in Configuring Access Lists on page 23-75.

    19-4

    IP Configuration

    ip address

    Table 19-1
    Output Field

    show ip interface Output Details (Continued)


    What It Displays... Not supported. Interfaces Maximum Transmission Unit size. Duration for entries to stay in the ARP table before expiring. Set using the arp timeout command as described in arp timeout on page 19-11. Whether or not IP directed broadcast is enabled. Set using the ip directed-broadcast command described in ip directed-broadcast on page 19-12. Whether or not proxy ARP is enabled or disabled for this interface. Set using the ip proxy arp command as described in ip proxy-arp on page 19-10.

    Outgoing Access List MTU ARP Timeout Direct Broadcast Proxy Arp

    ip address
    Usethiscommandtoset,remove,ordisableaprimaryorsecondaryIPaddressforaninterface. ThenoformofthiscommandremovesthespecifiedIPaddressanddisablestheinterfaceforIP processing.

    Syntax
    ip address ip-address ip-mask [secondary] no ip address ip-address ip-mask

    Parameters
    ipaddress ipmask secondary SpecifiestheIPaddressoftheinterfacetobeaddedorremoved. SpecifiesthemaskfortheassociatedIPsubnet. (Optional)SpecifiesthattheconfiguredIPaddressisasecondaryaddress.

    Defaults
    Ifsecondaryisnotspecified,theconfiguredaddresswillbetheprimaryaddressfortheinterface.

    Mode
    Routerinterfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Usage
    EachSecureStackC2systemsupportsupto24routinginterfaces,withupto8secondary addressesallowedforeachprimaryIPaddress.

    Example
    ThisexamplesetstheIPaddressto192.168.1.1andthenetworkmaskto255.255.255.0forVLAN1:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip address 192.168.1.1 255.255.255.0

    SecureStack C2 Configuration Guide

    19-5

    show running-config

    show running-config
    Usethiscommandtodisplaythenondefault,usersuppliedcommandsenteredwhileconfiguring thedevice.

    Syntax
    show running-config

    Parameters
    None.

    Defaults
    None.

    Mode
    Anyroutermode.

    Example
    Thisexampleshowshowtodisplaythecurrentrouteroperatingconfiguration:
    C2(su)->router#show running-config ! interface vlan 10 ip address 99.99.2.10 255.255.255.0 no shutdown ! router ospf 1 network 99.99.2.0 0.0.0.255 area 0.0.0.0 network 192.168.100.1 0.0.0.0 area 0.0.0.0

    no shutdown
    UsethiscommandtoenableaninterfaceforIProutingandtoallowtheinterfacetoautomatically beenabledatdevicestartup.

    Syntax
    no shutdown shutdown

    Parameters
    None.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Usage
    TheshutdownformofthiscommanddisablesaninterfaceforIProuting.
    19-6 IP Configuration

    no ip routing

    Example
    ThisexampleshowshowtoenableVLAN1forIProuting:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#no shutdown

    no ip routing
    UsethiscommandtodisableIProutingonthedevice.Bydefault,IProutingisenabledwhen interfacesareconfiguredforitasdescribedinConfiguringRoutingInterfaceSettingson page 191.

    Syntax
    no ip routing

    Parameters
    None.

    Mode
    Globalconfiguration:C2(su)>router(Config)#

    Defaults
    None.

    Example
    This example shows how to disable IP routing on the device:
    C2(su)->router(Config)#no ip routing

    SecureStack C2 Configuration Guide

    19-7

    Reviewing and Configuring the ARP Table

    Reviewing and Configuring the ARP Table


    Purpose
    ToreviewandconfiguretheroutingARPtable,toenableproxyARPonaninterface,andtoseta MACaddressonaninterface.

    Commands
    For information about... show ip arp arp ip proxy-arp arp timeout clear arp-cache Refer to page... 19-8 19-9 19-10 19-11 19-11

    show ip arp
    UsethiscommandtodisplayentriesintheARP(AddressResolutionProtocol)table.ARP convertsanIPaddressintoaphysicaladdress.

    Syntax
    show ip arp [ip-address]|[vlan vlan-id]|[output-modifier]

    Parameters
    ipaddress vlanvlanid (Optional)DisplaysARPentriesrelatedtoaspecificIPaddress. (Optional)DisplaysonlyARPentrieslearnedthroughaspecificVLAN interface.ThisVLANmustbeconfiguredforIProutingasdescribedin PreRoutingConfigurationTasksonpage 181. (Optional)DisplaysARPentrieswithinaspecificrange.Optionsare: |beginipaddressDisplaysonlyARPentriesthatbeginwiththe specifiedIPaddress. |excludeipaddressExcludesARPentriesmatchingthespecified IPaddress. |includeipaddressIncludesARPentriesmatchingthespecified IPaddress.

    outputmodifier

    Defaults
    Ifnoparametersarespecified,allentriesintheARPcachewillbedisplayed.

    Mode
    Anyroutermode.

    19-8

    IP Configuration

    arp

    Example
    Thisexampleshowshowtousetheshowiparpcommand:
    C2(su)->router#show ip arp Protocol Address Age (min) Hardware Addr Type Interface

    -----------------------------------------------------------------------------Internet Internet Internet 134.141.235.251 134.141.235.165 134.141.235.167 0 4 0003.4712.7a99 0002.1664.a5b3 00d0.cf00.4b74 ARPA ARPA ARPA Vlan1 Vlan1 Vlan2

    C2(su)->router#show ip arp 134.141.235.165 Protocol Address Age (min) Hardware Addr Type Interface

    -----------------------------------------------------------------------------Internet 134.141.235.165 0002.1664.a5b3 ARPA Vlan2

    C2(su)->router#show ip arp vlan 2 Protocol Address Age (min) Hardware Addr Type Interface

    -----------------------------------------------------------------------------Internet 134.141.235.251 0 0003.4712.7a99 ARPA Vlan2

    Table 192providesanexplanationofthecommandoutput. Table 19-2


    Output Field Protocol Address Age (min) Hardware Addr Type Interface

    show ip arp Output Details


    What It Displays... ARP entrys type of network address. Network address mapped to the entrys MAC address. Interval (in minutes) since the entry was entered in the table. MAC address mapped to the entrys network address. Encapsulation type used for the entrys network address. Interface (VLAN or loopback) through which the entry was learned.

    arp
    Usethiscommandtoaddorremovepermanent(static)ARPtableentries.Upto1,000staticARP entriesaresupportedperSecureStackC2system.AmulticastMACaddresscanbeusedinastatic ARPentry.ThenoformofthiscommandremovesthespecifiedpermanentARPentry:

    Syntax
    arp ip-address mac-address no arp ip-address

    Parameters
    ipaddress macaddress SpecifiestheIPaddressofadeviceonthenetwork.ValidvaluesareIP addressesindotteddecimalnotation. Specifiesthe48bithardwareaddresscorrespondingtotheipaddress expressedinhexadecimalnotation.
    SecureStack C2 Configuration Guide 19-9

    ip proxy-arp

    Defaults
    None.

    Mode
    Globalconfiguration:C2(su)>router(Config)#

    Usage
    TheIPaddressspecifiedforthestaticARPentrymustfallwithinoneofthesubnetsornetworks definedontheroutedinterfacesofthesystem(orstack,ifapplicable).Thesystemcanthenmatch theIPaddressofthestaticARPentrywiththeappropriateroutedinterfaceandassociateitwith thecorrectVLAN.

    Example
    ThisexampleshowshowtoaddapermanentARPentryfortheIPaddress130.2.3.1andMAC address0003.4712.7a99:
    C2(su)->router(Config)#arp 130.2.3.1 0003.4712.7a99

    ip proxy-arp
    UsethiscommandtoenableproxyARPonaninterface.Thenoformofthiscommanddisables proxyARP.

    Syntax
    ip proxy-arp no ip proxy-arp

    Parameters
    None.

    Defaults
    Disabled.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Usage
    ThisvariationoftheARPprotocolallowstheroutertosendanARPresponseonbehalfofanend nodetotherequestinghost.ProxyARPcanbeusedtoresolveroutingissuesonendstationsthat areunabletorouteinthesubnettedenvironment.TheSecureStackC2willanswertoARP requestsonbehalfoftargetedendstationsonneighboringnetworks.Itisdisabledbydefault.

    Example
    ThisexampleshowshowtoenableproxyARPonVLAN1:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip proxy-arp

    19-10

    IP Configuration

    arp timeout

    arp timeout
    Usethiscommandtosettheduration(inseconds)fordynamicallylearnedentriestoremaininthe ARPtablebeforeexpiring.Thenoformofthiscommandrestoresthedefaultvalueof14,400 seconds.
    arp timeout seconds no arp timeout

    Parameters
    seconds SpecifiesthetimeinsecondsthatanentryremainsintheARPcache.Valid valuesare065535.Avalueof0specifiesthatARPentrieswillneverbe agedout.

    Defaults
    14,400seconds.

    Mode
    Globalconfiguration:C2(su)>router(Config)#

    Example
    ThisexampleshowshowtosettheARPtimeoutto7200seconds:
    C2(su)->router(Config)#arp timeout 7200

    clear arp-cache
    Usethiscommandtodeleteallnonstatic(dynamic)entriesfromtheARPtable.
    clear arp-cache

    Parameters
    None.

    Mode
    PrivilegedEXEC:C2(su)>router#

    Defaults
    None.

    Example
    ThisexampleshowshowtodeletealldynamicentriesfromtheARPtable:
    C2(su)->router#clear arp-cache

    SecureStack C2 Configuration Guide

    19-11

    Configuring Broadcast Settings

    Configuring Broadcast Settings


    Purpose
    ToconfigureIPbroadcastsettings.Bydefault,interfacesontheSecureStackC2donotforward broadcastpackets.

    Commands
    For information about... ip directed-broadcast ip forward-protocol ip helper-address Refer to page... 19-12 19-13 19-14

    ip directed-broadcast
    UsethiscommandtoenableordisableIPdirectedbroadcastsonaninterface.Bydefault, interfacesontheSecureStackC2donotforwarddirectedbroadcasts.Thenoformofthis commanddisablesIPdirectedbroadcastontheinterface.

    Syntax
    ip directed-broadcast no ip directed-broadcast

    Parameters
    None.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>Router1(Configif(Vlan1))#

    Usage
    Directedbroadcastisanefficientmechanismforcommunicatingwithmultiplehostsonanetwork whileonlytransmittingasingledatagram.Adirectedbroadcastisapacketsenttoallhostsona specificnetworkorsubnet.Thedirectedbroadcastaddressincludesthenetworkorsubnetfields, withthebinarybitsofthehostportionoftheaddresssettoone.Forexample,foranetworkwith theaddress192.168.0.0/16,thedirectedbroadcastaddresswouldbe192.168.255.255.Forasubnet withtheaddress192.168.12.0/24,thedirectedbroadcastaddresswouldbe192.168.12.255. InordertominimizebroadcastDoSattacks,forwardingofdirectedbroadcastsisdisabledby defaultontheSecureStackC2,asrecommendedbyRFC2644. Iftheabilitytosenddirectedbroadcaststoanetworkisrequired,youshouldenabledirected broadcastsonlyontheoneinterfacethatwillbetransmittingthedatagrams.Forexample,ifa SecureStackC2hasfiveroutedinterfacesforthe10,20,30,40,and50networks,enablingdirected

    19-12

    IP Configuration

    ip forward-protocol

    broadcastonlyonthe30networkinterfacewillallowanyonefromanyothernetworks(10,20,40, 50)tosenddirectedbroadcasttothe30network.

    Example
    ThisexampleshowshowtoenableIPdirectedbroadcastsonVLAN1:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip directed-broadcast

    ip forward-protocol
    UsethiscommandtoenableUDPbroadcastforwardingandspecifywhichprotocolswillbe forwarded.

    Syntax
    ip forward-protocol udp [port] no ip forward-protocol udp [port]

    Parameters
    udp port SpecifiesUDPastheIPforwardingprotocol. (Optional)SpecifiesadestinationportthatcontrolswhichUDPservices areforwarded.

    Defaults
    Ifportisnotspecified,thefollowingdefaultsareused: TrivialFileTransferProtocol(TFTP)(port69) DomainNamingSystem(port53) Timeservice(port37) NetBIOSNameServer(port137) NetBIOSDatagramServer(port138) TACACSservice(port49) EN116NameService(port42)

    Mode
    Routercommand,Globalconfiguration:C2(su)>router(Config)# Routerinterfaceconfiguration:C2(su)>router(Configif(Vlan1)#

    Usage
    Inordertoactuallyforwardprotocols,youmustconfigureanIPhelperaddressontheindividual routerinterfaceswiththecommandiphelperaddress(page 1914). Ifacertainserviceexistsinsidethenode,andthereisnoneedtoforwardtherequesttoremote networks,thenoformofthiscommandshouldbeusedtodisabletheforwardingforthespecific port.Suchrequestswillnotbeautomaticallyblockedfrombeingforwardedjustbecauseaservice forthemexistsinthenode. ThenoformofthiscommandremovesaUDPportorprotocol,disablingforwarding.

    SecureStack C2 Configuration Guide

    19-13

    ip helper-address

    Examples
    ThefollowingexamplegloballydisablesIPforwardingforUDPport69.
    C2(su)->router(Config)#no ip forward-protocol udp 69

    ThefollowingexampledisablesIPforwardingforUDPport69onaspecificinterface.
    C2(su)->router(Config)#interface vlan 10 C2(su)->router(Config-if(Vlan 10))#no ip forward-protocol udp 69

    ip helper-address
    UsethiscommandtoenabletheDHCP/BOOTPrelayagentonaSecureStackC2routedinterface. EnablingtherelayagentallowsforwardingofclientDHCP/BOOTPrequeststoaDHCP/BOOTP serverthatdoesnotresideonthesamebroadcastdomainastheclient.Upto6IPhelperaddresses maybeconfiguredperinterface. ThenoformofthiscommanddisablestheforwardingofUDPdatagramstothespecifiedaddress.

    Syntax
    ip helper-address address no ip helper-address address

    Parameters
    address AddressofthehostwhereUDPbroadcastpacketsshouldbeforwarded.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>Router1(Configif(Vlan1))#

    Usage
    WhenahostrequestsanIPaddress,itsendsoutaDHCPbroadcastpacket.Normally,therouter dropsallbroadcastpackets.However,byexecutingthiscommand,youenabletherouted interfacetopassDHCPbroadcastframesthrough,sendingthemdirectlytotheremoteDHCP serversIPaddress. TheDHCP/BOOTPrelayagentwilldetectDHCP/BOOTPrequestsbasedonUDPsourceand destinationports.Itwillthenmakethenecessarychangestothepacketandsendthepackettothe DHCPserver.Thechangesinclude: ReplacingthedestinationIPaddresswiththeaddressoftheDHCPserver, ReplacingthesourceIPaddresswithitsownaddress(thatis,theIPaddressofthelocal routedinterface),and WithintheBOOTPpartofthepacket,changingtheRelayAgentIPaddressfrom0.0.0.0tothe addressofthelocalroutedinterface.

    ThelastchangetotheBootPpackettellstheDHCPserverthatitneedstoassignanIPaddress thatisinthesamesubnetastheRelayAgentIP.Whentheresponsecomesfromtheserver,the DHCP/BOOTPrelayagentsendsittothehost.

    19-14

    IP Configuration

    Reviewing IP Traffic and Configuring Routes

    Example
    ThisexampleshowhowtohaveallclientDHCPrequestsforusersinVLAN1tobeforwardedto theremoteDHCPserverwithIPaddress192.168.1.28.
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip helper-address 192.168.1.28

    Reviewing IP Traffic and Configuring Routes


    Purpose
    ToreviewIPtrafficandconfigureroutes,tosendrouterICMP(ping)messages,andtoexecute traceroute.

    Commands
    For information about... show ip route ip route ping traceroute Refer to page... 19-15 19-17 19-17 19-18

    show ip route
    UsethiscommandtodisplayinformationaboutIProutes.

    Syntax
    show ip route [destination-prefix [destination-prefix-match] | connected | ospf | rip | static | summary]

    Parameters
    destinationprefix destinationprefix match connected ospf rip static summary (Optional)Convertsthespecifiedaddressandmaskintoaprefixand displaysanyroutesthatmatchtheprefix. (Optional)Displaysconnectedroutes. (Optional)DisplaysroutesconfiguredfortheOSPFroutingprotocol.For detailsonconfiguringOSPF,refertoConfiguringOSPFonpage 2011. (Optional)DisplaysroutesconfiguredfortheRIProutingprotocol.For detailsonconfiguringRIP,refertoConfiguringRIPonpage 201. (Optional)Displaysstaticroutes. (Optional)DisplaysasummaryoftheIProutingtable.

    Defaults
    Ifnoparametersarespecified,allIProuteinformationwillbedisplayed.

    SecureStack C2 Configuration Guide

    19-15

    show ip route

    Mode
    Anyroutermode.

    Usage
    Theroutingtablecontainsallactivestaticroutes,alltheRIProutes,anduptothreebestOSPF routeslearnedforeachnetwork.

    Example
    ThisexampleshowshowtousetheshowiproutecommandtodisplayallIProuteinformation.A portionoftheoutputisshown:
    C2(su)->router#show ip route Codes: C - connected, S - static, R - RIP, O - OSPF, IA - OSPF interarea N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 E - EGP, i - IS-IS, L1 - IS-IS level-1, LS - IS-IS level-2 * - candidate default, U - per user static route IA O O C O O O E2 IA IA E2 O C O O E2 E2 IA E2 E2 E2 O E2 O E2 E2 O O IA IA IA O IA E2 E2 C O E2 C O 1.255.255.248/29 [10/30] via 168.0.0.249, Vlan 3205 2.0.0.0/10 [8/30] via 168.1.0.254, Vlan 1200 2.224.0.0/11 [8/30] via 168.1.0.254, Vlan 1200 7.15.0.0/24 [0/0] directly connected, Vlan 715 11.11.12.12/32 [8/30] via 168.0.0.249, Vlan 3205 11.11.13.13/32 [8/10] via 168.1.0.249, Vlan 1300 11.11.16.16/32 [8/20] via 168.0.0.249, Vlan 3205 11.11.17.17/32 [150/20] via 168.0.0.249, Vlan 3205 11.11.21.21/32 [10/30] via 168.0.0.249, Vlan 3205 11.11.22.22/32 [10/30] via 168.0.0.249, Vlan 3205 11.11.24.24/32 [150/20] via 168.0.0.249, Vlan 3205 11.11.25.25/32 [8/20] via 168.0.0.249, Vlan 3205 11.11.26.26/32 [0/0] directly connected, Loopback 0 11.11.27.27/32 [8/10] via 168.1.0.254, Vlan 1200 11.11.28.28/32 [8/20] via 168.1.0.254, Vlan 1200 12.0.0.0/17 [150/20] via 168.0.0.249, Vlan 3205 19.0.0.0/30 [150/20] via 168.0.0.249, Vlan 3205 20.0.0.0/24 [10/40] via 168.0.0.249, Vlan 3205 22.22.0.0/16 [150/20] via 168.0.0.249, Vlan 3205 22.22.10.0/24 [150/20] via 168.0.0.249, Vlan 3205 22.22.12.0/24 [150/20] via 168.0.0.249, Vlan 3205 22.22.13.0/24 [8/30] via 168.1.0.254, Vlan 1200 22.22.14.0/24 [150/20] via 168.0.0.249, Vlan 3205 22.22.15.0/24 [8/20] via 168.1.0.249, Vlan 1300 via 168.1.0.254, Vlan 1200 22.22.16.0/24 [150/20] via 168.0.0.249, Vlan 3205 22.22.17.0/24 [150/20] via 168.0.0.249, Vlan 3205 22.22.18.0/24 [8/30] via 168.1.0.254, Vlan 1200 22.22.19.0/24 [8/20] via 168.1.0.249, Vlan 1300 via 168.1.0.254, Vlan 1200 22.22.20.0/24 [10/40] via 168.0.0.249, Vlan 3205 22.22.21.0/24 [10/50] via 168.0.0.249, Vlan 3205 22.22.22.0/24 [10/30] via 168.0.0.249, Vlan 3205 22.22.23.0/24 [8/30] via 168.0.0.249, Vlan 3205 22.22.24.0/24 [10/40] via 168.0.0.249, Vlan 3205 22.22.25.0/24 [150/20] via 168.0.0.249, Vlan 3205 22.22.26.0/24 [150/20] via 168.0.0.249, Vlan 3205 22.22.27.0/24 [0/0] directly connected, Vlan 4027 22.22.28.0/24 [8/20] via 168.1.0.249, Vlan 1300 via 168.1.0.254, Vlan 1200 22.22.29.0/24 [150/20] via 168.0.0.249, Vlan 3205 26.0.0.0/8 [0/0] directly connected, Vlan 26 33.9.8.0/28 [8/20] via 168.1.0.254, Vlan 1200

    19-16

    IP Configuration

    ip route

    E2

    33.33.0.0/16 [150/20] via 168.0.0.249, Vlan 3205

    ip route
    UsethiscommandtoaddorremoveastaticIProute.Thenoformofthiscommandremovesthe staticIProute.
    ip route prefix mask dest-addr [distance] no ip route prefix mask forward-addr

    Parameters
    prefix mask destaddr distance SpecifiesadestinationIPaddressprefix. Specifiesadestinationprefixmask. Specifiesaforwarding(gateway)IPaddress. (Optional)Specifiesanadministrativedistancemetricforthisroute.Valid valuesare1(default)to255.Routeswithlowervaluesreceivehigher preferenceinrouteselection.

    Defaults
    Ifdistanceisnotspecified,thedefaultvalueof1willbeapplied.

    Mode
    Globalconfiguration:C2(su)>router(Config)#

    Example
    ThisexampleshowshowtosetIPaddress10.1.2.3asthenexthopgatewaytodestinationaddress 10.0.0.0:
    C2(su)->router(Config)#ip route 10.0.0.0 255.0.0.0 10.1.2.3

    ping
    UsethiscommandtotestroutingnetworkconnectivitybysendingIPpingrequests.

    Syntax
    ping ip-address

    Parameters
    ipaddress SpecifiestheIPaddressofthesystemtoping.

    Defaults
    None.

    Mode
    PrivilegedEXEC:C2(su)>router#

    SecureStack C2 Configuration Guide

    19-17

    traceroute

    Usage
    Thiscommandisalsoavailableinswitchmode.

    Examples
    ThisexampleshowsoutputfromasuccessfulpingtoIPaddress182.127.63.23:
    C2(su)->router#ping 182.127.63.23 182.127.63.23 is alive

    ThisexampleshowsoutputfromanunsuccessfulpingtoIPaddress182.127.63.24:
    C2(su)->router#ping 182.127.63.24 no answer from 182.127.63.24

    traceroute
    UsethiscommandtodisplayahopbyhoppaththroughanIPnetworkfromthedevicetoa specificdestinationhost.ThreeICMPprobeswillbetransmittedforeachhopbetweenthesource andthetraceroutedestination.

    Syntax
    traceroute host

    Parameters
    host SpecifiesahosttowhichtherouteofanIPpacketwillbetraced.

    Defaults
    None.

    Mode
    PrivilegedEXEC:C2(su)>router#

    Usage
    Thereisalsoatraceroutecommandavailableinswitchmode.

    Example
    Thisexampleshowshowtousetraceroutetodisplayaroundtrippathtohost192.141.90.183.
    C2(su)->router#traceroute 192.141.90.183 Traceroute to 192.141.90.183, 30 hops max, 40 byte packets 1 10.1.56.1 0.000 ms 0.000 ms 2 10.1.48.254 10.000 ms 0.000 ms 3 10.1.0.2 0.000 ms 0.000 ms 4 192.141.89.17 0.000 ms 0.000 ms 5 192.141.100.13 0.000 ms 10.000 ms 6 192.141.100.6 0.000 ms 0.000 ms 7 192.141.90.183 0.000 ms 0.000 ms

    0.000 0.000 0.000 10.000 0.000 10.000 0.000

    ms ms ms ms ms ms ms

    19-18

    IP Configuration

    Configuring ICMP Redirects

    Configuring ICMP Redirects


    Purpose
    DisableorenablesendingICMPredirectpacketstotheswitchCPUforprocessing,ataglobal levelandataninterfacelevel.Bydefault,sendingICMPredirectsisenabledgloballyandonall interfaces.DisablingsendingICMPredirectscanreduceCPUusageincertaindeployments.

    Commands
    For information about... ip icmp redirect enable show ip icmp redirect Refer to page... 19-19 19-20

    ip icmp redirect enable


    UsethiscommandtoenableordisablesendingICMPredirectstotheCPUforprocessingona globalleveloronaspecificinterface.ThenoformofthiscommanddisablessendingICMP redirectstotheCPU.

    Syntax
    ip icmp redirect enable no ip icmp redirect enable

    Parameters
    None.

    Defaults
    Bydefault,sendingICMPredirectstotheCPUisenabledgloballyandonallinterfaces.

    Mode
    Routerglobalconfigurationmode:C2(su)>router(Config)# Interfaceconfigurationmode:C2(su)>Router1(Configif(Vlan1))#

    Usage
    YoucanusethiscommandinrouterglobalconfigurationmodetoenableordisablesendingICMP redirectsgloballyontheswitch. Youcanusethiscommandinrouterinterfaceconfigurationmodetoenableordisablesending ICMPredirectsonlyonspecificinterfaces.

    Examples
    ThisexampledisablessendingICMPredirectsontheinterfaceVLAN5.
    C2(su)->router#configure C2(su)->router(Config)#interface vlan 5 C2(su)->Router1(Config-if(Vlan 5))# no ip icmp redirect enable

    SecureStack C2 Configuration Guide

    19-19

    show ip icmp redirect

    ThisexampledisablessendingICMPredirectsglobally.
    C2(su)->router#configure C2(su)->router(Config)#no ip icmp redirect enable

    show ip icmp redirect


    UsethiscommandtodisplaythestatusofsendingICMPredirectsataglobalorinterfacelevel.

    Syntax
    show ip icmp redirect {status | interface [vlan vlan-id]}

    Parameters
    status interface vlanvlanid DisplaytheglobalICMPredirectstatus. DisplayICMPredirectstatusforinterfaces. (Optional)DisplayICMPredirectstatusforthespecifiedVLAN.

    Defaults
    IfnoVLANisspecifiedwiththeinterfaceparameter,informationforallVLANinterfacesis displayed.

    Mode
    PrivilegedEXECmode:C2(su)>router# Routerglobalconfigurationmode:C2(su)>router(Config)#

    Examples
    ThisexampledisplaystheglobalICMPredirectstatus.
    C2(su)->router#show ip icmp redirect status Global ICMP Redirect status - Enabled

    ThisexampledisplaystheICMPredirectstatusforVLAN5.
    C2(su)->router#show ip icmp redirect interface vlan 5 Vlan Id Admin Status -----------------5 Enabled

    19-20

    IP Configuration

    20
    IPv4 Routing Protocol Configuration
    ThischapterdescribestheIPv4RoutingProtocolConfigurationsetofcommandsandhowtouse them.
    Router: The commands covered in this chapter can be executed only when the device is in router mode. For details on how to enable router configuration modes, refer to Enabling Router Configuration Modes on page 18-2. For information about... Activating Advanced Routing Features Configuring RIP Configuring OSPF Configuring DVMRP Configuring IRDP Configuring VRRP Configuring PIM-SM Refer to page... 20-1 20-1 20-11 20-33 20-37 20-42 20-49

    Activating Advanced Routing Features


    Inordertoenableadvancedroutingprotocols,suchasOSPF,DVMRP,VRRP,andPIMSM,ona SecureStackC2device,youmustpurchaseandactivatealicensekey.Ifyouhavepurchasedan advancedroutinglicense,andhaveenabledroutingonthedevice,youcanactivateyourlicenseas describedinthechapterentitledActivatingLicensedFeatures.Ifyouwishtopurchasean advancedroutinglicense,contactEnterasysNetworksSales.
    Note: The command prompts used in examples throughout this guide show a system where the VLAN 1 interface has been configured for routing. The prompt changes depending on your current configuration mode, your specific device, and the interface types and numbers configured for routing on your system.

    Configuring RIP
    Purpose
    ToenableandconfiguretheRoutingInformationProtocol(RIP).

    SecureStack C2 Configuration Guide

    20-1

    router rip

    RIP Configuration Task List and Commands


    Table 201liststhetasksandcommandsassociatedwithRIPconfiguration.Commandsare describedintheassociatedsectionasshown. Table 20-1
    To do this... Enable RIP configuration mode. Enable RIP on an interface. Configure an administrative distance. Allow reception of a RIP version. Allow transmission of a RIP version. Configure RIP simple authentication. Configure RIP encrypted authentication. Disable automatic route summarization (necessary for enabling CIDR) Activate split horizon or poison-reverse. Suppress sending routing updates. Control reception of routing updates Control advertising non-RIP routes.

    RIP Configuration Task List and Commands


    Use these commands... router rip on page 20-2 ip rip enable on page 20-3 distance on page 20-3 ip rip send version on page 20-4 ip rip receive version on page 20-5 ip rip authentication-key on page 20-5 ip rip message-digest-key on page 20-6 no auto-summary on page 20-6 split-horizon poison on page 20-7 passive-interface on page 20-8 receive-interface on page 20-8 redistribute on page 20-9

    router rip
    UsethiscommandtoenableordisableRIPconfigurationmode.Thenoformofthiscommand disablesRIP.

    Syntax
    router rip no router rip

    Parameters
    None.

    Defaults
    None.

    Mode
    Globalconfiguration:C2(su)>router(Config)#

    Usage
    YoumustexecutetherouterripcommandtoenabletheprotocolbeforecompletingmanyRIP specificconfigurationtasks.Fordetailsonenablingconfigurationmodes,refertoTable 182in EnablingRouterConfigurationModesonpage182.

    20-2

    IPv4 Routing Protocol Configuration

    ip rip enable

    Example
    ThisexampleshowshowtoenableRIP:
    C2(su)->router#configure C2(su)->router(Config)#router rip C2(su)->router(Config-router)#

    ip rip enable
    UsethiscommandtoenableRIPonaninterface.ThenoformofthiscommanddisablesRIPonan interface:Bydefault,RIPisdisabledonallinterfaces.

    Syntax
    ip rip enable no ip rip enable

    Parameters
    None.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtoenableRIPontheVLAN1interface:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip rip enable

    distance
    UsethiscommandtoconfiguretheadministrativedistanceforRIProutes.Thenoformofthis commandresetsRIPadministrativedistancetothedefaultvalueof120.

    Syntax
    distance weight no distance [weight]

    Parameters
    weight SpecifiesanadministrativedistanceforRIProutes.Validvaluesare1255.

    Defaults
    None.

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    SecureStack C2 Configuration Guide

    20-3

    ip rip send version

    Usage
    Ifseveralroutes(comingfromdifferentprotocols)arepresentedtotheSecureStackC2,the protocolwiththelowestadministrativedistancewillbechosenforrouteinstallation.Bydefault, RIPadministrativedistanceissetto120.Thedistancecommandcanbeusedtochangethisvalue, resettingRIPsroutepreferenceinrelationtootherroutesasshowninthetablebelow.
    Route Source Connected Static OSPF RIP Default Distance 0 1 110 120

    Example
    ThisexampleshowshowtochangethedefaultadministrativedistanceforRIPto1001:
    C2(su)->router(Config)#router rip C2(su)->router(Config-router)#distance 100

    ip rip send version


    UsethiscommandtosettheRIPversionforRIPupdatepacketstransmittedoutaninterface.The noversionofthiscommandsetstheversionoftheRIPupdatepacketstoRIPv1.

    Syntax
    ip rip send version {1 | 2 | r1compatible} no ip rip send version

    Parameters
    1 2 r1compatible SpecifiesRIPversion1.Thisisthedefaultsetting. SpecifiesRIPversion2. Specifiesthatpacketsbesentasversion2packets,buttransmitstheseas broadcastpacketsratherthanmulticastpacketssothatsystemswhichonly understandRIPversion1canreceivethem.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtosettheRIPsendversionto2forpacketstransmittedontheVLAN1 interface:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip rip send version 2

    20-4

    IPv4 Routing Protocol Configuration

    ip rip receive version

    ip rip receive version


    UsethiscommandtosettheRIPversion(s)forRIPupdatepacketsacceptedonaninterface.The noversionofthiscommandsetstheacceptablereceiveversionoftheRIPupdatepacketstoRIPv1.

