Stackable Switches
Configuration Guide
Firmware Version 5.02.xx.xxxx
P/N 9033991-17
Notice
Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.
The hardware, firmware, or software described in this document is subject to change without notice.
IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEBSITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.
Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810
2008 Enterasys Networks, Inc. All rights reserved.
Part Number: 9033991-17 September 2008
ENTERASYS, ENTERASYS NETWORKS, ENTERASYS SECURE NETWORKS, SECURESTACK, ENTERASYS SECURESTACK, ENTERASYS NETSIGHT, WEBVIEW, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc. in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.
All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.
Documentation URL: http://www.enterasys.com/support/manuals
If the Program is exported from the United States pursuant to the License Exception TSR under the U.S. Export Administration Regulations, in addition to the restriction on transfer set forth in Section 1 or 2 of this Agreement, You agree not to (i) reexport or release the Program, the source code for the Program or technology to a national of a country in Country Groups D:1 or E:2 (Albania, Armenia, Azerbaijan, Belarus, Cambodia, Cuba, Georgia, Iraq, Kazakhstan, Laos, Libya, Macau, Moldova, Mongolia, North Korea, the People's Republic of China, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, Vietnam, or such other countries as may be designated by the United States Government), (ii) export to Country Groups D:1 or E:2 (as defined herein) the direct product of the Program or the technology, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List, or (iii) if the direct product of the technology is a complete plant or any major component of a plant, export to Country Groups D:1 or E:2 the direct product of the plant or a major component thereof, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List or is subject to State Department controls under the U.S. Munitions List.
5. UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The enclosed Program (i) was developed solely at private expense; (ii) contains restricted computer software submitted with restricted rights in accordance with section 52.227-19 (a) through (d) of the Commercial Computer Software Restricted Rights Clause and its successors, and (iii) in all respects is proprietary data belonging to Enterasys and/or its suppliers. For Department of Defense units, the Program is considered commercial computer software in accordance with DFARS section 227.7202-3 and its successors, and use, duplication, or disclosure by the U.S. Government is subject to restrictions set forth herein.
6. DISCLAIMER OF WARRANTY. EXCEPT FOR THOSE WARRANTIES EXPRESSLY PROVIDED TO YOU IN WRITING BY ENTERASYS, ENTERASYS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT WITH RESPECT TO THE PROGRAM. IF IMPLIED WARRANTIES MAY NOT BE DISCLAIMED BY APPLICABLE LAW, THEN ANY IMPLIED WARRANTIES ARE LIMITED IN DURATION TO THIRTY (30) DAYS AFTER DELIVERY OF THE PROGRAM TO YOU.
7. LIMITATION OF LIABILITY. IN NO EVENT SHALL ENTERASYS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS, PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR RELIANCE DAMAGES, OR OTHER LOSS) ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM, EVEN IF ENTERASYS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS FOREGOING LIMITATION SHALL APPLY REGARDLESS OF THE CAUSE OF ACTION UNDER WHICH DAMAGES ARE SOUGHT. THE CUMULATIVE LIABILITY OF ENTERASYS TO YOU FOR ALL CLAIMS RELATING TO THE PROGRAM, IN CONTRACT, TORT OR OTHERWISE, SHALL NOT EXCEED THE TOTAL AMOUNT OF FEES PAID TO ENTERASYS BY YOU FOR THE RIGHTS GRANTED HEREIN.
8. AUDIT RIGHTS. You hereby acknowledge that the intellectual property rights associated with the Program are of critical value to Enterasys, and, accordingly, You hereby agree to maintain complete books, records and accounts showing (i) license fees due and paid, and (ii) the use, copying and deployment of the Program. You also grant to Enterasys and its authorized representatives, upon reasonable notice, the right to audit and examine during Your normal business hours, Your books, records, accounts and hardware devices upon which the Program may be deployed to verify compliance with this Agreement, including the verification of the license fees due and paid Enterasys and the use, copying and deployment of the Program. Enterasys' right of examination shall be exercised reasonably, in good faith and in a manner calculated to not unreasonably interfere with Your business. In the event such audit discovers non-compliance with this Agreement, including copies of the Program made, used or deployed in breach of this Agreement, You shall promptly pay to Enterasys the appropriate license fees. Enterasys reserves the right, to be exercised in its sole discretion and without prior notice, to terminate this license, effective immediately, for failure to comply with this Agreement. Upon any such termination, You shall immediately cease all use of the Program and shall return to Enterasys the Program and all copies of the Program.
9. OWNERSHIP. This is a license agreement and not an agreement for sale. You acknowledge and agree that the Program constitutes trade secrets and/or copyrighted material of Enterasys and/or its suppliers. You agree to implement reasonable security measures to protect such trade secrets and copyrighted material. All right, title and interest in and to the Program shall remain with Enterasys and/or its suppliers. All rights not specifically granted to You shall be reserved to Enterasys.
10. ENFORCEMENT. You acknowledge and agree that any breach of Sections 2, 4, or 9 of this Agreement by You may cause Enterasys irreparable damage for which recovery of money damages would be inadequate, and that Enterasys may be entitled to seek timely injunctive relief to protect Enterasys' rights under this Agreement in addition to any and all remedies available at law.
11. ASSIGNMENT. You may not assign, transfer or sublicense this Agreement or any of Your rights or obligations under this Agreement, except that You may assign this Agreement to any person or entity which acquires substantially all of Your stock assets. Enterasys may assign this Agreement in its sole discretion. This Agreement shall be binding upon and inure to the benefit of the parties, their legal representatives, permitted transferees, successors and assigns as permitted by this Agreement. Any attempted assignment, transfer or sublicense in violation of the terms of this Agreement shall be void and a breach of this Agreement.
12. WAIVER. A waiver by Enterasys of a breach of any of the terms and conditions of this Agreement must be in writing and will not be construed as a waiver of any subsequent breach of such term or condition. Enterasys' failure to enforce a term upon Your breach of such term shall not be construed as a waiver of Your breach or prevent enforcement on any other occasion.
13. SEVERABILITY. In the event any provision of this Agreement is found to be invalid, illegal or unenforceable, the validity, legality and enforceability of any of the remaining provisions shall not in any way be affected or impaired thereby, and that provision shall be reformed, construed and enforced to the maximum extent permissible. Any such invalidity, illegality, or unenforceability in any jurisdiction shall not invalidate or render illegal or unenforceable such provision in any other jurisdiction.
14. TERMINATION. Enterasys may terminate this Agreement immediately upon Your breach of any of the terms and conditions of this Agreement. Upon any such termination, You shall immediately cease all use of the Program and shall return to Enterasys the Program and all copies of the Program.
Contents
About This Guide
  Using This Guide
  Structure of This Guide
  Related Documents
  Conventions Used in This Guide
  Getting Help
Chapter 1: Introduction
  SecureStack C2 CLI Overview
  Switch Management Methods
  Factory Default Settings
  Using the Command Line Interface
    Starting a CLI Session
    Logging In
    Navigating the Command Line Interface
      set system password history
      show system lockout
      set system lockout
  Setting Basic Switch Properties
    Purpose
    Commands
      show ip address
      set ip address
      clear ip address
      show ip protocol
      set ip protocol
      show system
      show system hardware
      show system utilization
      show system enhancedbuffermode
      set system enhancedbuffermode
      set system temperature
      clear system temperature
      show time
      set time
      show summertime
      set summertime
      set summertime date
      set summertime recurring
      clear summertime
      set prompt
      show banner motd
      set banner motd
      clear banner motd
      show version
      set system name
      set system location
      set system contact
      set width
      set length
      show logout
      set logout
      show console
      set console baud
  Downloading a Firmware Image
    Downloading from a TFTP Server
    Downloading via the Serial Port
    Reverting to a Previous Image
  Reviewing and Selecting a Boot Firmware Image
    Purpose
    Commands
      show boot system
      set boot system
  Starting and Configuring Telnet
    Purpose
    Commands
      show telnet
      set telnet
      telnet
  Managing Switch Configuration and Files
    Configuration Persistence Mode
    Purpose
    Commands
      show snmp persistmode
      set snmp persistmode
      save config
      dir
      show file
      show config
      configure
      copy
      delete
      show tftp settings
      set tftp timeout
      clear tftp timeout
      set tftp retry
      clear tftp retry
  Clearing and Closing the CLI
    Purpose
    Commands
      cls (clear screen)
      exit
  Resetting the Switch
    Purpose
    Commands
      reset
      clear config
  Using and Configuring WebView
    Purpose
    Commands
      show webview
      set webview
      show ssl
      set ssl
  Gathering Technical Support Information
    Purpose
    Command
      show support
  Reviewing Port Status
    Purpose
    Commands
      show port
      show port status
      show port counters
  Disabling / Enabling and Naming Ports
    Purpose
    Commands
      set port disable
      set port enable
      show port alias
      set port alias
  Setting Speed and Duplex Mode
    Purpose
    Commands
      show port speed
      set port speed
      show port duplex
      set port duplex
  Enabling / Disabling Jumbo Frame Support
    Purpose
    Commands
      show port jumbo
      set port jumbo
      clear port jumbo
  Setting Auto-Negotiation and Advertised Ability
    Purpose
    Commands
      show port negotiation
      set port negotiation
      show port advertise
      set port advertise
      clear port advertise
  Setting Flow Control
    Purpose
    Commands
      show flowcontrol
      set flowcontrol
  Setting Port Link Traps and Link Flap Detection
    Purpose
    Commands
      show port trap
      set port trap
      show linkflap
      set linkflap globalstate
      set linkflap portstate
      set linkflap interval
      set linkflap action
      clear linkflap action
      set linkflap threshold
      set linkflap downtime
      clear linkflap down
      clear linkflap
  Configuring Broadcast Suppression
    Purpose
  Commands
    show port broadcast
    set port broadcast
    clear port broadcast
Port Mirroring
  Mirroring Features
  Configuring SMON MIB Port Mirroring
  Purpose
  Commands
    show port mirroring
    set port mirroring
    clear port mirroring
Link Aggregation Control Protocol (LACP)
  LACP Operation
  LACP Terminology
  SecureStack C2 Usage Considerations
  Commands
    show lacp
    set lacp
    set lacp asyspri
    set lacp aadminkey
    clear lacp
    set lacp static
    clear lacp static
    set lacp singleportlag
    clear lacp singleportlag
    show port lacp
    set port lacp
    clear port lacp
Configuring Protected Ports
  Protected Port Operation
  Commands
    set port protected
    show port protected
    clear port protected
    set port protected name
    show port protected name
    clear port protected name
    set snmp user
    clear snmp user
    show snmp group
    set snmp group
    clear snmp group
    show snmp community
    set snmp community
    clear snmp community
Configuring SNMP Access Rights
  Purpose
  Commands
    show snmp access
    set snmp access
    clear snmp access
Configuring SNMP MIB Views
  Purpose
  Commands
    show snmp view
    show snmp context
    set snmp view
    clear snmp view
Configuring SNMP Target Parameters
  Purpose
  Commands
    show snmp targetparams
    set snmp targetparams
    clear snmp targetparams
Configuring SNMP Target Addresses
  Purpose
  Commands
    show snmp targetaddr
    set snmp targetaddr
    clear snmp targetaddr
Configuring SNMP Notification Parameters
  About SNMP Notify Filters
  Purpose
  Commands
    show newaddrtrap
    set newaddrtrap
    show snmp notify
    set snmp notify
    clear snmp notify
    show snmp notifyfilter
    set snmp notifyfilter
    clear snmp notifyfilter
    show snmp notifyprofile
    set snmp notifyprofile
    clear snmp notifyprofile
Creating a Basic SNMP Trap Configuration
  Example
    set spantree legacypathcost
    clear spantree legacypathcost
Configuring Spanning Tree Port Parameters
  Purpose
  Commands
    set spantree portadmin
    clear spantree portadmin
    show spantree portadmin
    show spantree portpri
    set spantree portpri
    clear spantree portpri
    show spantree adminpathcost
    set spantree adminpathcost
    clear spantree adminpathcost
    show spantree adminedge
    set spantree adminedge
    clear spantree adminedge
Configuring Spanning Tree Loop Protect Parameters
  Purpose
  Commands
    set spantree lp
    show spantree lp
    clear spantree lp
    show spantree lplock
    clear spantree lplock
    set spantree lpcapablepartner
    show spantree lpcapablepartner
    clear spantree lpcapablepartner
    set spantree lpthreshold
    show spantree lpthreshold
    clear spantree lpthreshold
    set spantree lpwindow
    show spantree lpwindow
    clear spantree lpwindow
    set spantree lptrapenable
    show spantree lptrapenable
    clear spantree lptrapenable
    set spantree disputedbpduthreshold
    show spantree disputedbpduthreshold
    clear spantree disputedbpduthreshold
    show spantree nonforwardingreason
    clear vlan
    clear vlan name
Assigning Port VLAN IDs (PVIDs) and Ingress Filtering
  Purpose
  Commands
    show port vlan
    set port vlan
    clear port vlan
    show port ingress filter
    set port ingress filter
    show port discard
    set port discard
Configuring the VLAN Egress List
  Purpose
  Commands
    show port egress
    set vlan forbidden
    set vlan egress
    clear vlan egress
    show vlan dynamicegress
    set vlan dynamicegress
Setting the Host VLAN
  Purpose
  Commands
    show host vlan
    set host vlan
    clear host vlan
Enabling/Disabling GVRP (GARP VLAN Registration Protocol)
  About GARP VLAN Registration Protocol (GVRP)
  Purpose
  Commands
    show gvrp
    show garp timer
    set gvrp
    clear gvrp
    set garp timer
  Commands
    set policy port
    clear policy port
Configuring Policy Class of Service (CoS)
  About Policy-Based CoS Configurations
  About CoS-Based Flood Control
  Commands
    set cos state
    show cos state
    clear cos state
    set cos settings
    clear cos settings
    show cos settings
    set cos port-config
    show cos port-config
    clear cos port-config
    set cos port-resource irl
    set cos port-resource flood-ctrl
    show cos port-resource
    clear cos port-resource irl
    clear cos port-resource flood-ctrl
    set cos reference
    show cos reference
    clear cos reference
    show cos unit
    clear cos all-entries
    show cos port-type
    show history
    set history
    ping
    show users
    disconnect
    show netstat
Managing Switch Network Addresses and Routes
  Purpose
  Commands
    show arp
    set arp
    clear arp
    traceroute
    show mac
    show mac agetime
    set mac agetime
    clear mac agetime
    set mac algorithm
    show mac algorithm
    clear mac algorithm
    set mac multicast
    clear mac address
    show mac unreserved-flood
    set mac unreserved-flood
Configuring Simple Network Time Protocol (SNTP)
  Purpose
  Commands
    show sntp
    set sntp client
    clear sntp client
    set sntp server
    clear sntp server
    set sntp poll-interval
    clear sntp poll-interval
    set sntp poll-retry
    clear sntp poll-retry
    set sntp poll-timeout
    clear sntp poll-timeout
    set timezone
Configuring Node Aliases
  Purpose
  Commands
    show nodealias config
    set nodealias
    clear nodealias config
History Group Commands
  Purpose
  Commands
    show rmon history
    set rmon history
    clear rmon history
Alarm Group Commands
  Purpose
  Commands
    show rmon alarm
    set rmon alarm properties
    set rmon alarm status
    clear rmon alarm
Event Group Commands
  Purpose
  Commands
    show rmon event
    set rmon event properties
    set rmon event status
    clear rmon event
Filter Group Commands
  Commands
    show rmon channel
    set rmon channel
    clear rmon channel
    show rmon filter
    set rmon filter
    clear rmon filter
Packet Capture Commands
  Purpose
  Commands
    show rmon capture
    set rmon capture
    clear rmon capture
    clear dhcp server statistics
Configuring IP Address Pools
  Manual Pool Configuration Considerations
  Purpose
  Commands
    set dhcp pool
    clear dhcp pool
    set dhcp pool network
    clear dhcp pool network
    set dhcp pool hardware-address
    clear dhcp pool hardware-address
    set dhcp pool host
    clear dhcp pool host
    set dhcp pool client-identifier
    clear dhcp pool client-identifier
    set dhcp pool client-name
    clear dhcp pool client-name
    set dhcp pool bootfile
    clear dhcp pool bootfile
    set dhcp pool next-server
    clear dhcp pool next-server
    set dhcp pool lease
    clear dhcp pool lease
    set dhcp pool default-router
    clear dhcp pool default-router
    set dhcp pool dns-server
    clear dhcp pool dns-server
    set dhcp pool domain-name
    clear dhcp pool domain-name
    set dhcp pool netbios-name-server
    clear dhcp pool netbios-name-server
    set dhcp pool netbios-node-type
    clear dhcp pool netbios-node-type
    set dhcp pool option
    clear dhcp pool option
    show dhcp pool configuration
    show dhcpsnooping binding
    show dhcpsnooping statistics
    clear dhcpsnooping binding
    clear dhcpsnooping statistics
    clear dhcpsnooping database
    clear dhcpsnooping limit
Dynamic ARP Inspection Overview
  Functional Description
  Basic Configuration
  Example Configuration
Dynamic ARP Inspection Commands
    set arpinspection vlan
    set arpinspection trust
    set arpinspection validate
    set arpinspection limit
    set arpinspection filter
    show arpinspection access-list
    show arpinspection ports
    show arpinspection vlan
    show arpinspection statistics
    clear arpinspection validate
    clear arpinspection vlan
    clear arpinspection filter
    clear arpinspection limit
    clear arpinspection statistics
    ip helper-address
Reviewing IP Traffic and Configuring Routes
  Purpose
  Commands
    show ip route
    ip route
    ping
    traceroute
Configuring ICMP Redirects
  Purpose
  Commands
    ip icmp redirect enable
    show ip icmp redirect
    show ip ospf
    show ip ospf database
    show ip ospf interface
    show ip ospf neighbor
    show ip ospf virtual-links
    clear ip ospf process
Configuring DVMRP
  Purpose
  Commands
  Enabling DVMRP on an Interface
    ip dvmrp
    ip dvmrp enable
    ip dvmrp metric
    show ip dvmrp
Configuring IRDP
  Purpose
  Commands
    ip irdp enable
    ip irdp maxadvertinterval
    ip irdp minadvertinterval
    ip irdp holdtime
    ip irdp preference
    ip irdp broadcast
    show ip irdp
Configuring VRRP
  Purpose
  Commands
    router vrrp
    create
    address
    priority
    advertise-interval
    preempt
    enable
    ip vrrp authentication-key
    show ip vrrp
Configuring PIM-SM
  Design Considerations
  Purpose
  Commands
    ip pimsm
    ip pimsm staticrp
    ip pimsm enable
    ip pimsm query-interval
    show ip pimsm
    show ip pimsm componenttable
    show ip pimsm interface
    show ip pimsm neighbor
    show ip pimsm rp
    show ip pimsm rphash
    show ip pimsm staticrp
    show ip mroute
    set macauthentication portinitialize
    set macauthentication portquietperiod
    clear macauthentication portquietperiod
    set macauthentication macinitialize
    set macauthentication reauthentication
    set macauthentication portreauthenticate
    set macauthentication macreauthenticate
    set macauthentication reauthperiod
    clear macauthentication reauthperiod
    set macauthentication significant-bits
    clear macauthentication significant-bits
Configuring Multiple Authentication Methods
  About Multiple Authentication Types
  Configuring Multi-User Authentication (User + IP phone)
  Commands
    show multiauth
    set multiauth mode
    clear multiauth mode
    set multiauth precedence
    clear multiauth precedence
    show multiauth port
    set multiauth port
    clear multiauth port
    show multiauth station
    show multiauth session
    show multiauth idle-timeout
    set multiauth idle-timeout
    clear multiauth idle-timeout
    show multiauth session-timeout
    set multiauth session-timeout
    clear multiauth session-timeout
Configuring VLAN Authorization (RFC 3580)
  Purpose
  Commands
    show policy maptable response
    set policy maptable response
    set vlanauthorization
    set vlanauthorization egress
    clear vlanauthorization
    show vlanauthorization
Configuring MAC Locking
  Purpose
  Commands
    show maclock
    show maclock stations
    set maclock enable
    set maclock disable
    set maclock
    clear maclock
    set maclock static
    clear maclock static
    set maclock firstarrival
    clear maclock firstarrival
    set maclock agefirstarrival
    clear maclock agefirstarrival
    set maclock move
        set maclock trap
Configuring Port Web Authentication (PWA)
    About PWA
    Purpose
    Commands
        show pwa
        set pwa
        show pwa banner
        set pwa banner
        clear pwa banner
        set pwa displaylogo
        set pwa ipaddress
        set pwa protocol
        set pwa guestname
        clear pwa guestname
        set pwa guestpassword
        set pwa gueststatus
        set pwa initialize
        set pwa quietperiod
        set pwa maxrequest
        set pwa portcontrol
        show pwa session
        set pwa enhancedmode
Configuring Secure Shell (SSH)
    Purpose
    Commands
        show ssh status
        set ssh
        set ssh hostkey
Configuring Access Lists
    Purpose
    Commands
        show access-lists
        access-list (standard)
        access-list (extended)
        ip access-group
Index

Figures
1-1 SecureStack C2 Startup Screen
1-2 Sample CLI Defaults Description
1-3 Performing a Keyword Lookup
1-4 Performing a Partial Keyword Lookup
1-5 Scrolling Screen Output
1-6 Abbreviating a Command
10-1 Example of VLAN Propagation via GVRP
Tables
1-1 Default Settings for Basic Switch Operation
1-2 Default Settings for Router Operation
1-3 Basic Line Editing Commands
3-1 Required CLI Setup Commands
3-2 Optional CLI Setup Commands
3-3 show system lockout Output Details
3-4 show system Output Details
3-5 show version Output Details
5-1 show inlinepower Output Details
6-1 show cdp Output Details
6-2 show ciscodp Output Details
6-3 show ciscodp port info Output Details
6-4 show lldp port local-info Output Details
6-5 show lldp port remote-info Output Display
7-1 show port status Output Details
7-2 show port counters Output Details
7-3 show linkflap parameters Output Details
7-4 show linkflap metrics Output Details
7-5 LACP Terms and Definitions
7-6 show lacp Output Details
8-1 SNMP Security Levels
8-2 show snmp engineid Output Details
8-3 show snmp counters Output Details
8-4 show snmp user Output Details
8-5 show snmp group Output Details
8-6 show snmp access Output Details
8-7 show snmp view Output Details
8-8 show snmp targetparams Output Details
8-9 show snmp targetaddr Output Details
8-10 show snmp notify Output Details
8-11 Basic SNMP Trap Configuration
9-1 show spantree Output Details
10-1 Command Set for Creating a Secure Management VLAN
10-2 show vlan Output Details
10-3 show gvrp configuration Output Details
11-1 show policy profile Output Details
11-2 show policy rule Output Details
11-3 Valid Values for Policy Classification Rules
12-1 show port ratelimit Output Details
14-1 show logging server Output Details
14-2 show logging application Output Details
14-3 Mnemonic Values for Logging Applications
14-4 show netstat Output Details
14-5 show arp Output Details
14-6 show mac Output Details
14-7 show sntp Output Details
14-8 show nodealias config Output Details
15-1 RMON Monitoring Group Functions and Commands
15-2 show rmon alarm Output Details
15-3 show rmon event Output Details
18-1 Enabling the Switch for Routing
18-2 Router CLI Configuration Modes
19-1 show ip interface Output Details
19-2 show ip arp Output Details
20-1 RIP Configuration Task List and Commands
20-2 OSPF Configuration Task List and Commands
20-3 show ip ospf database Output Details
20-4 show ip ospf interface Output Details
20-5 show ip ospf neighbor Output Details
20-6 show ip ospf virtual links Output Details
20-7 show ip pimsm Output Details
20-8 show ip pimsm componenettable Output Details
20-9 show ip pimsm interface vlan Output Details
20-10 show ip pimsm interface stats Output Details
20-11 show ip pimsm neighbor Output Details
20-12 show ip pimsm rp Output Details
20-13 show ip pimsm staticrp Output Details
23-1 show radius Output Details
23-2 show eapol Output Details
23-3 show macauthentication Output Details
23-4 show macauthentication session Output Details
23-5 show vlanauthorization Output Details
23-6 show maclock Output Details
23-7 show maclock stations Output Details
23-8 show pwa Output Details
Important Notice
Depending on the firmware version used in your SecureStack device, some features described in this document may not be supported. Refer to the Release Notes shipped with your device to determine which features are supported.
Chapter 5, "Configuring System Power and PoE," describes the commands used to review and set system power and PoE parameters on devices that offer Power over Ethernet.

Chapter 6, "Discovery Protocol Configuration," describes how to configure the discovery protocols supported by the device.

Chapter 7, "Port Configuration," describes how to review and configure console port settings, and how to enable or disable switch ports and configure switch port settings, including port speed, duplex mode, auto-negotiation, flow control, port mirroring, link aggregation and broadcast suppression.

Chapter 8, "SNMP Configuration," describes how to configure SNMP users and user groups, access rights, target addresses, and notification parameters.

Chapter 9, "Spanning Tree Configuration," describes how to review and set Spanning Tree bridge parameters for the device, including bridge priority, hello time, maximum aging time and forward delay; and how to review and set Spanning Tree port parameters, including port priority and path costs. Configuring the SpanGuard and Loop Protect functions is also described.

Chapter 10, "802.1Q VLAN Configuration," describes how to create static VLANs, select the mode of operation for each port, establish VLAN forwarding (egress) lists, route frames according to VLAN ID, display the current ports and port types associated with a VLAN and protocol, create a secure management VLAN, and configure ports on the device as GVRP-aware ports.

Chapter 11, "Policy Classification Configuration," describes how to create, change or remove user roles or profiles based on business-specific use of network services; how to permit or deny access to specific services by creating and assigning classification rules which map user profiles to frame filtering policies; how to classify frames to a VLAN or Class of Service (CoS); and how to assign or unassign ports to policy profiles so that only ports activated for a profile will be allowed to transmit frames accordingly.

Chapter 12, "Port Priority and Rate Limiting Configuration," describes how to set the transmit priority of each port and configure a rate limit for a given port and list of priorities.

Chapter 13, "IGMP Configuration," describes how to configure Internet Group Management Protocol (IGMP) settings for multicast filtering.

Chapter 14, "Logging and Network Management," describes how to configure Syslog, how to manage general switch settings, how to monitor network events and status, and how to configure SNTP and node aliases.

Chapter 15, "RMON Configuration," describes how to use RMON (Remote Network Monitoring), which provides comprehensive network fault diagnosis, planning, and performance tuning information and allows for interoperability between SNMP management stations and monitoring agents.

Chapter 16, "DHCP Server Configuration," describes how to review and configure DHCP server parameters, how to review and configure DHCP address pools, and how to display DHCP server information.

Chapter 17, "DHCP Snooping and Dynamic ARP Inspection," describes two security features: DHCP snooping, which monitors DHCP messages between a DHCP client and DHCP server to filter harmful DHCP messages and to build a database of authorized address bindings, and Dynamic ARP inspection, which uses the bindings database created by the DHCP snooping feature to reject invalid and malicious ARP packets.

Chapter 18, "Preparing for Router Mode," provides information about router modes and how to activate a license.

Chapter 19, "IP Configuration," describes how to enable IP routing for router mode operation, how to configure IP interface settings, how to review and configure the routing ARP table, how to review and configure routing broadcasts, how to configure PIM, and how to configure IP routes.
Chapter 20, "IPv4 Routing Protocol Configuration," describes how to configure IP routing and routing protocols, including RIP, OSPF, DVMRP, IRDP, and VRRP.

Chapter 21, "IPv6 Management," describes the commands used to configure IPv6 at the switch level.

Chapter 22, "IPv6 Proxy Routing," describes the commands used to enable IPv6 proxy routing and the suggested procedure to configure a mixed C2 and C3 stack to use IPv6 proxy routing.

Chapter 23, "Authentication and Authorization Configuration," describes how to configure 802.1X authentication using EAPOL, how to configure RADIUS server, Secure Shell server, MAC authentication, MAC locking, Port Web Authentication, and IP access control lists (ACLs).
Related Documents
The following Enterasys Networks documents may help you to set up, control, and manage the SecureStack device:
- Enterasys Firmware Feature Guides
- SecureStack C2 Installation Guide(s)
- SecureStack C2 Redundant Power System Installation Guide

The following icons are used in this guide:
Note: Calls the reader's attention to any item of information that may be of special importance.
Caution: Contains information essential to avoid damage to the equipment.
Getting Help
For additional support related to this switch or document, contact Enterasys Networks using one of the following methods:

World Wide Web   http://www.enterasys.com/services/support
Phone            1-800-872-8440 (toll-free in U.S. and Canada) or 1-978-684-1000
                 For the Enterasys Networks Support toll-free number in your country:
                 http://www.enterasys.com/services/support
Internet mail    support@enterasys.com
                 To expedite your message, type [C-Series] in the subject line.

To send comments or suggestions concerning this document to the Technical Publications Department: techpubs@enterasys.com
Make sure to include the document Part Number in the email message.

Before calling Enterasys Networks, have the following information ready:
- Your Enterasys Networks service contract number
- A description of the failure
- A description of any action(s) already taken to resolve the problem (for example, changing mode switches or rebooting the unit)
- The serial and revision numbers of all involved Enterasys Networks products in the network
- A description of your network environment (for example, layout, cable type)
- Network load and frame size at the time of trouble (if known)
- The switch history (for example, have you returned the switch before, is this a recurring problem?)
- Any previous Return Material Authorization (RMA) numbers
1
Introduction
This chapter provides an overview of the SecureStack C2's unique features and functionality, an overview of the tasks that may be accomplished using the CLI interface, an overview of ways to manage the switch, factory default settings, and information about how to use the Command Line Interface to configure the switch.

For information about:
- SecureStack C2 CLI Overview
- Switch Management Methods
- Factory Default Settings
- Using the Command Line Interface

The Installation Guide for your SecureStack C2 device provides setup instructions for connecting a terminal or modem to the switch.
Table 1-1
Feature
Link aggregation control protocol (LACP)
Link aggregation admin key
Link aggregation flow regeneration
Link aggregation system priority
Link aggregation outport algorithm
Lockout
Logging
MAC aging time
MAC locking
Passwords
Password aging
Password history
Policy classification
Port auto-negotiation
Port advertised ability
Port broadcast suppression: Enabled and set to limit broadcast packets to 14,881 per second on all switch ports.
Port duplex mode: Set to half duplex, except for 100BASE-FX and 1000BASE-X, which is set to full duplex.
Port enable/disable: Enabled.
Port priority: Set to 0.
Port speed: Set to 10 Mbps, except for 1000BASE-X, which is set to 1000 Mbps, and 100BASE-FX, which is set to 100 Mbps.
Port trap: All ports are enabled to send link traps.
Power over Ethernet port admin state: Administrative state is on (auto).
Priority classification: Classification rules are automatically enabled when created.
RADIUS client: Disabled.
RADIUS last resort action: When the client is enabled, set to Challenge.
RADIUS retries: When the client is enabled, set to 3.
RADIUS timeout: When the client is enabled, set to 20 seconds.
Rate limiting: Disabled (globally and on all ports).
Table 1-1
Feature
SNMP
SNTP
Spanning Tree
Spanning Tree edge port administrative status
Spanning Tree edge port delay
Spanning Tree forward delay
Spanning Tree hello interval
Spanning Tree ID (SID)
Spanning Tree maximum aging time
Spanning Tree port priority
Spanning Tree priority
Spanning Tree topology change trap suppression
Spanning Tree version
SSH
System baud rate
System contact
System location
System name
Terminal
Timeout
User names
VLAN dynamic egress
VLAN ID
Host VLAN
Table 1-2
Output...
Area authentication (OSPF)
Area default cost (OSPF)
Area NSSA (OSPF)
Area range (OSPF)
ARP table
ARP timeout
Authentication key (RIP and OSPF)
Authentication mode (RIP and OSPF)
Dead interval (OSPF)
Disable triggered updates (RIP)
Distribute list (RIP)
DVMRP
Hello interval (OSPF)
ICMP
IP-directed broadcasts
IP forward-protocol
IP interfaces
IRDP
MD5 authentication (OSPF)
MTU size
OSPF
OSPF cost
OSPF network
OSPF priority
Passive interfaces (RIP)
Proxy ARP
Receive interfaces (RIP)
Retransmit delay (OSPF)
Retransmit interval (OSPF)
RIP receive version
RIP send version
RIP offset
SNMP
Table 1-2
Output...
Split horizon
Stub area (OSPF)
Telnet
Telnet port (IP)
Timers (OSPF)
Transmit delay (OSPF)
VRRP
Figure 1-1
Username:admin
Password:

        Enterasys SecureStack C2
        Command Line Interface

        Enterasys Networks, Inc.
        50 Minuteman Rd.
        Andover, MA 01810-1008 U.S.A.

        Phone: +1 978 684 1000
        E-mail: support@enterasys.com
        WWW: http://www.enterasys.com

        (c) Copyright Enterasys Networks, Inc. 2008

        Chassis Serial Number:      041800249041
        Chassis Firmware Revision:  5.02.xx.xxxx
C2(su)->
Logging In
By default, the SecureStack C2 switch is configured with three user login accounts: ro for Read-Only access, rw for Read-Write access, and admin for super-user access to all modifiable parameters. The default password is set to a blank string. For information on changing these default settings, refer to "Setting User Accounts and Passwords" on page 3-2.

The notice of authorization and the prompt display as shown in Figure 1-1.
Note: Users with Read-Write (rw) and Read-Only access can use the set password command (page 3-5) to change their own passwords. Administrators with Super User (su) access can use the set system login command (page 3-4) to create and change user accounts, and the set password command to change any local account password.
Syntax
show port status [port-string]
Defaults
If port-string is not specified, status information for all ports will be displayed.

C2(su)->show snmp ?
  community      SNMP v1/v2c community name configuration
  notify         SNMP notify configuration
  targetaddr     SNMP target address configuration
  targetparams   SNMP target parameters configuration
Entering a question mark (?) without a space after a partial keyword will display a list of commands that begin with the partial keyword. Figure 1-4 shows how to use this function for all commands beginning with co:

Figure 1-4 Performing a Partial Keyword Lookup
copy
Note: At the end of the lookup display, the system will repeat the command you entered without the ?.
C2(su)->show mac
MAC Address        FID   Port      Type
----------------------------------------------------------
00-00-1d-67-68-69  1     host      Management
00-00-02-00-00-00  1     ge.1.2    Learned
00-00-02-00-00-01  1     ge.1.3    Learned
00-00-02-00-00-02  1     ge.1.4    Learned
00-00-02-00-00-03  1     ge.1.5    Learned
00-00-02-00-00-04  1     ge.1.6    Learned
00-00-02-00-00-05  1     ge.1.7    Learned
00-00-02-00-00-06  1     ge.1.8    Learned
00-00-02-00-00-07  1     ge.1.9    Learned
00-00-02-00-00-08  1     ge.1.10   Learned
--More--
Figure 1-6
Abbreviating a Command
C2(su)->sh net
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address         Foreign Address
----- ------ ------ --------------------- ---------------------
TCP   0      0      10.21.73.13.23        134.141.190.94.51246
TCP   0      275    10.21.73.13.23        134.141.192.119.4724
TCP   0      0      *.80                  *.*
TCP   0      0      *.23                  *.*
UDP   0      0      10.21.73.13.1030      134.141.89.113.514
UDP   0      0      *.161                 *.*
UDP   0      0      *.1025                *.*
UDP   0      0      *.123                 *.*
Key Sequence
Ctrl+A
Ctrl+B
Ctrl+D
Ctrl+E
Ctrl+F
Ctrl+H
Ctrl+I or TAB
Ctrl+K
Ctrl+N
Ctrl+P
Ctrl+Q
Ctrl+S
Ctrl+T
Ctrl+U or Ctrl+X
Ctrl+W
Ctrl+Y
2
Configuring Switches in a Stack
This chapter provides information about configuring SecureStack C2 switches in a stack.

For information about:
- About SecureStack C2 Switch Operation in a Stack
- Installing a New Stackable System of Up to Eight Units
- Installing Previously-Configured Systems in a Stack
- Adding a New Unit to an Existing Stack
- Creating a Virtual Switch Configuration
- Considerations About Using Clear Config in a Stack
- Issues Related to Mixed Type Stacks
- Stacking Configuration and Management Commands

Once installed in a stack, the switches behave and perform as a single switch product. As such, you can start with a single unit and add more units as your network expands. You can also mix different products in the family in a single stack to provide a desired combination of port types and functions to match the requirements of individual applications. In all cases, a stack of units performs as one large product, and is managed as a single network entity.

When switches are installed and connected as described in the SecureStack C2 Installation Guides, the following occurs during initialization:
- The switch that will manage the stack is automatically established. This is known as the manager switch.
- All other switches are established as members in the stack.
- The hierarchy of the switches that will assume the function of backup manager is also determined in case the current manager malfunctions, is powered down, or is disconnected from the stack.
2-1
Onceastackiscreated(morethanoneswitchisinterconnected),thefollowingprocedureoccurs: 1. 2. Bydefault,unitIDsarearbitrarilyassignedonafirstcome,firstservedbasis. UnitIDsaresavedagainsteachmodule.Then,everytimeaboardispowercycled,itwill initializewiththesameunitID.Thisisimportantforportspecificinformation(forexample: ge.4.12isthe12thGigabitEthernetportonUnit#4). Themanagementelectionprocessusesthefollowingprecedencetoassignamanagement switch: a. b. c. Previouslyassigned/electedmanagementunit Managementassignedpriority(values115) Hardwarepreferencelevel
3.
Important
The following procedures assume that all units have a clean configuration from manufacturing. When adding a new unit to an already running stack, it is also assumed that the new unit is using the same firmware image version as other units in the stack.
3. Apply power to the new unit.

To create a virtual switch configuration in a stack environment:
1. Display the types of switches supported in the stack, using the show switch switchtype command (page 2-7).
2. Using the output of the show switch switchtype command, determine the switch index (SID) of the model of switch being configured.
3. Add the virtual switch to the stack using the set switch member command (page 2-11). Use the SID of the switch model, determined in the previous step, and the unit ID that you want to assign to this switch member.
4. Proceed to configure the ports of the virtual switch as you would do for physically present devices.

The following example adds a C2G124-24 model to a stack as unit 2 of the stack. The first port on that virtual switch is then associated with VLAN 555.
C2(su)->show switch switchtype
                                        Mgmt  Code
SID  Switch Model ID                    Pref  Version
---  --------------------------------  ----  ---------
1    C2G124-24                          1     0xa08245
2    C2K122-24                          1     0xa08245
3    C2G124-48                          1     0xa08245
4    C2G124-48P                         1     0xa08245
5    C2H124-48                          1     0xa08245
6    C2H124-48P                         1     0xa08245
7    C2G134-24P                         1     0xa08245
8    C2G170-24                          1     0xa08245
9    C3G124-24P                         1     0xa08245
10   C3G124-48P                         1     0xa08245
11   C3G124-48                          1     0xa08245
12   C3G124-24                          1     0xa08245
13   C3K172-24                          1     0xa08245
15   C3K122-24                          1     0xa08245
17   C3K122-24P                         1     0xa08245
C2(su)->set switch member 2 1
C2(su)->show switch
        Management    Preconfig      Plugged-in     Switch                 Code
Switch  Status        Model ID       Model ID       Status                 Version
------  ------------  -------------  -------------  ---------------------  --------
1       Mgmt Switch   C2G124-48      C2G124-48      OK                     5.02.xx.xxxx
2       Unassigned    C2G124-24                     Not Present            00.00.00
C2(su)->set vlan create 555
C2(su)->clear vlan egress 1 ge.2.1
C2(su)->set port vlan ge.2.1 555 untagged
C2(su)->show port vlan ge.2.1
ge.2.1 is set to 555

Note: If you preconfigure a virtual switch and then add a physical switch of a different type to the stack as that unit number, any configured functionality that cannot be supported on the physical switch will cause a configuration mismatch status for that device and the ports of the new device will join detached. You must clear the mismatch before the new device will properly join the stack.
Configuration
Common Firmware Version
Mixed stacking is only supported by SecureStack C2 firmware version 5.00.xx and higher. (If you are using a C3K switch, the firmware version must be 5.02.xx or higher.) In order to mix SecureStack C3 switches with C2 switches, you must install the C2 firmware (version 5.00.xx or higher, or version 5.02.xx or higher for C3K devices) on the C3 switch. You can install the C2 firmware first, with the C3 switch in standalone mode, or you can add the C3 switch to the stack and then copy the C2 firmware to the C3 switch using the set switch copy-fw command (page 2-10). After copying the C2 firmware to the C3 switch, you must reset the stack.
Switch Manager
It is recommended that a SecureStack C3 switch be made the manager of a mixed stack. Use the set switch movemanagement command (page 2-11) to change the manager unit.
Commands
For information about...
show switch
show switch switchtype
show switch stack-ports
set switch
set switch copy-fw
set switch description
set switch movemanagement
set switch member
clear switch member

show switch
Use this command to display information about one or more units in the stack.
Syntax
show switch [status] [unit]
Parameters
status   (Optional) Displays power and administrative status information for one or more units in the stack.
unit     (Optional) Specifies the unit(s) for which information will display.
Defaults
If not specified, status and other configuration information about all units will be displayed.
Mode
Switch command, read-only.
Usage
After a stack has been configured, you can use this command to physically confirm the identity of each unit. When you enter the command with a unit number, the MGR LED of the specified switch will blink for 10 seconds. The normal state of this LED is off for member units and steady green for the manager unit.
Examples
This example shows how to display information about all switch units in the stack:
C2(rw)->show switch
        Management    Preconfig      Plugged-in     Switch                 Code
Switch  Status        Model ID       Model ID       Status                 Version
------  ------------  -------------  -------------  ---------------------  --------
1       Mgmt Switch   C2G124-24      C2G124-24      OK                     05.02.xx.xxxx
2       Stack Member  C2G124-24      C2G124-24      OK                     05.02.xx.xxxx
3       Stack Member  C2G124-24      C2G124-24      OK                     05.02.xx.xxxx
4       Stack Member  C2G124-24      C2G124-24      OK                     05.02.xx.xxxx
5       Stack Member  C2G124-24      C2G124-24      OK                     05.02.xx.xxxx
6       Stack Member  C2G124-24      C2G124-24      OK                     05.02.xx.xxxx
7       Stack Member  C2G124-24      C2G124-24      OK                     05.02.xx.xxxx
8       Stack Member  C2G124-24      C2G124-24      OK                     05.02.xx.xxxx
This example shows how to display information about switch unit 1 in the stack:
C2(ro)->show switch 1
Switch                             1
Management Status                  Management Switch
Hardware Management Preference     Unassigned
Admin Management Preference        Unassigned
Switch Type                        C2G124-24
Preconfigured Model Identifier     C2G124-24
Plugged-in Model Identifier        C2G124-24
Switch Status                      OK
Switch Description                 Enterasys Networks, Inc. C2 -- Model C2G124-24
Detected Code Version              05.02.xx.xxxx
Detected Code in Flash             03.01.20
Detected Code in Back Image        02.01.37
Up Time                            0 days 6 hrs 37 mins 54 secs
This example shows how to display status information for switch unit 1 in the stack:
C2(ro)->show switch status 1
Switch                   1
Switch Status            Full
Admin State
Power State
Inserted Switch:
  Model Identifier       C2G124-24
  Description            Enterasys Networks, Inc. C2 -- Model C2G124-24
Configured Switch:
  Model Identifier       C2G124-24
  Description            Enterasys Networks, Inc. C2 -- Model C2G124-24
Syntax
show switch switchtype [switchindex]
Parameters
switchindex   (Optional) Specifies the switch index (SID) of the switch type to display.
Defaults
None.
Mode
Switch command, read-only.
Examples
This example shows how to display switch type information about all switches in the stack:
C2(ro)->show switch switchtype
                                        Mgmt  Code
SID  Switch Model ID                    Pref  Version
---  --------------------------------  ----  ---------
1    C2G124-24                          1     0xa08245
2    C2K122-24                          1     0xa08245
3    C2G124-48                          1     0xa08245
4    C2G124-48P                         1     0xa08245
5    C2H124-48                          1     0xa08245
6    C2H124-48P                         1     0xa08245
7    C2G134-24P                         1     0xa08245
8    C2G170-24                          1     0xa08245
9    C3G124-24P                         1     0xa08245
10   C3G124-48P                         1     0xa08245
11   C3G124-48                          1     0xa08245
12   C3G124-24                          1     0xa08245
13   C3K172-24                          1     0xa08245
15   C3K122-24                          1     0xa08245
17   C3K122-24P                         1     0xa08245
This example shows how to display switch type information about SID 1:
C2(ro)->show switch switchtype 1
Switch Type                0x56950200
Model Identifier           C2G124-24
Switch Description         Enterasys Networks, Inc. C2 -- Model C2G124-24
Management Preference      1
Expected Code Version      0xa08245
Supported Cards:
  Slot                     0
  Card Index (CID)         1
  Model Identifier         C2G124-24
Syntax
show switch stack-ports [unit]
Parameters
unit   (Optional) Specifies the switch unit ID, an integer ranging from 1 to 8.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display data and error information on stack ports:
C2(ro)->show switch stack-ports
                    ------------TX--------------  ------------RX-----------
                    Data    Error                 Data    Error
        Stacking    Rate    Rate        Total     Rate    Rate        Total
Switch  Port        (Mb/s)  (Errors/s)  Errors    (Mb/s)  (Errors/s)  Errors
------  ----------  ------  ----------  --------  ------  ----------  --------
1       Up          0       0           0         0       0           0
        Down        0       0           0         0       0           0
set switch
Use this command to assign a switch ID, to set a switch's priority for becoming the management switch if the previous management switch fails, or to change the switch unit ID for a switch in the stack.
Syntax
set switch {unit [priority value | renumber newunit]}
Parameters
unit               Specifies a unit number for the switch. Value can range from 1 to 8.
priority value     Specifies a priority value for the unit. Valid values are 1 to 15 with higher values assigning higher priority.
renumber newunit   Specifies a new number for the unit.
Note: This number must be a previously unassigned unit ID number.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example shows how to assign priority 3 to switch 5:
C2(su)->set switch 5 priority 3
This example shows how to renumber switch 5 to switch 7:
C2(su)->set switch 5 renumber 7
Syntax
set switch copy-fw [destination-system unit]
Parameters
destination-system unit   (Optional) Specifies the unit number of unit on which to copy the management image file.
Defaults
If destination-system is not specified, the management image file will be replicated to all switches in the stack.
Mode
Switch command, read-write.
Example
This example shows how to replicate the management image file to all switches in the stack:
C2(su)->set switch copy-fw
Are you sure you want to copy firmware? (y/n) y
Code transfer completed successfully.
Syntax
set switch description unit description
Parameters
unit          Specifies a unit number for the switch.
description   Specifies a text description for the unit.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to assign the name "FirstUnit" to switch unit 1 in the stack:
C2(su)->set switch description 1 FirstUnit
Syntax
set switch movemanagement fromunit tounit
Parameters
fromunit   Specifies the unit number of the current management switch.
tounit     Specifies the unit number of the newly designated management switch.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to move management functionality from switch 1 to switch 2:
C2(su)->set switch movemanagement 1 2
Moving stack management will unconfigure entire stack including all interfaces.
Are you sure you want to move stack management? (y/n) y
Syntax
set switch member unit switch-id
Parameters
unit        Specifies a unit number for the switch.
switch-id   Specifies a switch ID (SID) for the switch. SIDs can be displayed with the show switch switchtype command.
Defaults
None.
Mode
Switch command, read-write.
Usage
Refer to "Creating a Virtual Switch Configuration" on page 2-3 for more information about how to add a virtual switch to a stack.
Example
This example shows how to specify a switch as unit 1 with a switch ID of 1:
C2(su)->set switch member 1 1
Syntax
clear switch member unit
Parameters
unit   Specifies the unit number of the switch.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to remove the switch 5 entry from the stack:
C2(su)->clear switch member 5
3
Basic Configuration
At startup, the SecureStack C2 switch is configured with many defaults and standard features. This chapter describes how to customize basic system settings to adapt to your work environment.
For information about...
Quick Start Setup Commands
Setting User Accounts and Passwords
Setting Basic Switch Properties
Downloading a Firmware Image
Reviewing and Selecting a Boot Firmware Image
Starting and Configuring Telnet
Managing Switch Configuration and Files
Clearing and Closing the CLI
Resetting the Switch
Using and Configuring WebView
Gathering Technical Support Information

Table 3-2
Task
Save the active configuration.
Enable or disable SSH.
Enable or disable Telnet.
Enable or disable HTTP management (WebView).
Enable or disable SNMP port link traps.
Set the per port broadcast limit
Configure a VLAN.
Set a Syslog server IP and severity
Configure and enable a RADIUS server.

Commands
For information about...
show system login
set system login
clear system login
set password
set system password length
set system password aging
set system password history
show system lockout
set system lockout
Syntax
show system login
Parameters
None.
Defaults
None.
Mode
Switch command, super-user.
Example
This example shows how to display login account information. In this case, switch defaults have not been changed:
C2(su)->show system login
Password history size: 0
Password aging       : disabled

Username      Access        State
admin         super-user    enabled
ro            read-only     enabled
rw            read-write    enabled
Syntax
set system login username {super-user | read-write | read-only} {enable | disable}
Parameters
username                               Specifies a login name for a new or existing user. This string can be a maximum of 80 characters, although a maximum of 16 characters is recommended for proper viewing in the show system login display.
super-user | read-write | read-only    Specifies the access privileges for this user.
enable | disable                       Enables or disables the user account.
Defaults
None.
Mode
Switch command, super-user.
Usage
Login accounts, including the admin user account, can be locked out after multiple failed attempts to log in to the system. Refer to "show system lockout" on page 3-7 and "set system lockout" on page 3-8 for more information about lockout parameters.
If the admin user account has been locked out, you must wait until the configured lockout time period has expired or you can power cycle the switch to reboot it, which will re-enable the admin user account.
Example
This example shows how to enable a new user account with the login name "netops" with super-user access privileges:
C2(su)->set system login netops super-user enable
Syntax
clear system login username
Parameters
username   Specifies the login name of the account to be cleared.
Note: The default admin (su) account cannot be deleted.
Defaults
None.
Mode
Switch command, super-user.
Example
This example shows how to remove the "netops" user account:
C2(su)->clear system login netops
set password
Use this command to change system default passwords or to set a new login password on the CLI.
Syntax
set password [username]
Parameters
username   (Only available to users with super-user access.) Specifies a system default or a user-configured login account name. By default, the SecureStack C2 switch provides the following account names:
           - ro for Read-Only access.
           - rw for Read-Write access.
           - admin for Super User access. (This access level allows Read-Write access to all modifiable parameters, including user accounts.)
Defaults
None.
Mode
Switch command, read-write.
Switch command, super-user.
Usage
Read-Write users can change their own passwords.
Super Users (Admin) can change any password on the system.
If you forget the password for the admin user account, you can reset the password to the default password value by pressing the password reset button on the switch.
Examples
This example shows how a super-user would change the Read-Write password from the system default (blank string):
C2(su)->set password rw
Please enter new password: ********
Please re-enter new password: ********
Password changed.
C2(su)->
This example shows how a user with Read-Write access would change his password:
C2(su)->set password
Please enter old password: ********
Please enter new password: ********
Please re-enter new password: ********
Password changed.
C2(su)->
Syntax
set system password length characters
Parameters
characters   Specifies the minimum number of characters for a user account password. Valid values are 0 to 40.
Defaults
None.
Mode
Switch command, super-user.
Example
This example shows how to set the minimum system password length to 8 characters:
C2(su)->set system password length 8
Syntax
set system password aging {days | disable}
Parameters
days      Specifies the number of days user passwords will remain valid before aging out. Valid values are 1 to 365.
disable   Disables password aging.
Defaults
None.
Mode
Switch command, super-user.
Example
This example shows how to set the system password age time to 45 days:
C2(su)->set system password aging 45
Syntax
set system password history size
Parameters
size   Specifies the number of passwords checked for duplication. Valid values are 0 to 10.
Defaults
None.
Mode
Switch command, super-user.
Example
This example shows how to configure the system to check the last 10 passwords for duplication:
C2(su)->set system password history 10
Syntax
show system lockout
Parameters
None.
Defaults
None.
Mode
Switch command, super-user.
Example
This example shows how to display user lockout settings. In this case, switch defaults have not been changed:
C2(su)->show system lockout
Lockout attempts: 3
Lockout time:     15 minutes.
Table 3-3 provides an explanation of the command output. These settings are configured with the set system lockout command ("set system lockout" on page 3-8).
Table 3-3 show system lockout Output Details
Output Field       What It Displays...
Lockout attempts   Number of failed login attempts allowed before a read-write or read-only user's account will be disabled.
Lockout time       Number of minutes the default admin user account will be locked out after the maximum login attempts.
Syntax
set system lockout {[attempts attempts] [time time]}
Parameters
attempts attempts   Specifies the number of failed login attempts allowed before a read-write or read-only user's account will be disabled. Valid values are 1 to 10.
time time           Specifies the number of minutes the default admin user account will be locked out after the maximum login attempts. Valid values are 0 to 60.
Defaults
None.
Mode
Switch command, super-user.
Usage
Once a user account is locked out, it can only be re-enabled by a super user with the set system login command (page 3-4).
If the default admin super user account has been locked out, you can wait until the lockout time has expired or you can reset the switch in order to re-enable the admin account.
Example
This example shows how to set login attempts to 5 and lockout time to 30 minutes:
C2(su)->set system lockout attempts 5 time 30
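To review these account and lockout settings across many switches, the added Python example below (not part of the Enterasys guide) parses captured show system login and show system lockout output and lists settings that deserve a second look. The sample output is constructed, the thresholds are assumptions of this example, and the display format for enabled password aging is assumed because the guide only shows "disabled".

```python
import re

# Account names this guide lists as shipped on the switch.
FACTORY_ACCOUNTS = ("admin", "ro", "rw")
ACCESS_LEVELS = ("super-user", "read-write", "read-only")

# Review thresholds: assumptions for this example, not vendor guidance.
MIN_HISTORY_SIZE = 1       # previous passwords checked for reuse
MAX_LOCKOUT_ATTEMPTS = 5   # failed logins allowed before lockout
MIN_LOCKOUT_MINUTES = 15   # admin lockout duration

# Constructed sample output, laid out like the examples in this guide.
SAMPLE_LOGIN = """\
C2(su)->show system login
Password history size: 0
Password aging       : disabled

Username      Access        State
admin         super-user    enabled
ro            read-only     enabled
rw            read-write    enabled
netops        super-user    enabled
"""

SAMPLE_LOCKOUT = """\
C2(su)->show system lockout
Lockout attempts: 3
Lockout time:     15 minutes.
"""


def parse_login(text):
    """Parse 'show system login' output into policy values and account rows."""
    parsed = {"history": None, "aging": None, "accounts": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Password history size\s*:\s*(\d+)", line)
        if m:
            parsed["history"] = int(m.group(1))
            continue
        m = re.match(r"Password aging\s*:\s*(\S+)", line)
        if m:
            # 'disabled' is the value shown in the guide; any other value is
            # assumed here to mean aging is switched on.
            parsed["aging"] = m.group(1).lower()
            continue
        cols = line.split()
        if (len(cols) == 3 and cols[1] in ACCESS_LEVELS
                and cols[2] in ("enabled", "disabled")):
            parsed["accounts"].append(
                {"user": cols[0], "access": cols[1], "enabled": cols[2] == "enabled"})
    if parsed["history"] is None or parsed["aging"] is None:
        raise ValueError("input does not look like 'show system login' output")
    return parsed


def parse_lockout(text):
    """Parse 'show system lockout' output into attempts and minutes."""
    attempts = re.search(r"Lockout attempts\s*:\s*(\d+)", text)
    minutes = re.search(r"Lockout time\s*:\s*(\d+)\s*minutes", text)
    if not attempts or not minutes:
        raise ValueError("input does not look like 'show system lockout' output")
    return {"attempts": int(attempts.group(1)), "minutes": int(minutes.group(1))}


def audit(login, lockout):
    """Return (code, detail) findings for settings a reviewer should check."""
    findings = []
    if login["history"] < MIN_HISTORY_SIZE:
        findings.append(("no-password-history",
                         "history size %d: old passwords can be reused" % login["history"]))
    if login["aging"] == "disabled":
        findings.append(("no-password-aging", "passwords never age out"))
    for acct in login["accounts"]:
        if not acct["enabled"]:
            continue
        if acct["user"] in FACTORY_ACCOUNTS:
            findings.append(("factory-account-enabled",
                             "%s: confirm the default password was changed" % acct["user"]))
        elif acct["access"] == "super-user":
            findings.append(("extra-super-user",
                             "%s: confirm this account is still needed" % acct["user"]))
    if lockout["attempts"] > MAX_LOCKOUT_ATTEMPTS:
        findings.append(("lockout-attempts-high",
                         "%d failed logins allowed before lockout" % lockout["attempts"]))
    if lockout["minutes"] < MIN_LOCKOUT_MINUTES:
        findings.append(("lockout-time-short",
                         "admin lockout lasts %d minutes" % lockout["minutes"]))
    return findings


if __name__ == "__main__":
    for code, detail in audit(parse_login(SAMPLE_LOGIN), parse_lockout(SAMPLE_LOCKOUT)):
        print("%-24s %s" % (code, detail))
```

The minimum password length is not part of either display shown in the guide, so it has to be checked against the saved configuration instead.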
Commands
For information about...
show ip address
set ip address
clear ip address
show ip protocol
set ip protocol
show system
show system hardware
show system utilization
show system enhancedbuffermode
set system enhancedbuffermode
set system temperature
clear system temperature
show time
set time
show summertime
set summertime
set summertime date
set summertime recurring
clear summertime
set prompt
show banner motd
set banner motd
clear banner motd
show version
set system name
set system location
set system contact
set width
set length
show logout
set logout
show console
set console baud
show ip address
Use this command to display the system IP address and subnet mask.
Syntax
show ip address
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the system IP address and subnet mask:
C2(su)->show ip address
Name             Address          Mask
---------------- ---------------- ----------------
host             10.42.13.20      255.255.0.0
set ip address
Use this command to set the system IP address, subnet mask and default gateway.
Note: The C2 does not support the ability for a user to configure the host's gateway to be a local routed interface IP. The host's gateway must exist on a different device in the network if one is configured.
Syntax
set ip address ip-address [mask ip-mask] [gateway ip-gateway]
Parameters
ip-address           Sets the IP address for the system. For SecureStack C2 systems, this is the IP address of the management switch as described in "About SecureStack C2 Switch Operation in a Stack" on page 2-1.
mask ip-mask         (Optional) Sets the system's subnet mask.
gateway ip-gateway   (Optional) Sets the system's default gateway (next-hop device).
Defaults
If not specified, ip-mask will be set to the natural mask of the ip-address and ip-gateway will be set to the ip-address.
Mode
Switch command, read-write.
Usage
Parameters must be entered in the order shown (host IP, then mask, then gateway) for the command to be accepted.
Example
This example shows how to set the system IP address to 10.1.10.1 with a mask of 255.255.128.0:
C2(su)->set ip address 10.1.10.1 mask 255.255.128.0
clear ip address
Use this command to clear the system IP address.
Syntax
clear ip address
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the system IP address:
C2(rw)->clear ip address
show ip protocol
Use this command to display the method used to acquire a network IP address for switch management.
Syntax
show ip protocol
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the method used to acquire a network IP address:
C2(su)->show ip protocol
System IP address acquisition method: dhcp
set ip protocol
Use this command to specify the protocol used to acquire a network IP address for switch management.
Syntax
set ip protocol {bootp | dhcp | none}
Parameters
bootp   Selects BOOTP as the protocol to use to acquire the system IP address.
dhcp    Selects DHCP as the protocol to use to acquire the system IP address.
none    No protocol will be used to acquire the system IP address.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the method used to acquire a network IP address to DHCP.
C2(su)->set ip protocol dhcp
show system
Use this command to display system information, including contact information, power and fan tray status and uptime.
Syntax
show system
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display system information:
C2(su)->show system
System contact:
System location:
System name:

Switch 1
--------
PS1-Status
----------
Ok

Fan1-Status
-----------
Ok

Temp-Alarm
----------
off

Thermal Threshold: 58%
Temp alarm max threshold: 100%
Temp alarm trap: disabled
Temp alarm syslog: disabled

Uptime d,h:m:s   Logout
--------------   -------
0,20:36:49       0 min
SecureStack C2 Configuration Guide 3-13
Syntax
show system hardware
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the system's hardware configuration. Please note that the information you see displayed may differ from this example.
C2(su)->show system hardware
SLOT 1 HARDWARE INFORMATION
---------------------------
Model:
Serial Number:
Vendor ID:
Base MAC Address:
Hardware Version:
FirmWare Version:
Boot Code Version:
Syntax
show system utilization {cpu | storage | process}
Parameters
cpu       Display information about the processor running on the switch.
storage   Display information about the overall memory usage on the switch.
process   Display information about the processes running on the switch.
Defaults
None.
Mode
Switch command, read-only.
Examples
This example shows how to display the system's CPU utilization:
C2(ro)->show system utilization cpu
Total CPU Utilization:
Switch  CPU   5 sec   1 min   5 min
-----------------------------------------------
1       1     50%     49%     49%
This example shows how to display the system's overall memory usage:
C2(ro)->show system utilization storage
Storage Utilization:
Type    Description               Size(Kb)   Available (Kb)
---------------------------------------------------------------
RAM     RAM device                262144     97173
Flash   Images, Config, Other     31095      8094
This example shows how to display information about the processes running on the system. Only partial output is shown.
C2(ro)->show system utilization process
Switch:1 CPU:1
TID      Name                     5Sec     1Min     5Min
----------------------------------------------------------
c157930  ipMapForwardingTask      3.60%    3.02%    3.48%
cc70000  RMONTask                 0.00%    0.00%    0.00%
ccb0b60  SNMPTask                 34.80%   34.06%   31.78%
d4847a0  tEmWeb                   0.00%    0.03%    0.01%
d4ca360  hapiRxTask               3.20%    4.80%    5.00%
dec8600  lvl7TaskUtilMonitorTas   0.40%    0.40%    0.40%
eb74120  bcmRX                    2.00%    2.91%    4.48%
eb7fbc8  bcmLINK.0                0.40%    0.22%    0.32%
f00c9a0  bcmTX                    0.00%    0.33%    0.53%
f027648  bcmCNTR.0                0.00%    0.00%    0.03%
f034858  bcmL2X.0                 0.00%    0.02%    0.04%
Syntax
show system enhancedbuffermode
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to display enhanced buffer mode status:
C2(su)->show system enhancedbuffermode enable
Optimized system buffer distribution Disable
switches. Executing this command will reset the switch, so the system prompts you to confirm whether you want to proceed.
Syntax
set system enhancedbuffermode {enable | disable}
Parameters
enable | disable   Enables or disables enhanced buffer mode.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable enhanced buffer mode:
C2(su)->set system enhancedbuffermode enable
Changes in the enhanced buffer mode will require resetting this unit.
Are you sure you want to continue? (y/n)
Syntax
set system temperature {[syslog enable | disable] [trap enable | disable] [overtemp-threshold value]}
Parameters
syslog enable | disable    Enables or disables logging high temperature alerts to the system log when the system transitions into an alarm state.
trap enable | disable      Enables or disables sending high temperature alerts by means of SNMP traps when the system transitions into an alarm state.
overtemp-threshold value   Sets the thermal threshold as a percentage of the maximum rated for the specific platform. Value can range from 0 to 100%.
Defaults
Syslog alerts are disabled by default.
Trap alerts are disabled by default.
Overtemp threshold is 100% by default.
Mode
Switch command, read-write.
Usage
On the platforms that support this feature, temperature sensors are located in several different locations within the device. Threshold calibrations have been calculated separately for each platform. The thermal overtemp threshold is the high-water mark that, when reached, triggers an alert to warn the system administrator that the device is operating at high temperatures.
The values set with this command can be viewed with the show system command.
Refer to the Release Note for your platform to determine if this feature is supported on your platform.
Example
The following example enables sending SNMP traps and sets the overtemp threshold to 60%.
C2(su)->set system temperature trap enable overtemp-threshold 60
Syntax
clear system temperature
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command resets all the high temperature parameters to their default values:
- Syslog alerts are disabled by default.
- Trap alerts are disabled by default.
- Overtemp threshold is 100% by default.
Example
This example resets all high temperature parameters to their defaults.
C2(su)->clear system temperature
show time
Use this command to display the current time of day in the system clock.
Syntax
show time
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the current time. The output shows the day of the week, month, day, and the time of day in hours, minutes, and seconds and the year:
C2(su)->show time
THU SEP 05 09:21:57 2002
set time
Use this command to change the time of day on the system clock.
Syntax
set time [mm/dd/yyyy] [hh:mm:ss]
Parameters
[mm/dd/yyyy] [hh:mm:ss]   Sets the time in month, day, year and/or 24-hour format. At least one set of time parameters must be entered.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the system clock to 7:50 a.m:
C2(su)->set time 7:50:00
show summertime
Use this command to display daylight savings time settings.
Syntax
show summertime
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display daylight savings time settings:
C2(su)->show summertime
Summertime is disabled and set to ''
Start : SUN APR 04 02:00:00 2004
End : SUN OCT 31 02:00:00 2004
Offset: 60 minutes (1 hours 0 minutes)
Recurring: yes, starting at 2:00 of the first Sunday of April and ending at 2:00 of the last Sunday of October
set summertime
Use this command to enable or disable the daylight savings time function.
Syntax
set summertime {enable | disable} [zone]
Parameters
enable | disable   Enables or disables the daylight savings time function.
zone               (Optional) Applies a name to the daylight savings time settings.
Defaults
If a zone name is not specified, none will be applied.
Mode
Switch command, read-only.
Example
This example shows how to enable daylight savings time function:
C2(su)->set summertime enable
Syntax
set summertime date start_month start_date start_year start_hr_min end_month end_date end_year end_hr_min [offset_minutes]
Parameters
start_month      Specifies the month of the year to start daylight savings time.
start_date       Specifies the day of the month to start daylight savings time.
start_year       Specifies the year to start daylight savings time.
start_hr_min     Specifies the time of day to start daylight savings time. Format is hh:mm.
end_month        Specifies the month of the year to end daylight savings time.
end_date         Specifies the day of the month to end daylight savings time.
end_year         Specifies the year to end daylight savings time.
end_hr_min       Specifies the time of day to end daylight savings time. Format is hh:mm.
offset_minutes   (Optional) Specifies the amount of time in minutes to offset daylight savings time from the non-daylight savings time system setting. Valid values are 1 - 1440.
Defaults
If an offset is not specified, none will be applied.
Mode
Switch command, read-write.
Example
This example shows how to set a daylight savings time start date of April 4, 2004 at 2 a.m. and an ending date of October 31, 2004 at 2 a.m. with an offset time of one hour:
C2(su)->set summertime date April 4 2004 02:00 October 31 2004 02:00 60
Syntax
set summertime recurring start_week start_day start_month start_hr_min end_week end_day end_month end_hr_min [offset_minutes]
Parameters
start_week       Specifies the week of the month to restart daylight savings time. Valid values are: first, second, third, fourth, and last.
start_day        Specifies the day of the week to restart daylight savings time.
start_hr_min     Specifies the time of day to restart daylight savings time. Format is hh:mm.
end_week         Specifies the week of the month to end daylight savings time.
end_day          Specifies the day of the week to end daylight savings time.
end_hr_min       Specifies the time of day to end daylight savings time. Format is hh:mm.
offset_minutes   (Optional) Specifies the amount of time in minutes to offset daylight savings time from the non-daylight savings time system setting. Valid values are 1 - 1440.
Defaults
If an offset is not specified, none will be applied.
Mode
Switch command, read-write.
Example
This example shows how to set daylight savings time to recur starting on the first Sunday of April at 2 a.m. and ending the last Sunday of October at 2 a.m. with an offset time of one hour:
C2(su)->set summertime recurring first Sunday April 02:00 last Sunday October 02:00 60
clear summertime
Use this command to clear the daylight savings time configuration.
Syntax
clear summertime
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the daylight savings time configuration:
C2(su)->clear summertime
set prompt
Use this command to modify the command prompt.
Syntax
set prompt prompt_string
Parameters
prompt_string   Specifies a text string for the command prompt.
Note: A prompt string containing a space in the text must be enclosed in quotes as shown in the example below.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the command prompt to Switch 1:
C2(su)->set prompt "Switch 1"
Switch 1(su)->
Syntax
show banner motd
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the banner message of the day:
C2(rw)->show banner motd
This system belongs to XYZ Corporation.
Use of this system is strictly limited to authorized personnel.
Syntax
set banner motd message
Parameters
message   Specifies a message of the day. This is a text string that needs to be in double quotes if any spaces are used. Use a \n for a new line and \t for a tab (eight spaces).
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the message of the day banner to read: "This system belongs to XYZ Corporation. Use of this system is strictly limited to authorized personnel."
C2(rw)->set banner motd "\tThis system belongs to XYZ Corporation.\nUse of this system is strictly limited to authorized personnel."
Syntax
clear banner motd
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the message of the day banner to a blank string:
C2(rw)->clear banner motd
show version
Use this command to display hardware and firmware information. Refer to "Downloading a Firmware Image" on page 3-30 for instructions on how to download a firmware image.
Syntax
show version
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display version information. Please note that you may see different information displayed, depending on the type of hardware.
C2(su)->show version
Copyright (c) 2007 by Enterasys Networks, Inc.
Model           Serial #           Versions
--------------  -----------------  -------------------
C2G124-48P      001188021035       Hw:BCM5665 REV 17
                                   Bp:01.00.29
                                   Fw:5.02.xx.xxxx
                                   BuFw:03.01.13
                                   PoE:500_3
Syntax
set system name [string]
Parameters
string   (Optional) Specifies a text string that identifies the system.
Note: A name string containing a space in the text must be enclosed in quotes as shown in the example below.
Defaults
If string is not specified, the system name will be cleared.
Mode
Switch command, read-write.
Example
This example shows how to set the system name to Information Systems:
C2(su)->set system name "Information Systems"
Syntax
set system location [string]
Parameters
string (Optional)Specifiesatextstringthatindicateswherethesystemis located.
Note: A location string containing a space in the text must be enclosed in quotes as shown in the example below.
Defaults
If string is not specified, the location name will be cleared.
Mode
Switch command, read-write.
Example
This example shows how to set the system location string:
C2(su)->set system location "Bldg N32-04 Closet 9"
Syntax
set system contact [string]
Parameters
string    (Optional) Specifies a text string that contains the name of the person to contact for system administration.
Note: A contact string containing a space in the text must be enclosed in quotes as shown in the example below.
Defaults
If string is not specified, the contact name will be cleared.
Mode
Switch command, read-write.
Example
This example shows how to set the system contact string:
C2(su)->set system contact "Joe Smith"
set width
Use this command to set the number of columns for the terminal connected to the switch's console port.
Syntax
set width screenwidth [default]
Parameters
screenwidth    Sets the number of terminal columns. Valid values are 50 to 150.
default        (Optional) Makes this setting persistent for all future sessions (written to NVRAM).
Defaults
None.
Mode
Switch command, read-write.
Usage
The number of rows of CLI output displayed is set using the set length command as described in "set length" on page 3-28.
Example
This example shows how to set the terminal columns to 50:
C2(su)->set width 50
set length
Use this command to set the number of lines the CLI will display. This command is persistent (written to NVRAM).
Syntax
set length screenlength
Parameters
screenlength    Sets the number of lines in the CLI display. Valid values are 0, which disables the scrolling screen feature described in "Displaying Scrolling Screens" on page 1-9, and from 5 to 512.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the terminal length to 50:
C2(su)->set length 50
show logout
Use this command to display the time (in seconds) an idle console or Telnet CLI session will remain connected before timing out.
Syntax
show logout
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the CLI logout setting:
C2(su)->show logout
Logout currently set to: 10 minutes.
set logout
Use this command to set the time (in minutes) an idle console or Telnet CLI session will remain connected before timing out.
Syntax
set logout timeout
Parameters
timeout    Sets the number of minutes the system will remain idle before timing out.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the system timeout to 10 minutes:
C2(su)->set logout 10
show console
Use this command to display console settings.
Syntax
show console [baud] [bits] [flowcontrol] [parity] [stopbits]
Parameters
baud           (Optional) Displays the input/output baud rate.
bits           (Optional) Displays the number of bits per character.
flowcontrol    (Optional) Displays the type of flow control.
parity         (Optional) Displays the type of parity.
stopbits       (Optional) Displays the number of stop bits.
Defaults
If no parameters are specified, all settings will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display all console settings:
C2(su)->show console
Baud    Flow     Bits  StopBits  Parity
------  -------  ----  --------  ------
9600    Disable  8     1         none
Syntax
set console baud rate
Parameters
rate    Sets the console baud rate. Valid values are: 300, 600, 1200, 2400, 4800, 5760, 9600, 14400, 19200, 38400, and 115200.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the console port baud rate to 19200:
C2(su)->set console baud 19200
Tera Term Pro Version 2.3
2. Before the boot up completes, type 2 to select "Start Boot Menu". Use "administrator" for the Password.
Note: The Boot Menu password administrator can be changed using boot menu option 11.
Options available
1 - Start operational code
2 - Change baud rate
3 - Retrieve event log using XMODEM (64KB).
4 - Load new operational code using XMODEM
5 - Display operational code vital product data
6 - Run Flash Diagnostics
7 - Update Boot Code
8 - Delete operational code
9 - Reset the system
10 - Restore Configuration to factory defaults (delete config files)
11 - Set new Boot Code password
[Boot Menu] 2
3. Type 2. The following baud rate selection screen displays:
1 - 1200
2 - 2400
3 - 4800
4 - 9600
5 - 19200
6 - 38400
7 - 57600
8 - 115200
0 - no change
4. Type 8 to set the switch baud rate to 115200. The following message displays:
Setting baud rate to 115200, you must change your terminal baud rate.
5. 6.
7. From the boot menu options screen, type 2 to display the baud rate selection screen again.
8. Type 4 to set the switch baud rate to 9600. The following message displays:
Setting baud rate to 9600, you must change your terminal baud rate.
9. Set the terminal baud rate to 9600 and press ENTER.
Note: You will not be able to perform these steps remotely unless you have remote console support.
1. 2. 3.
4. 5. 6. 7.
Commands
For information about...    Refer to page...
show boot system            3-34
set boot system             3-34
Syntax
show boot system
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the switch's boot firmware image:
C2(su)->show boot system
Current system image to boot: bootfile
Syntax
set boot system filename
Parameters
filename    Specifies the name of the firmware image file.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command allows you to set the firmware image to be loaded at startup. You can choose to reset the system to use the new firmware image immediately, or you can choose to only specify the new image to be loaded the next time the switch is rebooted.
You can use the dir command to display the "Active" image and the "Boot" image, which will be the image loaded at the next system reboot.
Note: If you are changing the firmware image to a version earlier than the current version, refer to Reverting to a Previous Image on page 3-33 for the correct steps to follow.
Example
This example shows how to set the boot firmware image file and reset the system.
C2(su)->set boot system c2_05.02.01.0005
This command requires resetting the entire system. Do you want to continue (y/n) [n]?y
Checking firmware version
Saving Configuration
Commands
For information about...    Refer to page...
show telnet                 3-36
set telnet                  3-36
telnet                      3-37
show telnet
Use this command to display the status of Telnet on the switch.
Syntax
show telnet
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display Telnet status:
C2(su)->show telnet
Telnet inbound is currently: ENABLED
Telnet outbound is currently: ENABLED
set telnet
Use this command to enable or disable Telnet on the switch.
Syntax
set telnet {enable | disable} [inbound | outbound | all]
Parameters
enable | disable            Enables or disables Telnet services.
inbound | outbound | all    (Optional) Specifies inbound service (the ability to Telnet to this switch), outbound service (the ability to Telnet to other devices), or all (both inbound and outbound).
Defaults
If not specified, both inbound and outbound Telnet service will be enabled.
Mode
Switch command, read-write.
Example
This example shows how to disable inbound and outbound Telnet services:
C2(su)->set telnet disable all
Disconnect all telnet sessions and disable now (y/n)? [n]: y
All telnet sessions have been terminated, telnet is now disabled.
telnet
Use this command to start a Telnet connection to a remote host. The SecureStack C2 switch allows a total of four inbound and/or outbound Telnet sessions to run simultaneously.
Syntax
telnet host [port]
Parameters
host    Specifies the name or IP address of the remote host.
port    (Optional) Specifies the server port number.
Defaults
If not specified, the default port number 23 will be used.
Mode
Switch command, read-write.
Example
This example shows how to start a Telnet session to a host at 10.21.42.13:
C2(su)->telnet 10.21.42.13
Purpose
To set and view the persistence mode for CLI configuration commands, manually save the running configuration, view, manage, and execute configuration files and image files, and set and view TFTP parameters.
Commands
For information about...    Refer to page...
show snmp persistmode       3-38
set snmp persistmode        3-39
save config                 3-39
dir                         3-40
show file                   3-41
show config                 3-41
configure                   3-42
copy                        3-43
delete                      3-44
show tftp settings          3-44
set tftp timeout            3-45
clear tftp timeout          3-45
set tftp retry              3-46
clear tftp retry            3-46
Syntax
show snmp persistmode
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
By default, the mode is set to auto save, which automatically saves configuration changes at specific intervals. If the mode is set to manual, configuration commands are never automatically saved. In order to make configuration changes persistent when the mode is manual, the save config command must be issued as described in "Configuration Persistence Mode" on page 3-37.
Example
This example shows how to display the configuration persistence mode setting. In this case, persistence mode is set to manual, which means configuration changes are not being automatically saved.
C2(su)->show snmp persistmode
persistmode is manual
Syntax
set snmp persistmode {auto | manual}
Parameters
auto      Sets the configuration persistence mode to automatic. This is the default state.
manual    Sets the configuration persistence mode to manual. In order to make configuration changes persistent, the save config command must be issued as described in "save config" on page 3-39. This mode is useful for reverting back to old configurations.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the configuration persistence mode to manual:
C2(su)->set snmp persistmode manual
save config
Use this command to save the running configuration. If applicable, this command will save the configuration to all switch members in a stack.
Syntax
save config
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to save the running configuration:
C2(su)->save config
dir
Use this command to list configuration and image files stored in the file system.
Syntax
dir [filename]
Parameters
filename    (Optional) Specifies the file name or directory to list.
Defaults
If filename is not specified, all files in the system will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to list all the configuration and image files in the system. The display indicates which image file is the Active file and which image file is the Boot file that will be used the next time the system reboots.
C2(su)->dir
Images:
==================================================================
Filename:      c2-series_05.02.00.0029 (Active)
Version:       05.02.00.0029
Size:          9411584 (bytes)
Date:          Fri Aug 1 06:55:23 2008
CheckSum:      6126a7aadfdf05150afb6eca51982302
Compatibility: <platform specific>

Filename:      c2-series_05.02.00.0030 (Boot)
Version:       05.02.00.0030
Size:          9411584 (bytes)
Date:          Fri Aug 8 08:44:04 2008
CheckSum:      627938b785fa7fdb8eed74672af1edcc
Compatibility: <platform specific>
show file
Use this command to display the contents of a file.
Syntax
show file filename
Parameters
filename    Specifies the name of the file to display.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display a text file named "mypolicy" in the configs/ directory. Note that only a portion of the file is shown in this example.
C2(rw)->show file configs/mypolicy
1 :
2 :
3 : #policy
4 :
5 : set policy profile 1 name "Check GUEST" pvid-status enable pvid 4095 untagged-vlans 1
6 :
7 : set policy profile 2 name "User LABORATORIES" pvid-status enable pvid 680 cos-status enable cos 4 untagged-vlans 680
8 :
9 : set policy profile 3 name "Administrator" pvid-status enable pvid 4095
10 :
11 : set policy profile 4 name "Guest" pvid-status enable pvid 999 cos-status enable cos 3 untagged-vlans 999
12 :
13 : set policy port ge.1.1 4
14 :
15 : set policy port ge.1.2 4
show config
Use this command to display the system configuration or write the configuration to a file.
Syntax
show config [all | facility] [outfile {configs/filename}]
Parameters
all                 (Optional) Displays default and non-default configuration settings.
facility            (Optional) Specifies the exact name of one facility for which to show configuration. For example, enter "router" to show only router configuration.
outfile             (Optional) Specifies that the current configuration will be written to a text file in the configs/ directory.
configs/filename    Specifies a file name in the configs/ directory to display.
Defaults
By default, show config will display all non-default configuration information for all facilities.
Mode
Switch command, read-only.
Usage
The separate facilities that can be displayed by this command are identified in the display of the current configuration by a # preceding the facility name. For example, "#port" indicates the facility name "port".
Examples
This example shows how to write the current configuration to a file named save_config2:
C2(rw)->show config all outfile configs/save_config2
This example shows how to display configuration for the facility "port".
C2(rw)->show config port
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
begin
!
#***** NON-DEFAULT CONFIGURATION *****
!
!
#port
set port jumbo disable ge.1.1
!
end
configure
Use this command to execute a previously downloaded configuration file stored on the switch.
Syntax
configure filename [append]
Parameters
filename    Specifies the path and file name of the configuration file to execute.
append      (Optional) Appends the configuration file contents to the current configuration. This is equivalent to typing the contents of the config file directly into the CLI and can be used, for example, to make incremental adjustments to the current configuration.
Defaults
If append is not specified, the current running configuration will be replaced with the contents of the configuration file, which will require an automated reset of the chassis.
Mode
Switch command, read-write.
Example
This example shows how to execute the "Jan1_2004.cfg" configuration file:
C2(su)->configure configs/Jan1_2004.cfg
copy
Use this command to upload or download an image or a CLI configuration file.
Syntax
copy source destination
Parameters
source         Specifies location and name of the source file to copy. Options are a local file path in the configs directory, or the URL of a TFTP server.
destination    Specifies location and name of the destination where the file will be copied. Options are a slot location and file name, or the URL of a TFTP server.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example shows how to download an image via TFTP:
C2(su)->copy tftp://10.1.192.34/version01000 system:image
This example shows how to download a configuration file to the configs directory:
C2(su)->copy tftp://10.1.192.1/Jan1_2004.cfg configs/Jan1_2004.cfg
delete
Use this command to remove an image or a CLI configuration file from the switch.
Syntax
delete filename
Parameters
filename    Specifies the local path name to the file. Valid directories are /images and /configs.
Defaults
None.
Mode
Switch command, read-write.
Usage
Use the dir command (page 3-40) to display current image and configuration file names.
Example
This example shows how to delete the "Jan1_2004.cfg" configuration file:
C2(su)->delete configs/Jan1_2004.cfg
Syntax
show tftp settings
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
The TFTP timeout value can be set with the set tftp timeout command. The TFTP retry value can be set with the set tftp retry command.
Example
This example shows the output of this command.
C2(ro)->show tftp settings
TFTP packet timeout (seconds): 2
TFTP max retry: 5
Syntax
set tftp timeout seconds
Parameters
seconds    Specifies the number of seconds to wait for a reply. The valid range is from 1 to 30 seconds. Default value is 2 seconds.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the timeout period to 4 seconds.
C2(rw)->set tftp timeout 4
Syntax
clear tftp timeout
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the timeout value to the default of 2 seconds.
C2(rw)-> clear tftp timeout
Syntax
set tftp retry retry
Parameters
retry    Specifies the number of times a packet will be resent. The valid range is from 1 to 1000. Default value is 5 retries.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the retry count to 3.
C2(rw)->set tftp retry 3
Syntax
clear tftp retry
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the retry value to the default of 5 retries.
C2(rw)-> clear tftp retry
Commands
For information about...    Refer to page...
cls                         3-47
exit                        3-47
Syntax
cls
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to clear the CLI screen:
C2(su)->cls
exit
Use either of these commands to leave a CLI session.
Syntax
exit
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
By default, switch timeout occurs after 15 minutes of user inactivity, automatically closing your CLI session. Use the set logout command (page 3-29) to change this default.
Example
This example shows how to exit a CLI session:
C2(su)->exit
Commands
For information about...    Refer to page...
reset                       3-48
clear config                3-49
reset
Use this command to reset the switch without losing any user-defined configuration settings.
Syntax
reset [unit]
Parameters
unit    (Optional) Specifies a unit to be reset.
Defaults
If no unit ID is specified, the entire system will be reset.
Mode
Switch command, read-write.
Usage
A SecureStack C2 switch can also be reset with the RESET button located on its front panel. For information on how to do this, refer to the SecureStack C2 Installation Guide shipped with your switch.
Examples
This example shows how to reset the system:
C2(su)->reset
Are you sure you want to reload the stack? (y/n) y
Saving Configuration to stacking members
Reloading all switches.
This example shows how to reset unit 1:
C2(su)->reset 1
Are you sure you want to reload the switch? (y/n) y
Reloading switch 1.
This switch is manager of the stack.
STACK: detach 3 units
clear config
Use this command to clear the user-defined configuration parameters.
Syntax
clear config [all]
Parameters
all    (Optional) Clears user-defined configuration parameters (and stack unit numbers and priorities, if applicable).
Defaults
If all is not specified, stacking configuration parameters will not be cleared.
Mode
Switch command, read-write.
Usage
When using the clear config command to clear configuration parameters in a stack, it is important to remember the following:
• Use clear config to clear configuration parameters without clearing stack unit IDs. This command WILL NOT clear stack parameters and avoids the process of renumbering the stack.
• Use clear config all when it is necessary to clear all configuration parameters, including stack unit IDs (if applicable) and switch priority values.
• Use the clear ip address command to clear the IP address.
Example
This example shows how to clear configuration parameters (including stacking parameters, if applicable):
C2(su)->clear config all
Commands
For information about...    Refer to page...
show webview                3-50
set webview                 3-51
show ssl                    3-51
set ssl                     3-52
show webview
Use this command to display WebView status.
Syntax
show webview
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display WebView status:
C2(rw)->show webview
WebView is Enabled.
set webview
Use this command to enable or disable WebView on the switch.
Syntax
set webview {enable | disable}
Parameters
enable | disable    Enable or disable WebView on the switch.
Defaults
None.
Mode
Switch command, read-write.
Usage
It is good practice for security reasons to disable HTTP access on the switch when finished configuring with WebView, and then to only enable WebView on the switch when changes need to be made.
Example
This example shows how to disable WebView on the switch:
C2(rw)->set webview disable
show ssl
Use this command to display SSL status.
Syntax
show ssl
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display SSL status:
C2(rw)->show ssl
SSL status: Enabled
set ssl
Use this command to enable or disable the use of WebView over SSL port 443. By default, SSL is disabled on the switch. This command can also be used to reinitialize the host key that is used for encryption.
Syntax
set ssl {enabled | disabled | reinitialize | hostkey reinitialize}
Parameters
enabled | disabled      Enable or disable the ability to use WebView over SSL.
reinitialize            Stops and then restarts the SSL process.
hostkey reinitialize    Stops SSL, regenerates new keys, and then restarts SSL.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable SSL:
C2(rw)->set ssl enabled
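The following added example (not part of the original guide) audits a captured CLI session against the management-access settings documented above: Telnet, WebView, SSL and the idle logout. The sample capture is constructed, the "Disabled" output wordings are assumed by analogy with the "Enabled" forms the guide prints, and the severities and the max_idle_minutes threshold are this example's own policy.

```python
import re

# Constructed capture, modelled on the example outputs printed in this guide.
# The "Disabled" wording is assumed by analogy with the "Enabled" form.
SAMPLE_CAPTURE = """\
C2(su)->show telnet
Telnet inbound is currently: ENABLED
Telnet outbound is currently: ENABLED
C2(rw)->show webview
WebView is Enabled.
C2(rw)->show ssl
SSL status: Disabled
C2(su)->show logout
Logout currently set to: 10 minutes.
"""

# One pattern per setting; the captured word is the state or the minute count.
PATTERNS = {
    "telnet_inbound": r"Telnet inbound is currently:\s*(\w+)",
    "telnet_outbound": r"Telnet outbound is currently:\s*(\w+)",
    "webview": r"WebView is (\w+)",
    "ssl": r"SSL status:\s*(\w+)",
    "logout_minutes": r"Logout currently set to:\s*(\d+)\s*minutes",
}


def parse_state(capture):
    """Return {setting: True/False/int}, or None where no output was captured."""
    state = {}
    for key, pattern in PATTERNS.items():
        match = re.search(pattern, capture, re.IGNORECASE)
        if match is None:
            state[key] = None
        elif key == "logout_minutes":
            state[key] = int(match.group(1))
        else:
            state[key] = match.group(1).lower() == "enabled"
    return state


def audit(state, max_idle_minutes=15):
    """Return (setting, severity, suggested command) findings.

    Severities and max_idle_minutes are this example's policy, not the guide's.
    """
    findings = []
    # A setting that was never captured must not pass silently.
    for key, value in state.items():
        if value is None:
            findings.append((key, "unknown", "capture the matching show command"))
    if state["telnet_inbound"]:
        findings.append(("telnet_inbound", "high", "set telnet disable inbound"))
    if state["telnet_outbound"]:
        findings.append(("telnet_outbound", "medium", "set telnet disable outbound"))
    if state["webview"]:
        if state["ssl"] is False:
            findings.append(("ssl", "high", "set ssl enabled"))
        # The guide's usage note: leave WebView off except while configuring.
        findings.append(("webview", "low", "set webview disable"))
    idle = state["logout_minutes"]
    if idle is not None and idle > max_idle_minutes:
        findings.append(("logout_minutes", "medium", f"set logout {max_idle_minutes}"))
    return findings


if __name__ == "__main__":
    for setting, severity, command in audit(parse_state(SAMPLE_CAPTURE)):
        print(f"{severity:8} {setting:16} -> {command}")
```

Settings whose show output is missing from the capture are reported as "unknown" rather than treated as compliant.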
Command
For information about...    Refer to page...
show support                3-53
show support
Use this command to display switch information for troubleshooting.
Syntax
show support
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
This command initiates a number of show commands to easily gather basic information from an installed device. To use this command, set your console to capture the output to a file first, before executing the command, since the output is extensive.
Output from the following commands is gathered by this command:
• show version
• show logging buffer
• show port status
• show system utilization process
• show system utilization storage
• show config
Example
There is no display example because the output of this command is quite lengthy.
4
Activating Licensed Features
In order to enable advanced features, such as advanced routing protocols, you must purchase and activate a license key. If you have purchased a license, you can proceed to activate your license as described in this section. If you wish to purchase a license, contact the Enterasys Networks Sales Department.
Purpose
To activate and verify licensed features.
Commands
For information about...    Refer to page...
license advanced            4-1
show license                4-2
no license advanced         4-2
license advanced
When an advanced license is available, use this command to activate licensed features. If this is available on your SecureStack C2 switch, a unique license key will display in the show license command output.
Syntax
license advanced activation-key
Parameters
activation-key    Specifies your unique 16-digit hexadecimal advanced licensing key.
Note: When available, the licensing key will display at the top of the show running-config command output.
Defaults
None.
Mode
Global configuration: router(Config)#
Example
This example shows how to use license key abcdefg123456789 to activate advanced routing features:
C2(su)->router# configure
Enter configuration commands:
C2(su)->router(Config)# license advanced abcdefg123456789
show license
When available and activated, use this command to display your license key.
Syntax
show license
Parameters
None.
Defaults
None.
Mode
Privileged EXEC: router#
Example
This example shows how to display your license key information:
C2(su)->router# show license
license advanced abcdefg123456789
no license advanced
Use this command to remove the license key.
Syntax
no license advanced
Parameters
None.
Defaults
None.
Mode
Global configuration: router(Config)#
Example
This example shows how to remove an advanced license key:
5
Configuring System Power and PoE
Important Notice
The commands in this section apply only to PoE-equipped devices. Consult the Installation Guide for your product to determine if it is PoE-equipped.
Commands
For information about...          Refer to page...
show inlinepower                  5-1
set inlinepower threshold         5-2
set inlinepower trap              5-3
set inlinepower detectionmode     5-3
show port inlinepower             5-4
set port inlinepower              5-5
show inlinepower
Use this command to display system power properties.
Syntax
show inlinepower
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display system power properties:
C2(su)->show inlinepower
Detection Mode : auto

Unit  Status  Power(W)  Consumption(W)  Usage(%)  Threshold(%)  Trap
----  ------  --------  --------------  --------  ------------  ------
1     auto    480       0.00            0.00      80            enable
Syntax
set inlinepower threshold usage-threshold module-number
Parameters
usage-threshold    Specifies a power threshold as a percentage of available system power. Valid values are 11 to 100.
module-number      Specifies the module or unit on which to set the power threshold.
Defaults
None.
Mode
Switch command, read-write.
Usage
The threshold is expressed as a percentage of the available PoE power. When this threshold is reached, a trap will be sent if traps are enabled with the set inlinepower trap command.
Example
This example shows how to set the power threshold to 90 on module/unit 1:
C2(su)->set inlinepower threshold 90 1
Syntax
set inlinepower trap {disable | enable} module-number
Parameters
disable | enable    Disables or enables inline power trap messaging.
module-number       Specifies the module or unit on which to disable or enable trap messaging.
Defaults
Sending of traps is disabled by default.
Mode
Switch command, read-write.
Usage
The module's or unit's power usage threshold must be set using the set inlinepower threshold command as described on page 5-2.
Example
This example shows how to enable inline power trap messaging on module 1:
C2(su)->set inlinepower trap enable 1
Syntax
set inlinepower detectionmode {auto | ieee}
Parameters
auto    Specifies that the switch will use the standard 802.3af detection method first. If that fails, then the switch will use the legacy (pre-802.3af standard) capacitance method of detection.
ieee    Specifies that the switch will only use the standard 802.3af detection method.
Defaults
Default detection mode is auto.
Mode
Switch command, read-write.
Usage
This command is used to specify how the switch should detect PDs connected to its ports. The PoE hardware in the switches can use the IEEE standard 802.3af (resistor-based) method or a proprietary method using capacitor detection.
If auto is configured, the switch will first use the IEEE resistor-based detection method, and if that fails, the switch will use the capacitor-based detection method. If ieee is configured, only the IEEE resistor-based detection method will be used.
Example
This example sets the switch's PD detection mode to IEEE standard 802.3af only.
C2(su)->set inlinepower detectionmode ieee
Syntax
show port inlinepower [port-string]
Parameters
port-string    (Optional) Displays information for specific PoE port(s).
Defaults
If not specified, information for all PoE ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display PoE information for port ge.2.1. In this case, the port's administrative state, PoE priority and class have not been changed from default values:
C2(su)->show port inlinepower ge.2.1
Port    Type      Admin  Oper       Priority  Class  Power(W)
----    ----      -----  ----       --------  -----  --------
ge.2.1  wireless  auto   searching  low       0      15.4
Syntax
set port inlinepower port-string {[admin {off | auto}] [priority {critical | high | low}] [type type]}
Parameters
port-string                        Specifies the port(s) on which to configure PoE.
admin off | auto                   Sets the PoE administrative state to off (disabled) or auto (on).
priority critical | high | low     Sets the port(s) priority for the PoE allocation algorithm to critical (highest), high or low.
type type                          Specifies a string describing the type of device connected to a port.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable PoE on port ge.3.1 with critical priority:
C2(su)->set port inlinepower ge.3.1 admin auto priority critical
6
Discovery Protocol Configuration
This chapter describes how to configure discovery protocols.
For information about...                                    Refer to page...
Configuring CDP                                             6-1
Configuring Cisco Discovery Protocol                        6-7
Configuring Link Layer Discovery Protocol and LLDP-MED      6-13
Configuring CDP
Purpose
To review and configure the Enterasys CDP discovery protocol. This protocol is used to discover network topology. When enabled, this protocol allows Enterasys devices to send periodic PDUs about themselves to neighboring devices.
Commands
The commands used to review and configure the CDP discovery protocol are listed below.
For information about...    Refer to page...
show cdp                    6-2
set cdp state               6-3
set cdp auth                6-4
set cdp interval            6-4
set cdp hold-time           6-5
clear cdp                   6-5
show neighbors              6-6
show cdp
Use this command to display the status of the CDP discovery protocol and message interval on one or more ports.
Syntax
show cdp [port-string]
Parameters
port-string    (Optional) Displays CDP status for a specific port. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, all CDP information will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display CDP information for ports ge.1.1 through ge.1.9:
C2(su)->show cdp ge.1.1-9
CDP Global Status        :auto-enable
CDP Version Supported    :30 hex
CDP Hold Time            :180
CDP Authentication Code  :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 hex
CDP Transmit Frequency   :60

Port     Status
-----------------
ge.1.1   auto-enable
ge.1.2   auto-enable
ge.1.3   auto-enable
ge.1.4   auto-enable
ge.1.5   auto-enable
ge.1.6   auto-enable
ge.1.7   auto-enable
ge.1.8   auto-enable
ge.1.9   auto-enable
Table 6-1
Output Field CDP Authentication Code CDP Transmit Frequency Port Status
Syntax
set cdp state {auto | disable | enable} [port-string]
Parameters
auto | disable | enable    Auto-enables, disables or enables the CDP protocol on the specified port(s). In auto-enable mode, which is the default mode for all ports, a port automatically becomes CDP-enabled upon receiving its first CDP message.
port-string                (Optional) Enables or disables CDP on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, the CDP state will be globally set.
Mode
Switch command, read-write.
Examples
This example shows how to globally enable CDP:
C2(su)->set cdp state enable
This example shows how to enable the CDP for port ge.1.2:
C2(su)->set cdp state enable ge.1.2
This example shows how to disable the CDP for port ge.1.2:
C2(su)->set cdp state disable ge.1.2
Syntax
set cdp auth auth-code
Parameters
auth-code    Specifies an authentication code for the CDP protocol. This can be up to 16 hexadecimal values separated by commas.
Defaults
None.
Mode
Switch command, read-write.
Usage
The authentication code value determines a switch's CDP domain. If two or more switches have the same CDP authentication code, they will be entered into each other's CDP neighbor tables. If they have different authentication codes, they are in different domains and will not be entered into each other's CDP neighbor tables.
A switch with the default authentication code (16 null characters) will recognize all switches, no matter what their authentication code, and enter them into its CDP neighbor table.
Example
This example shows how to set the CDP authentication code to 1,2,3,4,5,6,7,8:
C2(su)->set cdp auth 1,2,3,4,5,6,7,8
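The domain rule in the Usage text above, worked through as an added example (not code from the guide): it validates a set cdp auth argument, reads the code back from show cdp output, and computes which neighbors each switch would record. The switch names and codes are constructed, and padding a short code with 00 up to 16 bytes is an assumption.

```python
import re

DEFAULT_CODE = bytes(16)  # the default: 16 null bytes


def parse_auth_code(arg):
    """Parse a 'set cdp auth' argument: up to 16 comma-separated hex values."""
    parts = [p.strip() for p in arg.split(",")]
    if len(parts) > 16:
        raise ValueError("at most 16 values are allowed")
    values = []
    for part in parts:
        value = int(part, 16)  # ValueError for empty or non-hex fields
        if not 0 <= value <= 0xFF:
            raise ValueError(f"{part!r} does not fit in one byte")
        values.append(value)
    # Assumption: values not supplied stay 00, as in the 16-byte default.
    return bytes(values) + bytes(16 - len(values))


def auth_code_from_show_cdp(output):
    """Extract the 16-byte code from 'show cdp' output, or None if absent."""
    match = re.search(
        r"CDP Authentication Code\s*:\s*((?:[0-9A-Fa-f]{2}\s+){16})hex", output)
    if match is None:
        return None
    return bytes.fromhex("".join(match.group(1).split()))


def enters_neighbor_table(local_code, remote_code):
    """Usage rule: a default-code switch records every sender; any other
    switch records only senders whose code equals its own."""
    return local_code == DEFAULT_CODE or local_code == remote_code


def neighbor_tables(switches):
    """Map each switch name to the sorted list of neighbors it would record."""
    return {
        name: sorted(other for other, other_code in switches.items()
                     if other != name and enters_neighbor_table(code, other_code))
        for name, code in switches.items()
    }


# Constructed lab: the names and codes are hypothetical.
LAB = {
    "core": parse_auth_code("1,2,3,4,5,6,7,8"),
    "edge": parse_auth_code("1,2,3,4,5,6,7,8"),
    "guest": parse_auth_code("aa,bb"),
    "fresh": DEFAULT_CODE,  # never configured
}

if __name__ == "__main__":
    for name, seen in neighbor_tables(LAB).items():
        print(f"{name:6} records {seen}")
```

Read literally, the rule is asymmetric: the switch left at the default code records every neighbor, while switches with a configured code do not record it.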
Syntax
set cdp interval frequency
Parameters
frequency    Specifies the transmit frequency of CDP messages in seconds. Valid values are from 5 to 900 seconds.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the CDP interval frequency to 15 seconds:
C2(su)->set cdp interval 15
Syntax
set cdp hold-time hold-time
Parameters
hold-time    Specifies the hold time value for CDP messages in seconds. Valid values are from 15 to 600.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set CDP hold time to 60 seconds:
C2(su)->set cdp hold-time 60
clear cdp
Use this command to reset CDP discovery protocol settings to defaults.
Syntax
clear cdp {[state] [port-state port-string] [interval] [hold-time] [auth-code]}
Parameters
state                     (Optional) Resets the global CDP state to auto-enabled.
port-state port-string    (Optional) Resets the port state on specific port(s) to auto-enabled.
interval                  (Optional) Resets the message frequency interval to 60 seconds.
hold-time                 (Optional) Resets the hold time value to 180 seconds.
auth-code                 (Optional) Resets the authentication code to 16 bytes of 00 (000000 0000000000).
Defaults
At least one optional parameter must be entered.
Mode
Switch command, read-write.
Example
This example shows how to reset the CDP state to auto-enabled:
C2(su)->clear cdp state
show neighbors
This command displays Neighbor Discovery information for either the CDP or Cisco DP protocols.
Syntax
show neighbors [port-string]
Parameters
portstring (Optional)SpecifiestheportorportsforwhichtodisplayNeighbor Discoveryinformation.
Defaults
Ifnoportisspecified,allNeighborDiscoveryinformationisdisplayed.
Mode
Switchcommand,readonly.
Usage
ThiscommanddisplaysinformationdiscoveredbyboththeCDPandtheCiscoDPprotocols.
Example
ThisexampledisplaysNeighborDiscoveryinformationforallports.
C2(su)->show neighbors Port Device ID Port ID Type Network Address -----------------------------------------------------------------------------ge.1.1 00036b8b1587 12.227.1.176 ciscodp 12.227.1.176 ge.1.6 0001f496126f 140.2.3.1 ciscodp 140.2.3.1 ge.1.6 00-01-f4-00-72-fe 140.2.4.102 cdp 140.2.4.102 ge.1.6 00-01-f4-00-70-8a 140.2.4.104 cdp 140.2.4.104 ge.1.6 00-01-f4-c5-f7-20 140.2.4.101 cdp 140.2.4.101 ge.1.6 00-01-f4-89-4f-ae 140.2.4.105 cdp 140.2.4.105 ge.1.6 00-01-f4-5f-1f-c0 140.2.1.11 cdp 140.2.1.11 ge.1.19 0001f400732e 165.32.100.10 ciscodp 165.32.100.10
6-6
Commands
ThecommandsusedtoreviewandconfiguretheCiscodiscoveryprotocolarelistedbelow.Refer alsotoshowneighborsonpage66.
For information about... show ciscodp show ciscodp port info set ciscodp status set ciscodp timer set ciscodp holdtime set ciscodp port clear ciscodp Refer to page... 6-7 6-8 6-9 6-9 6-10 6-10 6-12
show ciscodp
Use this command to display global Cisco discovery protocol information.
Syntax
show ciscodp
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display global CiscoDP information.
C2(su)->show ciscodp
CiscoDP        :Enabled
Timer          :5
Holdtime (TTl) : 180
SecureStack C2 Configuration Guide 6-7
Syntax
show ciscodp port info [port-string]
Parameters
port-string    (Optional) Displays CiscoDP information for a specific port. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, CiscoDP information for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display CiscoDP information for Gigabit Ethernet port 1 in slot 1.
C2(su)->show ciscodp port info ge.1.1
port      state     vvid     trusted    cos
----------------------------------------------
ge.1.1    enable    none     yes        0
Table 6-3 provides an explanation of the command output.
Table 6-3
Syntax
set ciscodp state {auto | disable | enable}
Parameters
auto       Globally enable only if CiscoDP PDUs are received.
disable    Globally disable Cisco discovery protocol.
enable     Globally enable Cisco discovery protocol.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to globally enable CiscoDP:
C2(su)->set ciscodp state enable
Syntax
set ciscodp timer seconds
Parameters
seconds    Specifies the number of seconds between CiscoDP PDU transmissions. Valid values are from 5 to 254 seconds.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the CiscoDP timer to 120 seconds.
C2(su)->set ciscodp timer 120
Syntax
set ciscodp holdtime hold-time
Parameters
hold-time    Specifies the time to live for CiscoDP PDUs. Valid values are from 10 to 255 seconds.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set CiscoDP hold time to 180 seconds:
C2(su)->set ciscodp hold-time 180
Syntax
set ciscodp port {[status {disable | enable}] [vvid {vlan-id | none | dot1p | untagged}] [trusted {yes | no}] [cos value]} port-string
Parameters
status         Sets the CiscoDP port operational status.
  disable      Does not transmit or process CiscoDP PDUs.
  enable       Transmits and processes CiscoDP PDUs.
vvid           Sets the port voice VLAN for CiscoDP PDU transmission.
  vlan-id      Specifies the VLAN ID, range 1-4094.
  none         No voice VLAN will be used in CiscoDP PDUs. This is the default.
  dot1p        Instructs attached phone to send 802.1p tagged frames.
  untagged     Instructs attached phone to send untagged frames.
trusted        Sets the extended trust mode on the port.
  yes          Instructs attached phone to allow the device connected to it to transmit traffic containing any CoS or Layer 2 802.1p marking. This is the default value.
  no           Instructs attached phone to overwrite the 802.1p tag of traffic transmitted by the device connected to it to 0, by default, or to the value configured with the cos parameter.
cos value      Instructs attached phone to overwrite the 802.1p tag of traffic transmitted by the device connected to it with the specified value, when the trust mode of the port is set to untrusted. Value can range from 0 to 7, with 0 indicating the lowest priority.
port-string    Specifies the port(s) on which status will be set.
Defaults
Status: enabled
Voice VLAN: none
Trust mode: trusted
CoS value: 0
Mode
Switch mode, read-write.
Usage
The following points describe how the CiscoDP extended trust settings work on the switch.
• A CiscoDP port trust status of trusted or untrusted is only meaningful when a Cisco IP phone is connected to a switch port and a PC or other device is connected to the back of the Cisco IP phone.
• A CiscoDP port state of trusted or untrusted only affects tagged traffic transmitted by the device connected to the Cisco IP phone. Untagged traffic transmitted by the device connected to the Cisco IP phone is unaffected by this setting.
• If the switch port is configured to a CiscoDP trust state of trusted (with the trusted yes parameter of this command), this setting is communicated to the Cisco IP phone instructing it to allow the device connected to it to transmit traffic containing any CoS or Layer 2 802.1p marking.
Examples
This example shows how to set the CiscoDP port voice VLAN ID to 3 on port ge.1.6 and enable the port operational state.
C2(rw)->set ciscodp port status enable vvid 3 ge.1.6
This example shows how to set the CiscoDP extended trust mode to untrusted on port ge.1.5 and set the CoS priority to 1.
C2(rw)->set ciscodp port trusted no cos 1 ge.1.5
clear ciscodp
Use this command to clear the Cisco discovery protocol back to the default values.
Syntax
clear ciscodp [status | timer | holdtime | {port {status | vvid | trust | cos} [port-string]}]
Parameters
status         Clears global CiscoDP enable status to default of auto.
timer          Clears the time between CiscoDP PDU transmissions to default of 60 seconds.
holdtime       Clears the time to live for CiscoDP PDU data to default of 180 seconds.
port           Clears the CiscoDP port configuration.
  status       Clears the individual port operational status to the default of enabled.
  vvid         Clears the individual port voice VLAN for CiscoDP PDU transmission to 0.
  trust        Clears the trust mode configuration of the port to trusted.
  cos          Clears the CoS priority for untrusted traffic of the port to 0.
port-string    (Optional) Specifies the port(s) on which status will be set.
Defaults
If no parameters are entered, all CiscoDP parameters are reset to the defaults globally and for all ports.
Mode
Switch mode, read-write.
6-12 Discovery Protocol Configuration
Examples
This example shows how to clear all the CiscoDP parameters back to the default settings.
C2(rw)->clear ciscodp
This example shows how to clear the CiscoDP status on port ge.1.5.
C2(rw)->clear ciscodp port status ge.1.5
The information sent by an LLDP-enabled device is extracted and tabulated by its peers. The communication can be done when information changes or on a periodic basis. The information tabulated is aged to ensure that it is kept up to date. Ports can be configured to send this information, receive this information, or both send and receive.
Either LLDP or LLDP-MED, but not both, can be used on an interface between two devices. A switch port uses LLDP-MED when it detects that an LLDP-MED-capable device is connected to it.
LLDP information is contained within a Link Layer Discovery Protocol Data Unit (LLDPDU) sent in a single 802.3 Ethernet frame. The information fields in LLDPDU are a sequence of short, variable-length information elements known as TLVs (type, length, and value fields) where:
• Type identifies what kind of information is being sent
• Length indicates the length of the information string in octets
• Value is the actual information that needs to be sent
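The TLV layout described above, shown as an added example that is not part of the original guide: a bounds-checked LLDPDU parser that treats every received length field as untrusted. The 7-bit type / 9-bit length header and the type codes are taken from IEEE 802.1AB rather than from this guide; the function names are illustrative, and the sample frame is constructed from the chassis ID, port and system name shown in this chapter's local-info output, with the TTL derived from the tx-interval and hold-multiplier settings.

```python
import struct

# Basic TLV type codes defined by IEEE 802.1AB (not listed in this guide).
TLV_NAMES = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID",
             3: "Time To Live", 4: "Port Description", 5: "System Name",
             6: "System Description", 7: "System Capabilities",
             8: "Management Address", 127: "Organizationally Specific"}
MANDATORY_ORDER = [1, 2, 3]  # Chassis ID, Port ID, TTL must come first


class LLDPParseError(ValueError):
    """Raised when a received LLDPDU is malformed."""


def ttl_seconds(tx_interval, hold_multiplier):
    """TTL advertised in the LLDPDU: tx-interval x hold-multiplier."""
    if not 5 <= tx_interval <= 32768:
        raise ValueError("tx-interval must be 5..32768 seconds")
    if not 2 <= hold_multiplier <= 10:
        raise ValueError("hold-multiplier must be 2..10")
    # The TTL value is a 16-bit field, so the product is capped at 65535.
    return min(tx_interval * hold_multiplier, 0xFFFF)


def build_tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length, then the value octets."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type must fit 7 bits and length 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(payload):
    """Return [(type, value), ...], validating every length against the buffer."""
    tlvs, offset = [], 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise LLDPParseError("truncated TLV header at offset %d" % offset)
        (header,) = struct.unpack_from("!H", payload, offset)
        tlv_type, length = header >> 9, header & 0x01FF
        offset += 2
        if offset + length > len(payload):
            raise LLDPParseError("TLV type %d claims %d octets, %d remain"
                                 % (tlv_type, length, len(payload) - offset))
        value = payload[offset:offset + length]
        offset += length
        if tlv_type == 0:  # End of LLDPDU: anything after it is padding
            if length != 0:
                raise LLDPParseError("End of LLDPDU TLV must be empty")
            break
        tlvs.append((tlv_type, value))
    if [t for t, _ in tlvs[:3]] != MANDATORY_ORDER:
        raise LLDPParseError("Chassis ID, Port ID and TTL must lead the LLDPDU")
    return tlvs


def summarize(payload):
    """Decode the fields a peer would tabulate from one LLDPDU."""
    info = {}
    for tlv_type, value in parse_lldpdu(payload):
        name = TLV_NAMES.get(tlv_type, "Type %d" % tlv_type)
        if tlv_type == 3:
            if len(value) < 2:
                raise LLDPParseError("TTL TLV shorter than 2 octets")
            info[name] = struct.unpack("!H", value[:2])[0]
        elif tlv_type in (4, 5, 6):
            info[name] = value.decode("utf-8", "replace")
        else:
            info[name] = value.hex()
    return info


# Constructed sample: chassis 00-E0-63-93-74-A5 (subtype 4 = MAC address),
# port ge.4.1 (subtype 5 = interface name), TTL for tx-interval 20 and
# hold-multiplier 5, system name from the local-info example.
SAMPLE_LLDPDU = (
    build_tlv(1, b"\x04" + bytes.fromhex("00E0639374A5"))
    + build_tlv(2, b"\x05" + b"ge.4.1")
    + build_tlv(3, struct.pack("!H", ttl_seconds(20, 5)))
    + build_tlv(5, b"LLDP PoE test Chassis")
    + build_tlv(0, b"")
)

if __name__ == "__main__":
    for field, val in summarize(SAMPLE_LLDPDU).items():
        print("%-14s %s" % (field, val))
```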
Purpose
To review and configure LLDP and LLDP-MED.
Commands
The commands used to review and configure the CDP discovery protocol are listed below.
For information about...
show lldp
show lldp port status
show lldp port trap
show lldp port tx-tlv
show lldp port location-info
show lldp port local-info
show lldp port remote-info
set lldp tx-interval
set lldp hold-multiplier
set lldp trap-interval
set lldp med-fast-repeat
set lldp port status
set lldp port trap
set lldp port med-trap
set lldp port tx-tlv
clear lldp
clear lldp port status
clear lldp port trap
clear lldp port med-trap
clear lldp port tx-tlv
Configuration Tasks
The commands included in this implementation allow you to perform the following configuration tasks:
Step  Task                                       Command(s)
1.    Configure global system LLDP parameters    set lldp tx-interval
                                                 set lldp hold-multiplier
                                                 set lldp trap-interval
                                                 set lldp med-fast-repeat
                                                 clear lldp
2.    Enable/disable specific ports to:
      Transmit and process received LLDPDUs      set/clear lldp port status
      Send LLDP traps                            set/clear lldp port trap
      Send LLDP-MED traps                        set/clear lldp port med-trap
show lldp
Use this command to display LLDP configuration information.
Syntax
show lldp
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display LLDP configuration information.
C2(ro)->show lldp
Message Tx Interval        : 30
Message Tx Hold Multiplier : 4
Notification Tx Interval   : 5
MED Fast Start Count       : 3
Tx-Enabled Ports           : ge.1.1-60; ge.2.1-24; ge.3.1-30; ge.4.1-12;
Rx-Enabled Ports           : ge.1.1-60; ge.2.1-24; ge.3.1-30; ge.4.1-12;
Trap-Enabled Ports         : ge.1.1-60; ge.2.1-24; ge.3.1-30; ge.4.1-12;
MED Trap-Enabled Ports     : ge.1.1-60; ge.2.1-24; ge.3.1-30; ge.4.1-12;
Syntax
show lldp port status [port-string]
Parameters
port-string    (Optional) Displays LLDP status for one or a range of ports.
Defaults
If port-string is not specified, LLDP status information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display LLDP port status information for all ports.
C2(ro)->show lldp port status
Syntax
show lldp port trap [port-string]
Parameters
port-string    (Optional) Displays the port or range of ports that have been enabled to send LLDP and/or LLDP-MED notifications.
Defaults
If port-string is not specified, LLDP port trap information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display LLDP port trap information for all ports.
C2(ro)->show lldp port trap
Trap-Enabled Ports     :
MED Trap-Enabled Ports:
Syntax
show lldp port tx-tlv [port-string]
Parameters
port-string    (Optional) Displays information about TLV configuration for one or a range of ports.
Defaults
If port-string is not specified, TLV configuration information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display transmit TLV information for three ports.
C2(ro)->show lldp port tx-tlv ge.1.1-3
* Means TLV is supported and enabled on this port
o Means TLV is supported on this port
Means TLV is not supported on this port
Column Pro Id uses letter notation for enable: s-stp, l-lacp, g-gvrp
Ports    Port Desc  Sys Name  Sys Desc  Sys Cap  Mgmt Addr  Vlan Id  Pro Id
------   ---------  --------  --------  -------  ---------  -------  ------
ge.1.1   *          *         *         *        *          *        slg
ge.1.2   *          *         *         *        *          *        slg
ge.1.3   *          *         *         *        *          *        slg
MAC PHY  PoE  Link Aggr  Max Frame
* * * * * * * * *
MED Cap  MED Pol  MED Loc  MED PoE
* * * *
Syntax
show lldp port location-info [port-string]
Parameters
port-string    (Optional) Displays port location information for one or a range of ports.
Defaults
If port-string is not specified, port location configuration information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display port location information for three ports.
C2(ro)->show lldp port location-info ge.1.1-3
Ports     Type          Location
--------  ------------  -------------------------
ge.1.1    ELIN          1234567890
ge.1.2    ELIN          1234567890
ge.1.3    ELIN          1234567890
Syntax
show lldp port local-info [port-string]
Parameters
port-string    (Optional) Displays local system information for one or a range of ports.
Defaults
If port-string is not specified, local system information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display the local system information stored for port ge.4.1. Table 6-4 describes the output fields of this command.
C2(rw)->show lldp port local-info ge.4.1
Local Port : ge.4.1      Local Port Id: ge.4.1
--------------------
Port Desc                     : ... 1000BASE-TX RJ45 Gigabit Ethernet Frontpanel Port
Mgmt Addr                     : 10.21.64.100
Chassis ID                    : 00-E0-63-93-74-A5
Sys Name                      : LLDP PoE test Chassis
Sys Desc                      : Enterasys Networks, Inc.
Sys Cap Supported/Enabled     : bridge,router/bridge
Auto-Neg Supported/Enabled    : yes/yes
Auto-Neg Advertised           : 10BASE-T, 10BASE-TFD,
                                100BASE-TX, 100BASE-TXFD,
                                1000BASE-TFD,
                                Bpause
Operational Speed/Duplex/Type : 100 full tx
Max Frame Size (bytes)        : 1522
Vlan Id                       : 1
LAG Supported/Enabled/Id      : no/no/0
Protocol Id                   : Spanning Tree v-3 (IEEE802.1s)
                                LACP v-1
                                GVRP
PoE Device                    : PSE device
PoE Power Source              : primary
PoE MDI Supported/Enabled     : yes/yes
PoE Pair Controllable/Used    : false/spare
PoE Power Class               : 2
PoE Power Limit (mW)          : 15400
PoE Power Priority            : high
Table 6-4 describes the information displayed by the show lldp port local-info command.
Table 6-4 show lldp port local-info Output Details
Output Field                     What it Displays...
Local Port                       Identifies the port for which local system information is displayed.
Local Port Id                    Mandatory basic LLDP TLV that identifies the port transmitting the LLDPDU. Value is ifName object defined in RFC 2863.
Port Desc                        Optional basic LLDP TLV. Value is ifDescr object defined in RFC 2863.
Mgmt Addr                        Optional basic LLDP TLV. IPv4 address of host interface.
Chassis ID                       Mandatory basic LLDP TLV that identifies the chassis transmitting the LLDPDU. Value is MAC address of chassis.
Sys Name                         Optional basic LLDP TLV. Value is the administratively assigned name for the system.
Sys Desc                         Optional basic LLDP TLV. Value is sysDescr object defined in RFC 3418.
Sys Cap Supported/Enabled        Optional basic LLDP TLV. System capabilities, value can be bridge and/or router.
Auto-Neg Supported/Enabled       IEEE 802.3 Extensions MAC-PHY Configuration/Status TLV. Auto-negotiation supported and enabled settings should be the same on the two systems attached to the same link.
Auto-Neg Advertised              IEEE 802.3 Extensions MAC-PHY Configuration/Status TLV. Lists the configured advertised values on the port.
Operational Speed/Duplex/Type    IEEE 802.3 Extensions MAC-PHY Configuration/Status TLV. Lists the operational MAU type, duplex, and speed of the port. If the received TLV indicates that auto-negotiation is supported but not enabled, these values will be used by the port.
Max Frame Size (bytes)           IEEE 802.3 Extensions Maximum Frame Size TLV. Value indicates maximum frame size capability of the device's MAC and PHY. In normal mode, max frame size is 1522 bytes. In jumbo mode, max frame size is 10239 bytes.
Vlan Id                          IEEE 802.1 Extensions Port VLAN ID TLV. Value is port VLAN ID (pvid).
LAG Supported/Enabled/Id         IEEE 802.3 Extensions Link Aggregation TLV. Values indicate whether the link associated with this port can be aggregated, whether it is currently aggregated, and if aggregated, the aggregated port identifier.
Protocol Id                      IEEE 802.1 Extensions Protocol Identity TLV. Values can include Spanning tree, LACP, and GARP protocols and versions. Only those protocols enabled on the port are displayed.
ECS ELIN                         LLDP-MED Extensions Location Identification TLV. Emergency Call Services (ECS) Emergency Location Identification Number (ELIN) is currently the only type supported. Value is the ELIN configured on this port.
PoE Device                       LLDP-MED Extensions Extended Power via MDI TLV. Displayed only when a port has PoE capabilities. Value is the Power Type of the device. On a switch port, the value is Power Sourcing Entity (PSE).
PoE Power Source                 LLDP-MED Extensions Extended Power via MDI TLV. Displayed only when a port has PoE capabilities. Value can be primary or backup, indicating whether the PSE is using its primary or backup power source.
PoE MDI Supported/Enabled        IEEE 802.3 Extensions Power via MDI TLV. Displayed only when a port has PoE capabilities. Indicates whether sending the Power via MDI TLV is supported/enabled. Value can be yes or no.
Syntax
show lldp port remote-info [port-string]
Parameters
port-string    (Optional) Displays remote system information for one or a range of ports.
Defaults
If port-string is not specified, remote system information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display the remote system information stored for port ge.3.1. The remote system information was received from an IP phone, which is an LLDP-MED-enabled device. Table 6-5 describes the output fields that are unique to the remote system information displayed for a MED-enabled device.
C2(ro)->show lldp port remote-info ge.3.1
Local Port : ge.3.1      Remote Port Id : 00-09-6e-0e-14-3d
---------------------
Mgmt Addr                     : 0.0.0.0
Chassis ID                    : 0.0.0.0
Device Type                   : Communication Device Endpoint (class III)
Sys Name                      : AVE0E143D
Sys Cap Supported/Enabled     : bridge,telephone/bridge
Auto-Neg Supported/Enabled    : yes/yes
Auto-Neg Advertised           : 10BASE-T, 10BASE-TFD
                              : 100BASE-TX, 100BASE-TXFD
                              : pause, Spause
Operational Speed/Duplex/Type : 100/full/TX
Hardware Revision             : 4610D01A
Firmware Revision             : b10d01b2_7.bin
Software Revision             : a10d01b2_7.bin
Serial Number                 : 05GM42004348
Manufacturer                  : Avaya
Model Number                  : 4610
Note that the information fields displayed by the show lldp port remote-info command will vary, depending on the type of remote device that is connected to the port.
Table 6-5 describes the output fields that are unique to the remote system information database. Refer to Table 6-4 on page 19 for descriptions of the information fields that are common to both the local and the remote system information databases.
Table 6-5 show lldp port remote-info Output Display
Output Field         What it Displays...
Remote Port Id       Displays whatever port Id information received in the LLDPDU from the remote device. In this case, the port Id is MAC address of remote device.
Device Type          Mandatory LLDP-MED Capabilities TLV. Displayed only when the port is connected to an LLDP-MED-capable endpoint device.
Hardware Revision    LLDP-MED Extensions Inventory Management TLV component.
Firmware Revision    LLDP-MED Extensions Inventory Management TLV component.
Software Revision    LLDP-MED Extensions Inventory Management TLV component.
Serial Number        LLDP-MED Extensions Inventory Management TLV component.
Manufacturer         LLDP-MED Extensions Inventory Management TLV component.
Model Number         LLDP-MED Extensions Inventory Management TLV component.
Asset ID             LLDP-MED Extensions Inventory Management TLV component. In the above example, no asset ID was received from the remote device so the field is not displayed.
Syntax
set lldp tx-interval frequency
Parameters
frequency    Specifies the number of seconds between transmissions of LLDP frames. Value can range from 5 to 32,768 seconds. The default is 30 seconds.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the transmit interval to 20 seconds.
C2(rw)->set lldp tx-interval 20
Syntax
set lldp hold-multiplier multiplier-val
Parameters
multiplier-val    Specifies the multiplier to apply to the transmit interval to determine the time-to-live value. Value can range from 2 to 10. Default value is 4.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the transmit interval to 20 seconds and the hold multiplier to 5, which will configure a time-to-live of 100 to be used in the TTL field in the LLDPDU header.
C2(rw)->set lldp tx-interval 20
C2(rw)->set lldp hold-multiplier 5
Syntax
set lldp trap-interval frequency
Parameters
frequency    Specifies the minimum time between LLDP trap transmissions, in seconds. The value can range from 5 to 3600 seconds. The default value is 5 seconds.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the minimum interval between LLDP traps to 10 seconds.
C2(rw)->set lldp trap-interval 10
Syntax
set lldp med-fast-repeat count
Parameters
count    Specifies the number of fast start LLDPDUs to be sent when an LLDP-MED endpoint device is detected. Value can range from 1 to 10. Default is 3.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the number of fast start LLDPDUs to be sent to 4.
C2(rw)->set lldp med-fast-repeat 4
Syntax
set lldp port status {tx-enable | rx-enable | both | disable} port-string
Parameters
tx-enable      Enables transmitting LLDPDUs on the specified ports.
rx-enable      Enables receiving and processing LLDPDUs from remote systems on the specified ports.
both           Enables both transmitting and processing received LLDPDUs on the specified ports.
disable        Disables both transmitting and processing received LLDPDUs on the specified ports.
port-string    Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Example
This example enables both transmitting LLDPDUs and receiving and processing LLDPDUs from remote systems on ports ge.1.1 through ge.1.6.
C2(rw)->set lldp port status both ge.1.1-6
Syntax
set lldp port trap {enable | disable} port-string
Parameters
enable
disable
port-string
Defaults
None.
Mode
Switch command, read-write.
Example
This example enables transmitting LLDP traps on ports ge.1.1 through ge.1.6.
C2(rw)->set lldp port trap enable ge.1.1-6
Syntax
set lldp port med-trap {enable | disable} port-string
Parameters
enable         Enables transmitting LLDP-MED traps on the specified ports.
disable        Disables transmitting LLDP-MED traps on the specified ports.
port-string    Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Example
This example enables transmitting LLDP-MED traps on ports ge.1.1 through ge.1.6.
C2(rw)->set lldp port med-trap enable ge.1.1-6
Syntax
set lldp port tx-tlv {[all] | [port-desc] [sys-name] [sys-desc] [sys-cap] [mgmt-addr] [vlan-id] [stp] [lacp] [gvrp] [mac-phy] [poe] [link-aggr] [max-frame] [med-cap] [med-loc] [med-poe]} port-string
Parameters
all            Adds all optional TLVs to transmitted LLDPDUs.
port-desc      Port Description optional basic LLDP TLV. Value sent is ifDescr object defined in RFC 2863.
sys-name       System Name optional basic LLDP TLV. Value sent is the administratively assigned name for the system.
sys-desc       System Description optional basic LLDP TLV. Value sent is sysDescr object defined in RFC 3418.
sys-cap        System Capabilities optional basic LLDP TLV. For a network connectivity device, value sent can be bridge and/or router.
mgmt-addr      Management Address optional basic LLDP TLV. Value sent is IPv4 address of host interface.
vlan-id        Port VLAN ID IEEE 802.1 Extensions TLV. Value sent is port VLAN ID (PVID).
stp            Spanning Tree information defined by Protocol Identity IEEE 802.1 Extensions TLV. If STP is enabled on the port, value sent includes version of protocol being used.
lacp           LACP information defined by Protocol Identity IEEE 802.1 Extensions TLV. If LACP is enabled on the port, value sent includes version of protocol being used.
gvrp           GVRP information defined by Protocol Identity IEEE 802.1 Extensions TLV. If LACP is enabled on the port, value sent includes version of protocol being used.
mac-phy        MAC-PHY Configuration/Status IEEE 802.3 Extensions TLV. Value sent includes the operational MAU type, duplex, and speed of the port.
poe            Power via MDI IEEE 802.3 Extensions TLV. Values sent include whether pair selection can be controlled on port, and the power class supplied by the port. Only valid for PoE-enabled ports.
link-aggr      Link Aggregation IEEE 802.3 Extensions TLV. Values sent indicate whether the link associated with this port can be aggregated, whether it is currently aggregated, and if aggregated, the aggregated port identifier.
max-frame      Maximum Frame Size IEEE 802.3 Extensions TLV. Value sent indicates maximum frame size of the port's MAC and PHY.
med-cap        LLDP-MED Capabilities TLV. Value sent indicates the capabilities (whether the device supports location information, extended power via MDI) and Device Type (network connectivity device) of the sending device.
med-loc        LLDP-MED Location Identification TLV. Value sent is the ECS ELIN value configured on the port.
med-poe        LLDP-MED Extended Power via MDI TLV. Values sent include the Power Limit (total power the port is capable of sourcing over a maximum length cable) and the power priority configured on the port. Only valid for PoE-enabled ports.
port-string    Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Example
This example configures the management address, MED capability, and MED location identification TLVs to be sent in LLDPDUs by port ge.1.1.
C2(rw)->set lldp port tx-tlv mgmt-addr med-cap med-loc ge.1.1
clear lldp
Use this command to return LLDP parameters to their default values.
Syntax
clear lldp {all | tx-interval | hold-multiplier | trap-interval | med-fast-repeat}
Parameters
all                Returns all LLDP configuration parameters to their default values, including port LLDP configuration parameters.
tx-interval        Returns the number of seconds between transmissions of LLDP frames to the default of 30 seconds.
hold-multiplier    Returns the multiplier to apply to the transmit interval to determine the time-to-live value to the default value of 4.
trap-interval      Returns the minimum time between LLDP trap transmissions to the default value of 5 seconds.
med-fast-repeat    Returns the number of fast start LLDPDUs to be sent when an LLDP-MED endpoint device is detected to the default of 3.
Defaults
None.
Mode
Switch command, read-write.
Example
This example returns the transmit interval to the default value of 30 seconds.
C2(rw)->clear lldp tx-interval
Syntax
clear lldp port status port-string
Parameters
port-string    Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Example
This example returns port ge.1.1 to the default state of enabled for both transmitting and processing received LLDPDUs.
C2(rw)->clear lldp port status ge.1.1
Syntax
clear lldp port trap port-string
Parameters
port-string    Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Example
This example returns port ge.1.1 to the default LLDP trap state of disabled.
C2(rw)->clear lldp port trap ge.1.1
Syntax
clear lldp port med-trap port-string
Parameters
port-string    Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Example
This example returns port ge.1.1 to the default LLDP-MED trap state of disabled.
C2(rw)->clear lldp port med-trap ge.1.1
Syntax
clear lldp port tx-tlv {[all] | [port-desc] [sys-name] [sys-desc] [sys-cap] [mgmt-addr] [vlan-id] [stp] [lacp] [gvrp] [mac-phy] [poe] [link-aggr] [max-frame] [med-cap] [med-loc] [med-poe]} port-string
Parameters
all            Disables all optional TLVs from being transmitted in LLDPDUs.
port-desc      Disables the Port Description optional basic LLDP TLV from being transmitted in LLDPDUs.
sys-name       Disables the System Name optional basic LLDP TLV from being transmitted in LLDPDUs.
sys-desc       Disables the System Description optional basic LLDP TLV from being transmitted in LLDPDUs.
sys-cap        Disables the System Capabilities optional basic LLDP TLV from being transmitted in LLDPDUs.
mgmt-addr      Disables the Management Address optional basic LLDP TLV from being transmitted in LLDPDUs.
vlan-id        Disables the Port VLAN ID IEEE 802.1 Extensions TLV from being transmitted in LLDPDUs.
stp            Disables the Spanning Tree information defined by Protocol Identity IEEE 802.1 Extensions TLV from being transmitted in LLDPDUs.
lacp           Disables the LACP information defined by Protocol Identity IEEE 802.1 Extensions TLV from being transmitted in LLDPDUs.
gvrp           Disables the GVRP information defined by Protocol Identity IEEE 802.1 Extensions TLV from being transmitted in LLDPDUs.
mac-phy        Disables the MAC-PHY Configuration/Status IEEE 802.3 Extensions TLV from being transmitted in LLDPDUs.
poe            Disables the Power via MDI IEEE 802.3 Extensions TLV from being transmitted in LLDPDUs. Only valid for PoE-enabled ports.
link-aggr      Disables the Link Aggregation IEEE 802.3 Extensions TLV from being transmitted in LLDPDUs.
max-frame      Disables the Maximum Frame Size IEEE 802.3 Extensions TLV from being transmitted in LLDPDUs.
med-cap        Disables the LLDP-MED Capabilities TLV from being transmitted in LLDPDUs.
med-loc        Disables the LLDP-MED Location Identification TLV from being transmitted in LLDPDUs.
med-poe        Disables the LLDP-MED Extended Power via MDI TLV from being transmitted in LLDPDUs. Only valid for PoE-enabled ports.
port-string    Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Example
This example disables the management address, MED capability, and MED location identification TLVs from being sent in LLDPDUs by port ge.1.1.
C2(rw)->clear lldp port tx-tlv mgmt-addr med-cap med-loc ge.1.1
Port Configuration
This chapter describes the Port Configuration set of commands and how to use them.
For information about...
Port Configuration Summary
Reviewing Port Status
Disabling / Enabling and Naming Ports
Setting Speed and Duplex Mode
Enabling / Disabling Jumbo Frame Support
Setting Auto-Negotiation and Advertised Ability
Setting Flow Control
Setting Port Link Traps and Link Flap Detection
Configuring Broadcast Suppression
Port Mirroring
Link Aggregation Control Protocol (LACP)
Configuring Protected Ports
Where port number depends on the device. The highest valid port number is dependent on the number of ports in the device and the port type.
Examples
Note: You can use a wildcard (*) to indicate all of an item. For example, fe.3.* would represent all 100Mbps Ethernet (fe) ports in slot 3, and ge.3.* would represent all 1-Gigabit Ethernet (ge) ports in slot 3.
This example shows the port-string syntax for specifying the 1-Gigabit Ethernet port 14 in slot unit 3.
ge.3.14
This example shows the port-string syntax for specifying all 1-Gigabit Ethernet ports in slot unit 3 in the system.
ge.3.*
This example shows the port-string syntax for specifying all ports (of any interface type) in the system.
*.*.*
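The port-string forms shown above, as an added example that is not part of the original guide: a strict port-string parser and matcher used to compare a port listing against the ports an administrator intends to have a feature enabled on. The range form (ge.1.1-6) is assumed to apply to the port field only, as in this guide's command examples; the function names and the intended-port patterns are illustrative, and the listing is the Tx-Enabled Ports line from the show lldp example.

```python
import re

# type.slot.port, where each field may be "*" and the port may be a range.
_PORT_STRING = re.compile(r"^(\*|[a-z]+)\.(\*|\d+)\.(\*|\d+(?:-\d+)?)$")


def parse_port_string(text):
    """Return (type, slot, low, high); None stands for a wildcard field."""
    match = _PORT_STRING.match(text.strip())
    if not match:
        raise ValueError("not a valid port-string: %r" % text)
    ptype, slot, port = match.groups()
    if port == "*":
        low = high = None
    elif "-" in port:
        low, high = (int(part) for part in port.split("-"))
        if low > high:
            raise ValueError("descending port range: %r" % text)
    else:
        low = high = int(port)
    return (None if ptype == "*" else ptype,
            None if slot == "*" else int(slot), low, high)


def port_matches(pattern, port):
    """True if the single concrete port falls under the pattern."""
    ptype, pslot, plow, phigh = parse_port_string(pattern)
    ctype, cslot, clow, chigh = parse_port_string(port)
    if None in (ctype, cslot, clow) or clow != chigh:
        raise ValueError("a single concrete port is required: %r" % port)
    return ((ptype is None or ptype == ctype)
            and (pslot is None or pslot == cslot)
            and (plow is None or plow <= clow <= phigh))


def expand_port_list(listing):
    """Expand a listing such as 'ge.1.1-60; ge.2.1-24;' into single ports."""
    ports = []
    for item in re.split(r"[;,\s]+", listing):
        if not item:
            continue
        ptype, slot, low, high = parse_port_string(item)
        if None in (ptype, slot, low):
            # A wildcard cannot be expanded without the device's inventory.
            raise ValueError("cannot expand wildcard: %r" % item)
        ports.extend("%s.%d.%d" % (ptype, slot, n) for n in range(low, high + 1))
    return ports


def unexpected_ports(enabled_listing, intended_patterns):
    """Ports that are enabled but match none of the intended patterns."""
    return [port for port in expand_port_list(enabled_listing)
            if not any(port_matches(pat, port) for pat in intended_patterns)]


# Listing copied from the "Tx-Enabled Ports" line of the show lldp example.
TX_ENABLED = "ge.1.1-60; ge.2.1-24; ge.3.1-30; ge.4.1-12;"
# Constructed policy: where LLDP transmission is meant to be enabled.
INTENDED = ["ge.1.*", "ge.2.1-24", "ge.3.14"]

if __name__ == "__main__":
    extra = unexpected_ports(TX_ENABLED, INTENDED)
    print("%d ports transmit LLDP outside the intended set" % len(extra))
    print("first: %s, last: %s" % (extra[0], extra[-1]))
```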
Commands
For information about...
show port
show port status
show port counters
show port
Use this command to display whether or not one or more ports are enabled for switching.
Syntax
show port [port-string]
Parameters
port-string    (Optional) Displays operational status for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, operational status information for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display operational status information for ge.3.14:
C2(su)->show port ge.3.14
Port ge.3.14 enabled
Syntax
show port status [port-string]
Parameters
port-string    (Optional) Displays status for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, status information for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display status information for ge.3.14:
C2(su)->show port status ge.3.14
Port         Alias          Oper    Admin   Speed  Duplex  Type
             (truncated)    Status  Status
------------ -------------- ------- -------
ge.3.14                     up      up
Table 7-1 provides an explanation of the command output.
Table 7-1
Speed Duplex
Type
Syntax
show port counters [port-string] [switch | mib2]
Parameters
port-string      (Optional) Displays counter statistics for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
switch | mib2    (Optional) Displays switch or MIB2 statistics. Switch statistics detail performance of the SecureStack C2 device. MIB2 interface statistics detail performance of all network devices.
Defaults
If port-string is not specified, counter statistics will be displayed for all ports.
If mib2 or switch are not specified, all counter statistics will be displayed for the specified port(s).
Mode
Switch command, read-only.
Examples
This example shows how to display all counter statistics, including MIB2 network traffic and traffic through the device for ge.3.1:
C2(su)->show port counters ge.3.1
Port: ge.3.1      MIB2 Interface: 1
No counter discontinuity time
-----------------------------------------------------------------
MIB2 Interface Counters
-----------------------
In Octets               0
In Unicast Pkts         0
In Multicast Pkts       0
In Broadcast Pkts       0
In Discards             0
In Errors               0
Out Octets              0
Out Unicasts Pkts       0
Out Multicast Pkts      0
Out Broadcast Pkts      0
Out Errors              0
802.1Q Switch Counters
----------------------
Frames Received         0
Frames Transmitted      0
This example shows how to display all ge.3.1 port counter statistics related to traffic through the device.
C2(su)->show port counters ge.3.1 switch
Port: ge.3.1      Bridge Port: 2
0 0
Output Field Port MIB2 Interface Bridge Port MIB2 Interface Counters 802.1Q Switch Counters
Commands
For information about...
set port disable
set port enable
show port alias
set port alias
Syntax
set port disable port-string
Parameters
port-string    Specifies the port(s) to disable. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable ge.1.1:
C2(su)->set port disable ge.1.1
Syntax
set port enable port-string
Parameters
port-string    Specifies the port(s) to enable. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable ge.1.3:
C2(su)->set port enable ge.1.3
Syntax
show port alias [port-string]
Parameters
port-string    (Optional) Displays alias name(s) for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, aliases for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display alias information for ports 1-3 on slot 3:
C2(rw)->show port alias ge.3.1-3
Port ge.3.1 user
Port ge.3.2 user
Port ge.3.3 Admin
Syntax
set port alias port-string [name]
Parameters
port-string    Specifies the port to which an alias will be assigned. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
name           (Optional) Assigns an alias name to the port. If the alias name contains spaces, the text string must be surrounded by double quotes. Maximum length is 60 characters.
Defaults
If name is not specified, the alias assigned to the port will be cleared.
Mode
Switch command, read-write.
Examples
This example shows how to assign the alias "Admin" to ge.3.3:
C2(rw)->set port alias ge.3.3 Admin
This example shows how to clear the alias for ge.3.3:
C2(rw)->set port alias ge.3.3
Note: These settings only take effect on ports that have auto-negotiation disabled.
Commands
For information about...
show port speed
set port speed
show port duplex
set port duplex
Syntax
show port speed [port-string]
Parameters
port-string    (Optional) Displays default speed setting(s) for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, default speed settings for all ports will display.
Mode
Switch command, read-only.
Example
This example shows how to display the default speed setting for 1-Gigabit Ethernet port 14 in slot 3:
C2(su)->show port speed ge.3.14
default speed is 10 on port ge.3.14.
Syntax
set port speed port-string {10 | 100 | 1000}
Parameters
port-string         Specifies the port(s) for which a speed value will be set. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
10 | 100 | 1000     Specifies the port speed. Valid values are: 10 Mbps, 100 Mbps, or 1000 Mbps.
Defaults
None.
Mode
Switchcommand,readwrite.
Example
Thisexampleshowshowtosetge.3.3toaportspeedof10 Mbps:
C2(su)->set port speed ge.3.3 10
Syntax
show port duplex [port-string]
Parameters
port-string    (Optional) Displays default duplex setting(s) for specific port(s). For a detailed description of possible port string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, default duplex settings for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the default duplex setting for Ethernet port 14 in slot 3:
C2(su)->show port duplex ge.3.14
default duplex mode is full on port ge.3.14.
Syntax
set port duplex port-string {full | half}
Parameters
port-string    Specifies the port(s) for which duplex type will be set. For a detailed description of possible port string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
full | half    Sets the port(s) to full-duplex or half-duplex operation.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set ge.1.17 to full duplex:
C2(su)->set port duplex ge.1.17 full
Commands
For information about...    Refer to page...
show port jumbo             7-13
set port jumbo              7-14
clear port jumbo            7-14
Syntax
show port jumbo [port-string]
Parameters
port-string    (Optional) Displays the status of jumbo frame support for specific port(s). For a detailed description of possible port string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, jumbo frame support status for all ports will display.
Mode
Switch command, read-only.
Example
This example shows how to display the status of jumbo frame support for ge.1.1:
C2(su)->show port jumbo ge.1.1
Port Number     Jumbo Status      Max Frame Size
-------------   ---------------   -----------------
ge.1.1          Enable            9216
Syntax
set port jumbo {enable | disable} [port-string]
Parameters
enable | disable    Enables or disables jumbo frame support.
port-string         (Optional) Specifies the port(s) on which to disable or enable jumbo frame support. For a detailed description of possible port string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, jumbo frame support will be enabled or disabled on all ports.
Mode
Switch command, read-write.
Example
This example shows how to enable jumbo frame support for Gigabit Ethernet port 14 in slot 3:
C2(su)->set port jumbo enable ge.3.14
Syntax
clear port jumbo [port-string]
Parameters
port-string    (Optional) Specifies the port(s) on which to reset jumbo frame support status to enabled. For a detailed description of possible port string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, jumbo frame support status will be reset on all ports.
Mode
Switch command, read-write.
Example
This example shows how to reset jumbo frame support status for Gigabit Ethernet port 14 in slot 3:
C2(su)->clear port jumbo ge.3.14
Note: Advertised ability can be activated only on ports that have auto-negotiation enabled.
Commands
For information about...    Refer to page...
show port negotiation       7-15
set port negotiation        7-16
show port advertise         7-16
set port advertise          7-17
clear port advertise        7-18
Syntax
show port negotiation [port-string]
Parameters
port-string    (Optional) Displays auto-negotiation status for specific port(s). For a detailed description of possible port string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, auto-negotiation status for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display auto-negotiation status for 1-Gigabit Ethernet port 14 in slot 3:
C2(su)->show port negotiation ge.3.14
auto-negotiation is enabled on port ge.3.14.
Syntax
set port negotiation port-string {enable | disable}
Parameters
port-string         Specifies the port(s) for which to enable or disable auto-negotiation. For a detailed description of possible port string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
enable | disable    Enables or disables auto-negotiation.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable auto-negotiation on 1-Gigabit Ethernet port 3 in slot 14:
C2(su)->set port negotiation ge.3.14 disable
Syntax
show port advertise [port-string]
Parameters
port-string    (Optional) Displays advertised ability for specific port(s). For a detailed description of possible port string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, advertisement for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display advertisement status for Gigabit ports 13 and 14:
C2(su)->show port advertise ge.1.13-14
ge.1.13         capability   advertised   remote
------------------------------------------------
10BASE-T        yes          yes          yes
10BASE-TFD      yes          yes          yes
100BASE-TX      yes          yes          yes
100BASE-TXFD    yes          yes          yes
1000BASE-T      no           no           no
1000BASE-TFD    yes          yes          yes
pause           yes          yes          no
ge.1.14         capability   advertised   remote
------------------------------------------------
10BASE-T        yes          yes          yes
10BASE-TFD      yes          yes          yes
100BASE-TX      yes          yes          yes
100BASE-TXFD    yes          yes          yes
1000BASE-T      no           no           no
1000BASE-TFD    yes          yes          yes
pause           yes          yes          no
Syntax
set port advertise {port-string} {10t | 10tfd | 100tx | 100txfd | 1000t | 1000tfd | pause}
Parameters
port-string    Select the ports for which to configure advertisements. For a detailed description of possible port string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
10t            Advertise 10BASE-T half duplex mode.
10tfd          Advertise 10BASE-T full duplex mode.
100tx          Advertise 100BASE-TX half duplex mode.
100txfd        Advertise 100BASE-TX full duplex mode.
1000t          Advertise 1000BASE-T half duplex mode.
1000tfd        Advertise 1000BASE-T full duplex mode.
pause          Advertise PAUSE for full-duplex links.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to configure port 1 to advertise 1000BASE-T full duplex:
C2(su)->set port advertise ge.1.1 1000tfd
Syntax
clear port advertise {port-string} {10t | 10tfd | 100tx | 100txfd | 1000t | 1000tfd | pause}
Parameters
port-string    Clear advertisements for specific port(s). For a detailed description of possible port string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
10t            Do not advertise 10BASE-T half duplex mode.
10tfd          Do not advertise 10BASE-T full duplex mode.
100tx          Do not advertise 100BASE-TX half duplex mode.
100txfd        Do not advertise 100BASE-TX full duplex mode.
1000t          Do not advertise 1000BASE-T half duplex mode.
1000tfd        Do not advertise 1000BASE-T full duplex mode.
pause          Do not advertise PAUSE for full-duplex links.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to configure port 1 to not advertise 10 MB capability for auto-negotiation:
C2(su)->clear port advertise ge.1.1 10t 10tfd
Commands
For information about...    Refer to page...
show flowcontrol            7-19
set flowcontrol             7-19
show flowcontrol
Use this command to display the flow control state.
Syntax
show flowcontrol
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the port flow control state:
C2(su)->show flowcontrol
Flow control status: enabled
set flowcontrol
Use this command to enable or disable flow control.
Syntax
set flowcontrol {enable | disable}
Parameters
enable | disable    Enables or disables flow control settings.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable flow control:
C2(su)->set flowcontrol enable
Commands
For information about...     Refer to page...
show port trap               7-21
set port trap                7-22
show linkflap                7-22
set linkflap globalstate     7-25
set linkflap portstate       7-25
set linkflap interval        7-26
set linkflap action          7-26
clear linkflap action        7-27
set linkflap threshold       7-27
set linkflap downtime        7-28
clear linkflap down          7-28
clear linkflap               7-29
Syntax
show port trap [port-string]
Parameters
port-string    (Optional) Displays link trap status for specific port(s). For a detailed description of possible port string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, the trap status for all ports will be displayed.
Mode
Switch command, read-write.
Example
This example shows how to display link trap status for ge.3.1 through 4:
C2(su)->show port trap ge.3.1-4
Link traps enabled on port ge.3.1.
Link traps enabled on port ge.3.2.
Link traps enabled on port ge.3.3.
Link traps enabled on port ge.3.4.
Syntax
set port trap port-string {enable | disable}
Parameters
port-string         Specifies the port(s) for which to enable or disable port traps. For a detailed description of possible port string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
enable | disable    Enables or disables sending trap messages when link status changes.
Defaults
Sending traps when link status changes is enabled by default.
Mode
Switch command, read-write.
Example
The following example disables sending trap on ge.3.1.
C2(su)->set port trap ge.3.1 disable
show linkflap
Use this command to display link flap detection state and configuration information.
Syntax
show linkflap {globalstate | portstate | parameters | metrics | portsupported | actsupported | maximum | downports | action | operstatus | threshold | interval | downtime | currentcount | totalcount | timelapsed | violations [port-string]}
Parameters
globalstate      Displays the global enable state of link flap detection.
portstate        Displays the port enable state of link flap detection.
parameters       Displays the current value of settable link flap detection parameters.
metrics          Displays linkflap detection metrics.
portsupported    Displays ports which can support the link flap detection function.
actsupported     Displays link flap detection actions supported by system hardware.
maximum          Displays the maximum allowed linkdowns per 10 seconds supported by system hardware.
downports        Displays ports disabled by link flap detection due to a violation.
action           Displays linkflap actions taken on violating port(s).
operstatus       Displays whether linkflap has deactivated port(s).
threshold        Displays the number of allowed link down transitions before action is taken.
interval         Displays the time period for counting link down transitions.
downtime         Displays how long violating port(s) are deactivated.
currentcount     Displays how many link down transitions are in the current interval.
totalcount       Displays how many link down transitions have occurred since the last reset.
timelapsed       Displays the time period since the last link down event or reset.
violations       Displays the number of link flap violations since the last reset.
port-string      (Optional) Displays information for specific port(s).
Defaults
If not specified, information about all link flap detection settings will be displayed.
If port-string is not specified, information for all ports will be displayed.
Mode
Switch mode, read-only.
Usage
The linkflap default conditions are shown in the following table.
Linkflap Parameter                                                                      Default Condition
Linkflap global state                                                                   Disabled
Linkflap port state                                                                     Disabled
Linkflap action                                                                         None
Linkflap interval                                                                       5
Linkflap maximum allowed link downs per 10 seconds                                      20
Linkflap threshold (number of allowed link down transitions before action is taken)    10
Examples
This example shows how to display the global status of the link trap detection function:
C2(rw)->show linkflap globalstate
Linkflap feature globally disabled
This example shows how to display ports disabled by link flap detection due to a violation:
C2(rw)->show linkflap downports
Ports currently held DOWN for Linkflap violations:
None.
This example shows how to display the link flap parameters table:
C2(rw)->show linkflap parameters
Linkflap Port Settable Parameter Table (X means error occurred)
Port      LF Status  Actions  Threshold   Interval    Downtime
--------  ---------  -------  ----------  ----------  ----------
ge.1.1    disabled   .......  10          5           300
ge.1.2    enabled    D..S..T  3           5           300
ge.1.3    disabled   ...S..T  10          5           300
This example shows how to display the link flap metrics table:
C2(rw)->show linkflap metrics
Port      LinkStatus   CurrentCount  TotalCount  TimeElapsed  Violations
--------  -----------  ------------  ----------  -----------  ------------
ge.1.1    operational  0             0           241437       0
ge.1.2    disabled     4             15          147          5
ge.1.3    operational  3             3           241402       0
Table 7-4
Syntax
set linkflap globalstate {disable | enable}
Parameters
disable | enable    Globally disables or enables the link flap detection function.
Defaults
By default, the function is disabled globally and on all ports.
Mode
Switch mode, read-write.
Usage
By default, the function is disabled globally and on all ports. If disabled globally after per-port settings have been configured using the linkflap commands, per-port settings will be retained.
Example
This example shows how to globally enable the link trap detection function.
C2(rw)->set linkflap globalstate enable
Syntax
set linkflap portstate {disable | enable} [port-string]
Parameters
disable | enable    Disables or enables the link flap detection function.
port-string         (Optional) Specifies the port or ports on which to disable or enable monitoring.
Defaults
If port-string is not specified, all ports are enabled or disabled.
Mode
Switch command, read-write.
Example
This example shows how to enable the link trap monitoring on all ports.
C2(rw)->set linkflap portstate enable
Syntax
set linkflap interval port-string interval-value
Parameters
port-string       Specifies the port(s) on which to set the link flap interval.
interval-value    Specifies an interval in seconds. A value of 0 will set the interval to forever.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the link flap interval on port ge.1.4 to 1000 seconds.
C2(rw)->set linkflap interval ge.1.4 1000
Syntax
set linkflap action port-string {disableInterface | gensyslogentry | gentrap | all}
Parameters
port-string         Specifies the port(s) on which to set the link flap action.
disableInterface    Sets the reaction as disabling the interface.
gensyslogentry      Sets the reaction as generating a syslog entry.
gentrap             Sets the reaction as generating an SNMP trap.
all                 Sets the reaction as all of the above.
Defaults
None.
Mode
Switch mode, read-write.
Example
This example shows how to set the link flap violation action on port ge.1.4 to generating a Syslog entry.
C2(rw)->set linkflap action ge.1.4 gensyslogentry
Syntax
clear linkflap action [port-string] {disableInterface | gensyslogentry | gentrap | all}
Parameters
port-string         (Optional) Specifies the port(s) on which to clear the link flap action.
disableInterface    Clears the reaction as disabling the interface.
gensyslogentry      Clears the reaction as generating a syslog entry.
gentrap             Clears the reaction as generating an SNMP trap.
all                 Clears the reaction as all of the above.
Defaults
If port-string is not specified, actions will be cleared on all ports.
Mode
Switch mode, read-write.
Example
This example shows how to clear the link flap violation action on port ge.1.4 to generating a Syslog entry.
C2(rw)->clear linkflap action ge.1.4 gensyslogentry
Syntax
set linkflap threshold port-string threshold-value
Parameters
port-string        Specifies the port(s) on which to set the link flap action trigger count.
threshold-value    Specifies the number of link down transitions necessary to trigger the link flap action. A minimum of 1 must be configured.
Defaults
None.
Mode
Switch mode, read-write.
Example
This example shows how to set the link flap threshold on port ge.1.4 to 5.
C2(rw)->set linkflap threshold ge.1.4 5
Syntax
set linkflap downtime port-string downtime-value
Parameters
port-string       Specifies the port(s) on which to set the link flap downtime.
downtime-value    Specifies a downtime in seconds. A value of 0 will set the downtime to forever.
Defaults
None.
Mode
Switch mode, read-write.
Example
This example shows how to set the link flap downtime on port ge.1.4 to 5000 seconds.
C2(rw)->set linkflap downtime ge.1.4 5000
Syntax
clear linkflap down [port-string]
Parameters
port-string    (Optional) Specifies the ports to make operational.
Defaults
If port-string is not specified, all ports disabled by a link flap violation will be made operational.
Mode
Switch mode, read-write.
Example
This example shows how to make disabled port ge.1.4 operational.
C2(rw)->clear linkflap down ge.1.4
clear linkflap
Use this command to clear all link flap options and/or statistics on one or more ports.
Syntax
clear linkflap {all | stats [port-string] | parameter port-string {threshold | interval | downtime | all}}
Parameters
all | stats    Clears all options and statistics, or clears only statistics.
parameter      Clears link flap parameters.
Defaults
If port-string is not specified, settings and/or statistics will be cleared on all ports.
Mode
Switch mode, read-write.
Example
This example shows how to clear all link flap options on port ge.1.4.
C2(rw)->clear linkflap all ge.1.4
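The threshold, interval and downtime parameters described above interact, so it helps to replay recorded link-down times against candidate values before enabling disableInterface on a production port. The Python below is an added example, not code from the Enterasys guide. It is a simplified model that assumes a fixed counting window starting at the first counted transition, a count reset after each violation, and no counting while the port is held down; the default downtime of 300 is taken from the sample "show linkflap parameters" output, and the function names are hypothetical.

```python
ACTIONS = ("disableInterface", "gensyslogentry", "gentrap", "all")


def replay_linkflap(down_times, threshold=10, interval=5, downtime=300):
    """Replay link-down timestamps (seconds) through a simplified linkflap model.

    Returns a list of (violation_time, release_time) tuples. release_time is
    None when downtime is 0, i.e. the port stays down until an operator runs
    'clear linkflap down'. An interval of 0 means the count never resets.
    """
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    violations = []
    window_start = None            # start of the current counting interval
    count = 0                      # transitions seen in the current interval
    held_until = float("-inf")     # port is held down until this time
    for t in sorted(down_times):
        if t < held_until:
            continue               # assumption: a held-down port cannot flap
        if window_start is None or (interval != 0 and t - window_start >= interval):
            window_start, count = t, 0   # assumption: fixed window, then restart
        count += 1
        if count >= threshold:
            release = None if downtime == 0 else t + downtime
            violations.append((t, release))
            held_until = float("inf") if downtime == 0 else release
            window_start, count = None, 0
    return violations


def linkflap_commands(port, threshold, interval, downtime, action):
    """Build the CLI lines, using the syntax shown in this section."""
    if action not in ACTIONS:
        raise ValueError("unknown linkflap action: %r" % (action,))
    return [
        "set linkflap globalstate enable",
        "set linkflap portstate enable %s" % port,
        "set linkflap interval %s %d" % (port, interval),
        "set linkflap threshold %s %d" % (port, threshold),
        "set linkflap downtime %s %d" % (port, downtime),
        "set linkflap action %s %s" % (port, action),
    ]


if __name__ == "__main__":
    # Constructed link-down timestamps for one port, in seconds.
    observed = [0, 1, 2, 10, 100, 400, 401, 402]
    print(replay_linkflap(observed, threshold=3, interval=5, downtime=300))
    for line in linkflap_commands("ge.1.4", 3, 5, 300, "all"):
        print(line)
```

With the constructed timestamps, a threshold of 3 in a 5-second interval trips twice; the events at 10 and 100 seconds fall inside the first hold-down and are not counted.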
Commands
For information about...    Refer to page...
show port broadcast         7-30
set port broadcast          7-31
clear port broadcast        7-31
Syntax
show port broadcast [port-string]
Parameters
port-string    (Optional) Select the ports for which to show broadcast suppression thresholds. For a detailed description of possible port string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, broadcast status of all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the broadcast suppression thresholds for ports 1 through 4:
C2(su)->show port broadcast ge.1.1-4
Port      Total BC     Threshold
          Packets      (pkts/s)
----------------------------------------
ge.1.1    0            50
ge.1.2    0            50
ge.1.3    0            40
ge.1.4    0            14881
Syntax
set port broadcast port-string threshold-val
Parameters
port-string      Select the ports for which to configure broadcast suppression thresholds. For a detailed description of possible port string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
threshold-val    Sets the packets per second threshold on broadcast traffic. Maximum value is:
                 - 148810 for Fast Ethernet ports
                 - 1488100 for 1-Gigabit ports
                 - 14881000 for 10-Gigabit ports
Defaults
None.
Mode
Switch command, read-write.
Usage
Per port broadcast suppression is hardset to be globally enabled on the C2. If you would like to disable broadcast suppression, you can get the same result by setting the threshold limit for each port to the maximum number of packets which can be received per second as listed in the parameters section, above. The default broadcast suppression threshold for all ports is set to 14881.
Example
This example configures ports 1 through 5 with a broadcast limit of 50 pps:
C2(su)->set port broadcast ge.1.1-5 50
Syntax
clear port broadcast port-string threshold
Parameters
port-string    Select the ports for which to clear broadcast suppression thresholds. For a detailed description of possible port string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears the broadcast threshold limit to 14881 pps for ports 1 through 5:
C2(su)->clear port broadcast ge.1.1-5 threshold
Port Mirroring
Caution: Port mirroring configuration should be performed only by personnel who are knowledgeable about the effects of port mirroring and its impact on network operation.
Mirroring Features
The SecureStack C2 device supports the following mirroring features:
- Mirroring can be configured in a many-to-one configuration so that one target (destination) port can monitor traffic on up to 8 source ports. Only one mirror destination port can be configured per stack, if applicable.
- Both transmit and receive traffic will be mirrored.
- A destination port will only act as a mirroring port when the session is operationally active.
- When a port mirror is created, the mirror destination port is removed from the egress list of VLAN 1 after a reboot.
- MAC addresses will be learned for packets tagged with the mirror VLAN ID. This will prevent the ability to snoop traffic across multiple hops.
Caution: Traffic mirrored to a VLAN may contain control traffic. This may be interpreted by the downstream neighbor as legal control frames. It is recommended that you disable any protocols (such as Spanning Tree) on inter-switch connections that might be affected.
Procedures
Perform the following steps to configure and monitor port mirroring using SMON MIB objects.
To create and enable a port mirroring instance:
1. Open a MIB browser, such as Netsight MIB Tools.
2. In the MIB directory tree, navigate to the portCopyEntry folder and expand it.
3. Select the portCopyStatus MIB.
4. Enter a desired source and target port in the Instance field using the format source.target. For example, 3.2 would create a relationship where source port ge.1.3 would be mirrored to target port ge.1.2.
Note: In order to configure a port mirroring relationship, both source and destination interfaces must be enabled and operational (up).
5. 6.
4. 5.
Purpose
To review and configure port mirroring on the device.
Commands
For information about...    Refer to page...
show port mirroring         7-35
set port mirroring          7-35
clear port mirroring        7-36
Syntax
show port mirroring
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display port mirroring information. In this case, ge.1.4 is configured as a source port and ge.1.11 is a target and mirroring has been enabled between these ports:
C2(su)->show port mirroring
Port Mirroring
==============
Source Port = ge.1.4
Target Port = ge.1.11
Frames Mirrored = Rx and Tx
Port Mirroring status enabled.
Syntax
set port mirroring {create | disable | enable} source destination
Parameters
create | disable | enable    Creates, disables or enables mirroring settings on the specified ports.
source                       Specifies the source port designation. This is the port on which the traffic will be monitored. For a detailed description of possible port string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
destination                  Specifies the target port designation. This is the port that will duplicate or mirror all the traffic on the monitored port. Only one destination port can be configured per stack, if applicable. For a detailed description of possible port string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Usage
Note that LAG ports and their underlying physical ports, as described in "Link Aggregation Control Protocol (LACP)" on page 7-38, cannot be mirrored.
Example
This example shows how to create and enable port mirroring with ge.1.4 as the source port, and ge.1.11 as the target port:
C2(su)->set port mirroring create ge.1.4 ge.1.11
C2(su)->set port mirroring enable ge.1.4 ge.1.11
Syntax
clear port mirroring source destination
Parameters
source         Specifies the source port of the mirroring configuration to be cleared. For a detailed description of possible port string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
destination    Specifies the target port of the mirroring configuration to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear port mirroring between source port ge.1.4 and target port ge.1.11:
C2(su)->clear port mirroring ge.1.4 ge.1.11
Using multiple links simultaneously to increase bandwidth is a desirable switch feature, which can be accomplished if both sides agree on a set of ports that are being used as a Link Aggregation Group (LAG). Once a LAG is formed from selected ports, problems with looping can be avoided since the Spanning Tree can treat this LAG as a single port.
Enabled by default, the Link Aggregation Control Protocol (LACP) logically groups interfaces together to create a greater bandwidth uplink, or link aggregation, according to the IEEE 802.3ad standard. This standard allows the switch to determine which ports are in LAGs and configure them dynamically. Since the protocol is based on the IEEE 802.3ad specification, any switch from any vendor that supports this standard can aggregate links automatically.
802.3ad LACP aggregations can also be run to end-users (that is, a server) or to a router.
Note: Earlier (proprietary) implementations of port aggregation referred to groups of aggregated ports as trunks.
LACP Operation
For each aggregatable port in the device, LACP:
- Maintains configuration information (reflecting the inherent properties of the individual links as well as those established by management) to control aggregation.
- Exchanges configuration information with other devices to allocate the link to a Link Aggregation Group (LAG).
Note: A given link is allocated to, at most, one Link Aggregation Group (LAG) at a time. The allocation mechanism attempts to maximize aggregation, subject to management controls.
Note: The path cost of a LAG port will be displayed as zero when it is not an active link.
LACP Terminology
Table 7-5 defines key terminology used in LACP configuration.
Table 7-5
Term               Definition
Aggregator
LAG
LACPDU             Link Aggregation Control Protocol Data Unit. The protocol exchanges aggregation state/mode information by way of a port's actor and partner operational states. LACPDUs sent by the first party (the actor) convey to the second party (the actor's protocol partner) what the actor knows, both about its own state and that of its partner.
                   An actor is the local device sending LACPDUs. Its protocol partner is the device on the other end of the link aggregation. Each maintains current status of the other via LACPDUs containing information about their ports' LACP status and operational state.
Admin Key          Value assigned to aggregator ports and physical ports that are candidates for joining a LAG. The LACP implementation on SecureStack C2 devices will use this value to form an oper key and will determine which underlying physical ports are capable of aggregating by comparing oper keys. Aggregator ports allow only underlying ports with oper keys matching theirs to join their LAG. On SecureStack C2 devices, the default admin key value is 32768.
System Priority    Value used to build a LAG ID, which determines aggregation precedence. If there are two partner devices competing for the same aggregator, LACP compares the LAG IDs for each grouping of ports. The LAG with the lower LAG ID is given precedence and will be allowed to use the aggregator. Note: Only one LACP system priority can be set on a SecureStack C2 device, using either the set lacp asyspri command (page 7-43), or the set port lacp command (page 7-48).
is, will block redundant paths). For information about building static aggregations, refer to set lacp static (page 7-44).
Each SecureStack C2 module provides six virtual link aggregator ports, which are designated in the CLI as lag.0.1 through lag.0.6. Each LAG can have up to eight associated physical ports. Once underlying physical ports (for example, fe.x.x, or ge.x.x) are associated with an aggregator port, the resulting aggregation will be represented as one LAG with a lag.0.x port designation. LACP determines which underlying physical ports are capable of aggregating by comparing operational keys. Aggregator ports allow only underlying ports with keys matching theirs to join their LAG.
LACP uses a system priority value to build a LAG ID, which determines aggregation precedence. If there are two partner devices competing for the same aggregator, LACP compares the LAG IDs for each grouping of ports. The LAG with the lower LAG ID is given precedence and will be allowed to use the aggregator.
There are a few cases in which ports will not aggregate:
- An underlying physical port is attached to another port on this same switch (loopback).
- There is no available aggregator for two or more ports with the same LAG ID. This can happen if there are simply no available aggregators, or if none of the aggregators have a matching admin key and system priority.
- 802.1x authentication is enabled using the set eapol command (page 2319) and ports that would otherwise aggregate are not 802.1X authorized.
The LACP implementation on the SecureStack C2 device will allow up to eight physical ports into a LAG. The device with the lowest LAG ID determines which underlying physical ports are allowed into a LAG based on the ports' LAG port priority. Ports with the lowest LAG port priority values are allowed into the LAG and all other speed groupings go into a standby state.
Multi-port LAGs will continue to operate as long as there is at least one active port in the LAG. Therefore, there is no need to create backup single port LAGs or to specifically assign the LAG and all its physical ports to the egress list of the LAG's VLAN.
Typically, two or more ports are required to form a LAG. However, you can enable the creation of single port LAGs as described in "set lacp singleportlag" on page 7-46. If a single port LAG goes down and the switch stays up, the switch will reconfigure the LAG to the same LAG number if the port comes back up.
Note: To aggregate, underlying physical ports must be running in full duplex mode and must be of the same operating speed.
Commands
For information about...     Refer to page...
show lacp                    7-41
set lacp                     7-42
set lacp asyspri             7-43
set lacp aadminkey           7-43
clear lacp                   7-44
set lacp static              7-44
clear lacp static            7-45
set lacp singleportlag
clear lacp singleportlag
show port lacp
set port lacp
clear port lacp
show lacp
Use this command to display information about one or more aggregator ports.
Syntax
show lacp [port-string]
Parameters
port-string    (Optional) Displays LACP information for specific LAG port(s). Valid port designations are lag.0.1-6.
Defaults
If port-string is not specified, link aggregation information for all LAGs will be displayed.
Mode
Switch command, read-only.
Usage
Each SecureStack C2 module provides 6 virtual link aggregator ports, which are designated in the CLI as lag.0.1 through lag.0.6. Once underlying physical ports (that is, ge.x.x) are associated with an aggregator port, the resulting aggregation will be represented as one Link Aggregation Group (LAG) with a lag.x.x port designation.
Example
This example shows how to display lacp information for lag.0.1. The following table describes the output fields.
C2(su)->show lacp lag.0.1
Global Link Aggregation state: enabled
Single Port LAGs: disabled
Aggregator: lag.0.1
                     Actor                Partner
System Identifier:   00:01:F4:5F:1E:20    00:11:88:11:74:F9
System Priority:     32768                32768
Admin Key:           32768
Oper Key:            32768                0
Attached Ports:      ge.1.1
                     ge.1.3
Table 7-6 provides an explanation of the command output.
Table 7-6
Output Field
Global Link Aggregation state
Single Port LAGs
Aggregator
set lacp
Use this command to disable or enable the Link Aggregation Control Protocol (LACP) on the device.
Syntax
set lacp {disable | enable}
Parameters
disable | enable    Disables or enables LACP.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable LACP:
C2(su)->set lacp disable
Syntax
set lacp asyspri value
Parameters
asyspri    Sets the system priority to be used in creating a LAG (Link Aggregation Group) ID. Valid values are 0 to 65535.
value      Specifies a system priority value. Valid values are 0 to 65535, with precedence given to lower values.
Defaults
None.
Mode
Switch command, read-write.
Usage
LACP uses this value to determine aggregation precedence. If there are two partner devices competing for the same aggregator, LACP compares the LAG IDs for each grouping of ports. The LAG with the lower LAG ID is given precedence and will be allowed to use the aggregator.
Example
This example shows how to set the LACP system priority to 1000:
C2(su)->set lacp asyspri 1000
Syntax
set lacp aadminkey port-string value
Parameters
port-string    Specifies the LAG port(s) on which to assign an admin key.
value          Specifies an admin key value to set. Valid values are 0 to 65535. The default admin key value is 32768.
Defaults
None.
Mode
Switch command, read-write.
Usage
LACP will use this value to form an oper key. Only underlying physical ports with oper keys matching those of their aggregators will be allowed to aggregate. The default admin key value for all LAG ports is 32768.
Example
This example shows how to set the LACP admin key to 2000 for LAG port 6:
C2(su)->set lacp aadminkey lag.0.6 2000
clear lacp
Use this command to clear LACP system priority or admin key settings.
Syntax
clear lacp {[asyspri] [aadminkey port-string]}
Parameters
asyspri                  Clears system priority.
aadminkey port-string    Resets admin keys for one or more ports to the default value of 32768.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the actor admin key for LAG port 6:
C2(su)->clear lacp aadminkey lag.0.6
Syntax
set lacp static {disable | enable} | lagportstring [key] port-string
Parameters
disable | enable    Disables or enables static link aggregation.
lagportstring       Specifies the LAG aggregator port to which new ports will be assigned.
key
portstring
Defaults
If not specified, a key will be assigned according to the specified aggregator. For example a key of 4 would be assigned to lag.0.4.
Mode
Switch command, read-write.
Example
This example shows how to add port ge.1.6 to the LAG of aggregator port 6:
C2(su)->set lacp static lag.0.6 ge.1.6
Syntax
clear lacp static lagportstring port-string
Parameters
lagportstring    Specifies the LAG aggregator port from which ports will be removed.
port-string      Specifies the port(s) to remove from the LAG. For a detailed description of possible port string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to remove ge.1.6 from the LAG of aggregator port 6:
C2(su)->clear lacp static lag.0.6 ge.1.6
Syntax
set lacp singleportlag {enable | disable}
Parameters
disable | enable   Enables or disables the formation of single port LAGs.
Defaults
None.
Mode
Switch command, read-write.
Usage
When single port LAGs are enabled, Link Aggregation Groups can be formed when only one port is receiving protocol transmissions from a partner. When this setting is disabled, two or more ports are required to form a LAG.
This setting has no effect on existing LAGs created with multiple member ports. It also does not prevent previously formed LAGs from coming up after they have gone down, as long as any previous LAG member ports come up connected to the same switch as before the LAG went down.
Example
This example enables the formation of single port LAGs:
C2(su)->set lacp singleportlag enable
Syntax
clear lacp singleportlag
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the single port LAG function back to disabled:
C2(su)->clear lacp singleportlag
Syntax
show port lacp port port-string {[status {detail | summary}] | [counters]}
Parameters
port port-string          Displays LACP information for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
status detail | summary   Displays LACP status in detailed or summary information.
counters                  Displays LACP counter information.
Defaults
None.
Mode
Switch command, read-only.
Usage
State definitions, such as ActorAdminState and PartnerAdminState, are indicated with letter abbreviations. If the show port lacp command displays one or more of the following letters, it means the state is true for the associated actor or partner ports:
E = Expired
F = Defaulted
D = Distributing (tx enabled)
C = Collecting (rx enabled)
S = Synchronized (actor and partner agree)
G = Aggregation allowed
S/l = Short/Long LACP timeout
A/p = Active/Passive LACP
Examples
This example shows how to display detailed LACP status information for port ge.1.12:
C2(su)-> show port lacp port ge.1.12 status detail
Port Instance: ge.1.12
ActorPort: 1411
ActorSystemPriority: 32768
ActorPortPriority: 32768
ActorAdminKey: 32768
ActorOperKey: 32768
ActorAdminState: -----GlA
ActorOperState: -F----lA
ActorSystemID: 00-e0-63-9d-b5-87
SelectedAggID: none
AttachedAggID: none
MuxState: Detached
DebugRxState: port Disabled
PartnerAdminPort: 1411
PartnerOperPort: 1411
PartnerAdminSystemPriority: 32768
PartnerOperSystemPriority: 32768
PartnerAdminPortPriority: 32768
PartnerOperPortPriority: 32768
PartnerAdminKey: 1411
PartnerOperKey: 1411
PartnerAdminState: --DCSGlp
PartnerOperState: --DC-Glp
PartnerAdminSystemID: 00-00-00-00-00-00
PartnerOperSystemID: 00-00-00-00-00-00
This example shows how to display summarized LACP status information for port ge.1.12:
C2(su)->show port lacp port ge.1.12 status summary
Port      Aggr   Actor System                 Partner System
                 Pri:  System ID:  Key:       Pri:  System ID:  Key:
ge.1.12   none   [(32768,00e0639db587,32768),(32768,000000000000, 1411)]
This example shows how to display LACP counters for port ge.1.12:
C2(su)->show port lacp port ge.1.12 counters
Port Instance: ge.1.12
LACPDUsRx: 11067
LACPDUsTx: 0
IllegalRx: 0
UnknownRx: 0
MarkerPDUsRx: 0
MarkerPDUsTx: 0
MarkerResponsePDUsRx: 0
MarkerResponsePDUsTx: 374
Syntax
set port lacp port port-string {[aadminkey aadminkey] [aadminstate {lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire}] [aportpri aportpri] [asyspri asyspri] [enable | [disable] [padminkey padminkey] [padminport padminport] [padminportpri padminportpri] [padminstate {lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire}] [padminsysid padminsysid] [padminsyspri padminsyspri]
Parameters
port port-string            Specifies the physical port(s) on which to configure LACP. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
aadminkey aadminkey         Sets the port's actor admin key. LACP will use this value to form an oper key and will determine which underlying physical ports are capable of aggregating by comparing oper keys. Aggregator ports allow only underlying ports with oper keys matching theirs to join their LAG. Valid values are 1-65535. The default key value is 32768.
aportpri aportpri
asyspri asyspri
padminstate lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire
                            Sets a port's partner LACP administrative state. See aadminstate for valid options.
padminsysid padminsysid     Sets a default value to use as the port's partner system ID. This is a MAC address.
padminsyspri padminsyspri   Sets a default value to use as the port's partner priority. Valid values are 0-65535, with lower values given higher priority.
Defaults
At least one parameter must be entered per port-string.
If enable or disable are not specified, port(s) will be enabled with the LACP parameters entered.
Mode
Switch command, read-write.
Usage
LACP commands and parameters beginning with an "a" (such as aadminkey) set actor values. Corresponding commands and parameters beginning with a "p" (such as padminkey) set corresponding partner values. Actor refers to the local device participating in LACP negotiation, while partner refers to its remote device partner at the other end of the negotiation. Actors and partners maintain current status of the other via LACPDUs containing information about their ports' LACP status and operational state.
Example
This example shows how to set the actor admin key to 3555 for port ge.3.16:
C2(su)->set port lacp port ge.3.16 aadminkey 3555
Syntax
clear port lacp port port-string {[aadminkey] [aportpri] [asyspri] [aadminstate {lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire | all}] [padminsyspri] [padminsysid] [padminkey] [padminportpri] [padminport] [padminstate {lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire | all}]}
Parameters
port port-string   Specifies the physical port(s) on which LACP settings will be cleared. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
aadminkey          Clears a port's actor admin key.
aportpri           Clears a port's actor port priority.
asyspri            Clears the port's actor system priority.
aadminstate lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire | all
                   Clears a port's specific actor admin state, or all actor admin state(s). For descriptions of specific states, refer to the set port lacp command ("set port lacp" on page 7-48).
padminsyspri       Clears the port's default partner priority value.
padminsysid        Clears the port's default partner system ID.
padminkey          Clears the port's default partner admin key.
padminportpri      Clears the port's default partner port priority.
padminport         Deletes a partner port from the LACP configuration.
Defaults
None.
Mode
Switch command, read-write.
Usage
If you set a port to LACP passive using the command clear port lacp port <port-string> aadminstate lacpactive, the command clear port lacp port <port-string> aadminstate lacptimeout will also be added to the configuration. If you unset the first command, it will remove the second command automatically from the configuration file.
Example
This example shows how to clear all link aggregation parameters for port ge.3.16:
C2(su)->clear port lacp port ge.3.16
Commands
set port protected
show port protected
clear port protected
set port protected name
show port protected name
clear port protected name
Syntax
set port protected port-string group-id
Parameters
port-string   Specifies the port or ports to be protected.
group-id      Specifies the id of the group to which the ports should be assigned. Id can range from 0 to 2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to assign ports ge.1.1 through ge.1.3 to protected port group 1:
C2(rw)->set port protected ge.1.1-3 1
Syntax
show port protected [port-string] | [group-id]
Parameters
port-string   (Optional) Specifies the port or ports for which to display information.
group-id      (Optional) Specifies the id of the group for which to display information. Id can range from 0 to 2.
Defaults
If no parameters are entered, information about all protected ports is displayed.
Mode
Read-only.
Example
This example shows how to display information about all protected ports:
C2(ro)->show port protected
Group id   Port
----------------------
1          ge.1.1
1          ge.1.2
1          ge.1.3
Syntax
clear port protected [port-string] | [group-id]
Parameters
port-string   (Optional) Specifies the port or ports to remove from protected mode.
group-id      (Optional) Specifies the id of the group to remove from protected mode. Id can range from 0 to 2.
Defaults
If no parameters are entered, all protected ports and groups are cleared.
Mode
Switch command, read-write.
Example
This example shows how to clear protected ports ge.1.1 through ge.1.3:
C2(rw)->clear port protected ge.1.1-3
Syntax
set port protected name group-id name
Parameters
group-id   Specifies the id of this group. Id can range from 0 to 2.
name       Specifies a name for the group. The name can be up to 32 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to assign the name group1 to protected port group 1:
C2(rw)->set port protected name 1 group1
Syntax
show port protected name group-id
Parameters
group-id   Specifies the id of the group to display. Id can range from 0 to 2.
Defaults
None.
Mode
Read-only.
Example
This example shows how to show the name of protected port group 1:
C2(ro)->show port protected name 1
Group ID   Group Name
-----------------------------
1          group1
Syntax
clear port protected name group-id
Parameters
group-id   Specifies the id of the group for which to clear the name. Id can range from 0 to 2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the name of protected port group 1:
C2(rw)->clear port protected name 1
8
SNMP Configuration
This chapter describes the Simple Network Management Protocol (SNMP) set of commands and how to use them.
For information about...
SNMP Configuration Summary
Reviewing SNMP Statistics
Configuring SNMP Users, Groups, and Communities
Configuring SNMP Access Rights
Configuring SNMP MIB Views
Configuring SNMP Target Parameters
Configuring SNMP Target Addresses
Configuring SNMP Notification Parameters
Creating a Basic SNMP Trap Configuration
SNMP network management applications, such as the Enterasys NetSight application, which communicate with agents to get statistics and alerts from the managed devices.
SNMPv3
SNMPv3 is an interoperable standards-based protocol that provides secure access to devices by authenticating and encrypting frames over the network. The advanced security features provided in SNMPv3 are as follows:
Message integrity: Collects data securely without being tampered with or corrupted.
Authentication: Determines the message is from a valid source.
Encryption: Scrambles the contents of a frame to prevent it from being seen by an unauthorized source.
Unlike SNMPv1 and SNMPv2c, in SNMPv3, the concept of SNMP agents and SNMP managers no longer apply. These concepts have been combined into an SNMP entity. An SNMP entity consists of an SNMP engine and SNMP applications. An SNMP engine consists of the following four components:
Dispatcher: This component sends and receives messages.
Message processing subsystem: This component accepts outgoing PDUs from the dispatcher and prepares them for transmission by wrapping them in a message header and returning them to the dispatcher. The message processing subsystem also accepts incoming messages from the dispatcher, processes each message header, and returns the enclosed PDU to the dispatcher.
Security subsystem: This component authenticates and encrypts messages.
Access control subsystem: This component determines which users and which operations are allowed access to managed objects.
Table 8-1
Model v3
authPriv
MD5 or SHA
DES
Example
This example permits the powergroup to manage all MIBs via SNMPv3:
C2(su)->set snmp access powergroup security-model usm
Configuration Considerations
Commands for configuring SNMP on the SecureStack C2 device are independent during the SNMP setup process. For instance, target parameters can be specified when setting up optional notification filters even though these parameters have not yet been created with the set snmp targetparams command.
Commands
show snmp engineid
show snmp counters
Syntax
show snmp engineid
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP engine properties:
C2(su)->show snmp engineid
EngineId: 80:00:15:f8:03:00:e0:63:9d:b5:87
Engine Boots = 12
Engine Time = 162181
Max Msg Size = 2048
Output Field EngineId Engine Boots Engine Time Max Msg Size
Syntax
show snmp counters
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP counter values:
C2(su)->show snmp counters
--- mib2 SNMP group counters:
snmpInPkts = 396601
snmpOutPkts = 396601
snmpInBadVersions = 0
snmpInBadCommunityNames = 0
snmpInBadCommunityUses = 0
snmpInASNParseErrs = 0
snmpInTooBigs = 0
snmpInNoSuchNames = 0
snmpInBadValues = 0
snmpInReadOnlys = 0
snmpInGenErrs = 0
snmpInTotalReqVars = 403661
snmpInTotalSetVars = 534
snmpInGetRequests = 290
snmpInGetNexts = 396279
snmpInSetRequests = 32
snmpInGetResponses = 0
snmpInTraps = 0
snmpOutTooBigs = 0
snmpOutNoSuchNames = 11
snmpOutBadValues = 0
snmpOutGenErrs = 0
snmpOutGetRequests = 0
snmpOutGetNexts = 0
snmpOutSetRequests = 0
snmpOutGetResponses = 396601
snmpOutTraps = 0
snmpSilentDrops = 0
snmpProxyDrops = 0
--- USM Stats counters:
usmStatsUnsupportedSecLevels = 0
usmStatsNotInTimeWindows = 0
usmStatsUnknownUserNames = 0
= 0 = 0 = 0
snmpInASNParseErrs
Table 8-3
Output Field snmpOutBadValues snmpOutGenErrs snmpOutGetRequests snmpOutGetNexts snmpOutSetRequests snmpOutGetResponses snmpOutTraps snmpSilentDrops
snmpProxyDrops
usmStatsUnknownUserNames
usmStatsUnknownEngineIDs
usmStatsWrongDigests usmStatsDecriptionErrors
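One way to use these counters for detection, as an added Python example that is not part of the Enterasys guide: parse two captures of show snmp counters and report growth in the counters that count rejected requests. Both snapshots are constructed, and the function names and the choice of watched counters are assumptions of this example.

```python
import re

# Counters that increase when the agent rejects a request (bad community,
# unknown USM user, failed digest or decryption). Names are spelled as the
# device prints them above. usmStatsNotInTimeWindows and
# usmStatsUnknownEngineIDs are left out on purpose: they also tick during
# normal SNMPv3 engine discovery and time synchronisation.
WATCHED = (
    "snmpInBadCommunityNames",
    "snmpInBadCommunityUses",
    "usmStatsUnsupportedSecLevels",
    "usmStatsUnknownUserNames",
    "usmStatsWrongDigests",
    "usmStatsDecriptionErrors",
)

PAIR = re.compile(r"([A-Za-z][A-Za-z0-9]*)\s*=\s*(\d+)")


def parse_counters(output):
    """Turn 'name = value' pairs from the CLI output into a dict of ints."""
    return {name: int(value) for name, value in PAIR.findall(output)}


def rejected_request_deltas(before, after, threshold=0):
    """Return {counter: increase} for watched counters that grew by more than threshold."""
    old, new = parse_counters(before), parse_counters(after)
    deltas = {}
    for name in WATCHED:
        if name not in new:
            continue
        previous, current = old.get(name, 0), new[name]
        # A value lower than the previous capture means the agent restarted
        # and the counter began again from zero, so count from zero.
        delta = current - previous if current >= previous else current
        if delta > threshold:
            deltas[name] = delta
    return deltas


# Constructed snapshots, shaped like the show snmp counters output above.
BEFORE = """\
--- mib2 SNMP group counters:
snmpInPkts = 396601
snmpInBadCommunityNames = 0
snmpInBadCommunityUses = 0
--- USM Stats counters:
usmStatsUnsupportedSecLevels = 0
usmStatsUnknownUserNames = 0
usmStatsWrongDigests = 0
"""

AFTER = """\
--- mib2 SNMP group counters:
snmpInPkts = 397402
snmpInBadCommunityNames = 57
snmpInBadCommunityUses = 0
--- USM Stats counters:
usmStatsUnsupportedSecLevels = 0
usmStatsUnknownUserNames = 12
usmStatsWrongDigests = 3
"""

if __name__ == "__main__":
    for counter, increase in rejected_request_deltas(BEFORE, AFTER).items():
        print(f"{counter} grew by {increase}")
```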
Commands
show snmp user
set snmp user
clear snmp user
show snmp group
set snmp group
clear snmp group
show snmp community
set snmp community
clear snmp community
Syntax
show snmp user [list] | [user] | [remote remote] [volatile | nonvolatile | readonly]
Parameters
list            (Optional) Displays a list of registered SNMP user names.
user            (Optional) Displays information about a specific user.
remote remote   (Optional) Displays information about users on a specific remote SNMP engine.
Defaults
If list is not specified, detailed SNMP information will be displayed.
Mode
Switch command, read-only.
Examples
This example shows how to display an SNMP user list:
C2(su)->show snmp user list
--- SNMP user information ---
--- List of registered users:
Guest
admin1
admin2
netops
This example shows how to display information for the SNMP guest user:
(su)->show snmp user guest
--- SNMP user information ---
EngineId: 00:00:00:63:00:00:00:a1:00:00:00:00
Username = Guest
Auth protocol = usmNoAuthProtocol
Privacy protocol = usmNoPrivProtocol
Storage type = nonVolatile
Row status = active
Syntax
set snmp user user [remote remoteid] [authentication {md5 | sha}] [authpassword] [privacy privpassword] [volatile | nonvolatile]
Parameters
user              Specifies a name for the SNMPv3 user.
remote remoteid   (Optional) Registers the user on a specific remote SNMP engine.
Defaults
If remote is not specified, the user will be registered for the local SNMP engine.
If authentication is not specified, no authentication will be applied.
If privacy is not specified, no encryption will be applied.
If storage type is not specified, nonvolatile will be applied.
Mode
Switch command, read-write.
Example
This example shows how to create a new SNMP user named netops. By default, this user will be registered on the local SNMP engine without authentication and encryption. Entries related to this user will be stored in permanent (nonvolatile) memory:
C2(su)->set snmp user netops
Syntax
clear snmp user user [remote remote]
Parameters
user            Specifies an SNMPv3 user to remove.
remote remote   (Optional) Removes the user from a specific remote SNMP engine.
Defaults
If remote is not specified, the user will be removed from the local SNMP engine.
Mode
Switch command, read-write.
Example
This example shows how to remove the SNMP user named bill:
C2(su)->clear snmp user bill
Syntax
show snmp group [groupname groupname] [user user] [security-model {v1 | v2c | usm}] [volatile | nonvolatile | read-only]
Parameters
groupname groupname   (Optional) Displays information for a specific SNMP group.
user user             (Optional) Displays information about users within the specified group.
Defaults
If groupname is not specified, information about all SNMP groups will be displayed.
If user is not specified, information about all SNMP users will be displayed.
If security-model is not specified, user information about all SNMP versions will be displayed.
If not specified, information for all storage types will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP group information:
C2(su)->show snmp group
--- SNMP group information ---
Security model     = SNMPv1
Security/user name = public
Group name         = Anyone
Storage type       = nonVolatile
Row status         = active

Security model     = SNMPv1
Security/user name = public.router1
Group name         = Anyone
Storage type       = nonVolatile
Row status         = active
Syntax
set snmp group groupname user user security-model {v1 | v2c | usm} [volatile | nonvolatile]
Parameters
groupname   Specifies an SNMP group name to create.
user user   Specifies an SNMPv3 user name to assign to the group.
Defaults
If storage type is not specified, nonvolatile storage will be applied.
Mode
Switch command, read-write.
Example
This example shows how to create an SNMP group called anyone, assign a user named public and assign SNMPv3 security to the group:
C2(su)->set snmp group anyone user public security-model usm
Syntax
clear snmp group groupname user [security-model {v1 | v2c | usm}]
Parameters
groupname   Specifies the SNMP group to be cleared.
user        Specifies the SNMP user to be cleared.
Defaults
If not specified, settings related to all security models will be cleared.
Mode
Switch command, read-write.
Example
This example shows how to clear all settings assigned to the public user within the SNMP group anyone:
C2(su)->clear snmp group anyone public
Syntax
show snmp community [name]
Parameters
name   (Optional) Displays SNMP information for a specific community name.
Defaults
If name is not specified, information will be displayed for all SNMP communities.
Mode
Switch command, read-only.
Example
This example shows how to display information about the SNMP public community name. For a description of this output, refer to set snmp community (page 8-14).
C2(su)->show snmp community public
--- Configured community strings ---
Name          = *********
Security name = public
Context       =
Transport tag =
Storage type  = nonVolatile
Status        = active
Syntax
set snmp community community [securityname securityname] [context context] [transport transport] [volatile | nonvolatile]
Parameters
community                   Specifies a community group name.
securityname securityname   (Optional) Specifies an SNMP security name to associate with this community.
context context             (Optional) Specifies a subset of management information this community will be allowed to access. Valid values are full or partial context names. To review all contexts configured for the device, use the show snmp context command as described in "show snmp context" on page 8-20.
transport transport         (Optional) Specifies the set of transport endpoints from which SNMP request with this community name will be accepted. Makes a link to a target address table.
volatile | nonvolatile      (Optional) Specifies the storage type for these entries.
Defaults
If securityname is not specified, the community name will be used.
If context is not specified, access will be granted for the default context.
If transport tag is not specified, none will be applied.
If storage type is not specified, nonvolatile will be applied.
Mode
Switch command, read-write.
Example
This example shows how to set an SNMP community name called vip:
C2(su)->set snmp community vip
Syntax
clear snmp community name
Parameters
name   Specifies the SNMP community name to clear.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete the community name vip:
C2(su)->clear snmp community vip
Commands
show snmp access
set snmp access
clear snmp access
Syntax
show snmp access [groupname] [security-model {v1 | v2c | usm}] [noauthentication | authentication | privacy] [context context] [volatile | nonvolatile | read-only]
Parameters
groupname                                     (Optional) Displays access information for a specific SNMPv3 group.
security-model v1 | v2c | usm                 (Optional) Displays access information for SNMP security model version 1, 2c or 3 (usm).
noauthentication | authentication | privacy   (Optional) Displays access information for a specific security level.
context context
Defaults
If groupname is not specified, access information for all SNMP groups will be displayed.
If security-model is not specified, access information for all SNMP versions will be displayed.
If noauthentication, authentication or privacy are not specified, access information for all security levels will be displayed.
If context is not specified, all contexts will be displayed.
If volatile, nonvolatile or read-only are not specified, all entries of all storage types will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP access information:
C2(su)->show snmp Group = Security model = Security level = Read View = Write View = Notify View = Context match = Storage type = Row status = Group Security model Security level Read View Write View Notify View Context match Storage type Row status = = = = = = = = = access SystemAdmin USM noAuthNoPriv All All exact match nonVolatile active NightOperator USM noAuthNoPriv All All exact match nonVolatile active
Table 8-6
Read View       Name of the view that allows this group to view SNMP MIB objects.
Write View      Name of the view that allows this group to configure the contents of the SNMP agent.
Notify View     Name of the view that allows this group to send an SNMP trap message.
Context match   Whether or not SNMP context match must be exact (full context name match) or a partial match with a given prefix.
Storage type    Whether access entries for this group are stored in volatile, nonvolatile or read-only memory.
Row status      Status of this entry: active, notInService, or notReady.
Syntax
set snmp access groupname security-model {v1 | v2c | usm} [noauthentication | authentication | privacy] [context context] [exact | prefix] [read read] [write write] [notify notify] [volatile | nonvolatile]
Parameters
groupname                                     Specifies a name for an SNMPv3 group.
security-model v1 | v2c | usm                 Specifies SNMP version 1, 2c or 3 (usm).
noauthentication | authentication | privacy   (Optional) Applies SNMP security level as no authentication, authentication (without privacy) or privacy. Privacy specifies that messages sent on behalf of the user are protected from disclosure.
context context exact | prefix                (Optional) Sets the context for this access configuration and specifies that the match must be exact (matching the whole context string) or a prefix match only. Context is a subset of management information this SNMP group will be allowed to access. Valid values are full or partial context names. To review all contexts configured for the device, use the show snmp context command as described in "show snmp context" on page 8-20.
read read                                     (Optional) Specifies a read access view.
write write                                   (Optional) Specifies a write access view.
notify notify                                 (Optional) Specifies a notify access view.
volatile | nonvolatile | read-only            (Optional) Stores associated SNMP entries as temporary or permanent, or read-only.
Defaults
If security level is not specified, no authentication will be applied.
If context is not specified, access will be enabled for the default context. If context is specified without a context match, exact match will be applied.
If read view is not specified, none will be applied.
If write view is not specified, none will be applied.
If notify view is not specified, none will be applied.
If storage type is not specified, entries will be stored as permanent and will be held through device reboot.
Mode
Switch command, read-write.
Example
This example permits the powergroup to manage all MIBs via SNMPv3:
C2(su)->set snmp access powergroup security-model usm
Syntax
clear snmp access groupname security-model {v1 | v2c | usm} [noauthentication | authentication | privacy] [context context]
Parameters
groupname                                     Specifies the name of the SNMP group for which to clear access.
security-model v1 | v2c | usm                 Specifies the security model to be cleared for the SNMP access group.
noauthentication | authentication | privacy   (Optional) Clears a specific security level for the SNMP access group.
context context                               (Optional) Clears a specific context for the SNMP access group. Enter // to clear the default context.
Defaults
If security level is not specified, all levels will be cleared.
If context is not specified, none will be applied.
Mode
Switch command, read-write.
Example
This example shows how to clear SNMP version 3 access for the mis-group via the authentication protocol:
C2(su)->clear snmp access mis-group security-model usm authentication
Commands
show snmp view
show snmp context
set snmp view
clear snmp view
Syntax
show snmp view [viewname] [subtree oid-or-mibobject] [volatile | nonvolatile | read-only]
Parameters
viewname                             (Optional) Displays information for a specific MIB view.
subtree oid-or-mibobject             (Optional) Displays information for a specific MIB subtree when viewname is specified.
volatile | nonvolatile | read-only   (Optional) Displays entries for a specific storage type.
Defaults
If no parameters are specified, all SNMP MIB view configuration information will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP MIB view configuration information:
C2(su)->show snmp view
--- SNMP MIB View information ---
View Name    = All
Subtree OID  = 1
Subtree mask =
View Type    = included
Storage type = nonVolatile
Row status   = active

View Name    = All
Subtree OID  = 0.0
Subtree mask =
View Type    = included
Storage type = nonVolatile
Row status   = active

View Name    = Network
Subtree OID  = 1.3.6.1.2.1
Subtree mask =
View Type    = included
Storage type = nonVolatile
Row status   = active
Table 8-7 provides an explanation of the command output. For details on using the set snmp view command to assign variables, refer to "set snmp view" on page 8-21.
Table 8-7 show snmp view Output Details
Output Field   What It Displays...
View Name      Name assigned to a MIB view.
Subtree OID    Name identifying a MIB subtree.
Subtree mask   Bitmask applied to a MIB subtree.
View Type      Whether or not subtree use must be included or excluded for this view.
Storage type   Whether storage is in nonVolatile or Volatile memory.
Row status     Status of this entry: active, notInService, or notReady.
Syntax
show snmp context
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
An SNMP context is a collection of management information that can be accessed by an SNMP agent or entity. The default context allows all SNMP agents to access all management information (MIBs). When created using the set snmp access command ("set snmp access" on page 8-17), other contexts can be applied to limit access to a subset of management information.
Example
This example shows how to display a list of all SNMP contexts known to the device:
C2(su)->show snmp context
--- Configured contexts:
default context (all mibs)
Syntax
set snmp view viewname viewname subtree subtree [mask mask] [included | excluded] [volatile | nonvolatile]
Parameters
viewname viewname        Specifies a name for a MIB view.
subtree subtree          Specifies a MIB subtree name.
mask mask                (Optional) Specifies a bitmask for a subtree.
included | excluded      (Optional) Specifies subtree use (default) or no subtree use.
volatile | nonvolatile   (Optional) Specifies the use of temporary or permanent (default) storage.
Defaults
If not specified, mask will be set to 255.255.255.255.
If not specified, subtree use will be included.
If storage type is not specified, nonvolatile (permanent) will be applied.
Mode
Switch command, read-write.
Example
This example shows how to set an SNMP MIB view to public with a subtree name of 1.3.6.1 included:
C2(su)->set snmp view viewname public subtree 1.3.6.1 included
Syntax
clear snmp view viewname subtree
Parameters
viewname   Specifies the MIB view name to be deleted.
subtree    Specifies the subtree name of the MIB view to be deleted.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete SNMP MIB view public:
C2(su)->clear snmp view public 1.3.6.1
Commands
show snmp targetparams
set snmp targetparams
clear snmp targetparams
Syntax
show snmp targetparams [targetParams] [volatile | nonvolatile | read-only]
Parameters
targetParams                         (Optional) Displays entries for a specific target parameter.
volatile | nonvolatile | read-only   (Optional) Displays target parameter entries for a specific storage type.
Defaults
If targetParams is not specified, entries associated with all target parameters will be displayed.
If not specified, entries of all storage types will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP target parameters information:
C2(su)->show snmp targetparams
--- SNMP TargetParams information ---
Target Parameter Name = v1ExampleParams
Security Name         = public
Message Proc. Model   = SNMPv1
Security Level        = noAuthNoPriv
Storage type          = nonVolatile
Row status            = active

Target Parameter Name = v2cExampleParams
Security Name         = public
Message Proc. Model   = SNMPv2c
Security Level        = noAuthNoPriv
Storage type          = nonVolatile
Row status            = active

Target Parameter Name = v3ExampleParams
Security Name         = CharlieDChief
Message Proc. Model   = USM
Security Level        = authNoPriv
Storage type          = nonVolatile
Row status            = active
Syntax
set snmp targetparams paramsname user user security-model {v1 | v2c | usm} messageprocessing {v1 | v2c | v3} [noauthentication | authentication | privacy] [volatile | nonvolatile]
Parameters
paramsname                                    Specifies a name identifying parameters used to generate SNMP messages to a particular target.
user user                                     Specifies an SNMPv1 or v2 community name or an SNMPv3 user name. Maximum length is 32 bytes.
security-model v1 | v2c | usm                 Specifies the SNMP security model applied to this target parameter as version 1, 2c or 3 (usm).
message-processing v1 | v2c | v3              Specifies the SNMP message processing model applied to this target parameter as version 1, 2c or 3.
noauthentication | authentication | privacy   (Optional) Specifies the SNMP security level applied to this target parameter as no authentication, authentication (without privacy) or privacy. Privacy specifies that messages sent on behalf of the user are protected from disclosure.
volatile | nonvolatile                        (Optional) Specifies the storage type applied to this target parameter.
Defaults
None.
If not specified, security level will be set to noauthentication.
If not specified, storage type will be set to nonvolatile.
Mode
Switch command, read-write.
Example
This example shows how to set SNMP target parameters named v1ExampleParams for a user named fred using version 3 security model and message processing, and authentication:
C2(su)->set snmp targetparams v1ExampleParams user fred security-model usm message-processing v3 authentication
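The Defaults sections for set snmp user, set snmp access and set snmp targetparams mean that a command entered without a security keyword creates an entry with no authentication. The following Python example, added here and not part of the Enterasys guide or firmware, applies those documented defaults to pasted set snmp lines and reports the effective level of each entry; the names netadmin and securegroup, the placeholder passwords and all function names are constructed for the example.

```python
import re
import shlex

# CLI prompt such as "C2(su)->" in front of a pasted command.
PROMPT = re.compile(r"^\S+\((?:su|rw|ro)\)->\s*")
LEVELS = ("noauthentication", "authentication", "privacy")

# Keywords that take a value, per the syntax lines in this guide.
VALUED = {
    "user": {"remote", "authentication", "privacy"},
    "access": {"security-model", "context", "read", "write", "notify"},
    "targetparams": {"user", "security-model", "message-processing"},
    "community": {"securityname", "context", "transport"},
}

# Constructed sample: the guide's own example commands plus two hardened
# variants (netadmin, securegroup and both passwords are placeholders).
SAMPLE = """\
C2(su)->set snmp user netops
C2(su)->set snmp user netadmin authentication sha AUTH-PLACEHOLDER privacy PRIV-PLACEHOLDER
C2(su)->set snmp access powergroup security-model usm
C2(su)->set snmp access securegroup security-model usm privacy read All write All
C2(su)->set snmp targetparams v1ExampleParams user fred security-model usm message-processing v3 authentication
C2(su)->set snmp community vip
"""


def parse_opts(tokens, valued):
    """Split option tokens into {keyword: value} pairs and bare keywords."""
    opts, bare, i = {}, [], 0
    while i < len(tokens):
        if tokens[i] in valued and i + 1 < len(tokens):
            opts[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            bare.append(tokens[i])
            i += 1
    return opts, bare


def effective_level(kind, opts, bare):
    """Apply the documented defaults and return the resulting security level."""
    if kind == "community":
        # SNMPv1/v2c community strings carry no authentication or encryption.
        return "noauthentication"
    if kind == "user":
        # "If authentication is not specified, no authentication will be applied."
        # Privacy without authentication is treated as no authentication here.
        if "authentication" not in opts:
            return "noauthentication"
        return "privacy" if "privacy" in opts else "authentication"
    # access and targetparams: v1 and v2c have no higher level to offer.
    if opts.get("security-model") in ("v1", "v2c"):
        return "noauthentication"
    for word in bare:
        if word in LEVELS:
            return word
    return "noauthentication"  # documented default when no level is given


def audit(config_text):
    """Return [(kind, name, level)] for each set snmp line that creates an entry."""
    results = []
    for raw in config_text.splitlines():
        tokens = shlex.split(PROMPT.sub("", raw.strip()))
        if len(tokens) < 4 or tokens[:2] != ["set", "snmp"] or tokens[2] not in VALUED:
            continue
        kind, name = tokens[2], tokens[3]
        opts, bare = parse_opts(tokens[4:], VALUED[kind])
        results.append((kind, name, effective_level(kind, opts, bare)))
    return results


def weak_entries(config_text):
    """Entries that end up below the privacy (authenticated and encrypted) level."""
    return [entry for entry in audit(config_text) if entry[2] != "privacy"]


if __name__ == "__main__":
    for kind, name, level in weak_entries(SAMPLE):
        print(f"{kind} {name}: effective level {level}")
```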
Syntax
clear snmp targetparams targetParams
Parameters
targetParams   Specifies the name of the parameter in the SNMP target parameters table to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear SNMP target parameters named v1ExampleParams:
C2(su)->clear snmp targetparams v1ExampleParams
Commands
show snmp targetaddr
set snmp targetaddr
clear snmp targetaddr
Syntax
show snmp targetaddr [targetAddr] [volatile | nonvolatile | read-only]
Parameters
targetAddr                           (Optional) Displays information for a specific target address name.
volatile | nonvolatile | read-only   (Optional) When target address is specified, displays target address information for a specific storage type.
Defaults
If targetAddr is not specified, entries for all target address names will be displayed.
If not specified, entries of all storage types will be displayed for a target address.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP target address information:
C2(su)->show snmp targetaddr
Target Address Name = labmachine
Tag List            = v2cTrap
IP Address          = 10.2.3.116
UDP Port#           = 162
Target Mask         = 255.255.255.255
Timeout             = 1500
Retry count         = 4
Parameters          = v2cParams
Storage type        = nonVolatile
Row status          = active
Output Field Target Address Name Tag List IP Address UDP Port# Target Mask Timeout Retry count Parameters Storage type Row status
Syntax
set snmp targetaddr targetaddr ipaddr param param [udpport udpport] [mask mask] [timeout timeout] [retries retries] [taglist taglist] [volatile | nonvolatile]
8-26
SNMP Configuration
Parameters
targetaddr ipaddr paramparam udpportudpport maskmask timeouttimeout SpecifiesauniqueidentifiertoindexthesnmpTargetAddrTable. Maximumlengthis32bytes. SpecifiestheIPaddressofthetarget. SpecifiesanentryintheSNMPtargetparameterstable,whichisused whengeneratingamessagetothetarget.Maximumlengthis32bytes. (Optional)SpecifieswhichUDPportofthetargethosttouse. (Optional)SpecifiestheIPmaskofthetarget. (Optional)Specifiesthemaximumroundtriptimeallowedto communicatetothistargetaddress.Thisvalueisin.01secondsandthe defaultis1500(15seconds.) (Optional)Specifiesthenumberofmessageretriesallowedifaresponseis notreceived.Defaultis3. (Optional)SpecifiesalistofSNMPnotifytagvalues.Thistagsalocation tothetargetaddressasaplacetosendnotifications.Listmustbeenclosed inquotesandtagvaluesmustbeseparatedbyaspace(forexample, tag1tag2). (Optional)Specifiestemporary(default),orpermanentstorageforSNMP entries.
retriesretries taglisttaglist
volatile| nonvolatile
Defaults
If not specified, udpport will be set to 162.
If not specified, mask will be set to 255.255.255.255.
If not specified, timeout will be set to 1500.
If not specified, number of retries will be set to 3.
If taglist is not specified, none will be set.
If not specified, storage type will be nonvolatile.
Mode
Switch command, read-write.
Example
This example shows how to configure a trap notification called TrapSink. This trap notification will be sent to the workstation 192.168.190.80 (which is target address tr). It will use security and authorization criteria contained in a target parameters entry called v2cExampleParams. For more information on configuring a basic SNMP trap, refer to "Creating a Basic SNMP Trap Configuration" on page 8-37:
C2(su)->set snmp targetaddr tr 192.168.190.80 param v2cExampleParams taglist TrapSink
Syntax
clear snmp targetaddr targetAddr
Parameters
targetAddr: Specifies the target address entry to delete.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear SNMP target address entry tr:
C2(su)->clear snmp targetaddr tr
Purpose
To configure SNMP notification parameters and optional filters. Notifications are entities which handle the generation of SNMPv1 and v2 "traps" or SNMPv3 "informs" messages to select management targets. Optional notification filters identify which targets should not receive notifications. For a sample SNMP trap configuration showing how SNMP notification parameters are associated with security and authorization criteria (target parameters) and mapped to a management target address, refer to "Creating a Basic SNMP Trap Configuration" on page 8-37.
Commands
For information about...
show newaddrtrap
set newaddrtrap
show snmp notify
set snmp notify
clear snmp notify
show snmp notifyfilter
set snmp notifyfilter
clear snmp notifyfilter
show snmp notifyprofile
set snmp notifyprofile
clear snmp notifyprofile
show newaddrtrap
Use this command to display the global and port-specific status of the SNMP new MAC addresses trap function.
Syntax
show newaddrtrap [port-string]
Parameters
port-string: (Optional) Displays the status of the new MAC addresses trap function on specific ports.
Defaults
If port-string is not specified, the status of the new MAC addresses trap function will be displayed for all ports.
Mode
Switch command, read-only.
Usage
By default, this function is disabled globally and per port.
Example
This example displays the status for Gigabit Ethernet ports 1 through 5 in slot 1.
C2(ro)->show newaddrtrap ge.1.1-5
New Address Traps Globally disabled
Port       Enable State
---------  ------------
set newaddrtrap
Use this command to enable or disable SNMP trap messaging, globally or on one or more ports, when new source MAC addresses are detected.
Syntax
set newaddrtrap [port-string] {enable | disable}
Parameters
port-string: (Optional) Enable or disable the new MAC addresses trap function on specific ports.
enable | disable: Enable or disable the new MAC addresses trap function. If entered without the port-string parameter, enables or disables the function globally. When entered with the port-string parameter, enables or disables the function on specific ports.
Defaults
If port-string is not specified, the trap function is set globally.
Mode
Switch mode, read-write.
Usage
This command enables and disables sending SNMP trap messages when a new source MAC address is detected by a port. If the port is a CDP port, however, traps for new source MAC addresses will not be sent.
The default mode is disabled globally and per port.
Example
This example enables the trap function globally and then on Gigabit Ethernet ports 1 through 5 in slot 1.
C2(rw)->set newaddrtrap enable
C2(rw)->set newaddrtrap ge.1.1-5 enable
Syntax
show snmp notify [notify] [volatile | nonvolatile | read-only]
Parameters
notify: (Optional) Displays notify entries for a specific notify name.
volatile | nonvolatile | read-only: (Optional) Displays notify entries for a specific storage type.
Defaults
If a notify name is not specified, all entries will be displayed.
If volatile, nonvolatile, or read-only are not specified, all storage type entries will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the SNMP notify information:
C2(su)->show snmp notify
--- SNMP notifyTable information ---
Notify name  = 1
Notify Tag   = Console
Notify Type  = trap
Storage type = nonVolatile
Row status   = active

Notify name  = 2
Notify Tag   = TrapSink
Notify Type  = trap
Storage type = nonVolatile
Row status   = active
Syntax
set snmp notify notify tag tag [trap | inform] [volatile | nonvolatile]
Parameters
notify: Specifies an SNMP notify name.
tag tag: Specifies an SNMP notify tag. This binds the notify name to the SNMP target address table.
trap | inform: (Optional) Specifies SNMPv1 or v2 Trap messages (default) or SNMPv3 InformRequest messages.
volatile | nonvolatile: (Optional) Specifies temporary (default), or permanent storage for SNMP entries.
Defaults
If not specified, message type will be set to trap.
If not specified, storage type will be set to nonvolatile.
Mode
Switch command, read-write.
Example
This example shows how to set an SNMP notify configuration with a notify name of "hello" and a notify tag of "world". Notifications will be sent as trap messages and storage type will automatically default to permanent:
C2(su)->set snmp notify hello tag world trap
Syntax
clear snmp notify notify
Parameters
notify: Specifies an SNMP notify name to clear.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the SNMP notify configuration for "hello":
C2(su)->clear snmp notify hello
Syntax
show snmp notifyfilter [profile] [subtree oid-or-mibobject] [volatile | nonvolatile | read-only]
Parameters
profile: (Optional) Displays a specific notify filter.
subtree oid-or-mibobject: (Optional) Displays a notify filter within a specific subtree.
volatile | nonvolatile | read-only: (Optional) Displays notify filter entries of a specific storage type.
Defaults
If no parameters are specified, all notify filter information will be displayed.
Mode
Switch command, read-only.
Usage
See "About SNMP Notify Filters" on page 8-28 for more information about notify filters.
Example
This example shows how to display SNMP notify filter information. In this case, the notify profile "pilot1" in subtree 1.3.6 will not receive SNMP notification messages:
C2(su)->show snmp notifyfilter
--- SNMP notifyFilter information ---
Profile      = pilot1
Subtree      = 1.3.6
Filter type  = included
Storage type = nonVolatile
Row status   = active
Syntax
set snmp notifyfilter profile subtree oid-or-mibobject [mask mask] [included | excluded] [volatile | nonvolatile]
Parameters
profile: Specifies an SNMP filter notify name.
subtree oid-or-mibobject: Specifies a MIB subtree ID target for the filter.
mask mask: (Optional) Applies a subtree mask.
included | excluded: (Optional) Specifies that subtree is included or excluded.
volatile | nonvolatile: (Optional) Specifies a storage type.
Defaults
If not specified, mask is not set.
If not specified, subtree will be included.
If storage type is not specified, nonvolatile (permanent) will be applied.
Mode
Switch command, read-write.
Usage
See "About SNMP Notify Filters" on page 8-28 for more information about notify filters.
Example
This example shows how to create an SNMP notify filter called "pilot1" with a MIB subtree ID of 1.3.6:
C2(su)->set snmp notifyfilter pilot1 subtree 1.3.6
Syntax
clear snmp notifyfilter profile subtree oid-or-mibobject
Parameters
profile: Specifies an SNMP filter notify name to delete.
subtree oid-or-mibobject: Specifies a MIB subtree ID containing the filter to be deleted.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete the SNMP notify filter "pilot1":
C2(su)->clear snmp notifyfilter pilot1 subtree 1.3.6
Syntax
show snmp notifyprofile [profile] [targetparam targetparam] [volatile | nonvolatile | read-only]
Parameters
profile: (Optional) Displays a specific notify profile.
targetparam targetparam: (Optional) Displays entries for a specific target parameter.
volatile | nonvolatile | read-only: (Optional) Displays notify filter entries of a specific storage type.
Defaults
If no parameters are specified, all notify profile information will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP notify information for the profile named "area51":
C2(su)->show snmp notifyprofile area51
--- SNMP notifyProfile information ---
Notify Profile = area51
TargetParam    = v3ExampleParams
Storage type   = nonVolatile
Row status     = active
Syntax
set snmp notifyprofile profile targetparam targetparam [volatile | nonvolatile]
Parameters
profile: Specifies an SNMP filter notify name.
targetparam targetparam: Specifies an associated entry in the SNMP Target Params Table.
volatile | nonvolatile: (Optional) Specifies a storage type.
Defaults
If storage type is not specified, nonvolatile (permanent) will be applied.
Mode
Switch command, read-write.
Example
This example shows how to create an SNMP notify profile named area51 and associate a target parameters entry.
C2(su)->set snmp notifyprofile area51 targetparam v3ExampleParams
Syntax
clear snmp notifyprofile profile targetparam targetparam
Parameters
profile: Specifies an SNMP filter notify name to delete.
targetparam targetparam: Specifies an associated entry in the snmpTargetParamsTable.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete SNMP notify profile "area51":
C2(su)->clear snmp notifyprofile area51 targetparam v3ExampleParams
Complete an SNMPv2 trap configuration on a SecureStack C2 device as follows:
1. Create a community name that will act as an SNMP user password.
2. Create an SNMP target parameters entry to associate security and authorization criteria to the users in the community created in Step 1.
3. Verify if any applicable SNMP notification entries exist, or create a new one. You will use this entry to send SNMP notification messages to the appropriate management targets created in Step 2.
4. Create a target address entry to bind a management IP address to:
   - The notification entry and tag name created in Step 3 and
   - The target parameters entry created in Step 2.
Example
This example shows how to:
- Create an SNMP community called mgmt.
- Configure a trap notification called TrapSink.
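The binding in Steps 3 and 4 only works when the tag in a target address entry matches the tag of an active notify entry. The following check is an added example, not part of the guide: it parses constructed output laid out like the guide's `show snmp targetaddr` and `show snmp notify` examples (one "Field = value" pair per line is an assumption about the CLI layout) and reports entries that will never deliver a trap.

```python
import re

# Constructed sample output, one "Field = value" pair per line, modelled on the
# guide's `show snmp targetaddr` and `show snmp notify` examples.
TARGETADDR_OUTPUT = """\
Target Address Name = labmachine
Tag List            = v2cTrap
IP Address          = 10.2.3.116
UDP Port#           = 162
Target Mask         = 255.255.255.255
Timeout             = 1500
Retry count         = 4
Parameters          = v2cParams
Storage type        = nonVolatile
Row status          = active

Target Address Name = tr
Tag List            = TrapSink
IP Address          = 192.168.190.80
UDP Port#           = 162
Target Mask         = 255.255.255.255
Timeout             = 1500
Retry count         = 3
Parameters          = v2cExampleParams
Storage type        = volatile
Row status          = active
"""

NOTIFY_OUTPUT = """\
--- SNMP notifyTable information ---
Notify name  = 1
Notify Tag   = Console
Notify Type  = trap
Storage type = nonVolatile
Row status   = active

Notify name  = 2
Notify Tag   = TrapSink
Notify Type  = trap
Storage type = nonVolatile
Row status   = active
"""

FIELD = re.compile(r"^\s*([^=]+?)\s*=\s*(.*?)\s*$")


def parse_entries(text, first_field):
    """Split CLI output into dicts; a new entry starts at `first_field`."""
    entries = []
    for line in text.splitlines():
        match = FIELD.match(line)
        if not match:
            continue  # banner or blank line
        key, value = match.groups()
        if key == first_field:
            entries.append({})
        if entries:
            entries[-1][key] = value
    return entries


def audit_trap_bindings(targetaddr_text, notify_text):
    """Return (entry, problem) pairs for broken notify-to-target bindings."""
    targets = parse_entries(targetaddr_text, "Target Address Name")
    notifies = parse_entries(notify_text, "Notify name")
    active_tags = {n.get("Notify Tag") for n in notifies
                   if n.get("Row status") == "active"}
    findings, used_tags = [], set()
    for t in targets:
        name = t["Target Address Name"]
        tags = set(t.get("Tag List", "").split())
        if t.get("Row status") != "active":
            findings.append((name, "row is not active"))
            continue
        used_tags |= tags
        for tag in sorted(tags - active_tags):
            findings.append((name, f"tag {tag} matches no active notify entry"))
        if not tags:
            findings.append((name, "no tag list, so no notify entry selects it"))
        if t.get("Storage type", "").lower() == "volatile":
            findings.append((name, "volatile entry, not kept across a reset"))
    for n in notifies:
        if n.get("Row status") == "active" and n.get("Notify Tag") not in used_tags:
            findings.append((f"notify {n['Notify name']}",
                             f"tag {n['Notify Tag']} selects no target address"))
    return findings


if __name__ == "__main__":
    for entry, problem in audit_trap_bindings(TARGETADDR_OUTPUT, NOTIFY_OUTPUT):
        print(f"{entry}: {problem}")
```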
9
Spanning Tree Configuration
This chapter describes the Spanning Tree Configuration set of commands and how to use them.
For information about...
Spanning Tree Configuration Summary
Configuring Spanning Tree Bridge Parameters
Configuring Spanning Tree Port Parameters
Configuring Spanning Tree Loop Protect Parameters
Caution: Spanning Tree configuration should be performed only by personnel who are very knowledgeable about Spanning Trees and the configuration of the Spanning Tree Algorithm. Otherwise, the proper operation of the network could be at risk.
RSTP
The IEEE 802.1w Rapid Spanning Protocol (RSTP), an evolution of 802.1D, can achieve much faster convergence than legacy STP in a properly configured network. RSTP significantly reduces the time to reconfigure the network's active topology when physical topology or configuration parameter changes occur. It selects one switch as the root of a Spanning Tree-connected active topology and assigns port roles to individual ports on the switch, depending on whether that port is part of the active topology.
RSTP provides rapid connectivity following the failure of a switch, switch port, or a LAN. A new root port and the designated port on the other side of the bridge transition to forwarding through an explicit handshake between them. By default, user ports are configured to rapidly transition to forwarding in RSTP.
MSTP
The IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) builds upon 802.1D and RSTP by optimizing utilization of redundant links between switches in a network. When redundant links exist between a pair of switches running single STP, one link is forwarding while the others are blocking for all traffic flowing between the two switches. The blocking links are effectively used only if the forwarding link goes down. MSTP assigns each VLAN present on the network to a particular Spanning Tree instance, allowing each switch port to be in a distinct state for each such instance: blocking for one Spanning Tree while forwarding for another. Thus, traffic associated with one set of VLANs can traverse a particular inter-switch link, while traffic associated with another set of VLANs can be blocked on that link. If VLANs are assigned to Spanning Trees wisely, no inter-switch link will be completely idle, maximizing network utilization.
For details on creating Spanning Tree instances, refer to "set spantree msti" on page 9-12.
For details on mapping Spanning Tree instances to VLANs, refer to "set spantree mstmap" on page 9-14.
Note: MSTP and RSTP are fully compatible and interoperable with each other and with legacy STP 802.1D.
Note: The term bridge is used as an equivalent to the term switch or device in this document.
Loop Protect
The Loop Protect feature prevents or short circuits loop formation in a network with redundant paths by requiring ports to receive type 2 BPDUs (RSTP/MSTP) on point-to-point inter-switch links (ISLs) before their states are allowed to become forwarding. Further, if a BPDU timeout occurs on a port, its state becomes listening until a BPDU is received.
Both upstream and downstream facing ports are protected. When a root or alternate port loses its path to the root bridge due to a message age expiration it takes on the role of designated port. It will not forward traffic until a BPDU is received. When a port is intended to be the designated port in an ISL it constantly proposes and will not forward until a BPDU is received, and will revert to listening if it fails to get a response. This protects against misconfiguration and protocol failure by the connected bridge.
The Disputed BPDU mechanism protects against looping in situations where there is one-way communication. A disputed BPDU is one in which the flags field indicates a designated role and learning and the priority vector is worse than that already held by the port. If a disputed BPDU is received, the port is forced to the listening state. When an inferior designated BPDU with the learning bit set is received on a designated port, its state is set to discarding to prevent loop formation. Note that the Dispute mechanism is always active regardless of the configuration setting of Loop Protection.
Loop Protect operates as a per port, per MST instance feature. It should be set on inter-switch links. It is comprised of several related functions:
- Control of port forwarding state based on reception of agreement BPDUs
- Control of port forwarding state based on reception of disputed BPDUs
- Communicating port non-forwarding status through traps and syslog messages
- Disabling a port based on frequency of failure events
Port forwarding state in the designated port is gated by a timer that is set upon BPDU reception. It is analogous to the rcvdInfoWhile timer the port uses when receiving root information in the root/alternate/backup role.
There are two operational modes for Loop Protect on a port. If the port is connected to a device known to implement Loop Protect, it uses full functional mode. Otherwise the port operates in limited functional mode.
Connection to a Loop Protect switch guarantees that the alternate agreement mechanism is implemented. This means the designated port can rely on receiving a response to its proposal regardless of the role of the connected port, which has two important implications. First, the designated port connected to a non-root port may transition to forwarding. Second, there is no ambiguity when a timeout happens; a Loop Protect event has occurred.
In full functional mode, when a type 2 BPDU is received and the port is designated and point-to-point, the timer is set to 3 times helloTime. In limited functional mode there is the additional requirement that the flags field indicate a root role. If the port is a boundary port the MSTIs for that port follow the CIST, that is, the MSTI port timers are set according to the CIST port timer. If the port is internal to the region then the MSTI port timers are set independently using the particular MSTI message.
Message age expiration and the expiration of the Loop Protect timer are both Loop Protect events. A notice level syslog message is produced for each such event. Traps may be configured to report these events as well. A syslog message and trap may be configured for disputed BPDUs.
It is also configurable to force the locking of a SID/port for the occurrence of one or more events. When the configured number of events happen within a given window of time, the port is forced into blocking and held there until it is manually unlocked via management.
Commands
For information about...
show spantree stats
set spantree
show spantree version
set spantree version
clear spantree version
show spantree bpdu-forwarding
set spantree bpdu-forwarding
show spantree bridgeprioritymode
set spantree bridgeprioritymode
clear spantree bridgeprioritymode
show spantree mstilist
set spantree msti
clear spantree msti
show spantree mstmap
set spantree mstmap
clear spantree mstmap
show spantree vlanlist
show spantree mstcfgid
set spantree mstcfgid
clear spantree mstcfgid
set spantree priority
clear spantree priority
set spantree hello
clear spantree hello
set spantree maxage
clear spantree maxage
set spantree fwddelay
clear spantree fwddelay
show spantree backuproot
set spantree backuproot
clear spantree backuproot
show spantree tctrapsuppress
set spantree tctrapsuppress
clear spantree tctrapsuppress
set spantree protomigration
show spantree spanguard
set spantree spanguard
clear spantree spanguard
show spantree spanguardtimeout
set spantree spanguardtimeout
clear spantree spanguardtimeout
show spantree spanguardlock
clear/set spantree spanguardlock
show spantree spanguardtrapenable
set spantree spanguardtrapenable
clear spantree spanguardtrapenable
show spantree legacypathcost
set spantree legacypathcost
clear spantree legacypathcost
Syntax
show spantree stats [port port-string] [sid sid] [active]
Parameters
port port-string: (Optional) Displays information for the specified port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
sid sid: (Optional) Displays information for a specific Spanning Tree identifier. If not specified, SID 0 is assumed.
active: (Optional) Displays information for ports that have received STP BPDUs since boot.
Defaults
If port-string is not specified, Spanning Tree information for all ports will be displayed.
If sid is not specified, information for Spanning Tree 0 will be displayed.
If active is not specified, information for all ports will be displayed regardless of whether or not they have received BPDUs.
Mode
Switch command, read-only.
Example
This example shows how to display the device's Spanning Tree configuration:
C2(su)->show spantree stats
Spanning tree status       enabled
Spanning tree instance     0
Designated Root MacAddr    00-e0-63-9d-c1-c8
Designated Root Priority   0
Designated Root Cost       10000
Designated Root Port       lag.0.1
Root Max Age               20 sec
Root Hello Time            2 sec
Root Forward Delay         15 sec
Bridge ID MAC Address      00-01-f4-da-5e-3d
Bridge ID Priority         32768
Bridge Max Age             20 sec
Bridge Hello Time          2 sec
Bridge Forward Delay       15 sec
Topology Change Count      7
Time Since Top Change      00 days 03:19:15
Max Hops                   20
Table 9-1
Output
set spantree
Use this command to globally enable or disable the Spanning Tree protocol on the switch.
Syntax
set spantree {disable | enable}
Parameters
disable | enable: Globally disables or enables Spanning Tree.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable Spanning Tree on the device:
C2(su)->set spantree disable
Syntax
show spantree version
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display Spanning Tree version information for the device:
C2(su)->show spantree version
Force Version is mstp
Syntax
set spantree version {mstp | stpcompatible | rstp}
Parameters
mstp: Sets the version to STP 802.1s-compatible.
stpcompatible: Sets the version to STP 802.1D-compatible.
rstp: Sets the version to 802.1w-compatible.
Defaults
None.
Mode
Switch command, read-write.
Usage
In most networks, Spanning Tree version should not be changed from its default setting of mstp (Multiple Spanning Tree Protocol) mode. MSTP mode is fully compatible and interoperable with legacy STP 802.1D and Rapid Spanning Tree (RSTP) bridges. Setting the version to stpcompatible mode will cause the bridge to transmit only 802.1D BPDUs, and will prevent non-edge ports from rapidly transitioning to forwarding state.
Example
This example shows how to globally change the Spanning Tree version from the default of MSTP to RSTP:
C2(su)->set spantree version rstp
Syntax
clear spantree version
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the Spanning Tree version:
C2(su)->clear spantree version
Syntax
show spantree bpdu-forwarding
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the Spanning Tree BPDU forwarding mode:
C2(su)->show spantree bpdu-forwarding
BPDU forwarding is disabled.
Syntax
set spantree bpdu-forwarding {disable | enable}
Parameters
disable | enable: Disables or enables BPDU forwarding.
Defaults
By default BPDU forwarding is disabled.
Mode
Switch command, read-write.
Usage
The Spanning Tree protocol must be disabled (set spantree disable) for this feature to take effect.
Example
This example shows how to enable BPDU forwarding:
C2(rw)-> set spantree bpdu-forwarding enable
Syntax
show spantree bridgeprioritymode
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the Spanning Tree bridge priority mode setting:
C2(rw)->show spantree bridgeprioritymode
Bridge Priority Mode is set to IEEE802.1t mode.
Syntax
set spantree bridgeprioritymode {8021d | 8021t}
Parameters
8021d: Sets the bridge priority mode to use 802.1D (legacy) values, which are 0-65535.
8021t: Sets the bridge priority mode to use 802.1t values, which are 0 to 61440, in increments of 4096. Values will automatically be rounded up or down, depending on the 802.1t value to which the entered value is closest. This is the default bridge priority mode.
Defaults
None
Mode
Switch command, read-write.
Usage
The mode affects the range of priority values used to determine which device is selected as the Spanning Tree root as described in set spantree priority ("set spantree priority" on page 9-17). The default for the switch is to use 802.1t bridge priority mode.
Example
This example shows how to set the bridge priority mode to 802.1D:
C2(rw)->set spantree bridgeprioritymode 8021d
Syntax
clear spantree bridgeprioritymode
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the bridge priority mode to 802.1t:
C2(rw)->clear spantree bridgeprioritymode
Syntax
show spantree mstilist
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display a list of MST instances. In this case, SID 2 has been configured:
C2(su)->show spantree mstilist
Configured Multiple Spanning Tree instances:
2
Syntax
set spantree msti sid sid {create | delete}
Parameters
sid sid: Sets the Multiple Spanning Tree ID. Valid values are 1-4094. SecureStack C2 devices will support up to 4 MST instances.
create | delete: Creates or deletes an MST instance.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to create an MST instance 2:
C2(su)->set spantree msti sid 2 create
Syntax
clear spantree msti [sid sid]
Parameters
sid sid: (Optional) Deletes a specific multiple Spanning Tree ID.
Defaults
If sid is not specified, all MST instances will be cleared.
Mode
Switch command, read-write.
Example
This example shows how to delete all MST instances:
C2(su)->clear spantree msti
Syntax
show spantree mstmap [fid fid]
Parameters
fid fid: (Optional) Displays information for specific FIDs.
Defaults
If fid is not specified, information for all assigned FIDs will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display SID to FID mapping information for FID 1. In this case, no new mappings have been configured:
C2(su)->show spantree mstmap fid 1
FID:    SID:
1       0
Syntax
set spantree mstmap fid [sid sid]
Parameters
fid: Specifies one or more FIDs to assign to the MST. Valid values are 1-4093, and must correspond to a VLAN ID created using the set vlan command.
sid sid: (Optional) Specifies a Multiple Spanning Tree ID. Valid values are 1-4094, and must correspond to a SID created using the set msti command.
Defaults
If sid is not specified, FID(s) will be mapped to Spanning Tree 0.
Mode
Switch command, read-write.
Example
This example shows how to map FID 3 to SID 2:
C2(su)->set spantree mstmap 3 sid 2
Syntax
clear spantree mstmap fid
Parameters
fid: Specifies one or more FIDs to reset to 0.
Defaults
If fid is not specified, all SID to FID mappings will be reset.
Mode
Switch command, read-write.
Example
This example shows how to map FID 2 back to SID 0:
Syntax
show spantree vlanlist [vlan-list]
Parameters
vlan-list: (Optional) Displays SIDs assigned to specific VLAN(s).
Defaults
If not specified, SID assignment will be displayed for all VLANs.
Mode
Switch command, read-only.
Example
This example shows how to display the SIDs mapped to VLAN 1. In this case, SIDs 2, 16 and 42 are mapped to VLAN 1. For this information to display, the SID instance must be created using the set spantree msti command as described in "set spantree msti" on page 9-12, and the FIDs must be mapped to SID 1 using the set spantree mstmap command as described in "set spantree mstmap" on page 9-14:
C2(su)->show spantree vlanlist 1
The following SIDS are assigned to VLAN 1: 2 16 42
Syntax
show spantree mstcfgid
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the MST configuration identifier elements. In this case, the default revision level of 0, and the default configuration name (a string representing the bridge
Syntax
set spantree mstcfgid {cfgname name | rev level}
Parameters
cfgname name: Specifies an MST configuration name.
rev level: Specifies an MST revision level. Valid values are 0-65535.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the MST configuration name to "mstconfig":
C2(su)->set spantree mstcfgid cfgname mstconfig
Syntax
clear spantree mstcfgid
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the MST configuration identifier elements to default values:
C2(su)->clear spantree mstcfgid
Syntax
set spantree priority priority [sid]
Parameters
priority: Specifies the priority of the bridge. Valid values are from 0 to 61440 (in increments of 4096), with 0 indicating highest priority and 61440 lowest priority.
sid: (Optional) Sets the priority on a specific Spanning Tree. Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If sid is not specified, priority will be set on Spanning Tree 0.
Mode
Switch command, read-write.
Usage
The device with the highest priority (lowest numerical value) becomes the Spanning Tree root device. If all devices have the same priority, the device with the lowest MAC address will then become the root device. Depending on the bridge priority mode (set with the set spantree bridgeprioritymode command described in "set spantree bridgeprioritymode" on page 9-10), some priority values may be rounded up or down.
Example
This example shows how to set the bridge priority to 4096 on SID 1:
C2(su)->set spantree priority 4096 1
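Because 802.1t mode rounds an entered priority to the closest multiple of 4096, two bridges given different values can end up tied and be separated only by MAC address. The following sketch is an added example, not part of the guide: it applies the rounding and root-selection rules described above to a constructed plan. Bridge names, the third MAC address, applying one mode to every bridge, and rounding an exact midpoint upward are assumptions.

```python
def parse_mac(mac):
    """Turn '00-e0-63-9d-c1-c8' into bytes so MAC addresses compare numerically."""
    parts = mac.split("-")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes(int(part, 16) for part in parts)


def effective_priority(entered, mode="8021t"):
    """Priority the bridge actually uses for the value typed at the CLI."""
    if mode == "8021d":
        if not 0 <= entered <= 65535:
            raise ValueError("802.1D priority must be 0-65535")
        return entered
    if mode == "8021t":
        if not 0 <= entered <= 61440:
            raise ValueError("802.1t priority must be 0-61440")
        # Round to the closest multiple of 4096.
        # Assumption: a value exactly halfway between two steps rounds up.
        return (entered + 2048) // 4096 * 4096
    raise ValueError(f"unknown bridge priority mode: {mode}")


def elect_root(bridges, mode="8021t"):
    """bridges: iterable of (name, entered_priority, mac).

    Lowest effective priority wins; a tie goes to the lowest MAC address.
    Returns (name, effective_priority) of the root.
    """
    ranked = sorted(
        (effective_priority(priority, mode), parse_mac(mac), name)
        for name, priority, mac in bridges
    )
    priority, _, name = ranked[0]
    return name, priority


# Constructed plan: core-b is meant to be root (lower entered value).
PLAN = [
    ("core-a", 6000, "00-01-f4-da-5e-3d"),
    ("core-b", 4200, "00-e0-63-9d-c1-c8"),
    ("access-1", 32768, "00-01-f4-aa-00-01"),
]

if __name__ == "__main__":
    print("802.1D mode root:", elect_root(PLAN, "8021d"))  # ('core-b', 4200)
    print("802.1t mode root:", elect_root(PLAN, "8021t"))  # ('core-a', 4096)
```

In 802.1t mode both core bridges round to 4096, so the intended root loses to the bridge with the lower MAC address; entering exact multiples of 4096 avoids the surprise.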
Syntax
clear spantree priority [sid]
Parameters
sid: (Optional) Resets the priority on a specific Spanning Tree. Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If sid is not specified, priority will be reset on Spanning Tree 0.
Mode
Switch command, read-write.
Example
This example shows how to reset the bridge priority on SID 1:
C2(su)->clear spantree priority 1
Syntax
set spantree hello interval
Parameters
interval: Specifies the number of seconds the system waits before broadcasting a bridge hello message (a multicast message indicating that the system is active). Valid values are 1-10.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to globally set the Spanning Tree hello time to 10 seconds:
C2(su)->set spantree hello 10
Syntax
clear spantree hello
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to globally reset the Spanning Tree hello time:
C2(su)->clear spantree hello
Syntax
set spantree maxage agingtime
Parameters
agingtime: Specifies the maximum number of seconds that the system retains the information received from other bridges through STP. Valid values are 6-40.
Defaults
None.
Mode
Switch command, read-write.
Usage
The bridge maximum aging time is the maximum time (in seconds) a device can wait without receiving a configuration message (bridge "hello") before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STP information provided in the last configuration message becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network.
Example
This example shows how to set the maximum aging time to 25 seconds:
C2(su)->set spantree maxage 25
Syntax
clear spantree maxage
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to globally reset the maximum aging time:
C2(su)->clear spantree maxage
Syntax
set spantree fwddelay delay
Parameters
delay: Specifies the number of seconds for the bridge forward delay. Valid values are 4-30.
Defaults
None.
Mode
Switch command, read-write.
Usage
The forward delay is the maximum time (in seconds) the root device will wait before changing states (i.e., listening to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a blocking state; otherwise, temporary data loops might result.
Example
This example shows how to globally set the bridge forward delay to 16 seconds:
C2(su)->set spantree fwddelay 16
Syntax
clear spantree fwddelay
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to globally reset the bridge forward delay:
C2(su)->clear spantree fwddelay
Syntax
show spantree backuproot [sid]
Parameters
sid: (Optional) Display backup root status for a specific Spanning Tree identifier. Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If a SID is not specified, then status will be shown for Spanning Tree instance 0.
Mode
Switch command, read-only.
Example
This example shows how to display the status of the backup root function on SID 0:
C2(rw)->show spantree backuproot
Backup root is set to disable on sid 0
Syntax
set spantree backuproot sid {disable | enable}
Parameters
sid: Specifies the Spanning Tree instance on which to enable or disable the backup root function. Valid values are 0-4094.
disable | enable: Enables or disables the backup root function.
Defaults
None.
Mode
Switch command, read-write.
Usage
The Spanning Tree backup root function is disabled by default on the SecureStack C2. When this feature is enabled and the switch is directly connected to the root bridge, stale Spanning Tree information is prevented from circulating if the root bridge is lost. If the root bridge is lost, the backup root will dynamically lower its bridge priority so that it will be selected as the new root over the lost root bridge.
Example
This example shows how to enable the backup root function on SID 2:
C2(rw)->set spantree backuproot 2 enable
Syntax
clear spantree backuproot sid
Parameters
sid: Specifies the Spanning Tree on which to clear the backup root function. Valid values are 0-4094.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the backup root function to disabled on SID 2:
C2(rw)->clear spantree backuproot 2
Syntax
show spantree tctrapsuppress
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the status of topology change trap suppression:
C2(rw)->show spantree tctrapsuppress
Topology change Trap Suppression is set to enabled
Syntax
set spantree tctrapsuppress {disable | enable}
Parameters
disable | enable: Disables or enables topology change trap suppression.
Defaults
None.
Mode
Switch command, read-write.
Usage
By default, RSTP non-edge (bridge) ports that transition to forwarding or blocking cause the switch to issue a topology change trap. When topology change trap suppression is enabled, which is the device default, edge ports (such as end station PCs) are prevented from sending topology change traps. This is because there is usually no need for network management to monitor edge port STP transition states, such as when PCs are powered on. When topology change trap suppression is disabled, all ports, including edge and bridge ports, will transmit topology change traps.
Example
This example shows how to allow Rapid Spanning Tree edge ports to transmit topology change traps:
C2(rw)->set spantree tctrapsuppress disable
Syntax
clear spantree tctrapsuppress
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear topology change trap suppression setting:
C2(rw)->clear spantree tctrapsuppress
Syntax
set spantree protomigration <port-string>
Parameters
port-string: Reset the protocol state migration machine for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the protocol state migration machine on port 20:
C2(su)->set spantree protomigration ge.1.20
Syntax
show spantree spanguard
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the SpanGuard function status:
C2(su)->show spantree spanguard
Spanguard is disabled
Syntax
set spantree spanguard {enable | disable}
Parameters
enable | disable: Enables or disables the SpanGuard function.
Defaults
None.
Mode
Switch command, read-write.
Usage
SpanGuard is designed to disable, or lock out, an "edge" port when an unexpected BPDU is received. The port can be configured to be re-enabled after a set time period, or only after manual intervention.
A port can be defined as an edge (user) port using the set spantree adminedge command, described in "set spantree adminedge" on page 9-39. A port designated as an edge port is expected to be connected to a workstation or other end-user type of device, and not to another switch in the network. When SpanGuard is enabled, if a non-loopback BPDU is received on an edge port, the Spanning Tree state of that port will be changed to "blocking" and will no longer forward traffic. The port will remain disabled until the amount of time defined by set spantree spanguardtimeout ("set spantree spanguardtimeout" on page 9-27) has passed since the last seen BPDU, the port is manually unlocked (set or clear spantree spanguardlock, "clear / set spantree spanguardlock" on page 9-29), the configuration of the port is changed so it is no longer an edge port, or the SpanGuard function is disabled.
SpanGuard is enabled and disabled only on a global basis (across the stack, if applicable). By default, SpanGuard is disabled and SpanGuard traps are enabled.
Example
This example shows how to enable the SpanGuard function:
C2(rw)->set spantree spanguard enable
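The lock and release rules in the Usage text above can be checked with a small model. This is an added example, not Enterasys code: the class and function names are hypothetical, and the model assumes the lock is evaluated against the time of the last BPDU seen, as the text states.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class EdgePort:
    """Per-port state used by this model (not the switch's real data structure)."""
    name: str
    admin_edge: bool = True            # set spantree adminedge <port> true
    locked: bool = False
    last_bpdu: Optional[float] = None  # time of the last BPDU seen, in seconds


class SpanGuardModel:
    """Global SpanGuard settings plus the lock/release rules from the Usage text."""

    def __init__(self, enabled: bool = False, timeout: int = 300):
        if not 0 <= timeout <= 65535:
            raise ValueError("spanguardtimeout must be 0 to 65535 seconds")
        self.enabled = enabled
        self.timeout = timeout

    def receive_bpdu(self, port: EdgePort, now: float, loopback: bool = False) -> None:
        # Only a non-loopback BPDU on an edge port triggers SpanGuard.
        if self.enabled and port.admin_edge and not loopback:
            port.locked = True
            port.last_bpdu = now       # every further BPDU restarts the timer

    def manual_unlock(self, port: EdgePort) -> None:
        # Models an administrator unlocking the port by hand.
        port.locked = False

    def is_locked(self, port: EdgePort, now: float) -> bool:
        if port.locked:
            if not self.enabled or not port.admin_edge:
                port.locked = False    # feature disabled, or port no longer an edge port
            elif self.timeout != 0 and now - port.last_bpdu >= self.timeout:
                port.locked = False    # timeout elapsed since the last BPDU
        return port.locked


def lock_timeline(timeout: int, bpdu_times: Iterable[float],
                  check_times: Iterable[float]) -> Dict[float, bool]:
    """Return {check_time: locked?} for one edge port (constructed scenario)."""
    guard = SpanGuardModel(enabled=True, timeout=timeout)
    port = EdgePort("ge.1.16")
    events = sorted([(t, "bpdu") for t in bpdu_times] +
                    [(t, "check") for t in check_times])
    result = {}
    for t, kind in events:
        if kind == "bpdu":
            guard.receive_bpdu(port, t)
        else:
            result[t] = guard.is_locked(port, t)
    return result


if __name__ == "__main__":
    # A second BPDU at t=200 pushes the release from t=300 to t=500.
    print(lock_timeline(300, [0, 200], [299, 300, 499, 500]))
    # Timeout 0: the port stays locked until it is unlocked manually.
    print(lock_timeline(0, [0], [65535, 1000000]))
```

A device that keeps sending BPDUs keeps the port locked, because each BPDU restarts the timer; with a timeout of 0 only a manual unlock, an edge-status change or disabling SpanGuard releases it.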
Syntax
clear spantree spanguard
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the status of the SpanGuard function to disabled:
C2(rw)->clear spantree spanguard
Syntax
show spantree spanguardtimeout
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the SpanGuard timeout setting:
C2(su)->show spantree spanguardtimeout
Spanguard timeout: 300
Syntax
set spantree spanguardtimeout timeout
Parameters
timeout    Specifies a timeout value in seconds. Valid values are 0 to 65535. A value of 0 will keep the port locked until manually unlocked. The default value is 300 seconds.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the SpanGuard timeout to 600 seconds:
C2(su)->set spantree spanguardtimeout 600
Syntax
clear spantree spanguardtimeout
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the SpanGuard timeout to 300 seconds:
C2(rw)->clear spantree spanguardtimeout
Syntax
show spantree spanguardlock [port-string]
Parameters
port-string    (Optional) Specifies the port(s) for which to show SpanGuard lock status. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If no port-string is specified, the SpanGuard lock status for all ports is displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the SpanGuard lock status for ge.1.1:
C2(su)->show spantree spanguardlock ge.1.1
Port ge.1.1 is Unlocked
Syntax
clear spantree spanguardlock port-string
set spantree spanguardlock port-string
Parameters
port-string    Specifies port(s) to unlock. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to unlock port ge.1.16:
C2(rw)->clear spantree spanguardlock ge.1.16
Syntax
show spantree spanguardtrapenable
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the state of the SpanGuard trap function:
C2(ro)->show spantree spanguardtrapenable
Spanguard SNMP traps are enabled
Syntax
set spantree spanguardtrapenable {disable | enable}
Parameters
disable | enable    Disables or enables sending SpanGuard traps. By default, sending traps is enabled.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable the SpanGuard trap function:
C2(su)->set spantree spanguardtrapenable disable
Syntax
clear spantree spanguardtrapenable
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the SpanGuard trap function to enabled:
C2(rw)->clear spantree spanguardtrapenable
Syntax
show spantree legacypathcost
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the default Spanning Tree path cost setting.
C2(su)->show spantree legacypathcost
Legacy Path Cost is disabled.
Syntax
set spantree legacypathcost {disable | enable}
Parameters
disable    Use 802.1t-2001 values to calculate path cost.
enable     Use 802.1d-1998 values to calculate path cost.
Defaults
None.
Mode
Switch command, read-write.
Usage
By default, legacy path cost is disabled. Enabling the device to calculate legacy path costs affects the range of valid values that can be entered in the set spantree adminpathcost command.
Example
This example shows how to set the default path cost values to 802.1D.
C2(rw)->set spantree legacypathcost enable
Syntax
clear spantree legacypathcost
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears the legacy path cost to 802.1t values.
C2(rw)->clear spantree legacypathcost
Commands
For information about...          Refer to page...
set spantree portadmin            9-33
clear spantree portadmin          9-34
show spantree portadmin           9-34
show spantree portpri             9-35
set spantree portpri              9-35
clear spantree portpri            9-36
show spantree adminpathcost       9-37
set spantree adminpathcost        9-37
clear spantree adminpathcost      9-38
show spantree adminedge           9-38
set spantree adminedge            9-38
clear spantree adminedge          9-39
Syntax
set spantree portadmin port-string {disable | enable}
Parameters
port-string         Specifies the port(s) for which to enable or disable Spanning Tree. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
disable | enable    Disables or enables Spanning Tree.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable Spanning Tree on ge.1.5:
C2(rw)->set spantree portadmin ge.1.5 disable
Syntax
clear spantree portadmin port-string
Parameters
port-string    Resets the default admin status on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the default Spanning Tree admin state to enable on ge.1.12:
C2(rw)->clear spantree portadmin ge.1.12
Syntax
show spantree portadmin [port port-string]
Parameters
port port-string    (Optional) Displays status for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, status will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display port admin status for ge.1.1:
C2(ro)->show spantree portadmin port ge.1.1
Port ge.1.1 has portadmin set to enabled
Syntax
show spantree portpri [port port-string] [sid sid]
Parameters
port port-string    (Optional) Specifies the port(s) for which to display Spanning Tree priority. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
sid sid             (Optional) Displays port priority for a specific Spanning Tree identifier. Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If port-string is not specified, port priority will be displayed for all Spanning Tree ports.
If sid is not specified, port priority will be displayed for Spanning Tree 0.
Mode
Switch command, read-only.
Example
This example shows how to display the port priority for ge.2.7:
C2(su)->show spantree portpri port ge.2.7
Port ge.2.7 has a Port Priority of 128 on SID 0
Syntax
set spantree portpri port-string priority [sid sid]
Parameters
port-string    Specifies the port(s) for which to set Spanning Tree port priority. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
priority       Specifies a number that represents the priority of a link in a Spanning Tree bridge. Valid values are from 0 to 240 (in increments of 16) with 0 indicating high priority.
sid sid        (Optional) Sets port priority for a specific Spanning Tree identifier. Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If sid is not specified, port priority will be set for Spanning Tree 0.
Mode
Switch command, read-write.
Example
This example shows how to set the priority of ge.1.3 to 240 on SID 1:
C2(su)->set spantree portpri ge.1.3 240 sid 1
Syntax
clear spantree portpri port-string [sid sid]
Parameters
port-string    Specifies the port(s) for which to set Spanning Tree port priority. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
sid sid        (Optional) Resets the port priority for a specific Spanning Tree identifier. Valid values are 0-4094. If not specified, SID 0 will be assumed.
Defaults
If sid is not specified, port priority will be set for Spanning Tree 0.
Mode
Switch command, read-write.
Example
This example shows how to reset the priority of ge.1.3 to 128 on SID 1:
C2(su)->clear spantree portpri ge.1.3 sid 1
Syntax
show spantree adminpathcost [port port-string] [sid sid]
Parameters
port port-string    (Optional) Displays the admin path cost value for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
sid sid             (Optional) Displays the admin path cost for a specific Spanning Tree identifier. Valid values are 0-4094. If not specified, SID 0 will be assumed.
Defaults
If port-string is not specified, admin path cost for all Spanning Tree ports will be displayed.
If sid is not specified, admin path cost for Spanning Tree 0 will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the admin path cost for ge.3.4 on SID 1:
C2(su)->show spantree adminpathcost port ge.3.4 sid 1
Port ge.3.4 has a Port Admin Path Cost of 0 on SID 1
Syntax
set spantree adminpathcost port-string cost [sid sid]
Parameters
port-string    Specifies the port(s) on which to set an admin path cost. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
cost           Specifies the port path cost. Valid values are 0-200000000.
sid sid        (Optional) Sets the admin path cost for a specific Spanning Tree identifier. Valid values are 0-4094. If not specified, SID 0 will be assumed.
Defaults
If sid is not specified, admin path cost will be set for Spanning Tree 0.
Mode
Switch command, read-write.
Example
This example shows how to set the admin path cost to 200 for ge.3.2 on SID 1:
C2(su)->set spantree adminpathcost ge.3.2 200 sid 1
Syntax
clear spantree adminpathcost port-string [sid sid]
Parameters
port-string    Specifies the port(s) for which to reset admin path cost. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
sid sid        (Optional) Resets the admin path cost for specific Spanning Tree(s). Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If sid is not specified, admin path cost will be reset for Spanning Tree 0.
Mode
Switch command, read-write.
Example
This example shows how to reset the admin path cost to 0 for ge.3.2 on SID 1:
C2(su)->clear spantree adminpathcost ge.3.2 sid 1
Syntax
show spantree adminedge [port port-string]
Parameters
port-string    (Optional) Displays edge port administrative status for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, edge port administrative status will be displayed for all Spanning Tree ports.
Mode
Switch command, read-only.
Example
This example shows how to display the edge port status for ge.3.2:
C2(su)->show spantree adminedge port ge.3.2
Port ge.3.2 has a Port Admin Edge of Edge-Port
Syntax
set spantree adminedge port-string {true | false}
Parameters
port-string     Specifies the edge port. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
true | false    Enables (true) or disables (false) the specified port as a Spanning Tree edge port.
Defaults
None.
Mode
Switch command, read-write.
Usage
The default behavior of the edge port administrative status begins with the value set to false initially after the device is powered up. If a Spanning Tree BPDU is not received on the port within a few seconds, the status setting changes to true.
Example
This example shows how to set ge.1.11 as an edge port:
C2(su)->set spantree adminedge ge.1.11 true
Syntax
clear spantree adminedge port-string
Parameters
port-string    Specifies port(s) on which to reset edge port status. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset ge.1.11 as a non-edge port:
C2(su)->clear spantree adminedge ge.1.11
Commands
For information about...                  Refer to page...
set spantree lp                           9-42
show spantree lp                          9-42
clear spantree lp                         9-43
show spantree lplock                      9-43
clear spantree lplock                     9-44
set spantree lpcapablepartner             9-45
show spantree lpcapablepartner            9-45
clear spantree lpcapablepartner           9-46
set spantree lpthreshold                  9-46
show spantree lpthreshold                 9-47
clear spantree lpthreshold                9-47
set spantree lpwindow                     9-48
show spantree lpwindow                    9-48
clear spantree lpwindow                   9-49
set spantree lptrapenable                 9-49
show spantree lptrapenable                9-50
clear spantree lptrapenable               9-50
set spantree disputedbpduthreshold        9-51
show spantree disputedbpduthreshold       9-52
clear spantree disputedbpduthreshold      9-52
show spantree nonforwardingreason         9-53
set spantree lp
Use this command to enable or disable the Loop Protect feature per port and optionally, per SID. The Loop Protect feature is disabled by default. See "Loop Protect" on page 2 for more information.
Syntax
set spantree lp port-string {enable | disable} [sid sid]
Parameters
port-string         Specifies port(s) on which to enable or disable the Loop Protect feature.
enable | disable    Enables or disables the feature on the specified port.
sid sid             (Optional) Enables or disables the feature for specific Spanning Tree(s). Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If no SID is specified, SID 0 is assumed.
Mode
Switch command, read-write.
Usage
Loop Protect takes precedence over per-port STP enable/disable (portAdmin). Normally portAdmin disabled would cause a port to go immediately to forwarding. If Loop Protect is enabled, that port should go to listening and remain there.
Note: The Loop Protect enable/disable settings for an MSTI port should match those for the CIST port.
Example
This example shows how to enable Loop Protect on ge.2.3:
C2(su)->set spantree lp ge.2.3 enable
show spantree lp
Use this command to display the Loop Protect status per port and/or per SID.
Syntax
show spantree lp [port port-string] [sid sid]
Parameters
port-string    (Optional) Specifies port(s) for which to display the Loop Protect feature status.
sid sid        (Optional) Specifies the specific Spanning Tree(s) for which to display the Loop Protect feature status. Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If no port-string is specified, status is displayed for all ports.
If no SID is specified, SID 0 is assumed.
Mode
Switch command, read-only.
Example
This example shows how to display Loop Protect status on ge.2.3:
C2(su)->show spantree lp port ge.2.3
LoopProtect is disabled on port ge.2.3 , SI
clear spantree lp
Use this command to return the Loop Protect status per port and optionally, per SID, to its default state of disabled.
Syntax
clear spantree lp port-string [sid sid]
Parameters
port-string    Specifies port(s) for which to clear the Loop Protect feature status.
sid sid        (Optional) Specifies the specific Spanning Tree(s) for which to clear the Loop Protect feature status. Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If no SID is specified, SID 0 is assumed.
Mode
Switch command, read-write.
Example
This example shows how to return the Loop Protect state on ge.2.3 to disabled:
C2(rw)->clear spantree lp port ge.2.3
Syntax
show spantree lplock [port port-string] [sid sid]
Parameters
port-string    (Optional) Specifies port(s) for which to display the Loop Protect lock status.
sid sid        (Optional) Specifies the specific Spanning Tree(s) for which to display the Loop Protect lock status. Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If no port-string is specified, status is displayed for all ports.
If no SID is specified, SID 0 is assumed.
Mode
Switch command, read-only.
Example
This example shows how to display Loop Protect lock status on ge.1.1:
C2(rw)->show spantree lplock port ge.1.1
The LoopProtect lock status for port ge.1.1 , SID 0 is UNLOCKED
Syntax
clear spantree lplock port-string [sid sid]
Parameters
port-string    Specifies port(s) for which to clear the Loop Protect lock.
sid sid        (Optional) Specifies the specific Spanning Tree(s) for which to clear the Loop Protect lock. Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If no SID is specified, SID 0 is assumed.
Mode
Switch command, read-only.
Example
This example shows how to clear Loop Protect lock from ge.1.1:
C2(rw)->show spantree lplock port ge.1.1
The LoopProtect lock status for port ge.1.1 , SID 0 is LOCKED
C2(rw)->clear spantree lplock ge.1.1
C2(rw)->show spantree lplock port ge.1.1
The LoopProtect lock status for port ge.1.1 , SID 0 is UNLOCKED
Syntax
set spantree lpcapablepartner port-string {true | false}
Parameters
port-string     Specifies port(s) for which to configure a Loop Protect capable link partner.
true | false    Specifies whether the link partner is capable (true) or not (false).
Defaults
None.
Mode
Switch command, read-write.
Usage
The default value for Loop Protect capable partner is false. If the port is configured with a Loop Protect capable partner (true), then the full functionality of the Loop Protect feature is used. If the value is false, then there is some ambiguity as to whether an Active Partner timeout is due to a loop protection event or is a normal situation due to the fact that the partner port does not transmit Alternate Agreement BPDUs. Therefore, a conservative approach is taken in that designated ports will not be allowed to forward unless receiving agreements from a port with root role.
This type of timeout will not be considered a loop protection event. Loop protection is maintained by keeping the port from forwarding, but since this is not considered a loop event it will not be factored into locking the port.
Example
This example shows how to set the Loop Protect capable partner to true for ge.1.1:
C2(rw)->set spantree lpcapablepartner ge.1.1 true
Syntax
show spantree lpcapablepartner [port port-string]
Parameters
port-string    (Optional) Specifies port(s) for which to display Loop Protect capability for its link partner.
Defaults
If no port-string is specified, Loop Protect capability for link partners is displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display the Loop Protect partner capability for ge.1.1:
C2(rw)->show spantree lpcapablepartner port ge.1.1
Link partner of port ge.1.1 is not LoopProtect-capable
Syntax
clear spantree lpcapablepartner port-string
Parameters
port-string    Specifies port(s) for which to clear their link partner's Loop Protect capability (reset to false).
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the Loop Protect partner capability for ge.1.1:
C2(rw)->clear spantree lpcapablepartner ge.1.1
Syntax
set spantree lpthreshold value
Parameters
value    Specifies the number of events that must occur during the event window in order to lock a port/SID. The default value is 3 events. A threshold of 0 specifies that ports will never be locked.
Defaults
None. The default event threshold is 3.
Mode
Switch command, read-write.
Usage
The Loop Protect event threshold is a global integer variable that provides protection in the case of intermittent failures. The default value is 3. If the event counter reaches the threshold within a given period (the event window), then the port, for the given SID, becomes locked (that is, held indefinitely in the blocking state). If the threshold is 0, the ports are never locked.
Example
This example shows how to set the Loop Protect threshold value to 4:
C2(rw)->set spantree lpthreshold 4
Syntax
show spantree lpthreshold
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the current Loop Protect threshold value:
C2(rw)->show spantree lpthreshold
The Loop Protect event threshold value is 4
Syntax
clear spantree lpthreshold
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the Loop Protect event threshold to the default of 3:
C2(rw)->clear spantree lpthreshold
Syntax
set spantree lpwindow value
Parameters
value    Specifies the number of seconds that comprise the period during which Loop Protect events are counted. The default event window is 180 seconds.
Defaults
None.
Mode
Switch command, read-write.
Usage
The Loop Protect Window is a timer value, in seconds, that defines a period during which Loop Protect events are counted. The default value is 180 seconds. If the timer is set to 0, the event counter is not reset until the Loop Protect event threshold is reached. If the threshold is reached, that constitutes a loop protection event.
Example
This example shows how to set the Loop Protect event window to 120 seconds:
C2(rw)->set spantree lpwindow 120
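How the event threshold (lpthreshold) and the event window (lpwindow) interact is easier to tune with a model. This is an added example, not Enterasys code: the names are hypothetical, and it assumes the window timer starts at the first counted event and that the counter is reset when the window expires, which the guide does not spell out.

```python
from typing import Iterable, Optional


class LoopProtectCounter:
    """Event counter for one port/SID, following the lpthreshold and lpwindow text."""

    def __init__(self, threshold: int = 3, window: int = 180):
        if threshold < 0 or window < 0:
            raise ValueError("threshold and window must not be negative")
        self.threshold = threshold     # 0 means ports are never locked
        self.window = window           # seconds; 0 means the counter is not reset
        self.count = 0
        self.window_start: Optional[float] = None
        self.locked = False

    def event(self, now: float) -> bool:
        """Record one Loop Protect event; return True if the port/SID is locked."""
        if self.locked:
            return True
        # Assumption: the window runs from the first counted event.
        expired = (self.window != 0 and self.window_start is not None
                   and now - self.window_start >= self.window)
        if expired:
            self.count = 0
            self.window_start = None
        if self.window_start is None:
            self.window_start = now
        self.count += 1
        if self.threshold != 0 and self.count >= self.threshold:
            self.locked = True         # held in blocking until the lock is cleared
            self.count = 0
            self.window_start = None
        return self.locked

    def clear_lock(self) -> None:
        """Models clearing the lock by hand (clear spantree lplock)."""
        self.locked = False


def first_lock_time(event_times: Iterable[float], threshold: int = 3,
                    window: int = 180) -> Optional[float]:
    """Return the time at which the port/SID locks, or None if it never does."""
    counter = LoopProtectCounter(threshold, window)
    for t in sorted(event_times):
        if counter.event(t):
            return t
    return None


if __name__ == "__main__":
    # Constructed event times, in seconds.
    print(first_lock_time([0, 100, 170]))            # three events inside 180 s
    print(first_lock_time([0, 100, 200]))            # third event after the window
    print(first_lock_time([0, 100, 200], window=0))  # window 0 never forgets
    print(first_lock_time([0, 1, 2, 3], threshold=0))
```

An intermittent fault that recurs more slowly than the window never locks the port unless the window is set to 0, so the window should be sized against the slowest failure pattern that still warrants a lock.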
Syntax
show spantree lpwindow
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the current Loop Protect window value:
C2(rw)->show spantree lpwindow
The Loop Protect event window is set to 120 seconds
Syntax
clear spantree lpwindow
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the Loop Protect event window to the default of 180 seconds:
C2(rw)->clear spantree lpwindow
Syntax
set spantree lptrapenable {enable | disable}
Parameters
enable | disable    Enables or disables the sending of Loop Protect traps. Default is disabled.
Defaults
None.
Mode
Switch command, read-write.
Usage
Loop Protect traps are sent when a Loop Protect event occurs, that is, when a port goes to listening due to not receiving BPDUs. The trap indicates port, SID and loop protection status.
Example
This example shows how to enable sending of Loop Protect traps:
C2(rw)->set spantree lptrapenable enable
Syntax
show spantree lptrapenable
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the current Loop Protect event notification status:
C2(rw)->show spantree lptrapenable
The Loop Protect event notification status is enable
Syntax
clear spantree lptrapenable
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the Loop Protect event notification state to the default of disabled.
C2(rw)->clear spantree lptrapenable
Syntax
set spantree disputedbpduthreshold value
Parameters
value    Specifies the number of disputed BPDUs that must be received on a given port/SID to cause a disputed BPDU trap to be sent. A threshold of 0 indicates that traps should not be sent. The default value is 0.
Defaults
None.
Mode
Switch command, read-write.
Usage
A disputed BPDU is one in which the flags field indicates a designated role and learning, and the priority vector is worse than that already held by the port. If a disputed BPDU is received the port is forced to the listening state. Refer to the 802.1Q-2005 standard, IEEE Standard for Local and Metropolitan Area Networks - Virtual Bridged Local Area Networks, for a full description of the dispute mechanism, which prevents looping in cases of one-way communication.
The disputed BPDU threshold is an integer variable that represents the number of disputed BPDUs that must be received on a given port/SID until a disputed BPDU trap is sent and a syslog message is issued. For example, if the threshold is 10, then a trap is issued when 10, 20, 30, and so on, disputed BPDUs have been received.
If the value is 0, traps are not sent. The trap indicates port, SID and total Disputed BPDU count. The default is 0.
Example
This example shows how to set the disputed BPDU threshold value to 5:
C2(rw)->set spantree disputedbpduthreshold 5
Syntax
show spantree disputedbpduthreshold
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the current disputed BPDU threshold:
C2(rw)->show spantree disputedbpduthreshold
The disputed BPDU threshold value is 0
Syntax
clear spantree disputedbpduthreshold
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the disputed BPDU threshold to the default of 0:
C2(rw)->clear spantree disputedbpduthreshold
Syntax
show spantree nonforwardingreason port-string [sid sid]
Parameters
port-string    Specifies port(s) for which to display the non-forwarding reason.
sid sid        (Optional) Specifies the specific Spanning Tree(s) for which to display the non-forwarding reason. Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If no port-string is specified, non-forwarding reason is displayed for all ports.
If no SID is specified, SID 0 is assumed.
Mode
Switch command, read-only.
Usage
Exceptional conditions causing a port to be placed in listening or blocking state include a Loop Protect event, receipt of disputed BPDUs, and loopback detection.
Example
This example shows how to display the non-forwarding reason on ge.1.1:
C2(rw)->show spantree nonforwardingreason port ge.1.1
The non-forwarding reason for port ge.1.1 on SID 0 is None
10
802.1Q VLAN Configuration
This chapter describes the SecureStack C2 system's capabilities to implement 802.1Q virtual LANs (VLANs).
For information about...                                          Refer to page...
VLAN Configuration Summary                                        10-1
Viewing VLANs                                                     10-2
Creating and Naming Static VLANs                                  10-5
Assigning Port VLAN IDs (PVIDs) and Ingress Filtering             10-8
Configuring the VLAN Egress List                                  10-13
Setting the Host VLAN                                             10-18
Enabling/Disabling GVRP (GARP VLAN Registration Protocol)         10-20
Set the PVID to the new VLAN.
    set port vlan ge.1.1 2 ("set port vlan" on page 10-9)
Add the port to the new VLAN's egress list.
    set vlan egress 2 ge.1.1 untagged ("set vlan egress" on page 10-15)
Remove the port from the default VLAN's egress list.
    clear vlan egress 1 ge.1.1 ("clear vlan egress" on page 10-15)
Assign host status to the VLAN.
    set host vlan 2 ("set host vlan" on page 10-18)
Set a private community name and access policy and confirm settings.
    set snmp community private ("set snmp community" on page 8-14)
    (Optional) show snmp community ("show snmp community" on page 8-13)
Viewing VLANs
Purpose
To display a list of VLANs currently configured on the device, to determine how one or more VLANs were created, the ports allowed and disallowed to transmit traffic belonging to VLAN(s), and if those ports will transmit the traffic with a VLAN tag included.
Command
For information about...    Refer to page...
show vlan                   10-3
show vlan
Use this command to display all information related to one or more VLANs.
Syntax
show vlan [static] [vlan-list] [portinfo [vlan vlan-list | vlan-name] [port portstring]]
Parameters
static                         (Optional) Displays information related to static VLANs. Static VLANs are manually created using the set vlan command ("set vlan" on page 10-5), SNMP MIBs, or the WebView management application. The default VLAN, VLAN 1, is always statically configured and can't be deleted. Only ports that use a specified VLAN as their default VLAN (PVID) will be displayed.
vlan-list                      (Optional) Displays information for a specific VLAN or range of VLANs.
portinfo                       (Optional) Displays VLAN attributes related to one or more ports.
vlan vlan-list | vlan-name     (Optional) Displays port information for one or more VLANs.
port port-string               (Optional) Displays port information for one or more ports.
Defaults
If no options are specified, all information related to static and dynamic VLANs will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display information for VLAN 1. In this case, VLAN 1 is named "DEFAULT VLAN". Ports allowed to transmit frames belonging to VLAN 1 are listed as egress ports. Ports that won't include a VLAN tag in their transmitted frames are listed as untagged ports. There are no forbidden ports (prevented from transmitting frames) on VLAN 1:
C2(su)->show vlan 1
VLAN: 1  NAME: DEFAULT VLAN
VLAN Type: Default
Egress Ports
ge.1.1-10, ge.2.1-4, ge.3.1-7,
Forbidden Egress Ports
None.
Untagged Ports
ge.1.1-10, ge.2.1-4, ge.3.1-7,
Table 10-2 provides an explanation of the command output.
Table 10-2
Output Field VLAN NAME Status VLAN Type Egress Ports
Commands
For information about...    Refer to page...
set vlan                    10-5
set vlan name               10-6
clear vlan                  10-6
clear vlan name             10-7
set vlan
Use this command to create a new static IEEE 802.1Q VLAN, or to enable or disable an existing VLAN.
Syntax
set vlan {create | enable | disable} vlan-list
Parameters
create | enable | disable    Creates, enables or disables VLAN(s).
vlan-list                    Specifies one or more VLAN IDs to be created, enabled or disabled.
Defaults
None.
Mode
Switch command, read-write.
Usage
Once a VLAN is created, you can assign it a name using the set vlan name command described in "set vlan name" on page 10-6.
Each VLAN ID must be unique. If a duplicate VLAN ID is entered, the device assumes that the Administrator intends to modify the existing VLAN.
Enter the VLAN ID using a unique number between 1 and 4093. The VLAN IDs of 0 and 4094 and higher may not be used for user-defined VLANs.
Examples
This example shows how to create VLAN 3:
C2(su)->set vlan create 3
Syntax
set vlan name vlan-list vlan-name
Parameters
vlan-list    Specifies the VLAN ID of the VLAN(s) to be named.
vlan-name    Specifies the string used as the name of the VLAN (1 to 32 characters).
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the name for VLAN 7 to green:
C2(su)->set vlan name 7 green
clear vlan
Use this command to remove a static VLAN from the list of VLANs recognized by the device.
Syntax
clear vlan vlan-list
Parameters
vlan-list    Specifies the VLAN ID of the VLAN(s) to be removed.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to remove a static VLAN 9 from the device's VLAN list:
C2(su)->clear vlan 9
Syntax
clear vlan name vlan-list
Parameters
vlan-list    Specifies the VLAN ID of the VLAN(s) for which the name will be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the name for VLAN 9:
C2(su)->clear vlan name 9
Commands
For information about...     Refer to page...
show port vlan               10-8
set port vlan                10-9
clear port vlan              10-9
show port ingress filter     10-10
set port ingress filter      10-11
show port discard            10-11
set port discard             10-12
Syntax
show port vlan [port-string]
Parameters
port-string    (Optional) Displays PVID information for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, port VLAN information for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display PVIDs assigned to ge.2.1 through 6. In this case, untagged frames received on these ports will be classified to VLAN 1:
C2(su)->show port vlan ge.2.1-6
ge.2.1 is set to 1
ge.2.2 is set to 1
ge.2.3 is set to 1
ge.2.4 is set to 1
Syntax
set port vlan port-string pvid [modify-egress | no-modify-egress]
Parameters
port-string         Specifies the port(s) for which to configure a VLAN identifier. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
pvid                Specifies the VLAN ID of the VLAN to which port(s) will be added.
modify-egress       (Optional) Adds port(s) to VLAN's untagged egress list and removes them from other untagged egress lists.
no-modify-egress    (Optional) Does not prompt for or make egress list changes.
Defaults
None.
Mode
Switch command, read-write.
Usage
The PVID is used to classify untagged frames as they ingress into a given port.
Example
This example shows how to add ge.1.10 to the port VLAN list of VLAN 4 (PVID 4).
C2(su)->set vlan create 4
C2(su)->set port vlan ge.1.10 4 modify-egress
Syntax
clear port vlan port-string
Parameters
port-string    Specifies the port(s) to be reset to the host VLAN ID 1. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset ports ge.1.3 through 11 to a VLAN ID of 1 (Host VLAN):
C2(su)->clear port vlan ge.1.3-11
Syntax
show port ingress-filter [port-string]
Parameters
port-string    (Optional) Specifies the port(s) for which to display ingress filtering status. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, ingress filtering status for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the port ingress filter status for ports 10 through 15 in slot 1. In this case, the ports are disabled for ingress filtering:
C2(su)->show port ingress-filter ge.1.10-15
Port      State
--------  ---------
ge.1.10   disabled
ge.1.11   disabled
ge.1.12   disabled
ge.1.13   disabled
ge.1.14   disabled
ge.1.15   disabled
Syntax
set port ingress-filter port-string {disable | enable}
Parameters
port-string         Specifies the port(s) on which to enable or disable ingress filtering. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
disable | enable    Disables or enables ingress filtering.
Defaults
None.
Mode
Switch command, read-write.
Usage
When ingress filtering is enabled on a port, the VLAN IDs of incoming frames are compared to the port's egress list. If the received VLAN ID does not match a VLAN ID on the port's egress list, then the frame is dropped.
Ingress filtering is implemented according to the IEEE 802.1Q standard.
Example
This example shows how to enable port ingress filtering on ge.1.3:
C2(su)->set port ingress-filter ge.1.3 enable
Syntax
show port discard [port-string]
Parameters
port-string    (Optional) Displays the frame discard mode for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, frame discard mode will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display the frame discard mode for ge.2.7. In this case, the port has been set to discard all tagged frames:
C2(su)->show port discard ge.2.7
Port          Discard Mode
------------  -------------
ge.2.7        tagged
Syntax
set port discard port-string {tagged | untagged | both | none}
Parameters
port-string    Specifies the port(s) for which to set frame discard mode. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
tagged         Discard all incoming (received) tagged packets on the defined port(s).
untagged       Discard all incoming untagged packets.
both           All traffic will be discarded (tagged and untagged).
none           No packets will be discarded.
Defaults
None.
Mode
Switch command, read-write.
Usage
The options are to discard all incoming tagged frames, all incoming untagged frames, neither (essentially allow all traffic), or both (essentially discarding all traffic).
A common practice is to discard all tagged packets on user ports. Typically an Administrator does not want the end users defining what VLAN they use for communication.
Example
This example shows how to discard all tagged frames received on port ge.3.3:
C2(su)->set port discard ge.3.3 tagged
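The PVID, ingress filtering and discard mode settings described in this section combine into one accept-or-drop decision per received frame. The model below is an added example, not Enterasys code: the names are hypothetical, the port profiles are constructed, and it assumes the discard mode is checked before ingress filtering and that filtering also applies to the PVID assigned to untagged frames.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

DISCARD_MODES = ("tagged", "untagged", "both", "none")


@dataclass
class PortConfig:
    """The per-port settings this section configures."""
    pvid: int = 1                      # set port vlan <port> <pvid>
    discard: str = "none"              # set port discard <port> <mode>
    ingress_filter: bool = False       # set port ingress-filter <port> enable
    egress_vlans: Set[int] = field(default_factory=lambda: {1})

    def __post_init__(self):
        if self.discard not in DISCARD_MODES:
            raise ValueError("discard must be one of %s" % (DISCARD_MODES,))


def ingress_decision(port: PortConfig,
                     frame_vid: Optional[int]) -> Tuple[str, Optional[int], str]:
    """Return (action, vlan, reason). frame_vid is None for an untagged frame."""
    tagged = frame_vid is not None
    if port.discard == "both":
        return ("drop", None, "discard mode both")
    if tagged and port.discard == "tagged":
        return ("drop", None, "discard mode tagged")
    if not tagged and port.discard == "untagged":
        return ("drop", None, "discard mode untagged")
    # Untagged frames are classified to the PVID; tagged frames keep their VLAN ID.
    vid = frame_vid if tagged else port.pvid
    if port.ingress_filter and vid not in port.egress_vlans:
        return ("drop", vid, "ingress filter: VLAN not on the port's egress list")
    return ("accept", vid, "tag" if tagged else "PVID")


# Constructed profiles for one user port that belongs only to VLAN 2.
PROFILES: Dict[str, PortConfig] = {
    "no-controls": PortConfig(pvid=2, egress_vlans={2}),
    "ingress-filter": PortConfig(pvid=2, egress_vlans={2}, ingress_filter=True),
    "discard-tagged": PortConfig(pvid=2, egress_vlans={2}, discard="tagged"),
}


def evaluate(frame_vid: Optional[int]) -> Dict[str, str]:
    """Action each profile takes for one frame (None means untagged)."""
    return {name: ingress_decision(cfg, frame_vid)[0]
            for name, cfg in PROFILES.items()}


if __name__ == "__main__":
    for vid in (None, 2, 10):
        print("frame VLAN tag:", vid, "->", evaluate(vid))
```

With neither control set, a frame carrying a tag for VLAN 10 is classified to VLAN 10 even though the port belongs only to VLAN 2; either ingress filtering or the tagged discard mode drops it, and the tagged discard mode also drops frames tagged with the port's own VLAN.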
Commands
For information about...     Refer to page...
show port egress             10-13
set vlan forbidden           10-14
set vlan egress              10-15
clear vlan egress            10-15
show vlan dynamicegress      10-16
set vlan dynamicegress       10-17
Syntax
show port egress [port-string]
Parameters
port-string    (Optional) Displays VLAN membership for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, VLAN membership will be displayed for all ports.
Mode
Switch command, read-write.
Example
This example shows you how to show VLAN egress information for ge.1.1 through 3. In this case, all three ports are allowed to transmit VLAN 1 frames as tagged and VLAN 10 frames as untagged. Both are static VLANs:
C2(su)->show port egress ge.1.1-3
Port       Vlan   Egress     Registration
Number     Id     Status     Status
-------------------------------------------------------
ge.1.1     1      tagged     static
ge.1.1     10     untagged   static
ge.1.2     1      tagged     static
ge.1.2     10     untagged   static
ge.1.3     1      tagged     static
ge.1.3     10     untagged   static
Syntax
set vlan forbidden vlan-id port-string
Parameters
vlan-id        Specifies the VLAN for which to set forbidden port(s).
port-string    Specifies the port(s) to set as forbidden for the specified vlan-id.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows you how to set ge.1.3 to forbidden for VLAN 6:
C2(su)->set vlan forbidden 6 ge.1.3
Syntax
set vlan egress vlan-list port-string [untagged | forbidden | tagged]
Parameters
vlan-list      Specifies the VLAN where a port(s) will be added to the egress list.
port-string    Specifies one or more ports to add to the VLAN egress list of the specified vlan-list. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
untagged | forbidden | tagged
    (Optional) Adds the specified ports as:
    untagged - Causes the port(s) to transmit frames without an IEEE 802.1Q header tag.
    forbidden - Instructs the device to ignore dynamic requests (either through GVRP or dynamic egress) from the port(s) to join the VLAN and disallows egress on that port.
    tagged - Causes the port(s) to transmit 802.1Q tagged frames.
Defaults
If untagged, forbidden or tagged is not specified, the port will be added to the VLAN egress list as tagged.
Mode
Switch command, read-write.
Examples
This example shows how to add ge.1.5 through 10 to the egress list of VLAN 7. This means that these ports will transmit VLAN 7 frames as tagged:
C2(su)->set vlan egress 7 ge.1.5-10 tagged
This example shows how to forbid ports 13 through 15 in slot 1 from joining VLAN 7 and disallow egress on those ports:
C2(su)->set vlan egress 7 ge.1.13-15 forbidden
This example shows how to allow port 2 in slot 1 to transmit VLAN 7 frames as untagged:
C2(su)->set vlan egress 7 ge.1.2 untagged
Syntax
clear vlan egress vlan-list port-string [forbidden]
Parameters
vlan-list      Specifies the number of the VLAN from which a port(s) will be removed from the egress list.
port-string    Specifies one or more ports to be removed from the VLAN egress list of the specified vlan-list. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
forbidden      (Optional) Clears the forbidden setting from the specified port(s) and resets the port(s) as able to egress frames if so configured by either static or dynamic means.
Defaults
If forbidden is not specified, tagged and untagged settings will be cleared.
Mode
Switch command, read-write.
Examples
This example shows how to remove ge.3.14 from the egress list of VLAN 9:
C2(su)->clear vlan egress 9 ge.3.14
This example shows how to remove all Ethernet ports in slot 2 from the egress list of VLAN 4:
C2(su)->clear vlan egress 4 ge.2.*
Syntax
show vlan dynamicegress [vlan-list]
Parameters
vlan-list      (Optional) Displays dynamic egress status for specific VLAN(s).
Defaults
If vlan-list is not specified, the dynamic egress status for all VLANs will be displayed.
Mode
Switch command, read-write.
Example
This example shows how to display the dynamic egress status for VLANs 50-55:
C2(rw)->show vlan dynamicegress 50-55
VLAN 50 is disabled
VLAN 51 is disabled
VLAN 52 is disabled
VLAN 53 is enabled
VLAN 54 is enabled
VLAN 55 is enabled
Syntax
set vlan dynamicegress vlan-list {enable | disable}
Parameters
vlan-list           Specifies the VLANs by ID to enable or disable dynamic egress.
enable | disable    Enables or disables dynamic egress.
Defaults
None.
Mode
Switch command, read-write.
Usage
If dynamic egress is enabled for a particular VLAN, when a port receives a frame tagged with that VLAN's ID, the switch will add the receiving port to that VLAN's egress list. Dynamic egress is disabled on the SecureStack C2 by default.
For example, assume you have 20 AppleTalk users on your network who are mobile users (that is, use different ports every day), but you want to keep the AppleTalk traffic isolated in its own VLAN. You can create an AppleTalk VLAN with a VLAN ID of 55 with a classification rule that all AppleTalk traffic gets tagged with VLAN ID 55. Then, you enable dynamic egress for VLAN 55. Now, when an AppleTalk user plugs into port ge.3.5 and sends an AppleTalk packet, the switch will tag the packet to VLAN 55 and also add port ge.3.5 to VLAN 55's egress list, which allows the AppleTalk user to receive AppleTalk traffic.
Example
This example shows how to enable dynamic egress on VLAN 55:
C2(rw)->set vlan dynamicegress 55 enable
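The ingress filter, frame discard and dynamic egress settings described in the preceding sections all act on the same received frame. The Python model below is an added example, not Enterasys code; the order of the checks, the use of the port's PVID for untagged frames and all port data are assumptions made for illustration.

```python
import copy
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    pvid: int = 1                 # VLAN for untagged frames (assumption: 802.1Q PVID)
    discard: str = "none"         # set port discard {tagged | untagged | both | none}
    ingress_filter: bool = False  # set port ingress-filter <port> enable
    # VLAN ID -> "tagged" | "untagged" | "forbidden" | "dynamic"
    egress: dict = field(default_factory=dict)


@dataclass
class Switch:
    # VLANs configured with: set vlan dynamicegress <vlan-list> enable
    dynamic_egress: set = field(default_factory=set)

    def receive(self, port, vid=None):
        """Model one received frame; vid=None means the frame is untagged.

        Returns (verdict, reason). The order of the three checks is an
        assumption of this model; the guide does not state it.
        """
        tagged = vid is not None
        # 1. Frame discard mode looks only at whether the frame carries a tag.
        if (port.discard == "both"
                or (tagged and port.discard == "tagged")
                or (not tagged and port.discard == "untagged")):
            return "drop", f"discard {port.discard}"

        vlan = vid if tagged else port.pvid
        status = port.egress.get(vlan)

        # 2. Dynamic egress adds the receiving port to the VLAN's egress list.
        #    A forbidden entry makes the switch ignore the dynamic request.
        if status is None and vlan in self.dynamic_egress:
            port.egress[vlan] = status = "dynamic"

        # 3. Ingress filtering drops frames whose VLAN is not on the egress list.
        if port.ingress_filter and status in (None, "forbidden"):
            return "drop", "ingress filter"
        return "accept", f"vlan {vlan}"


def vlans_accepted_tagged(switch, port, vids):
    """List the VLAN IDs for which a tagged frame on `port` would be accepted.

    Works on a copy of the port so the audit never changes egress lists.
    """
    accepted = []
    for vid in vids:
        verdict, _ = switch.receive(copy.deepcopy(port), vid)
        if verdict == "accept":
            accepted.append(vid)
    return accepted


def audit(switch, ports, vids):
    """Map each port name to the tagged VLANs it would currently accept."""
    return {p.name: vlans_accepted_tagged(switch, p, vids) for p in ports}


# Constructed sample inventory: four user ports on VLAN 10 with different settings.
SAMPLE_PORTS = [
    Port("ge.1.1", pvid=10, egress={10: "untagged"}),
    Port("ge.1.2", pvid=10, ingress_filter=True, egress={10: "untagged"}),
    Port("ge.1.3", pvid=10, ingress_filter=True,
         egress={10: "untagged", 55: "forbidden"}),
    Port("ge.1.4", pvid=10, discard="tagged", egress={10: "untagged"}),
]

if __name__ == "__main__":
    switch = Switch(dynamic_egress={55})
    for name, vlans in audit(switch, SAMPLE_PORTS, [7, 55]).items():
        print(f"{name}: accepts tagged frames for VLANs {vlans or 'none'}")
```

In this model, ingress filtering alone still lets a port join VLAN 55 through dynamic egress; only the forbidden setting or discarding tagged frames closes that path.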
Commands
For information about...      Refer to page...
show host vlan                10-18
set host vlan                 10-18
clear host vlan               10-19
Syntax
show host vlan
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the host VLAN:
C2(su)->show host vlan
Host vlan is 7.
Syntax
set host vlan vlan-id
Parameters
vlan-id        Specifies the number of the VLAN to set as the host VLAN.
Defaults
None.
Mode
Switch command, read-write.
Usage
The host VLAN should be a secure VLAN where only designated users are allowed access. For example, a host VLAN could be specifically created for device management. This would allow a management station connected to the management VLAN to manage all ports on the device and make management secure by preventing management via ports assigned to other VLANs.
Note: Before you can designate a VLAN as the host VLAN, you must create a VLAN using the set of commands described in Creating and Naming Static VLANs on page 10-5.
Example
This example shows how to set VLAN 7 as the host VLAN:
C2(su)->set host vlan 7
Syntax
clear host vlan
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the host VLAN to the default setting:
C2(su)->clear host vlan
Overview
The purpose of GVRP is to dynamically create VLANs across a switched network. When a VLAN is declared, the information is transmitted out GVRP-configured ports on the device in a GARP-formatted frame using the GVRP multicast MAC address. A switch that receives this frame examines the frame and extracts the VLAN IDs. GVRP then creates the VLANs and adds the receiving port to its tagged member list for the extracted VLAN ID(s). The information is then transmitted out the other GVRP-configured ports of the device. Figure 10-1 shows an example of how VLAN blue from end station A would be propagated across a switch network.
How It Works
In Figure 10-1 on page 10-21, Switch 4, port 1 is registered as being a member of VLAN Blue and then declares this fact out all its ports (2 and 3) to Switch 1 and Switch 2. These two devices register this in the port egress lists of the ports (Switch 1, port 1 and Switch 2, port 1) that received the frames with the information. Switch 2, which is connected to Switch 3 and Switch 5, declares the same information to those two devices and the port egress list of each port is updated with the new information, accordingly.
Configuring a VLAN on an 802.1Q switch creates a static VLAN entry. The entry will always remain registered and will not time out. However, dynamic entries will time out and their registrations will be removed from the member list if the end station A is removed. This ensures that, if switches are disconnected or if end stations are removed, the registered information remains accurate.
The end result is that the port egress list of a port is updated with information about VLANs that reside on that port, even if the actual station on the VLAN is several hops away.
Figure 10-1 [Diagram not reproduced. Surviving labels: Switch 1, Switch 4, Switch 5, End Station A; ports numbered 1 to 3 and marked R or D.]
Purpose
To dynamically create VLANs across a switched network. The GVRP command set is used to display GVRP configuration information, the current global GVRP state setting, individual port settings (enable or disable) and timer settings. By default, GVRP is enabled globally on the device, but disabled on all ports.
Commands
For information about...      Refer to page...
show gvrp                     10-22
show garp timer               10-22
set gvrp                      10-23
clear gvrp                    10-24
set garp timer                10-24
show gvrp
Use this command to display GVRP configuration information.
Syntax
show gvrp [port-string]
Parameters
port-string    (Optional) Displays GVRP configuration information for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, GVRP configuration information will be displayed for all ports and the device.
Mode
Switch command, read-only.
Example
This example shows how to display GVRP status for the device and for ge.2.1:
C2(su)->show gvrp ge.2.1
Global GVRP status is enabled.
Port Number  GVRP status
-----------  -----------
ge.2.1       disabled
Syntax
show garp timer [port-string]
Parameters
port-string    (Optional) Displays GARP timer information for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, GARP timer information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display GARP timer information on ports 1 through 10 in slot 1:
Note: For a functional description of the terms join, leave, and leaveall timers, refer to the standard IEEE 802.1Q documentation, which is not supplied with this device.
C2(su)->show garp timer ge.1.1-10
Port based GARP Configuration: (Timer units are centiseconds)
Port Number Join       Leave      Leaveall
----------- ---------- ---------- ----------
ge.1.1      20         60         1000
ge.1.2      20         60         1000
ge.1.3      20         60         1000
ge.1.4      20         60         1000
ge.1.5      20         60         1000
ge.1.6      20         60         1000
ge.1.7      20         60         1000
ge.1.8      20         60         1000
ge.1.9      20         60         1000
ge.1.10     20         60         1000
set gvrp
Use this command to enable or disable GVRP globally on the device or on one or more ports.
Syntax
set gvrp {enable | disable} [port-string]
Parameters
disable | enable    Disables or enables GVRP on the device.
port-string         (Optional) Disables or enables GVRP on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, GVRP will be disabled or enabled for all ports.
Mode
Switch command, read-write.
Examples
This example shows how to enable GVRP globally on the device:
C2(su)->set gvrp enable
This example shows how to disable GVRP globally on the device:
C2(su)->set gvrp disable
This example shows how to enable GVRP on ge.1.3:
C2(su)->set gvrp enable ge.1.3
clear gvrp
Use this command to clear GVRP status globally on the device or on one or more ports.
Syntax
clear gvrp [port-string]
Parameters
port-string    (Optional) Clears GVRP status on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, GVRP status will be cleared for all ports.
Mode
Switch command, read-write.
Example
This example shows how to clear GVRP status globally on the device:
C2(su)->clear gvrp
Syntax
set garp timer {[join timer-value] [leave timer-value] [leaveall timer-value]} port-string
Parameters
join timer-value     Sets the GARP join timer in centiseconds (Refer to 802.1Q standard.)
leave timer-value    Sets the GARP leave timer in centiseconds (Refer to 802.1Q standard.)
Defaults
None.
Mode
Switch command, read-write.
Usage
The setting of these timers is critical and should only be changed by personnel familiar with the 802.1Q standards documentation, which is not supplied with this device.
Examples
This example shows how to set the GARP join timer value to 100 centiseconds for all ports:
C2(su)->set garp timer join 100 *.*.*
This example shows how to set the leave timer value to 300 centiseconds for all ports:
C2(su)->set garp timer leave 300 *.*.*
This example shows how to set the leaveall timer value to 20000 centiseconds for all ports:
C2(su)->set garp timer leaveall 20000 *.*.*
11
Policy Classification Configuration
This chapter describes the Policy Classification set of commands and how to use them.
For information about...                        Refer to page...
Policy Classification Configuration Summary     11-1
Configuring Policy Profiles                     11-1
Configuring Classification Rules                11-6
Assigning Ports to Policy Profiles              11-15
Configuring Policy Class of Service (CoS)       11-17
Commands
For information about...      Refer to page...
show policy profile           11-2
set policy profile            11-3
clear policy profile          11-4
Syntax
show policy profile {all | profile-index [consecutive-pids] [-verbose]}
Parameters
all | profile-index    Displays policy information for all profile indexes or a specific profile index.
consecutive-pids       (Optional) Displays information for specified consecutive profile indexes.
-verbose               (Optional) Displays detailed information.
Defaults
If optional parameters are not specified, summary information will be displayed for the specified index or all indices.
Mode
Switch command, read-only.
Example
This example shows how to display policy information for profile 11:
C2(su)->show policy profile 11
Profile Index     : 11
Profile Name      : MacAuth1
Row Status        : active
Port VID Status   : Enable
Port VID Override : 11
CoS               : 0
CoS Status        : Disable
Egress Vlans      : none
Forbidden Vlans   : none
Untagged Vlans    : none
Rule Precedence   : 1-31
                  :MACSource(1),MACDest(2),Unknown(3),
                  :Unknown(4),Unknown(5),Unknown(6),
                  :Unknown(7),Unknown(8),Unknown(9),
                  :Unknown(10),Unknown(11),IPSource(12),
                  :IPDest(13),IPFrag(14),UDPSrcPort(15),
                  :UDPDestPort(16),TCPSrcPort(17),TCPDestPort(18),
                  :ICMPType(19),Unknown(20),IPTOS(21),
                  :IPProto(22),Unknown(23),Unknown(24),
                  :Ether(25),Unknown(26),VLANTag(27),
Admin Profile Usage      Ports administratively assigned to use this policy profile.
Oper Profile Usage       Ports currently assigned to use this policy profile.
Dynamic Profile Usage    Port dynamically assigned to use this policy profile.
Syntax
set policy profile profile-index [name name] [pvid-status {enable | disable}] [pvid pvid] [cos-status {enable | disable}] [cos cos] [precedence precedence-list]
Parameters
profile-index    Specifies an index number for the policy profile. Valid values are 1-255.
name name        (Optional) Specifies a name for the policy profile. This is a string from 1 to 64 characters.
pvid-status enable | disable
                 (Optional) Enables or disables PVID override for this profile. If all classification rules associated with this profile are missed, then this parameter, if specified, determines default behavior.
Defaults
If optional parameters are not specified, none will be applied.
Mode
Switch command, read-write.
Example
This example shows how to create a policy profile 1 named "netadmin" with PVID override enabled for PVID 10, and Class-of-Service override enabled for CoS 5:
C2(su)->set policy profile 1 name netadmin pvid-status enable pvid 10 cos-status enable cos 5
Syntax
clear policy profile profile-index
Parameters
profile-index    Specifies the index number of the profile entry to be deleted. Valid values are 1 to 255.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete policy profile 8:
C2(su)->clear policy profile 8
Commands
For information about...      Refer to page...
show policy rule              11-6
show policy capability        11-8
set policy rule               11-10
clear policy rule             11-13
clear policy all-rules        11-14
Syntax
show policy rule [all | admin-profile | profile-index] [ether | icmptype | ipproto | ipdestsocket | ipsourcesocket | iptos | macdest | macsource | tcpdestport | tcpsourceport | udpdestport | udpsourceport] [data] [mask mask] [port-string portstring] [rule-status {active | not-in-service | not-ready}] [storage-type {nonvolatile | volatile}] [vlan vlan] | [drop | forward] [dynamic-pid dynamic-pid] [cos cos] [admin-pid admin-pid] [-verbose] [usage-list] [display-if-used]
Parameters
all | admin-profile | profile-index
                  Displays policy classification rules for all profiles, the admin profile, or for a specific profile-index number. Valid values are 1-1023.
ether             Displays Ethernet type II rules.
icmptype          Displays ICMP type rules.
ipproto           Displays IP protocol field in IP packet rules.
ipdestsocket      Displays IP destination address rules.
ipsourcesocket    Displays IP source address rules.
iptos             Displays Type of Service rules.
macdest           Displays MAC destination address rules.
macsource         Displays MAC source address rules.
tcpdestport       Displays TCP destination port rules.
tcpsourceport     Displays TCP source port rules.
udpdestport       Displays UDP destination port rules.
udpsourceport     Displays UDP source port rules.
data              Displays rules for a predefined classifier. This value is dependent on the classification type entered. Refer to Table 11-3 for valid values for each classification type.
mask mask         (Optional) Displays rules for a specific data mask. Refer to Table 11-3 for valid values for each classification type and data value.
port-string port-string
                  (Optional) Displays rules related to a specific ingress port.
rule-status active | not-in-service | not-ready
                  (Optional) Displays rules related to a specific rules status.
storage-type nonvolatile | volatile
                  (Optional) Displays rules configured for either non-volatile or volatile storage.
vlan vlan         (Optional) Displays rules for a specific VLAN ID.
drop | forward    Displays rules based on whether matching packets will be dropped or forwarded.
dynamic-pid dynamic-pid
                  Displays rules associated with a specific dynamic policy ID.
cos cos           (Optional) Displays rules for a Class-of-Service value.
admin-pid admin-pid
                  Displays rules associated with a specific administrative policy ID [1..1023].
-verbose          (Optional) Displays detailed information.
usage-list        (Optional) If selected, each rule's usage-list shall be checked and shall display only those ports which have applied this rule.
display-if-used   (Optional) Displays rule(s) only if they are applied to at least one port.
Defaults
If -verbose is not specified, summary information will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display policy classification information for Ethernet type 2 rules:
C2(su)->show policy rule ether
|PID |Rule Type |Rule Data      |Mk|PortStr |RS|ST|VLAN|CoS |U|
|02  |Ether     |2048 (0x0800)  |16|All     | A|NV|fwrd|    |?|
|02  |Ether     |2049 (0x0801)  |16|All     | A|NV|drop|    |?|
|02  |Ether     |2989 (0x0bad)  |16|All     | A|NV|drop|    |?|
|02  |Ether     |33079 (0x8137) |16|All     | A|NV|drop|    |?|
This example shows how to display policy classification information for administrative rule 1:
C2(su)->show policy rule admin-pid 1
|Admin|Rule Type |Rule Data |Mk|PortStr |RS|ST|dPID|aPID|U|
|admin|Port      |ge.1.1    |16|ge.1.1  | A|NV|    |   1|?|
|admin|Port      |ge.1.2    |16|ge.1.2  | A|NV|    |   1|?|
|admin|Port      |ge.1.3    |16|ge.1.3  | A|NV|    |   1|?|
|admin|Port      |ge.1.4    |16|ge.1.4  | A|NV|    |   1|?|
|admin|Port      |ge.1.5    |16|ge.1.5  | A|NV|    |   1|?|
|admin|Port      |ge.1.6    |16|ge.1.6  | A|NV|    |   1|?|
|admin|Port      |ge.1.7    |16|ge.1.7  | A|NV|    |   1|?|
|admin|Port      |ge.1.8    |16|ge.1.8  | A|NV|    |   1|?|
|admin|Port      |ge.1.9    |16|ge.1.9  | A|NV|    |   1|?|
|admin|Port      |ge.1.10   |16|ge.1.10 | A|NV|    |   1|?|
|admin|Port      |ge.1.11   |16|ge.1.11 | A|NV|    |   1|?|
|admin|Port      |ge.1.12   |16|ge.1.12 | A|NV|    |   1|?|
Syntax
show policy capability
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
Use this command to display detailed policy classification capabilities supported by your SecureStack C2 device. The output of this command shows a table listing classifiable traffic attributes and the type of actions, by rule type, that can be executed relative to each attribute. Above the table is a list of all the actions possible on this device.
The left-most column of the table lists all possible classifiable traffic attributes. The next two columns from the left indicate how policy profiles may be assigned, either administratively or dynamically. The next four columns from the left indicate the actions that may be performed. The last three columns indicate auditing options.
An x in an action column for a traffic attribute row indicates that your system has the capability to perform that action for traffic classified by that attribute.
Example
This example shows how to display the device's policy classification capabilities. Refer to "set policy rule" on page 11-10 for a description of the parameters displayed:
C2(su)->show policy capability
The following supports related to policy are supported in this device:
VLAN Forwarding Priority Permit Deny Precedence Reordering Rules Table Rule-Use Notification Longest Prefix Rules
=============================================================
|                        | D |   |   |   |   | F |   |   | D |
|                        | Y |   |   |   |   | O | S |   | I |
|                        | N | A |   |   |   | R | Y |   | S |
|                        | A | D | V |   | D | W | S | T | A |
|                        | M | M | L | C | R | A | L | R | B |
|                        | I | I | A | O | O | R | O | A | L |
| SUPPORTED RULE TYPES   | C | N | N | S | P | D | G | P | E |
=============================================================
|MAC source address      |   |   |   | X | X | X |   |   |   |
|MAC destination address |   |   |   | X | X | X |   |   |   |
|IPX source address      |   |   |   |   |   |   |   |   |   |
|IPX destination address |   |   |   |   |   |   |   |   |   |
|IPX source socket       |   |   |   |   |   |   |   |   |   |
|IPX destination socket  |   |   |   |   |   |   |   |   |   |
|IPX transmission control|   |   |   |   |   |   |   |   |   |
|IPX type field          |   |   |   |   |   |   |   |   |   |
|IPv6 source address     |   |   |   |   |   |   |   |   |   |
|IPv6 destination address|   |   |   |   |   |   |   |   |   |
|IPv6 flow label         |   |   |   |   |   |   |   |   |   |
|IP source address       |   |   |   | X | X | X |   |   |   |
|IP destination address  |   |   |   | X | X | X |   |   |   |
|IP fragmentation        |   |   |   |   |   |   |   |   |   |
|UDP port source         |   |   |   | X | X | X |   |   |   |
|UDP port destination    |   |   |   | X | X | X |   |   |   |
|TCP port source         |   |   |   | X | X | X |   |   |   |
|TCP port destination    |   |   |   | X | X | X |   |   |   |
|ICMP packet type        |   |   |   | X | X | X |   |   |   |
|TTL                     |   |   |   |   |   |   |   |   |   |
|IP type of service      |   |   |   | X | X | X |   |   |   |
|IP proto                |   |   |   | X | X | X |   |   |   |
|Ether II packet type    |   |   | X | X | X | X |   |   |   |
|LLC DSAP/SSAP/CTRL      |   |   |   |   |   |   |   |   |   |
|VLAN tag                |   |   |   |   |   |   |   |   |   |
|Replace tci             |   |   |   |   |   |   |   |   |   |
|Port string             | X | X | X | X | X | X |   |   |   |
=============================================================
Syntax
This command has two forms of syntax: one to create an admin rule, and the other to create a traffic classification rule and attach it to a policy profile.
set policy rule admin-profile {vlantag data [mask mask] admin-pid profile-index} [port-string port-string]
set policy rule profile-index {ether | icmptype | ipproto | ipdestsocket | ipsourcesocket | iptos | macdest | macsource | tcpdestport | tcpsourceport | udpdestport | udpsourceport} data [mask mask] {[vlan vlan] [cos cos] | [drop | forward]}
Parameters
The following parameters apply to creating an admin rule. See the Usage section below for more information about admin rules.
admin-profile     Specifies that this is an admin rule.
vlantag data      Classifies based on VLAN tag specified by data. Value of data can range from 1 to 4094 or 0xFFF.
mask mask         (Optional) Specifies the number of significant bits to match, dependent on the data value entered. Value of mask can range from 1 to 12. Refer to Table 11-3 for valid values for each classification type and data value.
admin-pid profile-index
                  Associates this admin rule with a policy profile, identified by its index number. Policy profiles are configured with the set policy profile command as described in "set policy profile" on page 11-3. Valid profile-index values are 1-255.
port-string port-string
                  (Optional) Assigns this rule with the specified policy profile on specific ingress port(s). Rule would not be used until policy is assigned to the specified port(s) using the set policy port command as described in "set policy port" on page 11-15.
The following parameters apply to creating a traffic classification rule.
profile-index     Specifies a policy profile number to which this rule will be assigned. Policy profiles are configured with the set policy profile command as described in "set policy profile" on page 11-3. Valid profile-index values are 1-255.
ether             Specifies that the rule should apply to traffic with the specified type field in Ethernet II packet.
icmptype          Classifies based on ICMP type.
ipproto           Specifies that the rule should apply to traffic with the specified Protocol field in IP packet.
ipdestsocket      Specifies that the rule should apply to traffic with the specified destination IP address with optional post-fixed port.
ipsourcesocket    Specifies that the rule should apply to traffic with the specified source IP address, with optional post-fixed port.
iptos             Specifies that the rule should apply to traffic with the specified Type of Service field in IP packet.
macdest           Specifies that the rule should apply to traffic with the specified MAC destination address.
macsource         Specifies that the rule should apply to traffic with the specified MAC source address.
tcpdestport       Specifies that the rule should apply to traffic with the specified TCP destination port.
tcpsourceport     Specifies that the rule should apply to traffic with the specified TCP source port.
udpdestport       Specifies that the rule should apply to traffic with the specified UDP destination port.
udpsourceport     Specifies that the rule should apply to traffic with the specified UDP source port.
data              Specifies the code for the specified traffic classifier (listed above). This value is dependent on the classification type entered. Refer to Table 11-3 for valid values for each classification type.
mask mask         (Optional) Specifies the number of significant bits to match, dependent on the data value entered. Refer to Table 11-3 for valid values for each classification type and data value.
vlan vlan         Specifies the action of the rule is to classify to a VLAN ID.
cos cos           Specifies the action of the rule is to classify to a Class-of-Service ID. Valid values are 0-4095. A value of -1 indicates that no CoS forwarding behavior modification is desired. (Not supported on B3, C3, and G3.)
drop | forward    Specifies that packets within this classification will be dropped or forwarded.
Defaults
None.
Mode
Switch command, read-write.
Usage
An admin rule can be used to map incoming tagged frames to a policy role (profile). There can be only one admin rule configured per system (stack). Typically, this rule is used to implement the "User + IP phone" feature. Refer to "Configuring Multi-User Authentication (User + IP phone)" on page 23-33 for more information. You would configure a policy profile/role for IP phones (for example, assigning the traffic to a "voice" VLAN), then associate that policy profile with the admin rule, and associate the admin rule with the desired ports. Users authenticating over the same port will typically use a dynamically assigned policy role.
A policy classification rule has two main parts: Traffic Description and Actions. The Traffic Description identifies the type of traffic to which the rule will pertain. Actions specify whether that traffic will be assigned class of service, assigned to a VLAN, or both.
Table 11-3 provides the set policy rule data values that can be entered for a particular parameter, and the mask bits that can be entered for each classifier associated with that parameter.
Table 11-3 Valid Values for Policy Classification Rules
Classification Rule Parameter | data value | mask bits
ether | Type field in Ethernet II packet: 1536 - 65535 or 0x600 - 0xFFFF | Not applicable.
icmptype | ICMP Type: a.b | Not applicable.
ipproto | Protocol field in IP packet: 0 - 255 or 0 - 0xFF | Not applicable.
Destination or Source IP Address: ipdestsocket, ipsourcesocket | IP Address in dotted decimal format: 000.000.000.000 and (Optional) post-fixed port: 0 - 65535 | 1 - 48
iptos | Type of Service field in IP packet: 0 - 252 or 0 - 0xFC | Not applicable.
Destination or Source MAC: macdest, macsource | MAC Address: 00-00-00-00-00-00 | 1 - 48
Destination or Source TCP port: tcpdestport, tcpsourceport | TCP Port Number: 0 - 65535 or 0 - 0xFFFF | 1 - 16
Destination or Source UDP port: udpsourceport, udpdestport | UDP Port Number: 0 - 65535 or 0 - 0xFFFF | 1 - 16
vlantag | VLAN tag: 1 - 4094 | Not applicable.
Examples
This example shows how to use Table 11-3 to assign a rule to policy profile 3 that will filter Ethernet II Type 1526 frames to VLAN 7:
C2(su)->set policy rule 3 ether 1526 vlan 7
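How the mask length changes what a set policy rule entry covers, as an added Python example (not Enterasys code). It assumes that mask counts leading (most significant) bits and that an omitted mask means an exact match; the rule lines and the MAC address are constructed samples.

```python
# Field width in bits for the classifiers whose mask range Table 11-3
# gives unambiguously (MAC address: 1 - 48, TCP/UDP port: 1 - 16).
FIELD_BITS = {
    "macsource": 48, "macdest": 48,
    "tcpsourceport": 16, "tcpdestport": 16,
    "udpsourceport": 16, "udpdestport": 16,
}


def parse_data(kind, text):
    """Turn a rule's data string into an integer of the field's width."""
    if kind.startswith("mac"):
        octets = text.split("-")
        if len(octets) != 6 or any(len(o) != 2 for o in octets):
            raise ValueError(f"bad MAC address: {text}")
        return int("".join(octets), 16)
    value = int(text, 0)  # accepts decimal (80) or hex (0x50)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"port out of range: {text}")
    return value


def covered_range(kind, data, mask=None):
    """Return (low, high): the span of field values the rule matches."""
    width = FIELD_BITS[kind]
    mask = width if mask is None else mask  # assumption: no mask = exact match
    if not 1 <= mask <= width:
        raise ValueError(f"mask for {kind} must be 1 - {width}")
    free = width - mask                     # trailing bits that are not compared
    low = (parse_data(kind, data) >> free) << free
    return low, low | ((1 << free) - 1)


def rule_matches(kind, data, mask, candidate):
    """True if `candidate` falls inside the span covered by the rule."""
    low, high = covered_range(kind, data, mask)
    return low <= parse_data(kind, candidate) <= high


def widened_rules(lines):
    """Report rules whose mask makes them cover more than the value typed."""
    findings = []
    for line in lines:
        tok = line.split()          # set policy rule <index> <kind> <data> ...
        kind, data = tok[4], tok[5]
        mask = int(tok[tok.index("mask") + 1]) if "mask" in tok else None
        low, high = covered_range(kind, data, mask)
        if high > low:
            findings.append((line, low, high))
    return findings


# Constructed rule lines following the set policy rule syntax above.
SAMPLE_RULES = [
    "set policy rule 5 tcpdestport 80 mask 16 forward",
    "set policy rule 5 tcpdestport 80 mask 12 forward",
    "set policy rule 5 udpdestport 67 drop",
    "set policy rule 6 macsource 00-01-F4-00-00-00 mask 24 vlan 7",
]

if __name__ == "__main__":
    for line, low, high in widened_rules(SAMPLE_RULES):
        print(f"{line}\n    covers {low:#x} - {high:#x}")
```

Under these assumptions a forward rule for TCP port 80 with mask 12 also forwards ports 81 through 95, which is worth checking before a short mask is used on a drop or forward rule.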
Syntax
This command has two forms of syntax: one to clear an admin rule (for policy ID 0), and the other to clear a classification rule.
clear policy rule admin-profile {vlantag data [mask mask]}
clear policy rule profile-index {all-pid-entries | {ether | icmptype | ipproto | ipdestsocket | ipsourcesocket | iptos | macdest | macsource | tcpdestport | tcpsourceport | udpdestport | udpsourceport}}
Parameters
The following parameters apply to deleting an admin rule.
admin-profile     Specifies that the rule to be deleted is an admin rule for policy ID 0.
vlantag data      Deletes the rule based on VLAN tag specified by data. Value of data can range from 1 to 4094 or 0xFFF.
mask mask         (Optional) Specifies the number of significant bits to match, dependent on the data value entered. Value of mask can range from 1 to 12. Refer to Table 11-3 for valid values for each classification type and data value.
The following parameters apply to deleting a classification rule.
profile-index     Specifies a policy profile for which to delete classification rules. Valid profile-index values are 1-255.
all-pid-entries   Deletes all entries associated with the specified policy profile.
ether             Deletes associated Ethernet II classification rule.
icmptype          Deletes associated ICMP classification rule.
ipproto           Deletes associated IP protocol classification rule.
ipdestsocket      Deletes associated IP destination classification rule.
ipsourcesocket    Deletes associated IP source classification rule.
iptos             Deletes associated IP Type of Service classification rule.
macdest           Deletes associated MAC destination address classification rule.
macsource         Deletes associated MAC source address classification rule.
tcpdestport       Deletes associated TCP destination port classification rule.
tcpsourceport     Deletes associated TCP source port classification rule.
udpdestport       Deletes associated UDP destination port classification rule.
udpsourceport     Deletes associated UDP source port classification rule.
Defaults
When applicable, data and mask must be specified for individual rules to be cleared.
Mode
Switch command, read-write.
Examples
This example shows how to delete Ethernet II Type 1526 classification rule entries associated with policy profile 1 from all ports:
C2(su)->clear policy rule 1 ether 1526
This example shows how to remove a rule from policy profile 5 that will forward UDP frames from source port 45:
C2(su)->clear policy rule 5 udpsourceport 45 forward
Syntax
clear policy all-rules
Parameters
None.
Defaults
None.
Mode
Switchcommand,readwrite.
Example
This example shows how to remove all administrative and policy index rules:
C2(su)->clear policy all-rules
Purpose
To assign and unassign ports to policy profiles.
Commands
For information about...      Refer to page...
set policy port               11-15
clear policy port             11-16
Syntax
set policy port port-string profile-index
Parameters
port-string      Specifies the port(s) to add to the policy profile. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
profile-index    Specifies the ID of the policy profile (role) to which the port(s) will be added. This value must match the profile-index value assigned using the set policy profile command ("set policy profile" on page 11-3) in order for a policy profile to be active on the specified port.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to allow Gigabit Ethernet ports 5 through 15 in slot 1 to transmit frames according to policy profile 1:
C2(su)->set policy port ge.1.5-15 1
Syntax
clear policy port port-string profile-index
Parameters
port-string      Specifies the port(s) from which to remove the policy profile. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
profile-index    Specifies the ID of the policy profile (role) to which the port(s) will be added. This value must match the profile-index value assigned using the set policy profile command ("set policy profile" on page 11-3) in order for a policy profile to be active on the specified port.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to remove policy profile 10 from port 21 in slot 1:
C2(rw)->clear policy port ge.1.21 10
The SecureStack C2 supports Class of Service (CoS), which allows you to assign mission-critical data to a higher priority through the device by delaying less critical traffic during periods of congestion. The higher priority traffic going through the device is serviced first (before lower priority traffic). The Class of Service capability of the device is implemented by a priority queueing mechanism. Class of Service is based on the IEEE 802.1D (802.1p) standard specification, and allows you to define eight priorities (0-7, with 7 granted highest priority) and up to 8 transmit queues (0-7) for each port.
By default, policy-based CoS is disabled on the device, and default or user-assigned port-based 802.1D (802.1p) settings are used to determine traffic prioritization. When policy-based CoS is enabled, the default and user-assigned policy-based settings will override port-based settings described in Chapter 12.
Class of Service functionality can also be used to control broadcast, unknown unicast, and/or multicast flooding. This feature prevents configured ports from being disrupted by a traffic storm by rate-limiting specific types of packets through those ports. Refer to "About CoS-Based Flood Control" on page 11-19 for more information.
Note: Unlike CoS-based rate limiting, CoS-based flood control does not require a policy license on SecureStack B2 and B3 switches or on standalone D2 switches.
Example
This example creates different inbound rate limiters for two port groups and then assigns them to traffic with a CoS setting of 0.
1. Configure two port groups, one for user ports and one for uplink ports and assign ports to the groups. Port group 1.0 will represent user ports, group 2.0 will represent uplink ports.
C2(su)->set cos port-config irl 1.0 name Users ports ge.1.1-46
C2(su)->set cos port-config irl 2.0 name Uplink ports ge.1.47-48
C2(su)->show cos port-config
Inbound Rate Limiting Port Configuration Entries
----------------------------------------------------------------------
Port Group Name :Default
Port Group      :0
Port Type       :0
Assigned Ports  :none
----------------------------------------------------------------------
Port Group Name :Users
Port Group      :1
Port Type       :0
Assigned Ports  :ge.1.1-46
----------------------------------------------------------------------
Port Group Name :Uplink
Port Group      :2
Port Type       :0
Assigned Ports  :ge.1.47-48
----------------------------------------------------------------------
2.
3. In the CoS IRL reference mapping table for each port group, create a reference for each IRL resource created in the previous step. We will use reference number 1.
C2(su)->set cos reference irl 1.0 1 rate-limit 1
C2(su)->set cos reference irl 2.0 1 rate-limit 1
C2(su)->show cos reference irl 1.0
Group Index Reference Type Rate Limiter
----------- --------- ---- ------------
1.0         0         irl  none
1.0         1         irl  1
1.0         2         irl  none
1.0         3         irl  none
...
1.0         97        irl  none
1.0         98        irl  none
1.0         99        irl  none
C2(su)->show cos reference irl 2.0
Group Index Reference Type Rate Limiter
----------- --------- ---- ------------
2.0         0         irl  none
2.0         1         irl  1
2 3 97 98 99
4. In the CoS settings table, configure a CoS setting for CoS index 1, which has a priority of 0. We enter the IRL reference created in the previous step.
C2(su)->set cos settings 0 irl-reference 1
C2(su)->show cos settings
CoS Index Priority   ToS     IRL
--------- ---------- ------- -----
0         0          *       1
1         1          *       *
2         2          *       *
3         3          *       *
4         4          *       *
5         5          *       *
6         6          *       *
7         7          *       *
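The chain walked through above (port group, IRL resource, IRL reference, CoS setting) can be checked offline before a configuration is pushed. The following is an added example, not Enterasys code: the function names, the 512 and 10000 Kbps rates, and the deliberately dangling reference in the sample are assumptions made for illustration, and the command forms are the ones documented in this chapter.

```python
import re

# Constructed sample configuration (rates and the last reference are assumed values).
SAMPLE_CONFIG = """\
C2(su)->set cos state enable
C2(su)->set cos port-config irl 1.0 name Users ports ge.1.1-46
C2(su)->set cos port-config irl 2.0 name Uplink ports ge.1.47-48
C2(su)->set cos port-resource irl 1.0 1 unit kbps rate 512 type drop
C2(su)->set cos port-resource irl 2.0 1 unit kbps rate 10000 type drop
C2(su)->set cos reference irl 1.0 1 rate-limit 1
C2(su)->set cos reference irl 2.0 1 rate-limit 1
C2(su)->set cos reference irl 2.0 2 rate-limit 7
C2(su)->set cos settings 0 irl-reference 1
"""


def expand_ports(portlist):
    """Expand a port string such as 'ge.1.1-46' or 'ge.1.2;ge.2.2' into a set."""
    ports = set()
    for item in portlist.split(";"):
        m = re.fullmatch(r"(\w+\.\d+\.)(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"unsupported port string: {item!r}")
        first = int(m.group(2))
        last = int(m.group(3) or first)
        ports.update(f"{m.group(1)}{n}" for n in range(first, last + 1))
    return ports


def parse_config(text):
    """Build the four CoS tables from 'set cos ...' command lines."""
    cfg = {"enabled": False, "groups": {}, "resources": {},
           "references": {}, "settings": {}}
    for raw in text.splitlines():
        t = raw.split("->", 1)[-1].split()  # drop a prompt such as "C2(su)->"
        if len(t) < 4 or t[:2] != ["set", "cos"]:
            continue
        if t[2] == "state":
            cfg["enabled"] = t[3] == "enable"
        elif t[2:4] == ["port-config", "irl"] and "ports" in t:
            cfg["groups"][t[4]] = expand_ports(t[t.index("ports") + 1])
        elif t[2:4] == ["port-resource", "irl"] and "rate" in t:
            cfg["resources"][(t[4], int(t[5]))] = int(t[t.index("rate") + 1])
        elif t[2:4] == ["reference", "irl"]:
            cfg["references"][(t[4], int(t[5]))] = int(t[t.index("rate-limit") + 1])
        elif t[2] == "settings" and "irl-reference" in t:
            cfg["settings"][int(t[3])] = int(t[t.index("irl-reference") + 1])
    return cfg


def group_of(cfg, port):
    """Ports not assigned to a configured group stay in default group 0.0."""
    for group, ports in cfg["groups"].items():
        if port in ports:
            return group
    return "0.0"


def effective_rate(cfg, port, cos_index):
    """Return the inbound limit in Kbps for this port and CoS index, or None."""
    if not cfg["enabled"]:
        return None
    ref = cfg["settings"].get(cos_index)
    if ref is None:
        return None
    group = group_of(cfg, port)
    irl_index = cfg["references"].get((group, ref))
    if irl_index is None:
        return None
    return cfg["resources"].get((group, irl_index))


def dangling_references(cfg):
    """References that point at an IRL resource with no rate configured."""
    return sorted((g, ref, irl) for (g, ref), irl in cfg["references"].items()
                  if (g, irl) not in cfg["resources"])


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for port in ("ge.1.10", "ge.1.47", "ge.2.5"):
        print(port, "CoS 0 ->", effective_rate(cfg, port, 0))
    print("dangling:", dangling_references(cfg))
```

A port that resolves to None is not rate limited for that CoS index, which is the case for any port left in default group 0.0 when no reference is configured there.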
Note: CoS-based flood control does not require a policy license on SecureStack B2 and B3 switches or on standalone D2 switches.
CoS-based flood control prevents configured ports from being disrupted by a traffic storm by rate limiting specific types of packets through those ports. When flood control is enabled on a port, incoming traffic is monitored over one-second intervals. During an interval, the incoming traffic level for each configured traffic type is compared with the configured traffic storm control level, specified as a percentage of the total available bandwidth of the link. The default threshold is 5% of link speed.
If, during a one-second interval, the incoming traffic of a configured type reaches the traffic storm control level configured on the port, CoS-based flood control drops the traffic until the interval ends. Packets are then allowed to flow again until the limit is again reached.
The following procedure describes the steps and commands required to configure CoS-based flood control.
Procedure 11-2
Step  Task                                                                Command(s)
1.    Enable CoS.                                                         set cos state enable
2.    Create a CoS flood control port resource, which specifies flood     set cos port-resource flood-ctrl
      control rate limiters that can be mapped to specific ports.
3.    Assign the flood control resource to specific ports.
Example
This example creates a broadcast rate limiter (index 1.0) of 5 packets per second and assigns it to ports ge.1.2 and ge.2.2.
C2(su)->set cos state enable
C2(su)->set cos port-resource flood-ctrl 1.0 broadcast rate 5
C2(su)->set cos port-config flood-ctrl 1.0 ports ge.1.2;ge.2.2 append
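The per-interval behaviour described above can be modelled to see what a limit such as 5 broadcast packets per second does to other broadcast traffic arriving in the same second. This is an added simulation, not switch code: the function names, the frame labels and the timestamps are constructed, and aligning the one-second intervals to whole seconds is an assumption.

```python
from collections import Counter

INTERVAL_MS = 1000  # traffic is monitored over one-second intervals


def flood_control(frames, limits_pps):
    """Apply per-type packet budgets to frames within each one-second interval.

    frames:     iterable of (timestamp_ms, traffic_type, label)
    limits_pps: e.g. {"broadcast": 5}; types without a limiter are never dropped
    Returns a list of (timestamp_ms, traffic_type, label, verdict).
    """
    forwarded = Counter()  # (interval number, traffic type) -> frames forwarded
    result = []
    for ts, kind, label in sorted(frames):
        limit = limits_pps.get(kind)
        key = (ts // INTERVAL_MS, kind)
        if limit is not None and forwarded[key] >= limit:
            verdict = "drop"      # budget used up: dropped until the interval ends
        else:
            forwarded[key] += 1   # budget resets when the next interval starts
            verdict = "forward"
        result.append((ts, kind, label, verdict))
    return result


def summarize(result):
    """Count verdicts per (interval number, traffic type)."""
    summary = {}
    for ts, kind, _label, verdict in result:
        summary.setdefault((ts // INTERVAL_MS, kind), Counter())[verdict] += 1
    return summary


# Constructed input: a burst of 20 broadcasts in the first second, two ARP
# requests from ordinary hosts, and one multicast frame (no limiter configured).
SAMPLE_FRAMES = (
    [(i * 40, "broadcast", "storm") for i in range(20)]
    + [(900, "broadcast", "arp-host-a"),
       (1100, "broadcast", "arp-host-b"),
       (500, "multicast", "stream")]
)

if __name__ == "__main__":
    verdicts = flood_control(SAMPLE_FRAMES, {"broadcast": 5})
    for key, counts in sorted(summarize(verdicts).items()):
        print(key, dict(counts))
```

In this model the ARP request at 900 ms is dropped along with the burst, while the one at 1100 ms passes because a new interval has started, which is worth keeping in mind when choosing a very low rate.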
Commands
For information about...        Refer to page...
set cos state                   11-20
show cos state                  11-21
clear cos state                 11-21
set cos settings                11-22
clear cos settings              11-23
show cos settings               11-23
set cos port-config             11-24
show cos port-config            11-25
clear cos port-config           11-26
set cos port-resource irl       11-27
show cos port-resource          11-29
clear cos port-resource irl     11-30
set cos reference               11-31
show cos reference              11-32
clear cos reference             11-33
show cos unit                   11-34
clear cos all-entries           11-35
show cos port-type              11-35
Syntax
set cos state {enable | disable}
Parameters
enable | disable    Enables or disables Class of Service on the switch. Default state is disabled.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable Class of Service:
C2(rw)->set cos state enable
Syntax
show cos state
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to show the Class of Service enable state:
C2(rw)->show cos state
Class-of-Service application is enabled
Syntax
clear cos state
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the CoS state back to its default setting of disabled:
C2(su)->clear cos state
Syntax
set cos settings cos-index priority priority [tos-value tos-value] [irl-reference irl-reference]
Parameters
cos-index                     Specifies a Class of Service entry. Valid values are 0 to 255.
priority priority             Specifies an 802.1d priority value. Valid values are 0 to 7, with 0 being the lowest priority. See Usage section below for more information.
tos-value tos-value           (Optional) Specifies a Type of Service value. Valid values are 0 to 255. See Usage section below for more information.
irl-reference irl-reference   (Optional) Set the inbound rate limiter associated with this entry. Valid values are 0 to 99. See Usage section below for more information.
Defaults
If no optional parameters are specified, none will be applied.
Mode
Switch command, read-write.
Usage
The CoS settings table takes individual class of service features and displays them as belonging to a CoS entry. Essentially, it is used for CoS feature assignment. Each class of service entry consists of an index, 802.1p priority, an optional ToS value, and an IRL reference.
CoS Index: Indexes are unique identifiers for each CoS setting. CoS indexes 0 through 7 are created by default and mapped directly to 802.1p priority for backwards compatibility. These entries cannot be removed, and 802.1p priority values cannot be changed. When CoS is enabled, indexes are assigned. Up to 256 CoS indexes or entries can be configured.
Priority: 802.1p priority can be applied per CoS index. For each new CoS index created, the user has the option to assign an 802.1p priority value 0 to 7 for the class of service. CoS indexes 0 through 7 map directly to 802.1p priorities and cannot be changed as they exist for backward compatibility.
ToS: This value can be set per class of service, but is not required. When a frame is assigned to a class of service for which this value is configured, the ToS field of the incoming IP packet will be overwritten to the user-defined value. All but the last two bits of the ToS field are rewritable. ToS can be set for CoS indexes 0 through 7.
Example
This example shows how to create CoS entry 8 with a priority value of 3:
C2(rw)->set cos settings 8 priority 3
Syntax
clear cos settings cos-list {[all] | [priority] [tos-value] [irl-reference]}
Parameters
cos-list         Specifies a Class of Service entry to clear.
all              Clears all settings associated with this entry.
priority         Clears the priority value associated with this entry.
tos-value        Clears the Type of Service value associated with this entry.
irl-reference    Clear the IRL reference associated with this entry.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the priority for CoS entry 8:
C2(rw)->clear cos settings 8 priority
Syntax
show cos settings [cos-list]
Parameters
cos-list    (Optional) Specifies a Class of Service entry to display.
Defaults
If not specified, all CoS entries will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to show all CoS settings:
C2(su)->show cos settings
CoS Index Priority   ToS     IRL     flood-ctrl
--------- ---------- ------- ------- ----------
0         0          48      *       enabled
1         1          *       *       enabled
2         2          *       *       enabled
3         3          *       *       enabled
4         4          *       *       enabled
5         5          *       *       enabled
6         6          *       *       enabled
7         7          *       *       enabled
Syntax
set cos port-config {irl|flood-ctrl} group-type-index [name name] [ports portlist] [append] | [clear]
Parameters
irl                 Specifies that this is an inbound rate limiting (IRL) port group.
flood-ctrl          Specifies that this is a flood control port group.
group-type-index    Specifies an inbound rate limiting port group/type index. Valid entries are in the form of group#.port-type. Valid values for group# can range from 0 to 7. Valid values for port-type can range from 0 to 1, although only port type 0 is currently supported. For example, port group 3 would be specified as 3.0.
name name           (Optional) User-defined name for the group.
ports portlist      (Optional) Ports assigned to the group. All ports must be of the same port type (Fast Ethernet, Gigabit Ethernet).
append              (Optional) Append (add) the ports to the ports that are already in the group.
clear               (Optional) Clear the given ports from those assigned to the group.
Defaults
None.
Mode
Switch command, read-write.
Usage
CoS port groups are identified by group number and the type of ports in the group, in the form of group#.port-type. The port group 0.0 exists by default. This default port group cannot be removed and all physical ports in the system are assigned to it. Up to seven additional port groups (1 through 7) can be configured. Currently, only one port type (type 0) is supported. This port type supports 100 limiters.
Additional port groups may be created for flexibility. Ports assigned to a new port group must be mutually exclusive from the other port group entries (ports are automatically removed from the default port group) and must be comprised of the same port type as defined by the port group.
The creation of additional port groups could be used to combine similar ports by their function for flexibility. For instance, ports associated to users can be added to a port group called Users and ports associated to uplink ports can be added to a port group called Uplink. Using these port groups, a single class of service can assign different rate limits to each port group. User ports can be assigned one rate limit, while Uplink ports can be assigned another.
The command show cos port-config displays each port group configured by group and type, with the group name and associated (assigned) ports. The command show cos port-type displays the available inbound rate limiting resources for the port type.
Example
This example configures two port groups, one for user ports and one for uplink ports, and assigns ports to the groups. Port group 1.0 will represent user ports, group 2.0 will represent uplink ports.
C2(su)->set cos port-config irl 1.0 name Users ports ge.1.1-46
C2(su)->set cos port-config irl 2.0 name Uplink ports ge.1.47-48
Syntax
show cos port-config [irl|flood-ctrl [group-type-index]]
Parameters
irl                 (Optional) Specifies that inbound rate limiting configuration information should be displayed.
flood-ctrl          (Optional) Specifies that flood control rate configuration information should be displayed.
group-type-index    (Optional) Show assigned ports for a specific port group. Valid entries are in the form of group#.port-type. Valid values for group# can range from 0 to 7. Valid values for port-type can range from 0 to 1, although only port type 0 is currently supported. For example, port group 3 would be specified as 3.0.
Defaults
The show cos port-config command by itself will show all Port Groups.
Mode
Switch command, read-only.
Example
This example shows all inbound rate limiting port groups. Note that ports ge.1.1 through ge.1.48 were removed from the default port group 0.0 when they were added to port groups 1.0 and 2.0.
C2(su)->show cos port-config irl
Inbound Rate Limiting Port Configuration Entries
----------------------------------------------------------------------
Port Group Name :Default
Port Group      :0
Port Type       :0
Assigned Ports  :none
----------------------------------------------------------------------
Port Group Name :Users
Port Group      :1
Port Type       :0
Assigned Ports  :ge.1.1-46
----------------------------------------------------------------------
Port Group Name :Uplink
Port Group      :2
Port Type       :0
Assigned Ports  :ge.1.47-48
----------------------------------------------------------------------
Syntax
clear cos port-config {irl|flood-ctrl} {all | group-type-index [entry] | [name] [ports]}
Parameters
irl                 Clear an IRL port group configuration.
flood-ctrl          Clear a flood control port group configuration.
all                 Clear all inbound rate limiting port config non-default entries.
group-type-index    Delete a specific port group or group name, or clear the ports from that group. Valid entries are in the form of group#.port-type. Valid values for group# can range from 0 to 7. Valid values for port-type can range from 0 to 1, although only port type 0 is currently supported. For example, port group 3 would be specified as 3.0.
entry               Delete this non-default inbound rate limiter entry.
name                Clear the administratively assigned textual description of this port group entry to its default.
ports               Clear the ports assigned to this group to its default.
Defaults
None.
Mode
Switch command, read-write.
Usage
The default port group 0.0 cannot be deleted.
Example
This example deletes all IRL Port Groups except for the Default group 0.0:
C2(su)->clear cos port-config irl all
Syntax
set cos port-resource irl group-type-index irl-index {[unit {kbps}] [rate rate] [type {drop}]}[syslog enable | disable] [trap enable|disable]
Parameters
group-type-index          Specifies an inbound rate limiting port group/type index. Valid entries are in the form of group#.port-type. Valid values for group# can range from 0 to 7. Valid values for port-type can range from 0 to 1, although only port type 0 is currently supported. For example, port group 3 would be specified as 3.0.
irl-index                 Index number of the inbound rate limiter resource associated with this entry. Valid values range from 0 to 99.
unit                      Unit of measure for the inbound rate limiter (only option is Kbps).
kbps                      Kilobits per second.
rate rate                 Data rate for this inbound rate limiter. This is the actual rate limit. Valid values range from 512 to 1,000,000 Kbps for a Gigabit port.
type drop                 Action for the rate limiter. The only action option is drop the frame if all limiters are exceeded.
syslog enable | disable   Enable or disable reporting a syslog entry if limiters are exceeded.
trap enable | disable     Enable or disable sending a trap if limiters are exceeded.
Defaults
None.
Mode
Switch command, read-write.
Usage
CoS port resources are where actual physical rate limiters are configured. Resources map directly to the number of rate limiters supported by the port type. (Port type 0 supports 100 IRL resources.) Resources exist for each port group and are indexed as group#.port-type.irl-index. Port resources are not initially configured as rate limiting.
Inbound rate limiting, or rate policing, simply drops or clips traffic inbound if a configured rate is exceeded. CoS inbound rate limiting allows the user to configure rate limits based on kilobits per second.
The show cos port-resource command displays the resources available for each port group. By default, no IRL resources are configured. The default Rate Limiting algorithm is drop and cannot be configured otherwise.
Example
This example sets the inbound rate limit resource index number 1 for port group 2.0 to 10000 Kbps or 1 MB:
C2(su)->set cos port-resource irl 2.0 1 unit kbps rate 10000 type drop
Syntax
set cos port-resource flood-ctrl group-type-index {unicast | multicast | broadcast | all} rate rate
Parameters
group-type-index    Specifies a port group/type index. Valid entries are in the form of group#.port-type. Valid values for group# can range from 0 to 7. Valid values for port-type can range from 0 to 1, although only port type 0 is currently supported. For example, port group 3 would be specified as 3.0.
unicast             Specifies rate limiting will be applied to unknown unicast traffic.
multicast           Specifies rate limiting will be applied to multicast traffic.
broadcast           Specifies rate limiting will be applied to broadcast traffic.
all                 Specifies rate limiting will be applied to unknown unicast, multicast, and broadcast traffic.
rate rate           Specifies a rate limit in packets per second.
Defaults
None.
Mode
Switch command, read-write.
Usage
CoS port resources are where actual physical rate limiters are configured. This command can be used to create up to three different flood control limit resources for the port-type index of 0. The resources are assigned to specific ports with the set cos port-config command.
Example
This example creates a port resource broadcast rate limiter of 5 packets per second for the port group type index of 1.0 (group# 1 of port-type index 0).
C2(su)->set cos port-resource flood-ctrl 1.0 broadcast rate 5
Syntax
show cos port-resource [irl [group-type-index [irl-index]]] | [flood-ctrl [group-type-index]]
Parameters
irl                 (Optional) Specifies that inbound rate limiting port resources should be displayed.
flood-ctrl          (Optional) Specifies that flood control port resources should be displayed.
group-type-index    (Optional) Specifies a port group/type index. Valid entries are in the form of group#.port-type. Valid values for group# can range from 0 to 7. Valid values for port-type can range from 0 to 1, although only port type 0 is currently supported. For example, port group 3 would be specified as 3.0.
irl-index           (Optional) Inbound rate limiter resource index configured for the specified port group. Valid values range from 0 to 99.
Defaults
If irl or flood-ctrl are not specified, all port resources are shown.
If a port group and IRL index are not specified, the IRL configuration for all resources (0-99) for all configured port groups will be shown.
If a port group is not specified with the flood-ctrl parameter, flood control resources for all configured port groups will be shown.
Mode
Switch command, read-only.
Examples
This example displays the IRL resource index number 1 configuration for group 2.0.
C2(su)->show cos port-resource irl 2.0 1
'?' after the rate value indicates an invalid rate value
Group Index Resource Type Unit Rate Rate Limit Type Action
This example displays the flood control resources configured for group 0.0.
C2(su)->show cos port-resource flood-ctrl 0.0
'?' after the rate value indicates an invalid rate value
Group Index Resource Type       Unit Rate       Rate Limit type Action
----------- -------- ---------- ---- ---------- --------------- ------
0.0         ucast    flood-ctrl pps  disable    drop            none
0.0         mcast    flood-ctrl pps  disable    drop            none
0.0         bcast    flood-ctrl pps  disable    drop            none
Syntax
clear cos port-resource irl {all | group-type-index [irl-index [unit] [rate] [type]]}
Parameters
all                 Clear all IRL resources for all port groups.
group-type-index    Specifies an inbound rate limiting port group/type index. Valid entries are in the form of group#.port-type. Valid values for group# can range from 0 to 7. Valid values for port-type can range from 0 to 1, although only port type 0 is currently supported. For example, port group 3 would be specified as 3.0.
irl-index           (Optional) Inbound rate limiter resource index associated with the specified port group. Valid values range from 0 to 99.
unit                Clear the unit of measure for the inbound rate limiter.
rate                Clear the data rate for this inbound rate limiter.
type                Clear the action for the rate limiter.
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears the data rate to 0 for IRL resource index 1 for group 2.0.
C2(su)->clear cos port-resource irl 2.0 1 rate
Syntax
clear cos port-resource flood-ctrl {all | group-type-index {unicast | multicast | broadcast | all [rate]}}
Parameters
all                 Clear all flood control resources for all port groups.
group-type-index    Specifies a port group/type index. Valid entries are in the form of group#.port-type. Valid values for group# can range from 0 to 7. Valid values for port-type can range from 0 to 1, although only port type 0 is currently supported. For example, port group 3 would be specified as 3.0.
unicast             Clear unicast port resources for the specified port group.
multicast           Clear multicast port resources for the specified port group.
broadcast           Clear broadcast port resources for the specified port group.
all                 Clear all flood control port resources for the specified port group.
rate                (Optional) Clear the data rate limiter of the specified type of port resource to the default (none or disabled).
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears the unicast port resource for port group 1.0 to default values.
C2(su)->clear cos port-resource flood-ctrl 1.0 unicast
Syntax
set cos reference irl group-type-index reference rate-limit irl-index
Parameters
irl                     Specifies that an IRL reference is being configured.
group-type-index        Specifies an inbound rate limiting port group/type index. Valid entries are in the form of group#.port-type. Valid values for group# can range from 0 to 7. Valid values for port-type can range from 0 to 1, although only port type 0 is currently supported. For example, port group 3 would be specified as 3.0.
reference               IRL reference number associated with this entry.
rate-limit irl-index    Rate limiter (IRL resource index) to bind this reference to. Valid values range from 0 to 99.
Defaults
None.
Mode
Switch command, read-write.
Usage
The CoS reference table maps the user-defined IRL references found in the CoS settings table (see "set cos settings" on page 11-22) to rate limiters created in the port resource table (see "set cos port-resource irl" on page 11-27). The CoS reference table indexes can be thought of as virtual rate limiters. The table accounts for the maximum number of rate limiters supported by the device. The virtual limiters then map to the physical rate limiters. The CoS IRL Reference Table is not configured by default.
The CoS IRL reference table uses 100 indexes or virtual rate limiters, and maps each virtual limiter to a physical limiter or resource. An IRL reference table exists for each port group configured, and is indexed similarly to port resources, as port group#, port-type, reference. IRL references are not populated with limiters (resources), but can be configured by the user. The IRL reference table can be displayed using the show cos reference command.
Example
In the CoS IRL reference mapping table for port groups 1.0 and 2.0, create a reference for the IRL resource number 1 created for each group. The reference number 1 is used.
C2(su)->set cos reference irl 1.0 1 rate-limit 1
C2(su)->set cos reference irl 2.0 1 rate-limit 1
Syntax
show cos reference [irl [group-type-index]]
Parameters
irl                 (Optional) Specifies that inbound rate limiting reference information should be displayed.
group-type-index    (Optional) Specifies an inbound rate limiting port group/type index. Valid entries are in the form of group#.port-type. Valid values for group# can range from 0 to 7. Valid values for port-type can range from 0 to 1, although only port type 0 is currently supported. For example, port group 3 would be specified as 3.0.
Defaults
If irl is not specified, all CoS reference information is displayed.
If a specific port group is not specified, information for all port groups is displayed.
Mode
Switch command, read-only.
Example
This example shows the Class of Service IRL references for port group 1.0. Note that not all of the 100 possible references are displayed in this output example.
C2(su)->show cos reference irl 1.0
Group Index Reference Type Rate Limiter
----------- --------- ---- ------------
1.0         0         irl  none
1.0         1         irl  1
1.0         2         irl  none
1.0         3         irl  none
...
1.0         97        irl  none
1.0         98        irl  none
1.0         99        irl  none
Syntax
clear cos reference irl {all | group-type-index reference}
Parameters
irl                           Specifies that IRL references are being cleared.
all                           Clear all groups indexes and references.
group-type-index reference    Clear a specific reference for the specified port group.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the CoS inbound rate limiting reference configuration for all groups:
C2(su)->clear cos reference irl all
Syntax
show cos unit [irl [port-type index] [kbps]] [flood-ctrl [port-type index] [pps]]
Parameters
irl                 (Optional) Display only IRL unit information.
port-type index     (Optional) Display information about the specified port type. (Only port-type index 0 is supported.)
kbps                (Optional) Display kbps information.
flood-ctrl          (Optional) Display only flood control unit information.
pps                 (Optional) Display pps information.
Defaults
If no parameters are entered, all CoS unit information is displayed.
Mode
Switch command, read-only.
Examples
This example shows possible unit entries for inbound rate limiting:
C2(su)->show cos unit irl
Type: irl = inbound rate limiting
Unit: Kbps = Kilobits per second
Type Unit Granularity
---- ---- -----------
irl  Kbps 1
This example shows flood control unit information.
C2(su)->show cos unit flood-ctrl
Type: flood-ctrl = flood control type
Unit: pps = packets per second
Port Type   Type        Unit Maximum Rate Minimum Rate Granularity
----------- ----------- ---- ------------ ------------ -----------
0           flood-ctrl  pps  148810       0            1
Syntax
clear cos all-entries
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the CoS configuration for all entries except entries 0-7:
C2(su)->clear cos all-entries
Syntax
show cos port-type [irl [port-type]] [flood-ctrl [port-type]]
Parameters
irl           (Optional) Displays inbound rate limiting information.
flood-ctrl    (Optional) Displays flood control information.
port-type     (Optional) Displays information for a specific port type. (Only port type 0 is supported.)
Defaults
If no parameters are specified, inbound rate limiting and flood control information for all port types is displayed.
Mode
Switch command, read-only.
Usage
The C2 implementation provides one default port type (0) for designating available inbound rate limiting or flood control resources. Port type 0 includes all ports.
The port type 0 IRL description is "C2 100 IRL", which indicates that this port type provides a maximum of 100 inbound rate limiting resources per port group. The port type 0 flood control description is "C2 3 flood-ctrl", which indicates that this port type provides a maximum of 3 flood control resources per port group.
Examples
This example shows inbound rate limiting information for port type 0.
C2(su)->show cos port-type irl 0
Number of resources:             Supported rate types:
irl = inbound rate limiter(s)    Kbps = kilobits per second
      Port type     Number of  Supported  Eligible   Unselected
Index description   limiters   rate type  ports      ports
----- ------------  ---------  ---------  ---------  ----------
0     C2 100 IRL    100        kbps       ge.1.1-48  ge.1.1-4
This example shows flood control information for port type 0.
C2(su)->show cos port-type flood-ctrl 0
Number of resources:               Supported rate types:
flood-ctrl = flood control type    Pps = Packets per second
      Port type        Number of  Supported  Eligible   Unselected
Index description      limiters   rate type  ports      ports
----- ---------------  ---------  ---------  ---------  ----------
0     C2 3 flood-ctrl  3          pps        ge.1.1-24  ge.1.1-24
12
Port Priority and Rate Limiting Configuration
This chapter describes the Port Priority and Rate Limiting set of commands and how to use them.
For information about...                          Refer to page...
Port Priority Configuration Summary               12-1
Configuring Port Priority                         12-1
Configuring Priority to Transmit Queue Mapping    12-4
Configuring Quality of Service (QoS)              12-6
Configuring Port Traffic Rate Limiting            12-10
Display the current traffic class mapping-to-priority of each port.
Set each port to transmit frames according to 802.1D (802.1p) priority set in the frame header.
Commands
For information about...    Refer to page...
show port priority          12-4
set port priority           12-2
clear port priority         12-3
Syntax
show port priority [port-string]
Parameters
port-string    (Optional) Displays priority information for a specific port. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, priority for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the port priority for the ge.2.1 through 5.
C2(su)->show port priority ge.2.1-5
ge.2.1 is set to 0
ge.2.2 is set to 0
ge.2.3 is set to 0
ge.2.4 is set to 0
ge.2.5 is set to 0
Syntax
set port priority port-string priority
Parameters
port-string    Specifies the port for which to set priority. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
priority       Specifies a value of 0 to 7 to set the CoS priority for the port entered in the port-string. Priority value of 0 is the lowest priority.
Defaults
None.
Mode
Switch command, read-write.
Usage
The set port priority command will not change the 802.1p priority tag on tagged traffic with a default priority tag. The command only has an effect on how untagged traffic will be prioritized as it passes internally through the device.
Example
This example shows how to set a default priority of 6 on ge.1.3. Frames received by this port without priority information in their frame header are set to the default setting of 6:
C2(su)->set port priority ge.1.3 6
Syntax
clear port priority port-string
Parameters
port-string    Specifies the port for which to clear priority. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset ge.1.11 to the default priority:
C2(rw)->clear port priority ge.1.11
Commands
For information about...     Refer to page...
show port priority-queue     12-4
set port priority-queue      12-5
clear port priority-queue    12-6
Syntax
show port priority-queue [port-string]
Parameters
port-string    (Optional) Displays the mapping of priorities to transmit queues for one or more ports.
Defaults
If port-string is not specified, priority queue information for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display priority queue information for ge.1.1. In this case, frames with a priority of 0 are associated with transmit queue 1; frames with 1 or 2 priority are associated with transmit queue 0; and so forth:
C2(su)->show port priority-queue ge.1.1
Port      P0 P1 P2 P3 P4 P5 P6 P7
--------- -- -- -- -- -- -- -- --
ge.1.1    1  0  0  2  3  4  5  5
Syntax
set port priority-queue port-string priority queue
Parameters
port-string    Specifies the port(s) for which to set priority to queue mappings. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
priority       Specifies a value of 0 through 7 (0 is the lowest level) that determines what priority frames will be transmitted on the transmit queue entered in this command.
queue          Specifies a value of 0 through 5 (0 is the lowest level) that determines the queue on which to transmit the frames with the port priority entered in this command.
Note: Although there are 8 queues, only queues 0 through 5 may be configured. Queues 6 and 7 are reserved for management traffic.
Defaults
None.
Mode
Switch command, read-write.
Usage
Priority to transmit queue mapping on an individual port basis can only be configured on Gigabit Ethernet ports (ge.x.x). On switches that provide Fast Ethernet ports, when you use the set port priority-queue command to configure a Fast Ethernet port (fe.x.x), the mapping values are applied globally to all Fast Ethernet ports on the system.
Example
This example shows how to set priority 5 frames received on ge.2.12 to transmit on queue 0.
C2(su)->set port priority-queue ge.2.12 5 0
Syntax
clear port priority-queue port-string
Parameters
port-string    Specifies the port for which to clear priority to queue mappings. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the priority queue settings on ge.2.12:
C2(su)->clear port priority-queue ge.2.12
Commands
For information about...    Refer to page...
show port txq               12-6
set port txq                12-7
clear port txq              12-8
Syntax
show port txq [port-string]
Parameters
port-string    (Optional) Specifies port(s) for which to display QoS settings. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2. Only physical ports will be displayed. LAG ports have no transmit queue information.
Defaults
If the port-string is not specified, the QoS setting of all physical ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the current algorithm and transmit queue weights configured on port ge.1.10:
C2(su)->show port txq ge.1.10
Port    Alg Q0  Q1  Q2  Q3  Q4  Q5  Q6  Q7
------- --- --- --- --- --- --- --- --- ---
ge.1.10 WRR 10  10  15  20  25  20
Syntax
set port txq port-string value0 value1 value2 value3 value4 value5 value6 value7
Parameters
port-string        Specifies port(s) on which to set queue arbitration values. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2. Only physical ports can be configured with this command. LAG ports cannot be configured.
value0 - value7    Specifies percentage to allocate to a specific transmit queue. The values must total 100 percent.
Defaults
None.
Mode
Switch command, read-write.
Usage
Queues can be set for strict priority (SP) or weighted round-robin (WRR). If set for WRR mode, weights may be assigned to those queues with this command. Weights are specified in the range of 0 to 100 percent. Weights specified for queues 0 through 7 on any port must total 100 percent.
Examples
This example shows how to change the arbitration values for the eight transmit queues belonging to ge.1.1:
C2(su)->set port txq ge.1.1 10 10 10 10 10 10 10 30
This example shows how to change the algorithm to strict priority for the eight transmit queues belonging to ge.1.1:
C2(su)->set port txq ge.1.1 0 0 0 0 0 0 0 100
C2(su)->show port txq ge.1.1
Port    Alg Q0  Q1  Q2  Q3  Q4  Q5  Q6  Q7
------- --- --- --- --- --- --- --- --- ---
ge.1.1  STR SP  SP  SP  SP  SP  SP  SP  SP
Syntax
clear port txq port-string
Parameters
port-string    Clears transmit queue values on specific port(s) back to their default values. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2. Only physical ports can be configured with this command. LAG ports cannot be configured.
Defaults
By default, transmit queues are defined as follows:
Queue  Mode  Weight
0      WRR   1
1      WRR   2
2      WRR   3
3      WRR   4
4      WRR   5
5      WRR   6
6      WRR   7
7      WRR   8
Mode
Switch command, read-write.
Example
This example shows how to clear transmit queue values on ge.1.1:
C2(su)->clear port txq ge.1.1
Commands
The commands to configure traffic rate limiting are listed below.
For information about...    Refer to page...
show port ratelimit         12-10
set port ratelimit          12-12
clear port ratelimit        12-13
Syntax
show port ratelimit [port-string]
Parameters
port-string    (Optional) Displays rate limiting information for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, rate limiting information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display the current rate limiting information for fe.2.1:
C2(su)->show port ratelimit fe.2.1
Global Ratelimiting status is disabled.
Port Number Index Threshold (kB/s) Priority List
----------- ----- ---------------- -------------
fe.2.1      1     64               0
fe.2.1      2     64               0
fe.2.1      3     64               0
fe.2.1      4     64               0
fe.2.1      5     64               0
fe.2.1      6     64               0
fe.2.1      7     64               0
fe.2.1      8     64               0
Syntax
set port ratelimit {disable | enable} | port-string priority threshold {disable | enable} [inbound] [index]
Parameters
disable | enable    When entered without a port-string, globally disables or enables the port rate limiting function. When entered with a port-string, disables or enables rate limiting on specific port(s) when the global function is enabled.
port-string         Specifies a port on which to set the rate limiting threshold and other parameters. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
priority            Specifies the 802.1D (802.1p) port priority level associated with the port-string. The value can be 0 to 7, with 0 specifying the lowest priority.
threshold           Specifies a port rate limiting threshold in kilobytes per second. Range is 64 up to a maximum of 2,147,483,647 kilobytes per second.
inbound             (Optional) Applies this rate policing rule to inbound traffic.
index               (Optional) Assigns a resource index for this port.
Defaults
Threshold will be applied to inbound traffic on the port/priority.
If index is not specified, settings will be applied to index 1, and will overwrite index 1 for any subsequent rate limits configured.
Mode
Switch command, read-write.
Example
This example shows how to globally enable rate limiting and configure rate limiting for inbound traffic on port fe.2.1, index 1, priority 5, to a threshold of 125 KBps:
C2(rw)->set port ratelimit enable
C2(rw)->set port ratelimit fe.2.1 5 125 enable inbound
Syntax
clear port ratelimit port-string [index]
Parameters
port-string    Specifies the port(s) on which to clear rate limiting. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
index          (Optional) Specifies the associated resource index to be reset.
Defaults
If not specified, all index entries will be reset.
Mode
Switch command, read-write.
Example
This example shows how to clear all rate limiting parameters on port fe.2.1.
C2(su)->clear port ratelimit fe.2.1
13
IGMP Configuration
This chapter describes the IGMP Configuration set of commands and how to use them.
For information about...
IGMP Overview
Configuring IGMP at Layer 2
Configuring IGMP on Routing Interfaces
IGMP Overview
About IP Multicast Group Management
The Internet Group Management Protocol (IGMP) runs between hosts and their immediately neighboring multicast device. The protocol's mechanisms allow a host to inform its local device that it wants to receive transmissions addressed to a specific multicast group.
A multicast-enabled device can periodically ask its hosts if they want to receive multicast traffic. If there is more than one device on the LAN performing IP multicasting, one of these devices is elected querier and assumes the responsibility of querying the LAN for group members.
Based on the group membership information learned from IGMP, a device can determine which (if any) multicast traffic needs to be forwarded to each of its ports. At Layer 3, multicast devices use this information, along with a multicast routing protocol, to support IP multicasting across an IP network.
IGMP provides the final step in an IP multicast packet delivery service, since it is only concerned with forwarding multicast traffic from the local device to group members on a directly attached subnetwork or LAN segment.
This device supports IP multicast group management by passively snooping on the IGMP query and IGMP report packets transferred between IP multicast devices and IP multicast host groups to learn IP multicast group members.
The purpose of IP multicast group management is to optimize a switched network's performance so multicast packets will only be forwarded to those ports containing multicast group hosts or multicast devices instead of flooding to all ports in the subnet (VLAN).
In addition to passively monitoring IGMP query and report messages, the SecureStack C2 can also actively send L3 IGMP query messages to learn locations of multicast devices and member hosts in multicast groups within each VLAN.
However, note that IGMP neither alters nor routes any IP multicast packets. Since IGMP is not concerned with the delivery of IP multicast packets across subnetworks, multicast routing is needed if IP multicast packets have to be routed across different subnetworks.
About Multicasting
Multicasting is used to support real-time applications such as video conferences or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router. Although this approach reduces the network overhead required by a multicast server, the broadcast traffic must be carefully pruned at every multicast switch/router it passes through to ensure that traffic is only passed to the hosts that subscribed to this service.
The SecureStack C2 switch device uses IGMP (Internet Group Management Protocol) to query for any attached hosts who want to receive a specific multicast service. The device looks up the IP Multicast Group used for this service and adds it to the egress list of the Level 3 interface. It then propagates the service request on to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
Commands
For information about...
show igmpsnooping
set igmpsnooping adminmode
set igmpsnooping interfacemode
set igmpsnooping groupmembershipinterval
set igmpsnooping maxresponse
set igmpsnooping mcrtrexpiretime
set igmpsnooping add-static
set igmpsnooping remove-static
show igmpsnooping static
show igmpsnooping mfdb
clear igmpsnooping
show igmpsnooping
Use this command to display IGMP snooping information.
Syntax
show igmpsnooping
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
Configured information is displayed whether or not IGMP snooping is enabled. Status information is displayed only when the function is enabled. For information on enabling IGMP on the system, refer to "set igmpsnooping adminmode" on page 13-3. For information on enabling IGMP on one or more ports, refer to "set igmpsnooping interfacemode" on page 13-4.
Example
This example shows how to display IGMP snooping information:
C2(su)->show igmpsnooping
Admin Mode..................................... Enable
Group Membership Interval...................... 260
Max Response Time.............................. 100
Multicast Router Present Expiration Time....... 0
Interfaces Enabled for IGMP Snooping........... ge.1.1,ge.1.2,ge.1.3
Multicast Control Frame Count.................. 0
Data Frames Forwarded by the CPU............... 0
Syntax
set igmpsnooping adminmode {enable | disable}
Parameters
enable | disable    Enables or disables IGMP snooping on the system.
Defaults
None.
Mode
Switch command, read-write.
Usage
In order for IGMP snooping to be enabled on one or all ports, it must be globally enabled on the device with this command, and then enabled on a port(s) using the set igmpsnooping interfacemode command as described in "set igmpsnooping interfacemode" on page 13-4.
Example
This example shows how to enable IGMP on the system:
C2(su)->set igmpsnooping adminmode enable
Syntax
set igmpsnooping interfacemode port-string {enable | disable}
Parameters
port-string         Specifies one or more ports on which to enable or disable IGMP.
enable | disable    Enables or disables IGMP.
Defaults
None.
Mode
Switch command, read-write.
Usage
In order for IGMP snooping to be enabled on one or all ports, it must be globally enabled on the device using the set igmpsnooping adminmode command as described in "set igmpsnooping adminmode" on page 13-3, and then enabled on a port(s) using this command.
Example
This example shows how to enable IGMP on port ge.1.10:
C2(su)->set igmpsnooping interfacemode ge.1.10 enable
Syntax
set igmpsnooping groupmembershipinterval time
Parameters
time    Specifies the IGMP group membership interval. Valid values are 2-3600 seconds. This value works together with the set igmpsnooping maxresponse time command to remove ports from an IGMP group and must be greater than the max response time value.
Defaults
None.
Mode
Switch command, read-write.
Usage
The IGMP group membership interval time sets the frequency of host-query frame transmissions and must be greater than the IGMP maximum response time as described in "set igmpsnooping maxresponse" on page 13-5.
Example
This example shows how to set the IGMP group membership interval to 250 seconds:
C2(su)->set igmpsnooping groupmembershipinterval 250
Syntax
set igmpsnooping maxresponse time
Parameters
time    Specifies the IGMP maximum query response time. Valid values are 100-255 seconds. The default value is 100 seconds. This value works together with the set igmpsnooping groupmembershipinterval command to remove ports from an IGMP group and must be lesser than the group membership interval value.
Defaults
None.
Mode
Switch command, read-write.
Usage
This value must be less than the IGMP maximum response time described in "set igmpsnooping groupmembershipinterval" on page 13-4.
Example
This example shows how to set the IGMP maximum response time to 100 seconds:
C2(su)->set igmpsnooping maxresponse 100
Syntax
set igmpsnooping mcrtrexpire time
Parameters
time    Specifies the IGMP multicast router expiration time. Valid values are 0-3600 seconds. A value of 0 will configure the system with an infinite expiration time. The default value is 0.
Defaults
None.
Mode
Switch command, read-write.
Usage
This timer is for expiring the switch from the multicast database. If the timer expires, and the only address left is the multicast switch, then the entry will be removed.
Example
This example shows how to set the IGMP multicast router expiration time to infinity:
C2(su)->set igmpsnooping mcrtrexpiretime 0
Syntax
set igmpsnooping add-static group vlan-list [modify] [port-string]
Parameters
group          Specifies the multicast group IP address for the entry.
vlan-list      Specifies the VLANs on which to configure the entry.
modify         (Optional) Adds the specified port or ports to an existing entry.
port-string    (Optional) Specifies the port or ports to add to the entry.
Defaults
If no ports are specified, all ports are added to the entry.
If modify is not specified, a new entry is created.
Mode
Switch command, read-write.
Usage
Use this command to create and configure Layer 2 IGMP entries.
Example
This example creates an IGMP entry for the multicast group with IP address of 233.11.22.33 configured on VLAN 20 configured with the port ge.1.1.
C2(su)->set igmpsnooping add-static 233.11.22.33 20 ge.1.1
Syntax
set igmpsnooping remove-static group vlan-list [modify] [port-string]
Parameters
group          Specifies the multicast group IP address of the entry.
vlan-list      Specifies the VLANs on which the entry is configured.
modify         (Optional) Removes the specified port or ports from an existing entry.
port-string    (Optional) Specifies the port or ports to remove from the entry.
Defaults
If no ports are specified, all ports are removed from the entry.
Mode
Switch command, read-write.
Example
This example removes port ge.1.1 from the entry for the multicast group with IP address of 233.11.22.33 configured on VLAN 20.
C2(su)->set igmpsnooping remove-static 233.11.22.33 20 ge.1.1
Syntax
show igmpsnooping static vlan-list [group group]
Parameters
vlan-list      Specifies the VLAN for which to display static IGMP ports.
group group    (Optional) Specifies the IGMP group for which to display static IGMP ports.
Defaults
If no group is specified, information for all groups is displayed.
Mode
Switch command, read-only.
Example
This example displays the static IGMP ports for VLAN 20.
C2(su)->show igmpsnooping static 20
--------------------------------------------------------------------------------
Vlan Id = 20  Static Multicast Group Address = 233.11.22.33  Type = IGMP
IGMP Port List = ge.1.1
Syntax
show igmpsnooping mfdb [stats]
Parameters
stats    (Optional) Displays MFDB statistics.
Defaults
If stats is not specified, all MFDB table entries will be displayed.
Mode
Switch command, read-only.
Examples
This example shows how to display multicast forwarding database entries:
C2(su)->show igmpsnooping mfdb
MAC Address              Type     Description      Interfaces
-----------------------  -------  ---------------  -------------------------
00:14:01:00:5E:02:CD:B0  Dynamic  Network Assist   Fwd: ge.1.1,ge.3.1,ge.4.1
00:32:01:00:5E:37:96:D0  Dynamic  Network Assist   Fwd: ge.4.7
00:32:01:00:5E:7F:FF:FA  Dynamic  Network Assist   Fwd: ge.4.7
This example shows how to display multicast forwarding database statistics:
C2(su)->show igmpsnooping mfdb stats
Max MFDB Table Entries......................... 256
Most MFDB Entries Since Last Reset............. 1
Current Entries................................ 0
clear igmpsnooping
Use this command to clear all IGMP snooping entries.
Syntax
clear igmpsnooping
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear all IGMP snooping entries:
C2(su)->clear igmpsnooping
Are you sure you want to clear all IGMP snooping entries? (y/n) y
IGMP Snooping Entries Cleared.
Purpose
To configure IGMP on routing interfaces.
Commands
For information about...
ip igmp
ip igmp enable
ip igmp version
show ip igmp interface
show ip igmp groups
ip igmp query-interval
ip igmp query-max-response-time
ip igmp startup-query-interval
ip igmp startup-query-count
ip igmp last-member-query-interval
ip igmp last-member-query-count
ip igmp robustness
ip igmp
Use this command to enable the L3 IGMP Querier functionality on the switch. The no form of this command disables IGMP Querier functionality.
Syntax
ip igmp
no ip igmp
Parameters
None.
Defaults
None.
Mode
Global configuration: C2(su)->router(Config)#
Usage
Enabling IGMP on a routing interface requires both the ip igmp command (page 13-10), which enables it on the router, and the ip igmp enable command (page 13-11), which enables it on an interface. Once these commands are executed, the device will start sending and processing IGMP multicast traffic. IGMP is disabled by default, both globally and on a per-interface basis.
Example
This example shows how to enable IGMP on the router:
C2(su)->router(Config)#ip igmp
ip igmp enable
Use this command to enable IGMP on an interface. The no form of this command disables IGMP on an interface.
Syntax
ip igmp enable
no ip igmp enable
Parameters
None.
Defaults
None.
Usage
Enabling IGMP on a routing interface requires both the ip igmp command (page 13-10), which enables it on the router, and the ip igmp enable command (page 13-11), which enables it on an interface. Once these commands are executed, the device will start sending and processing IGMP multicast traffic. IGMP is disabled by default, both globally and on a per-interface basis.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable IGMP on the VLAN 1 interface:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip igmp enable
ip igmp version
Use this command to set the version of IGMP running on the router. The no form of this command resets IGMP to the default version of 2 (IGMPv2).
Syntax
ip igmp version version
no ip igmp
Parameters
version    Specifies the IGMP version number to run on the router. Valid values are 1, 2, or 3.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the IGMP version to version 1 on VLAN 1:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip igmp version 1
Syntax
show ip igmp interface [vlan vlan-id]
Parameters
vlan vlan-id    (Optional) Displays information for one or more VLANs.
Defaults
If not specified, information will be displayed for all VLANs configured for IGMP routing.
Mode
Any router mode.
Example
This example shows how to display IGMP routing information for VLAN 1:
C2(su)->router#show ip igmp interface vlan 1
Vlan 1 is Admin UP
Vlan 1 is Oper UP
IGMP is configured via the Switch
IGMP ACL currently not supported
Multicast TTL currently defaults to 1
IGMP Version is 2
Query Interval is 125 (secs)
Query Max Response Time is 100 (1/10 of a second)
Robustness is 2
Startup Query Interval is 31 (secs)
Startup Query Count is 2
Last Member Query Interval is 10 (1/10 of a second)
Last Member Query Count is 2
Syntax
show ip igmp groups
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display information about IGMP groups:
C2(su)->router#show ip igmp groups
REGISTERED MULTICAST GROUP DETAILS
Multicast                                               Version1
IP Address       Last Reporter    Up Time  Expiry Time   Host Timer
---------------  ---------------  -------  ------------  ----------
228.1.1.1        12.12.12.2       27
ip igmp query-interval
Use this command to set the IGMP query interval on a routing interface. The no form of this command resets the IGMP query interval to the default value of 125 seconds.
Syntax
ip igmp query-interval time
no ip igmp query-interval
Parameters
time    Specifies the IGMP query interval. Valid values are from 1 to 3600 seconds. Default is 125 seconds.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the IGMP query interval to 1800 seconds on VLAN 1:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip igmp query-interval 1800
ip igmp query-max-response-time
Use this command to set the maximum response time interval advertised in IGMPv2 queries. The no form of this command resets the IGMP maximum response time to the default value of 100 (one tenth of a second).
Syntax
ip igmp query-max-response-time time
no ip igmp query-max-response-time
Parameters
time    Specifies the IGMP maximum response time interval. Valid values are from 0 to 255 tenths of a second. The default value is 100 (one tenth of a second).
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the IGMP query maximum response time interval to 200 (2 tenths of a second) on VLAN 1:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip igmp query-max-response-time 200
ip igmp startup-query-interval
Use this command to set the interval between general IGMP queries sent on startup. The no form of this command resets the IGMP startup query interval to the default value of 31 seconds.
Syntax
ip igmp startup-query-interval time
no ip igmp startup-query-interval
Parameters
time    Specifies the IGMP startup query interval. Valid values are from 1 to 300 seconds. The default value is 31 seconds.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the IGMP startup query interval to 100 seconds on VLAN 1:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip igmp startup-query-interval 100
ip igmp startup-query-count
Use this command to set the number of IGMP queries sent out on startup, separated by the startup-query-interval as described in ip igmp startup-query-interval (page 13-14). The no form of this command resets the IGMP startup query count to the default value of 2.
Syntax
ip igmp startup-query-count count
no ip igmp startup-query-count
Parameters
count    Specifies the number of IGMP startup queries. Valid values are from 1 to 20. The default value is 2.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the IGMP startup query count to 10 on VLAN 1:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip igmp startup-query-count 10
ip igmp last-member-query-interval
Use this command to set the maximum response time being inserted into group-specific queries sent in response to leave group messages. The no form of this command resets the IGMP last member query interval to the default value of 1 second.
Syntax
ip igmp last-member-query-interval time
no ip igmp last-member-query-interval
Parameters
time    Specifies the IGMP last member query interval. Valid values are from 0 to 255 seconds. The default value is 1 second.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the IGMP last member query interval to 10 seconds on VLAN 1:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip igmp last-member-query-interval 10
ip igmp last-member-query-count
Use this command to set the number of group-specific queries sent before assuming there are no local members. The no form of this command resets the IGMP last member query count to the default value of 2.
Syntax
ip igmp last-member-query-count count
no ip igmp last-member-query-count
Parameters
count    Specifies the number of IGMP startup queries. Valid values are from 1 to 20. The default value is 2.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the IGMP last member query count to 10 on VLAN 1:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip igmp last-member-query-count 10
ip igmp robustness
Use this command to configure the robustness tuning for expected packet loss on an IGMP routing interface. The no form of this command resets the IGMP robustness value to the default of 2.
Syntax
ip igmp robustness robustness
no ip igmp robustness
Parameters
robustness    Specifies the IGMP robustness value. Valid values are from 1 to 255. The default value is 2.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Usage
This value determines how many times IGMP messages will be sent. A higher number will mean that end stations will be more likely to see the packet. After the robustness value is reached, IGMP will assume there is no response to queries.
Example
This example shows how to set the IGMP robustness value to 5 on VLAN 1:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip igmp robustness 5
14
Logging and Network Management
This chapter describes switch-related logging and network management commands and how to use them.
Note: The commands in this chapter pertain to network management of the SecureStack C2 device from the switch CLI only. For information on router-related network management tasks, including reviewing router ARP tables and IP traffic, refer to Chapter 19.
For information about...
Configuring System Logging
Monitoring Network Events and Status
Managing Switch Network Addresses and Routes
Configuring Simple Network Time Protocol (SNTP)
Configuring Node Aliases
Commands
For information about...
show logging server
set logging server
clear logging server
show logging default
set logging default
clear logging default
show logging application
set logging application
clear logging application
show logging local
set logging local
clear logging local
show logging buffer
Syntax
show logging server [index]
Parameters
index    (Optional) Displays Syslog information pertaining to a specific server table entry. Valid values are 1-8.
Defaults
If index is not specified, all Syslog server information will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display Syslog server configuration information:
C2(ro)->show logging server
   IP Address       Facility  Severity    Description  Port  Status
-------------------------------------------------------------------------
1  132.140.82.111   local4    warning(5)  default      514   enabled
2  132.140.90.84    local4    warning(5)  default      514   enabled
Syntax
set logging server index [ip-addr ip-addr] [facility facility] [severity severity] [descr descr] [port port] [state {enable | disable}]
Parameters
index                     Specifies the server table index number for this server. Valid values are 1-8.
ip-addr ip-addr           (Optional) Specifies the Syslog message server's IP address.
facility facility         (Optional) Specifies the server's facility name. Valid values are: local0 to local7.
severity severity         (Optional) Specifies the severity level at which the server will log messages. Valid values and corresponding levels are:
                          1 - emergencies (system is unusable)
                          2 - alerts (immediate action required)
                          3 - critical conditions
                          4 - error conditions
                          5 - warning conditions
                          6 - notifications (significant conditions)
                          7 - informational messages
                          8 - debugging messages
descr descr               (Optional) Specifies a textual string description of this facility/server.
port port                 (Optional) Specifies the default UDP port the client uses to send to the server.
state enable | disable    (Optional) Enables or disables this facility/server configuration.
Defaults
If ip-addr is not specified, an entry in the Syslog server table will be created with the specified index number and a message will display indicating that no IP address has been assigned.
If not specified, facility, severity and port will be set to defaults configured with the set logging default command ("set logging default" on page 14-5).
If state is not specified, the server will not be enabled or disabled.
Mode
Switch command, read-write.
Example
This command shows how to enable a Syslog server configuration for index 1, IP address 134.141.89.113, facility local4, severity level 3 on port 514:
C2(su)->set logging server 1 ip-addr 134.141.89.113 facility local4 severity 3 port 514 state enable
Syntax
clear logging server index
Parameters
index    Specifies the server table index number for the server to be removed. Valid values are 1-8.
Defaults
None.
Mode
Switch command, read-write.
Example
This command shows how to remove the Syslog server with index 1 from the server table:
C2(su)->clear logging server 1
Syntax
show logging default
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This command shows how to display the Syslog server default values. For an explanation of the command output, refer back to Table 14-1 on page 14-2.
C2(su)->show logging default
            Facility    Severity      Port
-----------------------------------------
Defaults:   local4      warning(5)    514
Syntax
set logging default {[facility facility] [severity severity] [port port]}
Parameters
facility facility    Specifies the default facility name. Valid values are: local0 to local7.
severity severity    Specifies the default logging severity level. Valid values and corresponding levels are:
                     1 - emergencies (system is unusable)
                     2 - alerts (immediate action required)
                     3 - critical conditions
                     4 - error conditions
                     5 - warning conditions
                     6 - notifications (significant conditions)
                     7 - informational messages
                     8 - debugging messages
port port            Specifies the default UDP port the client uses to send to the server.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the Syslog default facility name to local2 and the severity level to 4 (error logging):
C2(su)->set logging default facility local2 severity 4
Syntax
clear logging default {[facility] [severity] [port]}
Parameters
facility    (Optional) Resets the default facility name to local4.
severity    (Optional) Resets the default logging severity level to 6 (notifications of significant conditions).
port        (Optional) Resets the default UDP port the client uses to send to the server to 514.
Defaults
At least one optional parameter must be entered.
All three optional keywords must be entered to reset all logging values to defaults.
Mode
Switch command, read-write.
Example
This example shows how to reset the Syslog default severity level to 6:
C2(su)->clear logging default severity
Syntax
show logging application [mnemonic | all]
Parameters
mnemonic    (Optional) Displays severity level for one application configured for logging. Mnemonics will vary depending on the number and types of applications running on your system. Sample mnemonics and their corresponding applications are listed in Table 14-3 on page 14-8.
            Note: Mnemonic values are case sensitive and must be typed as they appear in Table 14-3.
all         (Optional) Displays severity level for all applications configured for logging.
Defaults
If no parameter is specified, information for all applications will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display system logging information pertaining to the SNMP application.
C2(ro)->show logging application SNMP
      Application   Current Severity Level
---------------------------------------------
90    SNMP          6
1(emergencies)   2(alerts)     3(critical)
4(errors)        5(warnings)   6(notifications)
7(information)   8(debugging)
Syntax
set logging application {[mnemonic | all]} [level level]
Parameters
mnemonic       Specifies a case sensitive mnemonic abbreviation of an application to be logged. This parameter will vary depending on the number and types of applications running on your system. To display a complete list, use the show logging application command as described in "show logging application" on page 14-6. Sample mnemonics and their corresponding applications are listed in Table 14-3 on page 14-8.
               Note: Mnemonic values are case sensitive and must be typed as they appear in Table 14-3.
all            Sets the logging severity level for all applications.
level level    (Optional) Specifies the severity level at which the server will log messages for applications. Valid values and corresponding levels are:
               1 - emergencies (system is unusable)
               2 - alerts (immediate action required)
               3 - critical conditions
               4 - error conditions
               5 - warning conditions
               6 - notifications (significant conditions)
               7 - informational messages
               8 - debugging messages
Table 14-3
Mnemonic
CLIWEB
SNMP
STP
Driver
System
Stacking
UPN
Router
Defaults
If level is not specified, none will be applied.
Mode
Switch command, read-write.
Example
This example shows how to set the severity level for SNMP to 4 so that error conditions will be logged for that application.
C2(rw)->set logging application SNMP level 4
Syntax
clear logging application {mnemonic | all}
Parameters
mnemonic    Resets the severity level for a specific application to 6. Valid mnemonic values and their corresponding applications are listed in Table 14-3 on page 14-8.
all         Resets the severity level for all applications to 6.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the logging severity level to 6 for SNMP.
C2(rw)->clear logging application SNMP
Syntax
show logging local
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the state of message logging. In this case, logging to the console is enabled and logging to a persistent file is disabled.
C2(su)->show logging local
Syslog Console Logging enabled
Syslog File Logging disabled
Syntax
set logging local console {enable | disable} file {enable | disable}
Parameters
console enable | disable    Enables or disables logging to the console.
file enable | disable       Enables or disables logging to a persistent file.
Defaults
None.
Mode
Switch command, read-write.
Example
This command shows how to enable logging to the console and disable logging to a persistent file:
C2(su)->set logging local console enable file disable
Syntax
clear logging local
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear local logging:
C2(su)->clear logging local
Syntax
show logging buffer
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows a portion of the information displayed with the show logging buffer command:
C2(su)->show logging buffer
<165>Sep 4 07:43:09 10.42.71.13 CLI[5]User:rw logged in from 10.2.1.122 (telnet)
<165>Sep 4 07:43:24 10.42.71.13 CLI[5]User: debug failed login from 10.4.1.100 (telnet)
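The buffer entries above can be triaged offline once collected. The following Python sketch is an added example, not part of the Enterasys guide: it parses entries in the format shown, decodes the leading priority value the way RFC 3164 defines it, and summarizes failed logins per source address and successful Telnet logins. The function names are hypothetical, and the entry layout is assumed from the two sample lines only.

```python
import re
from collections import Counter

# Constructed input: the two entries from the "show logging buffer" example above.
SAMPLE_BUFFER = """\
<165>Sep 4 07:43:09 10.42.71.13 CLI[5]User:rw logged in from 10.2.1.122 (telnet)
<165>Sep 4 07:43:24 10.42.71.13 CLI[5]User: debug failed login from 10.4.1.100 (telnet)
"""

# <PRI>timestamp reporting-host APP[n]message. The guide does not say what the
# bracketed number means, so it is captured as-is and not interpreted.
ENTRY_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<app>[A-Za-z]+)\[(?P<tag>\d+)\]"
    r"(?P<message>.*)$"
)

# Login messages as they appear in the sample (with or without a space after "User:").
LOGIN_RE = re.compile(
    r"User:\s*(?P<user>\S+)\s+(?P<result>logged in|failed login)"
    r"\s+from\s+(?P<source>\S+)\s+\((?P<transport>\w+)\)"
)


def decode_pri(pri):
    """Split a syslog PRI value into (facility name, severity code) per RFC 3164."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    name = f"local{facility - 16}" if 16 <= facility <= 23 else str(facility)
    return name, severity


def parse_entry(line):
    """Return a dict for one buffer entry, or None if the line is not an entry."""
    match = ENTRY_RE.match(line.strip())
    if match is None:
        return None
    try:
        facility, severity = decode_pri(int(match["pri"]))
    except ValueError:
        return None
    entry = {
        "facility": facility,
        "severity": severity,
        "timestamp": match["timestamp"],
        "host": match["host"],
        "app": match["app"],
        "message": match["message"].strip(),
    }
    login = LOGIN_RE.search(entry["message"])
    if login:
        entry.update(login.groupdict())
    return entry


def triage(buffer_text):
    """Summarize failed logins per source, successful Telnet logins, and unparsed lines."""
    failed = Counter()
    telnet_logins = []
    skipped = []
    for line in buffer_text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry is None:
            skipped.append(line)  # prompt echo, truncated entry, or unknown format
        elif entry.get("result") == "failed login":
            failed[entry["source"]] += 1
        elif entry.get("result") == "logged in" and entry["transport"] == "telnet":
            telnet_logins.append((entry["user"], entry["source"]))
    return {
        "failed_by_source": dict(failed),
        "telnet_logins": telnet_logins,
        "skipped": skipped,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_BUFFER))
```

The priority value 165 in both sample entries decodes to facility local4, which matches the default facility shown by show logging default.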
Commands
For information about...
history
show history
set history
ping
show users
disconnect
show netstat
history
Use this command to display the contents of the command history buffer. The command history buffer includes all the switch commands entered up to a maximum of 100, as specified in the set history command ("set history" on page 14-13).
Syntax
history
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the contents of the command history buffer. It shows there are five commands in the buffer:
C2(su)->history
1 hist
2 show gvrp
3 show vlan
4 show igmp
5 show ip address
show history
Use this command to display the size (in lines) of the history buffer.
Syntax
show history
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the size of the history buffer:
C2(su)->show history
History buffer size: 20
set history
Use this command to set the size of the history buffer.
Syntax
set history size [default]
Parameters
size       Specifies the size of the history buffer in lines. Valid values are 1 to 100.
default    (Optional) Makes this setting persistent for all future sessions.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the size of the command history buffer to 30 lines:
C2(su)->set history 30
ping
Use this command to send ICMP echo-request packets to another node on the network from the switch CLI.
Syntax
ping host
Parameters
host    Specifies the IP address of the device to which the ping will be sent.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example shows how to ping IP address 134.141.89.29. In this case, this host is alive:
C2(su)->ping 134.141.89.29
134.141.89.29 is alive
In this example, the host at IP address is not responding:
C2(su)->ping 134.141.89.255
no answer from 134.141.89.255
show users
Use this command to display information about the active console port or Telnet session(s) logged in to the switch.
Syntax
show users
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to use the show users command. In this output, there are two Telnet users logged in with Read-Write access privileges from IP addresses 134.141.192.119 and 134.141.192.18:
C2(su)->show users
  Session   User   Location
  --------  -----  --------------------------
* telnet    rw     134.141.192.119
  telnet    rw     134.141.192.18
disconnect
Use this command to close an active console port or Telnet session from the switch CLI.
Syntax
disconnect {ip-addr | console}
Parameters
ip-addr    Specifies the IP address of the Telnet session to be disconnected. This address is displayed in the output shown in "show users" on page 12-15.
console    Closes an active console port.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example shows how to close a Telnet session to host 134.141.192.119:
C2(su)->disconnect 134.141.192.119
This example shows how to close the current console session:
C2(su)->disconnect console
show netstat
Use this command to display network layer statistics.
Syntax
show netstat
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
The following example shows the output of this command.
C2(su)->show netstat
Prot  Local Address                  Foreign Address                State
----  -----------------------------  -----------------------------  -----------
TCP   127.0.0.1.2222                 0.0.0.0.*                      LISTEN
TCP   0.0.0.0.80                     0.0.0.0.*                      LISTEN
TCP   0.0.0.0.23                     0.0.0.0.*                      LISTEN
TCP   10.1.56.17.23                  134.141.99.104.47718           ESTABLISHED
UDP   0.0.0.0.17185                  0.0.0.0.*
UDP   127.0.0.1.49152                127.0.0.1.17185
UDP   0.0.0.0.161                    0.0.0.0.*
UDP   0.0.0.0.*                      0.0.0.0.*
UDP   0.0.0.0.514                    0.0.0.0.*
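The show netstat output also serves as a quick inventory of the management services the switch is offering. The following Python sketch is an added example, not part of the Enterasys guide: it parses the address.port notation used above and reports management services bound to all interfaces along with established sessions to them. The watch list of ports (Telnet 23, HTTP 80, SNMP 161) and the function names are this example's assumptions.

```python
# Constructed input: the rows of the "show netstat" example above, one socket per line.
SAMPLE_NETSTAT = """\
Prot  Local Address        Foreign Address        State
----  -------------------  ---------------------  -----------
TCP   127.0.0.1.2222       0.0.0.0.*              LISTEN
TCP   0.0.0.0.80           0.0.0.0.*              LISTEN
TCP   0.0.0.0.23           0.0.0.0.*              LISTEN
TCP   10.1.56.17.23        134.141.99.104.47718   ESTABLISHED
UDP   0.0.0.0.17185        0.0.0.0.*
UDP   127.0.0.1.49152      127.0.0.1.17185
UDP   0.0.0.0.161          0.0.0.0.*
UDP   0.0.0.0.*            0.0.0.0.*
UDP   0.0.0.0.514          0.0.0.0.*
"""

# Well-known port assignments; which services to watch is this example's choice.
MANAGEMENT_PORTS = {("TCP", 23): "Telnet", ("TCP", 80): "HTTP", ("UDP", 161): "SNMP"}


def split_endpoint(endpoint):
    """'10.1.56.17.23' -> ('10.1.56.17', 23); a '*' port becomes None."""
    address, _, port = endpoint.rpartition(".")
    return address, (None if port == "*" else int(port))


def parse_netstat(text):
    """Return one dict per TCP/UDP row; headers, separators and prompts are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        try:
            local = split_endpoint(fields[1])
            foreign = split_endpoint(fields[2])
        except ValueError:
            continue  # port field was neither a number nor '*'
        rows.append({
            "prot": fields[0],
            "local": local,
            "foreign": foreign,
            "state": fields[3] if len(fields) > 3 else "",  # UDP rows carry no state
        })
    return rows


def audit(rows):
    """List watched services bound to every interface and established sessions to them."""
    exposed = []
    sessions = []
    for row in rows:
        address, port = row["local"]
        service = MANAGEMENT_PORTS.get((row["prot"], port))
        if service is None:
            continue
        if row["state"] == "ESTABLISHED":
            sessions.append((service, row["foreign"][0]))
        elif address == "0.0.0.0" and row["foreign"][1] is None:
            exposed.append((row["prot"], port, service))
    return {"exposed": sorted(exposed), "sessions": sessions}


if __name__ == "__main__":
    print(audit(parse_netstat(SAMPLE_NETSTAT)))
```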
14-16
Commands
For information about...
show arp
set arp
clear arp
traceroute
show mac
show mac agetime
set mac agetime
clear mac agetime
set mac algorithm
show mac algorithm
clear mac algorithm
set mac multicast
clear mac address
show mac unreserved-flood
set mac unreserved-flood
show arp
Use this command to display the switch's ARP table.
Syntax
show arp
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the ARP table:
C2(su)->show arp
LINK LEVEL ARP TABLE
IP Address        Phys Address       Flags   Interface
-----------------------------------------------------
10.20.1.1         00-00-5e-00-01-1   S       host
134.142.21.194    00-00-5e-00-01-1   S       host
134.142.191.192   00-00-5e-00-01-1   S       host
134.142.192.18    00-00-5e-00-01-1   S       host
134.142.192.119   00-00-5e-00-01-1   S       host
-----------------------------------------------------
set arp
Use this command to add mapping entries to the switch's ARP table.
Syntax
set arp ip-address mac-address
Parameters
ip-address     Specifies the IP address to map to the MAC address and add to the ARP table.
mac-address    Specifies the MAC address to map to the IP address and add to the ARP table. The MAC address can be formatted as xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to map IP address 192.168.219.232 to MAC address 00-00-0c-40-0f-bc:
C2(su)->set arp 192.168.219.232 00-00-0c-40-0f-bc
clear arp
Use this command to delete a specific entry or all entries from the switch's ARP table.
Syntax
clear arp {ip-address | all}
Parameters
ip-address | all    Specifies the IP address in the ARP table to be cleared, or clears all ARP entries.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete entry 10.1.10.10 from the ARP table:
C2(su)->clear arp 10.1.10.10
traceroute
Use this command to display a hop-by-hop path through an IP network from the device to a specific destination host. Three UDP or ICMP probes will be transmitted for each hop between the source and the traceroute destination.
Syntax
traceroute [-w waittime] [-f first-ttl] [-m max-ttl] [-p port] [-q nqueries] [-r] [-d] [-n] [-v] host
Parameters
-w waittime     (Optional) Specifies time in seconds to wait for a response to a probe.
-f first-ttl    (Optional) Specifies the time to live (TTL) of the first outgoing probe packet.
-m max-ttl      (Optional) Specifies the maximum time to live (TTL) used in outgoing probe packets.
-p port         (Optional) Specifies the base UDP port number used in probes.
-q nqueries     (Optional) Specifies the number of probe inquiries.
-r              (Optional) Bypasses the normal host routing tables.
-d              (Optional) Sets the debug socket option.
-n              (Optional) Displays hop addresses numerically. (Supported in a future release.)
-v
host
Defaults
If not specified, waittime will be set to 5 seconds.
If not specified, first-ttl will be set to 1 second.
If not specified, max-ttl will be set to 30 seconds.
If not specified, port will be set to 33434.
If not specified, nqueries will be set to 3.
If -r is not specified, normal host routing tables will be used.
If -d is not specified, the debug socket option will not be used.
If -v is not specified, summary output will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to use traceroute to display a round trip path to host 192.167.252.17. In this case, hop 1 is the SecureStack C2 switch, hop 2 is 14.1.0.45, and hop 3 is back to the host IP address. Round trip times for each of the three UDP probes are displayed next to each hop:
C2(su)->traceroute 192.167.252.17
traceroute to 192.167.252.17 (192.167.252.17), 30 hops max, 40 byte packets
 1  matrix.enterasys.com (192.167.201.40)  20.000 ms  20.000 ms  20.000 ms
 2  14.1.0.45 (14.1.0.45)  40.000 ms  10.000 ms  20.000 ms
 3  192.167.252.17 (192.167.252.17)  50.000 ms  0.000 ms  20.000 ms
show mac
Use this command to display MAC addresses in the switch's filtering database. These are addresses learned on a port through the switching process.
Syntax
show mac [address mac-address] [fid fid] [port port-string] [type {other | learned | self | mgmt}]
Parameters
address mac-address                   (Optional) Displays a specific MAC address (if it is known by the device).
fid fid                               (Optional) Displays MAC addresses for a specific filter database identifier.
port port-string                      (Optional) Displays MAC addresses for specific port(s).
type other | learned | self | mgmt    (Optional) Displays information related to other, learned, self or mgmt (management) address type.
Defaults
If no parameters are specified, all MAC addresses for the device will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display MAC address information for ge.3.1:
C2(su)->show mac port ge.3.1
MAC Address       FID  Port          Type
----------------- ---- ------------- --------
00-09-6B-0F-13-E6 15   ge.3.1        Learned

MAC Address       VLAN Port          Type    Status  Egress Ports
----------------- ---- ------------- ------- ------- ---------------------------
01-01-23-34-45-56 20   any           mcast   perm    ge.3.1

The VLAN ID configured for the multicast MAC address.
The status of the multicast address.
The ports which have been added to the egress ports list.
Syntax
show mac agetime
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the MAC timeout period:
C2(su)->show mac agetime
Aging time: 300 seconds
Syntax
set mac agetime time
Parameters
time    Specifies the timeout period in seconds for aging learned MAC addresses. Valid values are 10 to 1,000,000 seconds. Default value is 300 seconds.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to set the MAC timeout period:
C2(su)->set mac agetime 250
Syntax
clear mac agetime
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to reset the MAC timeout period to the default value of 300 seconds.
C2(su)->clear mac agetime
Syntax
set mac algorithm {mac-crc16-lowerbits | mac-crc16-upperbits | mac-crc32-lowerbits | mac-crc32-upperbits}
Parameters
mac-crc16-lowerbits    Select the MAC CRC 16 lower bits algorithm for hashing.
mac-crc16-upperbits    Select the MAC CRC 16 upper bits algorithm for hashing.
mac-crc32-lowerbits    Select the MAC CRC 32 lower bits algorithm for hashing.
mac-crc32-upperbits    Select the MAC CRC 32 upper bits algorithm for hashing.
Defaults
The default MAC algorithm is mac-crc16-upperbits.
Mode
Switch command, read-write.
Usage
Each algorithm is optimized for a different spread of MAC addresses. When changing this mode, the switch will display a warning message and prompt you to restart the device. The default MAC algorithm is mac-crc16-upperbits.
Example
This example sets the hashing algorithm to mac-crc32-upperbits.
C2(rw)->set mac algorithm mac-crc32-upperbits
Syntax
show mac algorithm
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows the output of this command.
C2(su)->show mac algorithm
Mac hashing algorithm is mac-crc16-upperbits.
Syntax
clear mac algorithm
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example resets the MAC hashing algorithm to the default value.
C2(su)->clear mac algorithm
Syntax
set mac multicast mac-address vlan-id [port-string] [{append | clear} port-string]
Parameters
mac-address       Specifies the multicast MAC address. The MAC address can be formatted as xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx.
vlan-id           Specifies the VLAN ID containing the ports.
port-string       Specifies the port or range of ports the multicast MAC address can be learned on or flooded to.
append | clear    Appends or clears the port or range of ports from the egress port list.
Defaults
If no port-string is defined, the command will apply to all ports.
Mode
Switch command, read-write.
Example
This example configures multicast MAC address 01-01-22-33-44-55 for VLAN 24.
C2(su)->set mac multicast 01-01-22-33-44-55 24
Syntax
clear mac address mac-address [vlan-id]
Parameters
mac-address    Specifies the multicast MAC address to be cleared. The MAC address can be formatted as xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx.
vlan-id        (Optional) Specifies the VLAN ID from which to clear the static multicast MAC address.
Defaults
If no vlan-id is specified, the multicast MAC address is cleared from all VLANs.
Mode
Switch command, read-write.
Example
This example clears multicast MAC address 01-01-22-33-44-55 from VLAN 24.
C2(su)->clear mac multicast 01-01-22-33-44-55 24
Syntax
show mac unreserved-flood
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example displays the status of multicast flood protection.
C2(su)->show mac unreserved-flood
mac unreserved flood is disabled.
Syntax
set mac unreserved-flood {disable | enable}
Parameters
disable | enable    Disables or enables multicast flood protection.
Defaults
None.
Mode
Switch command, read-write.
Usage
The following addresses will be forwarded when this function is enabled:
01:80:C2:00:00:11
01:80:C2:00:00:14
01:80:C2:00:00:15
The default state is disabled, and these addresses will not be forwarded.
Example
This example enables multicast flood protection.
C2(su)->set mac unreserved-flood enable
Commands
For information about...
show sntp
set sntp client
clear sntp client
set sntp server
clear sntp server
set sntp poll-interval
clear sntp poll-interval
set sntp poll-retry
clear sntp poll-retry
set sntp poll-timeout
clear sntp poll-timeout
set timezone
show sntp
Use this command to display SNTP client settings.
Syntax
show sntp
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display SNTP client settings:
C2(su)->show sntp
SNTP Version: 3
Current Time: TUE SEP 09 16:13:33 2003
Timezone: 'EST', offset from UTC is -4 hours and 0 minutes
Client Mode: unicast
Broadcast Count: 0
Poll Interval: 512 seconds
Poll Retry: 1
Poll Timeout: 5 seconds
SNTP Poll Requests: 1175
Last SNTP Update: TUE SEP 09 16:05:24 2003
Last SNTP Request: TUE SEP 09 16:05:24 2003
Last SNTP Status: Success

SNTP-Server        Precedence   Status
-------------------------------------------
10.2.8.6           2            Active
144.111.29.19      1            Active

SNTP Poll Requests    Total number of SNTP poll requests.
Last SNTP Update      Date and time of most recent SNTP update.
Last SNTP Request     Date and time of most recent SNTP request.
Table 14-7
Output Field
Status
Syntax
set sntp client {broadcast | unicast | disable}
Parameters
broadcast    Enables SNTP in broadcast client mode.
unicast      Enables SNTP in unicast (point-to-point) client mode. In this mode, the client must supply the IP address from which to retrieve the current time.
disable      Disables SNTP.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable SNTP in broadcast mode:
C2(su)->set sntp client broadcast
Syntax
clear sntp client
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the SNTP client's operational mode:
C2(su)->clear sntp client
Syntax
set sntp server ip-address [precedence]
Parameters
ip-address    Specifies the SNTP server's IP address.
precedence    (Optional) Specifies this SNTP server's precedence in relation to its peers. Valid values are 1 (highest) to 10 (lowest).
Defaults
If precedence is not specified, 1 will be applied.
Mode
Switch command, read-write.
Example
This example shows how to set the server at IP address 10.21.1.100 as an SNTP server:
C2(su)->set sntp server 10.21.1.100
Syntax
clear sntp server {ip-address | all}
Parameters
ip-address    Specifies the IP address of a server to remove from the SNTP server list.
all           Removes all servers from the SNTP server list.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to remove the server at IP address 10.21.1.100 from the SNTP server list:
C2(su)->clear sntp server 10.21.1.100
Syntax
set sntp poll-interval interval
Parameters
interval    Specifies the poll interval in seconds. Valid values are 16 to 16284.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the SNTP poll interval to 30 seconds:
C2(su)->set sntp poll-interval 30
Syntax
clear sntp poll-interval
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the SNTP poll interval:
C2(su)->clear sntp poll-interval
Syntax
set sntp poll-retry retry
Parameters
retry    Specifies the number of retries. Valid values are 0 to 10.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the number of SNTP poll retries to 5:
C2(su)->set sntp poll-retry 5
Syntax
clear sntp poll-retry
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the number of SNTP poll retries:
C2(su)->clear sntp poll-retry
Syntax
set sntp poll-timeout timeout
Parameters
timeout    Specifies the poll timeout in seconds. Valid values are 1 to 30.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the SNTP poll timeout to 10 seconds:
C2(su)->set sntp poll-timeout 10
Syntax
clear sntp poll-timeout
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the SNTP poll timeout:
C2(su)->clear sntp poll-timeout
set timezone
Use this command to configure the current timezone as an offset from UTC.
Syntax
set timezone name [hours] [minutes]
Parameters
name       The name of the timezone. Typically, this name is a standard abbreviation such as EST (Eastern Standard Time) or EDT (Eastern Daylight Time).
hours      (Optional) Specifies the offset in hours from UTC. The value can range from -13 to 13. The default is 0 hours.
minutes    (Optional) Specifies additional offset in minutes from UTC. The value can range from 0 to 59. The default is 0 minutes.
Defaults
If you enter a timezone name without specifying an offset in hours and minutes, the default is an offset from UTC of 0 hours and 0 minutes.
Mode
Switch command, read-write.
Usage
Typically, this command is used to configure the local timezone offset from UTC (Universal Time) when SNTP is used to synchronize the time used by devices on the network.
To display the current timezone setting used by SNTP, use the show sntp command. To clear an existing offset to zero, enter the command without specifying any hours or minutes.
Standard timezone names and offsets can be found at the following URL, among others:
http://www.timeanddate.com/library/abbreviations/timezones/
Example
The following example sets the timezone name to EST and the offset to North American Eastern Standard Time offset of -5 hours from UTC, then displays the timezone used with SNTP.
C2(su)->set timezone EST -5
C2(su)->show sntp
SNTP Version: 3
Current Time: WED JUL 16 11:35:52 2008
Timezone: 'EST' offset from UTC is -5 hours and 0 minutes
Client Mode: unicast
Broadcast Count: 0
Poll Interval: 6 (64 seconds)
Poll Retry: 1
Poll Timeout: 5 seconds
SNTP Poll Requests: 2681
Last SNTP Update: WED JUL 16 16:35:23 2008
Last SNTP Request: WED JUL 16 16:35:23 2008
Last SNTP Status: Success

SNTP-Server        Precedence   Status
-------------------------------------------
192.255.255.254    2            Active
Purpose
To review, disable, and re-enable node (port) alias functionality on the switch.
Commands
For information about...
show nodealias config
set nodealias
clear nodealias config
Syntax
show nodealias config [port-string]
Parameters
port-string    (Optional) Displays node alias configuration settings for specific port(s).
Defaults
If port-string is not specified, node alias configurations will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display node alias configuration settings for ports ge.2.1 through 9:
C2(rw)->show nodealias config ge.2.1-9
Port Number   Max Entries   Used Entries   Status
              -----------   ------------
              16            0
              47            0
              47            2
              47            0
              47            0
              47            2
              47            0
              47            0
              4000          1
set nodealias
Use this command to enable or disable a node alias agent on one or more ports, or set the maximum number of alias entries stored per port.
Syntax
set nodealias {enable | disable | maxentries maxentries} port-string
Parameters
enable | disable         Enables or disables a node alias agent.
maxentries maxentries    Set the maximum number of alias entries stored per port. Valid range is 0 to 4096. The default value is 32.
port-string              Specifies the port(s) on which to enable/disable node alias agent or set a maximum number of stored entries.
Defaults
None.
Mode
Switch command, read-write.
Usage
Upon packet reception, node aliases are dynamically assigned to ports enabled with an alias agent, which is the default setting on SecureStack C2 devices. Node aliases cannot be statically created, but can be deleted using the command clear nodealias config (page 14-37).
It's important to make sure that inter-switch links are not learning node/alias information, as it would slow down searches by the NetSight Compass and ASM tools and give inaccurate results.
Example
This example shows how to disable the node alias agent on ge.1.3:
C2(su)->set nodealias disable ge.1.3
Syntax
clear nodealias config port-string
Parameters
port-string    Specifies the port(s) on which to reset the node alias configuration.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the node alias configuration on ge.1.3:
C2(su)->clear nodealias config ge.1.3
15
RMON Configuration
This chapter describes the commands used to configure RMON on a SecureStack C2 switch.
For information about...
RMON Monitoring Group Functions
Design Considerations
Statistics Group Commands
History Group Commands
Alarm Group Commands
Event Group Commands
Filter Group Commands
Packet Capture Commands
Table 15-1
RMON Group
History
Alarm
  Periodically gathers statistical samples from variables in the probe and compares them with previously configured thresholds. If the monitored variable crosses a threshold, an event is generated.
  show rmon alarm on page 15-9
  set rmon alarm properties on page 15-10
  set rmon alarm status on page 15-11
  clear rmon alarm on page 15-12
Event
  Controls the generation and notification of events from the device.
  show rmon event on page 15-13
  set rmon event properties on page 15-14
  set rmon event status on page 15-15
  clear rmon event on page 15-15
Filter
  Allows packets to be matched by a filter equation. These matched packets form a data stream or channel that may be captured.
  show rmon channel on page 15-17
  set rmon channel on page 15-18
  clear rmon channel on page 15-19
  show rmon filter on page 15-19
  set rmon filter on page 15-20
  clear rmon filter on page 15-21
Packet Capture
  show rmon capture on page 15-22
  set rmon capture on page 15-23
  clear rmon capture on page 15-24
Design Considerations
The C2 supports RMON Packet Capture/Filter Sampling through both the CLI and MIBs, but with the following constraints:
• As described in the MIB, the filter is only applied after the frame is captured, thus only a subset of the frames captured will be available for display.
• There is only one Buffer Control Entry supported.
• Due to the limitations of the hardware, the Buffer Control Entry table will have limits on a few of its elements:
  - MaxOctetsRequested can only be set to the value -1 which indicates the application will capture as many packets as possible given its restrictions.
  - CaptureSliceSize can only be set to 1518.
  - The FullAction element can only be set to "lock" since the device does not support wrapping the capture buffer.
• Configured channel, filter, and buffer information will be saved across resets, but not frames within the capture buffer.
Note: Due to hardware limitations, the only frame error counted is oversized frames.
Commands
For information about...
show rmon stats
set rmon stats
clear rmon stats
Syntax
show rmon stats [port-string]
Parameters
port-string    (Optional) Displays RMON statistics for specific port(s).
Defaults
If port-string is not specified, RMON stats will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display RMON statistics for Gigabit Ethernet port 1 in switch 1.
C2(su)->show rmon stats ge.1.1
Port: ge.1.1
-------------------------------------
Index        = 1
Owner        = monitor
Data Source  = ifIndex.1

Drop Events     = 0        Packets       = 0
Collisions      = 0        Octets        = 0
Jabbers         = 0        0 - 64        = 0
Broadcast Pkts  = 0        65 - 127      = 0
Multicast Pkts  = 0        128 - 255     = 0
CRC Errors      = 0        256 - 511     = 0
Undersize Pkts  = 0        512 - 1023    = 0
Oversize Pkts   = 0        1024 - 1518   = 0
Fragments       = 0
Table 15-2 provides an explanation of the command output.
Syntax
set rmon stats index port-string [owner]
Parameters
index          Specifies an index for this statistics entry.
port-string    Specifies port(s) to which this entry will be assigned.
owner          (Optional) Assigns an owner for this entry.
Defaults
If owner is not specified, monitor will be applied.
Mode
Switch command, read-write.
Example
This example shows how to configure RMON statistics entry 2 for ge.1.20:
C2(rw)->set rmon stats 2 ge.1.20
Syntax
clear rmon stats {index-list | to-defaults}
Parameters
index-list     Specifies one or more stats entries to be deleted, causing them to disappear from any future RMON queries.
to-defaults    Resets all history entries to default values. This will cause entries to reappear in RMON queries.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete RMON statistics entry 2:
C2(rw)->clear rmon stats 2
Commands
For information about...
show rmon history
set rmon history
clear rmon history
Syntax
show rmon history [port-string]
Parameters
port-string    (Optional) Displays RMON history entries for specific port(s).
Defaults
If port-string is not specified, information about all RMON history entries will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display RMON history entries for Gigabit Ethernet port 1 in switch 1. A control entry displays first, followed by actual entries corresponding to the control entry. In this case, the default settings for entry owner, sampling interval, and maximum number of entries (buckets) have not been changed from their default values. For a description of the types of statistics shown, refer to Table 15-2.
C2(su)->show rmon history ge.1.1
Port: ge.1.1
-------------------------------------
Index 1
Owner             = monitor
Status            = valid
Data Source       = ifIndex.1
Interval          = 30
Buckets Requested = 50
Buckets Granted   = 10

Sample 2779          Interval Start: 1 days 0 hours 2 minutes 22 seconds
Drop Events       = 0        Undersize Pkts  = 0
Octets            = 0        Oversize Pkts   = 0
Packets           = 0        Fragments       = 0
Broadcast Pkts    = 0        Jabbers         = 0
Multicast Pkts    = 0        Collisions      = 0
CRC Align Errors  = 0        Utilization(%)  = 0
Syntax
set rmon history index [port-string] [buckets buckets] [interval interval] [owner owner]
Parameters
index-list           Specifies an index number for this entry.
port-string          (Optional) Assigns this entry to a specific port.
buckets buckets      (Optional) Specifies the maximum number of entries to maintain.
interval interval    (Optional) Specifies the sampling interval in seconds.
owner owner          (Optional) Specifies an owner for this entry.
Defaults
If buckets is not specified, the maximum number of entries maintained will be 50.
If not specified, interval will be set to 30 seconds.
If owner is not specified, monitor will be applied.
Mode
Switch command, read-write.
Example
This example shows how to configure RMON history entry 1 on port ge.2.1 to sample every 20 seconds:
C2(rw)->set rmon history 1 ge.2.1 interval 20
Syntax
clear rmon history {index-list | to-defaults}
Parameters
index-list     Specifies one or more history entries to be deleted, causing them to disappear from any future RMON queries.
to-defaults    Resets all history entries to default values. This will cause entries to reappear in RMON queries.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete RMON history entry 1:
C2(rw)->clear rmon history 1
Commands
For information about...
show rmon alarm
set rmon alarm properties
set rmon alarm status
clear rmon alarm
Syntax
show rmon alarm [index]
Parameters
index    (Optional) Displays RMON alarm entries for a specific entry index ID.
Defaults
If index is not specified, information about all RMON alarm entries will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display RMON alarm entry 3:
C2(rw)->show rmon alarm 3
Index 3
---------------------
Owner              = Manager
Status             = valid
Variable           = 1.3.6.1.4.1.5624.1.2.29.1.2.1.0
Sample Type        = delta        Startup Alarm       = rising
Interval           = 30           Value               = 0
Rising Threshold   = 1            Falling Threshold   = 0
Rising Event Index = 2            Falling Event Index = 0
Table 15-2 provides an explanation of the command output.
Table 15-2
Output Field
Index
Owner
Status
Variable
Sample Type
Startup Alarm
Interval
Rising Threshold
Falling Threshold
Rising Event Index
Falling Event Index
Syntax
set rmon alarm properties index [interval interval] [object object] [type {absolute | delta}] [startup {rising | falling | either}] [rthresh rthresh] [fthresh fthresh] [revent revent] [fevent fevent] [owner owner]
Parameters
index                                 Specifies an index number for this entry. Maximum number of entries is 50. Maximum value is 65535.
interval interval                     (Optional) Specifies an interval (in seconds) for RMON to conduct sample monitoring.
object object                         (Optional) Specifies a MIB object to be monitored.
                                      Note: This parameter is not mandatory for executing the command, but must be specified in order to enable the alarm entry configuration.
type absolute | delta                 (Optional) Specifies the monitoring method as: sampling the absolute value of the object, or the difference (delta) between object samples.
startup rising | falling | either     (Optional) Specifies the type of alarm generated when this event is first enabled as:
                                      Rising - Sends alarm when an RMON event reaches a maximum threshold condition, for example, more than 30 collisions per second.
                                      Falling - Sends alarm when RMON event falls below a minimum threshold condition, for example when the network is behaving normally again.
                                      Either - Sends alarm when either a rising or falling threshold is reached.
Defaults
interval - 3600 seconds
type - absolute
startup - rising
rthresh - 0
fthresh - 0
revent - 0
fevent - 0
owner - monitor
Mode
Switch command, read-write.
Example
This example shows how to configure a rising RMON alarm. This entry will conduct monitoring of the delta between samples every 30 seconds:
C2(rw)->set rmon alarm properties 3 interval 30 object 1.3.6.1.4.1.5624.1.2.29.1.2.1.0 type delta rthresh 1 revent 2 owner Manager
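The following is an added example, not code from this guide or from Enterasys, that models when an alarm entry with these properties fires. It follows the threshold and re-arm rules of the standard RMON alarm group (RFC 2819), which the switch is assumed to follow; the RmonAlarm class, evaluate_series and the sample values are constructed for illustration, and an event index of 0 means no event entry is associated with the crossing.

```python
class RmonAlarm:
    """Threshold logic for one alarm entry (assumed RFC 2819 alarm group rules)."""

    def __init__(self, sample_type="absolute", startup="rising",
                 rthresh=0, fthresh=0, revent=0, fevent=0):
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if startup not in ("rising", "falling", "either"):
            raise ValueError("startup must be 'rising', 'falling' or 'either'")
        self.sample_type = sample_type
        self.startup = startup
        self.rthresh, self.fthresh = rthresh, fthresh
        self.revent, self.fevent = revent, fevent
        self._last_raw = None        # previous raw reading (delta mode only)
        self._prev = None            # previous evaluated value
        self._rising_armed = True    # cleared after a rising event
        self._falling_armed = True   # cleared after a falling event

    def sample(self, raw):
        """Feed one reading of the monitored object, taken once per interval.

        Returns None, or (direction, event_index) when a threshold event fires.
        """
        if self.sample_type == "delta":
            if self._last_raw is None:
                self._last_raw = raw     # first reading is only a baseline
                return None
            value = raw - self._last_raw
            self._last_raw = raw
        else:
            value = raw
        return self._evaluate(value)

    def _evaluate(self, value):
        first = self._prev is None
        crossing = None
        if value >= self.rthresh:
            if first:
                fire = self.startup in ("rising", "either")
            else:
                fire = self._prev < self.rthresh and self._rising_armed
            if fire:
                crossing = ("rising", self.revent)
                self._rising_armed = False
            self._falling_armed = True   # a later fall may alarm again
        elif value <= self.fthresh:
            if first:
                fire = self.startup in ("falling", "either")
            else:
                fire = self._prev > self.fthresh and self._falling_armed
            if fire:
                crossing = ("falling", self.fevent)
                self._falling_armed = False
            self._rising_armed = True    # a later rise may alarm again
        self._prev = value
        return crossing


def evaluate_series(alarm, readings):
    """Run a list of readings through an alarm and collect the results."""
    return [alarm.sample(r) for r in readings]


# Alarm entry 3 from the example above: delta sampling, rthresh 1, revent 2,
# everything else left at the documented defaults.
ENTRY_3 = dict(sample_type="delta", startup="rising",
               rthresh=1, fthresh=0, revent=2, fevent=0)

# Constructed counter readings, one per 30-second interval.
COUNTER_READINGS = [100, 100, 101, 105, 105, 107]

if __name__ == "__main__":
    for reading, result in zip(COUNTER_READINGS,
                               evaluate_series(RmonAlarm(**ENTRY_3),
                                               COUNTER_READINGS)):
        print(reading, result)
```

While the counter keeps increasing, only the first interval raises the rising event; the next one is raised only after a quiet interval (delta 0) has re-armed the entry.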
Syntax
set rmon alarm status index enable
Parameters
index     Specifies an index number for this entry. Maximum number of entries is 50. Maximum value is 65535.
enable    Enables this alarm entry.
Defaults
None.
Mode
Switch command, read-write.
Usage
An RMON alarm entry can be created using this command, configured using the set rmon alarm properties command (set rmon alarm properties on page 15-10), then enabled using this command. An RMON alarm entry can be created and configured at the same time by specifying an unused index with the set rmon alarm properties command.
Example
This example shows how to enable RMON alarm entry 3:
C2(rw)->set rmon alarm status 3 enable
Syntax
clear rmon alarm index
Parameters
index    Specifies the index number of entry to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear RMON alarm entry 1:
C2(rw)->clear rmon alarm 1
Commands
For information about...
show rmon event
set rmon event properties
set rmon event status
clear rmon event
Syntax
show rmon event [index]
Parameters
index    (Optional) Displays RMON properties and log entries for a specific entry index ID.
Defaults
If index is not specified, information about all RMON entries will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display RMON event entry 3:
C2(rw)->show rmon event 3
Index 3
----------------
Owner          = Manager
Status         = valid
Description    = STP Topology change
Type           = log-and-trap
Community      = public
Last Time Sent = 0 days 0 hours 0 minutes 37 seconds
Table 15-3 provides an explanation of the command output.
Table 15-3
Output Field
Index
Owner
Status
Description
Type
Community
Syntax
set rmon event properties index [description description] [type {none | log | trap | both}] [community community] [owner owner]
Parameters
index                             Specifies an index number for this entry. Maximum number of entries is 100. Maximum value is 65535.
description description           (Optional) Specifies a text string description of this event.
type none | log | trap | both     (Optional) Specifies the type of RMON event notification as: none, a log table entry, an SNMP trap, or both a log entry and a trap message.
community community               (Optional) Specifies an SNMP community name to use if the message type is set to trap. For details on setting SNMP traps and community names, refer to Creating a Basic SNMP Trap Configuration on page 8-37.
owner owner                       (Optional) Specifies the name of the entity that configured this entry.
Defaults
If description is not specified, none will be applied.
If not specified, type none will be applied.
If owner is not specified, monitor will be applied.
Mode
Switch command, read-write.
Example
This example shows how to create and enable an RMON event entry called "STP topology change" that will send both a log entry and an SNMP trap message to the "public" community:
C2(rw)->set rmon event properties 2 description "STP topology change" type both community public owner Manager
Syntax
set rmon event status index enable
Parameters
index     Specifies an index number for this entry. Maximum number of entries is 100. Maximum value is 65535.
enable    Enables this event entry.
Defaults
None.
Mode
Switch command, read-write.
Usage
An RMON event entry can be created using this command, configured using the set rmon event properties command (set rmon event properties on page 15-14), then enabled using this command. An RMON event entry can be created and configured at the same time by specifying an unused index with the set rmon event properties command.
Example
This example shows how to enable RMON event entry 1:
C2(rw)->set rmon event status 1 enable
Syntax
clear rmon event index
Parameters
index    Specifies the index number of the entry to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear RMON event 1:
C2(rw)->clear rmon event 1
Note: Packet capture is sampling only and does not guarantee receipt of back to back packets.
Commands
For information about...
show rmon channel
set rmon channel
clear rmon channel
show rmon filter
set rmon filter
clear rmon filter
Syntax
show rmon channel [port-string]
Parameters
port-string    (Optional) Displays RMON channel entries for a specific port(s).
Defaults
If port-string is not specified, information about all channels will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display RMON channel information for ge.2.12:
C2(rw)->show rmon channel ge.2.12
Port ge.2.12   Channel index= 628   EntryStatus= valid
----------------------------------------------------------
Control        off            AcceptType     matched
OnEventIndex   0              OffEventIndex  0
EventIndex     0              Status         ready
Matches        4498
Description    Thu Dec 16 12:57:32 EST 2004
Owner          NetSight smith
Syntax
set rmon channel index port-string [accept {matched | failed}] [control {on | off}] [description description] [owner owner]
Parameters
index                      Specifies an index number for this entry. An entry will automatically be created if an unused index number is chosen. Maximum number of entries is 2. Maximum value is 65535.
port-string                Specifies the port on which traffic will be monitored.
accept matched | failed    (Optional) Specifies the action of the filters on this channel as:
                           matched - Packets will be accepted on filter matches
                           failed - Packets will be accepted if they fail a match
control on | off
description description
owner owner
Defaults
If an action is not specified, packets will be accepted on filter matches.
If not specified, control will be set to off.
If a description is not specified, none will be applied.
If owner is not specified, it will be set to monitor.
Mode
Switch command, read-write.
Example
This example shows how to create an RMON channel entry:
C2(rw)->set rmon channel 54313 ge.2.12 accept failed control on description "capture all"
Syntax
clear rmon channel index
Parameters
index    Specifies the channel entry to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear RMON channel entry 2:
C2(rw)->clear rmon channel 2
Syntax
show rmon filter [index index | channel channel]
Parameters
index index | channel channel    (Optional) Displays information about a specific filter entry, or about all filters which belong to a specific channel.
Defaults
If no options are specified, information for all filter entries will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display all RMON filter entries and channel information:
C2(rw)->show rmon filter
Index= 55508   Channel Index= 628   EntryStatus= valid
----------------------------------------------------------
Data Offset       0        PktStatus         0
PktStatusMask     0        PktStatusNotMask  0
Owner             ETS,NAC-D
-----------------------------
Data
ff ff ff ff ff ff
-----------------------------
DataMask
ff ff ff ff ff ff
-----------------------------
DataNotMask
00 00 00 00 00 00
Syntax
set rmon filter index channel-index [offset offset] [status status] [smask smask] [snotmask snotmask] [data data] [dmask dmask] [dnotmask dnotmask] [owner owner]
Parameters
index                Specifies an index number for this entry. An entry will automatically be created if an unused index number is chosen. Maximum number of entries is 10. Maximum value is 65535.
channel-index        Specifies the channel to which this filter will be applied.
offset offset        (Optional) Specifies an offset from the beginning of the packet to look for matches.
status status        (Optional) Specifies packet status bits that are to be matched.
smask smask          (Optional) Specifies the mask applied to status to indicate which bits are significant.
snotmask snotmask    (Optional) Specifies the inversion mask that indicates which bits should be set or not set.
data data            (Optional) Specifies the data to be matched.
dmask dmask          (Optional) Specifies the mask applied to data to indicate which bits are significant.
dnotmask dnotmask    (Optional) Specifies the inversion mask that indicates which bits should be set or not set.
owner owner          (Optional) Specifies the name of the entity that configured this entry.
Defaults
If owner is not specified, it will be set to monitor.
If no other options are specified, none (0) will be applied.
Mode
Switch command, read-write.
Example
This example shows how to create RMON filter 1 and apply it to channel 9:
C2(rw)->set rmon filter 1 9 offset 30 data 0a154305 dmask ffffffff
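How the offset, data, dmask and dnotmask values decide which packets a filter selects, as an added example that is not part of the Enterasys guide. It assumes the switch applies the standard RMON MIB (RFC 2819) data-match rules, and it tests filters against the first 42 bytes of the frame printed in this guide's show rmon capture sample output; RmonFilter, parse_set_rmon_filter and demo are hypothetical names.

```python
from dataclasses import dataclass

# First 42 bytes (Ethernet + IPv4 + UDP headers) of the frame shown in the
# guide's "show rmon capture" sample output. Untagged Ethernet II frame, so
# the IPv4 source address sits at offset 26 and the destination at offset 30.
FRAME = bytes.fromhex(
    "00005e000101" "0001f4007dce" "0800"   # dst MAC, src MAC, EtherType
    "4500004bb4b900004011325c"             # IPv4 header up to the checksum
    "0a154305" "868dbfe5"                  # src IP 10.21.67.5, dst IP 134.141.191.229
    "00a10e2b0037cfca"                     # UDP header (source port 161)
)


@dataclass
class RmonFilter:
    offset: int = 0
    data: bytes = b""
    dmask: bytes = b""
    dnotmask: bytes = b""

    def matches(self, packet: bytes) -> bool:
        n = len(self.data)
        # ASSUMPTION (RFC 2819): a short dmask is padded with 1-bits and a
        # short dnotmask with 0-bits, up to the length of data.
        mask = self.dmask[:n].ljust(n, b"\xff")
        notmask = self.dnotmask[:n].ljust(n, b"\x00")
        window = packet[self.offset:self.offset + n]
        if len(window) < n:
            return False                # rule 1: packet too short for the data field
        has_inverted = differs_inverted = False
        for p, d, m, nm in zip(window, self.data, mask, notmask):
            diff = (p ^ d) & m          # significant bits that differ from data
            if diff & ~nm:
                return False            # rule 2: a non-inverted significant bit differs
            if m & nm:
                has_inverted = True
                differs_inverted |= bool(diff & nm)
        # rule 3: when inverted bits are significant, at least one must differ
        return differs_inverted or not has_inverted


def parse_set_rmon_filter(line: str) -> RmonFilter:
    """Parse the byte-matching options of a 'set rmon filter' command line."""
    tokens = line.split("->", 1)[-1].split()
    if tokens[:3] != ["set", "rmon", "filter"] or len(tokens) < 5:
        raise ValueError("expected: set rmon filter index channel-index [options]")
    # Options follow index and channel-index as keyword/value pairs
    # (a quoted owner string containing spaces is not handled here).
    opts = dict(zip(tokens[5::2], tokens[6::2]))
    return RmonFilter(
        offset=int(opts.get("offset", 0)),
        data=bytes.fromhex(opts.get("data", "")),
        dmask=bytes.fromhex(opts.get("dmask", "")),
        dnotmask=bytes.fromhex(opts.get("dnotmask", "")),
    )


def demo() -> dict:
    ip = bytes.fromhex("0a154305")
    ones = b"\xff" * 4
    filters = {
        # The guide's own example: matches frames whose DESTINATION is 10.21.67.5.
        "guide_offset30": parse_set_rmon_filter(
            "C2(rw)->set rmon filter 1 9 offset 30 data 0a154305 dmask ffffffff"),
        # Same value at offset 26 selects frames SENT by 10.21.67.5.
        "src_ip": RmonFilter(26, ip, ones),
        # dnotmask inverts the test: everything NOT sent by 10.21.67.5.
        "not_src_ip": RmonFilter(26, ip, ones, ones),
        # The filter from the "show rmon filter" output: broadcast destination MAC.
        "broadcast_dst": RmonFilter(0, b"\xff" * 6, b"\xff" * 6, b"\x00" * 6),
    }
    return {name: f.matches(FRAME) for name, f in filters.items()}


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:15s} {'match' if hit else 'no match'}")
```

Only the src_ip filter selects the sample frame: the guide's offset 30 filter keys on the destination address, which in that frame is 134.141.191.229.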
Syntax
clear rmon filter {index index | channel channel}
Parameters
index index | channel channel Clears a specific filter entry, or all entries belonging to a specific channel.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear RMON filter entry 1:
C2(rw)->clear rmon filter index 1
Purpose
To display RMON capture entries, configure, enable, or disable capture entries, and clear capture entries.
Commands
show rmon capture
set rmon capture
clear rmon capture
Syntax
show rmon capture [index [nodata]]
Parameters
index (Optional) Displays the specified buffer control entry and all captured packets associated with that entry.
nodata (Optional) Displays only the buffer control entry specified by index.
Defaults
If no options are specified, all buffer control entries and associated captured packets will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display RMON capture entries and associated buffer entries:
C2(rw)->show rmon capture
Buf.control= 28062 Channel= 38283 EntryStatus= valid
----------------------------------------------------------
FullStatus avail
FullAction lock
Captured packets 251
Capture slice 1518
Download size 100
Download offset 0
Max Octet Requested 50000
Max Octet Granted 50000
Start time 1 days 0 hours 51 minutes 15 seconds
Owner monitor
captureEntry= 1 Buff.control= 28062
--------------------------------------------
Pkt ID 9
Pkt time 1 days 0 hours 51 minutes 15 seconds
Pkt Length 93
Pkt status 0
Data:
00 00 5e 00 01 01 00 01 f4 00 7d ce 08 00 45 00
00 4b b4 b9 00 00 40 11 32 5c 0a 15 43 05 86 8d
bf e5 00 a1 0e 2b 00 37 cf ca 30 2d 02 01 00 04
06 70 75 62 6c 69 63 a2 20 02 02 0c 92 02 01 00
02 01 00 30 14 30 12 06 0d 2b 06 01 02 01 10 07
01 01 0b 81 fd 1c 02 01 01 00 11 0b 00
Syntax
set rmon capture index {channel [action {lock}] [slice slice] [loadsize loadsize] [offset offset] [asksize asksize] [owner owner]}
Parameters
index Specifies a buffer control entry.
channel Specifies the channel to which this capture entry will be applied.
action lock (Optional) Specifies the action of the buffer when it is full as: lock - Packets will cease to be accepted.
slice slice
loadsize loadsize
offset offset
asksize asksize
owner
Defaults
If not specified, action defaults to lock.
If not specified, offset defaults to 0.
If not specified, asksize defaults to 1 (which will request as many octets as possible).
If slice is not specified, 1518 will be applied.
If loadsize is not specified, 100 will be applied.
If owner is not specified, it will be set to monitor.
Mode
Switch command, read-write.
Example
This example shows how to create RMON capture entry 1 to listen on channel 628:
C2(rw)->set rmon capture 1 628
Syntax
clear rmon capture index
Parameters
index Specifies the capture entry to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear RMON capture entry 1:
C2(rw)->clear rmon capture 1
16
DHCP Server Configuration
This chapter describes the commands to configure the IPv4 DHCP server functionality on a SecureStack C2 switch.
Sections in this chapter: DHCP Overview, Configuring General DHCP Server Parameters, Configuring IP Address Pools.
DHCP Overview
Dynamic Host Configuration Protocol (DHCP) for IPv4 is a network layer protocol that implements automatic or manual assignment of IP addresses and other configuration information to client devices by servers. A DHCP server manages a user-configured pool of IP addresses from which it can make assignments upon client requests. A relay agent passes DHCP messages between clients and servers which are on different physical subnets.
DHCP Server
DHCP server functionality allows the SecureStack C2 switch to provide basic IP configuration information to a client on the network who requests such information using the DHCP protocol. DHCP provides the following mechanisms for IP address allocation by a DHCP server:
Automatic: DHCP server assigns an IP address to a client for a limited period of time (or until the client explicitly relinquishes the address) from a defined pool of IP addresses configured on the server.
Manual: A client's IP address is assigned by the network administrator, and DHCP is used simply to convey the assigned address to the client. This is managed by means of static address pools configured on the server.
The amount of time that a particular IP address is valid for a system is called a lease. The SecureStack C2 maintains a lease database which contains information about each assigned IP address, the MAC address to which it is assigned, the lease expiration, and whether the address assignment is dynamic (automatic) or static (manual). The DHCP lease database is stored in flash memory.
In addition to assigning IP addresses, the DHCP server can also be configured to assign the following to requesting clients:
Default router(s)
DNS server(s) and domain name
NetBIOS WINS server(s) and node name
Boot file
DHCP options as defined by RFC 2132
Note: A total of 16 address pools, dynamic and/or static, and a maximum of 256 addresses for the entire switch, can be configured on the SecureStack C2.
Set other DHCP server parameters such as the number of ping packets to be sent before assigning an IP address, or enabling conflict logging.
Commands
set dhcp
set dhcp bootp
set dhcp conflict logging
show dhcp conflict
clear dhcp conflict
set dhcp exclude
clear dhcp exclude
set dhcp ping
clear dhcp ping
show dhcp binding
clear dhcp binding
show dhcp server statistics
clear dhcp server statistics
set dhcp
Use this command to enable or disable the DHCP server functionality on the SecureStack C2.
Syntax
set dhcp {enable | disable}
Parameters
enable | disable Enables or disables DHCP server functionality. By default, DHCP server is disabled.
Defaults
None.
Mode
Switch command, read-write.
Example
This example enables DHCP server functionality.
C2(rw)->set dhcp enable
Syntax
set dhcp bootp {enable | disable}
Parameters
enable | disable Enables or disables address allocation for BOOTP clients.
Defaults
None.
Mode
Switch command, read-write.
Example
This example enables address allocation for BOOTP clients.
C2(rw)->set dhcp bootp enable
Syntax
set dhcp conflict logging
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example enables DHCP conflict logging.
C2(rw)->set dhcp conflict logging
Syntax
show dhcp conflict [address]
Parameters
address [Optional] Specifies the address for which to display conflict information.
Defaults
If no address is specified, conflict information for all addresses is displayed.
Mode
Read-only.
Example
This example displays conflict information for all addresses. Note that ping is the only detection method used.
C2(ro)->show dhcp conflict
IP address    Detection Method    Detection Time
----------    ----------------    ---------------
192.0.0.2     Ping                0 days 19h:01m:23s
192.0.0.3     Ping                0 days 19h:00m:46s
192.0.0.4     Ping                0 days 19h:01m:25s
192.0.0.12    Ping                0 days 19h:01m:26s
Syntax
clear dhcp conflict {logging | ip-address | *}
Parameters
logging Disables conflict logging.
ip-address Clears the conflict information for the specified IP address.
* Clears the conflict information for all IP addresses.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example disables DHCP conflict logging.
C2(rw)->clear dhcp conflict logging
This example clears the conflict information for the IP address 192.0.0.2.
C2(rw)->clear dhcp conflict 192.0.0.2
Syntax
set dhcp exclude low-ipaddr [high-ipaddr]
Parameters
low-ipaddr Specifies the first IP address in the address range to be excluded from assignment.
high-ipaddr (Optional) Specifies the last IP address in the address range to be excluded.
Defaults
None.
Mode
Switch command, read-write.
Example
This example first configures the address pool named auto1 with 255 addresses for the Class C network 172.20.28.0, with the set dhcp pool network command. Then, the example limits the scope of the addresses that can be assigned by a DHCP server by excluding addresses 172.20.28.80-100, with the set dhcp exclude command.
C2(rw)->set dhcp pool auto1 network 172.20.28.0 24
C2(rw)->set dhcp exclude 172.20.28.80 172.20.28.100
Syntax
clear dhcp exclude low-ipaddr [high-ipaddr]
Parameters
low-ipaddr Specifies the first IP address in the address range to be cleared.
high-ipaddr (Optional) Specifies the last IP address in the address range to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears the previously excluded range of IP addresses between 192.168.1.88 through 192.168.1.100.
C2(rw)->clear dhcp exclude 192.168.1.88 192.168.1.100
Syntax
set dhcp ping packets number
Parameters
packets number Specifies the number of ping packets to be sent. The value of number can be 0, or range from 2 to 10. Entering 0 disables this function. The default value is 2 packets.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the number of ping packets sent to 3.
C2(rw)->set dhcp ping packets 3
Syntax
clear dhcp ping packets
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example resets the number of ping packets sent back to the default value.
C2(rw)->clear dhcp ping packets
Syntax
show dhcp binding [ip-address]
Parameters
ip-address (Optional) Specifies the IP address for which to display binding information.
Defaults
If no IP address is specified, binding information for all addresses is displayed.
Mode
Read-only.
Example
This example displays binding information about all addresses.
C2(rw)->show dhcp binding
IP address    Hardware Address     Lease Expiration    Type
----------    -----------------    ----------------    ---------
192.0.0.6     00:33:44:56:22:39    00:11:02            Automatic
192.0.0.8     00:33:44:56:22:33    00:10:22            Automatic
192.0.0.10    00:33:44:56:22:34    00:09:11            Automatic
192.0.0.11    00:33:44:56:22:35    00:10:05            Automatic
192.0.0.12    00:33:44:56:22:36    00:10:30            Automatic
192.0.0.13    00:33:44:56:22:37    infinite            Manual
192.0.0.14    00:33:44:56:22:38    infinite            Manual
Syntax
clear dhcp binding {ip-addr | *}
Parameters
ip-addr Specifies the IP address for which to clear/delete the DHCP binding.
* Deletes all address bindings.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the DHCP address binding for IP address 192.168.1.1.
C2(rw)->clear dhcp binding 192.168.1.1
Syntax
show dhcp server statistics
Parameters
None.
Defaults
None.
Mode
Read-only.
Example
This example displays server statistics.
C2(ro)->show dhcp server statistics
Automatic Bindings    36
Expired Bindings      6
Malformed Bindings    0
Messages         Received
----------       ----------
DHCP DISCOVER    382
DHCP REQUEST     3855
DHCP DECLINE     0
DHCP RELEASE     67
DHCP INFORM      1
Messages         Sent
----------       ------
DHCP OFFER       381
DHCP ACK         727
DHCP NACK        2
Syntax
clear dhcp server statistics
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears all DHCP server counters.
C2(rw)->clear dhcp server statistics
Purpose
To configure and clear DHCP address pool parameters, and to display address pool configuration information.
Note: A total of 16 address pools, dynamic and/or static, can be configured on the SecureStack C2.
Commands
set dhcp pool
clear dhcp pool
set dhcp pool network
clear dhcp pool network
set dhcp pool hardware-address
clear dhcp pool hardware-address
set dhcp pool host
clear dhcp pool host
set dhcp pool client-identifier
clear dhcp pool client-identifier
set dhcp pool client-name
clear dhcp pool client-name
set dhcp pool bootfile
clear dhcp pool bootfile
set dhcp pool next-server
clear dhcp pool next-server
set dhcp pool lease
clear dhcp pool lease
set dhcp pool default-router
clear dhcp pool default-router
set dhcp pool dns-server
clear dhcp pool dns-server
set dhcp pool domain-name
clear dhcp pool domain-name
set dhcp pool netbios-name-server
clear dhcp pool netbios-name-server
set dhcp pool netbios-node-type
clear dhcp pool netbios-node-type
set dhcp pool option
clear dhcp pool option
show dhcp pool configuration
Syntax
set dhcp pool poolname
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example creates an address pool named auto1.
C2(rw)->set dhcp pool auto1
Syntax
clear dhcp pool poolname
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the address pool named auto1.
C2(rw)->clear dhcp pool auto1
Syntax
set dhcp pool poolname network number {mask | prefix-length}
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
number Specifies an IP subnet for the address pool.
mask Specifies the subnet mask in dotted quad notation.
prefix-length Specifies the subnet mask as an integer.
Defaults
None.
Mode
Switch command, read-write.
Usage
Use this command to configure a set of IP addresses to be assigned by the DHCP server using the specified address pool. In order to limit the scope of the addresses configured with this command, use the set dhcp exclude command.
Examples
This example configures the IP subnet 172.20.28.0 with a prefix length of 24 for the automatic DHCP pool named auto1. Alternatively, the mask could have been specified as 255.255.255.0.
C2(rw)->set dhcp pool auto1 network 172.20.28.0 24
This example limits the scope of 255 addresses created for the Class C network 172.20.28.0 by the previous example, by excluding addresses 172.20.28.80-100.
C2(rw)->set dhcp exclude 172.20.28.80 172.20.28.100
Syntax
clear dhcp pool poolname network
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the network and mask from the address pool named auto1.
C2(rw)->clear dhcp pool auto1 network
Syntax
set dhcp pool poolname hardware-address hw-addr [type]
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
hw-addr Specifies the MAC address of the client's hardware platform. This value can be entered using dotted hexadecimal notation or colons.
type (Optional) Specifies the protocol of the hardware platform. Valid values are 1 for Ethernet or 6 for IEEE 802. Default value is 1, Ethernet.
Defaults
If no type is specified, Ethernet is assumed.
Mode
Switch command, read-write.
Example
This example specifies 0001.f401.2710 as the Ethernet MAC address for the manual address pool named manual1. Alternatively, the MAC address could have been entered as 00:01:f4:01:27:10.
C2(rw)->set dhcp pool manual1 hardware-address 0001.f401.2710
Syntax
clear dhcp pool poolname hardware-address
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the client hardware address from the address pool named manual1.
C2(rw)->clear dhcp pool manual1 hardware-address
Syntax
set dhcp pool poolname host ip-address [mask | prefix-length]
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
ip-address Specifies the IP address for manual binding.
mask (Optional) Specifies the subnet mask in dotted quad notation.
prefix-length (Optional) Specifies the subnet mask as an integer.
Defaults
If a mask or prefix is not specified, the class A, B, or C natural mask will be used.
Mode
Switch command, read-write.
Example
This example shows how to configure the minimum requirements for a manual binding address pool. First, the hardware address of the client's hardware platform is configured, followed by configuration of the address to be assigned to that client manually.
C2(rw)->set dhcp pool manual1 hardware-address 0001.f401.2710
C2(rw)->set dhcp pool manual1 host 15.12.1.99 255.255.248.0
Syntax
clear dhcp pool poolname host
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the host IP address from the address pool named manual1.
C2(rw)->clear dhcp pool manual1 host
Syntax
set dhcp pool poolname client-identifier id
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
id Specifies the unique client identifier for this client. The value must be entered in xx:xx:xx:xx:xx:xx format.
Defaults
None.
Mode
Switch command, read-write.
Usage
The client identifier is formed by concatenating the media type and the MAC address. For example, if the client hardware type is Ethernet and the client MAC address is 00:01:22:33:44:55, then the client identifier configured with this command must be 01:00:01:22:33:44:55.
Example
This example shows how to configure the minimum requirements for a manual binding address pool, using a client identifier rather than the hardware address of the client's hardware platform.
C2(rw)->set dhcp pool manual2 client-identifier 01:00:01:22:33:44:55
C2(rw)->set dhcp pool manual2 host 10.12.1.10 255.255.255.0
Syntax
clear dhcp pool poolname client-identifier
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the client identifier from the address pool named manual1.
C2(rw)->clear dhcp pool manual1 client-identifier
Syntax
set dhcp pool poolname client-name name
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
name Specifies the name to be assigned to this client. Client names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example configures the client name appsvr1 to the manual binding pool manual2.
C2(rw)->set dhcp pool manual2 client-identifier 01:22:33:44:55:66
C2(rw)->set dhcp pool manual2 host 10.12.1.10 255.255.255.0
C2(rw)->set dhcp pool manual2 client-name appsvr1
Syntax
clear dhcp pool poolname client-name
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the client name from the manual binding pool manual2.
C2(rw)->clear dhcp pool manual2 client-name
Syntax
set dhcp pool poolname bootfile filename
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
filename Specifies the boot image file name.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the boot image filename for address pool named auto1.
C2(rw)->set dhcp pool auto1 bootfile image1.img
Syntax
clear dhcp pool poolname bootfile
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the boot image filename from address pool named auto1.
C2(rw)->clear dhcp pool auto1 bootfile
Syntax
set dhcp pool poolname next-server ip-address
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
ip-address Specifies the IP address of the file server the DHCP client should contact to load the default boot image.
Defaults
None.
Mode
Switch command, read-write.
Example
This example specifies the file server from which clients being served by address pool auto1 should download the boot image file image1.img.
C2(rw)->set dhcp pool auto1 bootfile image1.img
C2(rw)->set dhcp pool auto1 next-server 10.1.1.10
Syntax
clear dhcp pool poolname next-server
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the file server from address pool auto1.
C2(rw)->clear dhcp pool auto1 next-server
Syntax
set dhcp pool poolname lease {days [hours [minutes]] | infinite}
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
days Specifies the number of days an address lease will remain valid. Value can range from 0 to 59.
hours (Optional) When a days value has been assigned, specifies the number of hours an address lease will remain valid. Value can range from 0 to 1439.
minutes (Optional) When a days value and an hours value have been assigned, specifies the number of minutes an address lease will remain valid. Value can range from 0 to 86399.
infinite Specifies that the duration of the lease will be unlimited.
Defaults
If no lease time is specified, a lease duration of 1 day is configured.
Mode
Switch command, read-write.
Example
This example configures a lease duration of 12 hours for the address pool being configured. Note that to configure a lease time less than one day, enter 0 for days, then the number of hours and minutes.
C2(rw)->set dhcp pool auto1 lease 0 12
Syntax
clear dhcp pool poolname lease
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
Clears the lease time for this address pool to the default value of one day.
Mode
Switch command, read-write.
Example
This example restores the default lease duration of one day for address pool auto1.
C2(rw)->clear dhcp pool auto1 lease
Syntax
set dhcp pool poolname default-router address [address2 ... address8]
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
address Specifies the IP address of a default router.
address2 ... address8 (Optional) Specifies, in order of preference, up to 7 additional default router addresses.
Defaults
None.
Mode
Switch command, read-write.
Example
This example assigns a default router at 10.10.10.1 to the address pool named auto1.
C2(rw)->set dhcp pool auto1 default-router 10.10.10.1
Syntax
clear dhcp pool poolname default-router
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the default router from the address pool auto1.
C2(rw)->clear dhcp pool auto1 default-router
Syntax
set dhcp pool poolname dns-server address [address2 ... address8]
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
address Specifies the IP address of a DNS server.
address2 ... address8 (Optional) Specifies, in order of preference, up to 7 additional DNS server addresses.
Defaults
None.
Mode
Switch command, read-write.
Example
This example assigns a DNS server at 10.14.10.1 to the address pool auto1.
C2(rw)->set dhcp pool auto1 dns-server 10.14.10.1
Syntax
clear dhcp pool poolname dns-server
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the DNS server list from the address pool auto1.
C2(rw)->clear dhcp pool auto1 dns-server
Syntax
set dhcp pool poolname domain-name domain
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
domain Specifies the domain name string. The domain name can be up to 255 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example assigns the mycompany.com domain name to the address pool auto1.
C2(rw)->set dhcp pool auto1 domain-name mycompany.com
Syntax
clear dhcp pool poolname domain-name
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the domain name from the address pool auto1.
C2(rw)->clear dhcp pool auto1 domain-name
Syntax
set dhcp pool poolname netbios-name-server address [address2 ... address8]
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
address Specifies the IP address of a NetBIOS name server.
address2 ... address8 (Optional) Specifies, in order of preference, up to 7 additional NetBIOS name server addresses.
Defaults
None.
Mode
Switch command, read-write.
Example
This example assigns a NetBIOS name server at 10.15.10.1 to the address pool being configured.
C2(rw)->set dhcp pool auto1 netbios-name-server 10.15.10.1
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the NetBIOS name server list from the address pool auto1.
C2(rw)->clear dhcp pool auto1 netbios-name-server
Syntax
set dhcp pool poolname netbios-node-type {b-node | h-node | p-node | m-node}
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
b-node Specifies the NetBIOS node type to be broadcast (no WINS).
h-node Specifies the NetBIOS node type to be hybrid (WINS, then broadcast).
p-node Specifies the NetBIOS node type to be peer (WINS only).
m-node Specifies the NetBIOS node type to be mixed (broadcast, then WINS).
Defaults
None.
Mode
Switch command, read-write.
Example
This example specifies hybrid as the NetBIOS node type for the address pool auto1.
C2(rw)->set dhcp pool auto1 netbios-node-type h-node
Syntax
clear dhcp pool poolname netbios-node-type
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the NetBIOS node type from the address pool auto1.
C2(rw)->clear dhcp pool auto1 netbios-node-type
Syntax
set dhcp pool poolname option code {ascii string | hex string-list | ip addresslist}
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
code Specifies the DHCP option code, as defined in RFC 2132. Value can range from 1 to 254.
ascii string Specifies the data in ASCII format. An ASCII character string containing a space must be enclosed in quotations.
hex string-list Specifies the data in HEX format. Up to 8 HEX strings can be entered.
ip addresslist Specifies the data in IP address format. Up to 8 IP addresses can be entered.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example configures DHCP option 19, which specifies whether the client should configure its IP layer for packet forwarding. In this case, IP forwarding is enabled with the 01 value.
C2(rw)->set dhcp pool auto1 option 19 hex 01
This example configures DHCP option 72, which assigns one or more Web servers for DHCP clients. In this case, two Web server addresses are configured.
C2(rw)->set dhcp pool auto1 option 72 ip 168.24.3.252 168.24.3.253
Syntax
clear dhcp pool poolname option code
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
code Specifies the DHCP option code, as defined in RFC 2132. Value can range from 1 to 254.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes option 19 from address pool auto1.
C2(rw)->clear dhcp pool auto1 option 19
Syntax
show dhcp pool configuration {poolname | all}
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Read-only.
Example
This example displays configuration information for all address pools.
C2(rw)->show dhcp pool configuration all
Pool: Atg_Pool
Pool Type Dynamic
Network
Lease Time
Default Routers
Pool: static1
Pool Type
Client Name
Client Identifier
Host
Lease Time
Option
Pool: static2
Pool Type
Hardware Address
Hardware Address Type
Host
Lease Time
17
DHCP Snooping and Dynamic ARP Inspection
This chapter describes two security features:
DHCP snooping, which monitors DHCP messages between a DHCP client and DHCP server to filter harmful DHCP messages and to build a database of authorized address bindings
Dynamic ARP inspection, which uses the bindings database created by the DHCP snooping feature to reject invalid and malicious ARP packets
Sections in this chapter: DHCP Snooping Overview, DHCP Snooping Commands, Dynamic ARP Inspection Overview, Dynamic ARP Inspection Commands.
DHCP snooping can be configured on switching VLANs and routing VLANs. When a DHCP packet is received on a routing VLAN, the DHCP snooping application applies its filtering rules and updates the bindings database. If a client message passes filtering rules, the message is placed into the software forwarding path, where it may be processed by the DHCP relay agent, the local DHCP server, or forwarded as an IP packet.
DHCP snooping forwards valid DHCP client messages received on non-routing VLANs. The message is forwarded on all trusted interfaces in the VLAN. If a DHCP relay agent or local DHCP server coexist with the DHCP snooping feature, DHCP client messages will be sent to the DHCP relay agent or local DHCP server to process further.
The DHCP snooping application does not forward server messages since they are forwarded in hardware.
DHCP snooping creates a tentative binding from DHCP DISCOVER and REQUEST messages. Tentative bindings tie a client to a port (the port where the DHCP client message was received). Tentative bindings are completed when DHCP snooping learns the client's IP address from a DHCP ACK message on a trusted port. DHCP snooping removes bindings in response to DECLINE, RELEASE, and NACK messages. The DHCP snooping application ignores the ACK messages sent in reply to the DHCP Inform messages received on trusted ports. You can also enter static bindings into the bindings database.
When a switch learns of new bindings or when it loses bindings, the switch immediately updates the entries in the database.
If the absolute lease time of a snooping database entry expires, then that entry will be removed. Care should be taken to ensure that system time is consistent across reboots. Otherwise, snooping entries will not expire properly. If a host sends a DHCP RELEASE message while the switch is rebooting, when the switch receives a DHCP DISCOVER or REQUEST message, the client's binding will go to a tentative binding state.
Rate Limiting
To protect the switch against DHCP attacks when DHCP snooping is enabled, the snooping application enforces a rate limit for DHCP packets received on untrusted interfaces. DHCP snooping monitors the receive rate on each interface separately. If the receive rate exceeds a configurable limit, DHCP snooping brings down the interface. Use the set port enable command to re-enable the interface. Both the rate and the burst interval can be configured.
Basic Configuration
The following configuration procedure does not change the write delay to the snooping database or any of the default rate limiting values. Additional configuration notes follow this procedure.
Procedure 17-1
1. Enable DHCP snooping globally on the switch.
2. Determine where DHCP clients will be connected and enable DHCP snooping on their VLANs.
3. Determine which ports will be connected to the DHCP server and configure them as trusted ports.
4. If desired, enable logging of invalid DHCP messages on specific ports.
5. If desired, add static bindings to the database.
Configuration Notes
DHCP Server
When the switch is operating in switch mode, then the DHCP server and DHCP clients must be in the same VLAN.
If the switch is in routing mode (on those platforms that support routing), then the DHCP server can be remotely connected to a routing interface, or running locally.
If the DHCP server is remotely connected, then the use of an IP helper address is required and MAC address verification should be disabled (set dhcpsnooping verify mac-address disable).
The DHCP server must use Scopes in order to provide the IP addresses per VLAN.
DHCP snooping must be enabled on the interfaces where the DHCP clients are connected, and the interfaces must be untrusted DHCP snooping ports.
The routing interface that is connected to the DHCP server must be enabled for DHCP snooping and must be a trusted DHCP snooping port.
set dhcpsnooping
Use this command to enable or disable DHCP snooping globally.
Syntax
set dhcpsnooping {enable | disable}
Parameters
enable Enable DHCP snooping globally on the switch.
disable Disable DHCP snooping globally on the switch.
Defaults
Disabled globally.
Mode
Switch command, read-write.
Usage
By default, DHCP snooping is disabled globally and on all VLANs. You must enable it globally with this command, and then enable it on specific VLANs.
Example
The following example enables DHCP snooping globally.
C2(rw)->set dhcpsnooping enable
Syntax
set dhcpsnooping vlan vlan-range {enable | disable}
Parameters
vlan-range Specifies the VLAN or range of VLANs on which DHCP snooping is to be enabled or disabled.
enable | disable Enables or disables DHCP snooping for the specified VLANs.
Defaults
DHCP snooping is disabled by default on all VLANs.
Mode
Switch command, read-write.
Usage
By default, DHCP snooping is disabled globally and on all VLANs. You must enable it globally with the set dhcpsnooping command, and then enable it on specific VLANs with this command.
Example
This example enables DHCP snooping on VLANs 10 through 20.
C2(rw)->set dhcpsnooping vlan 10-20 enable
Syntax
set dhcpsnooping database write-delay seconds
Parameters
seconds Specify the interval in seconds between updates to the stored bindings database. The value can range from 15 to 86400 seconds.
Defaults
Every 5 minutes (300 seconds).
Mode
Switch command, read-write.
Usage
When a switch learns of new bindings or when it loses bindings, the switch updates the entries in the bindings database according to the write delay timer. The switch also updates the entries in the binding file. The frequency at which the file is updated is based on the delay configured with this command, and the updates are batched.
Example
The following example specifies that the stored database should be updated once an hour.
C2(rw)->set dhcpsnooping database write-delay 3600
Syntax
set dhcpsnooping trust port port-string {enable | disable}
Parameters
port port-string   Specifies the port or ports to be enabled or disabled as trusted ports. The ports can be physical ports or LAGs that are members of a VLAN.
enable | disable   Enables or disables the specified ports as trusted ports.
Defaults
By default, ports are untrusted.
Mode
Switch command, read-write.
Usage
In order for DHCP snooping to operate, snooping has to be enabled globally and on specific VLANs, and the ports within the VLANs have to be configured as trusted or untrusted. On trusted ports, DHCP client messages are forwarded directly by the hardware. On untrusted ports, client messages are given to the DHCP snooping application.
The DHCP snooping application builds the bindings database from client messages received on untrusted ports. DHCP snooping creates a tentative binding from DHCP DISCOVER and REQUEST messages. Tentative bindings tie a client to the port on which the message packet was received. Tentative bindings are completed when DHCP snooping learns the client's IP address from a DHCP ACK message on a trusted port.
The ports on the switch through which DHCP servers are reached must be configured as trusted ports so that packets received from those ports will be forwarded to clients. DHCP packets from a DHCP server (DHCP OFFER, DHCP ACK, DHCP NAK) are dropped if received on an untrusted port.
Example
This example configures port ge.1.1 as a trusted port.
C2(rw)->set dhcpsnooping trust port ge.1.1 enable
Syntax
set dhcpsnooping binding mac-address vlan vlan-id ipaddr port port-string
Parameters
mac-address        Specifies the MAC address of the binding entry.
vlan vlan-id       Specifies the VLAN of the binding entry.
ipaddr             Specifies the IP address of the binding entry.
port port-string   Specifies the port of the binding entry.
Defaults
None.
Mode
Switch command, read-write.
Usage
When enabled globally and on VLANs, DHCP snooping builds its bindings database from DHCP client messages received on untrusted ports. Such entries in the database are dynamic entries which will be removed in response to valid DECLINE, RELEASE, and NACK messages or when the absolute lease time of the entry expires.
You can add static entries to the bindings database with this command.
Example
This example creates a static entry, associating MAC address 00:01:02:33:44:55 with IP address 192.168.10.10 and VLAN 10, port ge.1.1.
C2(rw)->set dhcpsnooping binding 00:01:02:33:44:55 vlan 10 192.168.10.10 port ge.1.1
Syntax
set dhcpsnooping verify mac-address {enable | disable}
Parameters
enable    Enables verification of the source MAC address in client messages against the client hardware address.
disable   Disables verification of the source MAC address in client messages against the client hardware address.
Defaults
Source MAC address verification is enabled by default.
Mode
Switch command, read-write.
Usage
When this verification is enabled, the DHCP snooping application compares the source MAC address contained in valid client messages with the client's hardware address. If there is a mismatch, DHCP snooping logs the event and drops the packet.
Use the show dhcpsnooping command to display the status (enabled or disabled) of source MAC address verification for each interface in an enabled VLAN. The show dhcpsnooping statistics command shows the actual number of MAC verification errors that occurred on untrusted ports.
Example
This example disables source MAC address verification and logging.
C2(rw)->set dhcpsnooping verify mac-address disable
Syntax
set dhcpsnooping log-invalid port port-string {enable | disable}
Parameters
port port-string   Specifies the port or ports on which to enable or disable logging of invalid packets.
enable | disable   Enables or disables logging on the specified ports.
Defaults
Disabled.
Mode
Switch command, read-write.
Usage
The DHCP snooping application processes incoming DHCP messages. For DHCP RELEASE and DHCP DECLINE messages, the application compares the receive interface and VLAN with the
Example
This example enables logging of invalid DHCP messages on port ge.1.1 and then displays the DHCP configuration settings.
C2(rw)->set dhcpsnooping log-invalid port ge.1.1 enable
C2(su)->show dhcpsnooping
DHCP snooping is Disabled
DHCP snooping source MAC verification is enabled
DHCP snooping is enabled on the following VLANs:
3
Syntax
set dhcpsnooping limit port-string {none | rate pps {burst interval secs]}
Parameters
port-string           Specifies the port or ports to which to apply these rate limiting parameters.
none                  Configures no limit on incoming DHCP packets.
rate pps              Specifies a rate limit in packets per second. The value of pps can range from 0 to 100 packets per second.
burst interval secs   Specifies a burst interval in seconds. The value of secs can range from 1 to 15 seconds.
Defaults
Rate = 15 packets per second
Burst Interval = 1 second
Mode
Switch command, read-write.
Usage
To protect the switch from DHCP attacks when DHCP snooping is enabled, the snooping application enforces a rate limit for DHCP packets received on untrusted interfaces. DHCP snooping monitors the receive rate on each interface separately. If the receive rate exceeds the configured limit, DHCP snooping brings down the interface. You can re-enable the interface with the set port enable command. Both the rate and the burst interval can be configured.
You can display the currently configured rate limit parameters with the show dhcpsnooping port command.
Example
This example configures rate limit parameters on port ge.1.1.
C2(rw)->set dhcpsnooping limit ge.1.1 rate 20 burst interval 2
C2(rw)->show dhcpsnooping port ge.1.1
Interface  Trust State   Rate Limit    Burst Interval
                         (pps)         (seconds)
---------  ------------  ------------  --------------
ge.1.1     No            20            2
show dhcpsnooping
Use this command to display DHCP snooping configuration parameters.
Syntax
show dhcpsnooping
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command displays the status (enabled or disabled) of DHCP snooping globally, lists the VLANs on which DHCP snooping is enabled, displays whether source MAC address verification is enabled or disabled, and for ports that are enabled for snooping, displays whether they are trusted or untrusted and whether logging of invalid packets has been enabled.
Example
This example shows the output of the show dhcpsnooping command.
C2(su)->show dhcpsnooping
DHCP snooping is Enabled
DHCP snooping source MAC verification is enabled
DHCP snooping is enabled on the following VLANs:
Trusted ---------Yes No No
Syntax
show dhcpsnooping database
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command displays where the database file is stored (locally) and what the write delay value is.
Example
This example shows the output of the show dhcpsnooping database command.
C2(su)->show dhcpsnooping database
agent url:   local
write-delay: 300
Syntax
show dhcpsnooping port port-string
Parameters
port-string   Specifies the port or ports for which to display configuration information.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command displays the trust state and rate limiting parameters configured on the specified ports.
Example
This example shows the output of the show dhcpsnooping port command.
C2(su)->show dhcpsnooping port ge.1.1
Interface  Trust State   Rate Limit    Burst Interval
                         (pps)         (seconds)
---------  ------------  ------------  --------------
ge.1.1     No            20            2
Syntax
show dhcpsnooping binding [dynamic | static] [port port-string] [vlan vlan-id]
Parameters
dynamic | static   (Optional) Limits the display of bindings in the database by type of entry, either dynamic or static.
port port-string   (Optional) Limits the display of bindings in the database by port.
vlan vlan-id       (Optional) Limits the display of bindings in the database by VLAN id.
Defaults
If no parameters are entered, all bindings in the database are displayed.
Mode
Switch command, read-write.
Usage
This command displays information about the DHCP bindings in the DHCP snooping database.
Example
This example shows the output of the show dhcpsnooping binding command when no parameters are entered.
C2(su)->show dhcpsnooping binding
Total number of bindings: 2
VLAN ---3 5
1440
Syntax
show dhcpsnooping statistics
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Usage
The DHCP snooping application processes incoming DHCP messages on enabled untrusted interfaces. For DHCP RELEASE and DHCP DECLINE messages, the application compares the receive interface and VLAN with the client's interface and VLAN in the bindings database. If the interfaces do not match, the application logs the event (if logging of invalid messages is enabled) and drops the message. If source MAC verification is enabled, for valid client messages, DHCP snooping compares the source MAC address to the DHCP client hardware address. Where there is a mismatch, DHCP snooping logs and drops the packet.
This command displays, for each enabled untrusted interface, the number of source MAC verification failures and client interface mismatches that occurred since the last time these statistics were cleared.
Since DHCP servers should not be connected through an untrusted port, the DHCP snooping application will drop incoming DHCP server messages on untrusted interfaces and increment a counter that is displayed with this command.
Example
This example shows the output of the show dhcpsnooping statistics command.
C2(su)->show dhcpsnooping statistics
Interface   MAC Verify  Client Ifc  DHCP Server
            Failures    Mismatch    Msgs Rec'd
----------  ---------   ---------   ----------
ge.1.48     0           0           0
lag.0.1     0           0           0
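The binding and drop rules described in the Usage sections above (tentative bindings, trusted-port ACKs, and the three statistics counters) can be modelled in a few lines. This is an added illustration, not Enterasys firmware code: the Snooper class, its field names, the server MAC, the leased address and the event list are all constructed for the example, and it assumes switch mode with the server and clients in one VLAN.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
SERVER_MAC = "00:0a:11:22:33:01"      # constructed value


@dataclass
class Snooper:
    """Hypothetical model of the snooping rules; not the switch's real code."""
    trusted: set                       # ports set with "trust port ... enable"
    verify_mac: bool = True            # page default: verification enabled
    tentative: dict = field(default_factory=dict)   # chaddr -> (vlan, port)
    bindings: dict = field(default_factory=dict)    # chaddr -> (vlan, ip, port)
    stats: dict = field(default_factory=lambda: {
        "mac_verify_failures": 0, "client_ifc_mismatch": 0,
        "server_msgs_recd": 0})

    def receive(self, port, vlan, msg, src_mac, chaddr, yiaddr=None):
        """Return 'forward' or 'drop' for one DHCP message on a snooping VLAN."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                # Server messages are never accepted from an untrusted port.
                self.stats["server_msgs_recd"] += 1
                return "drop"
            if msg == "ACK" and chaddr in self.tentative:
                # The ACK on a trusted port completes the tentative binding.
                t_vlan, t_port = self.tentative.pop(chaddr)
                self.bindings[chaddr] = (t_vlan, yiaddr, t_port)
            elif msg == "NAK":
                self.tentative.pop(chaddr, None)
                self.bindings.pop(chaddr, None)
            return "forward"
        if port in self.trusted:
            return "forward"           # forwarded in hardware, not inspected
        if msg in ("RELEASE", "DECLINE"):
            # Assumption: a RELEASE/DECLINE with no known binding is not
            # counted as a mismatch; the page does not cover that case.
            known = self.bindings.get(chaddr)
            if known and (known[0], known[2]) != (vlan, port):
                self.stats["client_ifc_mismatch"] += 1
                return "drop"
        if self.verify_mac and src_mac != chaddr:
            self.stats["mac_verify_failures"] += 1
            return "drop"
        if msg in ("DISCOVER", "REQUEST"):
            self.tentative[chaddr] = (vlan, port)
        else:
            self.bindings.pop(chaddr, None)   # valid RELEASE/DECLINE
        return "forward"


def run_demo(verify_mac=True):
    """Replay a constructed event list; ge.1.1 is the only trusted port."""
    sw = Snooper(trusted={"ge.1.1"}, verify_mac=verify_mac)
    client, other = "00:01:02:33:44:55", "00:0a:11:22:33:66"
    events = [
        ("ge.1.2", 10, "DISCOVER", client, client, None),
        ("ge.1.1", 10, "OFFER", SERVER_MAC, client, "10.2.0.50"),
        ("ge.1.2", 10, "REQUEST", client, client, None),
        ("ge.1.1", 10, "ACK", SERVER_MAC, client, "10.2.0.50"),
        # Server message arriving on an untrusted port.
        ("ge.1.3", 10, "OFFER", other, client, "10.2.0.99"),
        # Ethernet source MAC differs from the client hardware address.
        ("ge.1.3", 10, "DISCOVER", other, "00:0a:11:22:33:77", None),
        # RELEASE for a binding that lives on ge.1.2, received on ge.1.3.
        ("ge.1.3", 10, "RELEASE", client, client, None),
    ]
    verdicts = [sw.receive(*event) for event in events]
    bound = dict(sw.bindings)          # snapshot before the valid RELEASE
    verdicts.append(sw.receive("ge.1.2", 10, "RELEASE", client, client))
    return verdicts, sw.stats, bound, sw.bindings


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Each of the three dropped events increments one of the counters that show dhcpsnooping statistics reports.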
Syntax
clear dhcpsnooping binding [port port-string | mac mac-addr]
Parameters
port port-string   (Optional) Specifies the entry or entries to remove by port identifier.
mac mac-addr       (Optional) Specifies the entry to remove by MAC address.
Defaults
If no parameters are entered, all bindings (static and dynamic) are removed.
Mode
Switch command, read-write.
Example
This example clears the static binding entry that includes port ge.1.2.
C2(su)->clear dhcpsnooping binding port ge.1.2
Syntax
clear dhcpsnooping statistics
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears the DHCP snooping statistics counters for all enabled untrusted ports.
C2(su)->clear dhcpsnooping statistics
Syntax
clear dhcpsnooping database [write-delay]
Parameters
write-delay   (Optional) Specifies that the write delay value should be returned to the default value of 300 seconds.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command will set the database write delay value to the default of 300 seconds.
Example
This example sets the database storage location to the default of local.
C2(su)->clear dhcpsnooping database
Syntax
clear dhcpsnooping limit port-string
Parameters
port-string   Specifies the port or ports to which this command applies.
Defaults
None.
Mode
Switch command, read-write.
Example
This example resets the rate limit values to their defaults on port ge.1.1.
C2(su)->clear dhcpsnooping limit ge.1.1
Functional Description
DAI is enabled on VLANs, effectively enabling DAI on the interfaces (physical ports or LAGs) that are members of that VLAN. Individual interfaces are configured as trusted or untrusted. The trust configuration for DAI is independent of the trust configuration for DHCP snooping. A trusted port is a port the network administrator does not consider to be a security threat. An untrusted port is one which could potentially be used to launch a network attack.
DAI considers all physical ports and LAGs untrusted by default.
Static Mappings
Static mappings are useful when hosts configure static IP addresses, DHCP snooping cannot be run, or other switches in the network do not run dynamic ARP inspection. A static mapping associates an IP address to a MAC address on a VLAN. DAI consults its static mappings before it consults DHCP snooping. Thus, static mappings have precedence over DHCP snooping bindings.
ARP ACLs are used to define static mappings for DAI. In this implementation, only the subset of ARP ACL syntax required for DAI is supported. ARP ACLs are completely independent of ACLs used for QoS. A maximum of 100 ARP ACLs can be configured. Within an ACL, a maximum of 20 rules can be configured.
Loopback addresses (in the range 127.0.0.0/8)
Packet Forwarding
DAI forwards valid ARP packets whose destination MAC address is not local. The ingress VLAN could be a switching or routing VLAN. ARP requests are flooded in the VLAN. ARP responses are unicast toward their destination. DAI queries the MAC address table to determine the outgoing port. If the destination MAC address is local, DAI gives valid ARP packets to the ARP application.
Rate Limiting
To protect the switch from DHCP attacks when DAI is enabled, the DAI application enforces a rate limit for ARP packets received on untrusted interfaces. DAI monitors the receive rate on each interface separately. If the receive rate exceeds a configurable limit, DAI error-disables the interface, which effectively brings down the interface. You can use the set port enable command to re-enable the port.
You can configure both the rate and the burst interval. The default rate is 15 pps on each untrusted interface with a range of 0 to 100 pps. The default burst interval is 1 second with a range of 1 to 15 seconds. The rate limit cannot be set on trusted interfaces since ARP packets received on trusted interfaces do not come to the CPU.
Eligible Interfaces
Dynamic ARP inspection is enabled per VLAN, effectively enabling DAI on the members of the VLAN, either physical ports or LAGs. Trust is specified on the VLAN members.
DAI cannot be enabled on port-based routing interfaces. It may be connected to:
A single host through a trusted link (for example, a server)
If multiple hosts need to be connected, there must be a switch between the router and the hosts, with DAI enabled on that switch
Basic Configuration
The following basic configuration does not change the default rate limiting parameters.
Procedure 17-2
Step  Task
1.    Configure DHCP snooping.
2.    Enable ARP inspection on the VLANs where clients are connected, and optionally, enable logging of invalid ARP packets.
3.    Determine which ports are not security threats and configure them as DAI trusted ports.
4.    If desired, configure optional validation parameters.
5.    If desired, configure static mappings for DAI by creating ARP ACLs:
      Create the ARP ACL
      Apply the ACL to a VLAN
Example Configuration
The following example configures DHCP snooping and dynamic ARP inspection in a routing environment using RIP. The example configures two interfaces on the switch, configuring RIP on both interfaces, assigning each to a different VLAN, and then enabling DHCP snooping and dynamic ARP inspection on them:
Interface ge.1.1, which is connected to a remote DHCP server, on VLAN 192
Interface ge.1.2, which is connected to DHCP clients, on VLAN 10
Router Configuration
router
enable
configure
interface vlan 10
no shutdown
ip address 10.2.0.1 255.255.0.0
ip helper-address 192.168.0.200
ip rip send version 2
ip rip receive version 2
ip rip enable
exit
interface vlan 192
no shutdown
ip address 192.168.0.1 255.255.255.0
ip rip send version 2
ip rip receive version 2
ip rip enable
exit
router rip
exit
VLAN Configuration
set vlan create 10
set vlan create 192
clear vlan egress 1 ge.1.1-2
set vlan egress 10 ge.1.2 untagged
set vlan egress 192 ge.1.1 untagged
Syntax
set arpinspection vlan vlan-range [logging]
Parameters
vlan-range   Specifies the VLAN or range of VLANs on which to enable dynamic ARP inspection.
logging      (Optional) Enables logging of invalid ARP packets for that VLAN.
Defaults
Logging is disabled by default.
Mode
Switch command, read-write.
Usage
This command enables dynamic ARP inspection (DAI) on one or more VLANs. When DAI is enabled on a VLAN, DAI is effectively enabled on the interfaces (physical ports or LAGs) that are members of that VLAN.
Example
This example enables DAI on VLANs 2 through 5 and also enables logging of invalid ARP packets on those VLANs.
C2(su)->set arpinspection vlan 2-5 logging
Syntax
set arpinspection trust port port-string {enable | disable}
Parameters
port-string        Specifies the port or ports to be enabled or disabled as DAI trusted ports. The ports can be physical ports or LAGs that are members of a VLAN.
enable | disable   Enables or disables the specified ports as trusted for DAI.
Defaults
By default, all physical ports and LAGs are untrusted.
Mode
Switch command, read-write.
Usage
Individual interfaces are configured as trusted or untrusted. The trust configuration for DAI is independent of the trust configuration for DHCP snooping. A trusted port is a port the network administrator does not consider to be a security threat. An untrusted port is one which could potentially be used to launch a network attack.
DAI considers all physical ports and LAGs untrusted by default. Packets arriving on trusted interfaces bypass all DAI validation checks.
Example
This example enables port ge.1.1 as trusted for DAI.
C2(su)->set arpinspection trust port ge.1.1 enable
Syntax
set arpinspection validate {[src-mac] [dst-mac] [ip]}
Parameters
src-mac   Specifies that DAI should verify that the sender MAC address equals the source MAC address in the Ethernet header.
dst-mac   Specifies that DAI should verify that the target MAC address equals the destination MAC address in the Ethernet header. This check only applies to ARP responses, since the target MAC address is unspecified in ARP requests.
ip        Specifies that DAI should check the IP address and drop ARP packets with an invalid address. An invalid address is one of the following:
          0.0.0.0
          255.255.255.255
          All IP multicast addresses
          All class E addresses (240.0.0.0/4)
          Loopback addresses (in the range 127.0.0.0/8)
Defaults
All parameters are optional, but at least one parameter must be specified.
Mode
Switch command, read-write.
Usage
This command adds additional validation of ARP packets by DAI, beyond the basic validation that the ARP packet's sender MAC address and sender IP address match an entry in the DHCP snooping bindings database.
Example
This example adds the optional verification that sender MAC addresses are the same as the source MAC addresses in the Ethernet headers of ARP packets.
C2(su)->set arpinspection validate src-mac
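To make the src-mac, dst-mac and ip checks concrete, the added sketch below parses a raw Ethernet ARP frame and applies them together with the static-mapping-before-DHCP-binding lookup described under Static Mappings. It is an illustration, not the switch's implementation: the function names, verdict strings and sample frames are constructed, and the check order, the choice of which IP fields the ip check covers, and dropping on a static mapping whose MAC differs are assumptions of this example.

```python
import ipaddress
import struct
from collections import namedtuple

Arp = namedtuple("Arp", "eth_dst eth_src oper sha spa tha tpa")
# Ranges the page lists as invalid; 255.255.255.255 lies inside 240.0.0.0/4.
INVALID_NETS = [ipaddress.ip_network(n) for n in
                ("0.0.0.0/32", "224.0.0.0/4", "240.0.0.0/4", "127.0.0.0/8")]


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Build a constructed untagged Ethernet II ARP frame (1=request, 2=response)."""
    return (mac(eth_dst) + mac(eth_src) + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(sha) + ipaddress.IPv4Address(spa).packed
            + mac(tha) + ipaddress.IPv4Address(tpa).packed)


def parse_arp(frame):
    """Return an Arp tuple for IPv4-over-Ethernet ARP, or None otherwise."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        return None
    return Arp(frame[0:6], frame[6:12], oper, frame[22:28],
               ipaddress.IPv4Address(frame[28:32]), frame[32:38],
               ipaddress.IPv4Address(frame[38:42]))


def invalid_ip(addr):
    return any(addr in net for net in INVALID_NETS)


def inspect(frame, vlan, validate, static_map, dhcp_bindings):
    """Verdict for one frame received on an untrusted port that belongs to vlan."""
    arp = parse_arp(frame)
    if arp is None:
        return "not_arp"
    # Optional checks selected with "set arpinspection validate".
    if "src-mac" in validate and arp.sha != arp.eth_src:
        return "bad_src_mac"
    if "dst-mac" in validate and arp.oper == 2 and arp.tha != arp.eth_dst:
        return "bad_dst_mac"        # responses only; requests carry no target MAC
    if "ip" in validate:
        # Assumption: sender IP is always checked, target IP only in responses.
        checked = [arp.spa] + ([arp.tpa] if arp.oper == 2 else [])
        if any(invalid_ip(a) for a in checked):
            return "invalid_ip"
    # Basic validation: static mappings are consulted before DHCP bindings.
    key = (vlan, arp.spa)
    if key in static_map:
        # Assumption: a static entry for this IP with another MAC is a drop.
        return "acl_permit" if static_map[key] == arp.sha else "acl_drop"
    return "dhcp_permit" if dhcp_bindings.get(key) == arp.sha else "dhcp_drop"


def run_demo():
    """Run constructed frames against the page's example addresses on VLAN 10."""
    ip = ipaddress.IPv4Address
    a, b = "00:01:22:33:44:55", "00:01:02:33:44:55"   # static host, DHCP client
    p = "00:0a:11:22:33:66"                           # another host on the VLAN
    bcast, zero = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    static_map = {(10, ip("192.168.1.10")): mac(a)}
    bindings = {(10, ip("192.168.10.10")): mac(b)}
    every = {"src-mac", "dst-mac", "ip"}
    forged = build_arp(bcast, p, 1, b, "192.168.10.10", zero, "192.168.1.10")
    cases = {
        "static_reply": (build_arp(p, a, 2, a, "192.168.1.10", p, "192.168.1.20"), every),
        "dhcp_request": (build_arp(bcast, b, 1, b, "192.168.10.10", zero, "192.168.1.10"), every),
        "spoofed_dhcp_ip": (build_arp(bcast, p, 1, p, "192.168.10.10", zero, "192.168.1.10"), every),
        "spoofed_static_ip": (build_arp(bcast, p, 1, p, "192.168.1.10", zero, "192.168.10.10"), every),
        "forged_sender_basic_only": (forged, set()),
        "forged_sender_src_mac": (forged, {"src-mac"}),
        "reply_to_broadcast": (build_arp(bcast, a, 2, a, "192.168.1.10", p, "192.168.1.20"), {"dst-mac"}),
        "loopback_sender": (build_arp(bcast, p, 1, p, "127.0.0.1", zero, "192.168.1.10"), {"ip"}),
    }
    return {name: inspect(frame, 10, checks, static_map, bindings)
            for name, (frame, checks) in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:26} {verdict}")
```

The forged_sender pair is the case the optional src-mac check exists for: the ARP payload matches a valid binding, so basic validation alone permits it, while the Ethernet source address gives it away.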
Syntax
set arpinspection limit port port-string {none | rate pps {burst interval secs]}
Parameters
port-string           Specifies the port or ports to which to apply these rate limiting parameters.
none                  Configures no limit on incoming ARP packets.
rate pps              Specifies a rate limit in packets per second. The value of pps can range from 0 to 100 packets per second.
burst interval secs   Specifies a burst interval in seconds. The value of secs can range from 1 to 15 seconds.
Defaults
Rate = 15 packets per second
Burst Interval = 1 second
Mode
Switch command, read-write.
Usage
To protect the switch against DHCP attacks when DAI is enabled, the DAI application enforces a rate limit for ARP packets received on untrusted interfaces. DAI monitors the receive rate on each interface separately. If the receive rate exceeds the limit configured with this command, DAI disables the interface, which effectively brings down the interface. You can use the set port enable command to re-enable the port.
You can configure both the rate and the burst interval. The default rate is 15 pps on each untrusted interface with a range of 0 to 100 pps. The default burst interval is 1 second with a range of 1 to 15 seconds. The rate limit cannot be set on trusted interfaces since ARP packets received on trusted interfaces do not come to the CPU.
Example
This example sets the rate to 20 packets per second and the burst interval to 2 seconds on ports ge.1.1 and ge.1.2.
C2(su)->set arpinspection limit port ge.1.1-2 rate 20 burst interval 2
Syntax
set arpinspection filter name {permit ip host sender-ipaddr mac host sender-macaddr | vlan vlan-range [static]}
Parameters
name                    Specifies the name of the ARP ACL.
permit                  Specifies that a permit rule is being created.
ip host sender-ipaddr   Specifies the IP address in the rule being created.
Defaults
None.
Mode
Switch command, read-write.
Usage
ARP ACLs are used to define static mappings for DAI. ARP ACLs are completely independent of ACLs used for QoS. A maximum of 100 ARP ACLs can be configured. Within an ACL, a maximum of 20 rules can be configured.
A static mapping associates an IP address to a MAC address on a VLAN. DAI consults its static mappings before it consults the DHCP snooping bindings database. Thus, static mappings have precedence over DHCP snooping bindings.
Example
This example creates an ACL named staticARP and creates a permit rule for IP address 192.168.1.10. Then, the ACL is assigned to a VLAN as a static mapping.
C2(su)->set arpinspection filter staticARP permit ip host 192.168.1.10 mac host 00:01:22:33:44:55
C2(su)->set arpinspection filter staticARP vlan 10 static
Syntax
show arpinspection access-list [acl-name]
Parameters
acl-name   (Optional) Specifies the ARP ACL to display.
Defaults
If a specific ACL is not specified, information about all configured ARP ACLs is displayed.
Mode
Switch command, read-write.
Example
This example displays information about the ARP ACL named staticARP.
C2(su)->show arpinspection access-list staticARP
staticARP
permit ip host 192.168.1.10 mac host 00:01:22:33:44:55
permit ip host 192.168.1.20 mac host 00:0A:11:22:33:66
Syntax
show arpinspection ports [port-string]
Parameters
port-string   (Optional) Specifies the port or ports for which to display ARP configuration information.
Defaults
If a port-string is not specified, information about all DAI-enabled untrusted ports is displayed.
Mode
Switch command, read-write.
Example
This example displays the ARP configuration of lag.0.1.
C2(su)->show arpinspection ports lag.0.1
Interface  Trust State   Rate Limit    Burst Interval
                         (pps)         (seconds)
---------  ------------  ------------  --------------
lag.0.1    No            15            1
Syntax
show arpinspection vlan vlan-range
Parameters
vlan-range   Specifies the VLANs for which to display configuration information.
Defaults
None.
Mode
Switch command, read-write.
Example
This example displays ARP configuration information for VLAN 5.
C2(su)->show arpinspection vlan 5
Source MAC Validation        Disabled
Destination MAC Validation   Disabled
IP Address Validation        Disabled
Vlan  Configuration  Log Invalid  ACL Name                         Static flag
----  -------------  -----------  -------------------------------- -----------
5     Disabled       Enabled      staticARP                        Enabled
Syntax
show arpinspection statistics [vlan vlan-range]
Parameters
vlan vlan-range   (Optional) Specifies the VLANs for which to display statistics.
Defaults
If no VLANs are specified, limited statistics for all DAI-enabled VLANs is displayed.
Mode
Switch command, read-write.
Usage
When no specific VLANs are entered, this command displays the number of Forwarded and Dropped ARP packets per DAI-enabled VLAN. When one or more VLANs are specified, this command displays more detailed statistics.
Examples
This example shows what is displayed when no VLANs are specified.
C2(su)->show arpinspection statistics
VLAN  Forwarded     Dropped
----  ------------  ---------
5     0             0
This example shows what information is displayed when one or more VLANs are specified.
C2(su)->show arpinspection statistics vlan 5
VLAN  DHCP        ACL         DHCP        ACL         Bad Src     Bad Dest    Invalid
      Drops       Drops       Permits     Permits     MAC         MAC         IP
----  ----------  ----------  ----------  ----------  ----------  ----------  ---------
5     0           0           0           0           0           0           0
Syntax
clear arpinspection validate {[src-mac] [dst-mac] [ip]}
Parameters
src-mac   Clear, or remove, the verification that the sender MAC address equals the source MAC address in the Ethernet header.
dst-mac   Clear, or remove, the verification that the target MAC address equals the destination MAC address in the Ethernet header.
ip        Clear, or remove, checking the IP address and dropping ARP packets with an invalid address.
Defaults
All parameters are optional, but at least one parameter must be specified.
Mode
Switch command, read-write.
Usage
This command removes previously configured additional validation of ARP packets by DAI, beyond the basic validation that the ARP packet's sender MAC address and sender IP address match an entry in the DHCP snooping bindings database.
Use the show arpinspection vlan command to display the current status of the additional validation rules.
Example
This example removes all 3 additional validation conditions.
C2(su)->clear arpinspection validate src-mac dst-mac ip
Syntax
clear arpinspection vlan vlan-range [logging]
Parameters
vlan-range   Specifies the VLAN or range of VLANs on which to disable dynamic ARP inspection.
logging      (Optional) Disable logging of invalid ARP packets for the specified VLANs.
Defaults
If logging is enabled for the specified VLAN but logging is not entered with this command, logging will remain enabled.
Mode
Switch command, read-write.
Usage
You can use this command to disable dynamic ARP inspection on one or more VLANs, or you can disable logging of invalid ARP packets on specified VLANs. To disable both logging and DAI, you must enter this command twice.
Example
This example first displays the DAI configuration for VLAN 5, then disables DAI on VLAN 5, then disables logging of invalid ARP packets on VLAN 5.
C2(su)->show arpinspection vlan 5
Source MAC Validation        Disabled
Destination MAC Validation   Disabled
IP Address Validation        Disabled
Vlan  Configuration  Log Invalid  ACL Name                         Static flag
----  -------------  -----------  -------------------------------- -----------
5     Enabled        Enabled      staticARP                        Enabled
C2(su)->show arpinspection vlan 5
Source MAC Validation        Disabled
Destination MAC Validation   Disabled
IP Address Validation        Disabled
Vlan  Configuration  Log Invalid  ACL Name                         Static flag
----  -------------  -----------  -------------------------------- -----------
5     Disabled       Enabled      staticARP                        Enabled
C2(su)->clear arpinspection vlan 5 logging
C2(su)->show arpinspection vlan 5
Source MAC Validation        Disabled
Destination MAC Validation   Disabled
IP Address Validation        Disabled
Vlan  Configuration  Log Invalid  ACL Name                         Static flag
----  -------------  -----------  -------------------------------- -----------
5     Disabled       Disabled     staticARP                        Enabled
Syntax
clear arpinspection filter name [permit ip host sender-ipaddr mac host sender-macaddr] | [vlan vlan-range [static]
Parameters
name                      Specifies the name of the ARP ACL.
permit                    (Optional) Specifies that a permit rule is being deleted.
ip host sender-ipaddr     Specifies the IP address in the rule being deleted.
mac host sender-macaddr   Specifies the MAC address in the rule being deleted.
vlan vlan-range           (Optional) Specifies the VLAN or VLANs to which this command should apply. Remove the ACL from the VLAN, if static is not specified also.
static                    (Optional) Specifies that static mapping should be disabled for this ARP ACL for the specified VLAN or VLANs.
Defaults
If only the name is specified, the ACL is deleted from the switch.
Mode
Switch command, read-write.
Usage
You can use this command to:
Remove a configured ARP ACL from the switch, or
Remove a permit rule from a configured ARP ACL, or
Remove the association of an ARP ACL with a VLAN or VLANs, or
Disable static mapping of an ARP ACL associated with a VLAN or VLANs.
Use the set arpinspection filter command to create and assign an ARP ACL.
Use the show arpinspection access-list command to display currently configured ARP ACLs.
Examples
This example removes a permit rule from the ARP ACL named staticARP.
C2(su)->clear arpinspection filter staticARP permit ip host 192.168.1.10 mac host 00:01:22:33:44:55
This example disables static mapping of the ARP ACL named staticARP that is associated with VLAN 5.
C2(su)->clear arpinspection filter staticARP vlan 5 static
This example removes the ARP ACL named staticARP from VLAN 5.
C2(su)->clear arpinspection filter staticARP vlan 5
This example removes the ARP ACL named staticARP from the switch completely.
C2(su)->clear arpinspection filter staticARP
Syntax
clear arpinspection limit port port-string
Parameters
port-string   Specifies the ports on which to return the rate limiting values to defaults.
Defaults
Rate = 15 packets per second
Burst Interval = 1 second
Mode
Switch mode, read-write.
Usage
Use the set arpinspection limit command to change the values of the rate limit and burst interval.
Use the show arpinspection ports command to display the currently configured rate limits.
Example
This example returns the DAI rate limiting values to their defaults for port ge.1.1.
C2(su)->clear arpinspection limit port ge.1.1
Syntax
clear arpinspection statistics
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears all DAI statistics from the switch.
C2(su)->clear arpinspection statistics
18
Preparing for Router Mode
This chapter describes how to prepare the switch for routing.
For information about...
Pre-Routing Configuration Tasks
Enabling Router Configuration Modes
Table 18-1
Step  To do this task...
1     From admin (su) mode, enable router mode.
2     Enable router Privileged EXEC mode.
3     Enable global router configuration mode.
4     Enable interface configuration mode using the routing VLAN or loopback id.
      Assign an IP address to the routing interface.
      Enable the interface for IP routing.
no shutdown
Example
The following example shows how to configure VLAN 1 on IP address 182.127.63.1 255.255.255.0 as a routing interface.
C2(su)->router
C2(su)->router>enable
C2(su)->router#configure
Enter configuration commands:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip address 182.127.63.1 255.255.255.0
C2(su)->router(Config-if(Vlan 1))#no shutdown
Table 18-2
Note: To jump to a lower configuration mode, type exit at the command prompt. To revert back to switch CLI, type exit from Privileged EXEC router mode.
19
IP Configuration
This chapter describes the Internet Protocol (IP) configuration set of commands and how to use them.
Router: Unless otherwise noted, the commands covered in this chapter can be executed only when the device is in router mode. For details on how to enable router configuration modes, refer to Enabling Router Configuration Modes on page 18-2.
For information about...
Configuring Routing Interface Settings
Reviewing and Configuring the ARP Table
Configuring Broadcast Settings
Reviewing IP Traffic and Configuring Routes
Configuring ICMP Redirects
Commands
For information about...
show interface
interface
show ip interface
ip address
show running-config
no shutdown
no ip routing
show interface
Use this command to display information about one or more interfaces (VLANs or loopbacks) configured on the router.
Syntax
show interface [vlan vlan-id] [loopback loop-id]
Parameters
vlan vlan-id       (Optional) Displays interface information for a specific VLAN interface. This interface must be configured for IP routing as described in Pre-Routing Configuration Tasks on page 18-1.
loopback loop-id   (Optional) Displays interface information for a specific loopback interface.
Defaults
If interface type is not specified, information for all routing interfaces will be displayed.
Mode
Any router mode.
Examples
This example shows how to display information for all interfaces configured on the router. For a detailed description of this output, refer to Table 19-1:
C2(su)->router#show interface
Vlan 1 is Administratively DOWN
Vlan 1 is Operationally DOWN
Mac Address is: 0001.f4da.2cba
The name of this device is Vlan 1
The MTU is 1500 bytes
The bandwidth is 10000 Mb/s
Encapsulation ARPA, Loopback not set
ARP type: ARPA, ARP Timeout: 14400 seconds
This example shows how to display information for loopback interface 1.
C2(su)->router#show interface loopback 1
Loopback 1 is Administratively UP
Loopback 1 is Operationally UP
Internet Address is 10.1.192.100, Subnet Mask is 255.255.255.0
The name of this device is Loopback 1
The MTU is 1500 bytes
interface
Use this command to configure interfaces for IP routing.
Syntax
interface vlan vlan-id | loopback loop-id
Parameters
vlan vlan-id       Specifies the number of the VLAN interface to be configured for routing. This interface must be configured for IP routing as described in Pre-Routing Configuration Tasks on page 18-1.
loopback loop-id   Specifies the number of the loopback interface to be configured for routing. The value of loop-id can range from 0 to 7.
Defaults
None.
Mode
Router global configuration mode: C2(su)->router(Config)#
Usage
This command enables interface configuration mode from global configuration mode, and, if the interface has not previously been created, this command creates a new routing interface. For details on configuration modes supported by the SecureStack C2 device and their uses, refer to Table 18-2 in Enabling Router Configuration Modes on page 18-2.
VLANs must be created from the switch CLI before they can be configured for IP routing. For details on creating VLANs and configuring them for IP, refer to Enabling Router Configuration Modes on page 18-2.
Each VLAN interface must be configured for routing separately using the interface command. To end configuration on one interface before configuring another, type exit at the command prompt. Enabling interface configuration mode is required for completing interface-specific configuration tasks. For an example of how these commands are used, refer to Pre-Routing Configuration Tasks on page 18-1.
A loopback interface is always expected to be up. This interface can provide the source address for sent packets and can receive both local and remote packets. The loopback interface is typically used by routing protocols. If RADIUS is configured with no host IP address on the device, it will use the loopback interface 0 IP address (if it has been configured) as its source for the NAS-IP attribute.
Each SecureStack C2 system (stack) can support up to 24 routing interfaces. Each interface can be configured for the RIP and/or OSPF routing protocols.
Examples
This example shows how to enter configuration mode for VLAN 1:
C2(su)->router#configure
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#
This example shows how to enter configuration mode for loopback 1:
C2(su)->router#configure
C2(su)->router(Config)#interface loopback 1
C2(su)->router(Config-if(Lpbk 1))#
show ip interface
Use this command to display information, including administrative status, IP address, MTU (Maximum Transmission Unit) size and bandwidth, and ACL configurations, for interfaces configured for IP.
Syntax
show ip interface [vlan vlan-id] [loopback loop-id]
Parameters
vlan vlan-id       (Optional) Displays information for a specific VLAN interface. This interface must be configured for IP routing as described in Pre-Routing Configuration Tasks on page 18-1.
loopback loop-id   (Optional) Displays interface information for a specific loopback interface.
Defaults
If interface type is not specified, status information for all routing interfaces will be displayed.
Mode
Any router mode.
Example
This example shows how to display configuration information for VLAN 1:
C2(su)->router#show ip interface vlan 1
Vlan 1 is Admin DOWN
Vlan 1 is Oper DOWN
Primary IP Address is 192.168.10.1 Mask 255.255.255.0
Frame Type Ethernet
MAC-Address 0001.F45C.C993
Incoming Accesslist is not set
Outgoing AccessList is not set
MTU is 6145 bytes
ARP Timeout is 1 seconds
Direct Broadcast Disabled
Proxy ARP is Disabled
19-4
IP Configuration
ip address
Table 19-1
Output Field
Outgoing Access List MTU ARP Timeout Direct Broadcast Proxy Arp
ip address
Usethiscommandtoset,remove,ordisableaprimaryorsecondaryIPaddressforaninterface. ThenoformofthiscommandremovesthespecifiedIPaddressanddisablestheinterfaceforIP processing.
Syntax
ip address ip-address ip-mask [secondary]
no ip address ip-address ip-mask
Parameters
ip-address    Specifies the IP address of the interface to be added or removed.
ip-mask    Specifies the mask for the associated IP subnet.
secondary    (Optional) Specifies that the configured IP address is a secondary address.
Defaults
If secondary is not specified, the configured address will be the primary address for the interface.
Mode
Router interface configuration: C2(su)->router(Config-if(Vlan 1))#
Usage
Each SecureStack C2 system supports up to 24 routing interfaces, with up to 8 secondary addresses allowed for each primary IP address.
Example
This example sets the IP address to 192.168.1.1 and the network mask to 255.255.255.0 for VLAN 1:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip address 192.168.1.1 255.255.255.0
show running-config
Use this command to display the non-default, user-supplied commands entered while configuring the device.
Syntax
show running-config
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display the current router operating configuration:
C2(su)->router#show running-config
!
interface vlan 10
ip address 99.99.2.10 255.255.255.0
no shutdown
!
router ospf 1
network 99.99.2.0 0.0.0.255 area 0.0.0.0
network 192.168.100.1 0.0.0.0 area 0.0.0.0
no shutdown
Use this command to enable an interface for IP routing and to allow the interface to automatically be enabled at device startup.
Syntax
no shutdown
shutdown
Parameters
None.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Usage
The shutdown form of this command disables an interface for IP routing.
Example
This example shows how to enable VLAN 1 for IP routing:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#no shutdown
no ip routing
Use this command to disable IP routing on the device. By default, IP routing is enabled when interfaces are configured for it as described in "Configuring Routing Interface Settings" on page 19-1.
Syntax
no ip routing
Parameters
None.
Mode
Global configuration: C2(su)->router(Config)#
Defaults
None.
Example
This example shows how to disable IP routing on the device:
C2(su)->router(Config)#no ip routing
Commands
For information about...    Refer to page...
show ip arp                 19-8
arp                         19-9
ip proxy-arp                19-10
arp timeout                 19-11
clear arp-cache             19-11
show ip arp
Use this command to display entries in the ARP (Address Resolution Protocol) table. ARP converts an IP address into a physical address.
Syntax
show ip arp [ip-address]|[vlan vlan-id]|[output-modifier]
Parameters
ip-address    (Optional) Displays ARP entries related to a specific IP address.
vlan vlan-id    (Optional) Displays only ARP entries learned through a specific VLAN interface. This VLAN must be configured for IP routing as described in "Pre-Routing Configuration Tasks" on page 18-1.
output-modifier    (Optional) Displays ARP entries within a specific range. Options are:
- | begin ip-address: Displays only ARP entries that begin with the specified IP address.
- | exclude ip-address: Excludes ARP entries matching the specified IP address.
- | include ip-address: Includes ARP entries matching the specified IP address.
Defaults
If no parameters are specified, all entries in the ARP cache will be displayed.
Mode
Any router mode.
Example
This example shows how to use the show ip arp command:
C2(su)->router#show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
-----------------------------------------------------------------------------
Internet Internet Internet 134.141.235.251 134.141.235.165 134.141.235.167 0 4 0003.4712.7a99 0002.1664.a5b3 00d0.cf00.4b74 ARPA ARPA ARPA Vlan1 Vlan1 Vlan2
C2(su)->router#show ip arp 134.141.235.165
Protocol Address Age (min) Hardware Addr Type Interface
C2(su)->router#show ip arp vlan 2
Protocol Address Age (min) Hardware Addr Type Interface
arp
Use this command to add or remove permanent (static) ARP table entries. Up to 1,000 static ARP entries are supported per SecureStack C2 system. A multicast MAC address can be used in a static ARP entry. The no form of this command removes the specified permanent ARP entry.
Syntax
arp ip-address mac-address
no arp ip-address
Parameters
ip-address    Specifies the IP address of a device on the network. Valid values are IP addresses in dotted decimal notation.
mac-address    Specifies the 48-bit hardware address corresponding to the ip-address expressed in hexadecimal notation.
Defaults
None.
Mode
Global configuration: C2(su)->router(Config)#
Usage
The IP address specified for the static ARP entry must fall within one of the subnets or networks defined on the routed interfaces of the system (or stack, if applicable). The system can then match the IP address of the static ARP entry with the appropriate routed interface and associate it with the correct VLAN.
Example
This example shows how to add a permanent ARP entry for the IP address 130.2.3.1 and MAC address 0003.4712.7a99:
C2(su)->router(Config)#arp 130.2.3.1 0003.4712.7a99
ip proxy-arp
Use this command to enable proxy ARP on an interface. The no form of this command disables proxy ARP.
Syntax
ip proxy-arp
no ip proxy-arp
Parameters
None.
Defaults
Disabled.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Usage
This variation of the ARP protocol allows the router to send an ARP response on behalf of an end node to the requesting host. Proxy ARP can be used to resolve routing issues on end stations that are unable to route in the subnetted environment. The SecureStack C2 will answer to ARP requests on behalf of targeted end stations on neighboring networks. It is disabled by default.
Example
This example shows how to enable proxy ARP on VLAN 1:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip proxy-arp
arp timeout
Use this command to set the duration (in seconds) for dynamically learned entries to remain in the ARP table before expiring. The no form of this command restores the default value of 14,400 seconds.
Syntax
arp timeout seconds
no arp timeout
Parameters
seconds    Specifies the time in seconds that an entry remains in the ARP cache. Valid values are 0-65535. A value of 0 specifies that ARP entries will never be aged out.
Defaults
14,400 seconds.
Mode
Global configuration: C2(su)->router(Config)#
Example
This example shows how to set the ARP timeout to 7200 seconds:
C2(su)->router(Config)#arp timeout 7200
clear arp-cache
Use this command to delete all nonstatic (dynamic) entries from the ARP table.
Syntax
clear arp-cache
Parameters
None.
Mode
Privileged EXEC: C2(su)->router#
Defaults
None.
Example
This example shows how to delete all dynamic entries from the ARP table:
C2(su)->router#clear arp-cache
Commands
For information about...    Refer to page...
ip directed-broadcast       19-12
ip forward-protocol         19-13
ip helper-address           19-14
ip directed-broadcast
Use this command to enable or disable IP directed broadcasts on an interface. By default, interfaces on the SecureStack C2 do not forward directed broadcasts. The no form of this command disables IP directed broadcast on the interface.
Syntax
ip directed-broadcast
no ip directed-broadcast
Parameters
None.
Defaults
None.
Mode
Interface configuration: C2(su)->Router1(Config-if(Vlan 1))#
Usage
Directed broadcast is an efficient mechanism for communicating with multiple hosts on a network while only transmitting a single datagram. A directed broadcast is a packet sent to all hosts on a specific network or subnet. The directed broadcast address includes the network or subnet fields, with the binary bits of the host portion of the address set to one. For example, for a network with the address 192.168.0.0/16, the directed broadcast address would be 192.168.255.255. For a subnet with the address 192.168.12.0/24, the directed broadcast address would be 192.168.12.255.
In order to minimize broadcast DoS attacks, forwarding of directed broadcasts is disabled by default on the SecureStack C2, as recommended by RFC 2644.
If the ability to send directed broadcasts to a network is required, you should enable directed broadcasts only on the one interface that will be transmitting the datagrams. For example, if a SecureStack C2 has five routed interfaces for the 10, 20, 30, 40, and 50 networks, enabling directed broadcast only on the 30 network interface will allow anyone from any other networks (10, 20, 40, 50) to send directed broadcast to the 30 network.
Example
This example shows how to enable IP directed broadcasts on VLAN 1:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip directed-broadcast
ip forward-protocol
Use this command to enable UDP broadcast forwarding and specify which protocols will be forwarded.
Syntax
ip forward-protocol udp [port]
no ip forward-protocol udp [port]
Parameters
udp    Specifies UDP as the IP forwarding protocol.
port    (Optional) Specifies a destination port that controls which UDP services are forwarded.
Defaults
If port is not specified, the following defaults are used:
- Trivial File Transfer Protocol (TFTP) (port 69)
- Domain Naming System (port 53)
- Time service (port 37)
- NetBIOS Name Server (port 137)
- NetBIOS Datagram Server (port 138)
- TACACS service (port 49)
- EN-116 Name Service (port 42)
Mode
Router command, Global configuration: C2(su)->router(Config)#
Router interface configuration: C2(su)->router(Config-if(Vlan 1))#
Usage
In order to actually forward protocols, you must configure an IP helper address on the individual router interfaces with the command ip helper-address (page 19-14).
If a certain service exists inside the node, and there is no need to forward the request to remote networks, the no form of this command should be used to disable the forwarding for the specific port. Such requests will not be automatically blocked from being forwarded just because a service for them exists in the node.
The no form of this command removes a UDP port or protocol, disabling forwarding.
Examples
The following example globally disables IP forwarding for UDP port 69.
C2(su)->router(Config)#no ip forward-protocol udp 69
The following example disables IP forwarding for UDP port 69 on a specific interface.
C2(su)->router(Config)#interface vlan 10
C2(su)->router(Config-if(Vlan 10))#no ip forward-protocol udp 69
ip helper-address
Use this command to enable the DHCP/BOOTP relay agent on a SecureStack C2 routed interface. Enabling the relay agent allows forwarding of client DHCP/BOOTP requests to a DHCP/BOOTP server that does not reside on the same broadcast domain as the client. Up to 6 IP helper addresses may be configured per interface.
The no form of this command disables the forwarding of UDP datagrams to the specified address.
Syntax
ip helper-address address
no ip helper-address address
Parameters
address    Address of the host where UDP broadcast packets should be forwarded.
Defaults
None.
Mode
Interface configuration: C2(su)->Router1(Config-if(Vlan 1))#
Usage
When a host requests an IP address, it sends out a DHCP broadcast packet. Normally, the router drops all broadcast packets. However, by executing this command, you enable the routed interface to pass DHCP broadcast frames through, sending them directly to the remote DHCP server's IP address.
The DHCP/BOOTP relay agent will detect DHCP/BOOTP requests based on UDP source and destination ports. It will then make the necessary changes to the packet and send the packet to the DHCP server. The changes include:
- Replacing the destination IP address with the address of the DHCP server,
- Replacing the source IP address with its own address (that is, the IP address of the local routed interface), and
- Within the BOOTP part of the packet, changing the Relay Agent IP address from 0.0.0.0 to the address of the local routed interface.
Example
This example shows how to have all client DHCP requests for users in VLAN 1 forwarded to the remote DHCP server with IP address 192.168.1.28.
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip helper-address 192.168.1.28
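The three packet changes listed in the Usage section above, modeled in Python as an added example (not code from Enterasys or from the original guide). The Datagram type, the function names, the client MAC and the 192.168.10.1 interface address are assumptions made for the illustration; UDP ports 67 and 68 are the standard BOOTP server and client ports.

```python
import ipaddress
import struct
from dataclasses import dataclass, replace

BOOTP_SERVER_PORT = 67     # client requests are addressed to this UDP port
BOOTP_CLIENT_PORT = 68     # and are sent from this one
BOOTP_FIXED_LEN = 236      # fixed BOOTP header that precedes the options
GIADDR = slice(24, 28)     # "Relay Agent IP address" field in that header
MAX_HELPERS = 6            # per-interface limit stated in the guide


@dataclass(frozen=True)
class Datagram:
    """Only the IP/UDP fields the relay decision depends on (a model, not a capture)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def is_client_request(d):
    """Classify on the UDP ports, then sanity-check the BOOTP header."""
    return (d.src_port == BOOTP_CLIENT_PORT
            and d.dst_port == BOOTP_SERVER_PORT
            and len(d.payload) >= BOOTP_FIXED_LEN
            and d.payload[0] == 1)              # op 1 = BOOTREQUEST


def relay(d, interface_ip, helpers):
    """Return one rewritten copy of a client request per helper address."""
    if len(helpers) > MAX_HELPERS:
        raise ValueError("at most 6 helper addresses per interface")
    if not is_client_request(d):
        return []                               # other traffic is not relayed here
    payload = bytearray(d.payload)
    # Change 3: fill in the relay agent address only while it is still 0.0.0.0;
    # RFC 1542 has a relay leave a non-zero giaddr untouched.
    if payload[GIADDR] == bytes(4):
        payload[GIADDR] = ipaddress.IPv4Address(interface_ip).packed
    # Changes 1 and 2: destination becomes the server, source the routed interface.
    return [replace(d, src_ip=interface_ip, dst_ip=h, payload=bytes(payload))
            for h in helpers]


def sample_discover():
    """Constructed DHCPDISCOVER broadcast from a client that has no address yet."""
    mac = bytes.fromhex("020000000001")         # constructed client MAC
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                             # op, htype, hlen, hops
        0x3903F326, 0, 0x8000,                  # xid, secs, flags (broadcast bit)
        bytes(4), bytes(4), bytes(4), bytes(4),  # ciaddr, yiaddr, siaddr, giaddr
        mac, b"", b"")                          # chaddr, sname, file (zero padded)
    options = bytes.fromhex("63825363") + bytes([53, 1, 1, 255])  # cookie, DISCOVER, end
    return Datagram("0.0.0.0", "255.255.255.255",
                    BOOTP_CLIENT_PORT, BOOTP_SERVER_PORT, header + options)


if __name__ == "__main__":
    for out in relay(sample_discover(), "192.168.10.1", ["192.168.1.28"]):
        giaddr = ipaddress.IPv4Address(out.payload[GIADDR])
        print(f"{out.src_ip} -> {out.dst_ip} giaddr={giaddr}")
```

The DHCP server sees the request arrive from the routed interface and reads the client's subnet from the relay agent address field, since the original broadcast never reaches it.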
Commands
For information about...    Refer to page...
show ip route               19-15
ip route                    19-17
ping                        19-17
traceroute                  19-18
show ip route
Use this command to display information about IP routes.
Syntax
show ip route [destination-prefix [destination-prefix-match] | connected | ospf | rip | static | summary]
Parameters
destination-prefix destination-prefix-match    (Optional) Converts the specified address and mask into a prefix and displays any routes that match the prefix.
connected    (Optional) Displays connected routes.
ospf    (Optional) Displays routes configured for the OSPF routing protocol. For details on configuring OSPF, refer to "Configuring OSPF" on page 20-11.
rip    (Optional) Displays routes configured for the RIP routing protocol. For details on configuring RIP, refer to "Configuring RIP" on page 20-1.
static    (Optional) Displays static routes.
summary    (Optional) Displays a summary of the IP routing table.
Defaults
If no parameters are specified, all IP route information will be displayed.
Mode
Any router mode.
Usage
The routing table contains all active static routes, all the RIP routes, and up to three best OSPF routes learned for each network.
Example
This example shows how to use the show ip route command to display all IP route information. A portion of the output is shown:
C2(su)->router#show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, IA - OSPF interarea
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       E - EGP, i - IS-IS, L1 - IS-IS level-1, LS - IS-IS level-2
       * - candidate default, U - per user static route
IA   1.255.255.248/29 [10/30] via 168.0.0.249, Vlan 3205
O    2.0.0.0/10 [8/30] via 168.1.0.254, Vlan 1200
O    2.224.0.0/11 [8/30] via 168.1.0.254, Vlan 1200
C    7.15.0.0/24 [0/0] directly connected, Vlan 715
O    11.11.12.12/32 [8/30] via 168.0.0.249, Vlan 3205
O    11.11.13.13/32 [8/10] via 168.1.0.249, Vlan 1300
O    11.11.16.16/32 [8/20] via 168.0.0.249, Vlan 3205
E2   11.11.17.17/32 [150/20] via 168.0.0.249, Vlan 3205
IA   11.11.21.21/32 [10/30] via 168.0.0.249, Vlan 3205
IA   11.11.22.22/32 [10/30] via 168.0.0.249, Vlan 3205
E2   11.11.24.24/32 [150/20] via 168.0.0.249, Vlan 3205
O    11.11.25.25/32 [8/20] via 168.0.0.249, Vlan 3205
C    11.11.26.26/32 [0/0] directly connected, Loopback 0
O    11.11.27.27/32 [8/10] via 168.1.0.254, Vlan 1200
O    11.11.28.28/32 [8/20] via 168.1.0.254, Vlan 1200
E2   12.0.0.0/17 [150/20] via 168.0.0.249, Vlan 3205
E2   19.0.0.0/30 [150/20] via 168.0.0.249, Vlan 3205
IA   20.0.0.0/24 [10/40] via 168.0.0.249, Vlan 3205
E2   22.22.0.0/16 [150/20] via 168.0.0.249, Vlan 3205
E2   22.22.10.0/24 [150/20] via 168.0.0.249, Vlan 3205
E2   22.22.12.0/24 [150/20] via 168.0.0.249, Vlan 3205
O    22.22.13.0/24 [8/30] via 168.1.0.254, Vlan 1200
E2   22.22.14.0/24 [150/20] via 168.0.0.249, Vlan 3205
O    22.22.15.0/24 [8/20] via 168.1.0.249, Vlan 1300
                          via 168.1.0.254, Vlan 1200
E2   22.22.16.0/24 [150/20] via 168.0.0.249, Vlan 3205
E2   22.22.17.0/24 [150/20] via 168.0.0.249, Vlan 3205
O    22.22.18.0/24 [8/30] via 168.1.0.254, Vlan 1200
O    22.22.19.0/24 [8/20] via 168.1.0.249, Vlan 1300
                          via 168.1.0.254, Vlan 1200
IA   22.22.20.0/24 [10/40] via 168.0.0.249, Vlan 3205
IA   22.22.21.0/24 [10/50] via 168.0.0.249, Vlan 3205
IA   22.22.22.0/24 [10/30] via 168.0.0.249, Vlan 3205
O    22.22.23.0/24 [8/30] via 168.0.0.249, Vlan 3205
IA   22.22.24.0/24 [10/40] via 168.0.0.249, Vlan 3205
E2   22.22.25.0/24 [150/20] via 168.0.0.249, Vlan 3205
E2   22.22.26.0/24 [150/20] via 168.0.0.249, Vlan 3205
C    22.22.27.0/24 [0/0] directly connected, Vlan 4027
O    22.22.28.0/24 [8/20] via 168.1.0.249, Vlan 1300
                          via 168.1.0.254, Vlan 1200
E2   22.22.29.0/24 [150/20] via 168.0.0.249, Vlan 3205
C    26.0.0.0/8 [0/0] directly connected, Vlan 26
O    33.9.8.0/28 [8/20] via 168.1.0.254, Vlan 1200
ip route
Use this command to add or remove a static IP route. The no form of this command removes the static IP route.
Syntax
ip route prefix mask dest-addr [distance]
no ip route prefix mask forward-addr
Parameters
prefix    Specifies a destination IP address prefix.
mask    Specifies a destination prefix mask.
dest-addr    Specifies a forwarding (gateway) IP address.
distance    (Optional) Specifies an administrative distance metric for this route. Valid values are 1 (default) to 255. Routes with lower values receive higher preference in route selection.
Defaults
If distance is not specified, the default value of 1 will be applied.
Mode
Global configuration: C2(su)->router(Config)#
Example
This example shows how to set IP address 10.1.2.3 as the next hop gateway to destination address 10.0.0.0:
C2(su)->router(Config)#ip route 10.0.0.0 255.0.0.0 10.1.2.3
ping
Use this command to test routing network connectivity by sending IP ping requests.
Syntax
ping ip-address
Parameters
ip-address    Specifies the IP address of the system to ping.
Defaults
None.
Mode
Privileged EXEC: C2(su)->router#
Usage
This command is also available in switch mode.
Examples
This example shows output from a successful ping to IP address 182.127.63.23:
C2(su)->router#ping 182.127.63.23
182.127.63.23 is alive
This example shows output from an unsuccessful ping to IP address 182.127.63.24:
C2(su)->router#ping 182.127.63.24
no answer from 182.127.63.24
traceroute
Use this command to display a hop-by-hop path through an IP network from the device to a specific destination host. Three ICMP probes will be transmitted for each hop between the source and the traceroute destination.
Syntax
traceroute host
Parameters
host    Specifies a host to which the route of an IP packet will be traced.
Defaults
None.
Mode
Privileged EXEC: C2(su)->router#
Usage
There is also a traceroute command available in switch mode.
Example
This example shows how to use traceroute to display a round trip path to host 192.141.90.183.
C2(su)->router#traceroute 192.141.90.183
Traceroute to 192.141.90.183, 30 hops max, 40 byte packets
1 10.1.56.1 0.000 ms 0.000 ms
2 10.1.48.254 10.000 ms 0.000 ms
3 10.1.0.2 0.000 ms 0.000 ms
4 192.141.89.17 0.000 ms 0.000 ms
5 192.141.100.13 0.000 ms 10.000 ms
6 192.141.100.6 0.000 ms 0.000 ms
7 192.141.90.183 0.000 ms 0.000 ms
Commands
For information about...    Refer to page...
ip icmp redirect enable     19-19
show ip icmp redirect       19-20
ip icmp redirect enable
Syntax
ip icmp redirect enable
no ip icmp redirect enable
Parameters
None.
Defaults
By default, sending ICMP redirects to the CPU is enabled globally and on all interfaces.
Mode
Router global configuration mode: C2(su)->router(Config)#
Interface configuration mode: C2(su)->Router1(Config-if(Vlan 1))#
Usage
You can use this command in router global configuration mode to enable or disable sending ICMP redirects globally on the switch.
You can use this command in router interface configuration mode to enable or disable sending ICMP redirects only on specific interfaces.
Examples
This example disables sending ICMP redirects on the interface VLAN 5.
C2(su)->router#configure
C2(su)->router(Config)#interface vlan 5
C2(su)->Router1(Config-if(Vlan 5))# no ip icmp redirect enable
This example disables sending ICMP redirects globally.
C2(su)->router#configure
C2(su)->router(Config)#no ip icmp redirect enable
show ip icmp redirect
Syntax
show ip icmp redirect {status | interface [vlan vlan-id]}
Parameters
status    Display the global ICMP redirect status.
interface    Display ICMP redirect status for interfaces.
vlan vlan-id    (Optional) Display ICMP redirect status for the specified VLAN.
Defaults
If no VLAN is specified with the interface parameter, information for all VLAN interfaces is displayed.
Mode
Privileged EXEC mode: C2(su)->router#
Router global configuration mode: C2(su)->router(Config)#
Examples
This example displays the global ICMP redirect status.
C2(su)->router#show ip icmp redirect status
Global ICMP Redirect status - Enabled
This example displays the ICMP redirect status for VLAN 5.
C2(su)->router#show ip icmp redirect interface vlan 5
Vlan Id Admin Status
-----------------
5 Enabled
20
IPv4 Routing Protocol Configuration
This chapter describes the IPv4 Routing Protocol Configuration set of commands and how to use them.
Router: The commands covered in this chapter can be executed only when the device is in router mode. For details on how to enable router configuration modes, refer to "Enabling Router Configuration Modes" on page 18-2.
For information about...                 Refer to page...
Activating Advanced Routing Features     20-1
Configuring RIP                          20-1
Configuring OSPF                         20-11
Configuring DVMRP                        20-33
Configuring IRDP                         20-37
Configuring VRRP                         20-42
Configuring PIM-SM                       20-49
Configuring RIP
Purpose
To enable and configure the Routing Information Protocol (RIP).
router rip
Use this command to enable or disable RIP configuration mode. The no form of this command disables RIP.
Syntax
router rip
no router rip
Parameters
None.
Defaults
None.
Mode
Global configuration: C2(su)->router(Config)#
Usage
You must execute the router rip command to enable the protocol before completing many RIP-specific configuration tasks. For details on enabling configuration modes, refer to Table 18-2 in "Enabling Router Configuration Modes" on page 18-2.
Example
This example shows how to enable RIP:
C2(su)->router#configure
C2(su)->router(Config)#router rip
C2(su)->router(Config-router)#
ip rip enable
Use this command to enable RIP on an interface. The no form of this command disables RIP on an interface. By default, RIP is disabled on all interfaces.
Syntax
ip rip enable
no ip rip enable
Parameters
None.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable RIP on the VLAN 1 interface:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip rip enable
distance
Use this command to configure the administrative distance for RIP routes. The no form of this command resets RIP administrative distance to the default value of 120.
Syntax
distance weight
no distance [weight]
Parameters
weight    Specifies an administrative distance for RIP routes. Valid values are 1-255.
Defaults
None.
Mode
Router configuration: C2(su)->router(Config-router)#
Usage
If several routes (coming from different protocols) are presented to the SecureStack C2, the protocol with the lowest administrative distance will be chosen for route installation. By default, RIP administrative distance is set to 120. The distance command can be used to change this value, resetting RIP's route preference in relation to other routes as shown in the table below.
Route Source    Default Distance
Connected       0
Static          1
OSPF            110
RIP             120
Example
This example shows how to change the default administrative distance for RIP to 100:
C2(su)->router(Config)#router rip
C2(su)->router(Config-router)#distance 100
ip rip send version
Syntax
ip rip send version {1 | 2 | r1compatible}
no ip rip send version
Parameters
1    Specifies RIP version 1. This is the default setting.
2    Specifies RIP version 2.
r1compatible    Specifies that packets be sent as version 2 packets, but transmits these as broadcast packets rather than multicast packets so that systems which only understand RIP version 1 can receive them.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the RIP send version to 2 for packets transmitted on the VLAN 1 interface:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip rip send version 2
ip rip receive version
Syntax
ip rip receive version {1 | 2 | 1 2 | none}
no ip rip receive version
Parameters
1    Specifies RIP version 1. This is the default setting.
2    Specifies RIP version 2.
1 2    Specifies RIP versions 1 and 2.
none    Specifies that no RIP routes will be processed on this interface.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Defaults
None.
Example
This example shows how to set the RIP receive version to 2 for update packets received on the VLAN 1 interface:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip rip receive version 2
ip rip authentication-key
Use this command to enable or disable a RIP authentication key (password) for use on an interface. The no form of this command prevents RIP from using authentication.
Syntax
ip rip authentication-key name
no ip rip authentication-key
Parameters
name    Specifies the password to enable or disable for RIP authentication.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the RIP authentication key chain to password on the VLAN 1 interface:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip rip authentication-key password
ip rip message-digest-key
Use this command to enable or disable a RIP MD5 authentication key (password) for use on an interface. The no form of this command prevents RIP from using authentication.
Syntax
ip rip message-digest-key keyid md5 key
no ip rip message-digest-key keyid
Parameters
keyid    Specifies the key ID to enable or disable for RIP authentication. Valid values are 1 to 255.
md5    Specifies use of the MD5 algorithm.
key    Specifies the RIP authentication password.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Defaults
None.
Examples
This example shows how to set the MD5 authentication ID to 5 for the RIP authentication key set on the VLAN 1 interface:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip rip message-digest-key 5 md5 password
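An added example, not part of the original guide or of any Enterasys tool: a Python check that reads router configuration text and reports interfaces where RIP runs without an MD5 key, where the receive version still accepts version 1, or where ip directed-broadcast or ip proxy-arp (both off by default, per their sections in chapter 19) have been turned on. It assumes show running-config prints interface commands as they were entered and omits defaults; the sample configuration, its addresses and its keys are constructed.

```python
import ipaddress

# Constructed sample in the stanza layout of the guide's show running-config
# example; addresses and keys are placeholders.
SAMPLE_CONFIG = """\
!
interface vlan 10
ip address 10.10.0.1 255.255.255.0
ip rip enable
ip rip send version 2
ip rip receive version 2
ip rip message-digest-key 5 md5 EXAMPLE-KEY
!
interface vlan 20
ip address 10.20.0.1 255.255.255.0
ip rip enable
ip rip authentication-key EXAMPLE-KEY
!
interface vlan 30
ip address 10.30.0.1 255.255.255.0
ip directed-broadcast
ip proxy-arp
!
interface vlan 40
ip address 10.40.0.1 255.255.255.0
ip rip enable
ip rip receive version 2
!
router rip
passive-interface vlan 30
"""


def parse_interfaces(text):
    """Map each 'interface ...' stanza to its whitespace-normalised commands."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line.startswith("interface "):
            current = stanzas.setdefault(line[len("interface "):], [])
        elif line == "!" or line.startswith("router "):
            current = None                       # the interface stanza has ended
        elif line and current is not None:
            current.append(line)
    return stanzas


def setting(cmds, prefix, default=None):
    """Argument text of the first command that starts with prefix, else default."""
    for cmd in cmds:
        if cmd == prefix:
            return ""
        if cmd.startswith(prefix + " "):
            return cmd[len(prefix) + 1:]
    return default


def broadcast_addresses(cmds):
    """Directed broadcast address of every subnet set with 'ip address'."""
    result = []
    for cmd in cmds:
        parts = cmd.split()
        if parts[:2] == ["ip", "address"] and len(parts) >= 4:
            net = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
            result.append(str(net.broadcast_address))
    return result


def audit(text):
    """Return (interface, check, detail) tuples for settings worth reviewing."""
    findings = []
    for name, cmds in parse_interfaces(text).items():
        if setting(cmds, "ip directed-broadcast") is not None:
            targets = ", ".join(broadcast_addresses(cmds))
            findings.append((name, "directed-broadcast",
                             "forwards directed broadcasts to " + targets))
        if setting(cmds, "ip proxy-arp") is not None:
            findings.append((name, "proxy-arp", "proxy ARP enabled (off by default)"))
        if setting(cmds, "ip rip enable") is None:
            continue                             # remaining checks are RIP only
        md5 = setting(cmds, "ip rip message-digest-key") is not None
        simple = setting(cmds, "ip rip authentication-key") is not None
        if not md5 and not simple:
            findings.append((name, "rip-no-auth", "RIP enabled, no key configured"))
        elif not md5:
            findings.append((name, "rip-simple-password", "password key only, no MD5 key"))
        # Receive version defaults to 1; RIP version 1 updates carry no authentication.
        if "1" in setting(cmds, "ip rip receive version", "1").split():
            findings.append((name, "rip-accepts-v1", "version 1 updates are accepted"))
    return findings


if __name__ == "__main__":
    for interface, check, detail in audit(SAMPLE_CONFIG):
        print(f"{interface}: {check}: {detail}")
```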
no auto-summary
Use this command to disable automatic route summarization.
Syntax
no auto-summary
auto-summary
Parameters
None.
Defaults
None.
Mode
Router configuration: C2(su)->router(Config-router)#
Usage
By default, RIP version 2 supports automatic route summarization, which summarizes sub-prefixes to the classful network boundary when crossing network boundaries. Disabling automatic route summarization enables CIDR, allowing RIP to advertise all subnets and host routing information on the SecureStack C2 device. To verify which routes are summarized for an interface, use the show ip route command as described in "show ip route" on page 19-15. The reverse of the command re-enables automatic route summarization. By default, RIP auto-summarization affects both RIPv1 and RIPv2 routes.
Note: This command is necessary for enabling CIDR for RIP on the SecureStack C2 device.
Example
This example shows how to disable RIP automatic route summarization:
C2(su)->router(Config)#router rip
C2(su)->router(Config-router)#no auto-summary
split-horizon poison
Use this command to enable or disable split horizon poison-reverse mode for RIP packets. The no form of this command disables split horizon poison reverse.
Syntax
split-horizon poison
no split-horizon poison
Parameters
None.
Defaults
None.
Mode
Router configuration: C2(su)->router(Config-router)#
Usage
Split horizon prevents a network from being advertised out the same interface it was received on. This function is disabled by default.
Example
This example shows how to disable split horizon poison reverse for RIP packets transmitted on the VLAN 1 interface:
C2(su)->router(Config)#router rip
C2(su)->Router1(Config-router)#no split-horizon poison
passive-interface
Use this command to prevent RIP from transmitting update packets on an interface. The no form of this command disables passive interface.
Syntax
passive-interface vlan vlan-id
no passive-interface vlan vlan-id
Parameters
vlan vlan-id    Specifies the number of the VLAN to make a passive interface. This VLAN must be configured for IP routing as described in "Pre-Routing Configuration Tasks" on page 18-1.
Defaults
None.
Mode
Router configuration: C2(su)->router(Config-router)#
Usage
This command does not prevent RIP from monitoring updates on the interface.
Example
This example shows how to set VLAN 2 as a passive interface. No RIP updates will be transmitted on VLAN 2:
C2(su)->router(Config)#router rip
C2(su)->router(Config-router)#passive-interface vlan 2
receive-interface
Use this command to allow RIP to receive update packets on an interface. The no form of this command denies the reception of RIP updates. By default, receiving is enabled on all routing interfaces.
Syntax
receive-interface vlan vlan-id
no receive-interface vlan vlan-id
Parameters
vlan vlan-id    Specifies the number of the VLAN to make a receive interface. This VLAN must be configured for IP routing as described in "Pre-Routing Configuration Tasks" on page 18-1.
Defaults
None.
Mode
Router configuration: C2(su)->router(Config-router)#
Usage
This command does not affect the sending of RIP updates on the specified interface.
Example
This example shows how to deny the reception of RIP updates on VLAN 2:
C2(su)->router(Config)#router rip
C2(su)->router(Config-router)#no receive-interface vlan 2
redistribute
Use this command to allow routing information discovered through non-RIP protocols to be distributed in RIP update messages. The no form of this command clears redistribution parameters.
Syntax
redistribute {connected | ospf process-id | static} [metric metric value] [subnets]
no redistribute {connected | ospf process-id | static}
Parameters
connected    Specifies that non-RIP routing information discovered via directly connected interfaces will be redistributed.
ospf    Specifies that OSPF routing information will be redistributed in RIP.
process-id    Specifies the process ID, an internally used identification number for each instance of the OSPF routing process run on a router. Valid values are 1 to 65535.
static    Specifies that non-RIP routing information discovered via static routes will be redistributed. Static routes are those created using the ip route command detailed in "ip route" on page 19-17.
metric metric value    (Optional) Specifies a metric for the connected, OSPF or static redistribution route. This value should be consistent with the designation protocol.
subnets    (Optional) Specifies that connected, OSPF or static routes that are subnetted will be redistributed.
Mode
Router configuration: C2(su)->router(Config-router)#
Defaults
If metric value is not specified, 1 will be applied.
If subnets is not specified, only non-subnetted routes will be redistributed.
Example
This example shows how to redistribute routing information discovered through static routes into RIP update messages:
C2(su)->router(Config)#router rip
C2(su)->router(Config-router)#redistribute static
Configuring OSPF
* Advanced License Required *
OSPF is an advanced routing feature that must be enabled with a license key. If you have purchased an advanced license key, and have enabled routing on the device, you must activate your license as described in the chapter entitled Activating Licensed Features in order to enable the OSPF command set. If you wish to purchase an advanced routing license, contact Enterasys Networks Sales.
Purpose
To enable and configure the Open Shortest Path First (OSPF) routing protocol.
Enable or disable RFC 1583 compatibility.
Configure OSPF Interface Parameters.
    Enable OSPF on the interface.    ip ospf enable on page 20-14
    Configure an OSPF area.    ip ospf areaid on page 20-14
    Set the cost of sending a packet on an OSPF interface.    ip ospf cost on page 20-15
    Set a priority to help determine the OSPF designated router for the network.    ip ospf priority on page 20-15
    Adjust timers and message intervals.    timers spf on page 20-16
        ip ospf retransmit-interval on page 20-17
        ip ospf transmit-delay on page 20-17
        ip ospf hello-interval on page 20-18
        ip ospf dead-interval on page 20-18

    ip ospf authentication-key on page 20-19
    ip ospf message digest key md5 on page 20-20
Configure OSPF Areas.
    Configure an administrative distance.    distance ospf on page 20-20
    Define the range of addresses to be used by Area Boundary Routers (ABRs).    area range on page 20-21
Table 20-2
To do this...
Define an area as a stub area.
Set the cost value for the default route that is sent into a stub area.
Define an area as an NSSA.
Create virtual links.
Enable redistribution from non-OSPF routes.
Monitor and maintain OSPF.
router id
Use this command to set the OSPF router ID for the device. This IP address must be set manually in order to run OSPF. The no form of this command removes the router ID for the device.
Syntax
router id ip-address
no router id
Parameters
ip-address    Specifies the IP address that OSPF will use as the router ID.
Defaults
None.
Mode
Global configuration: C2(su)->router(Config)#
Usage
This command sets the OSPF router ID. The OSPF area ID of a routed VLAN is configured on each interface with the interface command "ip ospf areaid" on page 20-14. If you do not configure an area ID on a routed interface running OSPF, the default area ID of 0.0.0.0 will be used.
Example
This example shows how to set the OSPF router ID to IP address 182.127.62.1:
C2(su)->router(Config-router)#router id 182.127.62.1
router ospf
Use this command to enable or disable Open Shortest Path First (OSPF) configuration mode. The no form of this command disables OSPF configuration mode.
Syntax
router ospf process-id
no router ospf process-id
Parameters
process-id    Specifies the process ID, an internally used identification number for an OSPF routing process run on a router. Only one OSPF process is allowed per stack or standalone. Valid values are 1 to 65535.
Defaults
None.
Mode
Globalconfiguration:C2(su)>router(Config)#
Usage
YoumustexecutetherouterospfcommandtoenabletheprotocolbeforecompletingmanyOSPF specificconfigurationtasks.Fordetailsonenablingconfigurationmodes,refertoTable 182on page 182. OnlyoneOSPFprocess(processid)isallowedperSecureStackC2router.
Example
ThisexampleshowshowtoenableroutingforOSPFprocess1:
C2(su)->router#conf terminal C2(su)->router(Config)#router ospf 1 C2(su)->router(Config-router)#
1583compatibility
Use this command to enable RFC 1583 compatibility on OSPF interfaces. The no form of this command disables RFC 1583 compatibility on OSPF interfaces.
Syntax
1583compatability
no 1583compatability
Parameters
None.
Defaults
None.
Mode
Router configuration: C2(su)->router(Config-router)#
Example
This example shows how to enable RFC 1583 compatibility:
C2(su)->router(Config)#router ospf 1
C2(su)->router(Config-router)#1583compatability
ip ospf enable
Use this command to enable OSPF on an interface. The no form of this command disables OSPF on an interface.
Syntax
ip ospf enable
no ip ospf enable
Parameters
None.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable OSPF on the VLAN 1 interface:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip ospf enable
ip ospf areaid
Use this command to configure area IDs for OSPF interfaces. If OSPF is enabled on an interface as described in "ip ospf enable" on page 20-14, the OSPF area will default to 0.0.0.0. The no form of this command removes OSPF routing for the interfaces.
Syntax
ip ospf areaid area-id
no ip ospf areaid
Parameters
area-id    Specifies the area-id to be associated with the OSPF interface. Valid values are decimal values or IP addresses.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to configure the VLAN 1 interface as area 0.0.0.31:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip ospf areaid 0.0.0.31
ip ospf cost
Use this command to set the cost of sending an OSPF packet on an interface. The no form of this command resets the OSPF cost to the default of 10.
Syntax
ip ospf cost cost
no ip ospf cost
Parameters
cost    Specifies the cost of sending a packet. Valid values range from 1 to 65535.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Usage
Each router interface that participates in OSPF routing is assigned a default cost. This command overwrites the default of 10.
Example
This example shows how to set the OSPF cost to 20 for the VLAN 1 interface:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip ospf cost 20
ip ospf priority
Use this command to set the OSPF priority value for router interfaces. The no form of this command resets the value to the default of 1.
Syntax
ip ospf priority number
no ip ospf priority
Parameters
number    Specifies the router's OSPF priority in a range from 0 to 255. Default value is 1.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Usage
The priority value is communicated between routers by means of hello messages and influences the election of a designated router.
Example
This example shows how to set the OSPF priority to 20 for the VLAN 1 interface:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip ospf priority 20
timers spf
Use this command to change OSPF timer values to fine-tune the OSPF network. The no form of this command restores the default timer values (5 seconds for delay and 10 seconds for hold time).
Syntax
timers spf spf-delay spf-hold
no timers spf
Parameters
spf-delay    Specifies the delay, in seconds, between the receipt of an update and the SPF execution. Valid values are 0 to 4294967295.
spf-hold    Specifies the minimum amount of time, in seconds, between two consecutive OSPF calculations. Valid values are 0 to 4294967295. A value of 0 means that two consecutive OSPF calculations are performed one immediately after the other.
Defaults
None.
Mode
Router configuration: C2(su)->router(Config-router)#
Example
This example shows how to set SPF delay time to 7 seconds and hold time to 3:
C2(su)->router(Config)#router ospf 1
C2(su)->router(Config-router)#timers spf 7 3
ip ospf retransmit-interval
Use this command to set the amount of time between retransmissions of link state advertisements (LSAs) for adjacencies that belong to an interface. The no form of this command resets the retransmit interval value to the default, 5 seconds.
Syntax
ip ospf retransmit-interval seconds
no ip ospf retransmit-interval
Parameters
seconds    Specifies the retransmit time in seconds. Valid values are 1 to 65535.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the OSPF retransmit interval for the VLAN 1 interface to 20:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip ospf retransmit-interval 20
ip ospf transmit-delay
Use this command to set the amount of time required to transmit a link state update packet on an interface. The no form of this command resets the retransmit interval value to the default, 1 second.
Syntax
ip ospf transmit-delay seconds
no ip ospf transmit-delay
Parameters
seconds    Specifies the transmit delay in seconds. Valid values are from 1 to 65535.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the time required to transmit a link state update packet on the VLAN 1 interface at 20 seconds:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip ospf transmit-delay 20
ip ospf hello-interval
Use this command to set the number of seconds a router must wait before sending a hello packet to neighbor routers on an interface. The no form of this command sets the hello interval value to the default value of 10 seconds.
Syntax
ip ospf hello-interval seconds
no ip ospf hello-interval
Parameters
seconds    Specifies the hello interval in seconds. Hello interval must be the same on neighboring routers (on a specific subnet), but can vary between subnets. This parameter is an unsigned integer with valid values between 1 and 65535.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the hello interval to 5 for the VLAN 1 interface:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip ospf hello-interval 5
ip ospf dead-interval
Use this command to set the number of seconds a router must wait to receive a hello packet from its neighbor before determining that the neighbor is out of service. The no form of this command sets the dead interval value to the default value of 40 seconds.
Syntax
ip ospf dead-interval seconds
no ip ospf dead-interval
Parameters
seconds    Specifies the number of seconds that a router must wait to receive a hello packet before declaring the neighbor as dead and removing it from the OSPF neighbor list. Dead interval must be the same on neighboring routers (on a specific subnet), but can vary between subnets. This parameter is an unsigned integer ranging from 1 to 65535. Default value is 40 seconds.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the dead interval to 20 for the VLAN 1 interface:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip ospf dead-interval 20
ip ospf authentication-key
Use this command to assign a password to be used by neighboring routers using OSPF's simple password authentication. The no form of this command removes an OSPF authentication password on an interface.
Syntax
ip ospf authentication-key password
no ip ospf authentication-key
Parameters
password    Specifies an OSPF authentication password. Valid values are alphanumeric strings up to 8 characters in length.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Usage
This password is used as a key that is inserted directly into the OSPF header in routing protocol packets. A separate password can be assigned to each OSPF network on a per-interface basis.
All neighboring routers on the same network must have the same password configured to be able to exchange OSPF information.
Example
This example shows how to enable an OSPF authentication key on the VLAN 1 interface with the password "yourpass":
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip ospf authentication-key yourpass
Syntax
ip ospf message-digest-key keyid md5 key
no ip ospf message-digest-key keyid
Parameters
keyid    Specifies the key identifier on the interface where MD5 authentication is enabled. Valid values are integers from 1 to 255.
key    Specifies a password for MD5 authentication to be used with the keyid. Valid values are alphanumeric strings of up to 16 characters.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable OSPF MD5 authentication on the VLAN 1 interface, set the key identifier to 20, and set the password to "passone":
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip ospf message-digest-key 20 md5 passone
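The two authentication commands above put very different data on the wire: with ip ospf authentication-key the password itself fills the 8-byte authentication field of every OSPF header, while with ip ospf message-digest-key only a key ID, a sequence number and an appended MD5 digest are sent. The following added example (not part of the Enterasys guide) builds constructed OSPFv2 Hello packets following the RFC 2328 layout and audits them the way a capture review would; the function names, the sequence number and the Hello body values are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

# OSPFv2 common header (RFC 2328, A.3.1): version, type, packet length,
# router ID, area ID, checksum, AuType, 64-bit authentication field.
HEADER = struct.Struct("!BBH4s4sHH8s")
AUTYPE = {0: "null", 1: "simple-password", 2: "md5"}


def hello_body(hello=10, dead=40, priority=1):
    """Constructed Hello body using the interface defaults quoted in this guide."""
    return struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"),
                       hello, 0x02, priority, dead, bytes(4), bytes(4))


def build(autype, auth_field, router_id="182.127.62.1", area="0.0.0.31"):
    """Assemble header + Hello body. The checksum is left at 0 in these
    constructed samples because audit() does not evaluate it."""
    body = hello_body()
    return HEADER.pack(2, 1, HEADER.size + len(body),
                       socket.inet_aton(router_id), socket.inet_aton(area),
                       0, autype, auth_field) + body


def build_simple(password):
    """ip ospf authentication-key: the password fills the 8-byte field as is."""
    return build(1, password.encode().ljust(8, b"\0"))


def build_md5(key_id, key, seq):
    """ip ospf message-digest-key: the field holds key ID, digest length and a
    sequence number; MD5(packet + key padded to 16 bytes) is appended."""
    pkt = build(2, struct.pack("!HBBI", 0, key_id, 16, seq))
    return pkt + hashlib.md5(pkt + key.encode().ljust(16, b"\0")).digest()


def audit(packet, md5_keys=None):
    """Classify the authentication carried by one captured OSPF packet.

    md5_keys maps key ID -> configured key, so the digest can be verified
    when the reviewer knows the key; otherwise digest_ok stays None.
    """
    _ver, _ptype, length, rid, area, _csum, autype, auth = HEADER.unpack_from(packet)
    finding = {"router_id": socket.inet_ntoa(rid), "area": socket.inet_ntoa(area),
               "auth": AUTYPE.get(autype, "unknown"),
               "secret_on_wire": None, "digest_ok": None}
    if autype == 1:
        # Simple password: anyone who can capture the segment reads the key.
        finding["secret_on_wire"] = auth.rstrip(b"\0").decode("ascii", "replace")
    elif autype == 2:
        _zero, key_id, dlen, seq = struct.unpack("!HBBI", auth)
        finding.update(key_id=key_id, seq=seq)
        key = (md5_keys or {}).get(key_id)
        if key is not None and dlen == 16 and len(packet) >= length + 16:
            expect = hashlib.md5(packet[:length] + key.encode().ljust(16, b"\0")).digest()
            finding["digest_ok"] = hmac.compare_digest(expect, packet[length:length + 16])
    return finding


if __name__ == "__main__":
    print(audit(build_simple("yourpass")))
    print(audit(build_md5(20, "passone", 1), {20: "passone"}))
```

An interface that reports "simple-password" or "null" here is the one to move to a message-digest key, since the simple password can be read straight from a capture of the segment.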
distance ospf
Use this command to configure the administrative distance for OSPF routes. The no form of this command resets OSPF administrative distance to the default values.
Syntax
distance ospf {external | inter-area | intra-area} weight
no distance ospf {external | inter-area | intra-area}
Parameters
external | inter-area | intra-area    Applies the distance value to external (type 5 and type 7), to inter-area, or to intra-area routes.
Note: The value for intra-area distance must be less than the value for inter-area distance, which must be less than the value for external distance.
weight    Specifies an administrative distance for OSPF routes. Valid values are 1 - 255.
Defaults
If route type is not specified, the distance value will be applied to all OSPF routes.
Mode
Router configuration: C2(su)->router(Config-router)#
Usage
If several routes (coming from different protocols) are presented to the SecureStack C2, the protocol with the lowest administrative distance will be chosen for route installation. By default, OSPF administrative distance is set to 110. The distance ospf command can be used to change this value, resetting OSPF's route preference in relation to other routes as shown in the table below.
Route Source    Default Distance
Connected       0
Static          1
OSPF            Intra-area - 8; Inter-area - 10; External type 1 - 13; External type 2 - 150
RIP             15
Example
This example shows how to change the default administrative distance for external OSPF routes to 100:
C2(su)->router(Config)#router ospf 1
C2(su)->router(Config-router)#distance ospf external 100
area range
Use this command to define the range of addresses to be used by Area Border Routers (ABRs) when they communicate routes to other areas. Each SecureStack C2 stack can support up to 4 OSPF areas. The no form of this command stops the routes from being summarized.
Syntax
area area-id range ip-address ip-mask [advertise | no-advertise]
no area area-id range ip-address ip-mask
Parameters
area-id    Specifies the area from which routes are to be summarized. This is a decimal value from 0 to 429496295.
ip-address    Specifies the IP address associated with the area ID.
ip-mask    Specifies the mask for the IP address.
advertise | no-advertise    (Optional) Enters address range in advertise mode, or do not advertise mode.
Defaults
If not specified, advertise mode will be set.
Mode
Router configuration: C2(su)->router(Config-router)#
Example
This example shows how to define the address range as 172.16.0.0/16 for summarized routes from area 0.0.0.8:
C2(su)->router(Config)#router ospf 1
C2(su)->router(Config-router)#area 0.0.0.8 range 172.16.0.0 255.255.0.0
area stub
Use this command to define an OSPF area as a stub area. This is an area into which Autonomous System external LSAs will not be flooded. The no form of this command changes the stub back to a plain area.
Syntax
area area-id stub [no-summary]
no area area-id stub [no-summary]
Parameters
area-id    Specifies the stub area. Valid values are decimal values or IP addresses.
no-summary    (Optional) Prevents an Area Border Router (ABR) from sending Link State Advertisements (LSAs) into the stub area. When this parameter is used, it means that all destinations outside of the stub area are represented by means of a default route.
Mode
Router configuration: C2(su)->router(Config-router)#
Defaults
If no-summary is not specified, the stub area will be able to receive LSAs.
Example
The following example shows how to define OSPF area 10 as a stub area:
C2(su)->router(Config)#router ospf 1
C2(su)->router(Config-router)#area 10 stub
Syntax
area area-id default-cost cost
no area area-id default-cost
Parameters
area-id    Specifies the stub area. Valid values are decimal values or IP addresses.
cost    Specifies a cost value for the summary route that is sent into a stub area by default. Valid values are 24-bit numbers, from 0 to 16777215.
Defaults
None.
Mode
Router configuration: C2(su)->router(Config-router)#
Usage
The use of this command is restricted to ABRs attached to stub and NSSA areas.
Example
This example shows how to set the cost value for stub area 10 to 99:
C2(su)->router(Config)#router ospf 1
C2(su)->router(Config-router)#area 10 default-cost 99
area nssa
Use this command to configure an area as a Not-So-Stubby Area (NSSA). The no form of this command changes the NSSA back to a plain area.
Syntax
area area-id nssa [default-information-originate]
no area area-id nssa [default-information-originate]
Parameters
area-id    Specifies the NSSA area. Valid values are decimal values or IP addresses.
default-information-originate    (Optional) Generates a default of Type 7 into the NSSA. This is used when the router is an NSSA ABR.
Defaults
If default-information-originate is not specified, no default type will be generated.
Mode
Router configuration: C2(su)->router(Config-router)#
Usage
An NSSA allows some external routes represented by external Link State Advertisements (LSAs) to be imported into it. This is in contrast to a stub area that does not allow any external routes. External routes that are not imported into an NSSA can be represented by means of a default route. This configuration is used when an OSPF internetwork is connected to multiple non-OSPF routing domains.
Example
This example shows how to configure area 10 as an NSSA area:
C2(su)->router(Config)#router ospf 1
C2(su)->router(Config-router)#area 10 nssa default-information-originate
area virtual-link
Use this command to define an OSPF virtual link, which represents a logical connection between the backbone and a non-backbone OSPF area. The no form of this command removes the virtual link and/or its associated settings.
Syntax
area area-id virtual-link router-id
no area area-id virtual-link router-id
In addition to the syntax above, the options for using this command are:
area area-id virtual-link router-id authentication-key key
no area area-id virtual-link router-id authentication-key key
area area-id virtual-link router-id dead-interval seconds
no area area-id virtual-link router-id dead-interval seconds
area area-id virtual-link router-id hello-interval seconds
no area area-id virtual-link router-id hello-interval seconds
area area-id virtual-link router-id retransmit-interval seconds
no area area-id virtual-link router-id retransmit-interval seconds
area area-id virtual-link router-id transmit-delay seconds
no area area-id virtual-link router-id transmit-delay seconds
Parameters
area-id    Specifies the transit area for the virtual link. Valid values are decimal values or IP addresses. A transit area is an area through which a virtual link is established.
router-id    Specifies the router ID of the virtual link neighbor.
authentication-key key    Specifies a password to be used by the virtual link. Valid values are alphanumeric strings of up to 8 characters. Neighbor virtual link routers on a network must have the same password.
dead-interval seconds    Specifies the number of seconds that a router must wait to receive a hello packet before declaring the neighbor as dead and removing it from the OSPF neighbor list. This value must be the same for all virtual links attached to a certain subnet, and it is a value ranging from 1 to 8192.
hello-interval seconds    Specifies the number of seconds between hello packets on the virtual link. This value must be the same for all virtual links attached to a network and it is a value ranging from 1 to 8192.
retransmit-interval seconds    Specifies the number of seconds between successive retransmissions of the same LSAs. Valid values are greater than the expected amount of time required for the update packet to reach and return from the interface, and range from 1 to 8192. Default is 5 seconds.
transmit-delay seconds    Specifies the estimated number of seconds before a link state update packet on the interface to be transmitted. Valid values range from 1 to 8192. Default is 1 second.
Defaults
None.
Mode
Router configuration: C2(su)->router(Config-router)#
Example
This example shows how to configure a virtual link over transition area 0.0.0.2 to router ID 192.168.7.2:
C2(su)->router(Config)#router ospf 1
C2(su)->router(Config-router)#area 0.0.0.2 virtual-link 192.168.7.2
redistribute
Use this command to allow routing information discovered through non-OSPF protocols to be distributed in OSPF update messages. The no form of this command clears redistribution parameters.
Syntax
redistribute {connected | rip | static} [metric metric value] [metric-type typevalue] [subnets]
no redistribute {connected | rip | static}
Parameters
connected    Specifies that non-OSPF information discovered via directly connected interfaces will be redistributed.
rip    Specifies that RIP routing information will be redistributed in OSPF.
static    Specifies that non-OSPF information discovered via static routes will be redistributed. Static routes are those created using the ip route command detailed in "ip route" on page 19-17.
metric metric value    (Optional) Specifies a metric for the connected, RIP or static redistribution route. This value should be consistent with the designation protocol.
metric-type typevalue    (Optional) Specifies the external link type associated with the default connected, RIP or static route advertised into the OSPF routing domain. Valid values are 1 for type 1 external route, and 2 for type 2 external route.
subnets    (Optional) Specifies that connected, RIP, or static routes that are subnetted routes will be redistributed.
Defaults
If metric value is not specified, 0 will be applied.
If typevalue is not specified, type 2 (external route) will be applied.
If subnets is not specified, only the shortest prefix matching routes will be redistributed.
Mode
Router configuration: C2(su)->router(Config-router)#
Example
This example shows how to redistribute RIP routing information to non-subnetted routes in OSPF routes:
C2(su)->router(Config)#router ospf
C2(su)->router(Config-router)#redistribute rip
show ip ospf
Use this command to display OSPF information.
Syntax
show ip ospf
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display OSPF information:
C2(su)->router#show ip ospf
Routing process "ospf 1" with ID 155.155.155.155
Supports only Normal TOS route.
It is not an area border router and is an autonomous system boundary router.
Redistributing External Routes from static
Number of areas in this router is 2
Area 0.0.0.0
    SPF algorithm executed 0 times
    Area ranges are
    Link State Age Interval is 10
Area 0.0.0.8
    SPF algorithm executed 302 times
    Area ranges are
    Link State Age Interval is 10
Syntax
show ip ospf database
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display all OSPF link state database information. This is a portion of the command output:
C2(su)->router#show ip ospf database
OSPF Router with ID(155.155.155.155)

Displaying Ipnet Sum Link States(Area 0.0.0.0)
LinkID           ADV Router        Age    Seq#         Checksum
192.168.16.0     155.155.155.155   1751   0x80000036   0x18a

Displaying As External Link States(Area 0.0.0.0)
LinkID           ADV Router        Age    Seq#         Checksum
                 155.155.155.155   1306   0x8000003c
                 155.155.155.155   1306   0x8000003c
                 155.155.155.155   1306   0x8000003c
                 155.155.155.155   1306   0x8000003c
                 155.155.155.155   1307   0x8000003c
                 155.155.155.155   1307   0x8000003c
                 155.155.155.155   1307   0x8000003c
                 155.155.155.155   1307   0x8000003c
191.4.0.0        155.155.155.155   1307   0x8000003c   0x8e98

Displaying Router Link States(Area 0.0.0.8)
LinkID           ADV Router        Age    Seq#
3.3.3.3          3.3.3.3           986    0x8000008e
155.155.155.155  155.155.155.155   977    0x8000009c

Displaying Net Link States(Area 0.0.0.8)
LinkID           ADV Router        Age    Seq#         Checksum
192.168.30.2     155.155.155.155   310    0x8000003b   0x59ab
192.168.31.2     155.155.155.155   997    0x80000002   0xc07c
192.168.32.2     155.155.155.155   997    0x80000002   0xb586
192.168.33.2     155.155.155.155   998    0x80000002   0xaa90

Displaying Ipnet Sum Link States(Area 0.0.0.8)
LinkID           ADV Router        Age    Seq#         Checksum
0.0.0.0          3.3.3.3           361    0x80000005   0x311d
8.1.1.0          3.3.3.3           1512   0x80000003   0x3de1
8.1.2.0          3.3.3.3           1512   0x80000003   0x32eb
8.1.3.0          3.3.3.3           1502   0x80000003   0x27f5
8.1.4.0          3.3.3.3           1512   0x80000003   0x1c00

ADV Router    Router ID of the router originating the link state record.
Age    Age (in seconds) of the link state record.
Seq#    OSPF sequence number assigned to each link state record.
Checksum    Field in the link state record used to verify the contents upon receipt by another router.
Link count of router link state records. This number is equal to, or greater than, the number of active OSPF interfaces on the originating router.
Syntax
show ip ospf interface [vlan vlan-id]
Parameters
vlan vlan-id    (Optional) Displays OSPF information for a specific VLAN. This VLAN must be configured for IP routing as described in "Pre-Routing Configuration Tasks" on page 18-1.
Defaults
If vlan-id is not specified, OSPF statistics will be displayed for all VLANs.
Mode
Any router mode.
Example
This example shows how to display all OSPF related information for the VLAN 6 interface:
C2(su)->router#show ip ospf interface vlan 6
Vlan 6
Internet Address 192.168.6.2 Mask 255.255.255.0, Area 0.0.0.0
Router ID 3.3.3.3 , Cost: 10 (computed)
Transmit Delay is 1 sec , State designated-router , Priority 1
Designated Router id 3.3.3.3 , Interface Addr 192.168.6.2
Backup Designated Router id 2.2.2.2 ,
Timer intervals configured , Hello 10 , Dead 40 , Retransmit 5
Syntax
show ip ospf neighbor [detail] [ip-address] [vlan vlan-id]
Parameters
detail    (Optional) Displays detailed information about the neighbors, including the area in which they are neighbors, who the designated router/backup designated router is on the subnet, if applicable, and the decimal equivalent of the E-bit value from the hello packet options field.
ip-address    (Optional) Displays OSPF neighbors for a specific IP address.
vlan vlan-id    (Optional) Displays OSPF neighbors for a specific VLAN. This VLAN must be configured for IP routing as described in "Pre-Routing Configuration Tasks" on page 18-1.
Defaults
If detail is not specified, summary information will be displayed.
If ip-address is not specified, OSPF neighbors will be displayed for all IP addresses configured for routing.
If vlan-id is not specified, OSPF neighbors will be displayed for all VLANs configured for routing.
Mode
Any router mode.
Example
This example shows how to use the show ospf neighbor command:
C2(su)->router#show ip ospf neighbor
ID             Pri   State   Dead-Int   Address        Interface
182.127.62.1   1     FULL    40         182.127.63.1   vlan1
Syntax
show ip ospf virtual-links
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display OSPF virtual links information:
C2(su)->router#show ip ospf virtual-links
Neighbor ID 155.155.155.155
Transit area 0.0.0.8
Transmit delay is 1 sec
State point-to-point
Timer intervals configured:
Hello 10, Dead 40, Retransmit 5
Adjacency State Full
Syntax
clear ip ospf process process-id
Parameters
process-id    Specifies the process ID, an internally used identification number for each instance of the OSPF routing process run on a router. Valid values are 1 to 65535.
Defaults
None.
Mode
Privileged EXEC: C2(su)->router#
Example
This example shows how to reset OSPF process 1:
C2(su)->router#clear ip ospf process 1
Configuring DVMRP
* Advanced License Required *
DVMRP is an advanced routing feature that must be enabled with a license key. If you have purchased an advanced license key, and have enabled routing on the device, you must activate your license as described in the chapter entitled Activating Licensed Features in order to enable the DVMRP command set. If you wish to purchase an advanced routing license, contact Enterasys Networks Sales.
Purpose
To enable and configure the Distance Vector Multicast Routing Protocol (DVMRP) on an interface. DVMRP routes multicast traffic using a technique known as Reverse Path Forwarding. When a router receives a packet, it floods the packet out of all paths except the one that leads back to the packet's source. Doing so allows a data stream to reach all VLANs (possibly multiple times). If a router is attached to a set of VLANs that do not want to receive from a particular multicast group, the router can send a prune message back up the distribution tree to stop subsequent packets from traveling where there are no members. DVMRP will periodically reflood in order to reach any new hosts that want to receive from a particular group.
Note: IGMP must be enabled on all VLANs running DVMRP, and must also be globally enabled on the SecureStack C2. For details on enabling IGMP, refer to Chapter 13.
Commands
For information about...
ip dvmrp
ip dvmrp enable
ip dvmrp metric
show ip dvmrp
See also "show ip mroute" on page 20-59, which can be used to display the IP multicast routing table.
ip dvmrp
Use this command to enable the DVMRP process. The no form of this command disables the DVMRP process.
Syntax
ip dvmrp
no ip dvmrp
Parameters
None.
Defaults
None.
Mode
Global configuration: C2(su)->router(Config)#
Example
This example shows how to enable the DVMRP process:
C2(su)->router(Config)#ip dvmrp
ip dvmrp enable
Use this command to enable DVMRP on an interface. The no form of this command disables DVMRP on an interface.
Syntax
ip dvmrp enable
no ip dvmrp enable
Parameters
None.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable DVMRP on the VLAN 1 interface:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip dvmrp enable
ip dvmrp metric
Use this command to configure the metric associated with a set of destinations for DVMRP reports.
Syntax
ip dvmrp metric metric
Parameters
metric    Specifies a metric associated with a set of destinations for DVMRP reports. Valid values are from 1 to 31.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Usage
To reset the DVMRP metric back to the default value of 1, enter ip dvmrp metric 1.
Example
This example shows how to set a DVMRP metric of 16 on the VLAN 1 interface:
C2(su)->router(Config-if(Vlan 1))#ip dvmrp metric 16
show ip dvmrp
Use this command to display DVMRP routing information.
Syntax
show ip dvmrp [route | neighbor | status]
Parameters
route | neighbor | status    (Optional) Displays DVMRP routing information, neighbor information, or DVMRP enable status.
Defaults
If no optional parameters are specified, status information will be displayed.
Mode
Any router mode.
Example
This example shows how to display DVMRP status information:
C2(su)->router#show ip dvmrp
Vlan Id    Metric    Admin Status    Oper. Status
-------
10
18
20
25
32
500
Configuring IRDP
Purpose
To enable and configure the ICMP Router Discovery Protocol (IRDP) on an interface. This protocol enables a host to determine the address of a router it can use as a default gateway. It is disabled by default.
Commands
For information about...      Refer to page...
ip irdp enable                20-37
ip irdp maxadvertinterval     20-38
ip irdp minadvertinterval     20-38
ip irdp holdtime              20-39
ip irdp preference            20-39
ip irdp broadcast             20-40
show ip irdp                  20-40
ip irdp enable
Use this command to enable IRDP on an interface. The no form of this command disables IRDP on an interface.
Syntax
ip irdp enable
no ip irdp enable
Parameters
None.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable IRDP on the VLAN 1 interface:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip irdp enable
ip irdp maxadvertinterval
Use this command to set the maximum interval in seconds between IRDP advertisements. The no form of this command resets the maximum advertisement interval to the default value of 600 seconds.
Syntax
ip irdp maxadvertinterval interval
no irdp maxadvertinterval
Parameters
interval    Specifies a maximum advertisement interval in seconds. Valid values are 4 to 1800.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the maximum IRDP advertisement interval to 1000 seconds on the VLAN 1 interface:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip irdp maxadvertinterval 1000
ip irdp minadvertinterval
Use this command to set the minimum interval in seconds between IRDP advertisements. The no form of this command deletes the custom holdtime setting, and resets the minimum advertisement interval to the default value of three-fourths of the maxadvertinterval value, which is equal to 450 seconds.
Syntax
ip irdp minadvertinterval interval
no irdp minadvertinterval
Parameters
interval    Specifies a minimum advertisement interval in seconds. Valid values are 3 to 1800.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the minimum IRDP advertisement interval to 500 seconds on the VLAN 1 interface:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip irdp minadvertinterval 500
ip irdp holdtime
Use this command to set the length of time in seconds IRDP advertisements are held valid. The no form of this command resets the hold time to the default value of three times the maxadvertinterval value, which is equal to 1800 seconds.
Syntax
ip irdp holdtime holdtime
no irdp holdtime
Parameters
holdtime    Specifies the hold time in seconds. Valid values are 0 to 9000.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the IRDP hold time to 4000 seconds on the VLAN 1 interface:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip irdp holdtime 4000
ip irdp preference
Use this command to set the IRDP preference value for an interface. This value is used by IRDP to determine the interface's selection as a default gateway address. The no form of this command resets the interface's IRDP preference value to the default of 0.
Syntax
ip irdp preference preference
no irdp preference
Parameters
preference    Specifies the value to indicate the interface's use as a default router address. Valid values are -2147483648 to 2147483647. The minimum value indicates that the address, even though it may be advertised, is not to be used by neighboring hosts as a default router address.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set IRDP preference on the VLAN 1 interface so that the interface's address may still be advertised, but cannot be used by neighboring hosts as a default router address:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip irdp preference -2147483648
ip irdp broadcast
Use this command to configure IRDP to use the limited broadcast address of 255.255.255.255. The default is multicast with address 224.0.0.1. The no form of this command resets IRDP to use multicast on IP address 224.0.0.1.
Syntax
ip irdp broadcast
no ip irdp broadcast
Parameters
None.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable broadcast for IRDP on the VLAN 1 interface:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip irdp broadcast
show ip irdp
Use this command to display IRDP information.
Syntax
show ip irdp [vlan vlan-id]
Parameters
vlan vlan-id    (Optional) Displays IRDP information for a specific VLAN. This VLAN must be configured for IP routing as described in "Pre-Routing Configuration Tasks" on page 18-1.
Defaults
If vlan vlan-id is not specified, IRDP information for all interfaces will be displayed.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to display IRDP information for the VLAN 1 interface:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(vlan 1))#show ip irdp vlan 1
Interface vlan 1 has router discovery enabled
Advertisements will occur between 450 and 600 seconds
Advertisements are sent with broadcasts
Advertisements are valid for 1800 seconds
Default preference will be 0
Configuring VRRP
* Advanced License Required *
VRRP is an advanced routing feature that must be enabled with a license key. If you have purchased an advanced license key, and have enabled routing on the device, you must activate your license as described in the chapter entitled Activating Licensed Features in order to enable the VRRP command set. If you wish to purchase an advanced routing license, contact Enterasys Networks Sales.
Purpose
To enable and configure the Virtual Router Redundancy Protocol (VRRP). This protocol eliminates the single point of failure inherent in the static default routed environment by transferring the responsibility from one router to another if the original router goes down. VRRP-enabled routers decide who will become master and who will become backup in the event the master fails.
Commands
For information about...        Refer to page...
router vrrp                     20-42
create                          20-43
address                         20-44
priority                        20-45
advertise-interval              20-45
preempt                         20-46
enable                          20-47
ip vrrp authentication-key      20-48
show ip vrrp                    20-48
router vrrp
Use this command to enable or disable VRRP configuration mode. The no form of this command removes all VRRP configurations from the running configuration.
Syntax
router vrrp
no router vrrp
Parameters
None.
Defaults
None.
Mode
Global configuration: C2(su)->router(Config)#
Usage
You must execute the router vrrp command to enable the protocol before completing other VRRP-specific configuration tasks. For details on enabling configuration modes, refer to Table 18-2 on page 18-2.
Example
This example shows how to enable VRRP configuration mode:
C2(su)->router#configure
C2(su)->router(Config)#router vrrp
C2(su)->router(Config-router)#
create
Use this command to create a VRRP session. Each SecureStack C2 system supports up to 20 VRRP sessions. The no form of this command disables the VRRP session.
Syntax
create vlan vlan-id vrid
no create vlan vlan-id vrid
Parameters
vlan vlan-id    Specifies the number of the VLAN on which to create a VRRP session. This VLAN must be configured for IP routing as described in Pre-Routing Configuration Tasks on page 18-1.
vrid            Specifies a unique Virtual Router ID (VRID) to associate with the routing interface.
Defaults
None.
Mode
Router configuration: C2(su)->router(Config-router)#
Usage
This command must be executed to create an instance of VRRP on a routing interface (VLAN) before any other VRRP settings can be configured.
Example
This example shows how to create a VRRP session on the VLAN 1 interface with a VRID of 1:
C2(su)->router(Config)#router vrrp
C2(su)->router(Config-router)#create vlan 1 1
address
Use this command to configure a virtual router IP address. The no form of this command clears the VRRP address configuration.
Syntax
address vlan vlan-id vrid ip-address owner
no address vlan vlan-id vrid ip-address owner
Parameters
vlan vlan-id    Specifies the number of the VLAN on which to configure a virtual router address. This VLAN must be configured for IP routing as described in Pre-Routing Configuration Tasks on page 18-1.
vrid            Specifies a unique Virtual Router ID (VRID) associated with the routing interface.
ip-address      Specifies the virtual router IP address to associate with the router.
owner           Specifies a value to indicate if the router owns the IP address as one of its interfaces. Valid values are: 1 to indicate the router owns the address. 0 to indicate the router does not own the address.
Defaults
None.
Mode
Router configuration: C2(su)->router(Config-router)#
Usage
If the virtual router IP address is the same as the interface (VLAN) address owned by a VRRP router, then the router owning the address becomes the master. The master sends an advertisement to all other VRRP routers declaring its status and assumes responsibility for forwarding packets associated with its virtual router ID (VRID).
If the virtual router IP address is not owned by any of the VRRP routers, then the routers compare their priorities and the higher priority owner becomes the master. If priority values are the same, then the VRRP router with the higher IP address is selected master. For details on using the priority command, refer to priority on page 20-45.
Example
This example shows how to configure a virtual router address of 182.127.62.1 on the VLAN 1 interface, VRID 1, and to set the router connected to the VLAN via this interface as the master:
C2(su)->router(Config)#router vrrp
C2(su)->router(Config-router)#address vlan 1 1 182.127.62.1 1
priority
Use this command to set a priority value for a VRRP router. The no form of this command clears the VRRP priority configuration.
Syntax
priority vlan vlan-id vrid priority-value
no priority vlan vlan-id vrid priority-value
Parameters
vlan vlan-id      Specifies the number of the VLAN on which to configure VRRP priority. This VLAN must be configured for IP routing as described in Pre-Routing Configuration Tasks on page 18-1.
vrid              Specifies a unique Virtual Router ID (VRID) associated with the routing interface. Valid values are from 1 to 255.
priority-value    Specifies the VRRP priority value to associate with the vrid. Valid values are from 1 to 254, with the highest value setting the highest priority. Priority value of 255 is reserved for the VRRP router that owns the IP address associated with the virtual router. Priority 0 is reserved for signaling that the master has stopped working and the backup router must transition to master state.
Defaults
None.
Mode
Router configuration: C2(su)->router(Config-router)#
Example
This example shows how to set a VRRP priority of 200 on the VLAN 1 interface, VRID 1:
C2(su)->router(Config)#router vrrp
C2(su)->router(Config-router)#priority vlan 1 1 200
advertise-interval
Use this command to set the interval in seconds between VRRP advertisements. The no form of this command clears the VRRP advertise interval value.
Syntax
advertise-interval vlan vlan-id vrid interval
no advertise-interval vlan vlan-id vrid interval
Parameters
vlan vlan-id    Specifies the number of the VLAN on which to configure the VRRP advertisement interval. This VLAN must be configured for IP routing as described in Pre-Routing Configuration Tasks on page 18-1.
vrid            Specifies a unique Virtual Router ID (VRID) associated with the routing interface. Valid values are from 1 to 255.
interval        Specifies a VRRP advertisement interval to associate with the vrid. Valid values are from 1 to 255 seconds.
Defaults
None.
Mode
Router configuration: C2(su)->router(Config-router)#
Usage
VRRP advertisements are sent by the master router to other routers participating in the VRRP master selection process, informing them of its configured values. Once the master is selected, then advertisements are sent every advertising interval to let other VRRP routers in this VLAN/VRID know the router is still acting as master of the VLAN/VRID.
All routers with the same VRID should be configured with the same advertisement interval.
Example
This example shows how to set an advertise interval of 3 seconds on the VLAN 1 interface, VRID 1:
C2(su)->router(Config)#router vrrp
C2(su)->router(Config-router)#advertise-interval vlan 1 1 3
preempt
Use this command to enable or disable preempt mode on a VRRP router. The no form of this command disables preempt mode.
Syntax
preempt vlan-id vrid
no preempt vlan-id vrid
Parameters
vlan vlan-id    Specifies the number of the VLAN on which to set preempt mode. This VLAN must be configured for IP routing as described in Pre-Routing Configuration Tasks on page 18-1.
vrid            Specifies a unique Virtual Router ID (VRID) associated with the routing interface. Valid values are from 1 to 255.
Defaults
None.
Mode
Router configuration: C2(su)->router(Config-router)#
Usage
Preempt is enabled on VRRP routers by default, which allows a higher priority backup router to preempt a lower priority master.
The router that owns the virtual router IP address always preempts other routers, regardless of this setting.
Example
This example shows how to disable preempt mode on the VLAN 1 interface, VRID 1:
C2(su)->router(Config)#router vrrp
C2(su)->router(Config-router)#no preempt vlan 1 1
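The master selection rules stated in the address, priority and preempt sections above, modeled as an added Python example (not Enterasys code). The router names, the 182.127.62.x interface addresses other than the virtual address from the example, and the VrrpRouter class are assumptions made for illustration; the check_owner_flags helper shows why a wrongly set owner flag matters, since an owner always wins.

```python
import ipaddress
from dataclasses import dataclass

OWNER_PRIORITY = 255          # reserved for the router that owns the virtual IP
CONFIGURABLE = range(1, 255)  # 1..254 may be set with the priority command


@dataclass(frozen=True)
class VrrpRouter:             # hypothetical model, not a device data structure
    name: str
    interface_ip: str         # address of the VLAN routing interface
    priority: int             # value given to the priority command
    owner: bool = False       # 'owner' argument of the address command (1 or 0)
    preempt: bool = True      # preempt is enabled by default

    def effective_priority(self) -> int:
        if self.owner:
            return OWNER_PRIORITY
        if self.priority not in CONFIGURABLE:
            raise ValueError(f"{self.name}: priority {self.priority} outside 1-254")
        return self.priority

    def rank(self):
        # Higher priority wins; equal priorities fall back to the higher IP address.
        return (self.effective_priority(),
                int(ipaddress.IPv4Address(self.interface_ip)))


def elect_master(routers):
    """Pick the master among routers that start together on one VLAN/VRID."""
    return max(routers, key=VrrpRouter.rank)


def master_after_join(current_master, joiner):
    """Decide who is master after 'joiner' comes up while a master is serving."""
    if joiner.owner:
        return joiner             # the address owner preempts regardless of setting
    if joiner.preempt and joiner.effective_priority() > current_master.effective_priority():
        return joiner             # higher priority backup preempts lower priority master
    return current_master


def check_owner_flags(routers, virtual_ip):
    """Names of routers whose owner flag disagrees with their interface address."""
    vip = ipaddress.IPv4Address(virtual_ip)
    return [r.name for r in routers
            if r.owner != (ipaddress.IPv4Address(r.interface_ip) == vip)]


# Constructed sample data: virtual address 182.127.62.1 as in the address example.
OWNED_CASE = [
    VrrpRouter("R1", "182.127.62.1", 100, owner=True),
    VrrpRouter("R2", "182.127.62.2", 254),
]
NO_OWNER_CASE = [
    VrrpRouter("R2", "182.127.62.2", 200),
    VrrpRouter("R3", "182.127.62.3", 200),
    VrrpRouter("R4", "182.127.62.4", 150),
]

if __name__ == "__main__":
    print("owner present :", elect_master(OWNED_CASE).name)
    print("no owner, tie :", elect_master(NO_OWNER_CASE).name)
    rogue = VrrpRouter("R9", "182.127.62.9", 100, owner=True)
    print("owner flag mismatches:", check_owner_flags(OWNED_CASE + [rogue], "182.127.62.1"))
```
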
enable
Use this command to enable VRRP on an interface. The no form of this command disables VRRP on an interface.
Syntax
enable vlan vlan-id vrid
no enable vlan vlan-id vrid
Parameters
vlan vlan-id    Specifies the number of the VLAN on which to enable VRRP. This VLAN must be configured for IP routing as described in Pre-Routing Configuration Tasks on page 18-1.
vrid            Specifies the Virtual Router ID (VRID) associated with the vlan-id. Valid values are from 1 to 255.
Defaults
None.
Mode
Router configuration: C2(su)->router(Config-router)#
Example
This example shows how to enable VRRP on the VLAN 1 interface, VRID 1:
C2(su)->router(Config)#router vrrp
C2(su)->router(Config-router)#enable vlan 1 1
ip vrrp authentication-key
Use this command to enable or disable a VRRP authentication key (password) for use on an interface. The no form of this command prevents VRRP from using authentication.
Syntax
ip vrrp authentication-key name
no ip vrrp authentication-key
Parameters
name    Specifies the password to enable or disable for VRRP authentication.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the VRRP authentication key chain to password on the VLAN 1 interface:
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip vrrp authentication-key password
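A configuration review for the VRRP commands in this section, as an added Python example (not an Enterasys tool): it reads the commands entered on each router and reports sessions without an authentication key, sessions created but not enabled, priorities outside 1-254, and advertisement intervals that differ between routers sharing a VLAN/VRID. The router names R1 and R2, the R2 command list and the finding labels are constructed for illustration; R1 replays the examples shown above.

```python
from collections import defaultdict


def strip_prompt(line):
    """Drop a leading 'C2(su)->router(...)#' prompt if the line has one."""
    line = line.strip()
    if line.startswith("C2(") and "#" in line:
        return line.split("#", 1)[1].strip()
    return line


def parse_vrrp(config_text):
    """Return (sessions, auth_vlans) from a list of entered commands."""
    sessions, auth_vlans, current_if = {}, set(), None
    for raw in config_text.splitlines():
        words = strip_prompt(raw).split()
        negate = bool(words) and words[0] == "no"
        if negate:
            words = words[1:]
        if words[:2] == ["router", "vrrp"]:
            current_if = None
        elif words[:2] == ["interface", "vlan"] and len(words) == 3:
            current_if = int(words[2])
        elif words[:3] == ["ip", "vrrp", "authentication-key"] and current_if is not None:
            (auth_vlans.discard if negate else auth_vlans.add)(current_if)
        elif len(words) >= 4 and words[1] == "vlan":
            key, cmd, args = (int(words[2]), int(words[3])), words[0], words[4:]
            if cmd == "create":
                if negate:
                    sessions.pop(key, None)
                else:
                    sessions.setdefault(key, {"enabled": False, "priority": None, "interval": None})
            elif key in sessions:  # other settings require a created session
                if cmd == "enable":
                    sessions[key]["enabled"] = not negate
                elif cmd == "priority":
                    sessions[key]["priority"] = None if negate else int(args[0])
                elif cmd == "advertise-interval":
                    sessions[key]["interval"] = None if negate else int(args[0])
    return sessions, auth_vlans


def audit(routers):
    """routers: {name: command text}. Returns (router, vlan, vrid, finding) tuples."""
    findings, intervals = [], defaultdict(set)
    for name, text in routers.items():
        sessions, auth_vlans = parse_vrrp(text)
        for (vlan, vrid), s in sorted(sessions.items()):
            if vlan not in auth_vlans:
                findings.append((name, vlan, vrid, "no-authentication-key"))
            if not s["enabled"]:
                findings.append((name, vlan, vrid, "created-but-not-enabled"))
            if s["priority"] is not None and not 1 <= s["priority"] <= 254:
                findings.append((name, vlan, vrid, "priority-outside-1-254"))
            intervals[(vlan, vrid)].add(s["interval"])  # an unset interval counts as its own value
    for (vlan, vrid), seen in sorted(intervals.items()):
        if len(seen) > 1:
            findings.append(("*", vlan, vrid, "advertise-interval-mismatch"))
    return findings


# R1 replays the examples from this section; R2 is constructed sample input.
SAMPLE = {
    "R1": """C2(su)->router(Config)#router vrrp
C2(su)->router(Config-router)#create vlan 1 1
C2(su)->router(Config-router)#address vlan 1 1 182.127.62.1 1
C2(su)->router(Config-router)#priority vlan 1 1 200
C2(su)->router(Config-router)#advertise-interval vlan 1 1 3
C2(su)->router(Config-router)#enable vlan 1 1
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip vrrp authentication-key password""",
    "R2": """router vrrp
create vlan 1 1
address vlan 1 1 182.127.62.1 0
priority vlan 1 1 100
advertise-interval vlan 1 1 1
enable vlan 1 1
create vlan 2 1
priority vlan 2 1 255""",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
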
show ip vrrp
Use this command to display VRRP routing information.
Syntax
show ip vrrp
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display VRRP information
C2(su)->router(Config)#show ip vrrp
-----------VRRP CONFIGURATION----------
Vlan  Vrid  State       Owner  AssocIpAddr  Priority
2     1     Initialize  0      25.25.2.1    100
Configuring PIM-SM
* Advanced License Required *
PIM is an advanced routing feature that must be enabled with a license key. If you have purchased an advanced license key, and have enabled routing on the device, you must activate your license as described in the chapter entitled Activating Licensed Features in order to enable the PIM command set. If you wish to purchase an advanced routing license, contact Enterasys Networks Sales.
Design Considerations
Enterasys Networks recommends that administrators consider the following recommendations before configuring the SecureStack C2 for a PIM-SM environment.
• A SecureStack C2 cannot be configured as a Candidate RP or a Candidate BSR.
• A SecureStack C2 should not be the first hop router for a multicast stream. In other words, the multicast stream should not originate on a SecureStack C2.
• A SecureStack C2 should not be positioned in the core of a PIM-SM topology, and should only be positioned at the edge in a PIM-SM topology. In other words, the SecureStack C2 should only be used to deliver multicast streams to end clients.
Purpose
To enable and configure Protocol Independent Multicast in Sparse Mode (PIM-SM). This protocol provides the means of dynamically learning how to forward multicast traffic in an environment where group members are sparsely located throughout the network and bandwidth is limited. In situations where members are densely located and bandwidth is plentiful, DVMRP would suffice (see Configuring DVMRP on page 20-33.)
PIM-SM determines the network topology using the underlying unicast routing protocol to build a Multicast Routing Information Base (MRIB).
Note: IGMP must be enabled on all VLANs running PIM-SM, and must also be globally enabled on the SecureStack C2. For details on enabling IGMP, refer to Chapter 13.
Commands
For information about...              Refer to page...
Global configuration commands
ip pimsm                              20-50
ip pimsm staticrp                     20-50
Interface configuration commands
ip pimsm enable                       20-51
ip pimsm query-interval               20-52
Display commands
show ip pimsm                         20-52
show ip pimsm componenttable          20-53
show ip pimsm interface
show ip pimsm neighbor
show ip pimsm rp
show ip pimsm rphash
show ip pimsm staticrp
show ip mroute
ip pimsm
This command sets administrative mode of PIM-SM multicast routing across the router to enabled. IGMP must be enabled before PIM-SM can be enabled. By default, both IGMP and PIM are globally disabled. The no form of this command disables PIM (across the entire stack, if applicable).
Syntax
ip pimsm
no ip pimsm
Parameters
None.
Defaults
None.
Mode
Global router configuration: C2(su)->router(Config)#
Example
This example shows how to globally enable and disable PIM:
C2(su)->router(Config)# ip pimsm
C2(su)->router(Config)# no ip pimsm
ip pimsm staticrp
This command is used to create a manual Rendezvous Point IP address for the PIM-SM router. The no form of this command removes a previously configured RP.
Syntax
ip pimsm staticrp ipaddress groupadress groupmask
no ip pimsm staticrp ipaddress groupadress groupmask
Parameters
ipaddress      The IP address of the Rendezvous Point
groupadress    The group address supported by the Rendezvous Point
groupmask      The group mask for the group address
Defaults
None.
Mode
Global Router configuration: C2(su)->router(Config)#
Example
This example shows how to set an RP for a specific multicast group.
C2(su)->router(Config)# ip pimsm staticrp 192.15.18.3 224.0.0.0 240.0.0.0
ip pimsm enable
This command sets the administrative mode of PIM-SM multicast routing on a routing interface to enabled. By default, PIM is disabled on all IP interfaces. The no form of this command disables PIM on the specific interface.
Syntax
ip pimsm enable
no ip pimsm enable
Parameters
None.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable PIM on IP interface for VLAN 1.
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip pimsm enable
ip pimsm query-interval
This command configures the transmission frequency of hello messages in seconds between PIM-enabled neighbors. The no form of this command resets the hello interval to the default, 30 seconds.
Syntax
ip pimsm query-interval seconds
no ip pimsm query-interval
Parameters
seconds    This field has a range of 10 to 3600 seconds. Default is 30.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the hello interval rate to 100 seconds.
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip pimsm query-interval 100
show ip pimsm
Use this command to display system-wide PIM-SM routing information.
Syntax
show ip pimsm
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display PIM information.
C2(su)->router# show ip pimsm
Admin Mode                   Enable
Join/Prune Interval (secs)   60
PIM-SM INTERFACE STATUS
VlanId     Interface Mode  Protocol State
---------  --------------  ----------------
8          Disable         Non-Operational
16         Enable          Operational
17         Enable          Operational
20         Enable          Operational
30         Enable          Operational
31         Disable         Non-Operational
32         Disable         Non-Operational
33         Disable         Non-Operational
Syntax
show ip pimsm componenttable
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display PIM router information:
C2(su)->router> show ip pimsm componenttable
COMPONENT TABLE
Component   Component        Component BSR    Component CRP
Index       BSR Address      Expiry Time      Hold Time
                             (hh:mm:ss)       (hh:mm:ss)
----------  ---------------  ---------------  -------------
1           192.168.30.2     00:02:10         00:00:00
Syntax
show ip pimsm interface {vlan vlan-id | stats {vlan-id | all}}
Parameters
vlan vlan-id     Display PIM-SM information for the specified IP interface enabled for PIM.
stats            Display PIM-SM interface statistics.
vlan-id | all    Display statistics for a specific VLAN or all VLANs.
Defaults
None.
Mode
Any router mode.
Examples
This example shows how to display PIM interface information.
C2(su)->router> show ip pimsm interface vlan 30
VLAN ID                  30
IP Address               192.168.30.1
Subnet Mask              255.255.255.0
Mode                     enable
Hello Interval (secs)    30 secs
CBSR Preference          -1
CRP Preference           -1
CBSR Hash Mask Length    30
This example shows how to display PIM interface statistics.
C2(su)->router> show ip pimsm interface stats all
                                                                Neighbor
Vlan ID    IP Address       Subnet Mask      Designated Router  count
---------  ---------------  ---------------  -----------------  ----------
6          192.168.6.2      255.255.255.0    0.0.0.0            0
7          192.168.7.1      255.255.255.0    192.168.7.1        0
8          192.168.8.1      255.255.255.0    0.0.0.0            0
30         192.168.30.1     255.255.255.0    192.168.30.2       1
Syntax
show ip pimsm neighbor [vlan-id]
Parameters
vlan-id    (Optional) Display all neighbors discovered on a specific Interface.
Mode
Any router mode.
Defaults
If the VLAN id is omitted, all neighbors of all interfaces will be displayed.
Example
This example shows how to display PIM information:
C2(su)->router> show ip pimsm neighbor
NEIGHBOR TABLE
IP Address        Up Time (hh:mm:ss)  Vlan ID
----------------  ----------          ---------
192.168.30.2      01:36:41            30
192.168.6.1       01:36:41            6
show ip pimsm rp
This command displays the PIM information for candidate Rendezvous Points (RPs) for all IP multicast groups or for a specific group address. The information in the table is displayed for each IP multicast group.
Syntax
show ip pimsm rp {group-address group-mask | all | candidate}
Parameters
group-address    The multicast group IP address.
group-mask       The multicast group address subnet mask.
all              For all known group addresses.
candidate        Display PIM-SM candidate RP table information.
Defaults
None.
Mode
Any router mode.
Examples
This example shows how to display the RP set for a specific group address.
C2(su)->router> show ip pimsm rp 224.0.0.0 240.0.0.0
RP SET TABLE
Group Address  Group Mask  Address       Hold Time   Expiry Time  Component  C-RP Priority
                                         (hh:mm:ss)  (hh:mm:ss)
-------------  ----------  ------------  ----------  -----------  ---------  -------------
224.0.0.0      240.0.0.0   192.168.30.2  00:02:15    00:02:30     1          0
This example shows how to display the candidate RPs for each group address.
C2(su)->router> show ip pimsm rp candidate
CANDIDATE RP TABLE
Group Address    Group Mask       Address
---------------  ---------------  ---------------
224.0.0.0        240.0.0.0        192.168.30.2
Syntax
show ip pimsm rphash group-address
Parameters
group-address    The Group Address for the RP.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display RP that will be selected for group address 224.0.0.0:
C2(su)->router> show ip pimsm rphash 224.0.0.0
192.168.129.223
Syntax
show ip pimsm staticrp
Parameters
None.
Mode
Any router mode.
Defaults
None.
Example
This example shows how to display PIM information.
C2(su)->router# show ip pimsm staticrp
STATIC RP TABLE
Address          Group Address    Group Mask
---------------  ---------------  ---------------
123.231.111.121  234.0.0.0        255.0.0.0
192.168.129.223  224.0.0.0        240.0.0.0
Table 20-13 provides an explanation of the command output.
Table 20-13
Output Field Address
show ip mroute
Use this command to display the IP multicast routing table.
Syntax
show ip mroute
Parameters
None.
Defaults
None.
Mode
Any router mode.
Usage
The multicast routing table shows how a multicast routing protocol, such as PIM and DVMRP, will forward a multicast packet. Information in the table includes source network/mask and upstream neighbors.
For information about DVMRP, see Configuring DVMRP on page 20-33.
Example
This example shows the output of this command.
C2(su)->router#show ip mroute
Active IP Multicast Sources
Flags: D - Dense, S - Sparse, C - Connected, L - Local,P - Pruned,
R - RP-bit set, F - Register flag, T - SPT-bit set,
Outgoing interface flags: H - Hardware switched
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode
Source Network   : 192.168.111.10
Source Mask      : 0.0.0.0
MultiCast Group  : 239.1.8.9
Uptime           : 6336
Upstream Neighbor: 0.0.0.0
Upstream Vlan    : 111
Downstream Vlans : 8
Source Network   : 192.168.111.10
Source Mask      : 0.0.0.0
MultiCast Group  : 239.1.7.105
Uptime           : 6336
Upstream Neighbor: 0.0.0.0
Upstream Vlan    : 111
Downstream Vlans : 8
Source Network   : 192.168.111.10
Source Mask      : 0.0.0.0
MultiCast Group  : 239.1.8.169
Uptime           : 6582
Upstream Neighbor: 0.0.0.0
Upstream Vlan    : 111
Downstream Vlans : 8
Source Network   : 192.168.111.10
Source Mask      : 0.0.0.0
MultiCast Group  : 239.1.4.173
Uptime           : 6582
Upstream Neighbor: 0.0.0.0
Upstream Vlan    : 111
Downstream Vlans : 8
21
IPv6 Management
This chapter describes the switch mode set of commands used to manage IPv6.
Purpose
To enable or disable the IPv6 management function, to configure and display the IPv6 host address and IPv6 gateway for the switch, and to display IPv6 status information.
Commands
For information about...    Refer to page...
show ipv6 status            21-1
set ipv6                    21-2
set ipv6 address            21-3
show ipv6 address           21-4
clear ipv6 address          21-4
set ipv6 gateway            21-5
clear ipv6 gateway          21-6
show ipv6 neighbors         21-6
show ipv6 netstat           21-7
ping ipv6                   21-8
traceroute ipv6             21-9
Syntax
show ipv6 status
Parameters
None.
Defaults
None.
Mode
Switch mode, read-only.
Example
This example shows how to display IPv6 management function status.
C2(ro)->show ipv6 status
IPv6 Administrative Mode: Disabled
set ipv6
Use this command to globally enable or disable the IPv6 management function.
Syntax
set ipv6 {enable | disable}
Parameters
enable | disable    Enable or disable the IPv6 management function.
Defaults
By default, IPv6 management is disabled.
Mode
Switch mode, read-write.
Usage
When you enable IPv6 management on the switch, the system automatically generates a link-local host address for the switch from the host MAC address. You can set a different host IPv6 address with the set ipv6 address command.
Example
This example shows how to enable IPv6 management.
C2(su)-> set ipv6 enable
C2(su)->show ipv6 status
IPv6 Administrative Mode: Enabled
C2(su)->show ipv6 address
Name      IPv6 Address
--------------------------------------------------
host      FE80::201:F4FF:FE5C:2880/64
Syntax
set ipv6 address ipv6-addr/prefix-length [eui64]
Parameters
ipv6-addr        The IPv6 address or prefix to be configured. This parameter must be in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons.
prefix-length    The length of the IPv6 prefix for this address. The value of prefix-length is a decimal number indicating the number of high-order contiguous bits of the address that comprise the network portion of the address.
eui64            (Optional) Formulate the IPv6 address using an EUI-64 ID in the lower order 64 bits of the address.
Defaults
No global unicast IPv6 address is defined by default.
Mode
Switch mode, read-write.
Usage
Use this command to manually configure a global unicast IPv6 address for IPv6 management. You can specify the address completely, or you can use the optional eui64 parameter to allow the switch to generate the lower order 64 bits of the address.
When using the eui64 parameter, you specify only the network prefix and length.
Examples
This example shows how to completely specify an IPv6 address by entering all 128 bits and the prefix:
C2(su)->set ipv6 address 2001:0db8:1234:5555::9876:2/64
C2(su)->show ipv6 address
Name      IPv6 Address
--------------------------------------------------
host      FE80::201:F4FF:FE5C:2880/64
host      2001:DB8:1234:5555::9876:2/64
This example shows how to use the eui64 parameter to configure the lower order 64 bits:
C2(su)->set ipv6 address 2001:0db8:1234:5555::/64 eui64
C2(su)->show ipv6 address
Name      IPv6 Address
--------------------------------------------------
host      FE80::201:F4FF:FE5C:2880/64
host      2001:DB8:1234:5555:201:F4FF:FE5C:2880/64
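How the addresses in the two examples above follow from the host MAC address, as an added Python example (not Enterasys code). The MAC 00:01:f4:5c:28:80 is an assumption inferred from the FE80::201:F4FF:FE5C:2880 output, and the function names are hypothetical; mac_from_eui64 shows that an EUI-64 address exposes the hardware address to anyone who sees it, which a fully specified address such as 2001:DB8:1234:5555::9876:2 does not.

```python
import ipaddress
import re


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes(int(p, 16) for p in parts)
    # Flip the universal/local bit and insert FF:FE between the two halves.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Interface:
    """Address formed from a /64 prefix plus the EUI-64 ID in the lower order 64 bits."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a /64 prefix")
    addr = ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))
    return ipaddress.IPv6Interface(f"{addr}/64")


def mac_from_eui64(address: str):
    """Recover the MAC embedded in an EUI-64 address, or None if there is none."""
    ip = ipaddress.IPv6Interface(address).ip
    iid = (int(ip) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None            # lower 64 bits were not built from a MAC
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


ASSUMED_HOST_MAC = "00:01:f4:5c:28:80"   # inferred from the page's output, not stated on it

if __name__ == "__main__":
    print(eui64_address("fe80::/64", ASSUMED_HOST_MAC))
    print(eui64_address("2001:0db8:1234:5555::/64", ASSUMED_HOST_MAC))
    for shown in ("2001:DB8:1234:5555:201:F4FF:FE5C:2880/64",
                  "2001:DB8:1234:5555::9876:2/64"):
        print(shown, "->", mac_from_eui64(shown))
```
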
Syntax
show ipv6 address
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
This command displays the IPv6 addresses configured automatically and with the set ipv6 address and set ipv6 gateway commands.
Example
This example displays three IPv6 management addresses configured for the switch.
C2(su)->show ipv6 address
Name      IPv6 Address
--------------------------------------------------
host      FE80::201:F4FF:FE5C:2880/64
host      2001:DB8:1234:5555:201:F4FF:FE5C:2880/64
gateway   FE80::201:F4FF:FE5D:1234
Syntax
clear ipv6 [address {all|ipv6-addr/prefix-length}]
Parameters
ipv6-addr        The IPv6 address to be cleared. This parameter must be in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons.
prefix-length    The length of the IPv6 prefix for this address. The value of prefix-length is a decimal number indicating the number of high-order contiguous bits of the address that comprise the network portion of the address.
all              Deletes all IPv6 global addresses.
Defaults
If address is not entered, all manually configured global IPv6 addresses are cleared.
Mode
Switch mode, read-write.
Usage
This command clears addresses manually configured with the set ipv6 address command. Use the clear ipv6 gateway command to clear the IPv6 gateway address.
Example
This example illustrates that this command clears only those IPv6 addresses configured with the set ipv6 address command. The link-local address for the host interface and the gateway address are not removed with this command.
C2(su)->show ipv6 address
Name      IPv6 Address
--------------------------------------------------
host      FE80::201:F4FF:FE5C:2880/64
host      2001:DB8:1234:5555:201:F4FF:FE5C:2880/64
host      2001:DB8:1234:5555::9876:2/64
gateway   FE80::201:F4FF:FE5D:1234
C2(su)->clear ipv6 address all
C2(su)->show ipv6 address
Name      IPv6 Address
--------------------------------------------------
host      FE80::201:F4FF:FE5C:2880/64
gateway   FE80::201:F4FF:FE5D:1234
Syntax
set ipv6 gateway ipv6-addr
Parameters
ipv6-addr    The IPv6 address to be configured. The address can be a global unicast or link-local IPv6 address, in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons.
Defaults
None.
Mode
Switch mode, read-write.
Usage
This command configures the IPv6 gateway address. Only one IPv6 gateway address can be configured for the switch, so executing this command when a gateway address has already been configured will overwrite the previously configured address.
Use the show ipv6 address command to display a configured IPv6 gateway address.
Example
This example shows how to configure an IPv6 gateway address using a link-local address.
C2(su)->set ipv6 gateway fe80::201:f4ff:fe5d:1234
C2(su)->show ipv6 address
Name      IPv6 Address
--------------------------------------------------
host      FE80::201:F4FF:FE5C:2880/64
gateway   FE80::201:F4FF:FE5D:1234
Syntax
clear ipv6 gateway
Parameters
None.
Defaults
None.
Mode
Switch mode, read-write.
Example
This example shows how to remove a configured IPv6 gateway address.
C2(su)->show ipv6 address
Name      IPv6 Address
--------------------------------------------------
host      FE80::201:F4FF:FE5C:2880/64
gateway   FE80::201:F4FF:FE5D:1234
C2(su)->clear ipv6 gateway
C2(su)->show ipv6 address
Name      IPv6 Address
--------------------------------------------------
host      FE80::201:F4FF:FE5C:2880/64
Syntax
show ipv6 neighbors
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows example output of this command.
C2(su)->show ipv6 neighbors
                                                                          Last
IPv6 Address                            MAC Address       isRtr State     Updated
--------------------------------------- ----------------- ----- -------   -------
2001:db8:1234:6666::2310:3              00:04:76:73:42:31 True  Reachable 00:01:16
Syntax
show ipv6 netstat
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows the output of this command.
C2(su)->show ipv6 netstat
Prot Local Address                  Foreign Address                  State
---- ------------------------------ -------------------------------- -----------
TCP  3333::211:88FF:FE59:4424.22    2020::D480:1384:F58C:B114.1049   ESTABLISHED
TCP  3333::211:88FF:FE59:4424.443   2020::D480:1384:F58C:B114.1056   TIME_WAIT
TCP  ::.23                          ::.*                             LISTEN
TCP  3333::211:88FF:FE59:4424.22    2020::D480:1384:F58C:B114.1050   ESTABLISHED
TCP  3333::211:88FF:FE59:4424.22    3333::2117:F1C0:90B:910D.1045    ESTABLISHED
TCP  ::.80                          ::.*                             LISTEN
TCP  ::.22                          ::.*                             LISTEN
     3333::211:88FF:FE59:4424.80    2020::D480:1384:F58C:B114.1053
     3333::211:88FF:FE59:4424.80    2020::D480:1384:F58C:B114.1054
     ::.443                         ::.*
     3333::211:88FF:FE59:4424.22    2020::D480:1384:F58C:B114.1048
     3333::211:88FF:FE59:4424.443   2020::D480:1384:F58C:B114.1055
ping ipv6
Use this command to test routing network connectivity by sending IP ping requests.
Syntax
ping ipv6-addr [size num]
Parameters
ipv6-addr    Specifies the IPv6 address of the system to ping. Enter the address in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons.
size num     (Optional) Specifies the size of the datagram packet. The value of num can range from 48 to 2048 bytes.
Defaults
None.
Mode
Switch mode, read-write.
Usage
This command is also available in router mode.
Examples
This example shows output from a successful ping to IPv6 address 2001:0db8:1234:5555::1234:1.
C2(su)->ping ipv6 2001:0db8:1234:5555::1234:1
2001:DB8:1234:5555::1234:1 is alive
This example shows output from an unsuccessful ping to IPv6 address 2001:0db8:1234:5555::1234:1.
C2(su)->ping ipv6 2001:0db8:1234:5555::1234:1
no answer from 2001:DB8:1234:5555::1234:1
traceroute ipv6
Use this command to discover the routes that packets actually take when traveling to their destination through the network on a hop-by-hop basis.
Syntax
traceroute ipv6 ipv6-addr
Parameters
ipv6-addr    Specifies a host to which the route of an IPv6 packet will be traced. Enter the address in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons.
Defaults
None.
Mode
Switch mode, read-write.
Usage
This command is also available in router mode.
Example
This example shows how to use traceroute to display a round trip path to host 2001:0db8:1234:5555
C2(su)->router#traceroute ipv6 2001:0db8:1234:5555::1
Traceroute to 2001:0db8:1234:5555, 30 hops max, 40 byte packets
1 2001:0db8:1234:5555 1.000000e+00 ms 1.000000e+00 ms 1.000000e+00 ms
22
IPv6 Proxy Routing
This chapter describes the commands used to enable IPv6 proxy routing and the suggested procedure to configure a mixed C2 and C3 stack to use IPv6 proxy routing.
For information about...                          Refer to page...
Overview                                          22-1
Preparing a Mixed Stack for IPv6 Proxy Routing    22-2
Commands                                          22-3
Overview
IPv6 proxy routing allows a mixed C2/C3 stack to support some IPv6 routing functionality. When IPv6 proxy routing is enabled, all the switches in the stack can support IPv6 unicast routing and IPv6 tunneling. You can configure port-based and VLAN-based IPv6 routing interfaces on any C2 or C3 stack unit. There is no change in existing IPv4 routing capabilities.
Since this is a function that exists only in a mixed stack, it is implemented only in the C2 firmware, release 5.01 and later. For IPv6 proxy routing to exist in the stack, a C3 unit must run as the manager of the stack. To facilitate this, the stack manager preference of C3 units should be set to a higher value than C2 units. If a C3 unit is added to an all-C2 stack, you must move the manager to a C3 unit to use this feature.
Multiple C3 units can exist in the mixed stack. All the C3 units in the mixed stack will independently perform hardware IPv6 routing/tunneling. The manager C3 unit will transparently do the hardware IPv6 routing/tunneling for all the C2 units.
When IPv6 proxy routing is enabled, the C2 being configured for routing/tunneling (called the proxy client) is configured to redirect the routed IPV6/Tunneling packets to one of the stacking ports of the C3 stack manager (called the proxy server). The C2 is only configured if the proxy feature is already enabled on the stack. It should be noted that only IPv6 packets with a destination MAC of the router MAC of the system are redirected to the proxy server.
On the proxy server, all incoming packets to the stacking ports with a destination of one of the stacking ports will be processed through L2 and L3 switching logic. If the destination port is not one of the stacking ports (not an IPv6 packet), then the incoming packet is forwarded based on header information.
This feature is disabled by default.
In order to use the OSPF, PIM, DVMRP, or VRRP protocols, you must have purchased and installed the C2 advanced routing license.
Limitations
• Proxy routing will use up to two masks in the fast forwarding processor associated with each port involved in routing of IPv6 packets. This will require restrictions on the use of policy when proxy routing is enabled.
• All IPv6 packets ingressing or egressing a C2 port must be sent over the stack to the C3 stack master. Limited stack bandwidth and the amount of IPv6 traffic must be carefully considered when configuring multiple C2 ports for IPv6 routing.
• If the stack master moves from a C3 unit to a C2 unit in the stack, proxy routing will no longer be available. To ensure that proxy routing continues to operate in the event of a failover, C3 units must be configured to be preferred when a new master is elected.
Use the show switch unit command to display switch priority (Admin Management Preference).
C2(su)->show switch 7
Switch                            7
Management Status                 Management Switch
Hardware Management Preference    Unassigned
Admin Management Preference       15
Switch Type                       C3G124-48
Preconfigured Model Identifier    C3G124-48
Plugged-in Model Identifier       C3G124-48
Switch Status                     OK
Switch Family                     XGS3
Switch Description
Detected Code Version             05.02.00.0031
Detected Code in Flash            05.02.00.0031
Detected Code in Back Image       05.01.06.0006
Up Time                           0 days 0 hrs 13 mins 9 secs
Commands
For information about...    Refer to page...
ipv6 proxy-routing          22-3
show ipv6 proxy-routing     22-3
ipv6 proxy-routing
Use this command to enable or disable IPv6 proxy routing on a mixed C2/C3 stack.
Syntax
ipv6 proxy-routing
no ipv6 proxy-routing
Parameters
None.
Defaults
IPv6 proxy routing is disabled by default.
Mode
Router global configuration: C2(su)->router(Config)#
Usage
IPv6 proxy routing is disabled by default. It must be enabled with this command before the C2 switches in the stack will start redirecting routed IPv6/tunneling packets to the C3 proxy server. Use the no form of this command to disable IPv6 proxy routing.
Example
This example enables IPv6 proxy routing.
c2(su)->router
c2(su)->router>enable
c2(su)->router#config
Enter configuration commands:
c2(su)->router(Config)#ipv6 proxy-routing
Syntax
show ipv6 proxy-routing
Parameters
None.
Defaults
None.
Mode
Any routing mode.
Example
This example shows the output of this command when IPv6 proxy routing is disabled.
c2(su)->router(Config)#show ipv6 proxy-routing
IPv6 Proxy Routing Mode................................... Disable
23
Authentication and Authorization Configuration
This chapter describes the authentication and authorization commands and how to use them.
For information about...                                Refer to page...
Overview of Authentication and Authorization Methods    23-1
Configuring RADIUS                                      23-3
Configuring 802.1X Authentication                       23-11
Configuring MAC Authentication                          23-21
Configuring Multiple Authentication Methods             23-33
Configuring VLAN Authorization (RFC 3580)               23-45
Configuring MAC Locking                                 23-50
Configuring Port Web Authentication (PWA)               23-61
Configuring Secure Shell (SSH)                          23-73
Configuring Access Lists                                23-75
• MAC Authentication provides a mechanism for administrators to securely authenticate source MAC addresses and grant appropriate access to end user devices communicating with SecureStack C2 ports. For details, refer to Configuring MAC Authentication on page 23-21.
• Multiple Authentication Methods allows users to authenticate using multiple methods of authentication on the same port. For details, refer to Configuring Multiple Authentication Methods on page 23-33.
• Multi-User Authentication - User + IP Phone. The User + IP Phone authentication feature supports authentication and authorization of two devices, specifically a PC cascaded with an IP phone, on a single port on the C2. The IP phone must authenticate using MAC or 802.1X authentication, but the user may authenticate by any method. This feature allows both the user's PC and IP phone to simultaneously authenticate on a single port and each receive a unique level of network access. For details, refer to Configuring Multi-User Authentication (User + IP phone) on page 23-33.
• RFC 3580 Tunnel Attributes provide a mechanism to contain an 802.1X authenticated or MAC authenticated user to a VLAN regardless of the PVID. Up to six users can be configured per Gigabit port. Refer to Configuring VLAN Authorization (RFC 3580) on page 23-45.
Notes: The C2 supports up to six authenticated users per port. The C2 cannot simultaneously support Policy and RFC 3580 on the same port. If multiple users are configured to use a port, and the C2 is then switched from "policy" mode to "tunnel" mode (RFC3580 VLAN to port mapping), the total number of users supported to use a port will be reset to one. RFC-3580 VLAN authorization is not supported by PWA authentication.
MAC Locking locks a port to one or more MAC addresses, preventing the use of unauthorized devices and MAC spoofing on the port. For details, refer to "Configuring MAC Locking" on page 23-50.

Port Web Authentication (PWA) passes all login information from the end station to a RADIUS server for authentication before allowing a user to access the network. PWA is an alternative to 802.1X and MAC authentication. For details, refer to "Configuring Port Web Authentication (PWA)" on page 23-61.

Secure Shell (SSH) provides secure Telnet. For details, refer to "Configuring Secure Shell (SSH)" on page 23-73.

IP Access Lists (ACLs) permit or deny access to routing interfaces based on protocol and inbound and/or outbound IP address restrictions configured in access lists. For details, refer to "Configuring Access Lists" on page 23-75.

Configuring RADIUS
Purpose
To perform the following:
  Review the RADIUS client/server configuration on the switch.
  Enable or disable the RADIUS client.
  Set local and remote login options.
  Set primary and secondary server parameters, including IP address, timeout period, authentication realm, and number of user login attempts allowed.
  Reset RADIUS server settings to default values.
  Configure a RADIUS accounting server.
Commands
For information about...      Refer to page...
show radius                   23-4
set radius                    23-5
clear radius                  23-7
show radius accounting        23-7
set radius accounting         23-8
clear radius accounting       23-9
show radius
Use this command to display the current RADIUS client/server configuration.
Syntax
show radius [status | retries | timeout | server [index | all]]
Parameters
status        (Optional) Displays the RADIUS server's enable status.
retries       (Optional) Displays the number of retry attempts before the RADIUS server times out.
timeout       (Optional) Displays the maximum amount of time (in seconds) to establish contact with the RADIUS server before retry attempts begin.
server        (Optional) Displays RADIUS server configuration information.
index | all   For use with the server parameter to show server configuration for all servers or a specific RADIUS server as defined by an index.
Defaults
If no parameters are specified, all RADIUS configuration information will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display RADIUS configuration information:
C2(rw)->show radius
RADIUS status: Enabled
RADIUS retries: 3
RADIUS timeout: 20 seconds
RADIUS Server   IP Address      Auth-Port   Realm-Type
-------------   ----------      ---------   -----------------
10              172.16.20.10    1812        management-access

Table 23-1 provides an explanation of the command output.
Table 23-1
Output Field
RADIUS timeout
set radius
Use this command to enable, disable, or configure RADIUS authentication.
Syntax
set radius {enable | disable} | {retries number-of-retries} | {timeout timeout} | {server index ip-address port [secret-value] [realm {management-access | any | network-access}]} | {realm {management-access | any | network-access} {index | all}}
Parameters
enable | disable               Enables or disables the RADIUS client.
retries number-of-retries      Specifies the number of retry attempts before the RADIUS server times out. Valid values are from 0 to 10. Default is 3.
timeout timeout                Specifies the maximum amount of time (in seconds) to establish contact with the RADIUS server before retry attempts begin. Valid values are from 1 to 30. Default is 20 seconds.
server index ip-address port   Specifies the index number, IP address and the UDP authentication port for the RADIUS server.
secret-value                   (Optional) Specifies an encryption key to be used for authentication between the RADIUS client and server.
Note: If the management-access or any access realm has been configured, the local admin account is disabled for access to the switch using the console, Telnet, or Local Management. Only the network-access realm allows access to the local admin account.
index | all                    Applies the realm setting to a specific server or to all servers.
Defaults
If secret-value is not specified, none will be applied.
If realm is not specified, the any access realm will be used.
Mode
Switch command, read-write.
Usage
The SecureStack C2 device allows up to 10 RADIUS accounting servers to be configured, with up to two servers active at any given time.
The RADIUS client can only be enabled on the switch once a RADIUS server is online, and its IP address(es) has been configured with the same password the RADIUS client will use.
Note: If RADIUS is configured with no host IP address on the device, it will use the loopback interface 0 IP address (if it has been configured) as its source for the NAS-IP attribute. For information about configuring loopback interfaces, refer to interface on page 19-2.
Examples
This example shows how to enable the RADIUS client for authenticating with RADIUS server 1 at IP address 192.168.6.203, UDP authentication port 1812, and an authentication password of "pwsecret". As previously noted, the "server secret" password entered here must match that already configured as the Read-Write (rw) password on the RADIUS server:
C2(su)->set radius server 1 192.168.6.203 1812 pwsecret
This example shows how to set the RADIUS timeout to 5 seconds:
C2(su)->set radius timeout 5
This example shows how to set RADIUS retries to 10:
C2(su)->set radius retries 10
clear radius
Use this command to clear RADIUS server settings.
Syntax
clear radius [retries] | [timeout] | [server {index | all | realm {index | all}}]
Parameters
retries       Resets the maximum number of attempts a user can contact the RADIUS server before timing out to 3.
timeout       Resets the maximum amount of time to establish contact with the RADIUS server before timing out to 20 seconds.
server        Deletes server settings.
index | all   For use with the server parameter to clear the server configuration for all servers or a specific RADIUS server as defined by an index.
realm         Resets the realm setting for all servers or a specific RADIUS server as defined by an index.
Mode
Switch command, read-write.
Defaults
None.
Examples
This example shows how to clear all settings on all RADIUS servers:
C2(su)->clear radius server all
This example shows how to reset the RADIUS timeout to the default value of 20 seconds:
C2(su)->clear radius timeout
Syntax
show radius accounting [server] | [counter ip-address] | [retries] | [timeout]
Parameters
server               (Optional) Displays one or all RADIUS accounting server configurations.
counter ip-address   (Optional) Displays counters for a RADIUS accounting server.
retries              (Optional) Displays the maximum number of attempts to contact the RADIUS accounting server before timing out.
timeout              (Optional) Displays the maximum amount of time before timing out.
Mode
Switch command, read-only.
Defaults
If no parameters are specified, all RADIUS accounting configuration information will be displayed.
Example
This example shows how to display RADIUS accounting configuration information. In this case, RADIUS accounting is not currently enabled and global default settings have not been changed. One server has been configured.
For details on enabling and configuring RADIUS accounting, refer to "set radius accounting" on page 23-8:
C2(ro)->show radius accounting
RADIUS accounting status: Disabled
RADIUS Acct Server   IP Address    Acct-Port   Retries   Timeout   Status
------------------   ----------    ---------   -------   -------   ------
1                    172.16.2.10   1856        3         20        Disabled
Syntax
set radius accounting {[enable | disable] [retries retries] [timeout timeout] [server ip_address port [server-secret]]}
Parameters
enable | disable                       Enables or disables the RADIUS accounting client.
retries retries                        Sets the maximum number of attempts to contact a specified RADIUS accounting server before timing out. Valid retry values are 0-10.
timeout timeout
server ip_address port server-secret
Mode
Switch command, read-write.
Defaults
None.
Examples
This example shows how to enable the RADIUS accounting client for authenticating with the accounting server at IP address 10.2.4.12, UDP authentication port 1800. As previously noted, the "server secret" password entered here must match that already configured as the Read-Write (rw) password on the RADIUS accounting server:
C2(su)->set radius accounting server 10.2.4.12 1800
Enter secret:
Re-enter secret:
This example shows how to set the RADIUS accounting timeout to 30 seconds:
C2(su)->set radius accounting timeout 30
This example shows how to set RADIUS accounting retries to 10:
C2(su)->set radius accounting retries 10
Syntax
clear radius accounting {server ip-address | retries | timeout | counter}
Parameters
server ip-address   Clears the configuration on one or more accounting servers.
retries             Resets the retries to the default value of 3.
timeout             Resets the timeout to 5 seconds.
counter             Clears counters.
Mode
Switch command, read-write.
Defaults
None.
Example
This example shows how to reset the RADIUS accounting timeout to 5 seconds.
C2(su)->clear radius accounting timeout
Commands
For information about...      Refer to page...
show dot1x                    23-11
show dot1x auth-config        23-13
set dot1x                     23-14
set dot1x auth-config         23-15
clear dot1x auth-config       23-16
show eapol                    23-17
set eapol                     23-19
clear eapol                   23-19
show dot1x
Use this command to display 802.1X status, diagnostics, statistics, and reauthentication or initialization control information for one or more ports.
Syntax
show dot1x [auth-diag] [auth-stats] [port [init | reauth]] [port-string]
Parameters
auth-diag            (Optional) Displays authentication diagnostics information.
auth-stats           (Optional) Displays authentication statistics.
port init | reauth   (Optional) Displays the status of port initialization and reauthentication control for the port.
port-string          (Optional) Displays information for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If no parameters are specified, 802.1X status will be displayed.
If port-string is not specified, information for all ports will be displayed.
Mode
Switch command, read-only.
Examples
This example shows how to display 802.1X status:
C2(su)->show dot1x
DOT1X is disabled.
This example shows how to display authentication diagnostics information for fe.1.1:
C2(su)->show dot1x auth-diag fe.1.1
Port : 1 Auth-Diag
Enter Connecting:                   0
EAP Logoffs While Connecting:       0
Enter Authenticating:               0
Success While Authenticating        0
Timeouts While Authenticating:      0
Fails While Authenticating:         0
ReAuths While Authenticating:       0
EAP Starts While Authenticating:    0
EAP logoff While Authenticating:    0
Backend Responses:                  0
Backend Access Challenges:          0
Backend Others Requests To Supp:    0
Backend NonNak Responses From:      0
Backend Auth Successes:             0
Backend Auth Fails:                 0
This example shows how to display authentication statistics for fe.1.1:
C2(su)->show dot1x auth-stats fe.1.1
Port: 1 Auth-Stats
EAPOL Frames Rx:                0
EAPOL Frames Tx:                0
EAPOL Start Frames Rx:          0
EAPOL Logoff Frames Rx:         0
EAPOL RespId Frames Rx:         0
EAPOL Resp Frames Rx:           0
EAPOL Req Frames Tx:            0
EAP Length Error Frames Rx:     0
Last EAPOL Frame Version:       0
Last EAPOL Frame Source:        00:00:00:00:00:00
This example shows how to display the status of port reauthentication control for fe.1.1 through fe.1.6:
C2(su)->show dot1x port reauth fe.1.1-6
Port 1: Port reauthenticate: FALSE
Port 2: Port reauthenticate: FALSE
Port 3: Port reauthenticate: FALSE
Port 4: Port reauthenticate: FALSE
Port 5: Port reauthenticate: FALSE
Port 6: Port reauthenticate: FALSE
Syntax
show dot1x auth-config [authcontrolled-portcontrol] [maxreq] [quietperiod] [reauthenabled] [reauthperiod] [servertimeout] [supptimeout] [txperiod] [port-string]
Parameters
authcontrolled-portcontrol   (Optional) Displays the current value of the controlled Port control parameter for the port.
maxreq                       (Optional) Displays the value set for maximum requests currently in use by the backend authentication state machine.
quietperiod                  (Optional) Displays the value set for quiet period currently in use by the authenticator PAE state machine.
reauthenabled                (Optional) Displays the state of reauthentication control used by the Reauthentication Timer state machine.
reauthperiod                 (Optional) Displays the value, in seconds, set for the reauthentication period used by the reauthentication timer state machine.
servertimeout                (Optional) Displays the server timeout value, in seconds, currently in use by the backend authentication state machine.
supptimeout                  (Optional) Displays the authentication supplicant timeout value, in seconds, currently in use by the backend authentication state machine.
txperiod                     (Optional) Displays the transmission period value, in seconds, currently in use by the authenticator PAE state machine.
port-string                  (Optional) Limits the display of desired information to specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If no parameters are specified, all 802.1X settings will be displayed.
If port-string is not specified, information for all ports will be displayed.
Mode
Switch command, read-only.
Examples
This example shows how to display the EAPOL port control mode for fe.1.1:
C2(su)->show dot1x auth-config authcontrolled-portcontrol fe.1.1
Port 1: Auth controlled port control: Auto
This example shows how to display the 802.1X quiet period settings for fe.1.1:
C2(su)->show dot1x auth-config quietperiod fe.1.1
Port 1: Quiet period: 30
This example shows how to display all 802.1X authentication configuration settings for ge.1.1:
C2(ro)->show dot1x auth-config ge.1.1
Port : 1 Auth-Config
PAE state:
Backend auth state:
Admin controlled directions:
Oper controlled directions:
Auth controlled port status:
Auth controlled port control:
Quiet period:
Transmission period:
Supplicant timeout:
Server timeout:
Maximum requests:
Reauthentication period:
Reauthentication control:
set dot1x
Use this command to enable or disable 802.1X authentication, to reauthenticate one or more access entities, or to reinitialize one or more supplicants.
Syntax
set dot1x {enable | disable | port {init | reauth} {true | false} [port-string]}
Parameters
enable | disable   Enables or disables 802.1X.
port               Enable or disable 802.1X reauthentication or initialization control on one or more ports.
init | reauth      Configure initialization or reauthentication control.
true | false       Enable (true) or disable (false) reinitialization/reauthentication.
port-string        (Optional) Specifies the port(s) to reinitialize or reauthenticate.
Defaults
If no ports are specified, the reinitialization or reauthentication setting will be applied to all ports.
Mode
Switch command, read-write.
Usage
Disabling 802.1X authentication globally, by not entering a specific port-string value, will enable the EAP pass-through feature. EAP pass-through allows client authentication packets to be forwarded unmodified through the switch to an upstream device.
Examples
This example shows how to enable 802.1X:
C2(su)->set dot1x enable
This example shows how to reinitialize ge.1.2:
C2(rw)->set dot1x port init true ge.1.2
Syntax
set dot1x auth-config {[authcontrolled-portcontrol {auto | forced-auth | forced-unauth}] [maxreq value] [quietperiod value] [reauthenabled {false | true}] [reauthperiod value] [servertimeout timeout] [supptimeout timeout] [txperiod value]} [port-string]
Parameters
authcontrolled-portcontrol auto | forced-auth | forced-unauth
                         Specifies the 802.1X port control mode.
                         auto: Set port control mode to auto controlled port control. This is the default value.
                         forced-auth: Set port control mode to Forced Authorized controlled port control.
                         forced-unauth: Set port control mode to Forced Unauthorized controlled port control.
maxreq value             Specifies the maximum number of authentication requests allowed by the backend authentication state machine. Valid values are 1-10. Default value is 2.
quietperiod value        Specifies the time (in seconds) following a failed authentication before another attempt can be made by the authenticator PAE state machine. Valid values are 0-65535. Default value is 60 seconds.
reauthenabled false | true
                         Enables (true) or disables (false) reauthentication control of the reauthentication timer state machine. Default value is false.
reauthperiod value       Specifies the time lapse (in seconds) between attempts by the reauthentication timer state machine to reauthenticate a port. Valid values are 0-65535. Default value is 3600 seconds.
servertimeout timeout    Specifies a timeout period (in seconds) for the authentication server, used by the backend authentication state machine. Valid values are 1-300. Default value is 30 seconds.
supptimeout timeout      Specifies a timeout period (in seconds) for the authentication supplicant used by the backend authentication state machine. Valid values are 1-300. Default value is 30 seconds.
txperiod value           Specifies the period (in seconds) which passes between authenticator PAE state machine EAP transmissions. Valid values are 0-65535. Default value is 30 seconds.
port-string              (Optional) Limits the configuration of desired settings to specified port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, authentication parameters will be set on all ports.
Mode
Switch command, read-write.
Examples
This example shows how to enable reauthentication control on ports fe.1.1-3:
C2(su)->set dot1x auth-config reauthenabled true fe.1.1-3
This example shows how to set the 802.1X quiet period to 120 seconds on ports fe.1.1-3:
C2(su)->set dot1x auth-config quietperiod 120 fe.1.1-3
Syntax
clear dot1x auth-config [authcontrolled-portcontrol] [maxreq] [quietperiod] [reauthenabled] [reauthperiod] [servertimeout] [supptimeout] [txperiod] [port-string]
Parameters
authcontrolled-portcontrol   (Optional) Resets the 802.1X port control mode to auto.
maxreq                       (Optional) Resets the maximum requests value to 2.
quietperiod                  (Optional) Resets the quiet period value to 60 seconds.
reauthenabled                (Optional) Resets the reauthentication control state to disabled (false).
reauthperiod                 (Optional) Resets the reauthentication period value to 3600 seconds.
servertimeout                (Optional) Resets the server timeout value to 30 seconds.
supptimeout                  (Optional) Resets the authentication supplicant timeout value to 30 seconds.
txperiod                     (Optional) Resets the transmission period value to 30 seconds.
port-string                  (Optional) Resets settings on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If no parameters are specified, all authentication parameters will be reset.
If port-string is not specified, parameters will be set on all ports.
Mode
Switch command, read-write.
Examples
This example shows how to reset the 802.1X port control mode to auto on all ports:
C2(su)->clear dot1x auth-config authcontrolled-portcontrol
This example shows how to reset reauthentication control to disabled on ports fe.1.1-3:
C2(su)->clear dot1x auth-config reauthenabled fe.1.1-3
This example shows how to reset the 802.1X quiet period to 60 seconds on ports fe.1.1-3:
C2(su)->clear dot1x auth-config quietperiod fe.1.1-3
show eapol
Use this command to display EAPOL status or settings for one or more ports.
Syntax
show eapol [port-string]
Parameters
port-string   (Optional) Displays EAPOL status for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, only EAPOL enable status will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display EAPOL status for ports fe.1.1-3:
C2(su)->show eapol fe.1.1-3
EAPOL is disabled.
Port       Authentication State   Authentication Mode
--------   --------------------   --------------------
fe.1.1     Initialize             Auto
fe.1.2     Initialize             Auto
fe.1.3     Initialize             Auto
Table 23-2
Output Field Port
Authentication State
authentication is disabled, authentication is enabled and the port is not linked, or authentication is enabled and the port is linked. (In this case very little time is spent in this state, it immediately transitions to the connecting state, via disconnected.)
disconnected: The port passes through this state on its way to connected whenever the port is reinitialized, via link state change, reauthentication failure, or management intervention.
connecting: While in this state, the authenticator sends request/ID messages to the end user.
authenticating: The port enters this state from connecting after receiving a response/ID from the end user. It remains in this state until the entire authentication exchange between the end user and the authentication server completes.
authenticated: The port enters this state from authenticating state after the exchange completes with a favorable result. It remains in this state until linkdown, logoff, or until a reauthentication begins.
aborting: The port enters this state from authenticating when any event occurs that interrupts the login exchange.
held: After any login failure the port remains in this state for the number of seconds equal to quietPeriod (can be set using MIB).
forceAuth: Management is allowing normal, unsecured switching on this port.
forceUnauth: Management is preventing any frames from being forwarded to or from this port.

Authentication Mode
Mode enabling network access for each port. Modes include:
Auto: Frames are forwarded according to the authentication state of each port.
Forced Authorized Mode: Meant to disable authentication on a port. It is intended for ports that support ISLs and devices that cannot authenticate, such as printers and file servers. If a default policy is applied to the port via the policy profile MIB, then frames are forwarded according to the configuration set by that policy, otherwise frames are forwarded according to the current configuration for that port. Authentication using 802.1X is not possible on a port in this mode.
Forced Unauthorized Mode: All frames received on the port are discarded by a filter. Authentication using 802.1X is not possible on a port in this mode.
set eapol
Use this command to enable or disable EAPOL port-based user authentication with the RADIUS server and to set the authentication mode for one or more ports.
Syntax
set eapol [enable | disable] [auth-mode {auto | forced-auth | forced-unauth} port-string]
Parameters
enable | disable   Enables or disables EAPOL.
auth-mode auto | forced-auth | forced-unauth
                   Specifies the authentication mode as:
                   auto: Auto authorization mode. This is the default mode and will forward frames according to the authentication state of the port. For details on this mode, refer to Table 23-2.
                   forced-auth: Forced authorized mode, which disables authentication on the port.
                   forced-unauth: Forced unauthorized mode, which filters and discards all frames received on the port.
port-string
Defaults
None.
Mode
Switch command, read-write.
Examples
This example shows how to enable EAPOL:
C2(su)->set eapol enable
This example shows how to enable EAPOL with forced authorized mode on port fe.1.1:
C2(su)->set eapol auth-mode forced-auth fe.1.1
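Several settings described above weaken or bypass port authentication when left in place: a RADIUS server entered without secret-value, a management-access or any realm, 802.1X disabled globally, and ports in forced-auth mode. The following Python check over a saved command list is an added example, not Enterasys code; the rule names and the sample configuration are constructed for illustration, and each rule message restates behaviour documented in this chapter.

```python
import re

# Constructed sample: command forms come from this chapter, values are invented.
SAMPLE_CONFIG = """\
C2(su)->set radius server 1 192.168.6.203 1812 pwsecret
C2(su)->set radius server 2 172.16.20.10 1812
C2(su)->set radius server 3 10.2.4.12 1812 pwsecret realm network-access
C2(su)->set radius enable
C2(su)->set dot1x disable
C2(su)->set eapol enable
C2(su)->set eapol auth-mode forced-auth fe.1.1
C2(su)->set eapol auth-mode auto fe.1.2
C2(su)->set eapol auth-mode forced-unauth fe.1.3
C2(su)->set radius realm any 3
"""

PROMPT = re.compile(r"^\S+\((?:su|rw|ro)\)->")   # e.g. "C2(su)->"
REALMS = ("management-access", "any", "network-access")
LOCAL_ADMIN_MSG = ("realm '{}' disables the local admin account for console, "
                   "Telnet and Local Management access")


def parse_radius_server(args):
    """Parse the tokens after 'set radius server':
    index ip-address port [secret-value] [realm <realm>]."""
    if len(args) < 3:
        raise ValueError("expected: index ip-address port")
    server = {"index": args[0], "ip": args[1], "port": int(args[2]),
              "secret": None, "realm": "any"}   # 'any' is the documented default
    rest = args[3:]
    if rest and rest[0] != "realm":
        server["secret"] = rest[0]
        rest = rest[1:]
    if rest:
        if len(rest) != 2 or rest[0] != "realm" or rest[1] not in REALMS:
            raise ValueError("bad realm clause: " + " ".join(rest))
        server["realm"] = rest[1]
    return server


def audit(config_text):
    """Return (line number, rule name, message) for each risky command."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        tokens = PROMPT.sub("", raw.strip()).split()
        if tokens[:3] == ["set", "radius", "server"]:
            srv = parse_radius_server(tokens[3:])
            if srv["secret"] is None:
                findings.append((lineno, "RADIUS-NO-SECRET",
                                 f"server {srv['index']} ({srv['ip']}) has no "
                                 "secret-value, so none will be applied"))
            if srv["realm"] != "network-access":
                findings.append((lineno, "RADIUS-LOCAL-ADMIN-DISABLED",
                                 LOCAL_ADMIN_MSG.format(srv["realm"])))
        elif tokens[:3] == ["set", "radius", "realm"] and len(tokens) >= 4:
            if tokens[3] in ("management-access", "any"):
                findings.append((lineno, "RADIUS-LOCAL-ADMIN-DISABLED",
                                 LOCAL_ADMIN_MSG.format(tokens[3])))
        elif tokens == ["set", "dot1x", "disable"]:
            findings.append((lineno, "DOT1X-PASSTHROUGH",
                             "802.1X disabled globally: EAP pass-through forwards "
                             "client authentication packets unmodified upstream"))
        elif tokens[:2] == ["set", "eapol"] and "auth-mode" in tokens:
            i = tokens.index("auth-mode")
            mode = tokens[i + 1] if len(tokens) > i + 1 else None
            port = tokens[i + 2] if len(tokens) > i + 2 else "(no port-string)"
            if mode == "forced-auth":
                findings.append((lineno, "EAPOL-FORCED-AUTH",
                                 f"{port} is forced-authorized: authentication "
                                 "is disabled on the port"))
    return findings


if __name__ == "__main__":
    for lineno, rule, message in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {rule}: {message}")
```
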
clear eapol
Use this command to globally clear the EAPOL authentication mode, or to clear settings for one or more ports.
Syntax
clear eapol [auth-mode] [port-string]
Parameters
auth-mode     (Optional) Globally clears the EAPOL authentication mode.
port-string   Specifies the port(s) on which to clear EAPOL parameters. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If auth-mode is not specified, all EAPOL settings will be cleared.
If port-string is not specified, settings will be cleared for all ports.
Mode
Switch command, read-write.
Example
This example shows how to clear the EAPOL authentication mode for port ge.1.3:
C2(su)->clear eapol auth-mode ge.1.3
Commands
For information about...                     Refer to page...
show macauthentication                       23-21
show macauthentication session               23-23
set macauthentication                        23-24
set macauthentication password               23-24
clear macauthentication password             23-25
set macauthentication port                   23-25
set macauthentication portinitialize         23-26
set macauthentication portquietperiod        23-26
clear macauthentication portquietperiod      23-27
set macauthentication macinitialize          23-27
set macauthentication reauthentication       23-28
set macauthentication portreauthenticate     23-28
set macauthentication macreauthenticate      23-29
set macauthentication reauthperiod           23-29
clear macauthentication reauthperiod         23-30
set macauthentication significant-bits       23-31
clear macauthentication significant-bits     23-31
show macauthentication
Use this command to display MAC authentication information for one or more ports.
Syntax
show macauthentication [port-string]
Parameters
port-string   (Optional) Displays MAC authentication information for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, MAC authentication information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display MAC authentication information for ge.2.1 through 8:
C2(su)->show macauthentication ge.2.1-8
MAC authentication:             - enabled
MAC user password:              - NOPASSWORD
Port username significant bits  - 48
Port     Port State   Reauth Period   Auth Allowed   Auth Allocated   Reauthentications
-------  ----------   -------------   ------------   --------------   -----------------
ge.2.1   disabled     3600            1              1                disabled
ge.2.2   disabled     3600            1              1                disabled
ge.2.3   disabled     3600            1              1                disabled
ge.2.4   disabled     3600            1              1                disabled
ge.2.5   disabled     3600            1              1                disabled
ge.2.6   disabled     3600            1              1                disabled
ge.2.7   disabled     3600            1              1                disabled
ge.2.8   disabled     3600            1              1                disabled
Table 23-3
Output Field
Syntax
show macauthentication session
Parameters
None.
Defaults
If port-string is not specified, MAC session information will be displayed for all MAC authentication ports.
Mode
Switch command, read-only.
Usage
Changing the Reauth Period with the set macauthentication reauthperiod command does not affect current sessions. New sessions display the correct period.
Example
This example shows how to display MAC session information:
C2(su)->show macauthentication session
Port     MAC Address         Duration     Reauth Period   Reauthentications
-----    -----------------   ----------   -------------   -----------------
ge.1.2   00:60:97:b5:4c:07   0,00:52:31   3600            disabled
Table 23-4
Output Field Duration
Reauth Period
Reauthentications
set macauthentication
Use this command to globally enable or disable MAC authentication.
Syntax
set macauthentication {enable | disable}
Parameters
enable | disable   Globally enables or disables MAC authentication.
Mode
Switch command, read-write.
Defaults
None.
Example
This example shows how to globally enable MAC authentication:
C2(su)->set macauthentication enable
Syntax
set macauthentication password password
Parameters
password   Specifies a text string MAC authentication password.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the MAC authentication password to "macauth":
C2(su)->set macauthentication password macauth
Syntax
clear macauthentication password
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the MAC authentication password:
C2(su)->clear macauthentication password
Syntax
set macauthentication port {enable | disable} port-string
Parameters
enable | disable   Enables or disables MAC authentication.
port-string        Specifies port(s) on which to enable or disable MAC authentication. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Usage
Enabling port(s) for MAC authentication requires globally enabling MAC authentication on the switch as described in "set macauthentication" on page 23-24, and then enabling it on a port-by-port basis. By default, MAC authentication is globally disabled and disabled on all ports.
Example
This example shows how to enable MAC authentication on ge.2.1 through 5:
C2(su)->set macauthentication port enable ge.2.1-5
Syntax
set macauthentication portinitialize port-string
Parameters
port-string   Specifies the MAC authentication port(s) to reinitialize. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to force ge.2.1 through 5 to initialize:
C2(su)->set macauthentication portinitialize ge.2.1-5
Syntax
set macauthentication portquietperiod time port-string
Parameters
time          Period in seconds to wait after a failed authentication. By default, this is 30 seconds.
port-string   Specifies the ports for which the quiet period is to be applied. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets port 1 to wait 5 seconds after a failed authentication attempt before a new attempt can be made:
C2(su)->set macauthentication portquietperiod 5 ge.1.1
Syntax
clear macauthentication portquietperiod [port-string]
Parameters
port-string   (Optional) Specifies the ports for which the quiet period is to be reset. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If a port-string is not specified then all ports will be set to the default port quiet period.
Mode
Switch command, read-write.
Example
This example resets the default quiet period on port 1:
C2(su)->clear macauthentication portquietperiod ge.1.1
Syntax
set macauthentication macinitialize mac-addr
Parameters
mac-addr   Specifies the MAC address of the session to reinitialize.
Mode
Switch command, read-write.
Defaults
None.
Example
This example shows how to force the MAC authentication session for address 00-60-97-b5-4c-07 to reinitialize:
C2(su)->set macauthentication macinitialize 00-60-97-b5-4c-07
Syntax
set macauthentication reauthentication {enable | disable} port-string
Parameters
enable | disable   Enables or disables MAC reauthentication.
port-string        Specifies port(s) on which to enable or disable MAC reauthentication. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable MAC reauthentication on ge.4.1 through 5:
C2(su)->set macauthentication reauthentication enable ge.4.1-5
Syntax
set macauthentication portreauthenticate port-string
Parameters
port-string   Specifies MAC authentication port(s) to be reauthenticated. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to force ge.2.1 through 5 to reauthenticate:
C2(su)->set macauthentication portreauthenticate ge.2.1-5
Syntax
set macauthentication macreauthenticate mac-addr
Parameters
mac-addr   Specifies the MAC address of the session to reauthenticate.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to force the MAC authentication session for address 00-60-97-b5-4c-07 to reauthenticate:
C2(su)->set macauthentication macreauthenticate 00-60-97-b5-4c-07
Syntax
set macauthentication reauthperiod time port-string
Parameters
time          Specifies the number of seconds between reauthentication attempts. Valid values are 1-4294967295.
port-string   Specifies the port(s) on which to set the MAC reauthentication period. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Usage
Changing the Reauth Period with the set macauthentication reauthperiod command does not affect current sessions. New sessions will use the correct period.
Example
This example shows how to set the MAC reauthentication period to 7200 seconds (2 hours) on ge.2.1 through 5:
C2(su)->set macauthentication reauthperiod 7200 ge.2.1-5
Syntax
clear macauthentication reauthperiod [port-string]
Parameters
port-string   (Optional) Clears the MAC reauthentication period on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, the reauthentication period will be cleared on all ports.
Mode
Switch command, read-write.
Example
This example shows how to globally clear the MAC reauthentication period:
C2(su)->clear macauthentication reauthperiod
Syntax
set macauthentication significant-bits number
Parameters
number   Specifies the number of significant bits to be used for authentication.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command allows you to specify a mask to apply to MAC addresses when authenticating users through a RADIUS server. The most common use of significant bit masks is for authentication of all MAC addresses for a specific vendor.
On switches using MAC authentication, the MAC address of a user attempting to log in is sent to the RADIUS server as the user name. If access is denied, and if a significant bit mask has been configured (other than 48) with this command, the switch will apply the mask and resend the masked address to the RADIUS server. For example, if a user with MAC address of 00-16-CF-12-34-56 is denied access, and a 32 bit mask has been configured, the switch will apply the mask and resend a MAC address of 00-16-CF-12-00-00 to the RADIUS server.
To use a significant bits mask for authentication of devices by a particular vendor, specify a 24-bit mask, to mask out everything except the vendor portion of the MAC address.
Example
This example sets the MAC authentication significant bits mask to 24.
C2(su)->set macauthentication significant-bits 24
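The mask-and-resend behaviour in the Usage section above, worked through as an added Python example (not Enterasys code). It also counts how many addresses a single masked RADIUS entry admits, which is the figure to review before shortening the mask. The function names are hypothetical, and the hyphen-separated uppercase user name format follows the notation of this chapter as an assumption about what the RADIUS server receives.

```python
import re

MAC_BITS = 48


def parse_mac(text):
    """Accept 00-16-CF-12-34-56, 00:16:cf:12:34:56 or 0016.cf12.3456."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value):
    raw = f"{value:012X}"
    return "-".join(raw[i:i + 2] for i in range(0, 12, 2))


def mask_mac(mac, significant_bits):
    """Keep the leading significant_bits of the address and zero the rest."""
    if not 0 <= significant_bits <= MAC_BITS:
        raise ValueError("significant bits must be between 0 and 48")
    keep = ((1 << significant_bits) - 1) << (MAC_BITS - significant_bits)
    return format_mac(parse_mac(mac) & keep)


def radius_usernames(mac, significant_bits):
    """User names in the order they are tried: the full address first, then
    the masked address (sent only if the first is denied and the mask is
    not 48)."""
    full = format_mac(parse_mac(mac))
    if significant_bits == MAC_BITS:
        return [full]
    return [full, mask_mac(mac, significant_bits)]


def authenticates(device_mac, significant_bits, radius_users):
    """True if any user name sent for device_mac exists on the server.
    The shared MAC authentication password is assumed to match."""
    known = {format_mac(parse_mac(u)) for u in radius_users}
    return any(n in known for n in radius_usernames(device_mac, significant_bits))


def exposure_report(radius_users, significant_bits):
    """Number of distinct device addresses each server entry admits."""
    report = {}
    for user in radius_users:
        entry = format_mac(parse_mac(user))
        is_masked_form = mask_mac(entry, significant_bits) == entry
        report[entry] = (1 << (MAC_BITS - significant_bits)) if is_masked_form else 1
    return report


if __name__ == "__main__":
    # Constructed server entries: one vendor-wide entry, one single device.
    users = {"00-16-CF-00-00-00", "00-60-97-B5-4C-07"}
    print(radius_usernames("00-16-CF-12-34-56", 32))
    print(authenticates("00-16-CF-AB-CD-EF", 24, users))
    for entry, count in sorted(exposure_report(users, 24).items()):
        print(entry, "admits", count, "address(es)")
```

With a 24-bit mask the vendor-wide entry admits every address that shares the first three octets, so any device presenting such an address passes MAC authentication on an enabled port.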
Syntax
clear macauthentication significant-bits
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example resets the MAC authentication significant bits to 48.
C2(su)->clear macauthentication significant-bits

User + IP Phone Authentication on the SecureStack C2 is implemented by assigning an ingressed packet received on a port to a policy role based on the VLAN the packet was assigned to, and not the packet's source MAC address. Therefore, on a port configured for User + IP Phone Authentication, there exist two different VLAN-to-policy role mappings.

The policy role for the IP phone is statically mapped using the VLAN-to-policy mapping feature which assigns any packets received with a VLAN tag set to a specific VID (for example, Voice VLAN) to an indicated policy role (for example, IP Phone policy role). Therefore, it is required that the IP phone is configured to send VLAN-tagged packets to the Voice VLAN. Refer to the Usage section for the command "set policy rule" on page 11-10 for additional information.

The second policy role, for the user, can either be statically configured with the default policy role on the port or dynamically assigned through authentication to the network. When the default policy role is assigned on a port, the VLAN set as the port's PVID is mapped to the default policy role. When a policy role is dynamically applied to a port as the result of a successfully authenticated session, the "authenticated VLAN" is mapped to the policy role set in the Filter-ID returned from the RADIUS server. The "authenticated VLAN" may either be the PVID of the port, if the PVID Override for the policy profile is disabled, or the VLAN specified in the PVID Override if the PVID Override is enabled.
Commands
For information about...            Refer to page...
show multiauth                      23-34
set multiauth mode                  23-35
clear multiauth mode                23-35
set multiauth precedence            23-36
clear multiauth precedence          23-36
show multiauth port                 23-37
set multiauth port                  23-37
clear multiauth port                23-38
show multiauth station              23-39
show multiauth session              23-39
show multiauth idle-timeout         23-40
set multiauth idle-timeout          23-41
clear multiauth idle-timeout        23-42
show multiauth session-timeout      23-42
set multiauth session-timeout       23-43
clear multiauth session-timeout     23-44
show multiauth
Use this command to display multiple authentication system configuration.
Syntax
show multiauth
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display multiple authentication system configuration:
C2(rw)->show multiauth
Multiple authentication system configuration
-------------------------------------------------
Supported types          : dot1x, pwa, mac
Maximum number of users  : 768
Current number of users  : 2
System mode              : multi
Default precedence       : dot1x, pwa, mac
Admin precedence         : dot1x, pwa, mac
Operational precedence   : dot1x, pwa, mac
Syntax
set multiauth mode {multi | strict}
Parameters
multi     Allows the system to use multiple authenticators simultaneously (802.1x, PWA, and MAC Authentication) on a port. This is the default mode.
strict    User must authenticate using 802.1x authentication before normal traffic (anything other than authentication traffic) can be forwarded.
Defaults
None.
Mode
Switch command, read-write.
Usage
Multiauth multi mode requires that MAC, PWA, and 802.1X authentication be enabled globally, and configured appropriately on the desired ports according to their corresponding command sets described in this chapter. Refer to Configuring 802.1X Authentication on page 23-11, Configuring MAC Authentication on page 23-21, and Configuring Port Web Authentication (PWA) on page 23-61.
Example
This example shows how to enable simultaneous multiple authentications:
C2(rw)->set multiauth mode multi
Syntax
clear multiauth mode
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the system authentication mode:
C2(rw)->clear multiauth mode
Syntax
set multiauth precedence {[dot1x] [mac] [pwa]}
Parameters
dot1x    Sets precedence for 802.1X authentication.
mac      Sets precedence for MAC authentication.
pwa      Sets precedence for port web authentication.
Defaults
None.
Mode
Switch command, read-write.
Usage
When a user is successfully authenticated by more than one method at the same time, the precedence of the authentication methods will determine which RADIUS-returned filter ID will be processed and result in an applied traffic policy profile.
Example
This example shows how to set precedence for MAC authentication:
C2(rw)->set multiauth precedence mac dot1x
Syntax
clear multiauth precedence
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the multiple authentication precedence:
C2(rw)->clear multiauth precedence
Syntax
show multiauth port [port-string]
Parameters
port-string    (Optional) Displays multiple authentication information for specific port(s).
Defaults
If port-string is not specified, multiple authentication information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display multiple authentication information for ports ge.3.1-4:
C2(rw)->show multiauth port ge.3.1-4
Port         Mode         Max        Allowed    Current
                          users      users      users
------------ ------------ ---------- ---------- ----------
ge.3.1       auth-opt     8          8          0
ge.3.2       auth-opt     8          8          0
ge.3.3       auth-opt     8          8          0
ge.3.4       auth-opt     8          8          0
Syntax
set multiauth port mode {auth-opt | auth-reqd | force-auth | force-unauth} | numusers numusers port-string
Parameters
mode auth-opt | auth-reqd | force-auth | force-unauth    Specifies the port(s) multiple authentication mode as:
    auth-opt - Authentication optional (non-strict behavior). If a user does not attempt to authenticate using 802.1x, or if 802.1x authentication fails, the port will allow traffic to be forwarded according to the defined default VLAN.
    auth-reqd - Authentication is required.
    force-auth - Authentication considered.
    force-unauth - Authentication disabled.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example shows how to set the port multiple authentication mode to required on ge.3.14:
C2(rw)->set multiauth port mode auth-reqd ge.3.14
This example shows how to set the number of users allowed to authenticate on port ge.3.14 to 8:
C2(rw)->set multiauth port numusers 8 ge.3.14
Syntax
clear multiauth port {mode | numusers} port-string
Parameters
mode           Clears the specified port's multiple authentication mode.
numusers       Clears the value set for the number of users allowed authentication on the specified port.
port-string    Specifies the port or ports on which to clear multiple authentication properties.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example shows how to clear the port multiple authentication mode on port ge.3.14:
C2(rw)->clear multiauth port mode ge.3.14
This example shows how to clear the number of users on port ge.3.14:
C2(rw)->clear multiauth port numusers ge.3.14
Syntax
show multiauth station [mac address] [port port-string]
Parameters
mac address         (Optional) Displays multiple authentication station entries for specific MAC address(es).
port port-string    (Optional) Displays multiple authentication station entries for specific port(s).
Mode
Switch command, read-only.
Defaults
If no options are specified, multiple authentication station entries will be displayed for all MAC addresses and ports.
Example
This example shows how to display multiple authentication station entries. In this case, two end user MAC addresses are shown:
C2(rw)->show multiauth station
Port         Address type Address
------------ ------------ ------------------------
fe.1.20      mac          00-10-a4-9e-24-87
fe.2.16      mac          00-b0-d0-e5-0c-d0
Syntax
show multiauth session [all] [agent {dot1x | mac | pwa}] [mac address] [port port-string]
Parameters
all                        (Optional) Displays information about all sessions, including those with terminated status.
agent dot1x | mac | pwa    (Optional) Displays 802.1X, or MAC, or port web authentication session information.
mac address                (Optional) Displays multiple authentication session entries for specific MAC address(es).
port port-string           (Optional) Displays multiple authentication session entries for the specified port or ports.
Defaults
If no options are specified, multiple authentication session entries will be displayed for all sessions, authentication types, MAC addresses, and ports.
Mode
Switch command, read-only.
Example
This example shows how to display multiple authentication session information for port ge.1.1.
C2(su)->show multiauth session port ge.1.1
__________________________________________
Port             | ge.1.1          Station address  | 00-01-03-86-0A-87
Auth status      | success         Last attempt     | FRI MAY 18 11:16:36 2007
Agent type       | dot1x           Session applied  | true
Server type      | radius          VLAN-Tunnel-Attr | none
Policy index     | 0               Policy name      | Administrator
Session timeout  | 0               Session duration | 0,00:00:25
Idle timeout     | 5               Idle time        | 0,00:00:00
Termination time | Not Terminated
Syntax
show multiauth idle-timeout
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display timeout values for an idle session for all authentication types.
C2(su)->show multiauth idle-timeout
Authentication type Timeout (sec)
------------------- -------------
dot1x               0
pwa                 0
mac                 0
Syntax
set multiauth idle-timeout [dot1x | mac | pwa] timeout
Parameters
dot1x      (Optional) Specifies the IEEE 802.1X port-based network access control authentication method for which to set the timeout value.
mac        (Optional) Specifies the Enterasys MAC authentication method for which to set the timeout value.
pwa        (Optional) Specifies the Enterasys Port Web Authentication method for which to set the timeout value.
timeout    Specifies the timeout value in seconds. The value can range from 0 to 65535. A value of 0 means that no idle timeout will be applied unless an idle timeout value is provided by the authenticating server.
Defaults
If no authentication method is specified, the idle timeout value is set for all authentication methods.
Mode
Switch mode, read-write.
Usage
If you set an idle timeout value, a MAC user whose MAC address has aged out of the forwarding database will be unauthenticated if no traffic has been seen from that address for the specified idle timeout period.
A value of zero indicates that no idle timeout will be applied unless an idle timeout value is provided by the authenticating server. For example, if a session is authenticated by a RADIUS server, that server may encode an Idle-Timeout Attribute in its authentication response.
Example
This example sets the idle timeout value for all authentication methods to 300 seconds.
C2(su)->set multiauth idle-timeout 300
Syntax
clear multiauth idle-timeout [dot1x | mac | pwa]
Parameters
dot1x    (Optional) Specifies the IEEE 802.1X port-based network access control authentication method for which to reset the timeout value to its default.
mac      (Optional) Specifies the Enterasys MAC authentication method for which to reset the timeout value to its default.
pwa      (Optional) Specifies the Enterasys Port Web Authentication method for which to reset the timeout value to its default.
Defaults
If no authentication method is specified, the idle timeout value is reset to its default value of 0 for all authentication methods.
Mode
Switch mode, read-write.
Example
This example resets the idle timeout value for all authentication methods to 0 seconds.
C2(su)->clear multiauth idle-timeout
Syntax
show multiauth session-timeout
Parameters
None.
Defaults
None.
Mode
Switch mode, read-only.
Example
This example displays the session timeout values for all authentication methods.
C2(su)->show multiauth session-timeout
Authentication type Timeout (sec)
------------------- -------------
dot1x               0
pwa                 0
mac                 0
Syntax
set multiauth session-timeout [dot1x | mac | pwa] timeout
Parameters
dot1x      (Optional) Specifies the IEEE 802.1X port-based network access control authentication method for which to set the session timeout value.
mac        (Optional) Specifies the Enterasys MAC authentication method for which to set the session timeout value.
pwa        (Optional) Specifies the Enterasys Port Web Authentication method for which to set the session timeout value.
timeout    Specifies the timeout value in seconds. The value can range from 0 to 65535. A value of 0 means that no session timeout will be applied unless a session timeout value is provided by the authenticating server.
Defaults
If no authentication method is specified, the session timeout value is set for all authentication methods.
Mode
Switch mode, read-write.
Usage
A value of zero may be superseded by a session timeout value provided by the authenticating server. For example, if a session is authenticated by a RADIUS server, that server may encode a Session-Timeout Attribute in its authentication response.
Example
This example sets the session timeout value for the IEEE 802.1X authentication method to 300 seconds.
C2(su)->set multiauth session-timeout dot1x 300
Syntax
clear multiauth session-timeout [dot1x | mac | pwa]
Parameters
dot1x    (Optional) Specifies the IEEE 802.1X port-based network access control authentication method for which to reset the timeout value to its default.
mac      (Optional) Specifies the Enterasys MAC authentication method for which to reset the timeout value to its default.
pwa      (Optional) Specifies the Enterasys Port Web Authentication method for which to reset the timeout value to its default.
Defaults
If no authentication method is specified, the session timeout value is reset to its default value of 0 for all authentication methods.
Mode
Switch mode, read-write.
Example
This example resets the session timeout value for the IEEE 802.1X authentication method to 0 seconds.
C2(su)->clear multiauth session-timeout dot1x
In order to authenticate multiple RFC 3580 users, policy maptable response must be set to tunnel as described in this section.
Notes: The C2 cannot simultaneously support Policy and RFC 3580 on the same port. If multiple users are configured to use a port, and the C2 is then switched from "policy" mode to RFC-3580 "tunnel" mode, the total number of users supported to use a port will be reset to one. A policy license, if applicable, is not required to run RFC3580.
Commands
For information about...            Refer to page...
show policy maptable response       23-45
set policy maptable response        23-46
set vlanauthorization               23-47
set vlanauthorization egress        23-48
clear vlanauthorization             23-48
show vlanauthorization              23-49
multiauth port command (page 23-37) to set the number of RFC 3580 users (numusers) allowed per Gigabit port. Up to six users can be configured per Gigabit port.
Syntax
show policy maptable response
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the current policy maptable response setting:
C2(rw)->show policy maptable response
policy
Syntax
set policy maptable response {policy | tunnel}
Parameters
policy    Sets the maptable response to policy. This is the default setting, which allows authentication of up to six multiauth users per port.
tunnel    Sets the maptable response to tunnel, which allows authentication of up to six multiauth users per port. This setting is required to configure VLAN authorization for multiple users per Gigabit port.
Defaults
Set to policy.
Mode
Switch command, read-write.
Usage
This command puts the switch in either policy mode (the default) or tunnel mode, which is RFC 3580 VLAN mapping.
Examples
This example shows how to set the policy maptable response to tunnel:
C2(rw)-> set policy maptable response tunnel
set vlanauthorization
Enable or disable the use of the RADIUS VLAN tunnel attribute to put a port into a particular VLAN based on the result of authentication.
Syntax
set vlanauthorization {enable | disable} [port-string]
Parameters
enable | disable    Enables or disables vlan authorization/tunnel attributes.
port-string         (Optional) Specifies which ports to enable or disable the use of VLAN tunnel attributes/authorization. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
Defaults
VLAN authentication is disabled by default.
Mode
Switch command, read-write.
Examples
This example shows how to enable VLAN authentication for all Gigabit Ethernet ports:
C2(rw)-> set vlanauthorization enable ge.*.*
This example shows how to disable VLAN authentication for all Gigabit Ethernet ports on switch unit/module 3:
C2(rw)-> set vlanauthorization disable ge.3.*
Syntax
set vlanauthorization egress {none | tagged | untagged} port-string
Parameters
none           Specifies that no egress manipulation will be made.
tagged         Specifies that the authenticating port will be added to the current tagged egress for the VLAN-ID returned.
untagged       Specifies that the authenticating port will be added to the current untagged egress for the VLAN-ID returned (default).
port-string    Specifies the port or list of ports to which this command will apply. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
Defaults
By default, administrative egress is set to untagged.
Mode
Switch command, read-write.
Example
This example shows how to enable the insertion of the RADIUS-assigned VLAN to an 802.1q tag for all outbound frames for ports 10 through 15 on unit/module number 3.
C2(rw)->set vlanauthorization egress tagged ge.3.10-15
clear vlanauthorization
Use this command to return port(s) to the default configuration of VLAN authorization disabled, egress untagged.
Syntax
clear vlanauthorization [port-string]
Parameters
port-string    (Optional) Specifies which ports are to be restored to default configuration. If no port-string is entered, the action will be a global setting. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
Defaults
If no port-string is entered, all ports will be reset to default configuration with VLAN authorization disabled and egress frames untagged.
Mode
Switch command, read-write.
Example
This example shows how to clear VLAN authorization for all ports on slots 3, 4, and 5:
C2(rw)->clear vlanauthorization ge.3-5.*
show vlanauthorization
Displays the VLAN authentication status and configuration information for the specified ports.
Syntax
show vlanauthorization [port-string]
Parameters
port-string    (Optional) Displays VLAN authentication status for the specified ports. If no port-string is entered, then the global status of the setting is displayed. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
Defaults
If no port-string is entered, the status for all ports will be displayed.
Mode
Switch command, read-only.
Example
This command shows how to display VLAN authorization status for ge.1.1:
C2(su)->show vlanauthorization ge.1.1
Vlan Authorization: enabled
port     status    administrative  operational  authenticated      vlan id
                   egress          egress       mac address
-------  --------  --------------  -----------  -----------------  -------
ge.1.1   enabled   untagged
Table 23-5
Output Field
Purpose
To review, disable, enable, and configure MAC locking.
Commands
For information about...            Refer to page...
show maclock                        23-51
show maclock stations               23-52
set maclock enable                  23-53
set maclock disable                 23-54
set maclock                         23-54
clear maclock                       23-55
set maclock static                  23-56
clear maclock static                23-56
set maclock firstarrival            23-57
clear maclock firstarrival          23-58
set maclock agefirstarrival         23-58
clear maclock agefirstarrival       23-59
set maclock move                    23-59
set maclock trap                    23-60
show maclock
Use this command to display the status of MAC locking on one or more ports.
Syntax
show maclock [port-string]
Parameters
port-string    (Optional) Displays MAC locking status for specified port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
Defaults
If port-string is not specified, MAC locking status will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display MAC locking information for ge.1.1.
C2(su)->show maclock ge.1.1
MAC locking is globally enabled
Port    Port     Trap      Aging    Max Static  Max FirstArrival  Last Violating
Number  Status   Status    Status   Allocated   Allocated         MAC Address
------- -------  --------  -------  ----------  ----------------  -----------------
ge.1.1  enabled  disabled  enabled  20          1                 00:a0:c9:39:5c:b4
Table 23-6 provides an explanation of the command output.
Table 23-6
Output Field Port Number Port Status
Trap Status Aging Status Max Static Allocated Max FirstArrival Allocated Last Violating MAC Address
Syntax
show maclock stations [firstarrival | static] [port-string]
Parameters
firstarrival    (Optional) Displays MAC locking information about end stations first connected to MAC locked ports.
static          (Optional) Displays MAC locking information about static (management defined) end stations connected to MAC locked ports.
port-string     (Optional) Displays end station information for specified port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
Defaults
If no parameters are specified, MAC locking information will be displayed for all end stations.
Mode
Switch command, read-only.
Example
This example shows how to display MAC locking information for the end stations connected to all Gigabit Ethernet ports in unit/module 2:
C2(su)->show maclock stations fe.2.*
Port Number  MAC Address        Status  State          Aging
------------ -----------------  ------  -------------  -----
fe.2.1       00:a0:c9:39:5c:b4  active  first arrival  true
fe.2.7       00:a0:c9:39:1f:11  active  static         false
Note: MAC locking needs to be enabled globally and on appropriate ports for it to function.
Syntax
set maclock enable [port-string]
Parameters
port-string    (Optional) Enables MAC locking on specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
Defaults
If port-string is not specified, MAC locking will be enabled globally.
Mode
Switch command, read-write.
Usage
When enabled and configured, MAC locking defines which MAC addresses, as well as how many MAC addresses, are permitted to use specific port(s).
MAC locking is disabled by default at device startup. Configuring one or more ports for MAC locking requires globally enabling it on the device and then enabling it on the desired ports.
Example
This example shows how to enable MAC locking on fe.2.3:
C2(su)->set maclock enable fe.2.3
Syntax
set maclock disable [port-string]
Parameters
port-string    (Optional) Disables MAC locking on specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
Defaults
If port-string is not specified, MAC locking will be disabled globally on the switch.
Mode
Switch command, read-write.
Example
This example shows how to disable MAC locking on fe.2.3:
C2(su)->set maclock disable fe.2.3
set maclock
Use this command to create a static MAC address-to-port locking, and to enable or disable MAC locking for the specified MAC address and port.
Syntax
set maclock mac-address port-string {create | enable | disable}
Parameters
mac-address    Specifies the MAC address for which MAC locking will be created, enabled or disabled.
port-string    Specifies the port on which to create, enable or disable MAC locking for the specified MAC. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
create
enable|disable
Defaults
None.
Mode
Switch command, read-write.
Usage
Configuring a port for MAC locking requires globally enabling it on the switch first using the set maclock enable command as described in set maclock enable on page 23-53.
Static MAC locking a user on multiple ports is not supported.
Statically MAC locked addresses will display in the show mac output (as described on page 1420) as address type other and will not be removed on link down.
Example
This example shows how to create a MAC locking association between MAC address 0e-03-ef-d8-44-55 and port ge.3.2:
C2(rw)->set maclock 0e-03-ef-d8-44-55 ge.3.2 create
clear maclock
Use this command to remove a static MAC address-to-port locking entry.
Syntax
clear maclock mac-address port-string
Parameters
mac-address    Specifies the MAC address that will be removed from the list of static MACs allowed to communicate on the port.
port-string    Specifies the port on which to clear the MAC address. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
Defaults
None.
Mode
Switch command, read-write.
Usage
The MAC address that is cleared will no longer be able to communicate on the port unless the first arrival limit has been set to a value greater than 0 and this limit has not yet been met.
For example, if user B's MAC is removed from the static MAC address list and the first arrival limit has been set to 0, then user B will not be able to communicate on the port. If user A's MAC is removed from the static MAC address list and the first arrival limit has been set to 10, but only has 7 entries, user A will become the 8th entry and allowed to communicate on the port.
Example
This example shows how to remove a MAC from the list of static MACs allowed to communicate on port ge.3.2:
C2(rw)->clear maclock 0e-03-ef-d8-44-55 ge.3.2
Syntax
set maclock static port-string value
Parameters
port-string    Specifies the port on which to set the maximum number of static MACs allowed. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
value          Specifies the maximum number of static MAC addresses allowed per port. Valid values are 0 to 20.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the maximum number of allowable static MACs to 2 on ge.3.1:
C2(rw)->set maclock static ge.3.1 2
Syntax
clear maclock static port-string
Parameters
port-string    Specifies the port on which to reset number of static MAC addresses allowed. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the number of allowable static MACs on fe.2.3:
C2(rw)->clear maclock static fe.2.3
Syntax
set maclock firstarrival port-string value
Parameters
port-string    Specifies the port on which to limit MAC locking. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
value          Specifies the number of first arrival end station MAC addresses to be allowed connections to the port. Valid values are 0 to 600.
Defaults
None.
Mode
Switch command, read-write.
Usage
The maclock first arrival count resets when the link goes down. This feature is beneficial if you have roaming users: the first arrival count will be reset every time a user moves to another port, but will still protect against connecting multiple devices on a single port and will protect against MAC address spoofing.
Note: Setting a port's first arrival limit to 0 does not deny the first MAC address learned on the port from passing traffic.
Example
This example shows how to restrict MAC locking to 6 MAC addresses on fe.2.3:
C2(su)->set maclock firstarrival fe.2.3 6
Syntax
clear maclock firstarrival port-string
Parameters
port-string    Specifies the port on which to reset the first arrival value. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset MAC first arrivals on fe.2.3:
C2(su)->clear maclock firstarrival fe.2.3
Syntax
set maclock agefirstarrival port-string {enable | disable}
Parameters
port-string         Specifies the port(s) on which to enable or disable first arrival aging. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
enable | disable    Enable or disable first arrival aging. By default, first arrival aging is disabled.
Defaults
None.
Mode
Switch mode, read-write.
Example
This example enables first arrival aging on port ge.1.1.
C2(su)-> set maclock agefirstarrival ge.1.1 enable
Syntax
clear maclock agefirstarrival port-string
Parameters
port-string    Specifies the port(s) on which to disable first arrival aging. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
Defaults
None.
Mode
Switch mode, read-write.
Example
This example disables first arrival aging on port ge.1.1.
C2(su)-> clear maclock agefirstarrival ge.1.1
Syntax
set maclock move port-string
Parameters
port-string    Specifies the port on which MAC will be moved from first arrival MACs to static entries. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
Defaults
None.
Mode
Switch command, read-write.
Usage
If there are more first arrival MACs than the allowed maximum static MACs, then only the latest first arrival MACs will be moved to static entries. For example, if you set the maximum number of static MACs to 2 with the set maclock static command, and then executed the set maclock move command, even though there were five MACs in the first arrival table, only the two most recent MAC entries would be moved to static entries.
Example
This example shows how to move all current first arrival MACs to static entries on ports ge.3.1-40:
C2(rw)->set maclock move ge.3.1-40
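The Usage text for clear maclock and set maclock move, worked through as an added example (a simplified model written for this page, not Enterasys code). The class and method names are hypothetical, the MAC addresses are constructed, and using only the free static slots during a move is an assumption.

```python
"""Simplified model of MAC locking on one port (added example)."""


def norm(mac):
    """Normalise a MAC string so that comparisons ignore case and ':' vs '-'."""
    return mac.strip().lower().replace(":", "-")


class MacLockPort:
    """Hypothetical model; follows the Usage text only.

    The note that a first arrival limit of 0 does not deny the first MAC
    learned on the port is not modelled here.
    """

    def __init__(self, max_static, first_arrival_limit):
        if not 0 <= max_static <= 20:            # valid values per the guide
            raise ValueError("max_static must be 0 to 20")
        if not 0 <= first_arrival_limit <= 600:  # valid values per the guide
            raise ValueError("first_arrival_limit must be 0 to 600")
        self.max_static = max_static
        self.first_arrival_limit = first_arrival_limit
        self.static = []            # management-defined entries
        self.first_arrival = []     # learned entries, oldest first
        self.last_violating = None  # as reported by 'show maclock'

    def add_static(self, mac):
        """Model of: set maclock mac-address port-string create."""
        mac = norm(mac)
        if mac in self.static:
            return
        if len(self.static) >= self.max_static:
            raise ValueError("static MAC limit reached")
        self.static.append(mac)

    def clear_static(self, mac):
        """Model of: clear maclock mac-address port-string."""
        self.static.remove(norm(mac))

    def admit(self, mac):
        """Return True if a frame from this source MAC may use the port."""
        mac = norm(mac)
        if mac in self.static or mac in self.first_arrival:
            return True
        if len(self.first_arrival) < self.first_arrival_limit:
            self.first_arrival.append(mac)   # becomes the next first arrival entry
            return True
        self.last_violating = mac            # would also raise the trap, if enabled
        return False

    def move(self):
        """Model of: set maclock move. The newest first arrivals become static."""
        free = self.max_static - len(self.static)  # assumption: only free slots
        moved = self.first_arrival[-free:] if free > 0 else []
        keep = len(self.first_arrival) - len(moved)
        self.first_arrival = self.first_arrival[:keep]
        self.static.extend(moved)
        return moved

    def link_down(self):
        """First arrival entries reset on link down; static entries stay."""
        self.first_arrival.clear()


if __name__ == "__main__":
    # Constructed addresses from the 00-00-5E-00-53-xx documentation range.
    port = MacLockPort(max_static=2, first_arrival_limit=10)
    for i in range(1, 6):
        port.admit(f"00-00-5e-00-53-{i:02x}")
    print("moved to static:", port.move())
    print("still first arrival:", port.first_arrival)
```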
Syntax
set maclock trap port-string {enable | disable}
Parameters
port-string         Specifies the port on which MAC lock trap messaging will be enabled or disabled. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
enable | disable    Enables or disables MAC lock trap messaging.
Defaults
None.
Mode
Switch command, read-write.
Usage
When enabled, this feature authorizes the switch to send an SNMP trap message if an end station is connected that exceeds the maximum values configured using the set maclock firstarrival and set maclock static commands. Violating MAC addresses are dropped from the device's (or stack's) filtering database.
Example
This example shows how to enable MAC lock trap messaging on fe.2.3:
C2(su)->set maclock trap fe.2.3 enable
Purpose
To review, enable, disable, and configure Port Web Authentication (PWA).
Commands
For information about...            Refer to page...
show pwa                            23-62
set pwa                             23-63
show pwa banner                     23-64
set pwa banner                      23-64
clear pwa banner                    23-65
set pwa displaylogo                 23-65
set pwa ipaddress                   23-66
set pwa protocol                    23-66
set pwa guestname                   23-67
clear pwa guestname                 23-67
set pwa guestpassword               23-68
set pwa gueststatus                 23-68
set pwa initialize                  23-69
set pwa quietperiod                 23-69
set pwa maxrequest                  23-70
set pwa portcontrol                 23-70
show pwa session                    23-71
set pwa enhancedmode                23-72
show pwa
Use this command to display port web authentication information for one or more ports.
Syntax
show pwa [port-string]
Parameters
port-string    (Optional) Displays PWA information for specific port(s).
Defaults
If port-string is not specified, PWA information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display PWA information for ge.2.1:
C2(su)->show pwa ge.2.1
PWA Status                    enabled
PWA IP Address                192.168.62.99
PWA Protocol                  PAP
PWA Enhanced Mode             N/A
PWA Logo                      enabled
PWA Guest Networking Status   disabled
PWA Guest Name                guest
PWA Redirect Time             N/A
Port     Mode             AuthStatus     QuietPeriod MaxReq
-------- ---------------- -------------- ----------- ---------
ge.2.1   disabled         disconnected   60          16
PWA IP Address
PWA Protocol
Table 23-8
Output Field PWA Logo
PWA Guest Password PWA Redirect Time Port Mode Auth Status Quiet Period
MaxReq
set pwa
Use this command to enable or disable port web authentication.
Syntax
set pwa {enable | disable}
Parameters
enable | disable    Enables or disables port web authentication.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable port web authentication:
C2(su)->set pwa enable
Syntax
show pwa banner
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the PWA login banner:
C2(su)->show pwa banner
Welcome to Enterasys Networks
Syntax
set pwa banner string
Parameters
string    Specifies the PWA login banner.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the PWA login banner to "Welcome to Enterasys Networks":
C2(su)->set pwa banner Welcome to Enterasys Networks
Syntax
clear pwa banner
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the PWA login banner to a blank string:
C2(su)->clear pwa banner
Syntax
set pwa displaylogo {display | hide}
Parameters
display | hide    Displays or hides the Enterasys Networks logo when the PWA website displays.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to hide the Enterasys Networks logo:
C2(su)->set pwa displaylogo hide
Syntax
set pwa ipaddress ip-address
Parameters
ip-address    Specifies a globally unique IP address. This same value must be configured into every authenticating switch in the domain.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set a PWA IP address of 1.2.3.4:
C2(su)->set pwa ipaddress 1.2.3.4
Syntax
set pwa protocol {chap | pap}
Parameters
chap | pap    Sets the PWA protocol to:
    CHAP (PPP Challenge Handshake Protocol) - encrypts the user name and password between the end-station and the switch port.
    PAP (Password Authentication Protocol) - does not provide any encryption between the end-station and the switch port.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the PWA protocol to CHAP:
C2(su)->set pwa protocol chap
Syntax
set pwa guestname name
Parameters
name    Specifies a guest user name.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the PWA guest user name to guestuser:
C2(su)->set pwa guestname guestuser
Syntax
clear pwa guestname
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the PWA guest user name:
C2(su)->clear pwa guestname
Syntax
set pwa guestpassword
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Usage
PWA will use this password and the guest user name to grant network access to guests without established login names and passwords.
Example
This example shows how to set the PWA guest user password name:
C2(su)->set pwa guestpassword
Guest Password: *********
Retype Guest Password: *********
Syntax
set pwa gueststatus {authnone | authradius | disable}
Parameters
authnone      Enables guest networking with no authentication method.
authradius    Enables guest networking with RADIUS authentication. Upon successful authentication from RADIUS, PWA will apply the policy returned from RADIUS to the PWA port.
disable       Disables guest networking.
Defaults
None.
Mode
Switch command, read-write.
Usage
PWA will use a guest password and guest user name to grant network access with default policy privileges to users without established login names and passwords.
Example
This example shows how to enable PWA guest networking with RADIUS authentication:
C2(su)->set pwa gueststatus authradius
Syntax
set pwa initialize [port-string]
Parameters
port-string    (Optional) Initializes specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
Defaults
If port-string is not specified, all ports will be initialized.
Mode
Switch command, read-write.
Example
This example shows how to initialize ports ge.1.5-7:
C2(su)->set pwa initialize ge.1.5-7
Syntax
set pwa quietperiod time [port-string]
Parameters
time           Specifies quiet time in seconds.
port-string    (Optional) Sets the quiet period for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
Defaults
If port-string is not specified, quiet period will be set for all ports.
Mode
Switch command, read-write.
Example
This example shows how to set the PWA quiet period to 30 seconds for ports ge.1.5-7:
C2(su)->set pwa quietperiod 30 ge.1.5-7
Syntax
set pwa maxrequests requests [port-string]
Parameters
maxrequests    Specifies the maximum number of log on attempts.
port-string    (Optional) Sets the maximum requests for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 72.
Defaults
Ifportstringisnotspecified,maximumrequestswillbesetforallports.
Mode
Switchcommand,readwrite.
Example
ThisexampleshowshowtosetthePWAmaximumrequeststo3forallports:
C2(su)->set pwa maxrequests 3
Syntax
set pwa portcontrol {enable | disable} [port-string]
Parameters
enable | disable    Enables or disables PWA on specified ports.
port-string         (Optional) Sets the control mode on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, PWA will be enabled on all ports.
Mode
Switch command, read-write.
Example
This example shows how to enable PWA on ports 1-22:
C2(su)->set pwa portcontrol enable ge.1.1-22
Syntax
show pwa session [port-string]
Parameters
port-string    (Optional) Displays PWA session information for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, session information for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display PWA session information:
C2(su)->show pwa session
Port      MAC                IP               User           Duration      Status
--------  -----------------  ---------------  -------------  ------------  ---------
ge.2.19   00-c0-4f-20-05-4b  172.50.15.121    pwachap10      0,14:46:55    active
ge.2.19   00-c0-4f-24-51-70  172.50.15.120    pwachap1       0,15:43:30    active
ge.2.19   00-00-f8-78-9c-a7  172.50.15.61     pwachap11      0,14:47:58    active
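A parser for the session table shown above, as an added Python example that is not part of the original guide. It assumes the Duration column reads days,hh:mm:ss; the function names and the two thresholds (one MAC per port, 12 hours) are illustrative policy values, not switch settings.

```python
from collections import defaultdict

# Constructed input: the session rows from the example above, one per line.
SAMPLE = """\
Port     MAC               IP             User       Duration    Status
-------- ----------------- -------------- ---------- ----------- ------
ge.2.19  00-c0-4f-20-05-4b 172.50.15.121  pwachap10  0,14:46:55  active
ge.2.19  00-c0-4f-24-51-70 172.50.15.120  pwachap1   0,15:43:30  active
ge.2.19  00-00-f8-78-9c-a7 172.50.15.61   pwachap11  0,14:47:58  active
"""

def duration_seconds(text):
    # Assumption: Duration is "days,hh:mm:ss".
    days, clock = text.split(",")
    hours, minutes, seconds = (int(part) for part in clock.split(":"))
    return int(days) * 86400 + hours * 3600 + minutes * 60 + seconds

def parse_sessions(output):
    """Turn 'show pwa session' text into a list of session dictionaries."""
    sessions = []
    for line in output.splitlines():
        cols = line.split()
        # Data rows have six columns and a port-string such as ge.2.19 first;
        # the prompt line, header row and dashed rule fail this test.
        if len(cols) != 6 or cols[0].count(".") != 2:
            continue
        port, mac, ip, user, duration, status = cols
        sessions.append({"port": port, "mac": mac.lower(), "ip": ip,
                         "user": user, "status": status,
                         "seconds": duration_seconds(duration)})
    return sessions

def audit(sessions, max_macs_per_port=1, max_age_seconds=12 * 3600):
    """Return (ports with too many active MACs, sessions older than the limit)."""
    macs = defaultdict(set)
    for session in sessions:
        if session["status"] == "active":
            macs[session["port"]].add(session["mac"])
    crowded = {port: sorted(found) for port, found in macs.items()
               if len(found) > max_macs_per_port}
    stale = [(s["port"], s["user"]) for s in sessions
             if s["seconds"] > max_age_seconds]
    return crowded, stale
```

Run against the sample, it reports ge.2.19 carrying three authenticated MAC addresses, which on an access port usually means a hub or unmanaged switch sits behind it.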
Syntax
set pwa enhancedmode {enable | disable}
Parameters
enable | disable    Enables or disables PWA enhanced mode.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable PWA enhanced mode:
C2(su)->set pwa enhancedmode enable
Commands
For information about...    Refer to page...
show ssh status             23-73
set ssh                     23-73
set ssh hostkey             23-74
Syntax
show ssh status
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display SSH status on the switch:
C2(su)->show ssh status
SSH Server status: Disabled
set ssh
Use this command to enable, disable or reinitialize SSH server on the switch. By default, the SSH server is disabled.
Syntax
set ssh {enable | disable | reinitialize}
Parameters
enable | disable    Enables or disables SSH, or reinitializes the SSH server.
reinitialize        Reinitializes the SSH server.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable SSH:
C2(su)->set ssh disable
Syntax
set ssh hostkey [reinitialize]
Parameters
reinitialize    (Optional) Reinitializes the server host authentication keys.
Defaults
If reinitialize is not specified, the user must supply SSH authentication key values.
Mode
Switch command, read-write.
Example
This example shows how to regenerate SSH keys:
C2(su)->set ssh hostkey reinitialize
Purpose
To review and configure security access control lists (ACLs), which permit or deny access to routing interfaces based on protocol and IP address restrictions.
Commands
For information about...    Refer to page...
show access-lists           23-75
access-list (standard)      23-76
access-list (extended)      23-77
ip access-group             23-79
show access-lists
Use this command to display configured IP access lists when operating in router mode.
Syntax
show access-lists [number]
Parameters
access-list-number    (Optional) Displays access list information for a specific access list number. Valid values are between 1 and 199.
Defaults
If number is not specified, the entire table of access lists will be displayed.
Mode
Any router mode.
Example
This example shows how to display IP access list number 101. This is an extended access list, which permits or denies ICMP, UDP and IP frames based on restrictions configured with one of the access-list commands. For details on configuring standard access lists, refer to access-list
access-list (standard)
Use this command to define a standard IP access list by number when operating in router mode. The no form of this command removes the defined access list or entry.
Syntax
To create an ACL entry:
access-list access-list-number {deny | permit} source [source-wildcard]
no access-list access-list-number [entry]
Parameters
access-list-number    Specifies a standard access list number. Valid values are from 1 to 99.
deny | permit         Denies or permits access if specified conditions are met.
source                Specifies the network or host from which the packet will be sent. Valid options for expressing source are:
                      - IP address or range of addresses (A.B.C.D)
                      - any - Any source host
                      - host source - IP address of a single source host
source-wildcard
insert | replace entry
move destination source1 source2
Defaults
If insert, replace or move are not specified, the new entry will be appended to the access list.
If source2 is not specified with move, only one entry will be moved.
Mode
Global configuration: C2(su)->router(Config)#
Usage
Note: ACLs are not supported on routed VLANs which incorporate LAG ports.
Examples
This example shows how to create access list 1 with three entries that allow access to only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list entries will be rejected:
C2(su)->router(Config)#access-list 1 permit 192.5.34.0 0.0.0.255
C2(su)->router(Config)#access-list 1 permit 128.88.0.0 0.0.255.255
C2(su)->router(Config)#access-list 1 permit 36.0.0.0 0.255.255.255
This example moves entry 16 to the beginning of ACL 22:
C2(su)->router(Config)#access-list 22 move 1 16
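The matching logic behind the access list 1 example above, as an added Python example that is not part of the original guide. Each entry's wildcard mask marks the address bits to ignore, and an address that matches no entry is rejected; the function names, the first-match evaluation order and the treatment of an omitted wildcard as an exact match are assumptions of this example.

```python
import ipaddress

# Constructed input: the three access list 1 entries exactly as typed above.
ACL_CONFIG = """\
C2(su)->router(Config)#access-list 1 permit 192.5.34.0 0.0.0.255
C2(su)->router(Config)#access-list 1 permit 128.88.0.0 0.0.255.255
C2(su)->router(Config)#access-list 1 permit 36.0.0.0 0.255.255.255
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_standard_acl(text):
    """Return {acl_number: [(action, base, wildcard), ...]} in entry order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split("#")[-1].split()   # drop the CLI prompt, if present
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        number, action, src = int(tok[1]), tok[2], tok[3:]
        if not 1 <= number <= 99:
            raise ValueError("standard ACL numbers are 1 to 99")
        if action not in ("permit", "deny"):
            raise ValueError("unsupported action: " + action)
        if src[0] == "any":
            base, wildcard = 0, 0xFFFFFFFF          # every bit ignored
        elif src[0] == "host":
            base, wildcard = to_int(src[1]), 0      # every bit compared
        else:
            base = to_int(src[0])
            # Assumption: an omitted wildcard means an exact match.
            wildcard = to_int(src[1]) if len(src) > 1 else 0
        acls.setdefault(number, []).append((action, base, wildcard))
    return acls

def evaluate(entries, source_ip):
    """Return (action, entry index); no match gives the implicit ('deny', None)."""
    addr = to_int(source_ip)
    for index, (action, base, wildcard) in enumerate(entries, start=1):
        care = ~wildcard & 0xFFFFFFFF   # wildcard 1-bits are "don't care"
        if addr & care == base & care:
            return action, index
    return "deny", None
```

A source of 192.5.35.1 differs from 192.5.34.0 in the third octet, which the 0.0.0.255 wildcard still compares, so it falls through all three entries to the implicit deny.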
access-list (extended)
Use this command to define an extended IP access list by number when operating in router mode. The no form of this command removes the defined access list or entry.
Syntax
To apply ACL restrictions to IP, UDP, ICMP or TCP packets:
access-list access-list-number {deny | permit} protocol source [source-wildcard] [operator [port]] destination [destination-wildcard]
no access-list access-list-number [entry]
Parameters
access-list-number    Specifies an extended access list number. Valid values are from 100 to 199.
deny | permit         Denies or permits access if specified conditions are met.
protocol
source
source-wildcard
operator port
destination
Defaults
If insert, replace, or move are not specified, the new entry will be appended to the access list.
If source2 is not specified with move, only one entry will be moved.
If operator and port are not specified, access parameters will be applied to all TCP or UDP ports.
Mode
Global configuration: C2(su)->router(Config)#
Usage
Access lists are applied to interfaces by using the ip access-group command as described in "ip access-group" on page 23-79.
Valid access list numbers for extended ACLs are 100 to 199. For standard ACLs, valid values are 1 to 99.
Example
This example shows how to define access list 101 to deny ICMP transmissions from any source and for any destination:
C2(su)->router(Config)#access-list 101 deny ICMP any any
ip access-group
Use this command to apply access restrictions to inbound frames on an interface when operating in router mode. The no form of this command removes the specified access list.
Syntax
ip access-group access-list-number in
no ip access-group access-list-number in
Parameters
access-list-number    Specifies the number of the access list to be applied to the access list. This is a decimal number from 1 to 199.
in                    Filters inbound frames.
Defaults
None.
Mode
Interface configuration: C2(su)->router(Config-if(Vlan <vlan_id>))#
Usage
ACLs must be applied per routing interface. An entry (rule) can be applied to inbound frames only.
Example
This example shows how to apply access list 1 for all inbound frames on the VLAN 1 interface. Through the definition of access list 1, only frames with a source address on the 192.5.34.0/24 network will be routed. All the frames with other source addresses received on the VLAN 1 interface are dropped:
C2(su)->router(Config)#access-list 1 permit 192.5.34.0 0.0.0.255
C2(su)->router(Config)#interface vlan 1
C2(su)->router(Config-if(Vlan 1))#ip access-group 1 in