    Syntax
    ip rip receive version {1 | 2 | 1 2 | none} no ip rip receive version

    Parameters
    1 2 12 none SpecifiesRIPversion1.Thisisthedefaultsetting. SpecifiesRIPversion2. SpecifiesRIPversions1and2. SpecifiesthatnoRIProuteswillbeprocessedonthisinterface.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Defaults
    None.

    Example
    ThisexampleshowshowtosettheRIPreceiveversionto2forupdatepacketsreceivedonthe VLAN1interface:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip rip receive version 2

    ip rip authentication-key
    UsethiscommandtoenableordisableaRIPauthenticationkey(password)foruseonan interface.ThenoformofthiscommandpreventsRIPfromusingauthentication.

    Syntax
    ip rip authentication-key name no ip rip authentication-key

    Parameters
    name SpecifiesthepasswordtoenableordisableforRIPauthentication.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    SecureStack C2 Configuration Guide

    20-5

    ip rip message-digest-key

    Example
    ThisexampleshowshowtosettheRIPauthenticationkeychaintopasswordontheVLAN1 interface:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip rip authentication-key password

    ip rip message-digest-key
    UsethiscommandtoenableordisableaRIPMD5authenticationkey(password)foruseonan interface.ThenoformofthiscommandpreventsRIPfromusingauthentication.

    Syntax
    ip rip message-digest-key keyid md5 key no ip rip message-digest-key keyid

    Parameters
    keyid md5 key SpecifiesthekeyIDtoenableordisableforRIPauthentication.Validvalues are1to255. SpecifiesuseoftheMD5algorithm. SpecifiestheRIPauthenticationpassword.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Defaults
    None.

    Examples
    ThisexampleshowshowtosettheMD5authenticationIDto5fortheRIPauthenticationkeyset ontheVLAN1interface:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip rip message-digest-key 5 md5 password

    no auto-summary
    Usethiscommandtodisableautomaticroutesummarization.

    Syntax
    no auto-summary auto-summary

    Parameters
    None.

    Defaults
    None.

    20-6

    IPv4 Routing Protocol Configuration

    split-horizon poison

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    Usage
    Bydefault,RIPversion2supportsautomaticroutesummarization,whichsummarizes subprefixestotheclassfulnetworkboundarywhencrossingnetworkboundaries.Disabling automaticroutesummarizationenablesCIDR,allowingRIPtoadvertiseallsubnetsandhost routinginformationontheSecureStackC2device.Toverifywhichroutesaresummarizedforan interface,usetheshowiproutecommandasdescribedinshowiprouteonpage1915.The reverseofthecommandreenablesautomaticroutesummarization.Bydefault,RIPauto summarizationaffectsbothRIPv1andRIPv2routes.

    Note: This command is necessary for enabling CIDR for RIP on the SecureStack C2 device.

    Example
    ThisexampleshowshowtodisableRIPautomaticroutesummarization:
    C2(su)->router(Config)#router rip C2(su)->router(Config-router)#no auto-summary

    split-horizon poison
    UsethiscommandtoenableordisablesplithorizonpoisonreversemodeforRIPpackets.Theno formofthiscommanddisablessplithorizonpoisonreverse.

    Syntax
    split-horizon poison no split-horizon poison

    Parameters
    None.

    Defaults
    None.

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    Usage
    Splithorizonpreventsanetworkfrombeingadvertisedoutthesameinterfaceitwasreceivedon. Thisfunctionisdisabledbydefault.

    Example
    ThisexampleshowshowtodisablesplithorizonpoisonreverseforRIPpacketstransmittedon theVLAN1interface:
    C2(su)->router(Config)#router rip C2(su)->Router1(Config-router)#no split-horizon poison

    SecureStack C2 Configuration Guide

    20-7

    passive-interface

    passive-interface
    UsethiscommandtopreventRIPfromtransmittingupdatepacketsonaninterface.Thenoform ofthiscommanddisablespassiveinterface.

    Syntax
    passive-interface vlan vlan-id no passive-interface vlan vlan-id

    Parameters
    vlanvlanid SpecifiesthenumberoftheVLANtomakeapassiveinterface.ThisVLAN mustbeconfiguredforIProutingasdescribedinPreRouting ConfigurationTasksonpage181.

    Defaults
    None.

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    Usage
    ThiscommanddoesnotpreventRIPfrommonitoringupdatesontheinterface.

    Example
    ThisexampleshowshowtosetVLAN2asapassiveinterface.NoRIPupdateswillbetransmitted onVLAN2:
    C2(su)->router(Config)#router rip C2(su)->router(Config-router)#passive-interface vlan 2

    receive-interface
    UsethiscommandtoallowRIPtoreceiveupdatepacketsonaninterface.Thenoformofthis commanddeniesthereceptionofRIPupdates.Bydefault,receivingisenabledonallrouting interfaces.

    Syntax
    receive-interface vlan vlan-id no receive-interface vlan vlan-id

    Parameters
    vlanvlanid SpecifiesthenumberoftheVLANtomakeareceiveinterface.ThisVLAN mustbeconfiguredforIProutingasdescribedinPreRouting ConfigurationTasksonpage181.

    Defaults
    None.

    20-8

    IPv4 Routing Protocol Configuration

    redistribute

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    Usage
    ThiscommanddoesnotaffectthesendingofRIPupdatesonthespecifiedinterface.

    Example
    ThisexampleshowshowtodenythereceptionofRIPupdatesonVLAN2:
    C2(su)->router(Config)#router rip C2(su)->router(Config-router)#no receive-interface vlan 2

    redistribute
    UsethiscommandtoallowroutinginformationdiscoveredthroughnonRIPprotocolstobe distributedinRIPupdatemessages.Thenoformofthiscommandclearsredistribution parameters.

    Syntax
    redistribute {connected | ospf process-id | static} [metric metric value] [subnets] no redistribute {connected | ospf process-id | static}

    Parameters
    connected ospf processid SpecifiesthatnonRIProutinginformationdiscoveredviadirectly connectedinterfaceswillberedistributed. SpecifiesthatOSPFroutinginformationwillberedistributedinRIP. SpecifiestheprocessID,aninternallyusedidentificationnumberforeach instanceoftheOSPFroutingprocessrunonarouter.Validvaluesare1to 65535. SpecifiesthatnonRIProutinginformationdiscoveredviastaticrouteswill beredistributed.Staticroutesarethosecreatedusingtheiproute commanddetailediniprouteonpage1917. (Optional)Specifiesametricfortheconnected,OSPForstatic redistributionroute.Thisvalueshouldbeconsistentwiththedesignation protocol. (Optional)Specifiesthatconnected,OSPForstaticroutesthatare subnettedwillberedistributed.

    static

    metricmetricvalue

    subnets

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    Defaults
    Ifmetricvalueisnotspecified,1willbeapplied. Ifsubnetsisnotspecified,onlynonsubnettedrouteswillberedistributed.

    SecureStack C2 Configuration Guide

    20-9

    redistribute

    Example
    Thisexampleshowshowtoredistributeroutinginformationdiscoveredthroughstaticrouteswill beredistributedintoRIPupdatemessages:
    C2(su)->router(Config)#router rip C2(su)->router(Config-router)#redistribute static

    20-10

    IPv4 Routing Protocol Configuration

    Configuring OSPF

    Configuring OSPF
    * Advanced License Required *
    OSPF is an advanced routing feature that must be enabled with a license key. If you have purchased an advanced license key, and have enabled routing on the device, you must activate your license as described in the chapter entitiled Activating Licensed Features in order to enable the OSPF command set. If you wish to purchase an advanced routing license, contact Enterasys Networks Sales.

    Purpose
    ToenableandconfiguretheOpenShortestPathFirst(OSPF)routingprotocol.

    OSPF Configuration Task List and Commands


    Table 202liststhetasksandcommandsassociatedwithOSPFconfiguration.Commandsare describedintheassociatedsectionasshown. Table 20-2
    To do this... If necessary, activate your advanced routing license. Enable OSPF configuration mode.

    OSPF Configuration Task List and Commands


    Use these commands... See the Activating Licensed Features chapter. router id on page 20-12 router ospf on page 20-13

    Enable or disable RFC 1583 compatibility. Configure OSPF Interface Parameters. Enable OSPF on the interface. Configure an OSPF area. Set the cost of sending a packet on an OSPF interface. Set a priority to help determine the OSPF designated router for the network. Adjust timers and message intervals.

    1583compatibility on page 20-13

    ip ospf enable on page 20-14 ip ospf areaid on page 20-14 ip ospf cost on page 20-15 ip ospf priority on page 20-15 timers spf on page 20-16 ip ospf retransmit-interval on page 20-17 ip ospf transmit-delay on page 20-17 ip ospf hello-interval on page 20-18 ip ospf dead-interval on page 20-18

    Configure OSPF authentication.

    ip ospf authentication-key on page 20-19 ip ospf message digest key md5 on page 20-20

    Configure OSPF Areas. Configure an administrative distance. Define the range of addresses to be used by Area Boundary Routers (ABRs). distance ospf on page 20-20 area range on page 20-21

    SecureStack C2 Configuration Guide

    20-11

    router id

    Table 20-2
    To do this...

    OSPF Configuration Task List and Commands (Continued)


    Use these commands... area stub on page 20-22 area default cost on page 20-23 area nssa on page 20-23 area virtual-link on page 20-24 redistribute on page 20-25 show ip ospf on page 20-26 show ip ospf neighbor on page 20-30 show ip ospf interface on page 20-28 show ip ospf neighbor on page 20-30 show ip ospf virtual-links on page 20-31 clear ip ospf process on page 20-31

    Define an area as a stub area. Set the cost value for the default route that is sent into a stub area. Define an area as an NSSA. Create virtual links. Enable redistribution from non-OSPF routes. Monitor and maintain OSPF.

    router id
    UsethiscommandtosettheOSPFrouterIDforthedevice.ThisIPaddressmustbesetmanually inordertorunOSPF.ThenoformofthiscommandremovestherouterIDforthedevice.

    Syntax
    router id ip-address no router id

    Parameters
    ipaddress SpecifiestheIPaddressthatOSPFwilluseastherouterID.

    Defaults
    None.

    Mode
    Globalconfiguration:C2(su)>router(Config)#

    Usage
    ThiscommandsetstheOSPFrouterID.TheOSPFareaIDofaroutedVLANisconfiguredoneach interfacewiththeinterfacecommandipospfareaidonpage2014.Ifyoudonotconfigurean areaIDonaroutedinterfacerunningOSPF,thedefaultareaIDof0.0.0.0willbeused.

    Example
    ThisexampleshowshowtosettheOSPFrouterIDtoIPaddress182.127.62.1:
    C2(su)->router(Config-router)#router id 182.127.62.1

    20-12

    IPv4 Routing Protocol Configuration

    router ospf

    router ospf
    UsethiscommandtoenableordisableOpenShortestPathFirst(OSPF)configurationmode.The noformofthiscommanddisablesOSPFconfigurationmode.

    Syntax
    router ospf process-id no router ospf process-id

    Parameters
    processid SpecifiestheprocessID,aninternallyusedidentificationnumberforan OSPFroutingprocessrunonarouter.OnlyoneOSPFprocessisallowedper stackorstandalone.Validvaluesare1to65535.

    Defaults
    None.

    Mode
    Globalconfiguration:C2(su)>router(Config)#

    Usage
    YoumustexecutetherouterospfcommandtoenabletheprotocolbeforecompletingmanyOSPF specificconfigurationtasks.Fordetailsonenablingconfigurationmodes,refertoTable 182on page 182. OnlyoneOSPFprocess(processid)isallowedperSecureStackC2router.

    Example
    ThisexampleshowshowtoenableroutingforOSPFprocess1:
    C2(su)->router#conf terminal C2(su)->router(Config)#router ospf 1 C2(su)->router(Config-router)#

    1583compatibility
    UsethiscommandtoenableRFC1583compatibilityonOSPFinterfaces.Thenoformofthis commanddisablesRFC1583compatibilityonOSPFinterfaces.

    Syntax
    1583compatability no 1583compatability

    Parameters
    None.

    Defaults
    None.

    SecureStack C2 Configuration Guide

    20-13

    ip ospf enable

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    Example
    ThisexampleshowshowtoenableRFC1583compatibility:
    C2(su)->router(Config)#router ospf 1 C2(su)->router(Config-router)#1583compatability

    ip ospf enable
    UsethiscommandtoenableOSPFonaninterface.ThenoformofthiscommanddisablesOSPFon aninterface.

    Syntax
    ip ospf enable no ip ospf enable

    Parameters
    None.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtoenableOSPFontheVLAN1interface:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip ospf enable

    ip ospf areaid
    UsethiscommandtoconfigureareaIDsforOSPFinterfaces.IfOSPFisenabledonaninterfaceas describedinipospfenableonpage2014,theOSPFareawilldefaultto0.0.0.0.Thenoformof thiscommandremovesOSPFroutingfortheinterfaces.

    Syntax
    ip ospf areaid area-id no ip ospf areaid

    Parameters
    areaid SpecifiestheareaidtobeassociatedwiththeOSPFinterface.Validvalues aredecimalvaluesorIPaddresses.

    Defaults
    None.
    20-14 IPv4 Routing Protocol Configuration

    ip ospf cost

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtoconfiguretheVLAN1interfaceasarea0.0.0.31:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip ospf areaid 0.0.0.31

    ip ospf cost
    UsethiscommandtosetthecostofsendinganOSPFpacketonaninterface.Thenoformofthis commandresetstheOSPFcosttothedefaultof10.

    Syntax
    ip ospf cost cost no ip ospf cost

    Parameters
    cost Specifiesthecostofsendingapacket.Validvaluesrangefrom1to65535.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Usage
    EachrouterinterfacethatparticipatesinOSPFroutingisassignedadefaultcost.Thiscommand overwritesthedefaultof10.

    Example
    ThisexampleshowshowtosettheOSPFcostto20fortheVLAN1interface:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip ospf cost 20

    ip ospf priority
    UsethiscommandtosettheOSPFpriorityvalueforrouterinterfaces.Thenoformofthis commandresetsthevaluetothedefaultof1.

    Syntax
    ip ospf priority number no ip ospf priority

    SecureStack C2 Configuration Guide

    20-15

    timers spf

    Parameters
    number SpecifiestheroutersOSPFpriorityinarangefrom0to255.Defaultvalueis 1.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Usage
    Thepriorityvalueiscommunicatedbetweenroutersbymeansofhellomessagesandinfluences theelectionofadesignatedrouter.

    Example
    ThisexampleshowshowtosettheOSPFpriorityto20fortheVLAN1interface:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip ospf priority 20

    timers spf
    UsethiscommandtochangeOSPFtimervaluestofinetunetheOSPFnetwork.Thenoformof thiscommandrestoresthedefaulttimervalues(5secondsfordelayand10secondsforholdtime).

    Syntax
    timers spf spf-delay spf-hold no timers spf

    Parameters
    spfdelay spfhold Specifiesthedelay,inseconds,betweenthereceiptofanupdateandtheSPF execution.Validvaluesare0to4294967295. Specifiestheminimumamountoftime,inseconds,betweentwo consecutiveOSPFcalculations.Validvaluesare0to4294967295.Avalueof 0meansthattwoconsecutiveOSPFcalculationsareperformedone immediatelyaftertheother.

    Defaults
    None.

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    Example
    ThisexampleshowshowtosetSPFdelaytimeto7secondsandholdtimeto3:
    C2(su)->router(Config)#router ospf 1 C2(su)->router(Config-router)#timers spf 7 3

    20-16

    IPv4 Routing Protocol Configuration

    ip ospf retransmit-interval

    ip ospf retransmit-interval
    Usethiscommandtosettheamountoftimebetweenretransmissionsoflinkstateadvertisements (LSAs)foradjacenciesthatbelongtoaninterface.Thenoformofthiscommandresetsthe retransmitintervalvaluetothedefault,5seconds.

    Syntax
    ip ospf retransmit-interval seconds no ip ospf retransmit-interval

    Parameters
    seconds Specifiestheretransmittimeinseconds.Validvaluesare1to65535.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtosettheOSPFretransmitintervalfortheVLAN1interfaceto20:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip ospf retransmit-interval 20

    ip ospf transmit-delay
    Usethiscommandtosettheamountoftimerequiredtotransmitalinkstateupdatepacketonan interface.Thenoformofthiscommandresetstheretransmitintervalvaluetothedefault,1 second.

    Syntax
    ip ospf transmit-delay seconds no ip ospf transmit-delay

    Parameters
    seconds Specifiesthetransmitdelayinseconds.Validvaluesarefrom1to65535.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    SecureStack C2 Configuration Guide

    20-17

    ip ospf hello-interval

    Example
    Thisexampleshowshowtosetthetimerequiredtotransmitalinkstateupdatepacketonthe VLAN1interfaceat20seconds:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip ospf transmit-delay 20

    ip ospf hello-interval
    Usethiscommandtosetthenumberofsecondsaroutermustwaitbeforesendingahellopacket toneighborroutersonaninterface.Thenoformofthiscommandsetsthehellointervalvalueto thedefaultvalueof10seconds.

    Syntax
    ip ospf hello-interval seconds no ip ospf hello-interval

    Parameters
    seconds Specifiesthehellointervalinseconds.Hellointervalmustbethesameon neighboringrouters(onaspecificsubnet),butcanvarybetweensubnets. Thisparameterisanunsignedintegerwithvalidvaluesbetween1and 65535.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    Thisexampleshowshowtosetthehellointervalto5fortheVLAN1interface:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip ospf hello-interval 5

    ip ospf dead-interval
    Usethiscommandtosetthenumberofsecondsaroutermustwaittoreceiveahellopacketfrom itsneighborbeforedeterminingthattheneighborisoutofservice.Thenoformofthiscommand setsthedeadintervalvaluetothedefaultvalueof40seconds.

    Syntax
    ip ospf dead-interval seconds no ip ospf dead-interval

    20-18

    IPv4 Routing Protocol Configuration

    ip ospf authentication-key

    Parameters
    seconds Specifiesthenumberofsecondsthataroutermustwaittoreceiveahello packetbeforedeclaringtheneighborasdeadandremovingitfromthe OSPFneighborlist.Deadintervalmustbethesameonneighboringrouters (onaspecificsubnet),butcanvarybetweensubnets.Thisparameterisan unsignedintegerrangingfrom1to65535.Defaultvalueis40seconds.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    Thisexampleshowshowtosetthedeadintervalto20fortheVLAN1interface:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip ospf dead-interval 20

    ip ospf authentication-key
    UsethiscommandtoassignapasswordtobeusedbyneighboringroutersusingOSPFssimple passwordauthentication.ThenoformofthiscommandremovesanOSPFauthentication passwordonaninterface.

    Syntax
    ip ospf authentication-key password no ip ospf authentication-key

    Parameters
    password SpecifiesanOSPFauthenticationpassword.Validvaluesarealphanumeric stringsupto8charactersinlength.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Usage
    ThispasswordisusedasakeythatisinserteddirectlyintotheOSPFheaderinroutingprotocol packets.AseparatepasswordcanbeassignedtoeachOSPFnetworkonaperinterfacebasis. Allneighboringroutersonthesamenetworkmusthavethesamepasswordconfiguredtobeable toexchangeOSPFinformation.

    SecureStack C2 Configuration Guide

    20-19

    ip ospf message digest key md5

    Example
    ThisexampleshowshowtoenablesanOSPFauthenticationkeyontheVLAN1interfacewiththe passwordyourpass:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip ospf authentication-key yourpass

    ip ospf message digest key md5


    UsethiscommandtoenableordisableOSPFMD5authenticationonaninterface.Thisvalidates OSPFMD5routingupdatesbetweenneighboringrouters.Thenoformofthiscommanddisables MD5authenticationonaninterface.

    Syntax
    ip ospf message-digest-key keyid md5 key no ip ospf message-digest-key keyid

    Parameters
    keyid key SpecifiesthekeyidentifierontheinterfacewhereMD5authenticationis enabled.Validvaluesareintegersfrom1to255. SpecifiesapasswordforMD5authenticationtobeusedwiththekeyid.Valid valuesarealphanumericstringsofupto16characters.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtoenableOSPFMD5authenticationontheVLAN1interface,setthekey identifierto20,andsetthepasswordtopassone:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip ospf message-digest-key 20 md5 passone

    distance ospf
    UsethiscommandtoconfiguretheadministrativedistanceforOSPFroutes.Thenoformofthis commandresetsOSPFadministrativedistancetothedefaultvalues.

    Syntax
    distance ospf {external | inter-area | intra-area} weight no distance ospf {external | inter-area | intra-area}

    20-20

    IPv4 Routing Protocol Configuration

    area range

    Parameters
    external|inter area|intraarea Appliesthedistancevaluetoexternal(type5andtype7),tointerarea,orto intraarearoutes.
    Note: The value for intra-area distance must be less than the value for inter-area distance, which must be less than the value for external distance.

    weight

    SpecifiesanadministrativedistanceforOSPFroutes.Validvaluesare1 255.

    Defaults
    Ifroutetypeisnotspecified,thedistancevaluewillbeappliedtoallOSPFroutes.

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    Usage
    Ifseveralroutes(comingfromdifferentprotocols)arepresentedtotheSecureStackC2,the protocolwiththelowestadministrativedistancewillbechosenforrouteinstallation.Bydefault, OSPFadministrativedistanceissetto110.Thedistanceospfcommandcanbeusedtochangethis value,resettingOSPFsroutepreferenceinrelationtootherroutesasshowninthetablebelow.
    Route Source Connected Static OSPF RIP Default Distance 0 1 Intra-area - 8; Inter-area - 10; External type 1 - 13; External type 2 - 150 15

    Example
    ThisexampleshowshowtochangethedefaultadministrativedistanceforexternalOSPFroutesto 100:
    C2(su)->router(Config)#router ospf 1 C2(su)->router(Config-router)#distance ospf external 100

    area range
    UsethiscommandtodefinetherangeofaddressestobeusedbyAreaBorderRouters(ABRs) whentheycommunicateroutestootherareas.EachSecureStackC2stackcansupportupto4 OSPFareas.Thenoformofthiscommandstopstheroutesfrombeingsummarized.

    Syntax
    area area-id range ip-address ip-mask [advertise | no-advertise] no area area-id range ip-address ip-mask

    SecureStack C2 Configuration Guide

    20-21

    area stub

    Parameters
    areaid ipaddress ipmask advertise|no advertise Specifiestheareafromwhichroutesaretobesummarized.Thisisa decimalvaluefrom0to429496295. SpecifiestheIPaddressassociatedwiththeareaID. SpecifiesthemaskfortheIPaddress. (Optional)Entersaddressrangeinadvertisemode,ordonotadvertise mode.

    Defaults
    Ifnotspecified,advertisemodewillbeset.

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    Example
    Thisexampleshowshowtodefinetheaddressrangeas172.16.0.0/16forsummarizedroutesfrom area0.0.0.8:
    C2(su)->router(Config)#router ospf 1 C2(su)->router(Config-router)#area 0.0.0.8 range 172.16.0.0 255.255.0.0

    area stub
    UsethiscommandtodefineanOSPFareaasastubarea.ThisisanareaintowhichAutonomous SystemexternalASAswillnotbeflooded.Thenoformofthiscommandchangesthestubbackto aplainarea.

    Syntax
    area area-id stub [no-summary] no area area-id stub [no-summary]

    Parameters
    areaid nosummary Specifiesthestubarea.Validvaluesaredecimalvaluesoripaddresses. (Optional)PreventsanAreaBorderRouter(ABR)fromsendingLinkState Advertisements(LSAs)intothestubarea.Whenthisparameterisused,it meansthatalldestinationsoutsideofthestubareaarerepresentedby meansofadefaultroute.

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    Defaults
    Ifnosummaryisnotspecified,thestubareawillbeabletoreceiveLSAs.

    20-22

    IPv4 Routing Protocol Configuration

    area default cost

    Example
    ThefollowingexampleshowshowtodefineOSPFarea10asastubarea:
    C2(su)->router(Config)#router ospf 1 C2(su)->router(Config-router)#area 10 stub

    area default cost


    UsethiscommandtosetthecostvalueforthedefaultroutethatissentintoastubareaandNSSA byanAreaBorderRouter(ABR).Thenoformofthiscommandremovesthecostvaluefromthe summaryroutethatissentintothestubarea.

    Syntax
    area area-id default-cost cost no area area-id default-cost

    Parameters
    areaid cost Specifiesthestubarea.ValidvaluesaredecimalvaluesorIPaddresses. Specifiesacostvalueforthesummaryroutethatissentintoastubareaby default.Validvaluesare24bitnumbers,from0to16777215.

    Defaults
    None.

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    Usage
    TheuseofthiscommandisrestrictedtoABRsattachedtostubandNSSAareas.

    Example
    Thisexampleshowshowtosetthecostvalueforstubarea10to99:
    C2(su)->router(Config)#router ospf 1 C2(su)->router(Config-router)#area 10 default-cost 99

    area nssa
    UsethiscommandtoconfigureanareaasaNotSoStubbyArea(NSSA).Thenoformofthis commandchangestheNSSAbacktoaplainarea.

    Syntax
    area area-id nssa [default-information-originate] no area area-id nssa [default-information-originate]

    SecureStack C2 Configuration Guide

    20-23

    area virtual-link

    Parameters
    areaid default information originate SpecifiestheNSSAarea.ValidvaluesaredecimalvaluesorIPaddresses. (Optional)GeneratesadefaultofType7intotheNSSA.Thisisusedwhen therouterisanNSSAABR.

    Defaults
    Ifdefaultinformationoriginateisnotspecified,nodefaulttypewillbegenerated.

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    Usage
    AnNSSAallowssomeexternalroutesrepresentedbyexternalLinkStateAdvertisements(LSAs) tobeimportedintoit.Thisisincontrasttoastubareathatdoesnotallowanyexternalroutes. ExternalroutesthatarenotimportedintoanNSSAcanberepresentedbymeansofadefault route.ThisconfigurationisusedwhenanOSPFinternetworkisconnectedtomultiplenonOSPF routingdomains.

    Example
    Thisexampleshowshowtoconfigurearea10asanNSSAarea:
    C2(su)->router(Config)#router ospf 1 C2(su)->router(Config-router)#area 10 nssa default-information-originate

    area virtual-link
    UsethiscommandtodefineanOSPFvirtuallink,whichrepresentsalogicalconnectionbetween thebackboneandanonbackboneOSPFarea.Thenoformofthiscommandremovesthevirtual linkand/oritsassociatedsettings.

    Syntax
    area area-id virtual-link router-id no area area-id virtual-link router-id

    Inadditiontothesyntaxabove,theoptionsforusingthiscommandare:
    area area-id virtual-link router-id authentication-key key no area area-id virtual-link router-id authentication-key key area area-id virtual-link router-id dead-interval seconds no area area-id virtual-link router-id dead-interval seconds area area-id virtual-link router-id hello-interval seconds no area area-id virtual-link router-id hello-interval seconds area area-id virtual-link router-id retransmit-interval seconds no area area-id virtual-link router-id retransmit-interval seconds area area-id virtual-link router-id transmit-delay seconds no area area-id virtual-link router-id transmit-delay seconds

    20-24

    IPv4 Routing Protocol Configuration

    redistribute

    Parameters
    areaid Specifiesthetransitareaforthevirtuallink.Validvaluesaredecimalvalues orIPaddresses.Atransitareaisanareathroughwhichavirtuallinkis established. SpecifiestherouterIDofthevirtuallinkneighbor. Specifiesapasswordtobeusedbythevirtuallink.Validvaluesare alphanumericstringsofupto8characters.Neighborvirtuallinkrouterson anetworkmusthavethesamepassword. Specifiesthenumberofsecondsthataroutermustwaittoreceiveahello packetbeforedeclaringtheneighborasdeadandremovingitfromthe OSPFneighborlist.Thisvaluemustbethesameforallvirtuallinksattached toacertainsubnet,anditisavaluerangingfrom1to8192. Specifiesthenumberofsecondsbetweenhellopacketsonthevirtuallink. Thisvaluemustbethesameforallvirtuallinksattachedtoanetworkandit isavaluerangingfrom1to8192. Specifiesthenumberofsecondsbetweensuccessiveretransmissionsofthe sameLSAs.Validvaluesaregreaterthantheexpectedamountoftime requiredfortheupdatepackettoreachandreturnfromtheinterface,and rangefrom1to8192.Defaultis5seconds. Specifiestheestimatednumberofsecondsbeforealinkstateupdatepacket ontheinterfacetobetransmitted.Validvaluesrangefrom1to8192.Default is1second.

    routerid authentication keykey deadinterval seconds

    hellointerval seconds retransmit intervalseconds

    transmitdelay seconds

    Defaults
    None.

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    Example
    Thisexampleshowshowtoconfigureavirtuallinkovertransitionarea0.0.0.2torouterID 192.168.7.2:
    C2(su)->router(Config)#router ospf 1 C2(su)->router(Config-router)#area 0.0.0.2 virtual-link 192.168.7.2

    redistribute
    UsethiscommandtoallowroutinginformationdiscoveredthroughnonOSPFprotocolstobe distributedinOSPFupdatemessages.Thenoformofthiscommandclearsredistribution parameters.

    Syntax
    redistribute {connected | rip | static} [metric metric value] [metric-type typevalue] [subnets] no redistribute {connected | rip | static}

    SecureStack C2 Configuration Guide

    20-25

    show ip ospf

    Parameters
    connected rip static SpecifiesthatnonOSPFinformationdiscoveredviadirectlyconnected interfaceswillberedistributed. SpecifiesthatRIProutinginformationwillberedistributedinOSPF. SpecifiesthatnonOSPFinformationdiscoveredviastaticrouteswillbe redistributed.Staticroutesarethosecreatedusingtheiproutecommand detailediniprouteonpage1917. (Optional)Specifiesametricfortheconnected,RIPorstaticredistribution route.Thisvalueshouldbeconsistentwiththedesignationprotocol. (Optional)Specifiestheexternallinktypeassociatedwiththedefault connected,RIPorstaticrouteadvertisedintotheOSPFroutingdomain. Validvaluesare1fortype1externalroute,and2fortype2externalroute. (Optional)Specifiesthatconnected,RIP,orstaticroutesthataresubnetted routeswillberedistributed.

    metricmetricvalue metrictypetype value subnets

    Defaults
    Ifmetricvalueisnotspecified,0willbeapplied. Iftypevalueisnotspecified,type2(externalroute)willbeapplied. Ifsubnetsisnotspecified,onlytheshortestprefixmatchingrouteswillberedistributed.

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    Example
    ThisexampleshowshowtoredistributeRIProutinginformationtononsubnettedroutesinOSPF routes:
    C2(su)->router(Config)#router ospf C2(su)->router(Config-router)#redistribute rip

    show ip ospf
    UsethiscommandtodisplayOSPFinformation.

    Syntax
    show ip ospf

    Parameters
    None.

    Defaults
    None.

    Mode
    Anyroutermode.

    20-26

    IPv4 Routing Protocol Configuration

    show ip ospf database

    Example
    ThisexampleshowshowtodisplayOSPFinformation:
    C2(su)->router#show ip ospf Routing process "ospf 1" with ID 155.155.155.155 Supports only Normal TOS route. It is not an area border router and is an autonomous system boundary router. Redistributing External Routes from static Number of areas in this router is 2 Area 0.0.0.0 SPF algorithm executed 0 times Area ranges are Link State Age Interval is 10 Area 0.0.0.8 SPF algorithm executed 302 times Area ranges are Link State Age Interval is 10

    show ip ospf database


    UsethiscommandtodisplaytheOSPFlinkstatedatabase.

    Syntax
    show ip ospf database

    Parameters
    None.

    Defaults
    None.

    Mode
    Anyroutermode.

    Example
    ThisexampleshowshowtodisplayallOSPFlinkstatedatabaseinformation.Thisisaportionof thecommandoutput:
    C2(su)->router#show ip ospf database OSPF Router with ID(155.155.155.155) Displaying Ipnet Sum Link States(Area 0.0.0.0) LinkID ADV Router Age Seq# 192.168.16.0 155.155.155.155 1751 0x80000036 Displaying As External Link States(Area 0.0.0.0) ADV Router Age Seq# 155.155.155.155 1306 0x8000003c 155.155.155.155 1306 0x8000003c 155.155.155.155 1306 0x8000003c 155.155.155.155 1306 0x8000003c 155.155.155.155 1307 0x8000003c 155.155.155.155 1307 0x8000003c 155.155.155.155 1307 0x8000003c 155.155.155.155 1307 0x8000003c

    Checksum 0x18a

    LinkID 191.2.2.0 191.3.3.3 191.3.3.4 191.3.3.5 191.3.3.6 191.3.3.7 191.3.3.8 191.3.3.9

    Checksum 0x9096 0x5bc6 0x51cf 0x47d8 0x3de1 0x33ea 0x29f3 0x1ffc


    20-27

    SecureStack C2 Configuration Guide

    show ip ospf interface

    191.4.0.0

    155.155.155.155

    1307

    0x8000003c

    0x8e98

    Displaying Router Link States(Area 0.0.0.8) LinkID ADV Router Age Seq# 3.3.3.3 3.3.3.3 986 0x8000008e 155.155.155.155 155.155.155.155 977 0x8000009c Displaying Net Link States(Area 0.0.0.8) LinkID ADV Router Age Seq# 192.168.30.2 155.155.155.155 310 0x8000003b 192.168.31.2 155.155.155.155 997 0x80000002 192.168.32.2 155.155.155.155 997 0x80000002 192.168.33.2 155.155.155.155 998 0x80000002 Displaying Ipnet Sum Link States(Area 0.0.0.8) LinkID ADV Router Age Seq# 0.0.0.0 3.3.3.3 361 0x80000005 8.1.1.0 3.3.3.3 1512 0x80000003 8.1.2.0 3.3.3.3 1512 0x80000003 8.1.3.0 3.3.3.3 1502 0x80000003 8.1.4.0 3.3.3.3 1512 0x80000003

    Checksum 0xb6f9 0x6e96

    Checksum 0x59ab 0xc07c 0xb586 0xaa90 Checksum 0x311d 0x3de1 0x32eb 0x27f5 0x1c00

    Table 203providesanexplanationofthecommandoutput. Table 20-3


    Output Field Link ID

    show ip ospf database Output Details


    What It Displays... Link ID, which varies as a function of the link state record type, as follows: Net Link States - Shows the interface IP address of the designated router to the broadcast network. Router Link States - Shows the ID of the router originating the record. Summary Link States - Shows the summary network prefix.

    ADV Router Age Seq# Checksum LinkCount

    Router ID of the router originating the link state record. Age (in seconds) of the link state record. OSPF sequence number assigned to each link state record. Field in the link state record used to verify the contents upon receipt by another router. Link count of router link state records. This number is equal to, or greater than, the number of active OSPF interfaces on the originating router.

    show ip ospf interface


    UsethiscommandtodisplayOSPFinterfacerelatedinformation,includingnetworktype,priority, cost,hellointerval,anddeadinterval.

    Syntax
    show ip ospf interface [vlan vlan-id]

    Parameters
    vlanvlanid (Optional)DisplaysOSPFinformationforaspecificVLAN.ThisVLAN mustbeconfiguredforIProutingasdescribedinPreRouting ConfigurationTasksonpage181.

    20-28

    IPv4 Routing Protocol Configuration

    show ip ospf interface

    Defaults
    Ifvlanidisnotspecified,OSPFstatisticswillbedisplayedforallVLANs.

    Mode
    Anyroutermode.

    Example
    ThisexampleshowshowtodisplayallOSPFrelatedinformationfortheVLAN6interface:
    C2(su)->router#show ip ospf interface vlan 6 Vlan 6 Internet Address 192.168.6.2 Mask 255.255.255.0, Area 0.0.0.0 Router ID 3.3.3.3 , Cost: 10 (computed) Transmit Delay is 1 sec , State designated-router , Priority 1 Designated Router id 3.3.3.3 , Interface Addr 192.168.6.2 Backup Designated Router id 2.2.2.2 , Timer intervals configured , Hello 10 , Dead 40 , Retransmit 5

    Table 204providesanexplanationofthecommandoutput. Table 20-4


    Output Field Vlan Internet Address Area Router ID Cost Transmit Delay State Priority Designated Router id Interface Addr Backup Designated Router id Timer intervals configured

    show ip ospf interface Output Details


    What It Displays... VLAN ID IP address and mask assigned to this interface. Area ID Router ID configured on this router. OSPF interface cost, which is either default, or assigned with the ip ospf cost command. For details, refer to ip ospf cost on page 20-15. The number (in seconds) added to the LSA (Link State Advertisement) age field. The interface state (versus the state between neighbors). Valid values include Backup Designated Router, Designated Router, and Err for error. The interface priority value, which is either default, or assigned with the ip ospf priority command. For details, refer to ip ospf priority on page 20-15. The router ID of the designated router on this subnet, if one exists, in which case Err will be displayed. IP address of the designated router on this interface. IP address of the backup designated router on this interface, if one exists, in which case Err will be displayed. OSPF timer intervals. These are either default, or configured with the ip ospf retransmit-interval (ip ospf retransmit-interval on page 20-17), the ip ospf hellointerval (ip ospf hello-interval on page 20-18), the ip ospf retransmit-delay (ip ospf transmit-delay on page 20-17) and the ip ospf dead interval (ip ospf deadinterval on page 20-18) commands.

    SecureStack C2 Configuration Guide

    20-29

    show ip ospf neighbor

    show ip ospf neighbor


    UsethiscommandtodisplaythestateofcommunicationbetweenanOSPFrouterandits neighborrouters.

    Syntax
    show ip ospf neighbor [detail] [ip-address] [vlan vlan-id]

    Parameters
    detail (Optional)Displaysdetailedinformationabouttheneighbors,includingthe areainwhichtheyareneighbors,whothedesignatedrouter/backup designatedrouterisonthesubnet,ifapplicable,andthedecimalequivalent oftheEbitvaluefromthehellopacketoptionsfield. (Optional)DisplaysOSPFneighborsforaspecificIPaddress. (Optional)DisplaysOSPFneighborsforaspecificVLAN.ThisVLANmust beconfiguredforIProutingasdescribedinPreRoutingConfiguration Tasksonpage181.

    ipaddress vlanvlanid

    Defaults
    Ifdetailisnotspecified,summaryinformationwillbedisplayed. Ifipaddressisnotspecified,OSPFneighborswillbedisplayedforallIPaddressesconfiguredfor routing. Ifvlanidisnotspecified,OSPFneighborswillbedisplayedforallVLANsconfiguredforrouting.

    Mode
    Anyroutermode.

    Example
    Thisexampleshowshowtousetheshowospfneighborcommand:
    C2(su)->router#show ip ospf neighbor ID Pri State Dead-Int 182.127.62.1 1 FULL 40 Address 182.127.63.1 Interface vlan1

    Table 205providesanexplanationofthecommandoutput. Table 20-5


    Output Field ID Pri State Dead-Int Address Interface

    show ip ospf neighbor Output Details


    What It Displays... Neighbors router ID of the OSPF neighbor. Neighbors priority over this interface. Neighbors OSPF communication state. Interval (in seconds) this router will wait without receiving a Hello packet from a neighbor before declaring the neighbor is down. Neighbors IP address. Neighbors interface (VLAN).

    20-30

    IPv4 Routing Protocol Configuration

    show ip ospf virtual-links

    show ip ospf virtual-links


    Usethiscommandtodisplayinformationaboutthevirtuallinksconfiguredonarouter.Avirtual linkrepresentsalogicalconnectionbetweenthebackboneandanonbackboneOSPFarea.

    Syntax
    show ip ospf virtual-links

    Parameters
    None.

    Defaults
    None.

    Mode
    Anyroutermode.

    Example
    ThisexampleshowshowtodisplayOSPFvirtuallinksinformation:
    C2(su)->router#show ip ospf virtual-links Neighbor ID 155.155.155.155 Transit area 0.0.0.8 Transmit delay is 1 sec State point-to-point Timer intervals configured: Hello 10, Dead 40, Retransmit 5 Adjacency State Full

    Table 206providesanexplanationofthecommandoutput. Table 20-6


    Output Field Neighbor ID Transit area Transmit delay State Timer intervals configured Adjacency State

    show ip ospf virtual links Output Details


    What It Displays... ID of the virtual link neighbor, and the virtual link status, which is up or down. ID of the transit area through which the virtual link is configured. Amount of time required to transmit a link state update packet on an interface. Whether the state of this interface is down or point-to-point. Timer intervals configured for the virtual link, including Hello, Wait, and Retransmit intervals. State of adjacency between this router and the virtual link neighbor of this router.

    clear ip ospf process


    UsethiscommandtoresettheOSPFprocess.Thiswillrequireadjacenciestobereestablishedand routestobereconverged.

    Syntax
    clear ip ospf process process-id

    SecureStack C2 Configuration Guide

    20-31

    clear ip ospf process

    Parameters
    processid SpecifiestheprocessID,aninternallyusedidentificationnumberforeach instanceoftheOSPFroutingprocessrunonarouter.Validvaluesare1to 65535.

    Defaults
    None.

    Mode
    PrivilegedEXEC:C2(su)>router#

    Example
    ThisexampleshowshowtoresetOSPFprocess1:
    C2(su)->router#clear ip ospf process 1

    20-32

    IPv4 Routing Protocol Configuration

    Configuring DVMRP

    Configuring DVMRP
    * Advanced License Required *
    DVMRP is an advanced routing feature that must be enabled with a license key. If you have purchased an advanced license key, and have enabled routing on the device, you must activate your license as described in the chapter entitled Activating Licensed Features in order to enable the DVMRP command set. If you wish to purchase an advanced routing license, contact Enterasys Networks Sales.

    Purpose
    ToenableandconfiguretheDistanceVectorMulticastRoutingProtocol(DVMRP)onaninterface. DVMRProutesmulticasttrafficusingatechniqueknownasReversePathForwarding.Whena routerreceivesapacket,itfloodsthepacketoutofallpathsexcepttheonethatleadsbacktothe packetssource.DoingsoallowsadatastreamtoreachallVLANs(possiblymultipletimes).Ifa routerisattachedtoasetofVLANsthatdonotwanttoreceivefromaparticularmulticastgroup, theroutercansendaprunemessagebackupthedistributiontreetostopsubsequentpackets fromtravelingwheretherearenomembers.DVMRPwillperiodicallyrefloodinordertoreach anynewhoststhatwanttoreceivefromaparticulargroup.
    Note: IGMP must be enabled on all VLANs running DVMRP, and must also be globally enabled on the SecureStack C2. For details on enabling IGMP, refer to Chapter 13.

    Commands

    For information about... ip dvmrp ip dvmrp enable ip dvmrp metric show ip dvmrp

    Refer to page... 20-34 20-34 20-35 20-35

    Seealsoshowipmrouteonpage2059,whichcanbeusedtodisplaytheIPmulticastrouting table.

    Enabling DVMRP on an Interface


    DVMRPisdisabledbydefault,bothgloballyandoneachinterface.EnablingDVMRPonarouted interfacerequirescompletingthestepslistedinTable 201. Table 20-1
    To do this... Globally enable IGMP. Globally enable DVMRP. Enable IGMP on each interface. Enable DVMRP on each interface .

    Commands to Enable DVMRP on an Interface


    Use these commands... ip igmp on page 13-10 ip dvmrp on page 20-34. ip igmp enable on page 13-11 ip dvmrp enable on page 20-34

    SecureStack C2 Configuration Guide

    20-33

    ip dvmrp

    ip dvmrp
    UsethiscommandtoenabletheDVMRPprocess.Thenoformofthiscommanddisablesthe DVMRPprocess:

    Syntax
    ip dvmrp no ip dvmrp

    Parameters
    None.

    Defaults
    None.

    Mode
    Globalconfiguration:C2(su)>router(Config)#

    Example
    ThisexampleshowshowtoenabletheDVMRPprocess:
    C2(su)->router(Config)#ip dvmrp

    ip dvmrp enable
    UsethiscommandtoenableDVMRPonaninterface.Thenoformofthiscommanddisables DVMRPonaninterface:

    Syntax
    ip dvmrp enable no ip dvmrp enable

    Parameters
    None.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtoenableDVMRPontheVLAN1interface:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip dvmrp enable

    20-34

    IPv4 Routing Protocol Configuration

    ip dvmrp metric

    ip dvmrp metric
    UsethiscommandtoconfigurethemetricassociatedwithasetofdestinationsforDVMRP reports.

    Syntax
    ip dvmrp metric metric

    Parameters
    metric SpecifiesametricassociatedwithasetofdestinationsforDVMRP reports.Validvaluesarefrom1to31.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Usage
    ToresettheDVMRPmetricbacktothedefaultvalueof1,enteripdvmrpmetric1.

    Example
    ThisexampleshowshowtosetaDVMRPof16ontheVLAN1interface:
    C2(su)->router(Config-if(Vlan 1))#ip dvmrp metric 16

    show ip dvmrp
    UsethiscommandtodisplayDVMRProutinginformation.

    Syntax
    show ip dvmrp [route | neighbor | status]

    Parameters
    route|neighbor| status (Optional)Displays,DVMRProutinginformation,neighborinformation, orDVMRPenablestatus.

    Defaults
    Ifnooptionalparametersarespecified,statusinformationwillbedisplayed.

    Mode
    Anyroutermode.

    Example
    ThisexampleshowshowtodisplayDVMRPstatusinformation:
    C2(su)->router#show ip dvmrp Vlan Id Metric Admin Status Oper. Status

    SecureStack C2 Configuration Guide

    20-35

    show ip dvmrp

    ------10 18 20 25 32 500

    -------

    -----------Enabled Enabled Enabled Enabled Enabled Enabled

    -----------Enabled Enabled Enabled Enabled Enabled Disabled

    20-36

    IPv4 Routing Protocol Configuration

    Configuring IRDP

    Configuring IRDP
    Purpose
    ToenableandconfiguretheICMPRouterDiscoveryProtocol(IRDP)onaninterface.Thisprotocol enablesahosttodeterminetheaddressofarouteritcanuseasadefaultgateway.Itisdisabledby default.

    Commands
    For information about... ip irdp enable ip irdp maxadvertinterval ip irdp minadvertinterval ip irdp holdtime ip irdp preference ip irdp broadcast show ip irdp Refer to page... 20-37 20-38 20-38 20-39 20-39 20-40 20-40

    ip irdp enable
    UsethiscommandtoenableIRDPonaninterface.ThenoformofthiscommanddisablesIRDPon aninterface.

    Syntax
    ip irdp enable no ip irdp enable

    Parameters
    None.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtoenableIRDPontheVLAN1interface:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip irdp enable

    SecureStack C2 Configuration Guide

    20-37

    ip irdp maxadvertinterval

    ip irdp maxadvertinterval
    UsethiscommandtosetthemaximumintervalinsecondsbetweenIRDPadvertisements.Theno formofthiscommandresetsthemaximumadvertisementintervaltothedefaultvalueof600 seconds.

    Syntax
    ip irdp maxadvertinterval interval no irdp maxadvertinterval

    Parameters
    interval Specifiesamaximumadvertisementintervalinseconds.Validvaluesare 4to1800.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtosetthemaximumIRDPadvertisementintervalto1000secondsonthe VLAN1interface:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip irdp maxadvertinterval 1000

    ip irdp minadvertinterval
    UsethiscommandtosettheminimumintervalinsecondsbetweenIRDPadvertisements.Theno formofthiscommanddeletesthecustomholdtimesetting,andresetstheminimum advertisementintervaltothedefaultvalueofthreefourthsofthemaxadvertintervalvalue,which isequalto450seconds.

    Syntax
    ip irdp minadvertinterval interval no irdp minadvertinterval

    Parameters
    interval Specifiesaminimumadvertisementintervalinseconds.Validvaluesare3 to1800.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    20-38

    IPv4 Routing Protocol Configuration

    ip irdp holdtime

    Example
    ThisexampleshowshowtosettheminimumIRDPadvertisementintervalto500secondsonthe VLAN1interface:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip irdp minadvertinterval 500

    ip irdp holdtime
    UsethiscommandtosetthelengthoftimeinsecondsIRDPadvertisementsareheldvalid.Theno formofthiscommandresetstheholdtimetothedefaultvalueofthreetimesthe maxadvertintervalvalue,whichisequalto1800seconds.

    Syntax
    ip irdp holdtime holdtime no irdp holdtime

    Parameters
    holdtime Specifiestheholdtimeinseconds.Validvaluesare0to 9000.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtosettheIRDPholdtimeto4000secondsontheVLAN1interface:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip irdp holdtime 4000

    ip irdp preference
    UsethiscommandtosettheIRDPpreferencevalueforaninterface.ThisvalueisusedbyIRDPto determinetheinterfacesselectionasadefaultgatewayaddress.Thenoformofthiscommand resetstheinterfacesIRDPpreferencevaluetothedefaultof0.

    Syntax
    ip irdp preference preference no irdp preference

    Parameters
    preference Specifiesthevaluetoindicatetheinterfacesuseasadefaultrouter address.Validvaluesare2147483648to2147483647. Theminimumvalueindicatesthattheaddress,eventhoughitmaybe advertised,isnottobeusedbyneighboringhostsasadefaultrouter address.

    SecureStack C2 Configuration Guide

    20-39

    ip irdp broadcast

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtosetIRDPpreferenceontheVLAN1interfacesothattheinterfaces addressmaystillbeadvertised,butcannotbeusedbyneighboringhostsasadefaultrouter address:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip irdp preference -2147483648

    ip irdp broadcast
    UsethiscommandtoconfigureIRDPtousethelimitedbroadcastaddressof255.255.255.255.The defaultismulticastwithaddress224.0.0.1.ThenoformofthiscommandresetsIRDPtouse multicastonIPaddress224.0.0.1.

    Syntax
    ip irdp broadcast no ip irdp broadcast

    Parameters
    None.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtoenablebroadcastforIRDPontheVLAN1interface:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip irdp broadcast

    show ip irdp
    UsethiscommandtodisplayIRDPinformation.

    Syntax
    show ip irdp [vlan vlan-id]

    20-40

    IPv4 Routing Protocol Configuration

    show ip irdp

    Parameters
    vlanvlanid (Optional)DisplaysIRDPinformationforaspecificVLAN.ThisVLAN mustbeconfiguredforIProutingasdescribedinPreRouting ConfigurationTasksonpage181.

    Defaults
    Ifvlanvlanidisnotspecified,IRDPinformationforallinterfaceswillbedisplayed.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtodisplayIRDPinformationfortheVLAN1interface:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(vlan 1))#show ip irdp vlan 1 Interface vlan 1 has router discovery enabled Advertisements will occur between 450 and 600 seconds Advertisements are sent with broadcasts Advertisements are valid for 1800 seconds Default preference will be 0

    SecureStack C2 Configuration Guide

    20-41

    Configuring VRRP

    Configuring VRRP
    * Advanced License Required *
    VRRP is an advanced routing feature that must be enabled with a license key. If you have purchased an advanced license key, and have enabled routing on the device, you must activate your license as described in the chapter entitled Activating Licensed Features in order to enable the VRRP command set. If you wish to purchase an advanced routing license, contact Enterasys Networks Sales.

    Purpose
    ToenableandconfiguretheVirtualRouterRedundancyProtocol(VRRP).Thisprotocoleliminates thesinglepointoffailureinherentinthestaticdefaultroutedenvironmentbytransferringthe responsibilityfromoneroutertoanotheriftheoriginalroutergoesdown.VRRPenabledrouters decidewhowillbecomemasterandwhowillbecomebackupintheeventthemasterfails.

    Commands
    For information about... router vrrp create address priority advertise-interval preempt enable ip vrrp authentication-key show ip vrrp Refer to page... 20-42 20-43 20-44 20-45 20-45 20-46 20-47 20-48 20-48

    router vrrp
    UsethiscommandtoenableordisableVRRPconfigurationmode.Thenoformofthiscommand removesallVRRPconfigurationsfromtherunningconfiguration.

    Syntax
    router vrrp no router vrrp

    Parameters
    None.

    Defaults
    None.

    Mode
    Globalconfiguration:C2(su)>router(Config)#
    20-42 IPv4 Routing Protocol Configuration

    create

    Usage
    Youmustexecutetheroutervrrpcommandtoenabletheprotocolbeforecompletingother VRRPspecificconfigurationtasks.Fordetailsonenablingconfigurationmodes,refertoTable 182 onpage 182.

    Example
    ThisexampleshowshowenableVRRPconfigurationmode:
    C2(su)->router#configure C2(su)->router(Config)#router vrrp C2(su)->router(Config-router)#

    create
    UsethiscommandtocreateaVRRPsession.EachSecureStackC2systemsupportsupto20VRRP sessions.ThenoformofthiscommanddisablestheVRRPsession.

    Syntax
    create vlan vlan-id vrid no create vlan vlan-id vrid

    Parameters
    vlanvlanid SpecifiesthenumberoftheVLANonwhichtocreateaVRRPsession.This VLANmustbeconfiguredforIProutingasdescribedinPreRouting ConfigurationTasksonpage181. SpecifiesauniqueVirtualRouterID(VRID)toassociatewiththerouting interface.

    vrid

    Defaults
    None.

    Mode
    Router configuration: C2(su)->router(Config-router)#

    Usage
    ThiscommandmustbeexecutedtocreateaninstanceofVRRPonaroutinginterface(VLAN) beforeanyotherVRRPsettingscanbeconfigured.

    Example
    ThisexampleshowshowtocreateaVRRPsessionontheVLAN1interfacewithaVRIDof1:
    C2(su)->router(Config)#router vrrp C2(su)->router(Config-router)#create vlan 1 1

    SecureStack C2 Configuration Guide

    20-43

    address

    address
    UsethiscommandtoconfigureavirtualrouterIPaddress.Thenoformofthiscommandclears theVRRPaddressconfiguration.

    Syntax
    address vlan vlan-id vrid ip-address owner no address vlan vlan-id vrid ip-address owner

    Parameters
    vlanvlanid SpecifiesthenumberoftheVLANonwhichtoconfigureavirtualrouter address.ThisVLANmustbeconfiguredforIProutingasdescribedinPre RoutingConfigurationTasksonpage181. SpecifiesauniqueVirtualRouterID(VRID)associatedwiththerouting interface. SpecifiesthevirtualrouterIPaddresstoassociatewiththerouter. SpecifiesavaluetoindicateiftherouterownstheIPaddressasoneofits interfaces.Validvaluesare: 1toindicatetherouterownstheaddress. 0toindicatetherouterdoesnotowntheaddress.

    vrid ipaddress owner

    Defaults
    None.

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    Usage
    IfthevirtualrouterIPaddressisthesameastheinterface(VLAN)addressownedbyaVRRP router,thentherouterowningtheaddressbecomesthemaster.Themastersendsan advertisementtoallotherVRRProutersdeclaringitsstatusandassumesresponsibilityfor forwardingpacketsassociatedwithitsvirtualrouterID(VRID). IfthevirtualrouterIPaddressisnotownedbyanyoftheVRRProuters,thentherouterscompare theirprioritiesandthehigherpriorityownerbecomesthemaster.Ifpriorityvaluesarethesame, thentheVRRProuterwiththehigherIPaddressisselectedmaster.Fordetailsonusingthe prioritycommand,refertopriorityonpage2045.

    Example
    Thisexampleshowshowtoconfigureavirtualrouteraddressof182.127.62.1ontheVLAN1 interface,VRID1,andtosettherouterconnectedtotheVLANviathisinterfaceasthemaster:
    C2(su)->router(Config)#router vrrp C2(su)->router(Config-router)#address vlan 1 1 182.127.62.1 1

    20-44

    IPv4 Routing Protocol Configuration

    priority

    priority
    UsethiscommandtosetapriorityvalueforaVRRProuter.Thenoformofthiscommandclears theVRRPpriorityconfiguration.

    Syntax
    priority vlan vlan-id vrid priority-value no priority vlan vlan-id vrid priority-value

    Parameters
    vlanvlanid SpecifiesthenumberoftheVLANonwhichtoconfigureVRRPpriority. ThisVLANmustbeconfiguredforIProutingasdescribedinPreRouting ConfigurationTasksonpage181. SpecifiesauniqueVirtualRouterID(VRID)associatedwiththerouting interface.Validvaluesarefrom1to255. SpecifiestheVRRPpriorityvaluetoassociatewiththevrid.Validvaluesare from1to254,withthehighestvaluesettingthehighestpriority.Priority valueof255isreservedfortheVRRProuterthatownstheIPaddress associatedwiththevirtualrouter.Priority0isreservedforsignalingthatthe masterhasstoppedworkingandthebackuproutermusttransitionto masterstate.

    vrid priorityvalue

    Defaults
    None.

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    Example
    ThisexampleshowshowsetaVRRPpriorityof200ontheVLAN1interface,VRID1:
    C2(su)->router(Config)#router vrrp C2(su)->router(Config-router)#priority vlan 1 1 200

    advertise-interval
    UsethiscommandtosettheintervalinsecondsbetweenVRRPadvertisements.Thenoformof thiscommandclearstheVRRPadvertiseintervalvalue.

    Syntax
    advertise-interval vlan vlan-id vrid interval no advertise-interval vlan vlan-id vrid interval

    SecureStack C2 Configuration Guide

    20-45

    preempt

    Parameters
    vlanvlanid SpecifiesthenumberoftheVLANonwhichtoconfiguretheVRRP advertisementinterval.ThisVLANmustbeconfiguredforIProutingas describedinPreRoutingConfigurationTasksonpage181. SpecifiesauniqueVirtualRouterID(VRID)associatedwiththerouting interface.Validvaluesarefrom1to255. SpecifiesaVRRPadvertisementintervaltoassociatewiththevrid.Valid valuesarefrom1to255seconds.

    vrid interval

    Defaults
    None.

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    Usage
    VRRPadvertisementsaresentbythemasterroutertootherroutersparticipatingintheVRRP masterselectionprocess,informingthemofitsconfiguredvalues.Oncethemasterisselected, thenadvertisementsaresenteveryadvertisingintervaltoletotherVRRProutersinthisVLAN/ VRIDknowtherouterisstillactingasmasteroftheVLAN/VRID. AllrouterswiththesameVRIDshouldbeconfiguredwiththesameadvertisementinterval.

    Example
    Thisexampleshowshowsetanadvertiseintervalof3secondsontheVLAN1interface,VRID1:
    C2(su)->router(Config)#router vrrp C2(su)->router(Config-router)#advertise-interval vlan 1 1 3

    preempt
    UsethiscommandtoenableordisablepreemptmodeonaVRRProuter.Thenoformofthis commanddisablespreemptmode.

    Syntax
    preempt vlan-id vrid no preempt vlan-id vrid

    Parameters
    vlanvlanid SpecifiesthenumberoftheVLANonwhichtosetpreemptmode.This VLANmustbeconfiguredforIProutingasdescribedinPreRouting ConfigurationTasksonpage181. SpecifiesauniqueVirtualRouterID(VRID)associatedwiththerouting interface.Validvaluesarefrom1to255.

    vrid

    Defaults
    None.

    20-46

    IPv4 Routing Protocol Configuration

    enable

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    Usage
    PreemptisenabledonVRRProutersbydefault,whichallowsahigherprioritybackuprouterto preemptalowerprioritymaster. TherouterthatownsthevirtualrouterIPaddressalwayspreemptsotherrouters,regardlessof thissetting.

    Example
    ThisexampleshowshowtodisablepreemptmodeontheVLAN1interface,VRID1:
    C2(su)->router(Config)#router vrrp C2(su)->router(Config-router)#no preempt vlan 1 1

    enable
    UsethiscommandtoenableVRRPonaninterface.ThenoformofthiscommanddisablesVRRP onaninterface.

    Syntax
    enable vlan vlan-id vrid no enable vlan vlan-id vrid

    Parameters
    vlanvlanid SpecifiesthenumberoftheVLANonwhichtoenableVRRP.ThisVLAN mustbeconfiguredforIProutingasdescribedinPreRouting ConfigurationTasksonpage181. SpecifiestheVirtualRouterID(VRID)associatedwiththevlanid.Valid valuesarefrom1to255.

    vrid

    Defaults
    None.

    Mode
    Routerconfiguration:C2(su)>router(Configrouter)#

    Example
    ThisexampleshowshowtoenableVRRPontheVLAN1interface,VRID1:
    C2(su)->router(Config)#router vrrp C2(su)->router(Config-router)#enable vlan 1 1

    SecureStack C2 Configuration Guide

    20-47

    ip vrrp authentication-key

    ip vrrp authentication-key
    UsethiscommandtoenableordisableaVRRPauthenticationkey(password)foruseonan interface.ThenoformofthiscommandpreventsVRRPfromusingauthentication.

    Syntax
    ip vrrp authentication-key name no ip vrrp authentication-key

    Parameters
    name SpecifiesthepasswordtoenableordisableforVRRPauthentication.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtosettheVRRPauthenticationkeychaintopasswordontheVLAN1 interface:
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip vrrp authentication-key password

    show ip vrrp
    UsethiscommandtodisplayVRRProutinginformation.

    Syntax
    show ip vrrp

    Parameters
    None.

    Defaults
    None.

    Mode
    Anyroutermode.

    Example
    ThisexampleshowshowtodisplayVRRPinformation
    C2(su)->router(Config)#show ip vrrp -----------VRRP CONFIGURATION----------Vlan Vrid State Owner AssocIpAddr 2 1 Initialize 0 25.25.2.1

    Priority 100

    20-48

    IPv4 Routing Protocol Configuration

    Configuring PIM-SM

    Configuring PIM-SM
    * Advanced License Required *
    PIM is an advanced routing feature that must be enabled with a license key. If you have purchased an advanced license key, and have enabled routing on the device, you must activate your license as described in the chapter entitled Activating Licensed Features in order to enable the PIM command set. If you wish to purchase an advanced routing license, contact Enterasys Networks Sales.

    Design Considerations
    Enterasys Networksrecommendsthatadministratorsconsiderthefollowingrecommendations beforeconfiguringtheSecureStackC2foraPIMSMenvironment. ASecureStackC2cannotbeconfiguredasaCandidateRPoraCandidateBSR. ASecureStackC2shouldnotbethefirsthoprouterforamulticaststream.Inotherwords,the multicaststreamshouldnotoriginateonaSecureStackC2. ASecureStackC2shouldnotbepositionedinthecoreofaPIMSMtopology,andshould onlybepositionedattheedgeinaPIMSMtopology.Inotherwords,theSecureStackC2 shouldonlybeusedtodelivermulticaststreamstoendclients.

    Purpose
    ToenableandconfigureProtocolIndependentMulticastinSparseMode(PIMSM).Thisprotocol providesthemeansofdynamicallylearninghowtoforwardmulticasttrafficinanenvironment wheregroupmembersaresparselylocatedthroughoutthenetworkandbandwidthislimited.In situationswheremembersaredenselylocatedandbandwidthisplentiful,DVMRPwouldsuffice (seeConfiguringDVMRPonpage2033.) PIMSMdeterminesthenetworktopologyusingtheunderlyingunicastroutingprotocoltobuild aMulticastRoutingInformationBase(MRIB).
    Note: IGMP must be enabled on all VLANs running PIM-SM, and must also be globally enabled on the SecureStack C2. For details on enabling IGMP, refer to Chapter 13.

    Commands
    For information about... Global configuration commands ip pimsm ip pimsm staticrp Interface configuration commands ip pimsm enable ip pimsm query-interval Display commands show ip pimsm show ip pimsm componenttable 20-52 20-53 20-51 20-52 20-50 20-50 Refer to page...

    SecureStack C2 Configuration Guide

    20-49

    ip pimsm

    For information about... show ip pimsm interface show ip pimsm neighbor show ip pimsm rp show ip pimsm rphash show ip pimsm staticrp show ip mroute

    Refer to page... 20-54 20-55 20-56 20-57 20-58 20-59

    ip pimsm
    ThiscommandsetsadministrativemodeofPIMSMmulticastroutingacrosstherouterto enabled.IGMPmustbeenabledbeforePIMSMcanbeenabled.Bydefault,bothIGMPandPIM aregloballydisabled.ThenoformofthiscommanddisablesPIM(acrosstheentirestack,if applicable).

    Syntax
    ip pimsm no ip pimsm

    Parameters
    None.

    Defaults
    None.

    Mode
    Globalrouterconfiguration:C2(su)>router(Config)#

    Example
    ThisexampleshowshowtogloballyenableanddisablePIM:
    C2(su)->router(Config)# ip pimsm C2(su)->router(Config)# no ip pimsm

    ip pimsm staticrp
    ThiscommandisusedtocreateamanualRendezvousPointIPaddressforthePIMSMrouter. ThenoformofthiscommandremovesapreviouslyconfiguredRP.

    Syntax
    ip pimsm staticrp ipaddress groupadress groupmask no ip pimsm staticrp ipaddress groupadress groupmask

    20-50

    IPv4 Routing Protocol Configuration

    ip pimsm enable

    Parameters
    ipaddress groupadress groupmask TheIPaddressoftheRendezvousPoint ThegroupaddresssupportedbytheRendezvousPoint Thegroupmaskforthegroupaddress

    Defaults
    None.

    Mode
    GlobalRouterconfiguration:C2(su)>router(Config)#

    Example
    ThisexampleshowshowtosetanRPforaspecificmulticastgroup.
    C2(su)->router(Config)# ip pimsm staticrp 192.15.18.3 224.0.0.0 240.0.0.0

    ip pimsm enable
    ThiscommandsetstheadministrativemodeofPIMSMmulticastroutingonaroutinginterfaceto enabled.Bydefault,PIMisdisabledonallIPinterfaces.Thenoformofthiscommanddisables PIMonthespecificinterface.

    Syntax
    ip pimsm enable no ip pimsm enable

    Parameters
    None.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    ThisexampleshowshowtoenablePIMonIPinterfaceforVLAN1.
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip pimsm enable

    SecureStack C2 Configuration Guide

    20-51

    ip pimsm query-interval

    ip pimsm query-interval
    Thiscommandconfiguresthetransmissionfrequencyofhellomessagesinsecondsbetween PIMenabledneighbors.Thenoformofthiscommandresetsthehellointervaltothedefault,30 seconds.

    Syntax
    ip pimsm query-interval seconds no ip pimsm query-interval

    Parameters
    seconds Thisfieldhasarangeof10to3600seconds.Defaultis30.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan1))#

    Example
    Thisexampleshowshowtosetthehellointervalrateto100seconds.
    C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip pimsm query-interval 100

    show ip pimsm
    UsethiscommandtodisplaysystemwidePIMSMroutinginformation.

    Syntax
    show ip pimsm

    Parameters
    None.

    Defaults
    None.

    Mode
    Anyroutermode.

    Example
    ThisexampleshowshowtodisplayPIMinformation.
    C2(su)->router# show ip pimsm Admin Mode Enable Join/Prune Interval (secs) 60

    20-52

    IPv4 Routing Protocol Configuration

    show ip pimsm componenttable

    PIM-SM INTERFACE STATUS VlanId Interface Mode --------- -------------8 Disable 16 Enable 17 Enable 20 Enable 30 Enable 31 Disable 32 Disable 33 Disable

    Protocol State ---------------Non-Operational Operational Operational Operational Operational Non-Operational Non-Operational Non-Operational

    Table 207providesanexplanationofthecommandoutput. Table 20-7


    Output Field Admin Mode Join/Prune Interval (secs) VlanId Interface Mode Protocol State

    show ip pimsm Output Details


    What it displays This field indicates whether PIM-SM is enabled or disabled. This is a configured value. This field shows the interval at which periodic PIM-SM Join/Prune messages are to be sent. VLAN id associated with the PIM IP Interface. This field indicates whether PIM-SM is enabled or disabled on the interface. This is a configured value. This field indicates the current state of the PIM-SM protocol on the interface. Possible values are Operational or Non-Operational.

    show ip pimsm componenttable


    ThiscommanddisplaysthetablecontainingobjectsspecifictoaPIMdomain.Onerowexistsfor eachdomaintowhichtherouterisconnected.

    Syntax
    show ip pimsm componenttable

    Parameters
    None.

    Defaults
    None.

    Mode
    Anyroutermode.

    Example
    ThisexampleshowshowtodisplayPIMrouterinformation:
    C2(su)->router> show ip pimsm componenttable

    SecureStack C2 Configuration Guide

    20-53

    show ip pimsm interface

    COMPONENT TABLE Component Index ---------1 Component BSR Address Component BSR Expiry Time (hh:mm:ss) --------------- --------------192.168.30.2 00:02:10 Component CRP Hold Time (hh:mm:ss) ------------00:00:00

    Table 208providesanexplanationofthecommandoutput. Table 20-8


    Output Field Component Index Component BSR Address Component BSR Expiry Time Component CRP Hold Time

    show ip pimsm componenettable Output Details


    What it displays This field displays a number which uniquely identifies the component. This field displays the IP address of the bootstrap router (BSR) for the local PIM region. This field displays the minimum time remaining before the BSR in the local domain will be declared down. This field displays the hold time of the component when it is a candidate rendezvous point.

    show ip pimsm interface


    ThiscommanddisplaysPIMSMstatusoftherouterinterfaces.Withthestatsparameter,this commanddisplaysstatisticalinformationforPIMSMonthespecifiedinterface.

    Syntax
    show ip pimsm interface {vlan vlan-id | stats {vlan-id | all}}

    Parameters
    vlanvlanid stats vlanid|all DisplayPIMSMinformationforthespecifiedIPinterfaceenabledfor PIM. DisplayPIMSMinterfacestatistics. DisplaystatisticsforaspecificVLANorallVLANs.

    Defaults
    None.

    Mode
    Anyroutermode.

    Examples
    ThisexampleshowshowtodisplayPIMinterfaceinformation.
    .

    C2(su)->router> show ip pimsm interface vlan 30 VLAN ID IP Address Subnet Mask Mode 30 192.168.30.1 255.255.255.0 enable

    20-54

    IPv4 Routing Protocol Configuration

    show ip pimsm neighbor

    Hello Interval (secs) CBSR Preference CRP Preference CBSR Hash Mask Length

    30 secs -1 -1 30

    Table 209providesanexplanationoftheshowippimsminterfacevlancommandoutput. Table 20-9


    Output Field IP Address Subnet Mask Mode Hello Interval CBSR Preference CRP Preference CBSR Hash Mask Length

    show ip pimsm interface vlan Output Details


    What it displays The IP address of the specified interface. The Subnet Mask for the IP address of the PIM interface. Indicates whether PIM-SM is enabled or disabled on the specified interface. This is a configured value. By default it is disabled. Indicates the frequency at which PIM hello messages are transmitted on this interface. This is a configured value. By default, the value is 30 seconds The preference value for the local interface as a candidate bootstrap router. The preference value as a candidate rendezvous point on this interface. The hash mask length to be advertised in bootstrap messages if this interface is elected as the bootstrap router. The value is used in the hash algorithm for selecting the RP for a particular group.

    ThisexampleshowshowtodisplayPIMinterfacestatistics.
    .

    C2(su)->router> show ip pimsm interface stats all Vlan ID --------6 7 8 30 IP Address --------------192.168.6.2 192.168.7.1 192.168.8.1 192.168.30.1 Subnet Mask --------------255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0 Neighbor Designated Router count ----------------- ---------0.0.0.0 0 192.168.7.1 0 0.0.0.0 0 192.168.30.2 1

    Table 2010providesanexplanationoftheshowippimsminterfacestatscommandoutput. Table 20-10


    Output Field IP Address Subnet Mask Designated Router Neighbor Count

    show ip pimsm interface stats Output Details


    What it displays The IP Address that represents the PIM-SM interface. The Subnet Mask of this PIM-SM interface. IP Address of the Designated Router for this interface. The number of neighbors on the PIM-SM interface.

    show ip pimsm neighbor


    DisplaytheroutersPIMneighbors.

    Syntax
    show ip pimsm neighbor [vlan-id]

    SecureStack C2 Configuration Guide

    20-55

    show ip pimsm rp

    Parameters
    vlanid (Optional)DisplayallneighborsdiscoveredonaspecificInterface.

    Mode
    Anyroutermode.

    Defaults
    IftheVLANidisomitted,allneighborsoffallinterfaceswillbedisplayed.

    Example
    ThisexampleshowshowtodisplayPIMinformation:
    C2(su)->router> show ip pimsm neighbor NEIGHBOR TABLE IP Address Up Time (hh:mm:ss) ---------------- ---------192.168.30.2 01:36:41 192.168.6.1 01:36:41

    Vlan ID --------30 6

    Expiry Time (hh:mm:ss) -----------00:01:25 00:01:25

    Table 2011providesanexplanationofthecommandoutput. Table 20-11


    Output Field Vlan ID IP Address Up Time Expiry Time

    show ip pimsm neighbor Output Details


    What it displays VLAN id of the interface. The IP Address of the neighbor on an interface The time since this neighbor has become active on this interface. The expiry time of the neighbor on this interface.

    show ip pimsm rp
    ThiscommanddisplaysthePIMinformationforcandidateRendezvousPoints(RPs)forallIP multicastgroupsorforaspecificgroupaddress.Theinformationinthetableisdisplayedforeach IPmulticastgroup.

    Syntax
    show ip pimsm rp {group-address group-mask | all | candidate}

    Parameters
    groupaddress groupmask all candidate ThemulticastgroupIPaddress. Themulticastgroupaddresssubnetmask. Forallknowngroupaddresses. DisplayPIMSMcandidateRPtableinformation.

    20-56

    IPv4 Routing Protocol Configuration

    show ip pimsm rphash

    Defaults
    None.

    Mode
    Anyroutermode.

    Examples
    ThisexampleshowshowtodisplaytheRPsetforaspecificgroupaddress.
    C2(su)->router> show ip pimsm rp 224.0.0.0 240.0.0.0 RP SET TABLE Group Address Hold Time Expiry Time Component C-RP Priority (hh:mm:ss) (hh:mm:ss) --------- ---------- ----------- ---------- ----------- --------- ----------224.0.0.0 240.0.0.0 192.168.30.2 00:02:15 00:02:30 1 0 Group Mask Address

    Table 2012providesanexplanationofthecommandoutput. Table 20-12


    Output Field Group Address Group Mask Address Hold Time Expiry Time Component C-RP Priority

    show ip pimsm rp Output Details


    What it displays The address of the group for which the RP set is displayed. The mask of the group address. The IP address of the RP. The hold time of the RP. The minimum time remaining before the RP will be declared down. A number which uniquely identifies the component. Each protocol instance connected to a separate domain should have a different index value. The candidate-RP priority of the RP.

    ThisexampleshowshowtodisplaythecandidateRPsforeachgroupaddress.
    C2(su)->router> show ip pimsm rp candidate CANDIDATE RP TABLE Group Address Group Mask Address --------------- --------------- --------------224.0.0.0 240.0.0.0 192.168.30.2

    show ip pimsm rphash


    DisplaystheRendezvousPointrouterthatwillbeselectedfromthesetofactiveRProuters.The RProuter,forthegroup,isselectedbyusingthehashalgorithmdefinedinRFC2362.

    Syntax
    show ip pimsm rphash group-address

    SecureStack C2 Configuration Guide

    20-57

    show ip pimsm staticrp

    Parameters
    groupaddress TheGroupAddressfortheRP.

    Defaults
    None.

    Mode
    Anyroutermode.

    Example
    ThisexampleshowshowtodisplayRPthatwillbeselectedforgroupaddress224.0.0.0:
    C2(su)->router> show ip pimsm rphash 224.0.0.0 192.168.129.223

    show ip pimsm staticrp


    DisplaythePIMSMstaticRendezvousPointinformation.

    Syntax
    show ip pimsm staticrp

    Parameters
    None.

    Mode
    Anyroutermode.

    Defaults
    None.

    Example
    ThisexampleshowshowtodisplayPIMinformation.
    C2(su)->router# show ip pimsm staticrp STATIC RP TABLE Address Group Address Group Mask --------------- --------------- --------------123.231.111.121 234.0.0.0 255.0.0.0 192.168.129.223 224.0.0.0 240.0.0.0

    Table 2013providesanexplanationofthecommandoutput.

    20-58

    IPv4 Routing Protocol Configuration

    show ip mroute

    Table 20-13
    Output Field Address

    show ip pimsm staticrp Output Details


    What it displays The IP address of the RP. The group address supported by the RP. The group mask for the group address.

    Group Address Group Mask

    show ip mroute
    UsethiscommandtodisplaytheIPmulticastroutingtable.

    Syntax
    show ip mroute

    Parameters
    None.

    Defaults
    None.

    Mode
    Anyroutermode.

    Usage
    Themulticastroutingtableshowshowamulticastroutingprotocol,suchasPIMandDVMRP, willforwardamulticastpacket.Informationinthetableincludessourcenetwork/maskand upstreamneighbors. ForinformationaboutDVMRP,seeConfiguringDVMRPonpage2033.

    Example
    Thisexampleshowstheoutputofthiscommand.
    C2(su)->router#show ip mroute Active IP Multicast Sources Flags: D - Dense, S - Sparse, C - Connected, L - Local,P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,Outgoing interface flags: H - Hardware switched Timers: Uptime/Expires Interface state: Interface, Next-Hop or VCD, State/Mode Source Network : Source Mask : MultiCast Group : Uptime : Upstream Neighbor: Upstream Vlan : Downstream Vlans : Source Network Source Mask MultiCast Group Uptime : : : : 192.168.111.10 0.0.0.0 239.1.8.9 6336 0.0.0.0 111 8 192.168.111.10 0.0.0.0 239.1.7.105 6336

    SecureStack C2 Configuration Guide

    20-59

    show ip mroute

    Upstream Neighbor: 0.0.0.0 Upstream Vlan : 111 Downstream Vlans : 8 Source Network : Source Mask : MultiCast Group : Uptime : Upstream Neighbor: Upstream Vlan : Downstream Vlans : Source Network : Source Mask : MultiCast Group : Uptime : Upstream Neighbor: Upstream Vlan : Downstream Vlans : 192.168.111.10 0.0.0.0 239.1.8.169 6582 0.0.0.0 111 8 192.168.111.10 0.0.0.0 239.1.4.173 6582 0.0.0.0 111 8

    20-60

    IPv4 Routing Protocol Configuration

    21
    IPv6 Management
    ThischapterdescribestheswitchmodesetofcommandsusedtomanageIPv6.

    Purpose
    ToenableordisabletheIPv6managementfunction,toconfigureanddisplaytheIPv6host addressandIPv6gatewayfortheswitch,andtodisplayIPv6statusinformation.

    Commands
    For information about... show ipv6 status set ipv6 set ipv6 address show ipv6 address clear ipv6 address set ipv6 gateway clear ipv6 gateway show ipv6 neighbors show ipv6 netstat ping ipv6 traceroute ipv6 Refer to page... 21-1 21-2 21-3 21-4 21-4 21-5 21-6 21-6 21-7 21-8 21-9

    show ipv6 status


    UsethiscommandtodisplaythestatusoftheIPv6managementfunction.

    Syntax
    show ipv6 status

    Parameters
    None.

    SecureStack C2 Configuration Guide

    21-1

    set ipv6

    Defaults
    None.

    Mode
    Switchmode,readonly.

    Example
    ThisexampleshowshowtodisplayIPv6managementfunctionstatus.
    C2(ro)->show ipv6 status IPv6 Administrative Mode: Disabled

    set ipv6
    UsethiscommandtogloballyenableordisabletheIPv6managementfunction.

    Syntax
    set ipv6 {enable | disable}

    Parameters
    enable|disable EnableordisabletheIPv6managementfunction.

    Defaults
    Bydefault,IPv6managementisdisabled.

    Mode
    Switchmode,readwrite.

    Usage
    WhenyouenableIPv6managementontheswitch,thesystemautomaticallygeneratesalinklocal hostaddressfortheswitchfromthehostMACaddress.YoucansetadifferenthostIPv6address withthesetipv6addresscommand.

    Example
    ThisexampleshowshowtoenableIPv6management.
    C2(su)-> set ipv6 enable C2(su)->show ipv6 status IPv6 Administrative Mode: Enabled C2(su)->show ipv6 address Name IPv6 Address --------------------------------------------------host FE80::201:F4FF:FE5C:2880/64

    21-2

    IPv6 Management

    set ipv6 address

    set ipv6 address


    UsethiscommandtoconfigureIPv6globaladdressinginformation.

    Syntax
    set ipv6 address ipv6-addr/prefix-length [eui64]

    Parameters
    ipv6addr TheIPv6addressorprefixtobeconfigured.Thisparametermustbeinthe formdocumentedinRFC4291,withtheaddressspecifiedinhexadecimal using16bitvaluesbetweencolons. ThelengthoftheIPv6prefixforthisaddress.Thevalueofprefixlengthisa decimalnumberindicatingthenumberofhighordercontiguousbitsofthe addressthatcomprisethenetworkportionoftheaddress. (Optional)FormulatetheIPv6addressusinganEUI64IDinthelower order64bitsoftheaddress.

    prefixlength

    eui64

    Defaults
    NoglobalunicastIPv6addressisdefinedbydefault.

    Mode
    Switchmode,readwrite.

    Usage
    UsethiscommandtomanuallyconfigureaglobalunicastIPv6addressforIPv6management.You canspecifytheaddresscompletely,oryoucanusetheoptionaleui64parametertoallowthe switchtogeneratethelowerorder64bitsoftheaddress. Whenusingtheeui64parameter,youspecifyonlythenetworkprefixandlength.

    Examples
    ThisexampleshowshowtocompletelyspecifyanIPv6addressbyenteringall128bitsandthe prefix:
    C2(su)->set ipv6 address 2001:0db8:1234:5555::9876:2/64 C2(su)->show ipv6 address Name IPv6 Address --------------------------------------------------host FE80::201:F4FF:FE5C:2880/64 host 2001:DB8:1234:5555::9876:2/64

    Thisexampleshowshowtousetheeui64parametertoconfigurethelowerorder64bits:
    C2(su)->set ipv6 address 2001:0db8:1234:5555::/64 eui64 C2(su)->show ipv6 address Name IPv6 Address --------------------------------------------------host FE80::201:F4FF:FE5C:2880/64 host 2001:DB8:1234:5555:201:F4FF:FE5C:2880/64

    SecureStack C2 Configuration Guide

    21-3

    show ipv6 address

    show ipv6 address


    UsethiscommandtodisplaythesystemIPv6address(es)andIPv6gatewayaddress(default router),ifconfigured.

    Syntax
    show ipv6 address

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Usage
    ThiscommanddisplaystheIPv6addressesconfiguredautomaticallyandwiththesetipv6 addressandsetipv6gatewaycommands.

    Example
    ThisexampledisplaysthreeIPv6managementaddressesconfiguredfortheswitch.
    C2(su)->show ipv6 address Name IPv6 Address --------------------------------------------------host FE80::201:F4FF:FE5C:2880/64 host 2001:DB8:1234:5555:201:F4FF:FE5C:2880/64 gateway FE80::201:F4FF:FE5D:1234

    clear ipv6 address


    UsethiscommandtoclearIPv6globaladdresses.

    Syntax
    clear ipv6 [address {all|ipv6-addr/prefix-length}]

    Parameters
    ipv6addr TheIPv6addresstobecleared.Thisparametermustbeintheform documentedinRFC4291,withtheaddressspecifiedinhexadecimalusing 16bitvaluesbetweencolons. ThelengthoftheIPv6prefixforthisaddress.Thevalueofprefixlengthisa decimalnumberindicatingthenumberofhighordercontiguousbitsofthe addressthatcomprisethenetworkportionoftheaddress. DeletesallIPv6globaladdresses.

    prefixlength

    all

    Defaults
    Ifaddressisnotentered,allmanuallyconfiguredglobalIPv6addressesarecleared.
    21-4 IPv6 Management

    set ipv6 gateway

    Mode
    Switchmode,readwrite.

    Usage
    Thiscommandclearsaddressesmanuallyconfiguredwiththesetipv6addresscommand.Usethe clearipv6gatewaycommandtocleartheIPv6gatewayaddress.

    Example
    ThisexampleillustratesthatthiscommandclearsonlythoseIPv6addressesconfiguredwiththe setipv6addresscommand.Thelinklocaladdressforthehostinterfaceandthegatewayaddress arenotremovedwiththiscommand.
    C2(su)->show ipv6 address Name IPv6 Address --------------------------------------------------host FE80::201:F4FF:FE5C:2880/64 host 2001:DB8:1234:5555:201:F4FF:FE5C:2880/64 host 2001:DB8:1234:5555::9876:2/64 gateway FE80::201:F4FF:FE5D:1234 C2(su)->clear ipv6 address all C2(su)->show ipv6 address Name IPv6 Address --------------------------------------------------host FE80::201:F4FF:FE5C:2880/64 gateway FE80::201:F4FF:FE5D:1234

    set ipv6 gateway


    UsethiscommandtoconfiguretheIPv6gateway(defaultrouter)address.

    Syntax
    set ipv6 gateway ipv6-addr

    Parameters
    ipv6addr TheIPv6addresstobeconfigured.Theaddresscanbeaglobalunicastor linklocalIPv6address,intheformdocumentedinRFC4291,withthe addressspecifiedinhexadecimalusing16bitvaluesbetweencolons.

    Defaults
    None.

    Mode
    Switchmode,readwrite.

    Usage
    ThiscommandconfigurestheIPv6gatewayaddress.OnlyoneIPv6gatewayaddresscanbe configuredfortheswitch,soexecutingthiscommandwhenagatewayaddresshasalreadybeen configuredwilloverwritethepreviouslyconfiguredaddress.

    SecureStack C2 Configuration Guide

    21-5

    clear ipv6 gateway

    Usetheshowipv6addresscommandtodisplayaconfiguredIPv6gatewayaddress.

    Example
    ThisexampleshowshowtoconfigureanIPv6gatewayaddressusingalinklocaladdress.
    C2(su)->set ipv6 gateway fe80::201:f4ff:fe5d:1234 C2(su)->show ipv6 address Name IPv6 Address --------------------------------------------------host FE80::201:F4FF:FE5C:2880/64 gateway FE80::201:F4FF:FE5D:1234

    clear ipv6 gateway


    UsethiscommandtoclearanIPv6gatewayaddress.

    Syntax
    clear ipv6 gateway

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchmode,readwrite.

    Example
    ThisexampleshowshowtoremoveaconfiguredIPv6gatewayaddress.
    C2(su)->show ipv6 address Name IPv6 Address --------------------------------------------------host FE80::201:F4FF:FE5C:2880/64 gateway FE80::201:F4FF:FE5D:1234 C2(su)->clear ipv6 gateway C2(su)->show ipv6 address Name IPv6 Address --------------------------------------------------host FE80::201:F4FF:FE5C:2880/64

    show ipv6 neighbors


    UsethiscommandtodisplaythesystemIPv6NeighborDiscoveryProtocolcache.

    Syntax
    show ipv6 neighbors

    21-6

    IPv6 Management

    show ipv6 netstat

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowsexampleoutputofthiscommand.
    C2(su)->show ipv6 neighbors Last IPv6 Address MAC Address isRtr State Updated --------------------------------------- ----------------- ----- ------- ------2001:db8:1234:6666::2310:3 00:04:76:73:42:31 True Reachable 00:01:16

    show ipv6 netstat


    UsethiscommandtodisplayIPv6netstatinformation.

    Syntax
    show ipv6 netstat

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowstheoutputofthiscommand.
    C2(su)->show ipv6 netstat Prot Local Address Foreign Address ---- -------------------------------------------TCP 3333::211:88FF:FE59:4424.22 2020::D480:1384:F58C:B114.1049 TCP 3333::211:88FF:FE59:4424.443 2020::D480:1384:F58C:B114.1056 TCP ::.23 ::.* TCP 3333::211:88FF:FE59:4424.22 2020::D480:1384:F58C:B114.1050 TCP 3333::211:88FF:FE59:4424.22 3333::2117:F1C0:90B:910D.1045 TCP ::.80 State ----------ESTABLISHED TIME_WAIT LISTEN ESTABLISHED ESTABLISHED LISTEN

    SecureStack C2 Configuration Guide

    21-7

    ping ipv6

    TCP

    ::.* ::.22 ::.* 3333::211:88FF:FE59:4424.80 2020::D480:1384:F58C:B114.1053 3333::211:88FF:FE59:4424.80 2020::D480:1384:F58C:B114.1054 ::.443 ::.* 3333::211:88FF:FE59:4424.22 2020::D480:1384:F58C:B114.1048 3333::211:88FF:FE59:4424.443 2020::D480:1384:F58C:B114.1055

    LISTEN

    TCP TCP TCP TCP TCP

    ESTABLISHED ESTABLISHED LISTEN ESTABLISHED TIME_WAIT

    ping ipv6
    UsethiscommandtotestroutingnetworkconnectivitybysendingIPpingrequests.

    Syntax
    ping ipv6-addr [size num]

    Parameters
    ipv6addr SpecifiestheIPv6addressofthesystemtoping.Entertheaddressinthe formdocumentedinRFC4291,withtheaddressspecifiedinhexadecimal using16bitvaluesbetweencolons. (Optional)Specifiesthesizeofthedatagrampacket.Thevalueofnumcan rangefrom48to2048bytes.

    sizenum

    Defaults
    None.

    Mode
    Switchmode,readwrite.

    Usage
    Thiscommandisalsoavailableinroutermode.

    Examples
    ThisexampleshowsoutputfromasuccessfulpingtoIPv6address2001:0db8:1234:5555::1234:1.
    C2(su)->ping ipv6 2001:0db8:1234:5555::1234:1 2001:DB8:1234:5555::1234:1 is alive

    ThisexampleshowsoutputfromanunsuccessfulpingtoIPv6address 2001:0db8:1234:5555::1234:1.
    C2(su)->ping ipv6 2001:0db8:1234:5555::1234:1 no answer from 2001:DB8:1234:5555::1234:1

    21-8

    IPv6 Management

    traceroute ipv6

    traceroute ipv6
    Usethiscommandtodiscovertheroutesthatpacketsactuallytakewhentravelingtotheir destinationthroughthenetworkonahopbyhopbasis.

    Syntax
    traceroute ipv6 ipv6-addr

    Parameters
    ipv6addr SpecifiesahosttowhichtherouteofanIPv6packetwillbetraced.Enterthe addressintheformdocumentedinRFC4291,withtheaddressspecifiedin hexadecimalusing16bitvaluesbetweencolons.

    Defaults
    None.

    Mode
    Switchmode,readwrite.

    Usage
    Thiscommandisalsoavailableinroutermode.

    Example
    Thisexampleshowshowtousetraceroutetodisplayaroundtrippathtohost
    2001:0db8:1234:5555 C2(su)->router#traceroute ipv6 2001:0db8:1234:5555::1 Traceroute to 2001:0db8:1234:5555, 30 hops max, 40 byte packets 1 2001:0db8:1234:5555 1.000000e+00 ms 1.000000e+00 ms

    1.000000e+00 ms

    SecureStack C2 Configuration Guide

    21-9

    traceroute ipv6

    21-10

    IPv6 Management

    22
    IPv6 Proxy Routing
    ThischapterdescribesthecommandsusedtoenableIPv6proxyroutingandthesuggested proceduretoconfigureamixedC2andC3stacktouseIPv6proxyrouting.
    For information about... Overview Preparing a Mixed Stack for IPv6 Proxy Routing Commands Refer to page... 22-1 22-2 22-3

    Overview
    IPv6proxyroutingallowsamixedC2/C3stacktosupportsomeIPv6routingfunctionality.When IPv6proxyroutingisenabled,alltheswitchesinthestackcansupportIPv6unicastroutingand IPv6tunneling.YoucanconfigureportbasedandVLANbasedIPv6routinginterfacesonanyC2 orC3stackunit.ThereisnochangeinexistingIPv4routingcapabilities. Sincethisisafunctionthatexistsonlyinamixedstack,itisimplementedonlyintheC2firmware, release5.01andlater.ForIPv6proxyroutingtoexistinthestack,aC3unitmustrunasthe managerofthestack.Tofacilitatethis,thestackmanagerpreferenceofC3unitsshouldbesettoa highervaluethanC2units.IfaC3unitisaddedtoanallC2stack,youmustmovethemanagerto aC3unittousethisfeature. MultipleC3unitscanexistinthemixedstack.AlltheC3unitsinthemixedstackwill independentlyperformhardwareIPv6routing/tunneling.ThemanagerC3unitwilltransparently dothehardwareIPv6routing/tunnelingforalltheC2units. WhenIPv6proxyroutingisenabled,theC2beingconfiguredforrouting/tunneling(calledthe proxyclient)isconfiguredtoredirecttheroutedIPV6/Tunnelingpacketstooneofthestacking portsoftheC3stackmanager(calledtheproxyserver).TheC2isonlyconfigurediftheproxy featureisalreadyenabledonthestack.ItshouldbenotedthatonlyIPv6packetswitha destinationMACoftherouterMACofthesystemareredirectedtotheproxyserver. Ontheproxyserver,allincomingpacketstothestackingportswithadestinationofoneofthe stackingportswillbeprocessedthroughL2andL3switchinglogic.Ifthedestinationportisnot oneofthestackingports(notanIPv6packet),thentheincomingpacketisforwardedbasedon headerinformation. Thisfeatureisdisabledbydefault. InordertousetheOSPF,PIM,DVMRP,orVRRPprotocols,youmusthavepurchasedand installedtheC2advancedroutinglicense.

    SecureStack C2 Configuration Guide

    22-1

    Preparing a Mixed Stack for IPv6 Proxy Routing

    Limitations
    Proxyroutingwilluseuptotwomasksinthefastforwardingprocessorassociatedwitheach portinvolvedinroutingofIPv6packets.Thiswillrequirerestrictionsontheuseofpolicy whenproxyroutingisenabled. AllIPv6packetsingressingoregressingaC2portmustbesentoverthestacktotheC3stack master.LimitedstackbandwidthandtheamountofIPv6trafficmustbecarefullyconsidered whenconfiguringmultipleC2portsforIPv6routing. IfthestackmastermovesfromaC3unittoaC2unitinthestack,proxyroutingwillnolonger beavailable.Toensurethatproxyroutingcontinuestooperateintheeventofafailover,C3 unitsmustbeconfiguredtobepreferredwhenanewmasteriselected.

    Preparing a Mixed Stack for IPv6 Proxy Routing


    AtleasttwoC3switchesshouldbeaddedtoaC2stack,formanagementredundancy. AsinanymixedC2/C3mixedstack,theC2firmware(release5.01orlater)mustbeinstalledonthe C3switches.RefertoIssuesRelatedtoMixedTypeStacksonpage 25foradditional information. IfyouareaddingtheC3switchestoanexistingC2stack,makeoneoftheC3switchesthestack manager.Forexample,ifthecurrentstackmanagerisunit1andtheC3switchthatyouwantto becomemanagerisunit7:
    C2(su)->set switch movemenagement 1 7 Moving stack management will unconfigure entire stack including all interfaces. Are you sure you want to move stack management? (y/n) y

    SetthemanagementpriorityoftheC3switchestobehigherthanthatoftheC2switches.For example,ifyourC3switchesareunits7and8,andyouwanttheunit7C3switchtoalways becomethemanagerandtheunit8C3switchtobethebackupmanager:


    C2(su)->set switch 7 priority 15 C2(su)->set switch 8 priority 13

    Usetheshowswitchunitcommandtodisplayswitchpriority(AdminManagementPreference).
    C2(su)->show switch 7 Switch Management Status Hardware Management Preference Admin Management Preference Switch Type Preconfigured Model Identifier Plugged-in Model Identifier Switch Status Switch Family Switch Description Detected Code Version Detected Code in Flash Detected Code in Back Image Up Time 05.02.00.0031 05.02.00.0031 05.01.06.0006 0 days 0 hrs 13 mins 9 secs 7 Management Switch Unassigned 15 C3G124-48 C3G124-48 C3G124-48 OK XGS3

    22-2

    IPv6 Proxy Routing

    Commands

    Commands
    For information about... ipv6 proxy-routing show ipv6 proxy-routing Refer to page... 22-3 22-3

    ipv6 proxy-routing
    UsethiscommandtoenableordisableIPv6proxyroutingonamixedC2/C3stack.

    Syntax
    ipv6 proxy-routing no ipv6 proxy-routing

    Parameters
    None.

    Defaults
    IPv6proxyroutingisdisabledbydefault.

    Mode
    Routerglobalconfiguration:C2(su)>router(Config)#

    Usage
    IPv6proxyroutingisdisabledbydefault.ItmustbeenabledwiththiscommandbeforetheC2 switchesinthestackwillstartredirectingroutedIPv6/tunnelingpacketstotheC3proxyserver. UsesthenoformofthiscommandtodisableIPv6proxyrouting.

    Example
    ThisexampleenablesIPv6proxyrouting.
    c2(su)->router c2(su)->router>enable c2(su)->router#config Enter configuration commands: c2(su)->router(Config)#ipv6 proxy-routing

    show ipv6 proxy-routing


    UsethiscommandtodisplaythestatusofIPv6proxyrouting.

    Syntax
    show ipv6 proxy-routing

    Parameters
    None.
    SecureStack C2 Configuration Guide 22-3

    show ipv6 proxy-routing

    Defaults
    None.

    Mode
    Anyroutingmode.

    Example
    ThisexampleshowstheoutputofthiscommandwhenIPv6proxyroutingisdisabled.
    c2(su)->router(Config)#show ipv6 proxy-routing IPv6 Proxy Routing Mode................................... Disable

    22-4

    IPv6 Proxy Routing

    23
    Authentication and Authorization Configuration
    Thischapterdescribestheauthenticationandauthorizationcommandsandhowtousethem.
    For information about... Overview of Authentication and Authorization Methods Configuring RADIUS Configuring 802.1X Authentication Configuring MAC Authentication Configuring Multiple Authentication Methods Configuring VLAN Authorization (RFC 3580) Configuring MAC Locking Configuring Port Web Authentication (PWA) Configuring Secure Shell (SSH) Configuring Access Lists Refer to page... 23-1 23-3 23-11 23-21 23-33 23-45 23-50 23-61 23-73 23-75

    Overview of Authentication and Authorization Methods


    Thefollowingmethodsareavailableforcontrollingwhichusersareallowedtoaccess,monitor, andmanagetheswitch. LoginuseraccountsandpasswordsusedtologintotheCLIviaaTelnetconnectionorlocal COMportconnection.Fordetails,refertoSettingUserAccountsandPasswordson page 32. HostAccessControlAuthentication(HACA)authenticatesuseraccessofTelnet management,consolelocalmanagementandWebViewviaacentralRADIUSClient/Server application.WhenRADIUSisenabled,thisessentiallyoverridesloginuseraccounts.When HACAisactiveperavalidRADIUSconfiguration,theusernamesandpasswordsusedto accesstheswitchviaTelnet,SSH,WebView,andCOMportswillbevalidatedagainstthe configuredRADIUSserver.OnlyinthecaseofaRADIUStimeoutwillthosecredentialsbe comparedagainstcredentialslocallyconfiguredontheswitch.Fordetails,referto ConfiguringRADIUSonpage 233. SNMPuserorcommunitynamesallowsaccesstotheSecureStackC2switchviaanetwork SNMPmanagementapplication.Toaccesstheswitch,youmustenteranSNMPuseror communitynamestring.Thelevelofmanagementaccessisdependentontheassociated accesspolicy.Fordetails,refertoChapter 8.

    SecureStack C2 Configuration Guide

    23-1

    Overview of Authentication and Authorization Methods

    802.1XPortBasedNetworkAccessControlusingEAPOL(ExtensibleAuthenticationProtocol) providesamechanismviaaRADIUSserverforadministratorstosecurelyauthenticateand grantappropriateaccesstoenduserdevicescommunicatingwithSecureStackC2ports.For detailsonusingCLIcommandstoconfigure802.1X,refertoConfiguring802.1X Authenticationonpage 2311.


    Note: To configure EAP pass-through, which allows client authentication packets to be forwarded through the switch to an upstream device, 802.1X authentication must be globally disabled with the set dot1x command.

    MACAuthenticationprovidesamechanismforadministratorstosecurelyauthenticate sourceMACaddressesandgrantappropriateaccesstoenduserdevicescommunicatingwith SecureStackC2ports.Fordetails,refertoConfiguringMACAuthenticationonpage 2321. MultipleAuthenticationMethodsallowsuserstoauthenticateusingmultiplemethodsof authenticationonthesameport.Fordetails,refertoConfiguringMultipleAuthentication Methodsonpage 2333. MultiUserAuthenticationUser+IPPhone.TheUser+IPPhoneauthenticationfeature supportsauthenticationandauthorizationoftwodevices,specificallyaPCcascadedwithan IPphone,onasingleportontheC2.TheIPphonemustauthenticateusingMACor802.1X authentication,buttheusermayauthenticatebyanymethod.Thisfeatureallowsboththe usersPCandIPphonetosimultaneouslyauthenticateonasingleportandeachreceivea uniquelevelofnetworkaccess.Fordetails,refertoConfiguringMultiUserAuthentication (User+IPphone)onpage 2333. RFC3580TunnelAttributesprovideamechanismtocontainan802.1XauthenticatedorMAC authenticatedusertoaVLANregardlessofthePVID.Uptosixuserscanbeconfiguredper Gigabitport.RefertoConfiguringVLANAuthorization(RFC3580)onpage 2345.
    Notes: The C2 supports up to six authenticated users per port. The C2 cannot simultaneously support Policy and RFC 3580 on the same port. If multiple users are configured to use a port, and the C2 is then switched from "policy" mode to "tunnel" mode (RFC3580 VLAN to port mapping), the total number of users supported to use a port will be reset to one. RFC-3580 VLAN authorization is not supported by PWA authentication.

    MACLockinglocksaporttooneormoreMACaddresses,preventingtheuseof unauthorizeddevicesandMACspoofingontheportFordetails,refertoConfiguringMAC Lockingonpage 2350. PortWebAuthentication(PWA)passesalllogininformationfromtheendstationtoa RADIUSserverforauthenticationbeforeallowingausertoaccessthenetwork.PWAisan alternativeto802.1XandMACauthentication.Fordetails,refertoConfiguringPortWeb Authentication(PWA)onpage 2361. SecureShell(SSH)providessecureTelnet.Fordetails,refertoConfiguringSecureShell (SSH)onpage 2373. IPAccessLists(ACLs)permitsordeniesaccesstoroutinginterfacesbasedonprotocoland inboundand/oroutboundIPaddressrestrictionsconfiguredinaccesslists.Fordetails,referto ConfiguringAccessListsonpage 2375.

    RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment


    IfyouconfigureanauthenticationmethodthatrequirescommunicationwithaRADIUSserver, youcanusetheRADIUSFilterIDattributetodynamicallyassignapolicyprofileand/or managementleveltoauthenticatingusersand/ordevices.

    23-2

    Authentication and Authorization Configuration

    Configuring RADIUS

    TheRADIUSFilterIDattributeissimplyastringthatisformattedintheRADIUSAccessAccept packetsentbackfromtheRADIUSservertotheswitchduringtheauthenticationprocess. EachusercanbeconfiguredintheRADIUSserverdatabasewithaRADIUSFilterIDattribute thatspecifiesthenameofthepolicyprofileand/ormanagementleveltheusershouldbeassigned uponsuccessfulauthentication.Duringtheauthenticationprocess,whentheRADIUSserver returnsaRADIUSAccessAcceptmessagethatincludesaFilterIDmatchingapolicyprofilename configuredontheswitch,theswitchthendynamicallyappliesthepolicyprofiletothephysical porttheuser/deviceisauthenticatingon.

    Filter-ID Attribute Formats


    EnterasysNetworkssupportstwoFilterIDformatsdecoratedandundecorated.The decoratedformathasthreeforms: Tospecifythepolicyprofiletoassigntotheauthenticatinguser(networkaccess authentication): Enterasys:version=1:policy=string wherestringspecifiesthepolicyprofilename.Policyprofilenamesarecasesensitive. Tospecifyamanagementlevel(managementaccessauthentication): Enterasys:version=1:mgmt=level wherelevelindicatesthemanagementlevel,eitherro,rw,orsu. Tospecifybothmanagementlevelandpolicyprofile: Enterasys:version=1:mgmt=level:policy=string Theundecoratedformatissimplyastringthatspecifiesapolicyprofilename.Theundecorated formatcannotbeusedformanagementaccessauthentication. DecoratedFilterIDsareprocessedfirstbytheswitch.IfnodecoratedFilterIDsarefound,then undecoratedFilterIDsareprocessed.IfmultipleFilterIDsarefoundthatcontainconflicting values,aSyslogmessageisgenerated.

    Configuring RADIUS
    Purpose
    Toperformthefollowing: ReviewtheRADIUSclient/serverconfigurationontheswitch. EnableordisabletheRADIUSclient. Setlocalandremoteloginoptions. Setprimaryandsecondaryserverparameters,includingIPaddress,timeoutperiod, authenticationrealm,andnumberofuserloginattemptsallowed. ResetRADIUSserversettingstodefaultvalues. ConfigureaRADIUSaccountingserver.

    SecureStack C2 Configuration Guide

    23-3

    show radius

    Commands
    For information about... show radius set radius clear radius show radius accounting set radius accounting clear radius accounting Refer to page... 23-4 23-5 23-7 23-7 23-8 23-9

    show radius
    UsethiscommandtodisplaythecurrentRADIUSclient/serverconfiguration.

    Syntax
    show radius [status | retries | timeout | server [index | all]]

    Parameters
    status retries timeout server index|all (Optional)DisplaystheRADIUSserversenablestatus. (Optional)DisplaysthenumberofretryattemptsbeforetheRADIUSserver timesout. (Optional)Displaysthemaximumamountoftime(inseconds)toestablish contactwiththeRADIUSserverbeforeretryattemptsbegin. (Optional)DisplaysRADIUSserverconfigurationinformation. Forusewiththeserverparametertoshowserverconfigurationforall serversoraspecificRADIUSserverasdefinedbyanindex.

    Defaults
    Ifnoparametersarespecified,allRADIUSconfigurationinformationwillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayRADIUSconfigurationinformation:
    C2(rw)->show radius RADIUS status: Enabled RADIUS retries: 3 RADIUS timeout: 20 seconds RADIUS Server IP Address ----------------------10 172.16.20.10

    Auth-Port --------1812

    Realm-Type ----------------management-access

    Table 231providesanexplanationofthecommandoutput.

    23-4

    Authentication and Authorization Configuration

    set radius

    Table 23-1
    Output Field

    show radius Output Details


    What It Displays... Whether RADIUS is enabled or disabled. Number of retry attempts before the RADIUS server times out. The default value of 3 can be reset using the set radius command as described in set radius on page 23-5. Maximum amount of time (in seconds) to establish contact with the RADIUS server before retry attempts begin. The default value of 20 can be reset using the set radius command as described in set radius on page 23-5. RADIUS servers index number, IP address, and UDP authentication port. Realm defines who has to go through the RADIUS server for authentication. Management-access: This means that anyone trying to access the switch (Telnet, SSH, Local Management) has to authenticate through the RADIUS server. Network-access: This means that all the users have to authenticate to a RADIUS server before they are allowed access to the network. Any-access: Means that both Management-access and Network-access have been enabled.

    RADIUS status RADIUS retries

    RADIUS timeout

    RADIUS Server Realm-Type

    set radius
    Usethiscommandtoenable,disable,orconfigureRADIUSauthentication.

    Syntax
    set radius {enable | disable} | {retries number-of-retries} | {timeout timeout} | {server index ip-address port [secret-value] [realm {management-access | any | network-access}} | {realm {management-access | any | network-access} {index| all}}

    Parameters
    enable|disable retriesnumberof retries timeouttimeout EnablesordisablestheRADIUSclient. SpecifiesthenumberofretryattemptsbeforetheRADIUSservertimesout. Validvaluesarefrom0to10.Defaultis3. Specifiesthemaximumamountoftime(inseconds)toestablishcontact withtheRADIUSserverbeforeretryattemptsbegin.Validvaluesarefrom1 to30.Defaultis20seconds. Specifiestheindexnumber,IPaddressandtheUDPauthenticationportfor theRADIUSserver. (Optional)Specifiesanencryptionkeytobeusedforauthentication betweentheRADIUSclientandserver.

    serverindex ip_addressport secretvalue

    SecureStack C2 Configuration Guide

    23-5

    set radius

    realm management access|any| networkaccess

    RealmallowsyoutodefinewhohastogothroughtheRADIUSserverfor authentication. managementaccess:Thismeansthatanyonetryingtoaccesstheswitch (Telnet,SSH,LocalManagement)hastoauthenticatethroughthe RADIUSserver. networkaccess:Thismeansthatalltheusershavetoauthenticatetoa RADIUSserverbeforetheyareallowedaccesstothenetwork. any:Meansthatbothmanagementaccessandnetworkaccesshave beenenabled.

    Note: If the management-access or any access realm has been configured, the local admin account is disabled for access to the switch using the console, Telnet, or Local Management. Only the network-access realm allows access to the local admin account.

    index|all

    Appliestherealmsettingtoaspecificserverortoallservers.

    Defaults
    Ifsecretvalueisnotspecified,nonewillbeapplied. Ifrealmisnotspecified,theanyaccessrealmwillbeused.

    Mode
    Switchcommand,readwrite.

    Usage
    TheSecureStackC2deviceallowsupto10RADIUSaccountingserverstobeconfigured,withup totwoserversactiveatanygiventime. TheRADIUSclientcanonlybeenabledontheswitchonceaRADIUSserverisonline,anditsIP address(es)hasbeenconfiguredwiththesamepasswordtheRADIUSclientwilluse.
    Note: If RADIUS is configured with no host IP address on the device, it will use the loopback interface 0 IP address (if it has been configured) as its source for the NAS-IP attribute. For information about configuring loopback interfaces, refer to interface on page 19-2.

    Examples
    ThisexampleshowshowtoenabletheRADIUSclientforauthenticatingwithRADIUSserver1at IPaddress192.168.6.203,UDPauthenticationport1812,andanauthenticationpasswordof pwsecret.Aspreviouslynoted,theserversecretpasswordenteredheremustmatchthat alreadyconfiguredastheReadWrite(rw)passwordontheRADIUSserver:
    C2(su)->set radius server 1 192.168.6.203 1812 pwsecret

    ThisexampleshowshowtosettheRADIUStimeoutto5seconds:
    C2(su)->set radius timeout 5

    ThisexampleshowshowtosetRADIUSretriesto10:
    C2(su)->set radius retries 10

    23-6

    Authentication and Authorization Configuration

    clear radius

    Thisexampleshowshowtoforceanymanagementaccesstotheswitch(Telnet,web,SSH)to authenticatethroughaRADIUSserver.Theallparameterattheendofthecommandmeansthat anyofthedefinedRADIUSserverscanbeusedforthisAuthentication.


    C2(rw)->set radius realm management-access all

    clear radius
    UsethiscommandtoclearRADIUSserversettings.

    Syntax
    clear radius [retries] | [timeout] | [server {index | all | realm {index | all}}]

    Parameters
    retries timeout server index|all realm ResetsthemaximumnumberofattemptsausercancontacttheRADIUS serverbeforetimingoutto3. ResetsthemaximumamountoftimetoestablishcontactwiththeRADIUS serverbeforetimingoutto20seconds. Deletesserversettings. Forusewiththeserverparametertocleartheserverconfigurationforall serversoraspecificRADIUSserverasdefinedbyanindex. ResetstherealmsettingforallserversoraspecificRADIUSserveras definedbyanindex.

    Mode
    Switchcommand,readwrite.

    Defaults
    None.

    Examples
    ThisexampleshowshowtoclearallsettingsonallRADIUSservers:
    C2(su)->clear radius server all

    ThisexampleshowshowtoresettheRADIUStimeouttothedefaultvalueof20seconds:
    C2(su)->clear radius timeout

    show radius accounting


    UsethiscommandtodisplaytheRADIUSaccountingconfiguration.Thistransmitsaccounting informationbetweenanetworkaccessserverandasharedaccountingserver.

    Syntax
    show radius accounting [server] | [counter ip-address] | [retries] | [timeout]

    SecureStack C2 Configuration Guide

    23-7

    set radius accounting

    Parameters
    server counteripaddress retries timeout (Optional)DisplaysoneorallRADIUSaccountingserverconfigurations. (Optional)DisplayscountersforaRADIUSaccountingserver. (Optional)Displaysthemaximumnumberofattemptstocontactthe RADIUSaccountingserverbeforetimingout. (Optional)Displaysthemaximumamountoftimebeforetimingout.

    Mode
    Switchcommand,readonly.

    Defaults
    Ifnoparametersarespecified,allRADIUSaccountingconfigurationinformationwillbe displayed.

    Example
    ThisexampleshowshowtodisplayRADIUSaccountingconfigurationinformation.Inthiscase, RADIUSaccountingisnotcurrentlyenabledandglobaldefaultsettingshavenotbeenchanged. Oneserverhasbeenconfigured. FordetailsonenablingandconfiguringRADIUSaccounting,refertosetradiusaccountingon page 238:
    C2(ro)->show radius accounting RADIUS accounting status: Disabled RADIUS Acct Server IP Address Acct-Port Retries Timeout Status ------------------ ---------- --------- ------- ------- -----1 172.16.2.10 1856 3 20 Disabled

    set radius accounting


    UsethiscommandtoconfigureRADIUSaccounting.

    Syntax
    set radius accounting {[enable | disable] [retries retries] [timeout timeout] [server ip_address port [server-secret]

    Parameters
    enable|disable retriesretries EnablesordisablestheRADIUSaccountingclient. SetsthemaximumnumberofattemptstocontactaspecifiedRADIUS accountingserverbeforetimingout.Validretryvaluesare010.

    23-8

    Authentication and Authorization Configuration

    clear radius accounting

    timeouttimeout

    Setsthemaximumamountoftime(inseconds)toestablishcontactwitha specifiedRADIUSaccountingserverbeforetimingout.Validtimeout valuesare130. Specifiestheaccountingservers: IPaddress UDPauthenticationport(065535) serversecret(ReadWritepasswordtoaccessthisaccountingserver. Devicewillpromptforthisentryuponcreatingaserverinstance,as shownintheexamplebelow.)

    serverip_address portserversecret

    Mode
    Switchcommand,readwrite.

    Defaults
    None.

    Examples
    ThisexampleshowshowtoenabletheRADIUSaccountingclientforauthenticatingwiththe accountingserveratIPaddress10.2.4.12,UDPauthenticationport1800.Aspreviouslynoted,the serversecretpasswordenteredheremustmatchthatalreadyconfiguredastheReadWrite(rw) passwordontheRADIUSaccountingserver:
    C2(su)->set radius accounting server 10.2.4.12 1800 Enter secret: Re-enter secret:

    ThisexampleshowshowtosettheRADIUSaccountingtimeoutto30seconds:
    C2(su)->set radius accounting timeout 30

    ThisexampleshowshowtosetRADIUSaccountingretriesto10:
    C2(su)->set radius accounting retries 10

    clear radius accounting


    UsethiscommandtoclearRADIUSaccountingconfigurationsettings.

    Syntax
    clear radius accounting {server ip-address | retries | timeout | counter}

    Parameters
    serveripaddress retries timeout counter Clearstheconfigurationononeormoreaccountingservers. Resetstheretriestothedefaultvalueof3. Resetsthetimeoutto5seconds. Clearscounters.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    23-9

    clear radius accounting

    Defaults
    None.

    Example
    ThisexampleshowshowtoresettheRADIUSaccountingtimeoutto5seconds.
    C2(su)->clear radius accounting timeout

    23-10

    Authentication and Authorization Configuration

    Configuring 802.1X Authentication

    Configuring 802.1X Authentication


    Purpose
    Toreviewandconfigure802.1XauthenticationforoneormoreportsusingEAPOL(Extensible AuthenticationProtocol).802.1Xcontrolsnetworkaccessbyenforcinguserauthorizationon selectedports,whichresultsinallowingordenyingnetworkaccessaccordingtoRADIUSserver configuration.
    Note: To configure EAP pass-through, which allows client authentication packets to be forwarded through the switch to an upstream device, 802.1X authentication must be globally disabled with the set dot1x command (set dot1x on page 23-14).

    Commands
    For information about... show dot1x show dot1x auth-config set dot1x set dot1x auth-config clear dot1x auth-config show eapol set eapol clear eapol Refer to page... 23-11 23-13 23-14 23-15 23-16 23-17 23-19 23-19

    show dot1x
    Usethiscommandtodisplay802.1Xstatus,diagnostics,statistics,andreauthenticationor initializationcontrolinformationforoneormoreports.

    Syntax
    show dot1x [auth-diag] [auth-stats] [port [init | reauth]] [port-string]

    Parameters
    authdiag authstats portinit|reauth portstring (Optional)Displaysauthenticationdiagnosticsinformation. (Optional)Displaysauthenticationstatistics. (Optional)Displaysthestatusofportinitializationandreauthentication controlfortheport. (Optional)Displaysinformationforspecificport(s).Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    Defaults
    Ifnoparametersarespecified,802.1Xstatuswillbedisplayed.

    SecureStack C2 Configuration Guide

    23-11

    show dot1x

    Ifportstringisnotspecified,informationforallportswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Examples
    Thisexampleshowshowtodisplay802.1Xstatus:
    C2(su)->show dot1x DOT1X is disabled.

    Thisexampleshowshowtodisplayauthenticationdiagnosticsinformationforfe.1.1:
    C2(su)->show dot1x auth-diag fe.1.1 Port : 1 Auth-Diag Enter Connecting: EAP Logoffs While Connecting: Enter Authenticating: Success While Authenticating Timeouts While Authenticating: Fails While Authenticating: ReAuths While Authenticating: EAP Starts While Authenticating: EAP logoff While Authenticating: Backend Responses: Backend Access Challenges: Backend Others Requests To Supp: Backend NonNak Responses From: Backend Auth Successes: Backend Auth Fails:

    0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

    Thisexampleshowshowtodisplayauthenticationstatisticsforfe.1.1:
    C2(su)->show dot1x auth-stats Port: 1 Auth-Stats EAPOL Frames Rx: EAPOL Frames Tx: EAPOL Start Frames Rx: EAPOL Logoff Frames Rx: EAPOL RespId Frames Rx: EAPOL Resp Frames Rx: EAPOL Req Frames Tx: EAP Length Error Frames Rx: Last EAPOL Frame Version: Last EAPOL Frame Source:

    fe.1.1
    0 0 0 0 0 0 0 0 0 00:00:00:00:00:00

    Thisexampleshowshowtodisplaythestatusofportreauthenticationcontrolforfe.1.1through fe.1.6:
    C2(su)->show dot1x port reauth fe.1.1-6 Port 1: Port reauthenticate: FALSE Port 2: Port reauthenticate: FALSE Port 3: Port reauthenticate: FALSE Port 4: Port reauthenticate: FALSE Port 5: Port reauthenticate: FALSE Port 6: Port reauthenticate: FALSE

    23-12

    Authentication and Authorization Configuration

    show dot1x auth-config

    show dot1x auth-config


    Usethiscommandtodisplay802.1Xauthenticationconfigurationsettingsforoneormoreports.

    Syntax
    show dot1x auth-config [authcontrolled-portcontrol] [maxreq] [quietperiod] [reauthenabled] [reauthperiod] [servertimeout] [supptimeout] [txperiod] [port-string]

    Parameters
    authcontrolled portcontrol maxreq quietperiod reauthenabled reauthperiod servertimeout supptimeout txperiod portstring (Optional)DisplaysthecurrentvalueofthecontrolledPortcontrol parameterfortheport. (Optional)Displaysthevaluesetformaximumrequestscurrentlyinuseby thebackendauthenticationstatemachine. (Optional)Displaysthevaluesetforquietperiodcurrentlyinusebythe authenticatorPAEstatemachine. (Optional)Displaysthestateofreauthenticationcontrolusedbythe ReauthenticationTimerstatemachine. (Optional)Displaysthevalue,inseconds,setforthereauthentication periodusedbythereauthenticationtimerstatemachine. (Optional)Displaystheservertimeoutvalue,inseconds,currentlyinuse bythebackendauthenticationstatemachine. (Optional)Displaystheauthenticationsupplicanttimeoutvalue,in seconds,currentlyinusebythebackendauthenticationstatemachine. (Optional)Displaysthetransmissionperiodvalue,inseconds,currentlyin usebytheauthenticatorPAEstatemachine. (Optional)Limitsthedisplayofdesiredinformationinformationtospecific port(s).Foradetaileddescriptionofpossibleportstringvalues,referto PortStringSyntaxUsedintheCLIonpage 72.

    Defaults
    Ifnoparametersarespecified,all802.1Xsettingswillbedisplayed. Ifportstringisnotspecified,informationforallportswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Examples
    ThisexampleshowshowtodisplaytheEAPOLportcontrolmodeforfe.1.1:
    C2(su)->show dot1x auth-config authcontrolled-portcontrol fe.1.1 Port 1: Auth controlled port control: Auto

    Thisexampleshowshowtodisplaythe802.1Xquietperiodsettingsforfe.1.1:
    C2(su)->show dot1x auth-config quietperiod fe.1.1 Port 1: Quiet period: 30

    Thisexampleshowshowtodisplayall802.1Xauthenticationconfigurationsettingsforge.1.1:
    C2(ro)->show dot1x auth-config ge.1.1

    SecureStack C2 Configuration Guide

    23-13

    set dot1x

    Port : 1 Auth-Config PAE state: Backend auth state: Admin controlled directions: Oper controlled directions: Auth controlled port status: Auth controlled port control: Quiet period: Transmission period: Supplicant timeout: Server timeout: Maximum requests: Reauthentication period: Reauthentication control:

    Initialize Initialize Both Both Authorized Auto 60 30 30 30 2 3600 Disabled

    set dot1x
    Usethiscommandtoenableordisable802.1Xauthentication,toreauthenticateoneormoreaccess entities,ortoreinitializeoneormoresupplicants.

    Syntax
    set dot1x {enable | disable | port {init | reauth} {true | false} [port-string]}

    Parameters
    enable|disable port init|reauth true|false portstring Enablesordisables802.1X. Enableordisable802.1Xreauthenticationorinitializationcontrolononeor moreports. Configureinitializationorreauthenticationcontrol. Enable(true)ordisable(false)reinitialization/reauthentication. (Optional)Specifiestheport(s)toreinitializeorreauthenticate.

    Defaults
    Ifnoportsarespecified,thereinitializationorreauthenticationsettingwillbeappliedtoallports.

    Mode
    Switchcommand,readwrite.

    Usage
    Disabling802.1Xauthenticationglobally,bynotenteringaspecificportstringvalue,willenable theEAPpassthroughfeature.EAPpassthroughallowsclientauthenticationpacketstobe forwardedunmodifiedthroughtheswitchtoanupstreamdevice.

    Examples
    Thisexampleshowshowtoenable802.1X:
    C2(su)->set dot1x enable

    Thisexampleshowshowtoreinitializege.1.2:
    C2(rw)->set dot1x port init true ge.1.2

    23-14

    Authentication and Authorization Configuration

    set dot1x auth-config

    set dot1x auth-config


    Usethiscommandtoconfigure802.1Xauthentication.

    Syntax
    set dot1x auth-config {[authcontrolled-portcontrol {auto | forced-auth | forced-unauth}] [maxreq value] [quietperiod value] [reauthenabled {false | true}] [reauthperiod value] [servertimeout timeout] [supptimeout timeout] [txperiod value]} [port-string]

    Parameters
    authcontrolled portcontrol auto|forcedauth| forcedunauth Specifiesthe802.1Xportcontrolmode. maxreqvalue autoSetportcontrolmodetoautocontrolledportcontrol.This isthedefaultvalue. forcedauthSetportcontrolmodetoForcedAuthorized controlledportcontrol. forcedunauthSetportcontrolmodetoForcedUnauthorized controlledportcontrol.

    Specifiesthemaximumnumberofauthenticationrequestsallowed bythebackendauthenticationstatemachine.Validvaluesare110. Defaultvalueis2. Specifiesthetime(inseconds)followingafailedauthentication beforeanotherattemptcanbemadebytheauthenticatorPAEstate machine.Validvaluesare065535.Defaultvalueis60seconds. Enables(true)ordisables(false)reauthenticationcontrolofthe reauthenticationtimerstatemachine.Defaultvalueisfalse. Specifiesthetimelapse(inseconds)betweenattemptsbythe reauthenticationtimerstatemachinetoreauthenticateaport.Valid valuesare065535.Defaultvalueis3600seconds. Specifiesatimeoutperiod(inseconds)fortheauthenticationserver, usedbythebackendauthenticationstatemachine.Validvaluesare1 300.Defaultvalueis30seconds. Specifiesatimeoutperiod(inseconds)fortheauthentication supplicantusedbythebackendauthenticationstatemachine.Valid valuesare1300.Defaultvalueis30seconds. Specifiestheperiod(inseconds)whichpassesbetweenauthenticator PAEstatemachineEAPtransmissions.Validvaluesare065535. Defaultvalueis30seconds. (Optional)Limitstheconfigurationofdesiredsettingstospecified port(s).Foradetaileddescriptionofpossibleportstringvalues,refer toPortStringSyntaxUsedintheCLIonpage 72.

    quietperiodvalue

    reauthenabledfalse| true reauthperiodvalue

    servertimeouttimeout

    supptimeouttimeout

    txperiodvalue

    portstring

    Defaults
    Ifportstringisnotspecified,authenticationparameterswillbesetonallports.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    23-15

    clear dot1x auth-config

    Examples
    Thisexampleshowshowtoenablereauthenticationcontrolonportsfe.1.13:
    C2(su)->set dot1x auth-config reauthenabled true fe.1.1-3

    Thisexampleshowshowtosetthe802.1Xquietperiodto120secondsonportsfe.1.13:
    C2(su)->set dot1x auth-config quietperiod 120 fe.1.1-3

    clear dot1x auth-config


    Usethiscommandtoreset802.1Xauthenticationparameterstodefaultvaluesononeormore ports.

    Syntax
    clear dot1x auth-config [authcontrolled-portcontrol] [maxreq] [quietperiod] [reauthenabled] [reauthperiod] [servertimeout] [supptimeout] [txperiod] [portstring]

    Parameters
    authcontrolled portcontrol maxreq quietperiod reauthenabled reauthperiod servertimeout supptimeout txperiod portstring (Optional)Resetsthe802.1Xportcontrolmodetoauto. (Optional)Resetsthemaximumrequestsvalueto2. (Optional)Resetsthequietperiodvalueto60seconds. (Optional)Resetsthereauthenticationcontrolstatetodisabled(false). (Optional)Resetsthereauthenticationperiodvalueto3600seconds. (Optional)Resetstheservertimeoutvalueto30seconds. (Optional)Resetstheauthenticationsupplicanttimeoutvalueto30 seconds. (Optional)Resetsthetransmissionperiodvalueto30seconds. (Optional)Resetssettingsonspecificport(s).Foradetaileddescriptionof possibleportstringvalues,refertoPortStringSyntaxUsedintheCLIon page 72.

    Defaults
    Ifnoparametersarespecified,allauthenticationparameterswillbereset. Ifportstringisnotspecified,parameterswillbesetonallports.

    Mode
    Switchcommand,readwrite.

    Examples
    Thisexampleshowshowtoresetthe802.1Xportcontrolmodetoautoonallports:
    C2(su)->clear dot1x auth-config authcontrolled-portcontrol

    Thisexampleshowshowtoresetreauthenticationcontroltodisabledonportsfe.1.13:
    C2(su)->clear dot1x auth-config reauthenabled fe.1.1-3

    23-16

    Authentication and Authorization Configuration

    show eapol

    Thisexampleshowshowtoresetthe802.1Xquietperiodto60secondsonportsfe.1.13:
    C2(su)->clear dot1x auth-config quietperiod fe.1.1-3

    show eapol
    UsethiscommandtodisplayEAPOLstatusorsettingsforoneormoreports.

    Syntax
    show eapol [port-string]

    Parameters
    portstring (Optional)DisplaysEAPOLstatusforspecificport(s).Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    Defaults
    Ifportstringisnotspecified,onlyEAPOLenablestatuswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayEAPOLstatusforportsfe.1.13:
    C2(su)->show eapol fe.1.1-3 EAPOL is disabled. Port -------fe.1.1 fe.1.2 fe.1.3 Authentication State -------------------Initialize Initialize Initialize Authentication Mode -------------------Auto Auto Auto

    Table 232providesanexplanationofthecommandoutput.Fordetailsonusingtheseteapol commandtoenabletheprotocolandassignanauthenticationmode,refertoseteapolon page 2319.

    SecureStack C2 Configuration Guide

    23-17

    show eapol

    Table 23-2
    Output Field Port

    show eapol Output Details


    What It Displays... Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 7-2. Current EAPOL authentication state for each port. Possible internal states for the authenticator (switch) are: initialize: A port is in the initialize state when:

    Authentication State

    authentication is disabled, authentication is enabled and the port is not linked, or authentication is enabled and the port is linked. (In this case very little time is spent in this state, it immediately transitions to the connecting state, via disconnected.

    disconnected: The port passes through this state on its way to connected whenever the port is reinitialized, via link state change, reauthentication failure, or management intervention. connecting: While in this state, the authenticator sends request/ID messages to the end user. authenticating: The port enters this state from connecting after receiving a response/ID from the end user. It remains in this state until the entire authentication exchange between the end user and the authentication server completes. authenticated: The port enters this state from authenticating state after the exchange completes with a favorable result. It remains in this state until linkdown, logoff, or until a reauthentication begins. aborting: The port enters this state from authenticating when any event occurs that interrupts the login exchange. held: After any login failure the port remains in this state for the number of seconds equal to quietPeriod (can be set using MIB). forceAuth: Management is allowing normal, unsecured switching on this port. forceUnauth: Management is preventing any frames from being forwarded to or from this port. Authentication Mode Mode enabling network access for each port. Modes include: Auto: Frames are forwarded according to the authentication state of each port. Forced Authorized Mode: Meant to disable authentication on a port. It is intended for ports that support ISLs and devices that cannot authenticate, such as printers and file servers. If a default policy is applied to the port via the policy profile MIB, then frames are forwarded according to the configuration set by that policy, otherwise frames are forwarded according to the current configuration for that port. Authentication using 802.1X is not possible on a port in this mode. Forced Unauthorized Mode: All frames received on the port are discarded by a filter. Authentication using 802.1X is not possible on a port in this mode.

    23-18

    Authentication and Authorization Configuration

    set eapol

    set eapol
    UsethiscommandtoenableordisableEAPOLportbaseduserauthenticationwiththeRADIUS serverandtosettheauthenticationmodeforoneormoreports.

    Syntax
    set eapol [enable | disable] [auth-mode {auto | forced-auth | forced-unauth} port-string

    Parameters
    enable|disable authmode auto| forcedauth| forcedunauth EnablesordisablesEAPOL. Specifiestheauthenticationmodeas: autoAutoauthorizationmode.Thisisthedefaultmodeandwill forwardframesaccordingtotheauthenticationstateoftheport.For detailsonthismode,refertoTable 232. forcedauthForcedauthorizedmode,whichdisablesauthentication ontheport. forcedunauthForcedunauthorizedmode,whichfiltersanddiscards allframesreceivedontheport.

    portstring

    Specifiestheport(s)onwhichtosetEAPOLparameters.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Examples
    ThisexampleshowshowtoenableEAPOL:
    C2(su)->set eapol enable

    ThisexampleshowshowtoenableEAPOLwithforcedauthorizedmodeonportfe.1.1:
    C2(su)->set eapol auth-mode forced-auth fe.1.1

    clear eapol
    UsethiscommandtogloballycleartheEAPOLauthenticationmode,ortoclearsettingsforoneor moreports.

    Syntax
    clear eapol [auth-mode] [port-string]

    SecureStack C2 Configuration Guide

    23-19

    clear eapol

    Parameters
    authmode portstring (Optional)GloballyclearstheEAPOLauthenticationmode. Specifiestheport(s)onwhichtoclearEAPOLparameters.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    Defaults
    Ifauthmodeisnotspecified,allEAPOLsettingswillbecleared. Ifportstringisnotspecified,settingswillbeclearedforallports.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtocleartheEAPOLauthenticationmodeforportge.1.3:
    C2(su)->clear eapol auth-mode ge.1.3

    23-20

    Authentication and Authorization Configuration

    Configuring MAC Authentication

    Configuring MAC Authentication


    Purpose
    Toreview,disable,enableandconfigureMACauthentication.Thisauthenticationmethodallows thedevicetoauthenticatesourceMACaddressesinanexchangewithanauthenticationserver. Theauthenticator(switch)selectsasourceMACseenonaMACauthenticationenabledportand submitsittoabackendclientforauthentication.ThebackendclientusestheMACaddressstored password,ifrequired,ascredentialsforanauthenticationattempt.Ifaccepted,astring representinganaccesspolicymaybereturned.Ifpresent,theswitchappliestheassociatedpolicy rules. YoucanspecifyamasktoapplytoMACaddresseswhenauthenticatingusersthroughaRADIUS server(seesetmacauthenticationsignificantbitsonpage 2331).Themostcommonuseof significantbitmasksisforauthenticationofallMACaddressesforaspecificvendor.

    Commands
    For information about... show macauthentication show macauthentication session set macauthentication set macauthentication password clear macauthentication password set macauthentication port set macauthentication portinitialize set macauthentication portquietperiod clear macauthentication portquietperiod set macauthentication macinitialize set macauthentication reauthentication set macauthentication portreauthenticate set macauthentication macreauthenticate set macauthentication reauthperiod clear macauthentication reauthperiod set macauthentication significant-bits clear macauthentication significant-bits Refer to page... 23-21 23-23 23-24 23-24 23-25 23-25 23-26 23-26 23-27 23-27 23-28 23-28 23-29 23-29 23-30 23-31 23-31

    show macauthentication
    UsethiscommandtodisplayMACauthenticationinformationforoneormoreports.

    Syntax
    show macauthentication [port-string]

    SecureStack C2 Configuration Guide

    23-21

    show macauthentication

    Parameters
    portstring (Optional)DisplaysMACauthenticationinformationforspecificport(s). Foradetaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72.

    Defaults
    Ifportstringisnotspecified,MACauthenticationinformationwillbedisplayedforallports.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayMACauthenticationinformationforge.2.1through8:
    C2(su)->show macauthentication ge.2.1-8 MAC authentication: - enabled MAC user password: - NOPASSWORD Port username significant bits - 48 Port ------ge.2.1 ge.2.2 ge.2.3 ge.2.4 ge.2.5 ge.2.6 ge.2.7 ge.2.8 Port State -------disabled disabled disabled disabled disabled disabled disabled disabled Reauth Period ---------3600 3600 3600 3600 3600 3600 3600 3600 Auth Allowed -------1 1 1 1 1 1 1 1 Auth Allocated --------1 1 1 1 1 1 1 1 Reauthentications ----------------disabled disabled disabled disabled disabled disabled disabled disabled

    Table 233providesanexplanationofthecommandoutput. Table 23-3


    Output Field MAC authentication

    show macauthentication Output Details


    What It Displays... Whether MAC authentication is globally enabled or disabled. Set using the set macauthentication command as described in set macauthentication on page 23-24. User password associated with MAC authentication on the device. Set using the set macauthentication password command as described in set macauthentication password on page 23-24. Number of significant bits in the MAC addresses to be used starting with the left-most bit of the vendor portion of the MAC address. The significant portion of the MAC address is sent as a user-name credential when the primary attempt to authenticate the full MAC address fails. Any other failure to authenticate the full address, (i.e., authentication server timeout) causes the next attempt to start once again with a full MAC authentication. Default value of 48 can be changed with the set macauthentication significant-bits command. Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 7-2. Whether or not MAC authentication is enabled or disabled on this port.

    MAC user password

    Port username significant bits

    Port Port State

    23-22

    Authentication and Authorization Configuration

    show macauthentication session

    Table 23-3
    Output Field

    show macauthentication Output Details (Continued)


    What It Displays... Reauthentication period for this port. Default value of 30 can be changed using the set macauthentication reauthperiod command (page 23-29). Number of concurrent authentications supported on this port. Default is 1 and cannot be reset. Maximum number of MAC authentications permitted on this port. Default is 1 and cannot be reset Whether or not reauthentication is enabled or disabled on this port. Set using the set macauthentication reauthentication command (page 23-28).

    Reauth Period Auth Allowed Auth Allocated Reauthentications

    show macauthentication session


    UsethiscommandtodisplaytheactiveMACauthenticatedsessions.

    Syntax
    show macauthentication session

    Parameters
    None.

    Defaults
    Ifportstringisnotspecified,MACsessioninformationwillbedisplayedforallMAC authenticationports.

    Mode
    Switchcommand,readonly.

    Usage
    ChangingtheReauthPeriodwiththesetmacauthenticationreauthperiodcommanddoesnot affectcurrentsessions.Newsessionsdisplaythecorrectperiod.

    Example
    ThisexampleshowshowtodisplayMACsessioninformation:
    C2(su)->show macauthentication session Port MAC Address Duration Reauth Period --------------------- ---------- ------------ge.1.2 00:60:97:b5:4c:07 0,00:52:31 3600 Reauthentications ----------------disabled

    Table 234providesanexplanationofthecommandoutput. Table 23-4


    Output Field Port MAC Address

    show macauthentication session Output Details


    What It Displays... Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 7-2. MAC address associated with the session.

    SecureStack C2 Configuration Guide

    23-23

    set macauthentication

    Table 23-4
    Output Field Duration

    show macauthentication session Output Details (Continued)


    What It Displays... Time this session has been active. Reauthentication period for this port, set using the set macauthentication reauthperiod command described in set macauthentication reauthperiod on page 23-29. Whether or not reauthentication is enabled or disabled on this port. Set using the set macauthentication reauthentication command described in set macauthentication reauthentication on page 23-28.

    Reauth Period

    Reauthentications

    set macauthentication
    UsethiscommandtogloballyenableordisableMACauthentication.

    Syntax
    set macauthentication {enable | disable}

    Parameters
    enable|disable GloballyenablesordisablesMACauthentication.

    Mode
    Switchcommand,readwrite.

    Defaults
    None.

    Example
    ThisexampleshowshowtogloballyenableMACauthentication:
    C2(su)->set macauthentication enable

    set macauthentication password


    UsethiscommandtosetaMACauthenticationpassword.

    Syntax
    set macauthentication password password

    Parameters
    password SpecifiesatextstringMACauthenticationpassword.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.
    23-24 Authentication and Authorization Configuration

    clear macauthentication password

    Example
    ThisexampleshowshowtosettheMACauthenticationpasswordtomacauth:
    C2(su)->set macauthentication password macauth

    clear macauthentication password


    UsethiscommandtocleartheMACauthenticationpassword.

    Syntax
    clear macauthentication password

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtocleartheMACauthenticationpassword:
    C2(su)->clear macauthentication password

    set macauthentication port


    UsethiscommandtoenableordisableoneormoreportsforMACauthentication.

    Syntax
    set macauthentication port {enable | disable} port-string

    Parameters
    enable|disable portstring EnablesordisablesMACauthentication. Specifiesport(s)onwhichtoenableordisableMACauthentication.Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    23-25

    set macauthentication portinitialize

    Usage
    Enablingport(s)forMACauthenticationrequiresgloballyenablingMACauthenticationonthe switchasdescribedinsetmacauthenticationonpage 2324,andthenenablingitonaportby portbasis.Bydefault,MACauthenticationisgloballydisabledanddisabledonallports.

    Example
    ThisexampleshowshowtoenableMACauthenticationonge.2.1though5:
    C2(su)->set macauthentication port enable ge.2.1-5

    set macauthentication portinitialize


    UsethiscommandtoforceoneormoreMACauthenticationportstoreinitializeandremoveany currentlyactivesessionsonthoseports.

    Syntax
    set macauthentication portinitialize port-string

    Parameters
    portstring SpecifiestheMACauthenticationport(s)toreinitialize.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoforcege.2.1through5toinitialize:
    C2(su)->set macauthentication portinitialize ge.2.1-5

    set macauthentication portquietperiod


    Thissetsthenumberofsecondsfollowingafailedauthenticationbeforeanotherattemptmaybe madeontheport.

    Syntax
    set macauthentication portquietperiod time port-string

    Parameters
    time portstring Periodinsecondstowaitafterafailedauthentication.Bydefault,thisis30 seconds. Specifiestheportsforwhichthequitperiodistobeapplied.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    23-26

    Authentication and Authorization Configuration

    clear macauthentication portquietperiod

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexamplesetsport1towait5secondsafterafailedauthenticationattemptbeforeanew attemptcanbemade:
    C2(su)->set macauthentication portquietperiod 5 ge.1.1

    clear macauthentication portquietperiod


    Thissetsthequietperiodbacktothedefaultvalueof30seconds.

    Syntax
    clear macauthentication portquietperiod [port-string]

    Parameters
    portstring (Optional)Specifiestheportsforwhichthequietperiodistobereset.Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72.

    Defaults
    Ifaportstringisnotspecifiedthenallportswillbesettothedefaultportquietperiod.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleresetsthedefaultquietperiodonport1:
    C2(su)->clear macauthentication portquietperiod ge.1.1

    set macauthentication macinitialize


    UsethiscommandtoforceacurrentMACauthenticationsessiontoreinitializeandremovethe session.

    Syntax
    set macauthentication macinitialize mac-addr

    Parameters
    macaddr SpecifiestheMACaddressofthesessiontoreinitialize.

    SecureStack C2 Configuration Guide

    23-27

    set macauthentication reauthentication

    Mode
    Switchcommand,readwrite.

    Defaults
    None.

    Example
    ThisexampleshowshowtoforcetheMACauthenticationsessionforaddress006097b54c07 toreinitialize:
    C2(su)->set macauthentication macinitialize 00-60-97-b5-4c-07

    set macauthentication reauthentication


    UsethiscommandtoenableordisablereauthenticationofallcurrentlyauthenticatedMAC addressesononeormoreports.

    Syntax
    set macauthentication reauthentication {enable | disable} port-string

    Parameters
    enable|disable portstring EnablesordisablesMACreauthentication. Specifiesport(s)onwhichtoenableordisableMACreauthentication.Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoenableMACreauthenticationonge.4.1though5:
    C2(su)->set macauthentication reauthentication enable ge.4.1-5

    set macauthentication portreauthenticate


    Usethiscommandtoforceanimmediatereauthenticationofthecurrentlyactivesessionsonone ormoreMACauthenticationports.

    Syntax
    set macauthentication portreauthenticate port-string

    23-28

    Authentication and Authorization Configuration

    set macauthentication macreauthenticate

    Parameters
    portstring SpecifiesMACauthenticationport(s)tobereauthenticated.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoforcege.2.1though5toreauthenticate:
    C2(su)->set macauthentication portreauthentication ge.2.1-5

    set macauthentication macreauthenticate


    UsethiscommandtoforceanimmediatereauthenticationofaMACaddress.

    Syntax
    set macauthentication macreauthenticate mac-addr

    Parameters
    macaddr SpecifiestheMACaddressofthesessiontoreauthenticate.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoforcetheMACauthenticationsessionforaddress006097b54c07 toreauthenticate:
    C2(su)->set macauthentication macreauthenticate 00-60-97-b5-4c-07

    set macauthentication reauthperiod


    UsethiscommandtosettheMACreauthenticationperiod(inseconds).Thisisthetimelapse betweenattemptstoreauthenticateanycurrentMACaddressauthenticatedtoaport.

    Syntax
    set macauthentication reauthperiod time port-string

    SecureStack C2 Configuration Guide

    23-29

    clear macauthentication reauthperiod

    Parameters
    time portstring Specifiesthenumberofsecondsbetweenreauthenticationattempts.Valid valuesare14294967295. Specifiestheport(s)onwhichtosettheMACreauthenticationperiod.Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    ChangingtheReauthPeriodwiththesetmacauthenticationreauthperiodcommanddoesnot affectcurrentsessions.Newsessionswillusethecorrectperiod.

    Example
    ThisexampleshowshowtosettheMACreauthenticationperiodto7200seconds(2hours)on ge.2.1through5:
    C2(su)->set macauthentication reauthperiod 7200 ge.2.1-5

    clear macauthentication reauthperiod


    UsethiscommandtocleartheMACreauthenticationperiodononeormoreports.

    Syntax
    clear macauthentication reauthperiod [port-string]

    Parameters
    portstring (Optional)ClearstheMACreauthenticationperiodonspecificport(s).Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72.

    Defaults
    Ifportstringisnotspecified,thereauthenticationperiodwillbeclearedonallports.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtogloballycleartheMACreauthenticationperiod:
    C2(su)->clear macauthentication reauthperiod

    23-30

    Authentication and Authorization Configuration

    set macauthentication significant-bits

    set macauthentication significant-bits


    UsethiscommandtosetthenumberofsignificantbitsoftheMACaddresstousefor authentication.

    Syntax
    set macauthentication significant-bits number

    Parameters
    number Specifiesthenumberofsignificantbitstobeusedforauthentication.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    ThiscommandallowsyoutospecifyamasktoapplytoMACaddresseswhenauthenticating usersthroughaRADIUSserver.Themostcommonuseofsignificantbitmasksisfor authenticationofallMACaddressesforaspecificvendor. OnswitchesusingMACauthentication,theMACaddressofauserattemptingtologinissentto theRADIUSserverastheusername.Ifaccessisdenied,andifasignificantbitmaskhasbeen configured(otherthan48)withthiscommand,theswitchwillapplythemaskandresendthe maskedaddresstotheRADIUSserver.Forexample,ifauserwithMACaddressof0016CF12 3456isdeniedaccess,anda32bitmaskhasbeenconfigured,theswitchwillapplythemaskand resendaMACaddressof0016CF120000totheRADIUSserver. Touseasignificantbitsmaskforauthenticationofdevicesbyaparticularvendor,specifya24bit mask,tomaskouteverythingexceptthevendorportionoftheMACaddress.

    Example
    ThisexamplesetstheMACauthenticationsignificantbitsmaskto24.
    C2(su)->set macauthentication significant-bits 24

    clear macauthentication significant-bits


    UsethiscommandtoresetthenumberofsignificantbitsoftheMACaddresstousefor authenticationtothedefaultof48.

    Syntax
    clear macauthentication significant-bits

    Parameters
    None.

    Defaults
    None.

    SecureStack C2 Configuration Guide

    23-31

    clear macauthentication significant-bits

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleresetstheMACauthenticationsignificantbitsto48.
    C2(su)->clear macauthentication significant-bits

    23-32

    Authentication and Authorization Configuration

    Configuring Multiple Authentication Methods

    Configuring Multiple Authentication Methods


    Note: C2 devices support up to six authenticated users per port.

    About Multiple Authentication Types


    Whenenabled,multipleauthenticationtypesallowuserstoauthenticateusingmorethanone methodonthesameport.Inorderformultipleauthenticationtofunctiononthedevice,each possiblemethodofauthentication(MACauthentication,802.1X,PWA)mustbeenabledglobally andconfiguredappropriatelyonthedesiredportswithitscorrespondingcommandsetdescribed inthischapter. Multipleauthenticationmodemustbegloballyenabledonthedeviceusingthesetmultiauth modecommand.

    Configuring Multi-User Authentication (User + IP phone)


    TheUser+IPphonemultiuserauthenticationfeatureallowsauserandtheirIPphonetobothuse asingleportontheC2buttohaveseparatepolicyroles.
    Note: The only Multi-User Authentication supported on the C2 is User + IP phone. The IP phone has to authenticate using 802.1x or MAC authentication, but the User may authenticate using 802.1x, PWA, or MAC authentication.

    User+IPPhoneAuthenticationontheSecureStackC2isimplementedbyassigninganingressed packetreceivedonaporttoapolicyrolebasedontheVLANthepacketwasassignedto,andnot thepacketssourceMACaddress.Therefore,onaportconfiguredforUser+IPPhone Authentication,thereexiststwodifferentVLANtopolicyrolemappings. ThepolicyrolefortheIPphoneisstaticallymappedusingtheVLANtopolicymappingfeature whichassignsanypacketsreceivedwithaVLANtagsettoaspecificVID(forexample,Voice VLAN)toanindicatedpolicyrole(forexample,IPPhonepolicyrole).Therefore,itisrequiredthat IPphoneisconfiguredtosendVLANtaggedpacketstotheVoiceVLAN.RefertotheUsage sectionforthecommandsetpolicyruleonpage 1110foradditionalinformation. Thesecondpolicyrole,fortheuser,caneitherbestaticallyconfiguredwiththedefaultpolicyrole ontheportordynamicallyassignedthroughauthenticationtothenetwork.Whenthedefault policyroleisassignedonaport,theVLANsetastheportsPVIDismappedtothedefaultpolicy role.Whenapolicyroleisdynamicallyappliedtoaportastheresultofasuccessfully authenticatedsession,theauthenticatedVLANismappedtothepolicyrolesetintheFilterID returnedfromtheRADIUSserver.TheauthenticatedVLANmayeitherbethePVIDoftheport, ifthePVIDOverrideforthepolicyprofileisdisabled,ortheVLANspecifiedinthePVIDOverride ifthePVIDOverrideisenabled.

    Commands
    For information about... show multiauth set multiauth mode clear multiauth mode Refer to page... 23-34 23-35 23-35

    SecureStack C2 Configuration Guide

    23-33

    show multiauth

    For information about... set multiauth precedence clear multiauth precedence show multiauth port set multiauth port clear multiauth port show multiauth station show multiauth session show multiauth idle-timeout set multiauth idle-timeout clear multiauth idle-timeout show multiauth session-timeout set multiauth session-timeout clear multiauth session-timeout

    Refer to page... 23-36 23-36 23-37 23-37 23-38 23-39 23-39 23-40 23-41 23-42 23-42 23-43 23-44

    show multiauth
    Usethiscommandtodisplaymultipleauthenticationsystemconfiguration.

    Syntax
    show multiauth

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaymultipleauthenticationsystemconfiguration:
    C2(rw)->show multiauth Multiple authentication system configuration ------------------------------------------------Supported types : dot1x, pwa, mac Maximum number of users : 768 Current number of users : 2 System mode : multi Default precedence : dot1x, pwa, mac Admin precedence : dot1x, pwa, mac Operational precedence : dot1x, pwa, mac

    23-34

    Authentication and Authorization Configuration

    set multiauth mode

    set multiauth mode


    Usethiscommandtosetthesystemauthenticationmodetoallowmultipleauthenticators simultaneously(802.1x,PWA,andMACAuthentication)onasingleport,ortostrictlyadhereto 802.1xauthentication.

    Syntax
    set multiauth mode {multi | strict}

    Parameters
    multi strict Allowsthesystemtousemultipleauthenticatorssimultaneously(802.1x, PWA,andMACAuthentication)onaport.Thisisthedefaultmode. Usermustauthenticateusing802.1xauthenticationbeforenormaltraffic (anythingotherthanauthenticationtraffic)canbeforwarded.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    MultiauthmultimoderequiresthatMAC,PWA,and802.1Xauthenticationbeenabledglobally, andconfiguredappropriatelyonthedesiredportsaccordingtotheircorrespondingcommand setsdescribedinthischapter.RefertoConfiguring802.1XAuthenticationonpage 2311and ConfiguringMACAuthenticationonpage 2321andConfiguringPortWebAuthentication (PWA)onpage 2361.

    Example
    Thisexampleshowshowtoenablesimultaneousmultipleauthentications:
    C2(rw)->set multiauth mode multi

    clear multiauth mode


    Usethiscommandtoclearthesystemauthenticationmode.

    Syntax
    clear multiauth mode

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    23-35

    set multiauth precedence

    Example
    Thisexampleshowshowtoclearthesystemauthenticationmode:
    C2(rw)->clear multiauth mode

    set multiauth precedence


    Usethiscommandtosetthesystemsmultipleauthenticationadministrativeprecedence.

    Syntax
    set multiauth precedence {[dot1x] [mac] [pwa]}

    Parameters
    dot1x mac pwa Setsprecedencefor802.1Xauthentication. SetsprecedenceforMACauthentication. Setsprecedenceforportwebauthentication

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Whenauserissuccessfullyauthenticatedbymorethanonemethodatthesametime,the precedenceoftheauthenticationmethodswilldeterminewhichRADIUSreturnedfilterIDwillbe processedandresultinanappliedtrafficpolicyprofile.

    Example
    ThisexampleshowshowtosetprecedenceforMACauthentication:
    C2(rw)->set multiauth precedence mac dot1x

    clear multiauth precedence


    Usethiscommandtoclearthesystemsmultipleauthenticationadministrativeprecedence.

    Syntax
    clear multiauth precedence

    Parameters
    None.

    Defaults
    None.

    23-36

    Authentication and Authorization Configuration

    show multiauth port

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoclearthemultipleauthenticationprecedence:
    C2(rw)->clear multiauth precedence

    show multiauth port


    Usethiscommandtodisplaymultipleauthenticationpropertiesforoneormoreports.

    Syntax
    show multiauth port [port-string]

    Parameters
    portstring (Optional)Displaysmultipleauthenticationinformationforspecificport(s).

    Defaults
    Ifportstringisnotspecified,multipleauthenticationinformationwillbedisplayedforallports.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaymultipleauthenticationinformationforportsge.3.14:
    C2(rw)->show multiauth port ge.3.1-4 Port Max Allowed Current users users users ------------ ------------ ---------- ---------- ---------ge.3.1 auth-opt 8 8 0 ge.3.2 auth-opt 8 8 0 ge.3.3 auth-opt 8 8 0 ge.3.4 auth-opt 8 8 0 Mode

    set multiauth port


    Usethiscommandtosetmultipleauthenticationpropertiesforoneormoreports.

    Syntax
    set multiauth port mode {auth-opt | auth-reqd | force-auth | force-unauth} | numusers numusers port-string

    SecureStack C2 Configuration Guide

    23-37

    clear multiauth port

    Parameters
    mode authopt| authreqd| forceauth| forceunauth Specifiestheport(s)multipleauthenticationmodeas: authoptAuthenticationoptional(nonstrictbehavior).Ifauser doesnotattempttoauthenticateusing802.1x,orif802.1x authenticationfails,theportwillallowtraffictobeforwarded accordingtothedefineddefaultVLAN. authreqdAuthenticationisrequired. forceauthAuthenticationconsidered. forceunauthAuthenticationdisabled.

    numusers numusers portstring

    Specifiesthenumberofusersallowedauthenticationonport(s).Valid valuesare0to8. Specifiestheport(s)onwhichtosetmultipleauthenticationproperties.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Examples
    Thisexampleshowshowtosettheportmultipleauthenticationmodetorequiredonge.3.14:
    C2(rw)->set multiauth port mode auth-reqd ge.3.14

    Thisexampleshowshowtosetthenumberofusersallowedtoauthenticateonportge.3.14to8:
    C2(rw)->set multiauth port numusers 8 ge.3.14

    clear multiauth port


    Usethiscommandtoclearmultipleauthenticationpropertiesforoneormoreports.

    Syntax
    clear multiauth port {mode | numusers} port-string

    Parameters
    mode numusers portstring Clearsthespecifiedportsmultipleauthenticationmode. Clearsthevaluesetforthenumberofusersallowedauthenticationonthe specifiedport. Specifiestheportorportsonwhichtoclearmultipleauthentication properties.

    Defaults
    None.

    23-38

    Authentication and Authorization Configuration

    show multiauth station

    Mode
    Switchcommand,readwrite.

    Examples
    Thisexampleshowshowtocleartheportmultipleauthenticationmodeonportge.3.14:
    C2(rw)->clear multiauth port mode ge.3.14

    Thisexampleshowshowtoclearthenumberofusersonportge.3.14:
    C2(rw)->clear multiauth port numusers ge.3.14

    show multiauth station


    Usethiscommandtodisplaymultipleauthenticationstation(enduser)entries.

    Syntax
    show multiauth station [mac address] [port port-string]

    Parameters
    macaddress portportstring (Optional)DisplaysmultipleauthenticationstationentriesforspecificMAC address(es). (Optional)Displaysmultipleauthenticationstationentriesforspecific port(s).

    Mode
    Switchcommand,readonly.

    Defaults
    Ifnooptionsarespecified,multipleauthenticationstationentrieswillbedisplayedforallMAC addressesandports.

    Example
    Thisexampleshowshowtodisplaymultipleauthenticationstationentries.Inthiscase,twoend userMACaddressesareshown:
    C2(rw)->show Port -----------fe.1.20 fe.2.16 multiauth station Address type Address ------------ -----------------------mac 00-10-a4-9e-24-87 mac 00-b0-d0-e5-0c-d0

    show multiauth session


    Usethiscommandtodisplaymultipleauthenticationsessionentries.

    Syntax
    show multiauth session [all] [agent {dot1x | mac | pwa}] [mac address] [port port-string]

    SecureStack C2 Configuration Guide

    23-39

    show multiauth idle-timeout

    Parameters
    all agentdot1x|mac| pwa macaddress portportstring (Optional)Displaysinformationaboutallsessions,includingthosewith terminatedstatus. (Optional)Displays802.1X,orMAC,orportwebauthenticationsession information. (Optional)Displaysmultipleauthenticationsessionentriesforspecific MACaddress(es). (Optional)Displaysmultipleauthenticationsessionentriesforthe specifiedportorports.

    Defaults
    Ifnooptionsarespecified,multipleauthenticationsessionentrieswillbedisplayedforall sessions,authenticationtypes,MACaddresses,andports.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaymultipleauthenticationsessioninformationforportge.1.1.
    C2(su)->show multiauth session port ge.1.1 __________________________________________ Port | ge.1.1 Station address Auth status | success Last attempt Agent type | dot1x Session applied Server type | radius VLAN-Tunnel-Attr Policy index | 0 Policy name Session timeout | 0 Session duration Idle timeout | 5 Idle time Termination time | Not Terminated

    | | | | | | |

    00-01-03-86-0A-87 FRI MAY 18 11:16:36 2007 true none Administrator 0,00:00:25 0,00:00:00

    show multiauth idle-timeout


    Usethiscommandtodisplaythetimeoutvalue,inseconds,foranidlesessionforall authenticationmethods.

    Syntax
    show multiauth idle-timeout

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    23-40

    Authentication and Authorization Configuration

    set multiauth idle-timeout

    Example
    Thisexampleshowshowtodisplaytimeoutvaluesforanidlesessionforallauthenticationtypes.
    C2(su)->show multiauth idle-timeout Authentication type Timeout (sec) ------------------- ------------dot1x 0 pwa 0 mac 0

    set multiauth idle-timeout


    Usethiscommandtosetthemaximumnumberofconsecutivesecondsanauthenticatedsession maybeidlebeforeterminationofthesession.

    Syntax
    set multiauth idle-timeout [dot1x | mac | pwa] timeout

    Parameters
    dot1x mac pwa timeout (Optional)SpecifiestheIEEE802.1Xportbasednetworkaccesscontrol authenticationmethodforwhichtosetthetimeoutvalue. (Optional)SpecifiestheEnterasysMACauthenticationmethodfor whichtosetthetimeoutvalue. (Optional)SpecifiestheEnterasysPortWebAuthenticationmethodfor whichtosetthetimeoutvalue. Specifiesthetimeoutvalueinseconds.Thevaluecanrangefrom0to 65535.Avalueof0meansthatnoidletimeoutwillbeappliedunlessan idletimeoutvalueisprovidedbytheauthenticatingserver.

    Defaults
    Ifnoauthenticationmethodisspecified,theidletimeoutvalueissetforallauthentication methods.

    Mode
    Switchmode,readwrite.

    Usage
    Ifyousetanidletimeoutvalue,aMACuserwhoseMACaddresshasagedoutoftheforwarding databasewillbeunauthenticatedifnotraffichasbeenseenfromthataddressforthespecifiedidle timeoutperiod. Avalueofzeroindicatesthatnoidletimeoutwillbeappliedunlessanidletimeoutvalueis providedbytheauthenticatingserver.Forexample,ifasessionisauthenticatedbyaRADIUS server,thatservermayencodeaIdleTimeoutAttributeinitsauthenticationresponse.

    Example
    Thisexamplesetstheidletimeoutvalueforallauthenticationmethodsto300seconds.
    C2(su)->set multiauth idle-timeout 300

    SecureStack C2 Configuration Guide

    23-41

    clear multiauth idle-timeout

    clear multiauth idle-timeout


    Usethiscommandtoresetthemaximumnumberofconsecutivesecondsanauthenticatedsession maybeidlebeforeterminationofthesessiontoitsdefaultvalueof0.

    Syntax
    clear multiauth idle-timeout [dot1x | mac | pwa]

    Parameters
    dot1x (Optional)SpecifiestheIEEE802.1Xportbasednetworkaccesscontrol authenticationmethodforwhichtoresetthetimeoutvaluetoits default. (Optional)SpecifiestheEnterasysMACauthenticationmethodfor whichtoresetthetimeoutvaluetoitsdefault. (Optional)SpecifiestheEnterasysPortWebAuthenticationmethodfor whichtoresetthetimeoutvaluetoitsdefault.

    mac pwa

    Defaults
    Ifnoauthenticationmethodisspecified,theidletimeoutvalueisresettoitsdefaultvalueof0for allauthenticationmethods.

    Mode
    Switchmode,readwrite.

    Example
    Thisexampleresetstheidletimeoutvalueforallauthenticationmethodsto0seconds.
    C2(su)->clear multiauth idle-timeout

    show multiauth session-timeout


    Usethiscommandtodisplaythesessiontimeoutvalue,inseconds,forallauthenticationmethods.

    Syntax
    show multiauth session-timeout

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchmode,readonly.

    23-42

    Authentication and Authorization Configuration

    set multiauth session-timeout

    Example
    Thisexampledisplaysthesessiontimeoutvaluesforallauthenticationmethods.
    C2(su)->show multiauth session-timeout Authentication type Timeout (sec) ------------------- ------------dot1x 0 pwa 0 mac 0

    set multiauth session-timeout


    Usethiscommandtosetthemaximumnumberofsecondsanauthenticatedsessionmaylast beforeterminationofthesession.

    Syntax
    set multiauth session-timeout [dot1x | mac | pwa] timeout

    Parameters
    dot1x mac pwa timeout (Optional)SpecifiestheIEEE802.1Xportbasednetworkaccesscontrol authenticationmethodforwhichtosetthesessiontimeoutvalue. (Optional)SpecifiestheEnterasysMACauthenticationmethodfor whichtosetthesessiontimeoutvalue. (Optional)SpecifiestheEnterasysPortWebAuthenticationmethodfor whichtosetthesessiontimeoutvalue. Specifiesthetimeoutvalueinseconds.Thevaluecanrangefrom0to 65535.Avalueof0meansthatnosessiontimeoutwillbeappliedunless asessiontimeoutvalueisprovidedbytheauthenticatingserver.

    Defaults
    Ifnoauthenticationmethodisspecified,thesessiontimeoutvalueissetforallauthentication methods.

    Mode
    Switchmode,readwrite.

    Usage
    Avalueofzeromaybesupersededbyasessiontimeoutvalueprovidedbytheauthenticating server.Forexample,ifasessionisauthenticatedbyaRADIUSserver,thatservermayencodea SessionTimeoutAttributeinitsauthenticationresponse.

    Example
    ThisexamplesetsthesessiontimeoutvaluefortheIEEE802.1Xauthenticationmethodto300 seconds.
    C2(su)->set multiauth session-timeout dot1x 300

    SecureStack C2 Configuration Guide

    23-43

    clear multiauth session-timeout

    clear multiauth session-timeout


    Usethiscommandtoresetthemaximumnumberofconsecutivesecondsanauthenticatedsession maylastbeforeterminationofthesessiontoitsdefaultvalueof0.

    Syntax
    clear multiauth session-timeout [dot1x | mac | pwa]

    Parameters
    dot1x (Optional)SpecifiestheIEEE802.1Xportbasednetworkaccesscontrol authenticationmethodforwhichtoresetthetimeoutvaluetoits default. (Optional)SpecifiestheEnterasysMACauthenticationmethodfor whichtoresetthetimeoutvaluetoitsdefault. (Optional)SpecifiestheEnterasysPortWebAuthenticationmethodfor whichtoresetthetimeoutvaluetoitsdefault.

    mac pwa

    Defaults
    Ifnoauthenticationmethodisspecified,thesessiontimeoutvalueisresettoitsdefaultvalueof0 forallauthenticationmethods.

    Mode
    Switchmode,readwrite.

    Example
    ThisexampleresetsthesessiontimeoutvaluefortheIEEE802.1Xauthenticationmethodto0 seconds.
    C2(su)->clear multiauth session-timeout dot1x

    23-44

    Authentication and Authorization Configuration

    Configuring VLAN Authorization (RFC 3580)

    Configuring VLAN Authorization (RFC 3580)


    Purpose
    RFC3580TunnelAttributesprovideamechanismtocontainan802.1XauthenticatedoraMAC authenticatedusertoaVLANregardlessofthePVID.Uptosixuserscanbeconfiguredper Gigabitport. Pleaseseesection331ofRFC3580fordetailsonconfiguringaRADIUSservertoreturnthe desiredtunnelattributes.AsstatedinRFC3580,...itmaybedesirabletoallowaporttobeplaced intoaparticularVirtualLAN(VLAN),definedin[IEEE8021Q],basedontheresultofthe authentication. TheRADIUSservertypicallyindicatesthedesiredVLANbyincludingtunnelattributeswithinits AccessAcceptparameters.However,theIEEE802.1XorMACauthenticatorcanalsobe configuredtoinstructtheVLANtobeassignedtothesupplicantbyincludingtunnelattributes withinAccessRequestparameters. ThefollowingtunnelattributesareusedinVLANauthorizationassignment,: TunnelTypeVLAN(13) TunnelMediumType802 TunnelPrivateGroupIDVLANID

    InordertoauthenticatemultipleRFC3580users,policymaptableresponsemustbesettotunnel asdescribedinthissection.
    Notes: The C2 cannot simultaneously support Policy and RFC 3580 on the same port. If multiple users are configured to use a port, and the C2 is then switched from "policy" mode to RFC-3580 "tunnel" mode, the total number of users supported to use a port will be reset to one. A policy license, if applicable, is not required to run RFC3580.

    Commands
    For information about... show policy maptable response set policy maptable response set vlanauthorization set vlanauthorization egress clear vlanauthorization show vlanauthorization Refer to page... 23-45 23-46 23-47 23-48 23-48 23-49

    show policy maptable response


    Displaysthecurrentpolicymaptableresponsesetting.WhenVLANauthorizationisenabled(as describedinthissection)andthepolicymaptableresponseistunnel,youcanusetheset

    SecureStack C2 Configuration Guide

    23-45

    set policy maptable response

    multiauthportcommand(page2337)tosetthenumberofRFC3580users(numusers)allowed perGigabitport.UptosixuserscanbeconfiguredperGigabitport.

    Syntax
    show policy maptable response

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    Thisexampleshowshowtodisplaythecurrentpolicymaptableresponsesetting:
    C2(rw)->show policy maptable response

    policy

    set policy maptable response


    SetsthemaptableresponsefromthedefaultofpolicytotunneltoallowuptosixVLAN authorizeduserstobeconfiguredperGigabitport.

    Syntax
    set policy maptable response {policy | tunnel}

    Parameters
    policy tunnel Setsthemaptableresponsetopolicy.Thisisthedefaultsetting,which allowsauthenticationofuptosixmultiauthusersperport. Setsthemaptableresponsetotunnel,whichallowsauthenticationofup tosixmultiauthusersperport.Thissettingisrequiredtoconfigure VLANauthorizationformultipleusersperGigabitport.

    Defaults
    Settopolicy.

    Mode
    Switchcommand,readwrite.

    Usage
    Thiscommandputstheswitchineitherpolicymode(thedefault)ortunnelmode,whichis RFC3580VLANmapping.

    23-46

    Authentication and Authorization Configuration

    set vlanauthorization

    Whenausersuccessfullyauthenticatestothenetwork,theRADIUSserverreturnsanAccess Acceptframe.Thisframecanhavemanyattributes,twoofwhichareaFilterID(whichishow policyassignmentisachieved)andRFC3580VLANassignment. Ifaswitchisintunnelmode: TheFID(FilterID)isalwaysignored,butDefaultpolicyrulesstillapply. TheVLANattributeisusedifpresent,andifVLANauthorizationisenabled.Seeset vlanauthorizationonpage 2347.

    Ifaswitchisinpolicymode: IftheAccessAcceptframehastheFIDattributeonly,thentheFIDisused. IftheAccessAcceptframehastheVLANattributeonly,thenitisusedprovidedthatVLAN authorizationisenabled.Seesetvlanauthorizationonpage 2347. Ifbothattributesarereturned,usetheFIDonly.

    Examples
    Thisexampleshowshowtosetthepolicymaptableresponsetotunnel:
    C2(rw)-> set policy maptable response tunnel

    set vlanauthorization
    EnableordisabletheuseoftheRADIUSVLANtunnelattributetoputaportintoaparticular VLANbasedontheresultofauthentication.

    Syntax
    set vlanauthorization {enable | disable} [port-string]

    Parameters
    enable|disable portstring Enablesordisablesvlanauthorization/tunnelattributes. (Optional)SpecifieswhichportstoenableordisabletheuseofVLAN tunnelattributes/authorization.Foradetaileddescriptionofpossibleport stringvalues,refertoPortStringSyntaxUsedintheCLIonpage 72.

    Defaults
    VLANauthenticationisdisabledbydefault.

    Mode
    Switchcommand,readwrite.

    Examples
    ThisexampleshowshowtoenableVLANauthenticationforallGigabitEthernetports:
    C2(rw)-> set vlanauthorization enable ge.*.*

    ThisexampleshowshowtodisableVLANauthenticationforallGigabitEthernetportsonswitch unit/module 3:
    C2(rw)-> set vlanauthorization disable ge.3.*

    SecureStack C2 Configuration Guide

    23-47

    set vlanauthorization egress

    set vlanauthorization egress


    ControlsthemodificationofthecurrentVLANegresslistof802.1xauthenticatedportsforthe VLANsreturnedintheRADIUSauthorizationfilteridstring.

    Syntax
    set vlanauthorization egress {none | tagged | untagged} port-string

    Parameters
    none tagged untagged portstring Specifiesthatnoegressmanipulationwillbemade. Specifiesthattheauthenticatingportwillbeaddedtothecurrenttagged egressfortheVLANIDreturned. Specifiesthattheauthenticatingportwillbeaddedtothecurrent untaggedegressfortheVLANIDreturned(default). Specifiesthattheportorlistofports.towhichthiscommandwillapply. Foradetaileddescriptionofpossibleportstringvalues,refertoPort StringSyntaxUsedintheCLIonpage 72.

    Defaults
    Bydefault,administrativeegressissettountagged.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoenabletheinsertionoftheRADIUSassignedVLANtoan802.1qtag foralloutboundframesforports10through15onunit/modulenumber3.
    C2(rw)->set vlanauthorization egress tagged ge.3.10-15

    clear vlanauthorization
    Usethiscommandtoreturnport(s)tothedefaultconfigurationofVLANauthorizationdisabled, egressuntagged.

    Syntax
    clear vlanauthorization [port-string]

    Parameters
    portstring (Optional)Specifieswhichportsaretoberestoredtodefault configuration.Ifnoportstringisentered,theactionwillbeaglobal setting.Foradetaileddescriptionofpossibleportstringvalues,referto PortStringSyntaxUsedintheCLIonpage 72.

    Defaults
    Ifnoportstringisentered,allportsawillberesettodefaultconfigurationwithVLAN authorizationdisabledandegressframesuntagged.

    23-48

    Authentication and Authorization Configuration

    show vlanauthorization

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowhowtoclearVLANauthorizationforallportsonslots3,4,and5:
    C2(rw)->clear vlanauthorization ge.3-5.*

    show vlanauthorization
    DisplaystheVLANauthenticationstatusandconfigurationinformationforthespecifiedports.

    Syntax
    show vlanauthorization [port-string]

    Parameters
    portstring (Optional)DisplaysVLANauthenticationstatusforthespecifiedports.If noportstringisentered,thentheglobalstatusofthesettingisdisplayed. Foradetaileddescriptionofpossibleportstringvalues,refertoPort StringSyntaxUsedintheCLIonpage 72.

    Defaults
    Ifnoportstringisentered,thestatusforallportswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThiscommandshowshowtodisplayVLANauthorizationstatusforge.1.1: C2(su)>showvlanauthorizationge.1.1 VlanAuthorization:enabled
    port ------ge.1.1 status administrative egress -------- -------------enabled untagged operational egress ----------authenticated vlan id mac address ----------------- -------

    Table 235providesanexplanationofcommandoutput.Fordetailsonenablingandassigning protocolandegressattributes,refertosetvlanauthorizationonpage 2347andset vlanauthorizationegressonpage 2348. Table 23-5


    Output Field port status administrative egress operational egress

    show vlanauthorization Output Details


    What It Displays... Port identification Port status as assigned by set vlanauthorization command Port status as assigned by the set vlanauthorization egress command Port operational status of vlanauthorization egress.

    SecureStack C2 Configuration Guide

    23-49

    Configuring MAC Locking

    Table 23-5
    Output Field

    show vlanauthorization Output Details (Continued)


    What It Displays... If authentication has succeeded, displays the MAC address assigned for egress. If authentication has succeeded, displays the assigned VLAN id for ingress.

    authenticated mac address vlan id

    Configuring MAC Locking


    ThisfeaturelocksaMACaddresstooneormoreports,preventingconnectionofunauthorized devicesthroughtheport(s).WhensourceMACaddressesarereceivedonspecifiedports,the switchdiscardsallsubsequentframesnotcontainingtheconfiguredsourceaddresses.Theonly framesforwardedonalockedportarethosewiththelockedMACaddress(es)forthatport. TherearetwomethodsoflockingaMACtoaport:firstarrivalandstatic.Thefirstarrivalmethod isdefinedtobelockingthefirstnnumberofMACswhicharriveonaportconfiguredwithMAC lockingenabled.Thevaluenisconfiguredwiththesetmaclockfirstarrivalcommand. ThestaticmethodisdefinedtobestaticallyprovisioningaMACportlockusingthesetmaclock command.ThemaximumnumberofstaticMACaddressesallowedforMAClockingonaport canbeconfiguredwiththesetmaclockstaticcommand. YoucanconfiguretheswitchtoissueaviolationtrapifapacketarriveswithasourceMAC addressdifferentfromanyofthecurrentlylockedMACaddressesforthatport. MACsareunlockedasaresultof: Alinkdownevent WhenMAClockingisdisabledonaport WhenaMACisagedoutoftheforwardingdatabasewhenFirstArrivalagingisenabled

    Whenproperlyconfigured,MAClockingisanexcellentsecuritytoolasitpreventsMACspoofing onconfiguredports.AlsoifaMACweretobesecuredbysomethinglikeDragonDynamic IntrusionDetection,MAClockingwouldmakeitmoredifficultforahackertosendpacketsinto thenetworkbecausethehackerwouldhavetochangetheirMACaddressandmovetoanother port.Inthemeantimethesystemadministratorwouldbereceivingamaclocktrapnotification.

    Purpose
    Toreview,disable,enable,andconfigureMAClocking.

    Commands
    For information about... show maclock show maclock stations set maclock enable set maclock disable set maclock clear maclock Refer to page... 23-51 23-52 23-53 23-54 23-54 23-55

    23-50

    Authentication and Authorization Configuration

    show maclock

    For information about... set maclock static clear maclock static set maclock firstarrival clear maclock firstarrival set maclock agefirstarrival clear maclock agefirstarrival set maclock move set maclock trap

    Refer to page... 23-56 23-56 23-57 23-58 23-58 23-59 23-59 23-60

    show maclock
    UsethiscommandtodisplaythestatusofMAClockingononeormoreports.

    Syntax
    show maclock [port-string]

    Parameters
    portstring (Optional)DisplaysMAClockingstatusforspecifiedport(s).Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72.

    Defaults
    Ifportstringisnotspecified,MAClockingstatuswillbedisplayedforallports.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayMAClockinginformationforge.1.1.
    C2(su)->show maclock ge.1.1 MAC locking is globally enabled Port Number ------ge.1.1 Port Trap Status Status ------- -------enabled disabled Aging Status ------enabled Max Static Max FirstArrival Last Violating Allocated Allocated MAC Address ---------- --------------- --------------20 1 00:a0:c9:39:5c:b4

    Table 236providesanexplanationofthecommandoutput.

    SecureStack C2 Configuration Guide

    23-51

    show maclock stations

    Table 23-6
    Output Field Port Number Port Status

    show maclock Output Details


    What It Displays... Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 7-2. Whether MAC locking is enabled or disabled on the port. MAC locking is globally disabled by default. For details on enabling MAC locking on the switch and on one or more ports, refer to set maclock enable on page 23-53 and set maclock on page 23-54. Whether MAC lock trap messaging is enabled or disabled on the port. For details on setting this status, refer to set maclock trap on page 23-60. Whether aging of FirstArrival MAC addresses is enabled or disabled on the port. Refer to set maclock agefirstarrival on page 23-58. The maximum static MAC addresses allowed locked to the port. For details on setting this value, refer to set maclock static on page 23-56. The maximum end station MAC addresses allowed locked to the port. For details on setting this value, refer to set maclock firstarrival on page 23-57. Most recent MAC address(es) violating the maximum static and first arrival value(s) set for the port.

    Trap Status Aging Status Max Static Allocated Max FirstArrival Allocated Last Violating MAC Address

    show maclock stations


    UsethiscommandtodisplayMAClockinginformationaboutendstationsconnectedtothe switch.

    Syntax
    show maclock stations [firstarrival | static] [port-string]

    Parameters
    firstarrival static portstring (Optional)DisplaysMAClockinginformationaboutendstationsfirst connectedtoMAClockedports. (Optional)DisplaysMAClockinginformationaboutstatic(management defined)endstationsconnectedtoMAClockedports. (Optional)Displaysendstationinformationforspecifiedport(s).Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72.

    Defaults
    Ifnoparametersarespecified,MAClockinginformationwillbedisplayedforallendstations.

    Mode
    Switchcommand,readonly.

    23-52

    Authentication and Authorization Configuration

    set maclock enable

    Example
    ThisexampleshowshowtodisplayMAClockinginformationfortheendstationsconnectedtoall GigabitEthernetportsinunit/module2:
    C2(su)->show maclock stations fe.2.* Port Number MAC Address Status State Aging ------------ ------------------------------ -------------- ----fe.2.1 00:a0:c9:39:5c:b4 active first arrival true fe.2.7 00:a0:c9:39:1f:11 active static false

    Table 237providesanexplanationofthecommandoutput. Table 23-7


    Output Field Port Number MAC address Status State Aging

    show maclock stations Output Details


    What It Displays... Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 7-2. MAC address of the end station(s) locked to the port. Whether the end stations are active or inactive. Whether the end station locked to the port is a first arrival or static connection. When true, FirstArrival MACs that have aged out of the forwarding database will be removed for the associated port lock.

    set maclock enable


    UsethiscommandtoenableMAClockinggloballyorononeormoreports.

    Note: MAC locking needs to be enabled globally and on appropriate ports for it to function.

    Syntax
    setmaclockenable[portstring]

    Parameters
    portstring (Optional)EnablesMAClockingonspecificport(s).Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    Defaults
    Ifportstringisnotspecified,MAClockingwillbeenabledglobally.

    Mode
    Switchcommand,readwrite.

    Usage
    Whenenabledandconfigured,MAClockingdefineswhichMACaddresses,aswellashowmany MACaddressesarepermittedtousespecificport(s).
    SecureStack C2 Configuration Guide 23-53

    set maclock disable

    MAClockingisdisabledbydefaultatdevicestartup.ConfiguringoneormoreportsforMAC lockingrequiresgloballyenablingitonthedeviceandthenenablingitonthedesiredports.

    Example
    ThisexampleshowshowtoenableMAClockingonfe.2.3:
    C2(su)->set maclock enable fe.2.3

    set maclock disable


    UsethiscommandtodisableMAClockinggloballyorononeormoreports.

    Syntax
    set maclock disable [port-string]

    Parameters
    portstring (Optional)DisablesMAClockingonspecificport(s).Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    Defaults
    Ifportstringisnotspecified,MAClockingwillbedisabledgloballyontheswitch.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtodisableMAClockingonfe.2.3:
    C2(su)->set maclock disable fe.2.3

    set maclock
    UsethiscommandtocreateastaticMACaddresstoportlocking,andtoenableordisableMAC lockingforthespecifiedMACaddressandport.

    Syntax
    set maclock mac-address port-string {create | enable | disable}

    Parameters
    macaddress portstring SpecifiestheMACaddressforwhichMAClockingwillbecreated, enabledordisabled. Specifiestheportonwhichtocreate,enableordisableMAClockingfor thespecifiedMAC.Foradetaileddescriptionofpossibleportstring values,refertoPortStringSyntaxUsedintheCLIonpage 72.

    23-54

    Authentication and Authorization Configuration

    clear maclock

    create

    EstablishesaMAClockingassociationbetweenthespecifiedMAC addressandport.CreateautomaticallyenablesMAClockingbetweenthe specifiedMACaddressandport. EnablesordisablesMAClockingbetweenthespecifiedMACaddressand port.

    enable|disable

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    ConfiguringaportforMAClockingrequiresgloballyenablingitontheswitchfirstusingtheset maclockenablecommandasdescribedinsetmaclockenableonpage 2353. StaticMAClockingauseronmultipleportsisnotsupported. StaticallyMAClockedaddresseswilldisplayintheshowmacoutput(asdescribedonpage1420) asaddresstypeotherandwillnotremovethemonlinkdown.

    Example
    ThisexampleshowshowtocreateaMAClockingassociationbetweenMACaddress0e03efd8 4455andportge.3.2:
    C2(rw)->set maclock 0e-03-ef-d8-44-55 ge.3.2 create

    clear maclock
    UsethiscommandtoremoveastaticMACaddresstoportlockingentry.

    Syntax
    clear maclock mac-address port-string

    Parameters
    macaddress portstring SpecifiestheMACaddressthatwillberemovedfromthelistofstatic MACsallowedtocommunicateontheport. SpecifiestheportonwhichtocleartheMACaddress.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    SecureStack C2 Configuration Guide

    23-55

    set maclock static

    Usage
    TheMACaddressthatisclearedwillnolongerbeabletocommunicateontheportunlessthefirst arrivallimithasbeensettoavaluegreaterthan0andthislimithasnotyetbeenmet. Forexample,ifuserBsMACisremovedfromthestaticMACaddresslistandthefirstarrival limithasbeensetto0,thenuserBwillnotbeabletocommunicateontheport.IfuserAsMACis removedfromthestaticMACaddresslistandthefirstarrivallimithasbeensetto10,butonlyhas 7entries,userAwillbecomethe8thentryandallowedtocommunicateontheport.

    Example
    ThisexampleshowshowtoremoveaMACfromthelistofstaticMACsallowedtocommunicate onportge.3.2:
    C2(rw)->clear maclock 0e-03-ef-d8-44-55 ge.3.2

    set maclock static


    UsethiscommandtosetthemaximumnumberofstaticMACaddressesallowedperport.Static MACsareadministrativelydefined.

    Syntax
    set maclock static port-string value

    Parameters
    portstring SpecifiestheportonwhichtosetthemaximumnumberofstaticMACs allowed.Foradetaileddescriptionofpossibleportstringvalues,referto PortStringSyntaxUsedintheCLIonpage 72. SpecifiesthemaximumnumberofstaticMACaddressesallowedper port.Validvaluesare0to20.

    value

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetthemaximumnumberofallowablestaticMACsto2onge.3.1:
    C2(rw)->set maclock static ge.3.1 2

    clear maclock static


    UsethiscommandtoresetthenumberofstaticMACaddressesallowedperporttothedefault valueof20.

    Syntax
    clear maclock static port-string

    23-56

    Authentication and Authorization Configuration

    set maclock firstarrival

    Parameters
    portstring SpecifiestheportonwhichtoresetnumberofstaticMACaddresses allowed.Foradetaileddescriptionofpossibleportstringvalues,referto PortStringSyntaxUsedintheCLIonpage 72.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoresetthenumberofallowablestaticMACsonfe.2.3:
    C2(rw)->clear maclock static fe.2.3

    set maclock firstarrival


    UsethiscommandtorestrictMAClockingonaporttoamaximumnumberofendstation addressesfirstconnectedtothatport.

    Syntax
    set maclock firstarrival port-string value

    Parameters
    portstring SpecifiestheportonwhichtolimitMAClocking.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72. SpecifiesthenumberoffirstarrivalendstationMACaddressestobe allowedconnectionstotheport.Validvaluesare0to600.

    value

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Themaclockfirstarrivalcountresetswhenthelinkgoesdown.Thisfeatureisbeneficialifyou haveroamingusersthefirstarrivalcountwillbereseteverytimeausermovestoanotherport, butwillstillprotectagainstconnectingmultipledevicesonasingleportandwillprotectagainst MACaddressspoofing.
    Note: Setting a ports first arrival limit to 0 does not deny the first MAC address learned on the port from passing traffic.

    SecureStack C2 Configuration Guide

    23-57

    clear maclock firstarrival

    Example
    ThisexampleshowshowtorestrictMAClockingto6MACaddressesonfe.2.3:
    C2(su)->set maclock firstarrival fe.2.3 6

    clear maclock firstarrival


    UsethiscommandtoresetthenumberoffirstarrivalMACaddressesallowedperporttothe defaultvalueof600.

    Syntax
    clear maclock firstarrival port-string

    Parameters
    portstring Specifiestheportonwhichtoresetthefirstarrivalvalue.Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoresetMACfirstarrivalsonfe.2.3:
    C2(su)->clear maclock firstarrival fe.2.3

    set maclock agefirstarrival


    UsethiscommandtoenableordisabletheagingoffirstarrivalMACaddresses.Whenenabled, firstarrivalMACaddressesthatareagedoutoftheforwardingdatabasewillberemovedfromthe associatedportMAClock.

    Syntax
    set maclock agefirstarrival port-string {enable | disable}

    Parameters
    portstring Specifiestheport(s)onwhichtoenableordisablefirstarrivalaging.For adetaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72. Enableordisablefirstarrivalaging.Bydefault,firstarrivalagingis disabled.

    enable|disable

    Defaults
    None.

    23-58

    Authentication and Authorization Configuration

    clear maclock agefirstarrival

    Mode
    Switchmode,readwrite.

    Example
    Thisexampleenablesfirstarrivalagingonportge.1.1.
    C2(su)-> set maclock agefirstarrival ge.1.1 enable

    clear maclock agefirstarrival


    Usethiscommandtoresetfirstarrivalagingononeormoreportstoitsdefaultstateofdisabled.

    Syntax
    clear maclock agefirstarrival port-string

    Parameters
    portstring Specifiestheport(s)onwhichtodisablefirstarrivalaging.Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72.

    Defaults
    None.

    Mode
    Switchmode,readwrite.

    Example
    Thisexampledisablesfirstarrivalagingonportge.1.1.
    C2(su)-> clear maclock agefirstarrival ge.1.1 enable

    set maclock move


    UsethiscommandtomoveallcurrentfirstarrivalMACstostaticentries.

    Syntax
    set maclock move port-string

    Parameters
    portstring SpecifiestheportonwhichMACwillbemovedfromfirstarrivalMACs tostaticentries.Foradetaileddescriptionofpossibleportstringvalues, refertoPortStringSyntaxUsedintheCLIonpage 72.

    Defaults
    None.

    SecureStack C2 Configuration Guide

    23-59

    set maclock trap

    Mode
    Switchcommand,readwrite.

    Usage
    IftherearemorefirstarrivalMACsthantheallowedmaximumstaticMACs,thenonlythelatest firstarrivalMACswillbemovedtostaticentries.Forexample,ifyousetthemaximumnumberof staticMACsto2withthesetmaclockstaticcommand,andthenexecutedthesetmaclockmove command,eventhoughtherewerefiveMACsinthefirstarrivaltable,onlythetwomostrecent MACentrieswouldbemovedtostaticentries.

    Example
    ThisexampleshowshowtomoveallcurrentfirstarrivalMACstostaticentriesonportsge.3.140:
    C2(rw)->set maclock move ge.3.1-40

    set maclock trap


    UsethiscommandtoenableordisableMAClocktrapmessaging.

    Syntax
    set maclock trap port-string {enable | disable}

    Parameters
    portstring SpecifiestheportonwhichMAClocktrapmessagingwillbeenabledor disabled.Foradetaileddescriptionofpossibleportstringvalues,referto PortStringSyntaxUsedintheCLIonpage 72. EnablesordisablesMAClocktrapmessaging.

    enable|disable

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    Whenenabled,thisfeatureauthorizestheswitchtosendanSNMPtrapmessageifanendstation isconnectedthatexceedsthemaximumvaluesconfiguredusingthesetmaclockfirstarrivaland setmaclockstaticcommands.ViolatingMACaddressesaredroppedfromthedevices(orstacks) filteringdatabase.

    Example
    ThisexampleshowshowtoenableMAClocktrapmessagingonfe.2.3:
    C2(su)->set maclock trap fe.2.3 enable

    23-60

    Authentication and Authorization Configuration

    Configuring Port Web Authentication (PWA)

    Configuring Port Web Authentication (PWA)


    About PWA
    PWAprovidesawayofauthenticatingusersbeforeallowinggeneralaccesstothenetwork TologonusingPWA,theusermakesarequestthroughawebbrowserforthePWAwebpageoris automaticallyredirectedtothisloginpageafterrequestingaURLinabrowser. Dependingupontheauthenticatedstateoftheuser,aloginpageoralogoutpagewilldisplay. Whenausersubmitsusernameandpassword,theswitchthenauthenticatestheuserviaa preconfiguredRADIUSserver.Iftheloginissuccessful,thentheuserwillbegrantedfullnetwork accessaccordingtotheuserspolicyconfigurationontheswitch.
    Note: One user per PWA-configured port can be authenticated on SecureStack C2 devices. PWA authentication does not support RFC-3580 VLAN authorization.

    Purpose
    Toreview,enable,disable,andconfigurePortWebAuthentication(PWA).

    Commands
    For information about... show pwa set pwa show pwa banner set pwa banner clear pwa banner set pwa displaylogo set pwa ipaddress set pwa protocol set pwa guestname clear pwa guestname set pwa guestpassword set pwa gueststatus set pwa initialize set pwa quietperiod set pwa maxrequest set pwa portcontrol show pwa session set pwa enhancedmode Refer to page... 23-62 23-63 23-64 23-64 23-65 23-65 23-66 23-66 23-67 23-67 23-68 23-68 23-69 23-69 23-70 23-70 23-71 23-72

    SecureStack C2 Configuration Guide

    23-61

    show pwa

    show pwa
    Usethiscommandtodisplayportwebauthenticationinformationforoneormoreports.

    Syntax
    show pwa [port-string]

    Parameters
    portstring (Optional)DisplaysPWAinformationforspecificport(s).

    Defaults
    Ifportstringisnotspecified,PWAinformationwillbedisplayedforallports.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayPWAinformationforge.2.1:
    C2(su)->show pwa ge.2.1 PWA Status PWA IP Address PWA Protocol PWA Enhanced Mode PWA Logo PWA Guest Networking Status PWA Guest Name PWA Redirect Time Port Mode -------- ---------------ge.2.1 disabled enabled 192.168.62.99 PAP N/A enabled disabled guest N/A QuietPeriod ----------60 MaxReq --------16

    AuthStatus -------------disconnected

    Table 238providesanexplanationofthecommandoutput. Table 23-8


    Output Field PWA Status

    show pwa Output Details


    What It Displays... Whether or not port web authentication is enabled or disabled. Default state of disabled can be changed using the set pwa command as described in set pwa on page 23-63. IP address of the end station from which PWA will prevent network access until the user is authenticated. Set using the set pwa ipaddress command as described in set pwa ipaddress on page 23-66. Whether PWA protocol is CHAP or PAP. Default setting of PAP can be changed using the set pwa protocol command as described in set pwa protocol on page 23-66. Whether PWA enhanced mode is enabled or disabled. Default state of disabled can be changed using the set pwa enhancedmode command as described in set pwa enhancedmode on page 23-72.

    PWA IP Address

    PWA Protocol

    PWA Enhanced Mode

    23-62

    Authentication and Authorization Configuration

    set pwa

    Table 23-8
    Output Field PWA Logo

    show pwa Output Details (Continued)


    What It Displays... Whether the Enterasys Networks logo will be displayed or hidden at user login. Default state of enabled (displayed) can be changed using the set pwa displaylogo command as described in set pwa displaylogo on page 23-65. Whether PWA guest user status is disabled or enabled with RADIUS or no authentication. Default state of disabled can be changed using the set pwa gueststatus command as described in set pwa gueststatus on page 23-68. Guest user name for PWA enhanced mode networking. Default value of guest can be changed using the set pwa guestname command as described in set pwa guestname on page 23-67. Guest users password. Default value of an empty string can be changed using the set pwa guestpassword command as described in set pwa guestpassword on page 23-68. Time in seconds after login success before the user is redirected to the PWA home page. PWA port designation. Whether PWA is enabled or disabled on his port. Whether or not the port state is disconnected, authenticating, authenticated, or held (authentication has failed). Amount of time a port will be in the held state after a user unsuccessfully attempts to log on to the network. Default value of 60 can be changed using the set pwa quietperiod command as described in set pwa quietperiod on page 23-69. Maximum number of log on attempts allowed before transitioning the port to a held state. Default value of 2 can be changed using the set pwa maxrequests command as described in set pwa maxrequest on page 23-70.

    PWA Guest Networking Status PWA Guest Name

    PWA Guest Password PWA Redirect Time Port Mode Auth Status Quiet Period

    MaxReq

    set pwa
    Usethiscommandtoenableordisableportwebauthentication.

    Syntax
    set pwa {enable | disable}

    Parameters
    enable|disable Enablesordisablesportwebauthentication.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoenableportwebauthentication:
    C2(su)->set pwa enable

    SecureStack C2 Configuration Guide

    23-63

    show pwa banner

    show pwa banner


    Usethiscommandtodisplaytheportwebauthenticationloginbannerstring.

    Syntax
    show pwa banner

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaythePWAloginbanner:
    C2(su)->show pwa banner Welcome to Enterasys Networks

    set pwa banner


    UsethiscommandtoconfigureastringtobedisplayedasthePWAloginbanner.

    Syntax
    set pwa banner string

    Parameters
    string SpecifiesthePWAloginbanner.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetthePWAloginbannertoWelcometoEnterasysNetworks:
    C2(su)->set pwa banner Welcome to Enterasys Networks

    23-64

    Authentication and Authorization Configuration

    clear pwa banner

    clear pwa banner


    UsethiscommandtoresetthePWAloginbannertoablankstring.

    Syntax
    clear pwa banner

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoresetthePWAloginbannertoablankstring
    C2(su)->clear pwa banner

    set pwa displaylogo


    UsethiscommandtosetthedisplayoptionsfortheEnterasysNetworkslogo.

    Syntax
    set pwa displaylogo {display | hide}

    Parameters
    display|hide DisplaysorhidestheEnterasysNetworkslogowhenthePWAwebsite displays.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtohidetheEnterasysNetworkslogo:
    C2(su)->set pwa displaylogo hide

    SecureStack C2 Configuration Guide

    23-65

    set pwa ipaddress

    set pwa ipaddress


    UsethiscommandtosetthePWAIPaddress.ThisistheIPaddressoftheendstationfromwhich PWAwillpreventnetworkaccessuntiltheuserisauthenticated.

    Syntax
    set pwa ipaddress ip-address

    Parameters
    ipaddress SpecifiesagloballyuniqueIPaddress.Thissamevaluemustbe configuredintoeveryauthenticatingswitchinthedomain.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetaPWAIPaddressof1.2.3.4:
    C2(su)->set pwa ipaddress 1.2.3.4

    set pwa protocol


    Usethiscommandtosettheportwebauthenticationprotocol.

    Syntax
    set pwa protocol {chap | pap}

    Parameters
    chap|pap SetsthePWAprotocolto: CHAP(PPPChallengeHandshakeProtocol)encryptstheusername andpasswordbetweentheendstationandtheswitchport. PAP(PasswordAuthenticationProtocoldoesnotprovideany encryptionbetweentheendstationtheswitchport.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetathePWAprotocoltoCHAP:
    C2(su)->set pwa protocol chap

    23-66

    Authentication and Authorization Configuration

    set pwa guestname

    set pwa guestname


    UsethiscommandtosetaguestusernameforPWAnetworking.PWAwillusethisnametogrant networkaccesstoguestswithoutestablishedloginnamesandpasswords.

    Syntax
    set pwa guestname name

    Parameters
    name Specifiesaguestusername.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetthePWAguestusernametoguestuser:
    C2(su)->set pwa guestname guestuser

    clear pwa guestname


    UsethiscommandtoclearthePWAguestusername.

    Syntax
    clear pwa guestname

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoclearthePWAguestusername
    C2(su)->clear pwa guestname

    SecureStack C2 Configuration Guide

    23-67

    set pwa guestpassword

    set pwa guestpassword


    UsethiscommandtosettheguestuserpasswordforPWAnetworking.

    Syntax
    set pwa guestpassword

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Usage
    PWAwillusethispasswordandtheguestusernametograntnetworkaccesstoguestswithout establishedloginnamesandpasswords.

    Example
    ThisexampleshowshowtosetthePWAguestuserpasswordname:
    C2(su)->set pwa guestpassword Guest Password: ********* Retype Guest Password: *********

    set pwa gueststatus


    Usethiscommandtoenableordisableguestnetworkingforportwebauthentication.

    Syntax
    set pwa gueststatus {authnone | authradius | disable}

    Parameters
    authnone authradius Enablesguestnetworkingwithnoauthenticationmethod. EnablesguestnetworkingwithRADIUSauthentication.Uponsuccessful authenticationfromRADIUS,PWAwillapplythepolicyreturnedfrom RADIUStothePWAport. Disablesguestnetworking.

    disable

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    23-68

    Authentication and Authorization Configuration

    set pwa initialize

    Usage
    PWAwilluseaguestpasswordandguestusernametograntnetworkaccesswithdefaultpolicy privilegestouserswithoutestablishedloginnamesandpasswords.

    Example
    ThisexampleshowshowtoenablePWAguestnetworkingwithRADIUSauthentication:
    C2(su)->set pwa guestnetworking authradius

    set pwa initialize


    UsethiscommandtoinitializeaPWAporttoitsdefaultunauthenticatedstate.

    Syntax
    set pwa initialize [port-string]

    Parameters
    portstring (Optional)Initializesspecificport(s).Foradetaileddescriptionofpossible portstringvalues,refertoPortStringSyntaxUsedintheCLIon page 72.

    Defaults
    Ifportstringisnotspecified,allportswillbeinitialized.

    Mode
    Switchcommand,readwrite.

    Example
    Thisexampleshowshowtoinitializeportsge.1.57:
    C2(su)->set pwa initialize ge.1.5-7

    set pwa quietperiod


    Usethiscommandtosettheamountoftimeaportwillremainintheheldstateafterauser unsuccessfullyattemptstologontothenetwork.

    Syntax
    set pwa quietperiod time [port-string]

    Parameters
    time portstring Specifiesquiettimeinseconds. (Optional)Setsthequietperiodforspecificport(s).Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    SecureStack C2 Configuration Guide

    23-69

    set pwa maxrequest

    Defaults
    Ifportstringisnotspecified,quietperiodwillbesetforallports.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetthePWAquietperiodto30secondsforportsge.1.57:
    C2(su)->set pwa quietperiod 30 ge.1.5-7

    set pwa maxrequest


    Usethiscommandtosetthemaximumnumberoflogonattemptsallowedbeforetransitioning thePWAporttoaheldstate.

    Syntax
    set pwa maxrequests requests [port-string]

    Parameters
    maxrequests portstring Specifiesthemaximumnumberoflogonattempts. (Optional)Setsthemaximumrequestsforspecificport(s).Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    Defaults
    Ifportstringisnotspecified,maximumrequestswillbesetforallports.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtosetthePWAmaximumrequeststo3forallports:
    C2(su)->set pwa maxrequests 3

    set pwa portcontrol


    ThiscommandenablesordisablesPWAauthenticationonselectports.

    Syntax
    set pwa portcontrol {enable | disable} [port-string]

    23-70

    Authentication and Authorization Configuration

    show pwa session

    Parameters
    enable|disable portstring EnablesordisablesPWAonspecifiedports. (Optional)Setsthecontrolmodeonspecificport(s).Foradetailed descriptionofpossibleportstringvalues,refertoPortStringSyntaxUsed intheCLIonpage 72.

    Defaults
    Ifportstringisnotspecified,PWAwillenabledonallports.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoenablePWAonports122:
    C2(su)->set pwa portcontrol enable ge.1.1-22

    show pwa session


    UsethiscommandtodisplayinformationaboutcurrentPWAsessions.

    Syntax
    show pwa session [port-string]

    Parameters
    portstring (Optional)DisplaysPWAsessioninformationforspecificport(s).Fora detaileddescriptionofpossibleportstringvalues,refertoPortString SyntaxUsedintheCLIonpage 72.

    Defaults
    Ifportstringisnotspecified,sessioninformationforallportswillbedisplayed.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplayPWAsessioninformation:
    C2(su)->show pwa session Port MAC -------- ----------------ge.2.19 00-c0-4f-20-05-4b ge.2.19 00-c0-4f-24-51-70 ge.2.19 00-00-f8-78-9c-a7 IP --------------172.50.15.121 172.50.15.120 172.50.15.61 User ------------pwachap10 pwachap1 pwachap11 Duration -----------0,14:46:55 0,15:43:30 0,14:47:58 Status --------active active active

    SecureStack C2 Configuration Guide

    23-71

    set pwa enhancedmode

    set pwa enhancedmode


    ThiscommandenablesPWAURLredirection.TheswitchinterceptsallHTTPpacketsonport80 fromtheenduser,andsendstheenduserarefreshpagedestinedforthePWAIPAddress configured.

    Syntax
    set pwa enhancedmode {enable | disable}

    Parameters
    enable|disable EnablesordisablesPWAenhancedmode.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoenablePWAenhancedmode:
    C2(su)->set pwa enhancedmode enable

    23-72

    Authentication and Authorization Configuration

    Configuring Secure Shell (SSH)

    Configuring Secure Shell (SSH)


    Purpose
    Toreview,enable,disable,andconfiguretheSecureShell(SSH)protocol,whichprovidessecure Telnet.

    Commands
    For information about... show ssh status set ssh set ssh hostkey Refer to page... 23-73 23-73 23-74

    show ssh status


    UsethiscommandtodisplaythecurrentstatusofSSHontheswitch.

    Syntax
    show ssh status

    Parameters
    None.

    Defaults
    None.

    Mode
    Switchcommand,readonly.

    Example
    ThisexampleshowshowtodisplaySSHstatusontheswitch:
    C2(su)->show ssh status SSH Server status: Disabled

    set ssh
    Usethiscommandtoenable,disableorreinitializeSSHserverontheswitch.Bydefault,theSSH serverisdisabled.

    Syntax
    set ssh {enable | disable | reinitialize}

    SecureStack C2 Configuration Guide

    23-73

    set ssh hostkey

    Parameters
    enable|disable reinitialize EnablesordisablesSSH,orreinitializestheSSHserver. ReinitializestheSSHserver.

    Defaults
    None.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtodisableSSH:
    C2(su)->set ssh disable

    set ssh hostkey


    UsethiscommandtosetorreinitializenewSSHauthenticationkeys.

    Syntax
    set ssh hostkey [reinitialize]

    Parameters
    reinitialize (Optional)Reinitializestheserverhostauthenticationkeys.

    Defaults
    Ifreinitializeisnotspecified,theusermustsupplySSHauthenticationkeyvalues.

    Mode
    Switchcommand,readwrite.

    Example
    ThisexampleshowshowtoregenerateSSHkeys:
    C2(su)->set ssh hostkey reinitialize

    23-74

    Authentication and Authorization Configuration

    Configuring Access Lists

    Configuring Access Lists


    Router: These commands can be executed when the device is in router mode only. For details on how to enable router configuration modes, refer to Enabling Router Configuration Modes on page 18-2. Note: Access Control Lists are limited to 100 per stack and 9 per interface on C2 stack configurations, or mixed configurations of C2 and C3 switches in a stack. On C3-only configurations, up to 100 Access Control Lists with up to 20 access rules per list and 60 per interface are supported per stack .

    Purpose
    Toreviewandconfiguresecurityaccesscontrollists(ACLs),whichpermitordenyaccessto routinginterfacesbasedonprotocolandIPaddressrestrictions.

    Commands
    For information about... show access-lists access-list (standard) access-list (extended) ip access-group Refer to page... 23-75 23-76 23-77 23-79

    show access-lists
    UsethiscommandtodisplayconfiguredIPaccesslistswhenoperatinginroutermode.

    Syntax
    showaccesslists[number]

    Parameters
    accesslist number (Optional)Displaysaccesslistinformationforaspecificaccesslistnumber. Validvaluesarebetween1and199.

    Defaults
    Ifnumberisnotspecified,theentiretableofaccesslistswillbedisplayed.

    Mode
    Anyroutermode.

    Example
    ThisexampleshowshowtodisplayIPaccesslistnumber101.Thisisanextendedaccesslist, whichpermitsordeniesICMP,UDPandIPframesbasedonrestrictionsconfiguredwiththeone oftheaccesslistcommands.Fordetailsonconfiguringstandardaccesslists,refertoaccesslist

    SecureStack C2 Configuration Guide

    23-75

    access-list (standard)

    (standard)onpage 2376.Fordetailsonconfiguringextendedaccesslists,refertoaccesslist (extended)onpage 2377.


    C2(su)->router#show access-lists 101 Extended IP access list 101 1: permit icmp host 18.2.32.130 any 2: permit udp host 198.92.32.130 host 171.68.225.126 3: deny ip 150.136.0.0 0.0.255.255 224.0.0.0 15.255.255.255 4: deny ip 11.6.0.0 0.1.255.255 224.0.0.0 15.255.255.255 5: deny ip 172.24.24.0 0.0.1.255 224.0.0.0 15.255.255.255

    access-list (standard)
    UsethiscommandtodefineastandardIPaccesslistbynumberwhenoperatinginroutermode. Thenoformofthiscommandremovesthedefinedaccesslistorentry.

    Syntax
    To create an ACL entry:
    access-list access-list-number {deny | permit} source [source-wildcard] no access-list access-list-number [entry]

    To insert or replace an ACL entry:


    access-list access-list-number insert | replace entry

    To move entries within an ACL:


    access-list access-list-number move destination source1 [source2]

    Parameters
    accesslist number deny|permit source Specifiesastandardaccesslistnumber.Validvaluesarefrom1to99. Deniesorpermitsaccessifspecifiedconditionsaremet. Specifiesthenetworkorhostfromwhichthepacketwillbesent.Valid optionsforexpressingsourceare: sourcewildcard insert|replace entry movedestination source1source2 IPaddressorrangeofaddresses(A.B.C.D) anyAnysourcehost hostsourceIPaddressofasinglesourcehost

    (Optional)Specifiesthebitstoignoreinthesourceaddress. (Optional)InsertsthisnewentrybeforeaspecifiedentryinanexistingACL, orreplacesaspecifiedentrywiththisnewentry. (Optional)Movesasequenceofaccesslistentriesbeforeanotherentry. Destinationisthenumberoftheexistingentrybeforewhichthisnewentry willbemoved.Source1isasingleentrynumberorthefirstentrynumberin therangetobemoved.Source2(optional)isthelastentrynumberinthe rangetobemoved.Ifsource2isnotspecified,onlythesource1entrywillbe moved.

    Defaults
    Ifinsert,replaceormovearenotspecified,thenewentrywillbeappendedtotheaccesslist.

    23-76

    Authentication and Authorization Configuration

    access-list (extended)

    Ifsource2isnotspecifiedwithmove,onlyoneentrywillbemoved.

    Mode
    Globalconfiguration:C2(su)>router(Config)#

    Usage

    Note: ACLs are not supported on routed VLANs which incorporate LAG ports.

    ValidaccesslistnumbersforstandardACLsare1to99.ForextendedACLs,validvaluesare100 to199. Accesslistsareappliedtointerfacesbyusingthe ipaccessgroupcommand((page2379)).

    Examples
    Thisexampleshowshowtocreateaccesslist1withthreeentriesthatallowaccesstoonlythose hostsonthethreespecifiednetworks.Thewildcardbitsapplytothehostportionsofthenetwork addresses.Anyhostwithasourceaddressthatdoesnotmatchtheaccesslistentrieswillbe rejected:
    C2(su)->router(Config)#access-list 1 permit 192.5.34.0 0.0.0.255 C2(su)->router(Config)#access-list 1 permit 128.88.0.0 0.0.255.255 C2(su)->router(Config)#access-list 1 permit 36.0.0.0 0.255.255.255

    Thisexamplemovesentry16tothebeginningofACL22:
    C2(su)->router(Config)#access-list 22 move 1 16

    access-list (extended)
    UsethiscommandtodefineanextendedIPaccesslistbynumberwhenoperatinginroutermode. Thenoformofthiscommandremovesthedefinedaccesslistorentry:

    Syntax
    To apply ACL restrictions to IP, UDP, ICMP or TCP packets:
    access-list access-list-number {deny | permit} protocol source [source-wildcard] [operator [port]] destination [destination-wildcard] no access-list access-list-number [entry]

    To insert or replace an ACL entry:


    access-list access-list-number insert | replace entry

    To move entries within an ACL:


    access-list access-list-number move destination source1 [source2]

    Parameters
    accesslistnumber deny|permit Specifiesanextendedaccesslistnumber.Validvaluesarefrom100to199. Deniesorpermitsaccessifspecifiedconditionsaremet.

    SecureStack C2 Configuration Guide

    23-77

    access-list (extended)

    protocol

    SpecifiesanIPprotocolforwhichtodenyorpermitaccess.Validvalues andtheircorrespondingprotocolsare: ipAnyInternetprotocol udpUserDatagramProtocol tcpTransmissionControlProtocol icmpInternetControlMessageProtocol

    source

    Specifiesthenetworkorhostfromwhichthepacketwillbesent.Valid optionsforexpressingsourceare: IPaddressorrangeofaddresses(A.B.C.D) anyAnysourcehost hostsourceIPaddressofasinglesourcehost

    sourcewildcard operatorport

    (Optional)Specifiesthebitstoignoreinthesourceaddress. (Optional)AppliesaccessrulestoTCPorUDPsourceordestinationport numbers.Possibleoperandis: eqportMatchesonlypacketsonagivenportnumber.

    destination

    Specifiesthenetworkorhosttowhichthepacketwillbesent.Validoptions forexpressingdestinationare: IPaddress(A.B.C.D) anyAnydestinationhost hostsourceIPaddressofasingledestinationhost

    destination wildcard insert|replace entry movedestination source1source2

    (Optional)Specifiesthebitstoignoreinthedestinationaddress. (Optional)Insertsthisnewentrybeforeaspecifiedentryinanexisting ACL,orreplacesaspecifiedentrywiththisnewentry. (Optional)Movesasequenceofaccesslistentriesbeforeanotherentry. Destinationisthenumberoftheexistingentrybeforewhichthisnewentry willbemoved.Source1isasingleentrynumberorthefirstentrynumberin therangetobemoved.Source2(optional)isthelastentrynumberinthe rangetobemoved.Ifsource2isnotspecified,onlythesource1entrywillbe moved.

    Defaults
    Ifinsert,replace,ormovearenotspecified,thenewentrywillbeappendedtotheaccesslist. Ifsource2isnotspecifiedwithmove,onlyoneentrywillbemoved. Ifoperatorandportarenotspecified,accessparameterswillbeappliedtoallTCPorUDPports.

    Mode
    Globalconfiguration:C2(su)>router(Config)#

    Usage
    Accesslistsareappliedtointerfacesbyusingtheipaccessgroupcommandasdescribedinip accessgrouponpage 2379.

    23-78

    Authentication and Authorization Configuration

    ip access-group

    ValidaccesslistnumbersforextendedACLsare100to199.ForstandardACLs,validvaluesare1 to99.

    Example
    Thisexampleshowshowtodefineaccesslist101todenyICMPtransmissionsfromanysource andforanydestination:
    C2(su)->router(Config)#access-list 101 deny ICMP any any

    ip access-group
    Usethiscommandtoapplyaccessrestrictionstoinboundframesonaninterfacewhenoperating inroutermode.Thenoformofthiscommandremovesthespecifiedaccesslist.

    Syntax
    ip access-group access-list-number in no ip access-group access-list-number in

    Parameters
    accesslistnumber in Specifiesthenumberoftheaccesslisttobeappliedtotheaccesslist.This isadecimalnumberfrom1to199. Filtersinboundframes.

    Defaults
    None.

    Mode
    Interfaceconfiguration:C2(su)>router(Configif(Vlan<vlan_id>))#

    Usage
    ACLsmustbeappliedperroutinginterface.Anentry(rule)canbeappliedtoinboundframes only.

    Example
    Thisexampleshowshowtoapplyaccesslist1forallinboundframesontheVLAN1interface. Throughthedefinitionofaccesslist1,onlyframeswithasourceaddressonthe192.5.34.0/24 networkwillberouted.AlltheframeswithothersourceaddressesreceivedontheVLAN1 interfacearedropped:
    C2(su)->router(Config)#access-list 1 permit 192.5.34.0 0.0.0.255 C2(su)->router(Config)#interface vlan 1 C2(su)->router(Config-if(Vlan 1))#ip access-group 1 in

    SecureStack C2 Configuration Guide

    23-79

    ip access-group

    23-80

    Authentication and Authorization Configuration

    Index
    Numerics
    802.1D 9-1 802.1p 11-17, 12-1 802.1Q 10-1 802.1s 9-1 802.1w 9-1 802.1x 23-5, 23-19 Command Line Interface. See also CLI Configuration clearing switch parameters 3-49 modes for router operation 18-2 Configuration Files copying 3-43 deleting 3-44 displaying 3-41 executing 3-42 show running config 3-44 show running-config 19-6 Contexts (SNMP) 8-3 Copying Configuration or Image Files 3-43 CoS flood control 11-19 rate limiting 11-17 Cost area default 20-23 OSPF 20-15, 20-23 Spanning Tree port 9-39 show system 3-14, 3-25 Hello Packets 20-18 Help keyword lookups 1-8 Host VLAN 10-18

    I
    ICMP 14-14 IGMP 13-1 enabling and disabling 13-2, 13-10 Image File copying 3-43 downloading 3-30 Ingress Filtering 10-8, 10-11 Interface Configuration Mode 19-2 Interface(s) configuring OSPF parameters 20-11 configuring settings for IP 19-1 RIP passive 20-8 RIP receive 20-8 RIP send 20-4 IP access lists 23-76 to 23-77 address, setting for a routing interface 19-5 routes, adding in router mode 19-17 routes, managing in switch mode 14-17 IPv6 addresses, setting 21-3 default router, setting 21-5 gateway, setting 21-5 management 21-1 Neighbor Discovery Protocol displaying cache 21-6 IPv6 proxy routing 22-1 IRDP 20-37

    A
    Access Groups 23-79 Access Lists 23-76 to 23-77 Addresses MAC, adding entries to routing table 19-5 setting the router ID address 20-12 Advertised Ability 7-15 Alias node 14-35 Area Border Routers (ABRs) 20-21 ARP dynamic inspection 17-16 entries, adding in routing mode 19-9 proxy, enabling 19-10 timeout 19-11 Authentication EAPOL 23-19 MAC 23-21 MD5 20-20 OSPF MD5 20-20 simple password 20-19 Port web 23-61 RADIUS server 23-5, 23-8 SSH 23-74 Auto-negotiation 7-15

    D
    Defaults CLI behavior, described 1-8 factory installed 1-2 DHCP server, configuring 16-1 DHCP snooping basic configuration 17-3 database 17-2 overview 17-1 DHCP/BOOTP Relay 16-1 DVMRP 20-33 Dynamic ARP inspection basic configuration 17-18 overview 17-16 Dynamic policy profile assignment 23-2

    B
    banner motd 3-24 Baud Rate 3-30 Broadcast settings for IP routing 19-12 suppression, enabling on ports 7-30

    J
    Jumbo Frame Support 7-13

    E
    EAP pass-through 23-2, 23-14 EAPOL 23-19

    K
    Keyword Lookups 1-8

    C
    CDP Discovery Protocol 6-1 CIDR 20-6 Cisco Discovery Protocol 6-7 Class of Service 11-7, 11-11, 11-17 to 11-23, 12-1 Class of Service (CoS) 11-17 Classification Policies 11-1 Clearing NVRAM 3-49 CLI closing 3-47 scrolling screens 1-9 starting 1-6 Command History Buffer 14-12, 14-13

    F
    Flood control, via CoS 11-19 Flow Control 7-19 Forbidden VLAN port 10-14

    L
    License key advanced routing 20-1 Line Editing Commands 1-10 Link Layer Discovery Protocol (LLDP) configuring 6-13 Link State Advertisements displaying 20-27 retransmit interval 20-17 transmit delay 20-17 LLDP configuring 6-13 LLDP-MED

    G
    Getting Help xxxii GVRP enabling and disabling 10-23 purpose of 10-20 timer 10-24

    H
    Hardware

    Index -1

    configuring 6-13 Lockout set system 3-7 Logging 14-1 Login administratively configured 1-7 default 1-7 setting accounts 3-2 via Telnet 1-7

    transmit delay 20-17 virtual links 20-24, 20-31

    P
    Password aging 3-6 history 3-6, 3-7 set new 3-5 setting the login 3-5 PIM-SM 20-49 Ping 14-14, 19-17 Policy Management assigning ports 11-15 classifying to a VLAN or Class of Service 11-7, 11-11 dynamic assignment of profiles 23-2 profiles 11-1, 11-17 Port Mirroring 7-33 Port Priority configuring 12-1 Port String syntax used in the CLI 7-2 Port Trunking 7-38 Port web authentication configuring 23-61 Port(s) alias 7-8 assignment scheme 7-2 auto-negotiation and advertised ability 7-15 broadcast suppression 7-30 counters, reviewing statistics 7-5 duplex mode, setting 7-10 flow control 7-19 link flap about 7-21 configuration defaults 7-23 configuring 7-22 link traps, configuring 7-21 MAC lock 23-53 priority, configuring 12-1 speed, setting 7-10 status, reviewing 7-3 Power over Ethernet (PoE), configuring 5-1 Priority OSPF 20-15 VRRP 20-45 Priority to Transmit Queue Mapping 12-4 Prompt in router mode 18-2 set 3-23 Protocol Independant Multicast 20-49 PWA 23-61

    M
    MAC Addresses displaying 14-20 MAC Authentication 23-21 MAC Locking 23-50 maximum static entries 23-56 static 23-56 Management VLAN 10-1 MD5 Authentication 20-20 motd 3-24 Multicast 20-49 Multicast Filtering 13-1, 13-2 Multiple Spanning Tree Protocol (MSTP) 9-1

    N
    Name setting for a VLAN 10-6 setting for the system 3-26 Neighbors OSPF 20-30 Network Management addresses and routes 14-17 monitoring switch events and status 14-12 Networks OSPF 20-14 Node Alias 14-35 NSSA Areas 20-23 NVRAM clearing 3-49

    RADIUS server 23-5, 23-8 Rapid Spanning Tree Protocol (RSTP) 9-1 Rate Limiting 12-10 Rate limiting, via CoS 11-17 Redistribute 20-9, 20-25 Related Manuals xxxi Reset 3-48 RFC 3580 23-45 RIP CIDR 20-6 configuration mode, enabling 20-2 configuration tasks 20-1 passive interface 20-8 redistribute 20-9 Router Mode(s) enabling 18-2 Routing Interfaces configuring 19-2 Routing Protocol Configuration DVMRP 20-33 IRDP 20-37 OSPF 20-11 RIP 20-1 VRRP 20-42

    S
    Scrolling Screens 1-9 Secure Shell (SSH) 23-73 enabling 23-73 regenerating new keys 23-74 Security methods, overview of 23-1 Serial Port downloading upgrades via 3-30 show system utilization cpu 3-15 SNMP access rights 8-15 accessing in router mode 8-3 enabling on the switch 8-17 MIB views 8-19 notification parameters 8-28 notify filters 8-28 security models and levels 8-2 statistics 8-3 target addresses 8-25 target parameters 8-22 trap configuration example 8-37 users, groups and communities 8-8 SNTP 14-27 Spanning Tree 9-1 backup root 9-21, 9-22 bridge parameters 9-3 features 9-2 port parameters 9-33 Rapid Spanning Tree Protocol (RSTP) 9-1 Split Horizon 20-7 SSL WebView 3-52 stacks installing units 2-2

    O
    OSPF Area Border Routers (ABRs) 20-21 areas, defining NSSAs 20-23 areas, defining range 20-21 areas, defining stub 20-22 configuration mode, enabling 20-13 configuration tasks 20-11 cost 20-15, 20-23 hello packet intervals 20-18 information, displaying 20-26 to 20-31 link state advertisements 20-27 neighbors 20-30 networks 20-14 priority 20-15 redistribute 20-25 retransmit interval 20-17 timers 20-16

    R
    RADIUS 23-3 realm 23-6 RADIUS Filter-ID 23-2 attribute formats 23-3

    Index - 2

    operation 2-1 virtual switch configuration 2-3 Stub Areas 20-22 Syslog 14-1 System Information displaying basic 3-13 setting basic 3-9

    priority 20-45 virtual router address 20-44

    W
    WebView 1-2, 3-50 WebView SSL 3-52

    T
    Technical Support xxxii Telnet disconnecting 14-15 enabling in switch mode 3-36 Terminal Settings 3-27 TFTP downloading firmware upgrades via 3-30 Timeout ARP 19-11 CLI, system 3-29 RADIUS 23-5 Timers OSPF 20-16 Traceroute in router mode 19-18 Trap SNMP configuration example 8-37 Tunnel Attributes RFC 3580 RADIUS attributes 23-45

    U
    User Accounts default 1-7 setting 3-2

    V
    Version RIP receive 20-5 RIP send 20-4 Version Information 3-25 Virtual Links 20-24, 20-31 virtual switch, configuring 2-3 VLANs assigning ingress filtering 10-11 assigning port VLAN IDs 10-8 authentication 23-45, 23-49 classifying to 11-7, 11-11 creating static 10-5 dynamic egress 10-17 egress lists 10-13, 23-48 enabling GVRP 10-20 forbidden ports 10-14 host, setting 10-18 ingress filtering 10-8 naming 10-6 RADIUS 23-45 secure management, creating 10-1 VRRP configuration mode, enabling 20-42 creating a session 20-43 enabling on an interface 20-47

    Index -3

    Index - 4

    Das könnte Ihnen auch gefallen