All Rights Reserved.

Notice
While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes.

Documentation disclaimer
Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of this documentation unless such modifications, additions, or deletions were performed by Avaya. End User agrees to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User.

Link disclaimer
Avaya is not responsible for the contents or reliability of any linked Web sites referenced within this site or documentation(s) provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages.

Warranty
Avaya provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya's standard warranty language, as well as information regarding support for this product while under warranty, is available to Avaya customers and other parties through the Avaya Support Web site: http://www.avaya.com/support. Please note that if you acquired the product from an authorized Avaya reseller outside of the United States and Canada, the warranty is provided to you by said Avaya reseller and not by Avaya.

Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/ ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA AUTHORIZED RESELLER, AND AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY AS "YOU" AND "END USER"), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE ("AVAYA").

Copyright
Except where expressly stated otherwise, no use should be made of materials on this site, the Documentation(s) and Product(s) provided by Avaya. All content on this site, the documentation(s) and the product(s) provided by Avaya, including the selection, arrangement and design of the content, is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws, including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software. Unauthorized reproduction, transmission, dissemination, storage, and/or use without the express written consent of Avaya can be a criminal, as well as a civil, offense under the applicable law.

Third-party components
Certain software programs or portions thereof included in the Product may contain software distributed under third party agreements ("Third Party Components"), which may contain terms that expand or limit rights to use certain portions of the Product ("Third Party Terms"). Information regarding distributed Linux OS source code (for those Products that have distributed the Linux OS source code), and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply to them, is available on the Avaya Support Web site: http://www.avaya.com/support/Copyright/.

Trademarks
The trademarks, logos and service marks ("Marks") displayed in this site, the documentation(s) and product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its affiliates, or other third parties. Users are not permitted to use such Marks without prior written consent from Avaya or such third party which may own the Mark. Nothing contained in this site, the documentation(s) and product(s) should be construed as granting, by implication, estoppel, or otherwise, any license or right in and to the Marks without the express written permission of Avaya or the applicable third party. Avaya is a registered trademark of Avaya Inc. All other trademarks are the property of their respective owners.

Downloading documents
For the most current versions of documentation, see the Avaya Support Web site: http://www.avaya.com/support

Contact Avaya Support
Avaya provides a telephone number for you to use to report problems or to ask questions about your product. The support telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see the Avaya Web site: http://www.avaya.com/support
Configuring TACACS+ using CLI ... 100
Configuring IP Manager using CLI ... 103
Configuring password security using CLI ... 105
Displaying CLI Audit log using CLI ... 106
Configuring Secure Socket Layer services using CLI ... 107
Configuring Secure Shell protocol using CLI ... 108
Configuring VLANs and Link Aggregation ... 114
Configuring VLANs using CLI ... 114
Configuring STP using CLI ... 125
Configuring MLT using CLI ... 135
Configuring LACP and VLACP using CLI ... 137
Configuring IP routing ... 146
IP routing configuration using CLI ... 146
Static route configuration using CLI ... 152
DHCP relay configuration using CLI ... 155
Directed broadcasts configuration using CLI ... 161
Static ARP and Proxy ARP configuration using CLI ... 162
IGMP snooping configuration using CLI ... 165
Configuring Access Lists ... 180
Assigning ports to an access list ... 180
Removing an access list assignment ... 181
Creating an IP access list ... 181
Removing an IP access list ... 182
Creating a Layer 2 access list ... 183
Removing a Layer 2 access list ... 184
Configuring Elements, Classifiers, and Classifier Blocks ... 184
Configuring IP classifier element entries ... 185
Viewing IP classifier entries ... 186
Removing IP classifier entries ... 186
Adding Layer 2 elements ... 186
Viewing Layer 2 elements ... 188
Removing Layer 2 elements ... 188
Linking IP and L2 classifier elements ... 188
Removing classifier entries ... 189
Combining individual classifiers ... 189
Removing classifier block entries ... 190
Configuring wired Quality of Service ... 190
Displaying QoS Parameters ... 191
Displaying QoS capability policy configuration ... 195
QoS Agent configuration ... 196
Configuring Default Buffering Capabilities ... 198
Configuring the CoS-to-Queue Assignments ... 199
Configuring QoS Interface Groups ... 200
Configuring DSCP and 802.1p and Queue Associations ... 201
Configuring QoS system-element ... 203
Configuring QoS Actions ... 205
Configuring QoS Interface Action Extensions ... 207
Configuring QoS Meters ... 208
Configuring QoS Interface Shaper ... 210
Configuring QoS Policies ... 211
QoS Generic Filter set configuration ... 213
Configuring User Based Policies ... 215
Maintaining the QoS Agent ... 218
Configuring DoS Attack Prevention Package ... 221
Configuring Serviceability ... 222
Configuring RMON with the CLI ... 223
Configuring IPFIX using CLI ... 228
Configuring diagnostics and graphing ... 232
System diagnostics and statistics using CLI ... 232
Network monitoring configuration using CLI ... 234
1. Log into the controller. If this is the first time accessing the device, connect a console cable and start a terminal session using the guidelines provided in the documentation.
2. Press CTRL + Y on the keyboard to enter the CLI.
3. Enter Privileged mode using the enable command.
4. Enter Global Configuration mode using the configure terminal command.
5. Specify the system IP address, subnet mask, and default gateway using the ip address command. This command has the following syntax: ip address <ip_address> netmask <subnet_mask> default-gateway <default_gateway>
6. Enable SNMP services using the command snmp-server enable.
7. Disable the IP Manager access list for SNMP using the command no ipmgr snmp. With this list disabled, SNMP access to the controller is no longer restricted to the source addresses configured in IP Manager (see Configuring IP Manager using CLI).
8. Enable IP routing using the ip routing command.
9. Enter Wireless Configuration mode using the wireless command.
10. Specify the wireless system interface IP address using the command interface-ip <ip_address>.
11. Enable wireless capabilities using the enable command.
12. Enable MDC capability using the command controller mdc-capable.
13. Enter the domain password at the prompt.
1. Log into the controller.
2. Press CTRL + Y on the keyboard to enter the console menu.
3. Select Command Line Interface from the menu.
4. Type the enable command to enter Privileged mode.
5. Type the configure terminal command to enter Configuration mode.
6. Set the logging level using the command logging level {critical | informational | serious | none}.
7. Enable logging using the command logging enable.
8. Set the remote logging level using the command logging remote level {critical | informational | serious | none}.
9. Set the IP address of the remote log server using the command logging remote address <ip_address>.
10. Enable remote logging using the command logging remote enable.
11. Enable individual SNMP traps using the command snmp-server notification-control <snmp_trap>. For a list of available SNMP traps, use the command show snmp-server notification-control. Repeat this step for every trap that must be enabled.
12. Set the IP address of the SNMP server using the command snmp-server host <ip_address>.
1. Log into the controller.
2. Press CTRL + Y on the keyboard to enter the console menu.
3. Select Command Line Interface from the menu.
4. Type the enable command to enter Privileged mode.
5. Use the command show logging system to display logs concerning Layer 2 and Layer 3 operations.
6. Use the command show logging wireless-controller volatile to display logs concerning controller operation.
1. Log into the controller.
2. Press CTRL + Y on the keyboard to enter the console menu.
3. Select Command Line Interface from the menu.
4. Type the enable command to enter Privileged mode.
5. Use the command show wireless ap status to view the overall status of all registered access points.
6. Use the command show wireless ap status <ap_mac_address> detail to view detailed information about an individual access point.
7. Use the command show wireless ap-profile network to view the correlation between network profiles and AP profiles.
8. Use the command show wireless network-profile <profile_number> detail to view detailed information about a network profile.
9. Use the command show wireless switch vlan-map to view the correlation between wired and wireless VLANs.
10. Use the command show wireless security {mac-db | radius | userdb | wids-wips} to display information about wireless security settings.
11. Use the command show wireless client status to display the current status of wireless clients.
1. Log into the controller.
2. Press CTRL + Y on the keyboard to enter the console menu.
3. Select Command Line Interface from the menu.
4. Type the enable command to enter Privileged mode.
5. Use the command show wireless to view the overall status of the wireless system.
6. Use the command show wireless domain ap database to view information about the access points configured for the wireless domain.
7. Use the command show wireless domain ap discovered to view any access points that have been discovered. Access points listed here must be added to the main access point database before the domain can use them.
8. Use the command show wireless ap status to display all of the access points that are part of the wireless domain and the controller each one is managed by.
9. Use the command show wireless ap status detail to display detailed information about each AP that is part of the wireless domain.
10. Use the command show wireless controller status to determine the current status of the wireless controller. This command indicates whether the controller is the Active or the Backup MDC.
1. Log into the controller.
2. Press CTRL + Y on the keyboard to enter the console menu.
3. Select IP Configuration/Setup from the console menu to check the controller IP configuration.
4. Press CTRL + R to return to the console menu.
5. Select SNMP Configuration from the console menu to check the controller SNMP configuration.
6. Press CTRL + R to return to the console menu.
7. Select Switch Configuration from the console menu.
8. Use the options in this menu to track the various aspects of switch configuration.
9. Press CTRL + R to return to the console menu.
10. Select Spanning Tree Configuration from the console menu.
11. Use the options in this menu to track the various aspects of the spanning tree configuration.
12. Press CTRL + R to return to the console menu.
13. Select Command Line Interface from the menu.
14. Type the enable command to enter Privileged mode.
15. Use the command show ip to view the IP address configuration.
16. Use the command ping <ip_address> to ping another device on the network.
17. Use the command show wireless to view the overall status of the wireless system.
Managing AP operations
Use the following procedure to manage access point operations.
1. Enter Privileged mode of the CLI.
2. Use the command wireless ap channel <ap_mac_address> <radio_interface> <channel_number> to manage access point channel options.
3. Use the command wireless ap image-update <ap_mac_address> to update the access point's software image.
4. Use the command wireless ap power <ap_mac_address> <radio_interface> <power_percentage> to adjust the access point radio transmit power.
5. Use the command wireless ap reset to reset a managed access point.
6. Use the command wireless radio-profile clone <source_profile_id> <target_profile_id> to clone an existing radio profile to the targeted radio profile.
7. Use the command wireless ap tech-dump <ap_mac_address> <tftp_ip_address> filename <file_name> to save the current AP configuration information to the specified TFTP server.
1. Enter Privileged mode of the CLI.
2. Use the command wireless auto-rf channel-plan {a-n | b/g-n} start to run the channel adjustment algorithm.
3. Use the command wireless auto-rf channel-plan {a-n | b/g-n} apply to apply the proposed channel adjustment plan.
4. Use the command wireless auto-rf power-plan start to run the power planning algorithm.
5. Use the command wireless auto-rf power-plan apply to apply the proposed power plan.
Managing portals
The following procedure is used to manage captive portals.
1. Enter Privileged mode of the CLI.
2. Use the command wireless captive-portal certificate-generate to generate HTTPS certificates.
3. Use the command wireless captive-portal client-deauthenticate <client_mac_address> to revoke authentication from a client.
Managing clients
This procedure is used to manage clients.
1. Enter Privileged mode of the CLI.
2. Use the command wireless client disassociate <client_mac_address> to remove a client from an access point.
1. Enter Privileged mode of the CLI.
2. Use the command wireless controller ap image-update start to update the software image of all controlled access points. This action can be stopped at any time with the command wireless controller ap image-update stop.
3. Use the command wireless controller ap reset to reset all controlled access points.
4. Use the command wireless controller config-sync to synchronize configurations with other controllers in the domain.
5. Use the command wireless controller join-domain domain-name <domain_name> mdc-address <ip_address> to join a domain.
6. Use the command wireless controller leave-domain to remove the controller from its current domain.
7. Use the command wireless peer-controller ap image-update <ip_address> start to update the images of all access points controlled by a peer controller. This action can be stopped at any time using the command wireless peer-controller ap image-update <ip_address> stop.
1. Enter Privileged mode of the CLI.
2. Use the command wireless domain ap image-update start to update the software image of all access points in the domain. This action can be stopped at any time using the command wireless domain ap image-update stop.
3. Use the command wireless domain ap rebalance start to rebalance the access point distribution among all of the domain controllers. This action can be stopped at any time using the command wireless domain ap rebalance stop.
4. Use the command wireless domain ap redistribute start to move access points back to their preferred domain controllers. This action can be stopped at any time using the command wireless domain ap redistribute stop.
5. Use the command wireless domain ap reset to reset all domain access points.
6. Use the command wireless domain discovered-ap <ap_mac_address> {approve | discard} to take action on a discovered access point.
7. Use the command wireless domain purge-controller <controller_ip_address> to purge a controller from the domain.
8. Use the command wireless domain purge-stale-controllers to purge all stale controllers from the domain.
Configuring automatic radio frequency options on page 22
Configuring portals on page 22
Configuring domain options on page 23
Configuring wireless security on page 24
1. Enter Wireless Configuration mode of the CLI.
2. Use the command controller mdc-capable to mark the controller as available to be a Mobility Domain Controller.
3. Use the command interface-ip <ip_address> to set the wireless system interface IP address.
4. Use the command tcp-udp-base-port <49152 - 64983> to set the wireless system base port.
5. Use the command diffserv classifierblock <block_name> to configure a classifier block for the controller. This command has the options listed in the following table.

Option            Description
match all         Match all packets.
match cos         Match CoS.
match ds-field    Match IP DSCP.
match dst-ip      Match destination IP address.
match dst-mac     Match destination MAC address.
match dstport     Match destination Layer 4 port.
match ethertype   Match Ethernet Type.
match precedence  Match IP precedence.
match protocol    Match IP protocol.
match src-ip      Match source IP address.
match src-mac     Match source MAC address.

The command also has options to match the source Layer 4 port and the ToS field, an option to end the classifier block, and an option to exit the classifier block.
6. Use the command diffserv policy <policy_name> to configure a policy for the controller. This command has options to allow packets, drop packets, remark CoS, remark DSCP, and remark precedence.
7. Use the command switch vlan-map <mobility_vlan_name> l3mobility server to set the mobility role to server.
8. Use the command switch vlan-map <mobility_vlan_name> l3mobility none to set the mobility role to none.
9. Use the command switch vlan-map <mobility_vlan_name> lvid <1 - 4094> to set the local VLAN ID.
10. Use the command switch vlan-map <mobility_vlan_name> track <port_list> to track a set of ports.
11. Use the command switch vlan-map <mobility_vlan_name> weight <1 - 7> to set the VLAN server preference.
12. Use the command enable to enable wireless operations on the device.
1. Enter Wireless Configuration mode of the CLI.
2. Use the command ap-profile <1 - 32> to create an access point profile.
3. Use the command network-profile <1 - 64> to create a network profile. This command has the options listed in the following table.

Option            Description
arp-suppression   Enable wireless ARP suppression.
captive-portal    Configure captive portal mapping.
client-qos        Configure client QoS settings.
cos2wmm           WMM values for CoS settings.
default           Set default network profile settings.
dot1x             Configure 802.1X parameters.
end               End configuration.
exit              Exit configuration.
hide-ssid         Enable SSID hiding in network beacons.
mac-validation    Enable client authentication through client MAC addresses.
user-group        Configure the local user group.
user-validation   Configure the user validation method if the captive portal is enabled.

The command also has options to configure the default mobility VLAN, enable responses to broadcast probe requests, set the network profile name, configure RADIUS-related parameters, configure the security mode, configure the network SSID, configure WEP-related parameters, set the CoS mapping for WMM, and configure WPA2 settings.
4. Use the command radio-profile <1 - 64> to create a radio profile. This command has the options listed in the following table.

Option                   Description
apsd                     Enable automatic power save delivery (APSD) mode.
beacon-interval          Set the beacon interval.
channel                  Configure radio channel settings.
data-rates               Configure basic and supported data rates.
default                  Set default profile parameters.
dot11mode                Configure the physical mode of the radio.
dot11n                   Set the 802.11n configuration.
dot11n-protection-mode   Configure the 802.11n protection mode.
dtim-period              Configure the Delivery Traffic Indication Map (DTIM) period.
end                      End configuration.
exit                     Exit configuration.
fragmentation-threshold  Configure the packet fragmentation threshold.

The command also has options to enable No-Ack for incorrectly received frames on the radio, configure load balancing parameters, set the maximum number of simultaneous clients, configure the multicast transfer rate, disable the radio profile, configure the radio power settings, set the radio profile name, configure radio QoS queues, configure the broadcast and multicast rates, configure the RF scan mode parameters, enable Radio Resource Measurement, set the MPDU size threshold below which RTS/CTS is not performed, enable station isolation, configure TSPEC settings, and enable WMM mode.
5. Use the command captive-portal profile <1 - 10> to create a captive portal profile.
1. Enter Wireless Configuration mode of the CLI.
2. Use the command auto-rf channel-plan {a-n | bg-n} history-depth <0 - 10> to set the number of saved historical channel plans.
3. Use the command auto-rf channel-plan {a-n | bg-n} interval <6 - 24> to set the channel adjustment interval in hours.
4. Use the command auto-rf channel-plan {a-n | bg-n} mode {interval | manual | time} to set the channel adjustment mode.
5. Use the command auto-rf channel-plan {a-n | bg-n} time <hh:mm> to set the time of day at which channel adjustment is performed.
6. Use the command auto-rf power-plan interval <15 - 1440> to set the power adjustment interval in minutes.
7. Use the command auto-rf power-plan {interval | manual} to set the power adjustment mode.
Configuring portals
The following procedure is used to configure portal options.
1. Enter Wireless Configuration mode of the CLI.
2. Use the command captive-portal auth-timeout <60 - 600> to set the authentication timeout in seconds.
3. Use the command captive-portal http-port <0 - 65535> to configure the portal HTTP port.
4. Use the command captive-portal https-port <0 - 65535> to configure the portal HTTPS port.
5. Use the command captive-portal stats-report-interval <15 - 3600> to configure the statistics reporting interval in seconds.
6. Use the command captive-portal profile <profile_number> block to block profile traffic.
7. Use the command captive-portal profile <profile_number> idle-timeout to set the session idle timeout.
8. Use the command captive-portal profile <profile_number> locale to set the portal locale settings.
9. Use the command captive-portal profile <profile_number> max-bandwidth to configure the maximum transmit and receive bandwidth limits.
10. Use the command captive-portal profile <profile_number> max-octets to configure the maximum session octets.
11. Use the command captive-portal profile <profile_number> profile-name to set the profile name.
12. Use the command captive-portal profile <profile_number> protocol-mode to set the protocol mode.
13. Use the command captive-portal profile <profile_number> session-timeout to set the session timeout.
14. Use the command captive-portal profile <profile_number> user-logout to enable user logout.
15. Use the command captive-portal enable to enable the captive portal.
1. Enter Wireless Configuration mode of the CLI.
2. Use the command domain ap-client-qos to enable access point QoS operations for clients.
3. Use the command domain auto-promote-discovered-ap to enable automatic promotion of discovered access points.
4. Use the command domain client-roam-agetime <1 - 120> to configure the client roaming timeout in seconds.
5. Use the command domain country-code <country_code> to configure the country code for domain operation.
6. Use the command domain tspec-violation-report-interval <0 - 900> to configure the reporting interval in seconds.
7. Use the command domain ap image-update download-group-size <1 - 100> to configure the percentage of access points forming an image-update group.
8. Use the command domain ap lb-metric {least-load | local-CBF | local-CBFS | roundrobin} to set the domain load balancing metric.
9. Use the command domain ap reset-group-size <1 - 100> to configure the percentage of access points in the domain that are reset at one time.
10. Use the command domain ap <ap_mac> alternate-controller to configure an alternate wireless controller.
11. Use the command domain ap <ap_mac> label to configure the AP label.
12. Use the command domain ap <ap_mac> location to configure the AP location.
13. Use the command domain ap <ap_mac> model to configure the AP model.
14. Use the command domain ap <ap_mac> preferred-controller to configure the preferred AP controller.
15. Use the command domain ap <ap_mac> profile-id to assign the appropriate AP profile ID.
16. Use the command domain ap <ap_mac> radio to configure the AP radio.
17. Use the command domain ap <ap_mac> serial to configure the AP serial number.
18. Use the command domain mobility-vlan <vlan_name> to create a new mobility VLAN.
19. Use the command domain e911 address <ip_address> enable to enable the E911 server.
1. Enter Wireless Configuration mode of the CLI.
2. Use the command security to enter Security Configuration mode.
3. Use the command mac-db blacklist <mac_address> to add a device to the MAC address black list.
4. Use the command mac-db whitelist <mac_address> to add a device to the MAC address white list.
5. Use the command user-db group <group_name> to create a new user database group.
6. Use the following commands to create a new user database entry:
   user-db user-name <member_name> start-date <yyyy-mm-dd>
   user-db user-name <member_name> end-date <yyyy-mm-dd>
   user-db user-name <member_name> idle-timeout <0 - 900>
   user-db user-name <member_name> max-bandwidth-down <down_bps>
   user-db user-name <member_name> max-bandwidth-up <up_bps>
   user-db user-name <member_name> max-input-octets <octets>
   user-db user-name <member_name> max-output-octets <octets>
   user-db user-name <member_name> max-total-octets <octets>
   user-db user-name <member_name> password <password>
   user-db user-name <member_name> session-timeout <timeout_value>
7. Use the command user-db membership <member_name> <group_name> to add a member to an existing group.
8. Use the following commands to configure Wireless Intrusion Detection (WIDS) timeout settings:
   wids ageout adhoc-clients <0 - 10080>
   wids ageout ap-failure <0 - 10080>
   wids ageout detected-clients <0 - 10080>
   wids ageout rf-scan <0 - 10080>
9. Use the following commands to configure WIDS known access point settings:
   wids known-ap <mac_address> channel <0 - 216>
   wids known-ap <mac_address> security {any | open | wep | wpa}
   wids known-ap <mac_address> ssid <ssid_string>
   wids known-ap <mac_address> type {known-foreign | local-enterprise | other}
   wids known-ap <mac_address> wds-mode {any | bridge | normal}
   wids known-ap <mac_address> wired-mode {allowed | not-allowed}
10. Use the following commands to configure WIDS rogue access point settings:
   wids rogue-ap ack {all | <rogue_mac_address>}
   wids rogue-ap trap-interval <60 - 3600>
   wids rogue-ap wired-detection-interval <1 - 3600>
11. Use the command wips mitigation ap-threat to enable access point threat mitigation.
12. Use the command wips mitigation client-threat to enable client threat mitigation.
13. Use the command radius server-retries to configure RADIUS server retries.
14. Use the command radius server-timeout to configure the RADIUS server timeout.
15. Use the command radius profile to configure global RADIUS profiles.
16. Use the command radius server to configure global RADIUS servers.
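As an added example (not Avaya code), the following Python builds the Security Configuration mode command batch for steps 6 to 9: one user-db entry, the WIDS ageout timers and a known-ap registration, rejecting any value outside the ranges documented above before it is ever typed into a controller. The functions only return command strings; the sample account, timer and AP values are constructed, and the hyphenated keyword local-enterprise is assumed from the syntax shown.

```python
"""Generate the Security Configuration mode command batch for one guest
account, the WIDS ageout timers and one known access point, validating every
value against the ranges documented for steps 6-9.

Added example, not Avaya code: only the CLI syntax documented on this page
is used, the sample values are constructed, and nothing is sent to a
controller (the functions return command strings)."""
from __future__ import annotations

import re
from datetime import date

# Inclusive numeric ranges taken from the command syntax above.
RANGES = {
    "idle-timeout": (0, 900),
    "wids ageout": (0, 10080),
    "known-ap channel": (0, 216),
}
NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")


def _check_range(name: str, value: int) -> int:
    lo, hi = RANGES[name]
    if not lo <= value <= hi:
        raise ValueError(f"{name} must be {lo}-{hi}, got {value}")
    return value


def norm_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or aabbccddeeff; return colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def user_db_entry(name: str, password: str, start: str, end: str,
                  idle_timeout: int, group: str | None = None) -> list[str]:
    """user-db commands (steps 6 and 7) for one account; dates are yyyy-mm-dd."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"member name {name!r} is not safe to embed in a command")
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    if last < first:
        raise ValueError("end-date precedes start-date")
    cmds = [
        f"user-db user-name {name} password {password}",
        f"user-db user-name {name} start-date {first.isoformat()}",
        f"user-db user-name {name} end-date {last.isoformat()}",
        f"user-db user-name {name} idle-timeout "
        f"{_check_range('idle-timeout', idle_timeout)}",
    ]
    if group is not None:
        cmds.append(f"user-db membership {name} {group}")
    return cmds


def wids_ageout(**minutes: int) -> list[str]:
    """wids ageout commands (step 8); keys adhoc_clients, ap_failure,
    detected_clients and rf_scan map to the documented keywords."""
    timers = {"adhoc_clients", "ap_failure", "detected_clients", "rf_scan"}
    out = []
    for key, val in minutes.items():
        if key not in timers:
            raise ValueError(f"unknown ageout timer {key}")
        out.append(f"wids ageout {key.replace('_', '-')} "
                   f"{_check_range('wids ageout', val)}")
    return out


def wids_known_ap(mac: str, ssid: str, channel: int, security: str,
                  ap_type: str = "local-enterprise") -> list[str]:
    """wids known-ap commands (step 9) registering an authorised AP so that
    WIDS does not classify it as rogue."""
    if security not in {"any", "open", "wep", "wpa"}:
        raise ValueError(f"security must be any|open|wep|wpa, got {security!r}")
    if ap_type not in {"known-foreign", "local-enterprise", "other"}:
        raise ValueError(f"unknown known-ap type {ap_type!r}")
    m = norm_mac(mac)
    return [
        f"wids known-ap {m} ssid {ssid}",
        f"wids known-ap {m} channel {_check_range('known-ap channel', channel)}",
        f"wids known-ap {m} security {security}",
        f"wids known-ap {m} type {ap_type}",
    ]


def emit(groups: list[list[str]]) -> str:
    """Join the groups into one batch, entering Security Configuration mode
    first (step 2); step 1, Wireless Configuration mode, is assumed done."""
    lines = ["security"]
    for group in groups:
        lines.extend(group)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values.
    print(emit([
        user_db_entry("guest01", "Example-Pass-2024",
                      "2024-03-01", "2024-03-07", 600, "guests"),
        wids_ageout(adhoc_clients=60, rf_scan=1440),
        wids_known_ap("00-1B-2C-3D-4E-5F", "corp-wifi", 36, "wpa"),
    ]))
```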
Connecting to another switch on page 44
Domain Name Server (DNS) Configuration on page 45
This command is executed in the Global Configuration command mode.

copy nvram config block command

This command copies the configuration stored in flash memory at the specified location and makes it the active configuration. The syntax for this command is:

copy nvram config block <1-2>

Substitute <1-2> with the configuration file to load. This command causes the switch to reset so that the new configuration can be loaded. This command is executed in the Global Configuration command mode.
3. Change the IP address.
4. Join the controller to the domain.

ip address command

The ip address command sets the IP address and subnet mask for the switch. The syntax for the ip address command is:

ip address <A.B.C.D> [netmask <A.B.C.D>] [default-gateway <A.B.C.D>]

The ip address command is executed in the Global Configuration command mode. The following table describes the parameters for the ip address command.

Table 2: ip address parameters
  Parameter                  Description
  A.B.C.D                    Denotes the IP address in dotted-decimal notation; netmask is optional.
  netmask A.B.C.D            Signifies the IP subnet mask.
  default-gateway A.B.C.D    Enter the IP address of the default IP gateway.
Note: When the IP address or subnet mask is changed, connectivity to Telnet and the Web can be lost.

ip address source command

If you want to automatically obtain an IP address, subnet mask and default gateway, you can use the ip address command with the source parameter. When you use DHCP, the switch can also obtain up to three DNS server IP addresses. The syntax for the ip address source command is:

ip address source {bootp-always | bootp-last-address | bootp-when-needed | configured-address | dhcp-always | dhcp-last-address | dhcp-when-needed}

Execute the ip address source command in the Global Configuration command mode. The following table describes the variables for the ip address source command:

Table 3: ip address source command parameters
  Parameter             Description
  bootp-always          Always use the BootP server.
  bootp-last-address    Use the last BootP server.
  bootp-when-needed     Use the BootP server when needed.
  dhcp-always           Always use the DHCP server.
  dhcp-last-address     Use the last DHCP server.
  dhcp-when-needed      Use the DHCP client when needed.
no ip address command

The no ip address command clears the IP address and subnet mask for a switch. This command sets the IP address and subnet mask for a switch to all zeros (0). The syntax for the no ip address command is:

no ip address switch

The no ip address command is executed in the Global Configuration command mode.

Note: When the IP address or subnet mask is changed, connectivity to Telnet and the Web Interface can be lost. New Telnet connections may no longer be possible, and a connection to the serial console port may be required to configure a new IP address.

ip default-gateway command

The ip default-gateway command sets the default IP gateway address for a switch to use. The syntax for the ip default-gateway command is:

ip default-gateway <A.B.C.D>

The ip default-gateway command is executed in the Global Configuration command mode. The following table describes the parameters for the ip default-gateway command.

Table 4: ip default-gateway command parameters
  Parameter    Description
  A.B.C.D      Enter the dotted-decimal IP address of the default IP gateway.
Note: When the IP gateway is changed, connectivity to Telnet and the Web Interface can be lost.

show ip command

The show ip command displays the IP configurations, BootP/DHCP mode, switch address, subnet mask, and gateway address. This command displays these parameters for what is configured, what is in use, and the last BootP/DHCP. The syntax for the show ip command is:

show ip [bootp] [dhcp] [default-gateway] [address]

The show ip command is executed in the User EXEC command mode. If you do not enter any parameters, this command displays all IP-related configuration information. The following table describes the parameters for the show ip command.

  Parameter          Description
  bootp              Displays BootP/DHCP-related IP information. The possible status values returned are: BootP Always, Disabled, BootP or Last Address, BootP When Needed, DHCP Always, DHCP or Last Address, DHCP When Needed.
  dhcp               Displays DHCP client lease information. The command displays information about the configured lease time and the lease time granted by the DHCP server.
  default-gateway    Displays the IP address of the default gateway.
  address            Displays the current IP address.

Assigning and clearing IP addresses for specific units
Displaying interfaces

The status of all interfaces on the switch can be viewed, including Multi-Link Trunk membership, link status, autonegotiation and speed, using the following command.

show interfaces command

The show interfaces command displays the current configuration and status of all interfaces. The syntax for the show interfaces command is:

show interfaces [names] [<portlist>]

The show interfaces command is executed in the User EXEC command mode.

Table 5: show interfaces command parameters
  Parameter      Description
  names          Displays the interface names.
  <portlist>     Enter specific ports if you want to see only those.
10|100|1000|auto
Note: Enabling and disabling autonegotiation for speed also enables and disables it for duplex operation. When you set the port speed for autonegotiation, ensure that the other side of the link is also set for autonegotiation.

default speed command

The default speed command sets the speed of the port to the factory default speed. The syntax for the default speed command is:

default speed [port <portlist>]

The default speed command is executed in the Interface Configuration command mode. The following table describes the parameters for this command.

  Parameter          Description
  port <portlist>    Specifies the port numbers to set the speed to factory default. Enter the port numbers you want to set. Note: If you omit this parameter, the system uses the port number you specified in the interface command.
duplex command

The duplex command specifies the duplex operation for a port. The syntax for the duplex command is:

duplex [port <portlist>] {full | half | auto}

The duplex command is executed in the Interface Configuration command mode. The following table describes the parameters for this command.

  Parameter             Description
  port <portlist>       Specifies the port numbers for which to set the duplex mode. Enter the port number you want to configure. The default value is autonegotiation. Note: If you omit this parameter, the system uses the ports you specified in the interface command.
  full | half | auto    Sets duplex to: full (full-duplex mode), half (half-duplex mode), or auto (autonegotiation).
Note: Enabling/disabling autonegotiation for speed also enables/disables it for duplex operation. When you set the duplex mode for autonegotiation, ensure that the other side of the link is also set for autonegotiation.

default duplex command

The default duplex command sets the duplex operation for a port to the factory default duplex value. The syntax for the default duplex command is:

default duplex [port <portlist>]

The default duplex command is executed in the Interface Configuration command mode. The following table describes the parameters for this command.

  Parameter          Description
  port <portlist>    Specifies the port numbers to reset the duplex mode to factory default values. Enter the port numbers you want to configure. The default value is autonegotiation. Note: If you omit this parameter, the system uses the ports you specified in the interface command.
Enabling Autotopology
The Optivity Autotopology protocol can be configured with CLI. To enable autotopology with CLI, refer to the following:
autotopology command on page 34
no autotopology command on page 34
default autotopology command on page 34
show autotopology settings command on page 34
show autotopology nmm-table command on page 34

autotopology command

The autotopology command enables the Autotopology protocol. The syntax for the autotopology command is:

autotopology

The autotopology command is executed in the Global Configuration command mode.

no autotopology command

The no autotopology command disables the Autotopology protocol. The syntax for the no autotopology command is:

no autotopology

The no autotopology command is executed in the Global Configuration command mode.

default autotopology command

The default autotopology command enables the Autotopology protocol. The syntax for the default autotopology command is:

default autotopology

The default autotopology command is executed in the Global Configuration command mode.

show autotopology settings command

The show autotopology settings command displays the global autotopology settings. The syntax for the show autotopology settings command is:

show autotopology settings

The show autotopology settings command is executed in the Privileged EXEC command mode.

show autotopology nmm-table command

The show autotopology nmm-table command displays the Autotopology network management module (NMM) table. The syntax for the show autotopology nmm-table command is:

show autotopology nmm-table

The show autotopology nmm-table command is executed in the Privileged EXEC command mode.
no flowcontrol command

The no flowcontrol command is used only on Gigabit Ethernet ports and disables flow control. The syntax for the no flowcontrol command is:

no flowcontrol [port <portlist>]

The no flowcontrol command is executed in the Interface Configuration mode. The following table describes the parameters for this command.

Table 8: no flowcontrol command parameters
  Parameter          Description
  port <portlist>    Specifies the port numbers for which to disable flow control. Note: If you omit this parameter, the system uses the ports you specified in the interface command, but only those ports that have speed set to 1000/full.
default flowcontrol command

The default flowcontrol command is used only on Gigabit Ethernet ports and sets the flow control to auto, which automatically detects the flow control. The syntax for the default flowcontrol command is:

default flowcontrol [port <portlist>]

The default flowcontrol command is executed in the Interface Configuration mode. The following table describes the parameters for this command.

  Parameter          Description
  port <portlist>    Specifies the port numbers to default to auto flow control. Note: If you omit this parameter, the system uses the port number you specified in the interface command.
default rate-limit command

The default rate-limit command restores the rate-limiting value for the specified port to the default setting. The syntax for the default rate-limit command is:

default rate-limit [port <portlist>]

The default rate-limit command is executed in the Interface Configuration command mode. The following table describes the parameters for this command.

Table 9: default rate-limit command parameters
  Parameter          Description
  port <portlist>    Specifies the port numbers on which to reset rate-limiting to factory default. Enter the port numbers on which to set rate-limiting to default. Note: If you omit this parameter, the system uses the port number you specified in the interface command.
Enabling rate-limiting
The percentage or packets per second of multicast traffic, broadcast traffic, or both can be limited with CLI. For details, refer to the following:
show rate-limit command on page 37
rate-limit command on page 37
no rate-limit command on page 38
default rate-limit command on page 36

show rate-limit command

The show rate-limit command displays the rate-limiting settings and statistics. The syntax for the show rate-limit command is:

show rate-limit

The show rate-limit command is executed in the Privileged EXEC command mode.

rate-limit command

The rate-limit command configures rate-limiting on the port. The syntax for the rate-limit command is:

rate-limit {multicast | broadcast | both} {percent <0-10>}

The rate-limit command is executed in the Interface Configuration command mode. The following table describes the parameters for this command.

Table 10: rate-limit command parameters
  Parameter                       Description
  multicast | broadcast | both    Applies rate-limiting to the type of traffic: multicast applies rate-limiting to multicast packets; broadcast applies rate-limiting to broadcast packets; both applies rate-limiting to both multicast and broadcast packets.
  percent <0-10>                  Specifies the mode for setting the rates of the incoming traffic. Enter an integer from 1 to 10 to set the rate-limiting percentage. For 10 Gb/s links, the default value for limiting both broadcast and multicast is 10 percent. Rate limiting using packets per second can only be configured using CLI.
no rate-limit command

The no rate-limit command disables rate-limiting on the port. The syntax for the no rate-limit command is:

no rate-limit [port <portlist>]

The no rate-limit command is executed in the Interface Configuration command mode. The following table describes the parameters for this command.

Table 11: no rate-limit command parameters
  Parameter          Description
  port <portlist>    Specifies the port numbers on which to disable rate-limiting. Enter the port numbers you want to disable. Note: If you omit this parameter, the system uses the port number you specified in the interface command.
The syntax for the sntp server primary address command is:

sntp server primary address <A.B.C.D>

The sntp server primary address command can be executed in the Global Configuration command mode. The following table describes the parameters for this command.

Table 12: sntp server primary address command parameters
  Parameter    Description
  <A.B.C.D>    Enter the IP address of the primary NTP server in dotted-decimal notation.
no clock sync-rtc-with-SNTP enable command on page 42
default clock sync-rtc-with-SNTP enable command on page 42
clock source command on page 43
default clock source command on page 43
Configuring CANA
Use the auto-negotiation-advertisements command to configure CANA. To configure port 5 to advertise the operational mode of 10 Mb/s and full duplex, enter the following command line:

auto-negotiation-advertisements port 5 10-full
no auto-negotiation-advertisements command
The no auto-negotiation-advertisements command makes a port silent. The syntax for the no auto-negotiation-advertisements command is:

no auto-negotiation-advertisements [port <portlist>]

The no auto-negotiation-advertisements command can be executed in the Interface Configuration mode.
ping command
Use the ping command to determine if communication with another switch can be established. The syntax for this command is:

ping <dns_host_name> [datasize <64-4096>] [{count <1-999>} | continuous] [{timeout | -t} <1-120>] [interval <1-60>] [debug]

Substitute <dns_host_name> with the DNS host name of the unit to test. Run this command in User EXEC command mode or any of the other command modes. The following table describes the parameters for this command.
timeout | -t <1-120>
telnet command
Use the telnet command to establish communications with another switch during the current CLI session. Communication can be established to only one external switch at a time using the telnet command. The syntax for this command is:

telnet <dns_host_name>

Substitute <dns_host_name> with the DNS hostname of the unit with which to communicate. This command is executed in the User EXEC command mode.
ip domain-name command
The ip domain-name command is used to set the default DNS domain name for the switch. This default domain name is appended to all DNS queries or commands that do not already contain a DNS domain name. The syntax for this command is:

ip domain-name <domain_name>

Substitute <domain_name> with the default domain name to be used. A domain name is determined to be valid if it contains alphanumeric characters and contains at least one period (.). This command is executed in the Global Configuration command mode.
no ip domain-name command
The no ip domain-name command is used to clear a previously configured default DNS domain name for the switch. The syntax for this command is:

no ip domain-name

This command is executed in the Global Configuration command mode.
ip name-server command
The ip name-server command is used to set the domain name servers the switch uses to resolve a domain name to an IP address. A switch can have up to three domain name servers specified for this purpose. The syntax of this command is:

ip name-server <ip_address_1>
ip name-server <ip_address_2>
ip name-server <ip_address_3>

Note: To enter all three server addresses you must enter the command three times, each with a different server address.

The following table outlines the parameters for this command.

Table 18: ip name-server command parameters
  Parameter         Description
  <ip_address_1>    The IP address of the domain name server used by the switch.
  <ip_address_2>    Optional. The IP address of a domain name server to add to the list of servers used by the switch.
  <ip_address_3>    Optional. The IP address of a domain name server to add to the list of servers used by the switch.
no ip name-server command
The no ip name-server command is used to remove domain name servers from the list of servers used by the switch to resolve domain names to an IP address. The syntax for this command is:

no ip name-server <ip_address_1>
no ip name-server [<ip_address_2>]
no ip name-server [<ip_address_3>]

Note: To remove all three server addresses you must enter the command three times, each with a different server address.

The following table outlines the parameters for this command.

  Parameter         Description
  <ip_address_1>    The IP address of the domain name server to remove.
  <ip_address_2>    Optional. The IP address of a domain name server to remove from the list of servers used by the switch.
  <ip_address_3>    Optional. The IP address of a domain name server to remove from the list of servers used by the switch.
During the download process the switch is not operational. The progress of the download process can be tracked by observing the front panel LEDs. To change the software version running on the switch with CLI, follow this procedure:
1. Access CLI through the Telnet protocol or a Console connection.
2. From the command prompt, use the download command with the following parameters to change the software version:

   download [address <a.b.c.d>] {primary | secondary} {image <image name> | image-if-newer <image name> | diag <image name>} [no-reset] [usb]

   The following table explains the parameters for the download command.

   Table 20: download command parameters
     Parameter                      Description
     address <a.b.c.d>              This parameter is the IP address of the TFTP server to be used. The address <ip> parameter is optional and if omitted the switch defaults to the TFTP server specified by the tftp-server command unless software
     primary | secondary            This parameter determines if the image is the primary or secondary image.
     image <image name>             This parameter is the name of the software image to be downloaded from the TFTP server.
     image-if-newer <image name>    This parameter is the name of the software image to be downloaded from the TFTP server if newer than the currently running image.
     diag <image name>              This parameter is the name of the diagnostic image to be downloaded from the TFTP server.
     no-reset                       This parameter forces the switch to not reset after the software download is complete.
     usb                            In the WC 8180, this parameter specifies that the software download is performed using a USB Mass Storage Device and the front panel USB port.

3. Press Enter.
Description The name of the file that is created when the configuration is saved to the TFTP server or USB Mass Storage Device.
The copy running-config command can only be executed in the Privileged EXEC mode.
This command must be run in the Privileged EXEC mode. The current switch settings relevant to this process can be viewed using the show config-network command. This command takes no parameters and must be executed in Privileged EXEC mode.
Terminal setup
Switch terminal settings can be customized to suit the preferences of a switch administrator. This operation must be performed in CLI.
The terminal command configures terminal settings. These settings are transmit and receive speeds, terminal length, and terminal width. The syntax of the terminal command is:

terminal speed {2400 | 4800 | 9600 | 19200 | 38400} length <0-132> width <1-132>

The terminal command is executed in the User EXEC command mode. The following table describes the parameters for this command.

Table 24: terminal command parameters
  Parameter                                     Description
  speed {2400 | 4800 | 9600 | 19200 | 38400}    Sets the transmit and receive baud rates for the terminal. The speed can be set at one of the five options shown; the default is 9600.
  length <0-132>                                Sets the length of the terminal display in lines; the default is 23. Note: If the terminal length is set to a value of 0, pagination is disabled and the display continues to scroll without stopping.
  width <1-132>                                 Sets the width of the terminal display in characters; the default is 79.

The show terminal command can be used at any time to display the current terminal settings. This command takes no parameters and is executed in the EXEC command mode.
Note: Multiple users can access the CLI system simultaneously, through the serial port, Telnet, and modems. The maximum number of simultaneous users is four. All users can configure simultaneously.

For details on viewing and changing the Telnet-allowed IP addresses and settings, refer to the following:
telnet-access command on page 54
no telnet-access command
default telnet-access command on page 55
telnet-access command
The telnet-access command configures the Telnet connection that is used to manage the switch. The telnet-access command is executed through the console serial connection. The syntax for the telnet-access command is:

telnet-access [enable | disable] [login-timeout <1-10>] [retry <1-100>] [inactive-timeout <0-60>] [logging {none | access | failures | all}] [source-ip <1-50> <A.B.C.D> <WORD> [mask <A.B.C.D>]]

Execute the telnet-access command in the Global Configuration command mode. The following table describes the parameters for the telnet-access command.

Table 25: telnet-access command parameters
  Parameter                                   Description
  enable | disable                            Enables or disables the Telnet connection.
  login-timeout <1-10>                        Specify in minutes the time to wait for Telnet and Console login before the connection closes. Enter an integer between 1 and 10.
  retry <1-100>                               Specify the number of times the user can enter an incorrect password before the connection closes. Enter an integer between 1 and 100.
  inactive-timeout <0-60>                     Specify in minutes the duration after which an inactive session is terminated.
  logging {none | access | failures | all}    Specify the events whose details you want to store in the event log: none (do not save access events in the log), access (save only successful access events in the log), failures (save failed access events in the log), all (save all access events in the log).
  source-ip <1-50> <A.B.C.D> [mask <A.B.C.D>] Specify the source IP address from which connections are allowed. Enter the IP address in dotted-decimal notation. mask specifies the subnet mask from which connections are allowed; enter the IP mask in dotted-decimal notation.
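The following added example (not Avaya code) reads telnet-access lines in the syntax documented above and reports settings that weaken management access: Telnet enabled with no source-ip restriction, a logging mode that omits failed logins, and a high retry count (the retry threshold is a local policy assumption, not a value from this manual). It assumes a saved configuration echoes the command in this syntax with source-ip written as source-ip <1-50> <A.B.C.D> [mask <A.B.C.D>]; the configuration text in the block is constructed sample input.

```python
"""Audit telnet-access settings from a saved configuration against the
parameter table above and report management-plane weaknesses.

Added example, not Avaya code. It assumes the saved configuration echoes
the command in the documented syntax, with the source-ip entry written as
'source-ip <1-50> <A.B.C.D> [mask <A.B.C.D>]'; the config text below is
constructed sample input, not output from a real switch."""
from __future__ import annotations

import ipaddress

LOGGING_MODES = {"none", "access", "failures", "all"}
LIMITS = {"login-timeout": (1, 10), "retry": (1, 100), "inactive-timeout": (0, 60)}
# Local policy threshold (assumption, not from the manual): more than this
# many password attempts per connection is reported.
MAX_RETRY_POLICY = 5


def parse_telnet_access(config: str) -> dict:
    """Fold every telnet-access line into one settings dict."""
    settings: dict = {"enabled": None, "logging": None, "sources": {}}
    for line in config.splitlines():
        toks = line.split()
        if not toks or toks[0] != "telnet-access":
            continue
        i = 1
        while i < len(toks):
            tok = toks[i]
            if tok in ("enable", "disable"):
                settings["enabled"] = tok == "enable"
                i += 1
            elif tok in LIMITS:
                lo, hi = LIMITS[tok]
                val = int(toks[i + 1])
                if not lo <= val <= hi:
                    raise ValueError(f"{tok} {val} outside documented range {lo}-{hi}")
                settings[tok] = val
                i += 2
            elif tok == "logging":
                if toks[i + 1] not in LOGGING_MODES:
                    raise ValueError(f"unknown logging mode {toks[i + 1]!r}")
                settings["logging"] = toks[i + 1]
                i += 2
            elif tok == "source-ip":
                index = int(toks[i + 1])
                if not 1 <= index <= 50:
                    raise ValueError(f"source-ip index {index} outside 1-50")
                addr = toks[i + 2]
                i += 3
                mask = "255.255.255.255"          # no mask given: a single host
                if i < len(toks) and toks[i] == "mask":
                    mask = toks[i + 1]
                    i += 2
                settings["sources"][index] = ipaddress.ip_network(
                    f"{addr}/{mask}", strict=False)
            else:
                raise ValueError(f"unexpected token {tok!r} in {line!r}")
    return settings


def audit(config: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    s = parse_telnet_access(config)
    findings: list[str] = []
    if s["enabled"] is None:
        return ["telnet-access state is not set explicitly in this configuration"]
    if not s["enabled"]:
        return findings                  # Telnet off: nothing further applies
    nets = list(s["sources"].values())
    # Telnet carries credentials in clear text, so reachability should be
    # limited to known management addresses.
    if not nets or any(n.prefixlen == 0 for n in nets):
        findings.append("Telnet enabled without a source-ip restriction: any address may connect")
    if s["logging"] in (None, "none", "access"):
        findings.append(f"failed Telnet logins are not logged (logging={s['logging']})")
    if s.get("retry") is not None and s["retry"] > MAX_RETRY_POLICY:
        findings.append(f"retry {s['retry']} allows many password attempts per connection")
    return findings


# Constructed sample configurations (not captured from a switch).
WEAK_CONFIG = "telnet-access enable retry 100 logging none\n"
HARDENED_CONFIG = (
    "telnet-access enable login-timeout 2 retry 3 inactive-timeout 10 logging all\n"
    "telnet-access source-ip 1 10.20.30.0 mask 255.255.255.0\n"
    "telnet-access source-ip 2 10.20.31.7\n"
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```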
boot command
The boot command performs a soft-boot of the switch. The syntax for the boot command is:

boot [default] [partial-default]

The boot command is executed in the Privileged EXEC command mode. The following table describes the parameters for the boot command.

Table 26: boot command parameters
  Parameter          Description
  default            Reboot the switch and use the factory default configurations.
  partial-default    Reboot the switch and use partial factory default configurations.
Note: When you reset to factory defaults, the switch retains the last reset count and reason for last reset; these two parameters do not default to factory defaults.
Defaulting to BootP-when-needed
The BootP default value is BootP-when-needed. This enables the switch to be booted and the system to automatically seek a BootP server for the IP address. If an IP address is assigned to the device and the BootP process times out, the BootP mode remains in the default mode of BootP-when-needed. However, if the device does not have an assigned IP address and the BootP process times out, the BootP mode automatically changes to BootP disabled. But this change to BootP disabled is not stored, and the BootP reverts to the default value of BootP-when-needed after rebooting the device. When the system is upgraded, the switch retains the previous BootP value. When the switch is defaulted after an upgrade, the system moves to the default value of BootP-when-needed.

Refer to the following commands to configure BootP parameters:
ip bootp server command on page 56
no ip bootp server command on page 57
default ip bootp server command on page 57
  Parameter    Description
  always       Always use BootP.
  disable      Never use BootP.
  last         Use BootP or the last known address.
  needed       Use BootP only when needed.

Note: The default value is to use BootP when needed.
shutdown command
The shutdown command provides a mechanism for safely shutting down a switch without interfering with device processes or corrupting the software image. After this command is issued, the configuration is saved, auto-save functionality is temporarily disabled, and configuration changes are not allowed until the switch restarts. If the shutdown is cancelled, auto-save functionality returns to the state in which it was previously functioning. The shutdown command has the following syntax:

shutdown [force] [minutes-to-wait <1-60>] [cancel]

The following table describes the parameters of the shutdown command.
cancel
reload command
The reload command operates in a similar fashion to the shutdown command. However, the reload command is intended more to be used by system administrators using the command functionality to configure remote devices and reset them when the configuration is complete. The reload command differs from the shutdown command in that the configuration is not explicitly saved after the command is issued. This means that any configuration changes must be explicitly saved before the switch reloads. The reload command does temporarily disable auto-save functionality until the reload occurs. Cancelling the reload returns auto-save functionality to any previous setting. The reload command has the following syntax:

reload [force] [minutes-to-wait <1-60>] [cancel]

The following table describes the parameters of the reload command.

Table 29: reload command parameters
  Parameter                 Description
  force                     This parameter forces the reload without confirmation.
  minutes-to-wait <1-60>    This parameter represents the number of minutes to wait before the reload occurs. If no value is specified, the default value of 10 minutes is used.
  cancel                    This parameter cancels a scheduled reload any time during the time period specified by the minutes-to-wait parameter.
CLI Help
To obtain help on the navigation and use of the Command Line Interface (CLI), use the following command:

help {commands | modes}

Use help commands to obtain information about the commands available in CLI, organized by command mode. A short explanation of each command is also included. Use help modes to obtain information about the command modes available and the CLI commands used to access them. These commands are available in any command mode.
1. In CLI, set the Global Configuration command mode:
   configure
2. Enable the SNTP server.
3. Set the date to change to daylight savings time:
   clock summer-time zone date day month year hh:mm day month year hh:mm [offset]
Job aid
The following table defines the variables for the clock summer-time command:

Table 30: clock summer-time command parameters
  Parameter    Description
  date         Indicates that daylight savings time should start and end on the specified days every year.
  day          Date to start daylight savings time.
  month        Month to start daylight savings time.
  year         Year to start daylight savings time.
  hh:mm        Hour and minute to start daylight savings time.
  day          Date to end daylight savings time.
  month        Month to end daylight savings time.
  year         Year to end daylight savings time.
  hh:mm        Hour and minute to end daylight savings time.
  offset       Number of minutes to add during the summer time.
  zone         The time zone acronym to be displayed when daylight savings time is in effect. If it is unspecified, it defaults to the time zone acronym set when the time zone was set.
Note: Dual Agent supports the WLAN switches NBUs through AAUR.
1. In CLI, set the Global Configuration command mode:
   configure
2. Enable the SNTP server.
3. Set the clock time zone using the clock command:
   clock time-zone zone hours [minutes]
Job aid
The following table defines the variables for the clock time-zone command:

Table 32: clock time-zone command
  Variable    Description
  zone        Time zone acronym to be displayed when showing system time (up to 4 characters).
  hours       Difference from UTC in hours. This can be any value between -12 and +12.
  minutes     Optional: the number of minutes difference from UTC. Minutes can be any value between 0 and 59.
banner command
The banner command specifies the banner displayed at startup, either static or custom. The syntax for the banner command is:

banner {static | custom} <line number> "<LINE>"

The following table outlines the parameters for this command.

Table 34: banner command parameters
  Parameter          Description
  static | custom    Sets the display banner as static or custom.
  line number        Enter the banner line number you are setting. The range is 1 to 19.
  LINE               Specifies the characters in the line number.
no banner command
The no banner command clears all lines of a previously stored custom banner and sets the banner type to the default setting (STATIC). The syntax for the no banner command is:
no banner
The no banner command is executed in the Privileged EXEC command mode.
Enabling Autosave
With autosave enabled, the system checks every minute for new configuration data and, if there is any, saves it to NVRAM automatically. While autosave is enabled, the AUR feature should perform normally. Use the following command to enable the autosave feature.
web-server command
The web-server command enables or disables the web server used for Web-based management. The syntax for the web-server command is:
web-server {enable | disable}
The web-server command is executed in the Global Configuration command mode. The following table describes the parameters for this command.
Table 35: web-server command parameters
    enable | disable: Enables or disables the web server.
no web-server command
The no web-server command disables the web server used for Web-based management. The syntax for the no web-server command is: no web-server The no web-server command is executed in the Global Configuration command mode.
1. Access CLI through the Telnet protocol or a Console connection. Prefer the console (or SSH, once enabled) over Telnet for this step: Telnet carries the new password across the network in clear text.
2. From the command prompt, use the cli password command to change the desired password:
   cli password {read-only | read-write} <password>
   The following table describes the parameters for this command.
   Table 36: cli password command parameters
       {read-only | read-write}: Specifies whether the password change is for read-only access or read-write access.
       <password>: The new password. If password security is disabled, the length can be 1-15 characters. If password security is enabled, the length must be 10-15 characters.
3. Press Enter.
1. Access CLI through the Telnet protocol or a Console connection.
2. From the command prompt, use the cli password command to enable or disable the desired password:
   cli password {telnet | serial} {none | local | radius | tacacs}
   The following table describes the parameters for this command.
   Table 37: cli password parameters
       {telnet | serial}: Specifies whether the password setting applies to Telnet or to the console. Telnet and web access are tied together, so enabling or disabling passwords for one enables or disables them for the other.
       {none | local | radius | tacacs}: Specifies whether the password is disabled (none), whether the locally stored password created in the previous procedure is used (local), or whether RADIUS authentication (radius) or TACACS+ AAA services (tacacs) are used.
3. Press Enter.
1. Access CLI through the Telnet protocol or a Console connection.
2. From the command prompt, use the radius-server command to configure the server settings:
   radius-server host <address> [secondary-host <address>] port <num> key <string> [password fallback]
   The following table describes the parameters for this command.
   Table 38: radius-server parameters
       host <address>: The IPv6 or IPv4 address of the RADIUS server that is used for authentication.
       [secondary-host <address>]: Optional. If a backup RADIUS server is to be specified, include this parameter with the IPv6 or IPv4 address of the backup server.
       port <num>: The UDP port number the RADIUS server uses to listen for requests.
       key: Prompts you to supply a secret text string or password that is shared between the switch and the RADIUS server. Enter the secret string, which can be up to 16 characters in length; use the full length and a randomly generated value. The password is hidden when entered.
       [password fallback]: Optional. Enables the password fallback feature for the RADIUS server, so that the local password is accepted when no RADIUS server responds. This option is disabled by default.
3. Press Enter.
no mac-security security-list command on page 74 mac-security command for specific ports on page 74 show mac-security command on page 75 mac-security mac-da-filter command on page 75 CLI commands for MAC address auto-learning on page 75 mac-security auto-learning aging-time command on page 76 no mac-security auto-learning aging-time command on page 76 default mac-security auto-learning aging-time command on page 76 mac-security auto-learning port command on page 76 no mac-security auto-learning command on page 77 default mac-security auto-learning command on page 77
The show mac-security command is executed in the Privileged EXEC command mode.
The syntax for the show mac-security mac-da-filter command is show mac-security mac-da-filter The show mac-security mac-da-filter command is executed in the Privileged EXEC command mode. The show mac-security mac-da-filter command has no parameters or variables.
mac-security command
The mac-security command modifies the BaySecure configuration. The syntax for the mac-security command is:
mac-security [disable|enable] [filtering {enable|disable}] [intrusion-detect {enable|disable|forever}] [intrusion-timer <1-65535>] [learning-ports <portlist>] [learning {enable|disable}] [snmp-lock {enable|disable}] [snmp-trap {enable|disable}]
The following table outlines the parameters for this command.
Table 40: mac-security parameters
    disable|enable: Disables or enables MAC address-based security.
    filtering {enable|disable}: Enables or disables DA filtering when an intrusion is detected.
    intrusion-detect {enable|disable|forever}: Specifies partitioning of a port when an intrusion is detected:
        enable: the port is partitioned for a period of time
        disable: the port is not partitioned on detection
        forever: the port is partitioned until manually changed
    intrusion-timer <1-65535>: Specifies, in seconds, the length of time a port is partitioned when an intrusion is detected; enter the number of seconds desired.
    learning-ports <portlist>: Specifies the ports on which MAC address learning is performed. Learned addresses are added to the table of allowed MAC addresses. A single port, a range of ports, several ranges, all ports, or no ports can be entered.
    learning {enable|disable}: Enables or disables MAC address learning on the learning ports.
    snmp-lock {enable|disable}: Enables or disables a lock on SNMP write access to the BaySecure MIBs.
    snmp-trap {enable|disable}: Enables or disables trap generation upon intrusion detection.
    disable|enable|learning: Directs the specified port:
        disable: disables BaySecure on the specified port and removes the port from the list of ports for which MAC address learning is being performed
        enable: enables BaySecure on the specified port and removes the port from the list of ports for which MAC address learning is being performed
        learning: disables BaySecure on the specified port and adds the port to the list of ports for which MAC address learning is being performed
The mac-security command for specific ports executes in the Interface Configuration mode.
The following table outlines the parameters for this command.
Table 44: mac-security auto-learning parameters
    <portlist>: The ports to configure for auto-learning.
    disable|enable: Disables or enables auto-learning on the specified ports. The default is disabled.
    max-addrs <1-25>: Sets the maximum number of addresses the port learns. The default is 2.
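The following is an added example, not Avaya code, that models one BaySecure port according to the mac-security and mac-security auto-learning parameters described above: a table of allowed source addresses, auto-learning up to max-addrs, the intrusion-detect modes enable, disable and forever, the intrusion-timer and SNMP trap generation. Time is a plain number of seconds passed in by the caller, the MAC addresses and port numbers are constructed, and the exact frame handling (for example that a partitioned port drops even known addresses) is the model's assumption.

```python
"""Added example (not Avaya's code): a model of one BaySecure port that
follows the mac-security parameters on this page: allowed addresses,
auto-learning with max-addrs, intrusion-detect enable/disable/forever,
the intrusion-timer and SNMP trap generation. Time is a plain number
of seconds supplied by the caller; MAC addresses are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


def norm_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 (H.H.H)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MacSecurityPort:
    port: int
    enabled: bool = True                 # mac-security enable on this port
    allowed: Set[str] = field(default_factory=set)   # allowed source MACs
    auto_learning: bool = False          # mac-security auto-learning port ... enable (default disabled)
    max_addrs: int = 2                   # max-addrs <1-25>, default 2
    intrusion_detect: str = "disable"    # enable | disable | forever
    intrusion_timer: int = 60            # seconds the port stays partitioned in 'enable' mode
    snmp_trap: bool = False
    partitioned_until: Optional[float] = None   # None: open; inf: until manually cleared
    traps: List[Tuple[float, int, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.max_addrs <= 25:
            raise ValueError("max-addrs must be 1-25")
        if self.intrusion_detect not in ("enable", "disable", "forever"):
            raise ValueError("intrusion-detect must be enable, disable or forever")
        self.allowed = {norm_mac(m) for m in self.allowed}

    def is_partitioned(self, now: float) -> bool:
        return self.partitioned_until is not None and now < self.partitioned_until

    def clear_partition(self) -> None:
        """Operator action; the only way out of a 'forever' partition."""
        self.partitioned_until = None

    def ingress(self, src_mac: str, now: float) -> str:
        """Classify one received frame: forward, learned, dropped or intrusion."""
        src = norm_mac(src_mac)
        if not self.enabled:
            return "forward"
        if self.is_partitioned(now):
            return "dropped"          # assumption: a partitioned port drops everything
        if src in self.allowed:
            return "forward"
        if self.auto_learning and len(self.allowed) < self.max_addrs:
            self.allowed.add(src)
            return "learned"
        # unknown source on a secured port: the intrusion case
        if self.snmp_trap:
            self.traps.append((now, self.port, src))
        if self.intrusion_detect == "enable":
            self.partitioned_until = now + self.intrusion_timer
        elif self.intrusion_detect == "forever":
            self.partitioned_until = float("inf")
        return "intrusion"


def run_demo() -> List[str]:
    """Constructed traffic on port 5: auto-learning of two addresses, 30 s timer."""
    port = MacSecurityPort(5, auto_learning=True, intrusion_detect="enable",
                           intrusion_timer=30, snmp_trap=True)
    frames = [("00:11:22:33:44:55", 0), ("00:11:22:33:44:66", 1),
              ("00:11:22:33:44:77", 2),   # third address: intrusion, partitioned until t=32
              ("00:11:22:33:44:55", 3),   # known address, but the port is partitioned
              ("00:11:22:33:44:55", 40)]  # timer expired, the port forwards again
    return [port.ingress(mac, t) for mac, t in frames]


if __name__ == "__main__":
    print(run_demo())
```

The demo shows why intrusion-detect forever deserves an alarm path: once a port is partitioned forever, only clear_partition (an operator change on the switch) reopens it, whereas in enable mode the port silently recovers after intrusion-timer seconds, which is the window in which the trap is the only evidence.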
The default mac-security auto-learning command executes in the Interface Configuration mode.
    port <port>: Specifies the UDP port for RADIUS. <port> is an integer in the range 0-65535. The default port number is 1812.
    [secondary-host <IPaddr>]: Specifies the IP address of the secondary server. The secondary server is used only if the primary server does not respond.
    [timeout <timeout>]: Specifies the number of seconds before the service request times out. RADIUS allows three retries for each server (primary and secondary). <timeout> is an integer in the range 1-60. The default timeout interval is 2 seconds.
Delete a RADIUS server and restore default RADIUS settings by using one of the following commands in Global or Interface Configuration mode:
no radius-server
default radius-server
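The following is an added example, not Avaya code, that ties together the cli password {telnet|serial} {none|local|radius} modes, the radius-server primary and secondary servers with their timeout and three retries, and the optional password fallback described above. It answers two questions a practitioner asks before turning RADIUS on: how long a login can hang when no server answers, and whether the local password still works when they are all down. The server addresses, user names and passwords are constructed; tacacs mode is not modelled; and the assumption that each retry waits the full timeout, one server after the other, is the model's own.

```python
"""Added example (not Avaya's code): models how the cli password
{telnet|serial} {none|local|radius} mode, the RADIUS primary and
secondary servers with their timeout and three retries, and the
optional password fallback decide whether a CLI login succeeds.
Server behaviour and credentials are constructed for the example."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

RADIUS_RETRIES = 3          # the switch retries each server three times


def valid_local_password(password: str, password_security: bool) -> bool:
    """Length rule for cli password {read-only|read-write} <password>:
    1-15 characters normally, 10-15 when password security is enabled."""
    low = 10 if password_security else 1
    return low <= len(password) <= 15


@dataclass
class RadiusServer:
    address: str
    reachable: bool                     # constructed: does the server answer at all
    accepts: Set[Tuple[str, str]] = field(default_factory=set)  # (user, password) pairs it accepts


@dataclass
class SwitchAuth:
    mode: str                           # none | local | radius (tacacs is not modelled here)
    local_password: str
    password_fallback: bool = False     # radius-server ... password fallback
    timeout: int = 2                    # radius-server timeout, default 2 s
    primary: Optional[RadiusServer] = None
    secondary: Optional[RadiusServer] = None

    def worst_case_wait(self) -> int:
        """Seconds a login can hang when no RADIUS server answers: every
        configured server times out on each of its retries (assumed sequential)."""
        servers = [s for s in (self.primary, self.secondary) if s is not None]
        return len(servers) * RADIUS_RETRIES * self.timeout

    def login(self, user: str, password: str) -> Tuple[bool, str]:
        if self.mode == "none":
            return True, "no password required"
        if self.mode == "local":
            return password == self.local_password, "local password"
        if self.mode != "radius":
            raise ValueError(f"unsupported mode {self.mode!r}")
        for server in (self.primary, self.secondary):
            if server is not None and server.reachable:
                # the secondary is consulted only when the primary does not respond
                return (user, password) in server.accepts, f"radius {server.address}"
        # every server exhausted its retries without answering
        if self.password_fallback:
            return password == self.local_password, "radius unreachable, local fallback"
        return False, "radius unreachable, no fallback"


def scenario(fallback: bool, primary_up: bool) -> Tuple[bool, str, int]:
    """Constructed scenario: primary 192.0.2.10, secondary 192.0.2.11 (always down)."""
    primary = RadiusServer("192.0.2.10", primary_up, {("admin", "CorrectHorse!1")})
    secondary = RadiusServer("192.0.2.11", False)
    switch = SwitchAuth("radius", "LocalFallback9x", fallback, 2, primary, secondary)
    password = "CorrectHorse!1" if primary_up else "LocalFallback9x"
    ok, how = switch.login("admin", password)
    return ok, how, switch.worst_case_wait()


if __name__ == "__main__":
    for fb, up in ((False, True), (False, False), (True, False)):
        print(f"fallback={fb} primary_up={up} -> {scenario(fb, up)}")
```

Without password fallback, losing both RADIUS servers also loses CLI access over Telnet (the console is governed by the separate serial setting), so decide deliberately whether the local password is an acceptable break-glass credential before enabling it.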
snmp-server user command on page 92
no snmp-server user command on page 94
snmp-server view command on page 94
no snmp-server view command on page 95
snmp-server bootstrap command on page 95
show snmp-server notification-control on page 96
snmp-server notification-control command on page 97
no snmp-server notification-control on page 97
default snmp-server notification-control on page 98
spanning-tree rstp traps command on page 98
no spanning-tree rstp traps command on page 99
default spanning-tree rstp traps command on page 99
show spanning-tree rstp traps config command on page 99
community, or four trap destinations of the proprietary method of configuring SNMP. Otherwise, the commands change or display SNMPv3 MIB data.
The WLAN 8100 Series software supports MD5 and SHA authentication, as well as AES and DES encryption. The SNMP agent supports exchanges using SNMPv1, SNMPv2c and SNMPv3. Support for SNMPv2c introduces a standards-based GetBulk retrieval capability using SNMPv1 communities. SNMPv3 support introduces industrial-grade user authentication and message security. This includes MD5- and SHA-based user authentication and message integrity verification, as well as AES- and DES-based privacy encryption. Export restrictions on SHA and DES necessitate support for domestic and non-domestic executable images, or defaulting to no encryption for all customers. Where the image supports them, prefer SHA for authentication and AES for privacy over MD5 and DES when creating SNMPv3 users.
The traps can be configured in SNMPv1, v2, or v3 format. If you do not identify the version (v1, v2, or v3), the system formats the traps in the v1 format. A community string can be entered if the system requires one.
The syntax for the default snmp-server authentication-trap command is default snmp-server authentication-trap The default snmp-server authentication-trap command executes in the Global Configuration mode.
The snmp-server community command executes in the Global Configuration mode. The following table outlines the parameters for this command.
Table 50: snmp-server community command parameters
    read-view <view-name>: Changes the read view used by the new community string for different types of SNMP operations. view-name specifies the name of the view, which is a set of MIB objects/instances that can be accessed; enter an alphanumeric string.
    write-view <view-name>: Changes the write view used by the new community string for different types of SNMP operations. view-name specifies the name of the view, which is a set of MIB objects/instances that can be accessed; enter an alphanumeric string.
    notify-view <view-name>: Changes the notify view settings used by the new community string for different types of SNMP operations. view-name specifies the name of the view, which is a set of MIB objects/instances that can be accessed; enter an alphanumeric string.
Parameters for removing community strings (the no form of the command):
    ro|rw: Sets the specified old-style community string value to NONE, thereby disabling it.
    community-string: Deletes the specified community string from the SNMPv3 MIBs (that is, from the new-style configuration).
default snmp-server contact The default snmp-server contact command executes in the Global Configuration mode.
snmp-server command
The snmp-server command enables or disables the SNMP server. The syntax for the snmp-server command is: snmp-server {enable|disable} The following table describes the parameters for this command. Table 53: snmp-server command parameters
Parameter enable|disable Description Enables or disables the SNMP server.
no snmp-server command
The no snmp-server command disables SNMP access. The syntax for the no snmp-server command is no snmp-server The no snmp-server command executes in the Global Configuration mode. The no snmp-server command has no parameters or variables. Important: If you disable SNMP access to the switch, you cannot use Device Manager for the switch.
Using the new standards-based SNMP method, you can create several entries in SNMPv3 MIBs. Each can generate v1, v2c, or v3 traps.
Important: Before using the desired community string or user in this command, ensure that it is configured with a notify-view.
The new standards-based method syntax for the snmp-server host command is:
snmp-server host <host-ip> [port <trap-port>] {v1 <community-string> | v2c <community-string> | v3 {auth|no-auth|auth-priv} <username>}
The snmp-server host command executes in the Global Configuration mode. The following table describes the parameters for this command.
Table 54: snmp-server host command parameters
    host-ip: Enter a dotted-decimal IP address of a host to be the trap destination.
    community-string: If you are using the proprietary method for SNMP, enter a community string that works as a password and permits access to the SNMP protocol.
    port <trap-port>: Enter a value for the SNMP trap port between 1 and 65535.
    v1 <community-string>: To configure the new standards-based tables, using v1 creates trap receivers in the SNMPv3 MIBs. Multiple trap receivers with varying access levels can be created.
    v2c <community-string>: To configure the new standards-based tables, using v2c creates trap receivers in the SNMPv3 MIBs. Multiple trap receivers with varying access levels can be created.
    v3 {auth|no-auth|auth-priv}: To configure the new standards-based tables, using v3 creates trap receivers in the SNMPv3 MIBs. Multiple trap receivers with varying access levels can be created. Enter one of the following:
        auth: SNMPv3 traps are sent using authentication and no privacy.
        no-auth: SNMPv3 traps are sent with no authentication and no privacy.
        auth-priv: traps are sent using authentication and privacy; this parameter is available only if the image has full SHA/DES support.
    username: To configure the new standards-based tables, specifies the SNMPv3 user name for the trap destination; enter an alphanumeric string.
Parameters for clearing trap destinations (the no form of the command), proprietary method:
    host-ip: The IP address of a trap destination host.
    community-string: The community string that works as a password and permits access to the SNMP protocol.
    If both parameters are omitted, all hosts are cleared, proprietary and standards-based. If a host IP is included, the community-string is required or an error is reported.
Using the standards-based method, the parameters are: the IP address of a trap destination host; the SNMP trap port; the trap receiver entry in the SNMPv3 MIBs; and the <community-string> that works as a password and permits access to the SNMP protocol.
The sha and 3des/aes/des parameters are only available if the switch image has SSH support. For authenticated access, you must specify the md5 or sha parameter. For authenticated and encrypted access, you must also specify the 3des, aes, or des parameter. For each level of access, you can specify read, write, and notify views. If you do not specify view parameters for authenticated access, the user will have access to the views specified for unauthenticated access. If you do not specify view parameters for encrypted access, the user will have access to the views specified for authenticated access or, if no authenticated views were specified, the user will have access to the views specified for unauthenticated access.
The following table describes the parameters for this command.
Table 58: snmp-server user command parameters
    username: Specifies the user name. Enter an alphanumeric string of up to 255 characters.
    md5 <password>: Specifies the use of an MD5 password. <password> specifies the new user's MD5 password; enter an alphanumeric string. If this parameter is omitted, the user is created with only unauthenticated access rights.
    read-view <view-name>: Specifies the read view to which the new user has access. view-name specifies the view name; enter an alphanumeric string of up to 255 characters.
    write-view <view-name>: Specifies the write view to which the new user has access. view-name specifies the view name; enter an alphanumeric string that can contain at least some of the non-alphanumeric characters.
    notify-view <view-name>: Specifies the notify view to which the new user has access. view-name specifies the view name; enter an alphanumeric string that can contain at least some of the non-alphanumeric characters.
    sha: Specifies SHA authentication.
    3des: Specifies 3DES privacy encryption.
    aes: Specifies AES privacy encryption.
    des: Specifies DES privacy encryption.
    engine-id: Specifies the new remote user to receive notifications. notify-view specifies the view name to notify.
Important: If a view parameter is omitted from the command, that view type cannot be accessed.
    OID: Specifies an object identifier. The OID can be entered in dotted form. Each OID may be preceded by a + or - sign; if the sign is omitted, + is implied. In the dotted form, a sub-identifier can be an asterisk, indicating a wildcard. Examples of valid OID parameters:
        sysName
        +sysName
        -sysName
        +sysName.0
        +ifIndex.1
        -ifEntry.*.1 (this matches all objects in the ifTable with an instance of 1; that is, the entry for interface #1)
        1.3.6.1.2.1.1.1.0 (the dotted form of sysDescr)
    The + or - indicates whether the specified OID is included in, or excluded from, the set of MIB objects accessible using this view. Up to 10 OID values can be given.
configuration data for SNMPv3. This configuration data follows the conventions described in the SNMPv3 standard (RFC 3414 and RFC 3415). This command creates a set of initial users, groups and views.
Important: This command deletes all existing SNMP configuration, so it must be used with care.
The syntax for the snmp-server bootstrap command is:
snmp-server bootstrap <minimum-secure> | <semi-secure> | <very-secure>
The snmp-server bootstrap command is executed in the Global Configuration mode. The following table describes the parameters for this command.
Table 62: snmp-server bootstrap command parameters
    <minimum-secure>: Specifies a minimum security configuration that allows read access and notify access to all processes (view restricted) with noAuth-noPriv, and read, write, and notify access to all processes (view internet) using Auth-noPriv and Auth-Priv. Important: In this configuration, view restricted matches view internet, so unauthenticated (noAuth-noPriv) requests can read the entire internet subtree; prefer semi-secure or very-secure on production switches.
    <semi-secure>: Specifies a minimum security configuration that allows read access and notify access to all processes (view restricted) with noAuth-noPriv, and read, write, and notify access to all processes (view internet) using Auth-noPriv and Auth-Priv. Important: In this configuration, restricted contains a smaller subset of views than the internet view. The subsets are defined according to RFC 3415 Appendix A.
    <very-secure>: Specifies a maximum security configuration that allows no access to the users.
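The following is an added example, not Avaya code, that implements the view logic the snmp-server view, snmp-server user and snmp-server bootstrap sections above describe: + and - OID subtrees with * wildcards and longest-match resolution, the inheritance of views from unauthenticated to authenticated to encrypted access for a user, and the restricted and internet views each bootstrap mode installs. The numeric OIDs for the MIB-II names in the page's examples are the standard ones; the user name initial, the exact contents of the restricted view (taken from RFC 3415 Appendix A) and the first-seen tie-break for equal-length subtrees are assumptions of this model.

```python
"""Added example (not Avaya's code): the view logic behind the
snmp-server view, snmp-server user and snmp-server bootstrap commands
on this page: + and - OID subtrees with * wildcards, longest-match
resolution, the noAuth -> auth -> priv view inheritance for a user,
and the restricted/internet views the bootstrap modes install.
Numeric OIDs for the MIB-II names are standard; the user name
'initial' and the exact contents of each bootstrap view are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

NAMES = {  # names used in the page's examples, resolved to numeric OIDs
    "internet": "1.3.6.1", "system": "1.3.6.1.2.1.1", "sysDescr": "1.3.6.1.2.1.1.1",
    "sysName": "1.3.6.1.2.1.1.5", "ifEntry": "1.3.6.1.2.1.2.2.1",
    "ifIndex": "1.3.6.1.2.1.2.2.1.1", "snmp": "1.3.6.1.2.1.11",
    "snmpEngine": "1.3.6.1.6.3.10.2.1", "snmpMPDStats": "1.3.6.1.6.3.11.2.1",
    "usmStats": "1.3.6.1.6.3.15.1.1",
}
Subtree = Tuple[Optional[int], ...]          # None stands for the * wildcard
LEVELS = ("noauth", "auth", "priv")


def parse_entry(text: str) -> Tuple[bool, Subtree]:
    """'+sysName.0', '-ifEntry.*.1' or '1.3.6.1.2.1.1.1.0'; no sign means +."""
    include = True
    if text[0] in "+-":
        include, text = text[0] == "+", text[1:]
    head, _, rest = text.partition(".")
    dotted = NAMES.get(head, head) + ("." + rest if rest else "")
    return include, tuple(None if p == "*" else int(p) for p in dotted.split("."))


def instance(text: str) -> Tuple[int, ...]:
    """A concrete object instance such as sysName.0; wildcards are not allowed."""
    _, sub = parse_entry(text)
    if any(p is None for p in sub):
        raise ValueError("an instance OID cannot contain *")
    return tuple(p for p in sub if p is not None)


class View:
    def __init__(self, name: str, entries: Iterable[str] = ()):
        self.name = name
        self.entries: List[Tuple[bool, Subtree]] = []
        self.add(*entries)

    def add(self, *entries: str) -> None:
        if len(entries) > 10:                 # one snmp-server view command takes at most 10 OIDs
            raise ValueError("at most 10 OIDs per command")
        self.entries.extend(parse_entry(e) for e in entries)

    def allows(self, oid_text: str) -> bool:
        """The longest matching subtree decides; a - entry denies.
        (RFC 3415 also breaks ties on equal length; this model keeps the first seen.)"""
        target = instance(oid_text)
        best: Optional[Tuple[bool, Subtree]] = None
        for include, sub in self.entries:
            fits = len(target) >= len(sub) and all(s is None or s == t for s, t in zip(sub, target))
            if fits and (best is None or len(sub) > len(best[1])):
                best = (include, sub)
        return best is not None and best[0]


@dataclass
class SnmpUser:
    name: str
    # level -> {"read"/"write"/"notify": view name}; a level with no views inherits the one below
    views: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def effective_view(self, level: str, kind: str) -> Optional[str]:
        for lvl in reversed(LEVELS[: LEVELS.index(level) + 1]):
            if self.views.get(lvl):
                return self.views[lvl].get(kind)   # kind omitted at that level: no access
        return None


@dataclass
class SnmpConfig:
    views: Dict[str, View] = field(default_factory=dict)
    users: Dict[str, SnmpUser] = field(default_factory=dict)

    def can(self, user: str, level: str, kind: str, oid_text: str) -> bool:
        view_name = self.users[user].effective_view(level, kind)
        return view_name is not None and self.views[view_name].allows(oid_text)


def bootstrap(mode: str) -> SnmpConfig:
    """snmp-server bootstrap: replaces the whole SNMP configuration (assumed view contents)."""
    internet = View("internet", ["+internet"])
    if mode == "minimum-secure":
        restricted = View("restricted", ["+internet"])      # restricted matches internet
    elif mode == "semi-secure":                              # RFC 3415 Appendix A subset
        restricted = View("restricted", ["+system", "+snmp", "+snmpEngine", "+snmpMPDStats", "+usmStats"])
    elif mode == "very-secure":
        return SnmpConfig({"internet": internet}, {"initial": SnmpUser("initial")})  # no access
    else:
        raise ValueError(mode)
    user = SnmpUser("initial", {
        "noauth": {"read": "restricted", "notify": "restricted"},
        "auth": {"read": "internet", "write": "internet", "notify": "internet"},
    })
    return SnmpConfig({"internet": internet, "restricted": restricted}, {"initial": user})
```

The check worth running on a real switch after bootstrap is the one the test makes: an unauthenticated read of an interface object (ifIndex.1) must fail under semi-secure and succeeds under minimum-secure, which is the practical difference between the two modes.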
no snmp-server notification-control
The no snmp-server notification-control command disables the notification identified by the command parameter. The notification options are:
    DHCP Snooping: bsDhcpSnoopingBindingTableFull, bsDhcpSnoopingTrap
    Dynamic ARP Inspection: bsaiArpPacketDroppedOnUntrustedPort
    IP Source Guard: bsSourceGuardReachedMaxIpEntries, bsSourceGuardCannotEnablePort
The syntax for the no snmp-server notification-control command is:
no snmp-server notification-control <WORD/1-128>
The no snmp-server notification-control command executes in Global Configuration mode. The following table describes the parameters for this command.
Trap: RSTP Topology Change
Trap: RSTP Protocol Migration Type: Send (RSTP/STP) for Port: t
If the traps are not received on the trap receiver host (which must be configured) but are logged in the system log, check network connectivity to the receiver.
The spanning-tree rstp traps command enables RSTP traps. The syntax for the spanning-tree rstp traps command is:
spanning-tree rstp traps
The spanning-tree rstp traps command executes in the Global Configuration mode.
    key (continued): on the server. You are prompted to confirm the key when you enter it. Important: The key parameter is required when you create a new server entry and optional when you are modifying an existing entry.
    [secondary-host <IPaddr>]: Specifies the IP address of the secondary server. The secondary server is used only if the primary server does not respond.
    [port <port>]: Specifies the TCP port for TACACS+, where port is an integer in the range 0-65535. The default port number is 49.
To delete a TACACS+ server, use one of the following commands in Global or Interface Configuration mode:
no tacacs
default tacacs
The commands erase the settings for the TACACS+ primary and secondary servers and the secret key, and restore the default port settings.
To disable TACACS+ authorization globally on the switch, use the following command in Global or Interface Configuration mode: tacacs authorization disable The default is disabled.
Enabling IP Manager
To enable IP Manager to control Telnet, SNMP, SSH, or HTTP access, use the following command in Global Configuration mode:
ipmgr {telnet | snmp | web | ssh}
Add your own management source to the list (ipmgr source-ip) before enabling the check for the access method you are connected through; otherwise the check locks out the session you are using. The following table describes the parameters for this command.
Table 68: Enabling IP manager command parameters
    telnet: Enables the IP Manager list check for Telnet access.
    snmp: Enables the IP Manager list check for SNMP, including Device Manager.
    web: Enables the IP Manager list check for the Web-based management system.
    ssh: Enables the IP Manager list check for SSH access.
To disable IP Manager for a management system, use the no keyword at the start of the command.
The following table describes the parameters for this command.
Table 69: ipmgr source-ip command parameters
    <list ID>: An integer in the range 1-50 for IPv4 entries and 51-100 for IPv6 entries that uniquely identifies the entry in the IP Manager list.
    <Ipv4addr>: Specifies the source IP address from which access is allowed. Enter the IP address either as an integer or in dotted-decimal notation.
    [mask <mask>]: Specifies the subnet mask from which access is allowed. Enter the IP mask in dotted-decimal notation.
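The following is an added example, not Avaya code, that models the access decision the ipmgr {telnet|snmp|web|ssh} and ipmgr source-ip commands above set up: list IDs 1-50 hold IPv4 entries and 51-100 IPv6 entries, each an address with an optional mask, and a connection is checked against the list only for the services the check is enabled on. It also includes a pre-flight lock-out test, which is the check an operator wants before enabling the list on the access method they are currently using. The addresses are constructed documentation ranges; accepting an IPv6 prefix length as the mask is an assumption, since the page only shows the IPv4 dotted-decimal form.

```python
"""Added example (not Avaya's code): the access check that ipmgr
{telnet|snmp|web|ssh} and ipmgr source-ip <list ID> <addr> [mask <mask>]
set up. IDs 1-50 are IPv4 entries, 51-100 IPv6 entries. IPv4 masks are
dotted-decimal as on the page; an IPv6 prefix length is an assumption."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Set, Union

SERVICES = ("telnet", "snmp", "web", "ssh")
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class IpManager:
    checked: Set[str] = field(default_factory=set)       # services with the list check enabled
    entries: Dict[int, Network] = field(default_factory=dict)

    def enable(self, service: str) -> None:              # ipmgr <service>
        if service not in SERVICES:
            raise ValueError(f"unknown service {service!r}")
        self.checked.add(service)

    def disable(self, service: str) -> None:             # no ipmgr <service>
        self.checked.discard(service)

    def source_ip(self, list_id: int, address: str, mask: Union[str, int, None] = None) -> None:
        """ipmgr source-ip <list ID> <addr> [mask <mask>]; IDs 1-50 IPv4, 51-100 IPv6."""
        ip = ipaddress.ip_address(address)
        lo, hi = (1, 50) if ip.version == 4 else (51, 100)
        if not lo <= list_id <= hi:
            raise ValueError(f"list ID {list_id} is outside {lo}-{hi} for IPv{ip.version}")
        spec = str(ip) if mask is None else f"{ip}/{mask}"   # no mask: a single host entry
        self.entries[list_id] = ipaddress.ip_network(spec, strict=False)

    def allows(self, service: str, source: str) -> bool:
        """Admit the connection when the check is off for that service or the
        source falls inside any configured entry (address family must match)."""
        if service not in SERVICES:
            raise ValueError(f"unknown service {service!r}")
        if service not in self.checked:
            return True
        src = ipaddress.ip_address(source)
        return any(src in net for net in self.entries.values())

    def would_lock_out(self, service: str, my_source: str) -> bool:
        """Pre-flight: would enabling the check for `service` cut off my own session?"""
        if service not in SERVICES:
            raise ValueError(f"unknown service {service!r}")
        src = ipaddress.ip_address(my_source)
        return not any(src in net for net in self.entries.values())


def demo() -> Dict[str, bool]:
    """Constructed configuration: one IPv4 management subnet, one IPv6 jump host."""
    mgr = IpManager()
    mgr.source_ip(1, "192.0.2.0", "255.255.255.0")      # ipmgr source-ip 1 192.0.2.0 mask 255.255.255.0
    mgr.source_ip(51, "2001:db8:1::10")                  # ipmgr source-ip 51 2001:db8:1::10
    mgr.enable("ssh")
    mgr.enable("snmp")
    return {
        "ssh from subnet": mgr.allows("ssh", "192.0.2.40"),
        "ssh from elsewhere": mgr.allows("ssh", "198.51.100.5"),
        "telnet unchecked": mgr.allows("telnet", "198.51.100.5"),
        "snmp from v6 host": mgr.allows("snmp", "2001:db8:1::10"),
        "web lockout from 198.51.100.5": mgr.would_lock_out("web", "198.51.100.5"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The telnet row in the demo is the point to notice: an address that the SSH check rejects is still admitted to Telnet until ipmgr telnet is enabled too, so enable the check for every management service that is switched on, not just the one being hardened.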
the associated read-write password confers the same rights and limitations as the default read-write user.
ssl reset
The following table describes the output for the show ssl command.
default ssh dsa-auth command on page 112 ssh pass-auth command on page 112 no ssh pass-auth command on page 112 default ssh pass-auth command on page 113 ssh port command on page 113 default ssh port command on page 113 ssh timeout command on page 113 default ssh timeout command on page 114
The show ssh global command is executed in the Privileged EXEC command mode.
ssh command
The ssh command enables SSH in non-secure mode. If the host keys do not exist, they are generated. The syntax for the ssh command is:
ssh
The ssh command is executed in the Global Configuration mode. This command has no parameters.
no ssh command
The no ssh command disables SSH. With one of the following parameters it instead disables or deletes a single SSH setting. The syntax for the no ssh command is:
no ssh {dsa-auth | dsa-auth-key | dsa-host-key | pass-auth}
The following table describes the parameters for this command.
Table 75: no ssh command parameters
    dsa-auth: Disable SSH DSA authentication.
    dsa-auth-key: Delete the SSH DSA authentication key.
    dsa-host-key: Delete the SSH DSA host key. A new host key is generated the next time SSH is enabled, and clients that recorded the old key will report a changed host key until they are updated.
    pass-auth: Disable SSH password authentication.
no ssh dsa-auth
The no ssh dsa-auth command disables user logon using DSA key authentication. The syntax for the no ssh dsa-auth command is:
no ssh dsa-auth
The no ssh dsa-auth command is executed in the Global Configuration mode.
no ssh pass-auth The no ssh pass-auth command is executed in the Global Configuration mode.
Enabling automatic PVID on page 119 Configuring VLAN port settings on page 119 Configuring VLAN members on page 120 Configuring VLAN Configuration Control on page 120 Managing the MAC address forwarding database table on page 122 IP Directed Broadcasting on page 124
To display VLAN information, use the following command from Privileged EXEC mode.
show vlan [configcontrol] [dhcp-relay <1-4094>] [igmp {<1-4094> | unknown-mcast-allow-flood | unknown-mcast-noflood}] [interface {info | vids}] [ip <vid>] [mgmt] [multicast <membership>] [type {port | protocol-ipEther2 | protocol-ipx802.3 | protocol-ipx802.2 | protocol-ipxSnap | protocol-ipxEther2 | protocol-decEther2 | protocol-snaEther2 | protocol-Netbios | protocol-xnsEther2 | protocol-vinesEther2 | protocol-ipv6Ether2 | protocol-Userdef | protocol-RarpEther2}] [vid <1-4094>]
Variable definitions
The following table describes the variables for this command.
    vid <1-4094>: Enter the number of the VLAN to display.
    type: Enter the type of VLAN to display:
        port: port-based
        protocol: protocol-based (see following list)
        protocol-ipEther2: Specifies an ipEther2 protocol-based VLAN.
        protocol-ipx802.3: Specifies an ipx802.3 protocol-based VLAN.
        protocol-ipx802.2: Specifies an ipx802.2 protocol-based VLAN.
        protocol-ipxSnap: Specifies an ipxSnap protocol-based VLAN.
        protocol-ipxEther2: Specifies an ipxEther2 protocol-based VLAN.
        protocol-decEther2: Specifies a decEther2 protocol-based VLAN.
        protocol-snaEther2: Specifies an snaEther2 protocol-based VLAN.
        protocol-Netbios: Specifies a NetBIOS protocol-based VLAN.
        protocol-xnsEther2: Specifies an xnsEther2 protocol-based VLAN.
        protocol-vinesEther2: Specifies a vinesEther2 protocol-based VLAN.
        protocol-ipv6Ether2: Specifies an ipv6Ether2 protocol-based VLAN.
        protocol-Userdef: Specifies a user-defined protocol-based VLAN.
        protocol-RarpEther2: Specifies a RarpEther2 protocol-based VLAN.
To display VLAN interface information, use the following command from Privileged EXEC mode. show vlan interface info [<portlist>]
To display VLAN port memberships, use the following command from Privileged EXEC mode. show vlan interface vids [<portlist>]
To set the management VLAN, use the following command from Global Configuration mode. vlan mgmt <1-4094>
To reset the management VLAN to default, use the following command from Global Configuration mode. default vlan mgmt
Creating a VLAN
Use the following procedure to create a VLAN. A VLAN is created by setting the state of a previously nonexistent VLAN.
To create a VLAN, use the following command from Global Configuration mode.
vlan create <1-4094> [name <line>] type {port | protocol-ipEther2 | protocol-ipx802.3 | protocol-ipx802.2 | protocol-ipxSnap | protocol-ipxEther2 | protocol-decEther2 | protocol-snaEther2 | protocol-Netbios | protocol-xnsEther2 | protocol-vinesEther2 | protocol-ipv6Ether2 | protocol-Userdef <4096-65534> | protocol-RarpEther2}
Variable definitions
    <1-4094>: Enter the number of the VLAN to create.
    name <line>: Enter the name of the VLAN to create.
    type: Enter the type of VLAN to create:
        port: port-based
        protocol: protocol-based (see following list)
        protocol-ipEther2: Specifies an ipEther2 protocol-based VLAN.
        protocol-ipx802.3: Specifies an ipx802.3 protocol-based VLAN.
        protocol-ipx802.2: Specifies an ipx802.2 protocol-based VLAN.
        protocol-ipxSnap: Specifies an ipxSnap protocol-based VLAN.
        protocol-ipxEther2: Specifies an ipxEther2 protocol-based VLAN.
        protocol-decEther2: Specifies a decEther2 protocol-based VLAN.
        protocol-snaEther2: Specifies an snaEther2 protocol-based VLAN.
        protocol-Netbios: Specifies a NetBIOS protocol-based VLAN.
        protocol-xnsEther2: Specifies an xnsEther2 protocol-based VLAN.
        protocol-vinesEther2: Specifies a vinesEther2 protocol-based VLAN.
        protocol-Userdef <4096-65534>: Specifies a user-defined protocol-based VLAN.
        protocol-ipv6Ether2: Specifies an ipv6Ether2 protocol-based VLAN.
Deleting a VLAN
Use the following procedure to delete a VLAN.
To delete a VLAN, use the following command from Global Configuration mode. vlan delete <2-4094>
To modify VLAN MAC address flooding, or to delete a VLAN, use the following command from Global Configuration mode. no vlan [<2-4094>] [igmp unknown-mcast-allow-flood <H.H.H>]
To configure the VLAN name, use the following command from Global Configuration mode. vlan name <1-4094> <line>
To enable automatic PVID, use the following command from Global Configuration mode.
[no] auto-pvid
Use the no form of this command to disable automatic PVID.
To configure VLAN port settings, use the following command from Global Configuration mode.
vlan ports [<portlist>] [tagging {enable | disable | tagAll | untagAll | tagPvidOnly | untagPvidOnly}] [pvid <1-4094>] [filter-untagged-frame {enable | disable}] [filter-unregistered-frames {enable | disable}] [priority <0-7>] [name <line>]
Variable definitions
    <portlist>: Enter the port numbers to be configured for a VLAN.
    tagging {enable | disable | tagAll | untagAll | tagPvidOnly | untagPvidOnly}: Enables or disables the port as a tagged VLAN member for egressing packets.
    pvid <1-4094>: Sets the PVID of the port to the specified VLAN.
    filter-untagged-frame {enable | disable}: Enables or disables the port to filter received untagged packets.
    filter-unregistered-frames {enable | disable}: Enables or disables the port to filter received unregistered packets. Enabling this feature on a port means that any frames with a VID to which the port does not belong are discarded.
    priority <0-7>: Sets the priority the switch assigns to packets received on this port when forwarding them.
    name <line>: Enter the name you want for this port. Note: This option can only be used if a single port is specified in the <portlist>.
To configure VLAN members, use the following command from Global Configuration mode.
vlan members [add | remove] <1-4094> <portlist>
Variable definitions
    add | remove: Adds a port to or removes a port from a VLAN. Note: If this parameter is omitted, the command sets the exact port membership for the VLAN; the prior port membership of the VLAN is discarded and replaced by the new list of ports.
    <1-4094>: Specifies the target VLAN.
    <portlist>: Enter the list of ports to be added, removed, or assigned to the VLAN.
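The following is an added example, not Avaya code, that models the per-port VLAN rules the vlan ports and vlan members commands above configure: PVID classification of untagged frames, filter-untagged-frame, filter-unregistered-frames, the tagging modes on egress, and the add, remove and replace semantics of vlan members as seen from one port. The port and VLAN numbers are constructed. Two points are the model's own assumptions rather than statements on the page: that tagging enable and disable correspond to tagAll and untagAll, and that a tagged frame for a VLAN the port is not a member of is accepted for that VLAN when filter-unregistered-frames is off.

```python
"""Added example (not Avaya's code): a model of the per-port VLAN rules
the vlan ports and vlan members commands on this page configure: PVID
classification, filter-untagged-frame, filter-unregistered-frames, the
tagging modes on egress, and add/remove/replace in vlan members.
Assumptions: tagging enable = tagAll, disable = untagAll; with the
unregistered-frame filter off, a tagged frame for a non-member VLAN is
accepted for that VLAN."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

TAGGING_MODES = ("tagAll", "untagAll", "tagPvidOnly", "untagPvidOnly")


@dataclass
class VlanPort:
    port: int
    pvid: int = 1
    members: Set[int] = field(default_factory=lambda: {1})
    tagging: str = "untagAll"
    filter_untagged: bool = False        # filter-untagged-frame enable
    filter_unregistered: bool = False    # filter-unregistered-frames enable

    def __post_init__(self) -> None:
        # assumption: the enable/disable keywords map onto tagAll/untagAll
        self.tagging = {"enable": "tagAll", "disable": "untagAll"}.get(self.tagging, self.tagging)
        if self.tagging not in TAGGING_MODES:
            raise ValueError(f"bad tagging mode {self.tagging!r}")
        if not 1 <= self.pvid <= 4094:
            raise ValueError("pvid must be 1-4094")

    def set_members(self, vid: int, action: Optional[str], ports: Set[int]) -> None:
        """vlan members [add|remove] <vid> <portlist>, seen from this one port:
        add/remove touch only the ports listed; with no action the list given
        becomes the VLAN's exact membership, so an unlisted port loses the VLAN."""
        mentioned = self.port in ports
        if action == "add" and mentioned:
            self.members.add(vid)
        elif action == "remove" and mentioned:
            self.members.discard(vid)
        elif action is None:
            (self.members.add if mentioned else self.members.discard)(vid)
        elif action not in ("add", "remove"):
            raise ValueError(f"bad action {action!r}")

    def ingress(self, vid: Optional[int]) -> Tuple[str, int]:
        """Classify a received frame; vid None means the frame arrived untagged."""
        if vid is None:
            return ("drop" if self.filter_untagged else "accept"), self.pvid
        if vid not in self.members and self.filter_unregistered:
            return "drop", vid
        return "accept", vid          # member VLAN, or filter off (assumption)

    def egress(self, vid: int) -> str:
        """How a frame for VLAN vid leaves this port: tagged, untagged or not at all."""
        if vid not in self.members:
            return "not a member"
        if self.tagging == "tagAll":
            return "tagged"
        if self.tagging == "untagAll":
            return "untagged"
        is_pvid = vid == self.pvid
        if self.tagging == "tagPvidOnly":
            return "tagged" if is_pvid else "untagged"
        return "untagged" if is_pvid else "tagged"       # untagPvidOnly


def demo() -> Dict[str, object]:
    """Constructed port 3: PVID 10 untagged, VLAN 20 tagged, unregistered VIDs dropped."""
    p = VlanPort(3, pvid=10, members={10}, tagging="untagPvidOnly", filter_unregistered=True)
    p.set_members(20, "add", {3, 4})      # vlan members add 20 3-4
    p.set_members(30, "add", {3})         # vlan members add 30 3
    p.set_members(30, None, {7})          # vlan members 30 7  (port 3 silently drops out of 30)
    return {
        "untagged in": p.ingress(None),
        "vid 20 in": p.ingress(20),
        "vid 30 in": p.ingress(30),
        "vid 10 out": p.egress(10),
        "vid 20 out": p.egress(20),
        "members": sorted(p.members),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The replace form of vlan members is the part that bites in practice: the demo's third call removes port 3 from VLAN 30 without naming it, which is why membership changes on production switches should use the explicit add and remove keywords.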
incorporates this functionality for backwards compatibility. VLAN Configuration Control is globally applied to all VLANs on the switch. VLAN Configuration Control offers four options for controlling VLAN modification:
    Strict
    Automatic
    AutoPVID
    Flexible
Note: The factory default setting is Strict. VLAN Configuration Control is only applied to ports with the tagging modes of Untag All and Tag PVID Only.
To configure VCC using the CLI, refer to the following commands:
    Displaying VLAN Configuration Control settings on page 121
    Modifying VLAN Configuration Control settings on page 121
Displaying VLAN Configuration Control settings
Use the following procedure to display the current VLAN Configuration Control setting.
To display VLAN Configuration Control settings, use the following command from Global Configuration mode.
show vlan configcontrol
Modifying VLAN Configuration Control settings
Use the following procedure to modify the current VLAN Configuration Control setting. This command applies the selected option to all VLANs on the switch.
To modify VLAN Configuration Control settings, use the following command from Global Configuration mode.
vlan configcontrol <vcc_option>
Variable definitions
    <vcc_option>: The VCC option to use on the switch. The valid values are:
        automatic: Changes the VCC option to Automatic.
        autopvid: Changes the VCC option to AutoPVID.
        flexible: Changes the VCC option to Flexible.
        strict: Changes the VCC option to Strict. This is the default VCC value.
To display the MAC address forwarding table, use the following command from Privileged EXEC mode.
show mac-address-table [vid <1-4094>] [aging-time] [address <H.H.H>] [port <portlist>]
Variable definitions
    vid <1-4094>: Enter the number of the VLAN for which you want to display the forwarding database. The default is to display the management VLAN's database.
    aging-time: Displays the time in seconds after which an unused entry is removed from the forwarding database.
    address <H.H.H>: Displays a specific MAC address if it exists in the database. Enter the MAC address you want displayed.
Configuring MAC address retention
Use the following procedure to set the time during which the switch retains unseen MAC addresses.
To configure unseen MAC address retention, use the following command from Global Configuration mode.
mac-address-table aging-time <10-1000000>
Variable Definitions
<10-1000000>: Enter the aging time in seconds that you want for MAC addresses before they expire.

Setting MAC address retention time to default
Use the following procedure to set the retention time for unseen MAC addresses to 300 seconds.
To set the MAC address retention time to default, use the following command from Global Configuration mode.
default mac-address-table aging-time
Clearing the MAC address table
Use the following procedure to clear the MAC address table.
To flush the MAC address table, use the following command from Privileged EXEC mode.
clear mac-address-table

Clearing the MAC address table on a VLAN
Use the following procedure to flush the MAC addresses for the specified VLAN.
To flush the MAC address table for a specific VLAN, use the following command from Privileged EXEC mode.
clear mac-address-table interface vlan <vlan#>

Clearing the MAC address table on a FastEthernet interface
Use the following procedure to flush the MAC addresses for the specified ports. This command does not flush the addresses learned on the trunk.
To clear the MAC address table on a FastEthernet interface, use the following command from Privileged EXEC mode.
clear mac-address-table interface FastEthernet <port-list|ALL>

Clearing the MAC address table on a trunk
Use the following procedure to flush the MAC addresses for the specified trunk. This command flushes only addresses that are learned on the trunk.

To flush a single MAC address, use the following command from Privileged EXEC mode.
clear mac-address-table address <H.H.H>
IP Directed Broadcasting
IP directed broadcasting takes the incoming unicast Ethernet frame, determines that the destination address is the directed broadcast for one of its interfaces, and then forwards the datagram onto the appropriate network using a link-layer broadcast.
IP directed broadcasting in a VLAN forwards directed broadcast packets in two ways:
Through a connected VLAN subnet to another connected VLAN subnet.
Through a remote VLAN subnet to the connected VLAN subnet.
By default, this feature is disabled. The following CLI commands are used to work with IP directed broadcasting:
Enabling IP directed broadcast on page 125

Enabling IP directed broadcast
Use the following procedure to enable IP directed broadcast.
To enable IP directed broadcast, use the following command from Global Configuration mode.
[no] ip directed-broadcast enable
Use the no form of this command to disable.
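The forwarding decision described above (a unicast-delivered datagram whose destination is the directed broadcast of a connected subnet is re-emitted as a link-layer broadcast, and only when the feature is enabled), worked as an added Python example that is not part of the Avaya manual; the interface names and addresses are constructed.

```python
import ipaddress
from typing import Dict, Optional

# Constructed example: a Layer 3 switch with two routable VLAN interfaces.
# Names and addresses are assumptions for this example, not values from the manual.
INTERFACES: Dict[str, ipaddress.IPv4Interface] = {
    "vlan10": ipaddress.ip_interface("10.1.0.1/24"),
    "vlan20": ipaddress.ip_interface("10.1.1.1/24"),
}

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def directed_broadcast_target(dst: str, interfaces=INTERFACES) -> Optional[str]:
    """Return the interface whose directed (subnet) broadcast address equals dst,
    or None when dst is not a directed broadcast of any connected interface.

    The limited broadcast 255.255.255.255 is never a directed broadcast, and
    /31 and /32 interfaces have no subnet broadcast address to match.
    """
    addr = ipaddress.ip_address(dst)
    if addr == LIMITED_BROADCAST:
        return None
    for name, iface in interfaces.items():
        net = iface.network
        if net.prefixlen >= 31:
            continue
        if addr == net.broadcast_address:
            return name
    return None


def egress_for_link_broadcast(dst: str, directed_broadcast_enabled: bool,
                              interfaces=INTERFACES) -> Optional[str]:
    """Return the interface on which the switch would flood the datagram as a
    link-layer broadcast, or None when it would not (feature disabled by
    default, or dst is not a directed broadcast). One inbound packet becoming
    a flood to every host on the subnet is why the feature ships disabled."""
    if not directed_broadcast_enabled:
        return None
    return directed_broadcast_target(dst, interfaces)


if __name__ == "__main__":
    for dst in ("10.1.1.255", "10.1.0.7", "255.255.255.255"):
        print(dst, "->", egress_for_link_broadcast(dst, directed_broadcast_enabled=True))
```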
To set the STP mode, use the following command from Global Configuration mode.
spanning-tree op-mode {stpg | rstp}
1. To enable STP BPDU filtering, use the following command from Interface Configuration mode.
[no] spanning-tree bpdu-filtering [port <portlist>] [enable] [timeout <10-65535 | 0>]
Use the no form of this command to disable.
2. To set the STP BPDU Filtering properties on a port to their default values, use the following command from Interface Configuration mode:
default spanning-tree bpdu-filtering [port <portlist>] [enable] [timeout]
3. To show the current status of the BPDU Filtering parameters, use the following command from Privileged EXEC mode:
show spanning-tree bpdu-filtering [<interface-type>] [port <portlist>]
Variable Definitions
port <portlist>: Specifies the ports affected by the command.
enable: Enables STP BPDU Filtering on the specified ports. The default value is disabled.
timeout <10-65535 | 0>: When BPDU filtering is enabled, this indicates the time (in seconds) during which the port remains disabled after it receives a BPDU. The port timer is disabled if this value is set to 0. The default value is 120 seconds.
Creating a Spanning Tree Group on page 128
Deleting a Spanning Tree Group on page 128
Enabling a Spanning Tree Group on page 128
Disabling a Spanning Tree Group on page 128
Configuring STP values on page 129
Restoring default Spanning Tree values on page 130
Adding a VLAN to a STG on page 130
Removing a VLAN from a STG on page 131
Configuring STP and MSTG participation on page 131
Resetting Spanning Tree values for ports to default on page 132

Configuring path cost calculation mode
Use the following procedure to set the path cost calculation mode for all Spanning Tree Groups on the switch.
To configure path cost calculation mode, use the following command from Privileged EXEC mode.
spanning-tree cost-calc-mode {dot1d | dot1t}

Configuring STG port membership mode
Use the following procedure to set the STG port membership mode for all Spanning Tree Groups on the switch.
To configure STG port membership mode, use the following command from Privileged EXEC mode.
spanning-tree port-mode {auto | normal}

Displaying STP configuration information
Use the following procedure to display spanning tree configuration information that is specific to either the Spanning Tree Group or to the port.
To display STP configuration information, use the following command from Privileged EXEC mode.
show spanning-tree [stp <1-8>] {config | port | port-mode | vlans}
Variable Definitions
stp <1-8>: Displays the specified Spanning Tree Group configuration; enter the number of the group to be displayed.
{config | port | port-mode | vlans}: Displays spanning tree configuration for: config -- the specified (or default) Spanning Tree Group; port -- the ports within the Spanning Tree Group; port-mode -- the port mode; vlans -- the VLANs that are members of the specified Spanning Tree Group.
Creating a Spanning Tree Group
Use the following procedure to create a Spanning Tree Group.
To create a Spanning Tree Group, use the following command from Global Configuration mode.
spanning-tree stp <1-8> create

Deleting a Spanning Tree Group
Use the following procedure to delete a Spanning Tree Group.
To delete a Spanning Tree Group, use the following command from Global Configuration mode.
spanning-tree stp <1-8> delete

Enabling a Spanning Tree Group
Use the following procedure to enable a Spanning Tree Group.
To enable a Spanning Tree Group, use the following command from Global Configuration mode.
spanning-tree stp <1-8> enable

Disabling a Spanning Tree Group
Use the following procedure to disable a Spanning Tree Group.
To disable a Spanning Tree Group, use the following command from Global Configuration mode.
spanning-tree stp <1-8> disable

Configuring STP values
Use the following procedure to set STP values by STG.
To configure STP values, use the following command from Global Configuration mode.
spanning-tree [stp <1-8>] [forward-time <4-30>] [hello-time <1-10>] [max-age <6-40>] [priority {0x0000 | 0x1000 | 0x2000 | 0x3000 | ... | 0xE000 | 0xF000}] [tagged-bpdu {enable | disable}] [tagged-bpdu-vid <1-4094>] [multicast-address <H.H.H>] [add-vlan] [remove-vlan]
Variable Definitions
stp <1-8>: Specifies the Spanning Tree Group; enter the STG ID.
forward-time <4-30>: Enter the forward time of the STG in seconds; the range is 4 -- 30, and the default value is 15.
hello-time <1-10>: Enter the hello time of the STG in seconds; the range is 1 -- 10, and the default value is 2.
max-age <6-40>: Enter the max-age of the STG in seconds; the range is 6 -- 40, and the default value is 20.
priority {0x0000 | 0x1000 | 0x2000 | 0x3000 | ... | 0xE000 | 0xF000}: Sets the spanning tree priority (in hex); if 802.1T compliant, this value must be a multiple of 0x1000.
tagged-bpdu {enable | disable}: Sets the BPDU as tagged or untagged. The default value for Spanning Tree Group 1 (default group) is untagged; the default for the other groups is tagged.
tagged-bpdu-vid <1-4094>: Sets the VLAN ID (VID) for the tagged BPDU. The default value is 4001 -- 4008 for STG 1 -- 8, respectively.
multicast-address <H.H.H>: Sets the spanning tree multicast address.
add-vlan: Adds a VLAN to the Spanning Tree Group.
remove-vlan: Removes a VLAN from the Spanning Tree Group.
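The ranges and the 802.1T multiple-of-0x1000 rule from the table above, plus the port-level multiple-of-0x10 rule from the interface command later in this chapter, as an added Python validator that is not Avaya's code; the relationship between the three timers is the IEEE 802.1D constraint, assumed here and not stated on this page.

```python
from typing import List


def validate_stg_values(forward_time: int, hello_time: int, max_age: int,
                        priority: int, dot1t_compliant: bool = True) -> List[str]:
    """Check a 'spanning-tree [stp <1-8>] ...' parameter set against the
    documented ranges. Returns the list of problems; empty means acceptable.

    Ranges and the 0x1000 rule come from the manual's table. The timer
    relationship is the IEEE 802.1D constraint (an assumption of this example):
        2 * (forward_time - 1) >= max_age >= 2 * (hello_time + 1)
    """
    problems: List[str] = []
    if not 4 <= forward_time <= 30:
        problems.append(f"forward-time {forward_time} outside 4-30")
    if not 1 <= hello_time <= 10:
        problems.append(f"hello-time {hello_time} outside 1-10")
    if not 6 <= max_age <= 40:
        problems.append(f"max-age {max_age} outside 6-40")
    timers_in_range = not problems

    if not 0x0000 <= priority <= 0xF000:
        problems.append(f"priority {priority:#06x} outside 0x0000-0xF000")
    elif dot1t_compliant and priority % 0x1000 != 0:
        problems.append(f"priority {priority:#06x} is not a multiple of 0x1000 (802.1T)")

    # Only meaningful once each timer is individually valid.
    if timers_in_range:
        if max_age < 2 * (hello_time + 1):
            problems.append(f"max-age {max_age} < 2*(hello-time+1) = {2 * (hello_time + 1)}")
        if 2 * (forward_time - 1) < max_age:
            problems.append(f"2*(forward-time-1) = {2 * (forward_time - 1)} < max-age {max_age}")
    return problems


def validate_port_priority(priority: int, dot1t_compliant: bool = True) -> List[str]:
    """Port priority from 'spanning-tree [port <portlist>] ... [priority]':
    a hex value, default 0x8000, that must be a multiple of 0x10 when the
    Spanning Tree Group is 802.1T compliant."""
    problems: List[str] = []
    if not 0x0000 <= priority <= 0xFFFF:
        problems.append(f"port priority {priority:#06x} outside 0x0000-0xFFFF")
    elif dot1t_compliant and priority % 0x10 != 0:
        problems.append(f"port priority {priority:#06x} is not a multiple of 0x10 (802.1T)")
    return problems


if __name__ == "__main__":
    # The documented defaults (15 / 2 / 20) with the default port priority.
    print(validate_stg_values(15, 2, 20, 0x8000))
    print(validate_stg_values(15, 10, 20, 0x8001))
    print(validate_port_priority(0x8000))
```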
Restoring default Spanning Tree values
Use the following procedure to restore default spanning tree values for the Spanning Tree Group.
To restore Spanning Tree values to default, use the following command from Global Configuration mode.
default spanning-tree [stp <1-8>] [forward-time] [hello-time] [max-age] [priority] [tagged-bpdu] [multicast address]
Variable Definitions
stp <1-8>: Disables the Spanning Tree Group; enter the STG ID.
forward-time: Sets the forward time to the default value of 15 seconds.
hello-time: Sets the hello time to the default value of 2 seconds.
max-age: Sets the maximum age time to the default value of 20 seconds.
priority: Sets spanning tree priority (in hex); if 802.1T compliant, this value must be a multiple of 0x1000.
tagged-bpdu: Sets the tagging to the default value. The default value for Spanning Tree Group 1 (default group) is untagged; the default for the other groups is tagged.
multicast address: Sets the spanning tree multicast MAC address to the default.
Adding a VLAN to a STG
Use the following procedure to add a VLAN to a specified Spanning Tree Group.
To add a VLAN to a STG, use the following command from Global Configuration mode.
spanning-tree [stp <1-8>] add-vlan <1-4094>

Removing a VLAN from a STG
Use the following procedure to remove a VLAN from a specified Spanning Tree Group.
To remove a VLAN from a STG, use the following command from Global Configuration mode.
spanning-tree [stp <1-8>] remove-vlan <1-4094>

Configuring STP and MSTG participation
Use the following procedure to set the Spanning Tree Protocol (STP) and multiple Spanning Tree Group (STG) participation for the ports within the specified Spanning Tree Group.
To configure STP and MSTG participation, use the following command from Interface Configuration mode.
[no] spanning-tree [port <portlist>] [stp <1-8>] [learning {disable | normal | fast}] [cost <1-65535>] [priority]
Use the no form of this command to disable.
Variable Definitions
port <portlist>: Enables the spanning tree for the specified port or ports; enter the port or ports you want enabled for the spanning tree. Note: If you omit this parameter, the system uses the port number you specified when you issued the interface command to enter the Interface Configuration mode.
stp <1-8>: Specifies the spanning tree group; enter the STG ID.
learning {disable | normal | fast}: Specifies the STP learning mode: disable -- disables FastLearn mode; normal -- changes to normal learning mode; fast -- enables FastLearn mode.
cost <1-65535>: Enter the path cost of the spanning tree; the range is 1 -- 65535.
priority: Sets the spanning tree priority for a port as a hexadecimal value. If the Spanning Tree Group is 802.1T compliant, this value must be a multiple of 0x10.
Resetting Spanning Tree values for ports to default
Use the following procedure to set the spanning tree values for the ports within the specified Spanning Tree Group to the factory default settings.
To reset Spanning Tree values to default, use the following command from Interface Configuration mode.
default spanning-tree [port <portlist>] [stp <1-8>] [learning] [cost] [priority]
Variable Definitions
port <portlist>: Enables spanning tree for the specified port or ports; enter the port or ports to be set to factory spanning tree default values. Note: If this parameter is omitted, the system uses the port number specified when the interface command was used to enter Interface Configuration mode.
stp <1-8>: Specifies the Spanning Tree Group to set to factory default values; enter the STG ID. This command places the port into the default STG. The default value for STG is 1.
learning: Sets the spanning tree learning mode to the factory default value. The default value for learning is Normal mode.
cost: Sets the path cost to the factory default value. The default value for path cost depends on the type of port.
priority: Sets the priority to the factory default value. The default value for the priority is 0x8000.
Managing RSTP using the CLI
Use the following commands to configure RSTP:
Configuring RSTP parameters on page 132
Configuring RSTP on a port on page 134
Displaying RSTP configuration on page 134
Displaying RSTP port configuration on page 133

Configuring RSTP parameters
Use the following procedure to set the RSTP parameters, which include forward delay, hello time, maximum age time, default path cost version, bridge priority, transmit holdcount, and version for the bridge.
To configure RSTP parameters, use the following command from Global Configuration mode.
spanning-tree rstp [forward-time <4-30>] [hello-time <1-10>] [max-age <6-40>] [pathcost-type {bits16 | bits32}] [priority {0000 | 1000 | 2000 | ... | F000}] [tx-holdcount <1-10>] [version {stp-compatible | rstp}]
Variable Definitions
forward-time <4-30>: Sets the RSTP forward delay for the bridge in seconds; the default is 15.
hello-time <1-10>: Sets the RSTP hello time delay for the bridge in seconds; the default is 2.
max-age <6-40>: Sets the RSTP maximum age time for the bridge in seconds; the default is 20.
pathcost-type {bits16 | bits32}: Sets the RSTP default path cost version; the default is bits32.
priority {0000 | 1000 | ... | F000}: Sets the RSTP bridge priority (in hex); the default is 8000.
tx-holdcount <1-10>: Sets the RSTP Transmit Hold Count; the default is 3.
version {stp-compatible | rstp}: Sets the RSTP version; the default is rstp.
Displaying RSTP port configuration
Use the following procedure to display the Rapid Spanning Tree Protocol (RSTP) related port-level configuration details.
To display RSTP port configuration, use the following command from Privileged EXEC mode.
show spanning-tree rstp port {config | status | statistics | role} [<portlist>]
Variable Definitions
config: Displays RSTP port-level configuration.
status: Displays RSTP port-level role information.
Configuring RSTP on a port
Use the following procedure to set the RSTP parameters, which include path cost, edge-port indicator, learning mode, point-to-point indicator, priority, and protocol migration indicator, on a single port or multiple ports.
To configure RSTP on a port, use the following command from Interface Configuration mode.
spanning-tree rstp [port <portlist>] [cost <1-200000000>] [edge-port {false | true}] [learning {disable | enable}] [p2p {auto | force-false | force-true}] [priority {00 | 10 | ... | F0}] [protocol-migration {false | true}]
Variable Definitions
port <portlist>: Filter on list of ports.
cost <1-200000000>: Sets the RSTP path cost on the single or multiple ports; the default is 200000.
edge-port {false | true}: Indicates whether the single or multiple ports are assumed to be edge ports. This parameter sets the Admin value of edge port status; the default is false.
learning {disable | enable}: Enables or disables RSTP on the single or multiple ports; the default is enable.
p2p {auto | force-false | force-true}: Indicates whether the single or multiple ports are to be treated as point-to-point links. This command sets the Admin value of P2P Status; the default is force-true.
priority {00 | 10 | ... | F0}: Sets the RSTP port priority on the single or multiple ports; the default is 80.
protocol-migration {false | true}: Forces the single or multiple ports to transmit RSTP BPDUs when set to true, while operating in RSTP mode; the default is false.
Displaying RSTP configuration
Use the following procedure to display the Rapid Spanning Tree Protocol (RSTP) related bridge-level configuration details.
To display RSTP configuration details, use the following command from Privileged EXEC mode.
show spanning-tree rstp {config | status | statistics}
Variable Definitions
config: Displays RSTP bridge-level configuration.
status: Displays RSTP bridge-level role information.
statistics: Displays RSTP bridge-level statistics.
To display MLT configuration and utilization, use the following command from Privileged EXEC mode.
show mlt [utilization <1-32>]
To configure a Multi-Link trunk, use the following command from Global Configuration mode.
mlt <id> [name <trunkname>] [enable | disable] [member <portlist>] [learning {disable | fast | normal}] [bpdu {all-ports | single-port}] loadbalance {basic | advance}
Variable Definitions
id: Enter the trunk ID; the range is 1 to 32.
name <trunkname>: Specifies a text name for the trunk; enter up to 16 alphanumeric characters.
enable | disable: Enables or disables the trunk.
member <portlist>: Enter the ports that are members of the trunk.
learning {disable | fast | normal}: Sets STP learning mode.
bpdu {all-ports | single-port}: Sets the trunk to send and receive BPDUs on either all ports or a single port.
loadbalance {basic | advance}: Sets the MLT load-balancing mode: basic -- MAC-based load-balancing; advance -- IP-based load-balancing.
Disabling a MLT
Use the following procedure to disable a Multi-Link trunk (MLT), clearing all the port members.
To disable a MLT, use the following command from Global Configuration mode.
no mlt [<id>]
To display MLT properties, use the following command from Global Configuration mode.
show mlt spanning-tree <1-32>
To configure STP participation for MLTs, use the following command from Global Configuration mode.
mlt spanning-tree <1-32> [stp <1-8, ALL>] [learning {disable | normal | fast}]
Variable Definitions
<1-32>: Specifies the ID of the MLT to associate with the STG.
stp <1-8>: Specifies the spanning tree group.
learning {disable | normal | fast}: Specifies the STP learning mode: disable -- disables learning; normal -- sets the learning mode to normal; fast -- sets the learning mode to fast.
To configure Link Aggregation using the CLI, refer to the following commands:
Displaying LACP system settings on page 138
Displaying LACP per port configuration on page 138
Displaying LACP port mode on page 138
Displaying LACP port statistics on page 139
Clearing LACP port statistics on page 139
Displaying LACP port debug information on page 139
Displaying LACP aggregators on page 139
Configuring LACP system priority on page 140
Enabling LACP port aggregation mode on page 140
Configuring the LACP administrative key on page 140
Configuring LACP operating mode on page 140
Configuring per port LACP priority on page 141
Configuring LACP periodic transmission timeout interval on page 142
Configuring LACP port mode on page 142

Displaying LACP port mode
Use the following procedure to display the current port mode (default or advanced).
To display the port mode, use the following command from Privileged EXEC mode.
show lacp port-mode

Displaying LACP system settings
Use the following procedure to display system-wide LACP settings.
To display system settings, use the following command from Privileged EXEC mode.
show lacp system

Displaying LACP per port configuration
Use the following procedure to display information on the per-port LACP configuration. Select ports either by port number or by aggregator value.
To display per port configuration, use the following command from Privileged EXEC mode.
show lacp port [<portList> | aggr <1-65535>]
Variable Definitions
<portList>: Enter the specific ports for which to display LACP information.
aggr <1-65535>: Enter the aggregator value to display ports that are members of it.
Displaying LACP port statistics
Use the following procedure to display LACP port statistics. Select ports either by port number or by aggregator value.
To display port statistics, use the following command from Privileged EXEC mode.
show lacp stats [<portList> | aggr <1-65535>]
Variable Definitions
<portList>: Enter the specific ports for which to display LACP information.
aggr <1-65535>: Enter the aggregator value to display ports that are members of it.
Clearing LACP port statistics
Use the following procedure to clear existing LACP port statistics.
To clear statistics, use the following command from Interface Configuration mode.
lacp clear-stats <portList>

Displaying LACP port debug information
Use the following procedure to display port debug information.
To display port debug information, use the following command from Privileged EXEC mode.
show lacp debug member [<portList>]

Displaying LACP aggregators
Use the following procedure to display LACP aggregators or LACP trunks.
To display aggregators, use the following command from Privileged EXEC mode.
show lacp aggr <1-65535>

Configuring LACP system priority
Use the following procedure to configure the LACP system priority. It is used to set the system-wide LACP priority. The factory default priority value is 32768.
To configure system priority, use the following command from Global Configuration mode.
lacp system-priority <0-65535>

Enabling LACP port aggregation mode
Use the following procedure to enable the port aggregation mode.
To enable the port aggregation mode, use the following command from Interface Configuration mode.
[no] lacp aggregation [port <portList>] enable
Use the no form of the command to disable.

Configuring the LACP administrative key
Use the following procedure to configure the administrative LACP key for a set of ports.
To set the administrative key, use the following command from Interface Configuration mode.
lacp key [port <portList>] <1-4095>
Variable Definitions
port <portList>: The ports to configure the LACP key for.
<1-4095>: The LACP key to use.

Configuring LACP operating mode
Use the following procedure to configure the LACP mode of operation for a set of ports.
To configure the operating mode, use the following command from Interface Configuration mode.
lacp mode [port <portList>] {active | passive | off}
Variable Definitions
port <portList>: The ports for which the LACP mode is to be set.
{active | passive | off}: The type of LACP mode to set for the port. The LACP modes are:
active -- The port will participate as an active Link Aggregation port. Ports in active mode send LACPDUs periodically to the other end to negotiate for link aggregation.
passive -- The port will participate as a passive Link Aggregation port. Ports in passive mode send LACPDUs only when the configuration is changed or when its link partner communicates first.
off -- The port does not participate in Link Aggregation.
LACP requires at least one end of each link to be in active mode.

Configuring per port LACP priority
Use the following procedure to configure the per-port LACP priority for a set of ports.
To configure priority, use the following command from Interface Configuration mode.
lacp priority [port <portList>] <0-65535>
Variable Definitions
port <portList>: The ports for which to configure LACP priority.
<0-65535>: The priority value to assign.
Configuring LACP periodic transmission timeout interval
Use the following procedure to configure the LACP periodic transmission timeout interval for a set of ports.
To configure the interval, use the following command from Interface Configuration mode.
lacp timeout-time [port <portList>] {long | short}
Variable Definitions
port <portList>: The ports for which to configure the timeout interval.
{long | short}: Specify the long or short timeout interval.

Configuring LACP port mode
Use the following procedure to configure the LACP port mode on the switch.
To configure the port mode, use the following command from Interface Configuration mode.
lacp port-mode {default | advance}
Variable Definitions
default: Default LACP port mode.
advance: Advanced LACP port mode.
Enabling VLACP globally
Use the following procedure to globally enable VLACP for the device.
To enable VLACP, use the following command from Global Configuration mode.
[no] vlacp enable
Use the no form of this command to disable.

Configuring VLACP port parameters
Use the following procedure to configure VLACP parameters on a port.
To configure parameters, use the following command from Interface Configuration mode.
[no] vlacp port <port> [enable | disable] [timeout <long/short>] [fast-periodic-time <integer>] [slow-periodic-time <integer>] [timeout-scale <integer>] [funcmac-addr <mac>] [ethertype <hex>]
Use the no form of this command to remove parameters.
Variable Definitions
<port>: Specifies the port number.
enable | disable: Enables or disables VLACP.
timeout <long/short>: Specifies whether the timeout control value for the port is a long or short timeout. long sets the port timeout value to (timeout-scale value) x (slow-periodic-time value). short sets the port timeout value to (timeout-scale value) x (fast-periodic-time value). For example, if the timeout is set to short while the timeout-scale value is 3 and the fast-periodic-time value is 400 ms, the timer expires after 1200 ms. Default is long.
fast-periodic-time <integer>: Specifies the number of milliseconds between periodic VLACPDU transmissions using short timeouts.
slow-periodic-time <integer>: Specifies the number of milliseconds between periodic VLACPDU transmissions using long timeouts. The range is 10000-30000 milliseconds. Default is 30000.
timeout-scale <integer>: Sets a timeout scale for the port, where timeout = (periodic time) x (timeout scale). The range is 1-10. Default is 3. Note: With VLACP, a short interval exists between a port transmitting a VLACPDU and the partner port receiving the same VLACPDU. However, if the timeout-scale is set to less than 3, the port timeout value does not take into account the normal travel time of the VLACPDU. The port expects to receive a VLACPDU at the same moment the partner port sends it. Therefore, the delayed VLACPDU results in the link being blocked, and then enabled again when the packet arrives. To prevent this scenario from happening, set the timeout-scale to a value larger than 3. VLACP partners must also wait for 3 synchronized VLACPDUs before the link is enabled. If a VLACP partner misses 3 consecutive packets from the other partner, it sets the link as VLACP down.
funcmac-addr <mac>: Specifies the address of the far-end switch configured to be the partner of this switch. If none is configured, any VLACP-enabled switch communicating with the local switch through VLACP PDUs is considered to be the partner switch. Note: VLACP has only one multicast MAC address, configured using the vlacp macaddress command, which is the Layer 2 destination address used for the VLACPDUs. The port-specific funcmac-addr parameter does not specify a multicast MAC address, but instead specifies the MAC address of the switch to which this port is sending VLACPDUs. You are not always required to configure funcmac-addr. If not configured, the first VLACP-enabled switch that receives the PDUs from a unit assumes that it is the intended recipient and processes the PDUs accordingly. If you want an intermediate switch to drop VLACP packets, configure the funcmac-addr parameter to the desired destination MAC address. With funcmac-addr configured, the intermediate switches do not misinterpret the VLACP packets.
ethertype <hex>: Sets the VLACP protocol identification for this port. Defines the ethertype value of the VLACP frame. The range is 8101-81FF. Default is 8103.
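The timeout arithmetic and the partner rules from the table above, worked through as an added Python example that is neither the switch's code nor Avaya's: VlacpPortConfig derives the port timeout and checks the documented ranges, and VlacpLinkMonitor is a constructed simplification of the 3-PDU up/down rules driven by PDU arrival times. The positive-only check on fast-periodic-time is an assumption, since the page gives no range for it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class VlacpPortConfig:
    """Per-port parameters of 'vlacp port <port> ...'. Defaults are the ones the
    table states; fast-periodic-time has no documented default, so it is required."""
    fast_periodic_ms: int
    timeout: str = "long"            # timeout <long/short>
    slow_periodic_ms: int = 30000    # slow-periodic-time, range 10000-30000
    timeout_scale: int = 3           # timeout-scale, range 1-10
    ethertype: int = 0x8103          # ethertype, range 8101-81FF

    def timeout_ms(self) -> int:
        """Port timeout = (timeout-scale) x (periodic time): short timeouts use
        fast-periodic-time, long timeouts use slow-periodic-time."""
        periodic = self.fast_periodic_ms if self.timeout == "short" else self.slow_periodic_ms
        return self.timeout_scale * periodic

    def validate(self) -> List[str]:
        """Range checks from the table plus the timeout-scale caveat."""
        problems: List[str] = []
        if self.timeout not in ("long", "short"):
            problems.append(f"timeout must be long or short, not {self.timeout!r}")
        if self.fast_periodic_ms <= 0:  # assumption: the manual gives no range here
            problems.append("fast-periodic-time must be positive")
        if not 10000 <= self.slow_periodic_ms <= 30000:
            problems.append(f"slow-periodic-time {self.slow_periodic_ms} outside 10000-30000 ms")
        if not 1 <= self.timeout_scale <= 10:
            problems.append(f"timeout-scale {self.timeout_scale} outside 1-10")
        elif self.timeout_scale < 3:
            problems.append("timeout-scale below 3 ignores VLACPDU travel time; the link can flap")
        if not 0x8101 <= self.ethertype <= 0x81FF:
            problems.append(f"ethertype {self.ethertype:#06x} outside 8101-81FF")
        return problems


class VlacpLinkMonitor:
    """Simplified model of the partner rules in the table (constructed here, not
    the switch's implementation): the link comes up after 3 consecutive VLACPDUs
    arrive within the port timeout, and goes VLACP down when none arrives in time."""

    def __init__(self, cfg: VlacpPortConfig) -> None:
        self.timeout_ms = cfg.timeout_ms()
        self.last_pdu_ms: Optional[int] = None
        self.in_time_count = 0
        self.oper_enabled = False
        self.transitions: List[Tuple[int, str]] = []

    def pdu_received(self, now_ms: int) -> None:
        if self.last_pdu_ms is None or now_ms - self.last_pdu_ms <= self.timeout_ms:
            self.in_time_count += 1
        else:
            # The partner was silent for longer than the timeout: block and start over.
            self._set(now_ms, False)
            self.in_time_count = 1
        self.last_pdu_ms = now_ms
        if self.in_time_count >= 3:
            self._set(now_ms, True)

    def check(self, now_ms: int) -> bool:
        """Periodic timer check; returns the OPER ENABLED state after the check."""
        if self.last_pdu_ms is not None and now_ms - self.last_pdu_ms > self.timeout_ms:
            self._set(now_ms, False)
        return self.oper_enabled

    def _set(self, now_ms: int, enabled: bool) -> None:
        if enabled != self.oper_enabled:
            self.oper_enabled = enabled
            self.transitions.append((now_ms, "UP" if enabled else "DOWN"))


if __name__ == "__main__":
    cfg = VlacpPortConfig(fast_periodic_ms=400, timeout="short")  # 3 x 400 = 1200 ms
    mon = VlacpLinkMonitor(cfg)
    # Constructed trace: four on-time PDUs, silence past the timeout, then recovery.
    for t in (0, 400, 800, 1200):
        mon.pdu_received(t)
    mon.check(3000)
    for t in (3200, 3600, 4000):
        mon.pdu_received(t)
    print(cfg.timeout_ms(), mon.transitions)
```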
Configuring VLACP multicast MAC address
Use the following procedure to set the multicast MAC address used by the device for VLACPDUs.
To configure the multicast MAC address, use the following command from Global Configuration mode.
[no] vlacp macaddress <macaddress>
Use the no form of this command to delete the address.

Displaying VLACP status
Use the following procedure to display the status of VLACP on the switch.
To display VLACP status, use the following command from Privileged EXEC mode.
show vlacp

Displaying VLACP port configuration
Use the following procedure to display the VLACP configuration details for a port or list of ports.
To display port configuration, use the following command from Privileged EXEC mode.
show vlacp interface <slot/port>
where <slot/port> specifies a port or list of ports. Among other properties, the show vlacp interface command displays a column called HAVE PARTNER, with possible values of yes or no.
If HAVE PARTNER is yes when ADMIN ENABLED and OPER ENABLED are true, then that port has received VLACPDUs from a port and those PDUs were recognized as valid according to the interface settings. If HAVE PARTNER is no when ADMIN ENABLED is true and OPER ENABLED is false, then the partner for that port is down (that port received at least one correct VLACPDU, but did not receive additional VLACPDUs within the configured timeout period). In this case VLACP blocks the port. This scenario is also seen if only one unit has VLACP enabled and the other has not enabled VLACP. The show vlacp interface command is in the privExec command mode.
Note: If VLACP is enabled on an interface, the interface will not forward traffic unless it has a valid VLACP partner. If one partner has VLACP enabled and the other does not, the unit with VLACP enabled will not forward traffic; however, the unit with VLACP disabled will continue to forward traffic.
Configuring IP routing
IP routing configuration using CLI
This chapter describes the procedures you can use to configure routable VLANs using the CLI. The WC 8180 can function as a Layer 3 (L3) switch. This means that a regular Layer 2 VLAN becomes a routable Layer 3 VLAN if an IP address and MAC address are attached to the VLAN. When routing is enabled in Layer 3 mode, every Layer 3 VLAN is capable of routing as well as carrying the management traffic. You can use any Layer 3 VLAN instead of the Management VLAN to manage the switch. Refer to the following sections to configure IP routing using CLI:
IP routing configuration procedures on page 147
Configuring global IP routing status on page 147
Displaying global IP routing status on page 148
Configuring an IP address for a VLAN on page 148
Configuring IP routing status on a VLAN on page 149
Configuring a secondary IP address for a VLAN on page 149
Displaying the IP address configuration and routing status for a VLAN on page 150
Displaying IP routes on page 151
1. Enable IP routing globally.
2. Assign an IP address to a specific VLAN or brouter port. Routing is automatically enabled on the VLAN or brouter port when you assign an IP address to it.

To configure the status of IP routing on the switch, enter the following from the Global Configuration mode:
[no] ip routing
Variable Definitions
no: Disables IP routing on the switch.
To display the status of IP routing on the switch, enter the following from the User EXEC mode:
show ip routing
To configure an IP address on a VLAN, enter the following from the VLAN Interface Configuration mode:
[no] ip address <ipaddr> <mask> [<MAC-offset>]
Variable Definitions
[no]: Removes the configured IP address and disables routing on the VLAN.
<ipaddr>: Specifies the IP address to attach to the VLAN.
<mask>: Specifies the subnet mask to attach to the VLAN.
[<MAC-offset>]: Specifies the value used to calculate the VLAN MAC address, which is offset from the switch MAC address. The valid range is 1-256. Specify the value 1 for the Management VLAN only. If no MAC offset is specified, the switch applies one automatically.
To configure the status of IP routing on a VLAN, enter the following from the VLAN Interface Configuration mode:
[default] [no] ip routing
Variable Definitions
default: Disables IP routing on the VLAN.
no: Disables IP routing on the VLAN.

<ipaddr>
<mask>: Specifies the subnet mask to attach to the VLAN.
<MAC-offset>: Specifies the value used to calculate the VLAN MAC address, which is offset from the switch MAC address. The valid range is 1-256. Specify the value 1 for the Management VLAN only. If no MAC offset is specified, the switch applies one automatically.
Job aid: Example of adding a secondary IP interface to a VLAN
Primary and secondary interfaces must reside on different subnets. In the following example, 4.1.0.10 is the primary IP and 4.1.1.10 is the secondary IP.
(config)# interface vlan 4
(config-if)# ip address 4.1.0.10 255.255.255.0 6
(config-if)# ip address 4.1.1.10 255.255.255.0 7 secondary
Displaying the IP address configuration and routing status for a VLAN
To display the IP address configuration on a VLAN, enter the following from the VLAN Privileged Exec mode:
show vlan ip [vid <vid>]
Variable Definitions
Variable        Value
[vid <vid>]     Specifies the VLAN ID of the VLAN to be displayed. Range is 1-4094.
Job aid
The following table shows the field descriptions for the show vlan ip command.
Field          Description
Vid            Specifies the VLAN ID.
ifindex        Specifies an index entry for the interface.
Address        Specifies the IP address associated with the VLAN.
Mask           Specifies the mask.
MacAddress     Specifies the MAC address associated with the VLAN.
               Specifies the value used to calculate the VLAN MAC address, which is offset from the switch MAC address.
               Specifies the status of routing on the VLAN: enabled or disabled.
Displaying IP routes
Use this procedure to display all active routes in the routing table. Route entries appear in ascending order of the destination IP addresses.
To display all active routes in the routing table, enter the following from the User EXEC command mode:
show ip route [<dest-ip>] [-s <subnet> <mask>] [summary]
Variable Definitions
Variable                Value
[<dest-ip>]             Specifies the destination IP address of the route to display.
[-s <subnet> <mask>]    Specifies the destination subnet of the routes to display.
[summary]               Displays a summary of IP route information.
Performing a traceroute
Use this procedure to display the route taken by IP packets to a specified host.
1. To perform a traceroute, enter the following from the Global Configuration mode:
traceroute <Hostname|A.B.C.D.> <-m> <-p> <-q> <-v> <-w> <1-1464>
2. Type CTRL+C to interrupt the command.
Variable Definitions
Variable      Value
Hostname      Specifies the name of the remote host.
A.B.C.D       Specifies the IP address of the remote host.
-m            Specifies the maximum time to live (ttl). The value for this parameter is in the range from 1-255. The default value is 10. Example: traceroute 10.3.2.134 -m 10
-p            Specifies the base UDP port number. The value for this parameter is in the range from 0-65535. Example: traceroute 1.2.3.4 -p 87
-q            Specifies the number of probes per time to live. The value for this parameter is in the range from 1-255. The default value is 3. Example: traceroute 10.3.2.134 -q 3
-v            Specifies verbose mode. Example: traceroute 10.3.2.134 -v
-w            Specifies the wait time per probe. The value for this parameter is in the range from 1-255. The default value is 5 seconds. Example: traceroute 10.3.2.134 -w 15
<1-1464>      Specifies the UDP probe packet size. TIP: probe packet size is 40 plus specified data length in bytes. Example: traceroute 10.3.2.134 -w 60
Prerequisites
Enable IP routing globally.
Enable IP routing and configure an IP address on the VLANs to be routed.
To configure a static route, enter the following from the Global Configuration command mode:
[no] ip route <dest-ip> <mask> <next-hop> [<cost>] [disable] [enable] [weight <cost>]
Variable Definitions
Variable           Value
[no]               Removes the specified static route.
<dest-ip>          Specifies the destination IP address for the route being added. 0.0.0.0 is considered the default route.
<mask>             Specifies the destination subnet mask for the route being added.
<next-hop>         Specifies the next hop IP address for the route being added.
[<cost>]           Specifies the weight, or cost, of the route being added. Range is 1-65535.
[disable]          Disables the specified static route.
[enable]           Enables the specified static route.
[weight <cost>]    Changes the weight, or cost, of an existing static route. Range is 1-65535.
To display a static route, enter the following from the User EXEC command mode:
show ip route static [<dest-ip>] [-s <subnet> <mask>]
Variable Definitions
Variable                Value
<dest-ip>               Specifies the destination IP address of the static routes to display.
[-s <subnet> <mask>]    Specifies the destination subnet of the static routes to display.
Job aid
The following table shows the field descriptions for the show ip route static command.
Field    Description
DST      Identifies the route destination.
MASK     Identifies the route mask.
NEXT     Identifies the next hop in the route.
COST     Identifies the route cost.
VLAN     Identifies the VLAN ID on the route.
PORT     Specifies the ports.
PROT     Specifies the routing protocols. For static routes, options are LOC (local route) or STAT (static route).
TYPE     Indicates the type of route as described by the Type Legend on the CLI screen.
PRF      Specifies the route preference.
Variable Definitions
Variable       Value
<dest-ip>      Specifies the destination IP address for the route being added.
<mask>         Specifies the destination subnet mask for the route being added.
<next-hop>     Specifies the next hop IP address for the route being added.
To display the static routes configured for the management VLAN, enter the following from the User EXEC mode:
show ip mgmt route
Job aid
The following table shows the field descriptions for the show ip mgmt route command.
Field             Description
Destination IP    Identifies the route destination.
Subnet Mask       Identifies the route mask.
Gateway IP        Identifies the next hop in the route.
Prerequisites
Enable IP routing globally.
Enable IP routing and configure an IP address on the VLAN to be set as the DHCP relay agent.
Ensure that a route to the destination DHCP server is available on the switch.
1. Ensure that DHCP relay is enabled globally. (DHCP relay is enabled by default.)
2. Configure the DHCP relay forwarding path, specifying the VLAN IP as the DHCP relay agent and the remote DHCP server as the destination.
3. Enable DHCP for the specific VLAN.
To configure the global DHCP relay status, enter the following from the Global Configuration mode:
[no] ip dhcp-relay
Variable Definitions
Variable     Value
[no]         Disables DHCP relay.
To display the global DHCP relay status, enter the following from the User EXEC command mode:
show ip dhcp-relay
Variable Definitions
Variable     Value
             Enables the specified DHCP relay forwarding path.
             Disables the specified DHCP relay forwarding path.
             Specifies the mode for DHCP relay: BootP only, BootP and DHCP, or DHCP only. If you do not specify a mode, the default DHCP and BootP is used.
To display the DHCP relay configuration, enter the following from the User EXEC command mode:
show ip dhcp-relay fwd-path
Job aid
The following table shows the field descriptions for the show ip dhcp-relay fwd-path command.
Field        Description
INTERFACE    Specifies the interface IP address of the DHCP relay agent.
SERVER       Specifies the IP address of the DHCP server.
ENABLE       Specifies whether DHCP is enabled.
MODE         Specifies the DHCP mode.
To configure DHCP relay on a VLAN, enter the following from the VLAN Interface Configuration mode:
[no] ip dhcp-relay [broadcast] [min-sec <min-sec>] [mode {bootp | dhcp | bootp_dhcp}]
Variable Definitions
Variable                            Value
[no]                                Disables DHCP relay on the specified VLAN.
[broadcast]                         Enables the broadcast of DHCP reply packets to the DHCP clients on this VLAN interface.
min-sec <min-sec>                   The switch immediately forwards a BootP/DHCP packet if the secs field in the BootP/DHCP packet header is greater than the configured min-sec value; otherwise, the packet is dropped. Range is 0-65535. The default is 0.
mode {bootp | dhcp | bootp_dhcp}    Specifies the type of DHCP packets this VLAN supports: bootp - Supports BootP only; dhcp - Supports DHCP only; bootp_dhcp - Supports both BootP and DHCP.
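The following is an added example, not Avaya's code: a small model of the per-VLAN relay behaviour described above (the min-sec check on the secs field, the broadcast option for replies, and the REQUESTS/REPLIES counters) run over constructed BOOTP/DHCP headers. The giaddr insertion, hops increment and hop limit are standard relay-agent behaviour (RFC 1542) assumed here, not something this page states.

```python
"""Added example (not Avaya's code): model of the 'ip dhcp-relay' VLAN
behaviour described on this page, applied to constructed BOOTP/DHCP headers."""
import ipaddress
import struct

# Fixed BOOTP/DHCP header layout (RFC 951 / RFC 2131), byte offsets:
#   op 0, htype 1, hlen 2, hops 3, xid 4, secs 8, flags 10, ciaddr 12,
#   yiaddr 16, siaddr 20, giaddr 24, chaddr 28, sname 44, file 108
OP, HOPS, SECS, FLAGS, YIADDR, GIADDR = 0, 3, 8, 10, 16, 24
FIXED_HEADER_LEN = 236
BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_FLAG = 0x8000
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
MAX_HOPS = 16  # RFC 1542 relay limit; assumption, not stated on this page


def build_packet(op, xid, secs, chaddr, flags=0, ciaddr="0.0.0.0",
                 yiaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Constructed sample header; only the fields this model inspects are set."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, secs, flags)
    hdr += ipaddress.IPv4Address(ciaddr).packed
    hdr += ipaddress.IPv4Address(yiaddr).packed
    hdr += b"\x00" * 4                            # siaddr
    hdr += ipaddress.IPv4Address(giaddr).packed
    hdr += chaddr.ljust(16, b"\x00")              # chaddr
    hdr += b"\x00" * (64 + 128)                   # sname, file
    return hdr


class VlanDhcpRelay:
    """One VLAN interface configured with 'ip dhcp-relay [broadcast] [min-sec N]'."""

    def __init__(self, agent_ip, server_ip, min_sec=0, broadcast=False,
                 enabled=True):
        if not 0 <= min_sec <= 65535:
            raise ValueError("min-sec range is 0-65535")
        self.agent_ip = ipaddress.IPv4Address(agent_ip)   # VLAN IP acts as agent
        self.server_ip = ipaddress.IPv4Address(server_ip)
        self.min_sec = min_sec
        self.broadcast = broadcast     # ALWAYS_BROADCAST in show vlan dhcp-relay
        self.enabled = enabled
        self.requests = 0              # REQUESTS in show ip dhcp-relay counters
        self.replies = 0               # REPLIES in show ip dhcp-relay counters

    def passes_min_sec(self, packet):
        """Documented rule: forward when secs is greater than min-sec, else
        drop. min-sec 0 (the default) forwards immediately."""
        if self.min_sec == 0:
            return True
        (secs,) = struct.unpack_from("!H", packet, SECS)
        return secs > self.min_sec

    def relay_request(self, packet):
        """Client-to-server direction. Returns (destination, packet) or None
        when the packet is dropped. Sets giaddr to the agent IP if still zero
        and increments hops (assumed RFC 1542 behaviour)."""
        if not self.enabled or len(packet) < FIXED_HEADER_LEN:
            return None
        if packet[OP] != BOOTREQUEST or not self.passes_min_sec(packet):
            return None
        if packet[HOPS] >= MAX_HOPS:
            return None
        out = bytearray(packet)
        if out[GIADDR:GIADDR + 4] == bytes(4):
            out[GIADDR:GIADDR + 4] = self.agent_ip.packed
        out[HOPS] += 1
        self.requests += 1
        return self.server_ip, bytes(out)

    def relay_reply(self, packet):
        """Server-to-client direction. Accepts only replies whose giaddr names
        this agent. With the 'broadcast' option (or the client's broadcast
        flag) the reply goes to 255.255.255.255, otherwise to yiaddr."""
        if not self.enabled or len(packet) < FIXED_HEADER_LEN:
            return None
        if packet[OP] != BOOTREPLY or packet[GIADDR:GIADDR + 4] != self.agent_ip.packed:
            return None
        (flags,) = struct.unpack_from("!H", packet, FLAGS)
        if self.broadcast or flags & BROADCAST_FLAG:
            dest = LIMITED_BROADCAST
        else:
            dest = ipaddress.IPv4Address(packet[YIADDR:YIADDR + 4])
        self.replies += 1
        return dest, packet
```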
To display the DHCP relay VLAN parameters, enter the following from the Privileged EXEC command mode:
show vlan dhcp-relay [<vid>]
Variable Definitions
Variable     Value
[<vid>]      Specifies the VLAN ID of the VLAN to be displayed. Range is 1-4094.
Job aid
The following table shows the field descriptions for the show ip dhcp-relay command.
Field               Description
                    Indicates the VLAN interface index.
                    Indicates the minimum time, in seconds, to wait between receiving a DHCP packet and forwarding the DHCP packet to the destination device. A value of zero indicates forwarding is done immediately without delay.
ENABLED             Indicates whether DHCP relay is enabled on the VLAN.
MODE                Indicates the type of DHCP packets this interface supports. Options include none, BootP, DHCP, and both.
ALWAYS_BROADCAST    Indicates whether DHCP reply packets are broadcast to the DHCP client on this VLAN interface.
To display the DHCP relay counters, enter the following from the User EXEC command mode:
show ip dhcp-relay counters
Job aid
The following table shows the field descriptions for the show ip dhcp-relay counters command.
Field        Description
INTERFACE    Indicates the interface IP address of the DHCP relay agent.
REQUESTS     Indicates the number of DHCP requests.
REPLIES      Indicates the number of DHCP replies.
To clear the DHCP relay counters, enter the following from the VLAN Interface Configuration command mode:
ip dhcp-relay clear-counters
To display directed broadcast status, enter the following from the User EXEC mode:
show ip directed-broadcast
Displaying the ARP table
Use the following procedures to display the ARP table, configure a global timeout for ARP entries, and clear the ARP cache.
Navigation
Displaying ARP entries on page 163
Configuring a global timeout for ARP entries on page 163
Clearing the ARP cache on page 164
Displaying ARP entries
Use this procedure to display ARP entries.
To display ARP entries, enter the following from the User Exec mode:
show arp-table
OR
show ip arp [static | dynamic] [<ip-addr> | {-s <subnet> <mask>}] [summary]
The show ip arp command is invalid if the switch is not in Layer 3 mode.
Variable Definitions
Variable               Value
<ip-addr>              Specifies the IP address of the ARP entry to be displayed.
-s <subnet> <mask>     Displays ARP entries for the specified subnet only.
static                 Displays all configured static entries, including those without a valid route.
Job aid
The following table shows the field descriptions for the show ip arp command.
Field                    Description
IP Address               Specifies the IP address of the ARP entry.
Age (min)                Displays the ARP age time.
MAC Address              Specifies the MAC address of the ARP entry.
VLAN-Unit/Port/Trunk     Specifies the VLAN/port of the ARP entry.
Flags                    Specifies the type of ARP entry. S=Static, D=Dynamic, L=Local, B=Broadcast.
Configuring a global timeout for ARP entries
Use this procedure to configure an aging time for the ARP entries.
To configure a global timeout for ARP entries, enter the following from the Global Configuration mode:
ip arp timeout <timeout>
Variable Definitions
Variable      Value
<timeout>     Specifies the amount of time in minutes before an ARP entry ages out. Range is 5-360. The default value is 360 minutes.
Clearing the ARP cache
Use this procedure to clear the cache of ARP entries.
To clear the ARP cache, enter the following from the Global Configuration mode:
clear arp-cache
Variable Definitions
Variable     Value
default      Disables proxy ARP functionality on the VLAN.
no           Disables proxy ARP functionality on the VLAN.
Displaying proxy ARP status on a VLAN
Use this procedure to display the status of proxy ARP on a VLAN.
To display proxy ARP status for a VLAN, enter the following from the User EXEC mode:
show ip arp-proxy interface [vlan <vid>]
Variable Definitions
Variable     Value
<vid>        Specifies the ID of the VLAN to display. Range is 1-4094.
Job aid
The following table shows the field descriptions for the show ip arp-proxy interfaces command.
Field               Description
Vlan                Identifies a VLAN.
Proxy ARP status    Specifies the status of Proxy ARP on the VLAN.
To configure IGMP snooping, the only required configuration is to enable snooping on the VLAN. All related configurations, listed below, are optional and can be configured to suit the requirements of your network.
To enable IGMP snooping, enter the following from the VLAN Interface Configuration command mode:
[default] [no] ip igmp snooping
OR
Enter the following from the Global Configuration command mode:
[default] vlan igmp <vid> [snooping {enable | disable}]
Variable Definitions
Variable     Value
default      Disables IGMP snooping on the selected VLAN.
no           Disables IGMP snooping on the selected VLAN.
enable       Enables IGMP snooping on the selected VLAN.
disable      Disables IGMP snooping on the selected VLAN.
[default] [no] vlan igmp <vid> [proxy {enable | disable}]
Variable Definitions
Variable     Value
default      Disables IGMP proxy on the selected VLAN.
no           Disables IGMP proxy on the selected VLAN.
<vid>        Specifies the VLAN ID.
enable       Enables IGMP proxy on the selected VLAN.
disable      Disables IGMP proxy on the selected VLAN.
To configure the IGMP version, enter the following from the VLAN Interface Configuration mode:
[default] ip igmp version <1-3>
Variable Definitions
Variable     Value
default      Restores the default IGMP protocol version (IGMPv2).
<1-3>        Specifies the IGMP version.
To configure static mrouter ports on a VLAN (IGMPv1, IGMPv2, and IGMPv3 according to the supported version on the VLAN), enter the following from the VLAN Interface Configuration mode:
[default] [no] ip igmp mrouter <portlist>
OR
To configure IGMPv1 or IGMPv2 static mrouter ports, enter the following from the Global Configuration command mode:
[no] vlan igmp <vid> {v1-members | v2-members} [add | remove] <portlist>
Variable Definitions
Variable                    Value
default                     Removes all static mrouter ports.
no                          Removes the specified static mrouter port.
<portlist>                  Specifies the list of ports to add or remove as static mrouter ports.
{v1-members | v2-members}   Specifies whether the static mrouter ports are IGMPv1 or IGMPv2.
[add | remove]              Specifies whether to add or remove the static mrouter ports.
To display IGMP snoop information, enter:
show ip igmp snooping
Variable Definitions
Variable                  Value
Vlan                      Indicates the Vlan ID.
Snoop Enable              Indicates whether snoop is enabled (true) or disabled (false).
Proxy Snoop Enable        Indicates whether IGMP proxy is enabled (true) or disabled (false).
Static Mrouter Ports      Indicates the static mrouter ports in this VLAN that provide connectivity to an IP multicast router.
Active Mrouter Ports      Displays all dynamic (querier port) and static mrouter ports that are active on the interface.
Mrouter Expiration Time   Specifies the time remaining before the multicast router is aged out on this interface. If the switch does not receive queries before this time expires, it flushes out all group memberships known to the VLAN. The Query Max Response Interval (obtained from the queries received) is used as the timer resolution.
Variable                Value
<last-mbr-query-int>    leave group messages. This parameter is also the time between group-specific query messages. This value is not configurable for IGMPv1. Decreasing the value reduces the time to detect the loss of the last member of a group. The range is from 0-255, and the default is 10 (1 second). Avaya recommends configuring this parameter to values higher than 3. If a fast leave process is not required, Avaya recommends values above 10. (The value 3 is equal to 0.3 of a second, and 10 is equal to 1.0 second.)
<query-int>             Sets the frequency (in seconds) at which host query packets are transmitted on the VLAN. The range is 1-65535. The default value is 125 seconds.
<query-max-resp>        Specifies the maximum response time (in 1/10 seconds) advertised in IGMPv2 general queries on this interface. The range is 0-255. The default value is 100 (10 seconds).
<robust-val>            Specifies tuning for the expected packet loss of a network. This value is equal to the number of expected query packet losses for each serial query interval, plus 1. If you expect a network to lose query packets, you must increase the robustness value. Ensure that the robustness value is the same as the configured value on the multicast router (IGMP querier). The range is from 2 to 255, and the default is 2. The default value of 2 means that one query for each query interval can be dropped without the querier aging out.
Variable Definitions
Variable     Value
default      Disables the router alert option.
no           Disables the router alert option.
To display the IGMP interface information, enter:
show ip igmp interface [vlan <vid>]
OR
Enter:
show vlan igmp <vid>
Job aid
The following table shows the field descriptions for the show ip igmp interface command.
Field             Description
VLAN              Indicates the VLAN on which IGMP is configured.
Query Intvl       Specifies the frequency (in seconds) at which host query packets are transmitted on the interface.
Vers              Specifies the version of IGMP configured on this interface.
Oper Vers         Specifies the version of IGMP running on this interface.
Querier           Specifies the IP address of the IGMP querier on the IP subnet to which this interface is attached.
Query MaxRsp T    Indicates the maximum query response time (in tenths of a second) advertised in IGMPv2 queries on this interface.
Wrong Query       Indicates the number of queries received whose IGMP version does not match the Interface version. You must configure all routers on a LAN to run the same version of IGMP. Thus, if queries are received with the wrong version, a configuration error occurs.
                  Indicates the number of times a group membership was added on this interface.
                  Specifies the robust value configured for expected packet loss on the interface.
                  Indicates the maximum response time (in tenths of a second) inserted into group-specific queries sent in response to leave group messages, and is also the amount of time between group-specific query messages. Use this value to modify the leave latency of the network. A reduced value results in reduced time to detect the loss of the last member of a group. This does not apply if the interface is configured for IGMPv1.
Send Query        Indicates whether the ip igmp send-query feature is enabled or disabled. Values are YES or NO. Default is disabled.
The following table shows the field descriptions for the show vlan igmp command.
Field                        Description
Snooping                     Indicates whether snooping is enabled or disabled.
Proxy                        Indicates whether proxy snoop is enabled or disabled.
Robust Value                 Indicates the robust value configured for expected packet loss on the interface.
Query Time                   Indicates the frequency (in seconds) at which host query packets are transmitted on the interface.
IGMPv1 Static Router Ports   Indicates the IGMPv1 static mrouter ports.
IGMPv2 Static Router Ports   Indicates the IGMPv2 static mrouter ports.
Send Query                   Indicates whether the ip igmp send-query feature is enabled or disabled. Values are YES or NO. Default is disabled.
show ip igmp group [count] [group <A.B.C.D>] [member-subnet <A.B.C.D>/<0-32>]
OR
Enter:
show vlan multicast membership <vid>
Variable Definitions
Variable                          Value
count                             Displays the number of IGMP group entries.
group <A.B.C.D>                   Displays group information for the specified group.
member-subnet <A.B.C.D>/<0-32>    Displays group information for the specified member subnet.
Job aid
The following table shows the field descriptions for the show ip igmp group command.
Field             Description
Group Address     Indicates the multicast group address.
VLAN              Indicates the VLAN interface on which the group exists.
Member Address    Indicates the IP address of the IGMP receiver (host or IGMP reporter). The IP address is 0.0.0.0 if the type is static.
                  Indicates the time left before the group report expires. This variable is updated upon receiving a group report.
                  Specifies the type of membership: static or dynamic.
                  Identifies the member port for the group. This is the port on which group traffic is forwarded and, in those cases where the type is dynamic, it is the port on which the IGMP join was received.
The following table shows the field descriptions for the show vlan multicast membership command.
Field                     Description
Multicast Group Address   Indicates the multicast group address.
In Port                   Indicates the physical interface or a logical interface (VLAN) that received group reports from various sources.
To configure unknown multicast packet flooding, enter the following from the Global Configuration mode:
[no] [default] vlan igmp <vid> unknown-mcast-no-flood {enable | disable}
Variable Definitions
Variable     Value
no           Enables the flooding of multicast packets on the VLAN.
default      Enables the flooding of multicast packets on the VLAN.
enable       Prevents the flooding of multicast packets on the VLAN.
disable      Enables the flooding of multicast packets on the VLAN.
To display the unknown multicast flooding configuration, enter:
show vlan igmp unknown-mcast-no-flood
Job aid
The following table shows the field descriptions for the show vlan igmp unknown-mcast-no-flood command.
Field                        Description
Unknown Multicast No-Flood   Specifies the status of unknown multicast filtering: enabled or disabled.
To allow particular unknown multicast packets to be flooded, enter the following from the Global Configuration mode:
vlan igmp unknown-mcast-allow-flood {<H.H.H> | <mcast_ip_address>}
Variable Definitions
Variable              Value
<H.H.H>               Specifies the multicast MAC address to be flooded. Accepted formats are: H.H.H, xx:xx:xx:xx:xx:xx, xx.xx.xx.xx.xx.xx, xx-xx-xx-xx-xx-xx
<mcast_ip_address>    Specifies the multicast IP address to be flooded.
To display the multicast MAC addresses for which flooding is allowed, enter:
show vlan igmp unknown-mcast-allow-flood
Job aid
The following table shows the field descriptions for the show vlan igmp unknown-mcast-allow-flood command.
Field                         Description
Allowed Multicast Addresses   Indicates multicast addresses that can flood.
Job aid
The following table shows the field descriptions for the show ip igmp cache command.
Field            Description
Group Address    Indicates the multicast group address.
Vlan ID          Indicates the VLAN interface on which the group exists.
Last Reporter    Indicates the last IGMP host to join the group.
Expiration       Indicates the group expiration time (in seconds).
V1 Host Timer    Indicates the time remaining until the local router assumes that no IGMP version 1 members exist on the IP subnet attached to the interface. Upon hearing an IGMPv1 membership report, this value is reset to the group membership timer. When the time remaining is nonzero, the local interface ignores IGMPv2 leave messages that it receives for this group.
Type
To flush the router table, enter the following from the Global Configuration mode:
ip igmp flush vlan <vid> {grp-member|mrouter}
Variable Definitions
Variable               Value
{grp-member|mrouter}   Flushes the table specified by type.
1. From Global Configuration mode, enter the ip igmp profile <profile number (1-65535)> command.
2. Enter the deny command.
3. Enter the range <ip multicast address> <ip multicast address> command.
To delete an IGMP profile, enter the following command from Global Configuration mode:
no ip igmp profile <profile number (1-65535)>
1. From Global Configuration mode, enter the interface <interface-id> command.
2. Enter the ip igmp filter <profile number> command.
1. From Global Configuration mode, enter the interface <interface-id> command.
2. Enter the no ip igmp filter <profile number> command.
To display an IGMP profile, enter the following command from Global Configuration mode:
show ip igmp profile <cr> or <profile number>
Assign ports to an access list by using the following command in Global Configuration mode.
Variable Definitions
Variable              Value
port <port_list>      Specifies the list of ports assigned to the specified access list.
acl-type {ip | l2}    Specifies the type of access list used; IP or Layer 2.
name <name>           Specifies the name of the access list to be used. Access lists must be configured before ports can be assigned to them.
Remove an access list assignment by using the following command from Global Configuration mode.
no qos acl-assign <aclassignid>
Create an access list by using the following procedure from Global Configuration mode.
qos ip-acl name <name> [addr-type <addrtype>] [src-ip <source_ip>] [dst-ip <destination_ip>] [ds-field <dscp>] [{protocol <protocol_type> | next_header <header>}] [src-port-min <port> src-port-max <port>] [dst-port-min <port> dst-port-max <port>] [flow-id <flowid>] [drop-action {drop | pass}] [update-dscp <0 - 63>] [update-1p <0 - 7>] [set-drop-prec {high drop | low drop}] [block <block_name>]
Variable Definitions
Variable                                            Value
name <name>                                         Specifies the name assigned to this access list.
addr-type <addrtype>                                Specifies the IP address type to use for the access list.
src-ip <source_ip>                                  Specifies the source IP address to use for this access list.
dst-ip <destination_ip>                             Specifies the destination IP address to use for this access list.
ds-field <dscp>                                     Specifies the DSCP value to use for this access list.
{protocol <protocol_type> | next_header <header>}   Specifies the protocol type or IP header to use with this access list.
src-port-min <port> src-port-max <port>             Specifies the minimum and maximum source ports to use with this access list. Both values must be specified.
dst-port-min <port> dst-port-max <port>             Specifies the minimum and maximum destination ports to use with the access list. Both values must be specified.
flow-id <flowid>                                    Specifies the flow ID to use with this access list.
drop-action {drop | pass}                           Specifies the drop action to use for this access list.
update-dscp <0 - 63>                                Specifies the DSCP value to update for this access list.
update-1p <0 - 7>                                   Specifies the 802.1p value to update for this access list.
set-drop-prec {high drop | low drop}                Specifies the drop precedence to configure for this access list.
block <block_name>                                  Specifies the block name to associate with the access list.
Remove an access list by using the following command from Global Configuration mode.
no qos ip-acl <aclid>
Create an access list by using the following command from Global Configuration mode.
qos l2-acl name <name> [src-mac <source_mac_address>] [src-mac-mask <source_mac_address_mask>] [dst-mac <destination_mac_address>] [dst-mac-mask <destination_mac_address_mask>] [vlan-min <vid_min> vlan-max <vid_max>] [vlan-tag <vtag>] [ethertype <etype>] [priority <ieee1p_seq>] [drop-action {drop | pass}] [update-dscp <0 - 63>] [update-1p <0 - 7>] [set-drop-prec {high-drop | low-drop}] [block <block_name>]
Note: Possible values for vlan-max are based on the binary value of vlan-min, and are obtained by replacing consecutive trailing zeros in this binary value with ones, starting at the right-most position. For example, if vlan-min = 200, then there are 4 possible values for vlan-max:
11001000 (200)
11001001 (201)
11001011 (203)
11001111 (207)
The value of vlan-max is vlan-min + 2^n - 1, where n is the number of consecutive trailing zeros replaced.
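The following is an added example, not Avaya's code: it implements the vlan-min/vlan-max rule from the note above and, going beyond the note, splits an arbitrary VLAN range into the fewest (vlan-min, vlan-max) pairs the rule permits, each of which would go into its own qos l2-acl entry. The 1-4094 VLAN ID bound is taken from the show commands on this page; the greedy decomposition is an assumption about how an operator would cover a range, not a documented command behaviour.

```python
"""Added example (not Avaya's code): vlan-min/vlan-max rule for qos l2-acl
and a decomposition of an arbitrary VLAN range into acceptable pairs."""

VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094   # VLAN ID range used by this page's show commands


def trailing_zeros(value: int) -> int:
    """Number of consecutive zero bits at the right end of value (value > 0)."""
    return (value & -value).bit_length() - 1


def vlan_max_candidates(vlan_min: int) -> list[int]:
    """Every vlan-max the command accepts for vlan_min: vlan-min + 2^n - 1 for
    n = 0 .. number of trailing zero bits, so 200 -> [200, 201, 203, 207]."""
    if not VLAN_ID_MIN <= vlan_min <= VLAN_ID_MAX:
        raise ValueError("vlan-min must be in 1-4094")
    return [vlan_min + (1 << n) - 1 for n in range(trailing_zeros(vlan_min) + 1)]


def is_valid_pair(vlan_min: int, vlan_max: int) -> bool:
    """True when (vlan_min, vlan_max) is a pair the rule in the note allows."""
    if not VLAN_ID_MIN <= vlan_min <= vlan_max:
        return False
    return vlan_max in vlan_max_candidates(vlan_min)


def vlan_range_to_pairs(low: int, high: int) -> list[tuple[int, int]]:
    """Split low..high into the fewest (vlan-min, vlan-max) pairs, each valid
    under the rule. Greedy: from the current start, take the largest block of
    2^n VLANs (n at most the start's trailing zeros) that still fits in range."""
    if not VLAN_ID_MIN <= low <= high <= VLAN_ID_MAX:
        raise ValueError("range must lie within 1-4094 with low <= high")
    pairs = []
    cur = low
    while cur <= high:
        n = trailing_zeros(cur)
        while cur + (1 << n) - 1 > high:   # shrink the block until it fits
            n -= 1
        pairs.append((cur, cur + (1 << n) - 1))
        cur += 1 << n
    return pairs
```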
Variable Definitions
Variable                                       Value
name <name>                                    Specifies the name assigned to this access list.
src-mac <source_mac_address>                   Specifies the source MAC address to use for this access list.
src-mac-mask <source_mac_address_mask>         Specifies the source MAC address mask to use for this access list.
[dst-mac <destination_mac_address>]            Specifies the destination MAC address to use for this access list.
dst-mac-mask <destination_mac_address_mask>    Specifies the destination MAC address mask to use for this access list.
vlan-min <vid_min> vlan-max <vid_max>          Specifies the minimum and maximum VLANs to use with this access list. Both values must be specified.
vlan-tag <vtag>                                Specifies the VLAN tag to use with this access list.
ethertype <etype>                              Specifies the Ethernet protocol type to use with the access list.
priority <ieee1p_seq>                          Specifies the priority value to use with this access list.
drop-action {drop | pass}                      Specifies the drop action to use for this access list.
update-dscp <0 - 63>                           Specifies the DSCP value to update for this access list.
update-1p <0 - 7>                              Specifies the 802.1p value to update for this access list.
set-drop-prec {high-drop | low-drop}           Specifies the drop precedence to configure for this access list.
block <block_name>                             Specifies the block name to associate with the access list.
Remove an access list by using the following command from Global Configuration mode.
no qos l2-acl <aclid>
Combining individual classifiers on page 189
Removing classifier block entries on page 190
Add and configure classifier entries by using the following command from Global Configuration mode.
qos ip-element <cid> [addr-type <addrtype>] [ds-field <dscp>] [dst-ip <dst-ip-info>] [dst-port-min <port>] [flow-id <flowid>] [ip-flag <ip-flags>] [ipv4-options <no-opt | with-opt>] [next-header <nextheader>] [session-id] [src-ip <src-ip-info>] [src-port-min <port>] [tcp-control <tcp-flags>]
Variable Definitions
Variable                           Value
<cid>                              Specifies the element ID; value ranges from 1-55000.
addr-type <addrtype>               Specifies the address type. Use the value ipv4 to indicate an IPv4 address or the value ipv6 to indicate an IPv6 address. The default value is ipv4.
ds-field <dscp>                    Specifies a 6-bit DSCP value; value ranges from 0-63. Default is ignore.
dst-ip <dst-ip-info>               Specifies the source IP address and mask in the form of a.b.c.d/x for IPv4, or x:x:x:x:x:x:x:x/z for IPv6. Default is 0.0.0.0.
dst-port-min <port>                Specifies the L4 destination port minimum value.
flow-id <flowid>                   Specifies the IPv6 flow identifier.
ip-flag <ip-flags>                 Specifies the flags present in an IPv4 header.
ipv4-options <no-opt | with-opt>   Specifies whether the Option field is present in the packet header. Valid values are: no-opt indicates that only IPv4 packets without options will match this classifier element; with-opt indicates that only IPv4 packets with options will match this classifier element.
next-header <nextheader>           Specifies the IPv6 next header classifier criteria; range is 0-255.
src-ip <src-ip-info>               Specifies the source IP address and mask in the form of a.b.c.d/x for IPv4, or x:x:x:x:x:x:x:x/z for IPv6. Default is 0.0.0.0.
session-id                         Specifies the session ID.
src-port-min <port>                Specifies the L4 source port minimum value.
tcp-control <tcp-flags>            Specifies the control flags present in a TCP header.
View IP classifier element entries by using the following commands from the Privileged EXEC Configuration mode.
show qos ip-element [<1-65535>] [all] [system] [user]
Remove IP classifier entries by using the following command from Global Configuration mode.
no qos ip-element <1-55000>
Add Layer 2 elements by using the following command from the Global Configuration mode.
qos l2-element <1-55000> [dst-mac <dst-mac>] [dst-mac-mask <dst-mac-mask>] [ethertype <etype>] [ivlan-min <vid-min>] [pkt-type <etherII | llc | snap>] [priority <ieee1p-seq>] [session-id <session-id>] [src-mac <src-mac>] [src-mac-mask <src-mac-mask>] [vlan-min <vid-min>] [vlan-tag <vtag>]
Variable Definitions
Variable                          Value
<1-55000>                         Specifies the element ID; range is 1-55000.
dst-mac <dst-mac>                 Specifies the destination MAC element criteria. Valid format is H.H.H.
dst-mac-mask <dst-mac-mask>       Specifies the destination MAC mask element criteria. Valid format is H.H.H.
ethertype <etype>                 Specifies the Ethernet type. Valid format is 0xXXXX, for example, 0x0801. Default is ignore.
ivlan-min <vid-min>               Specifies the inner VLAN ID minimum value element criteria. Range is 1-4094.
pkt-type <etherII | llc | snap>   Specifies the packet frame format: etherII indicates that only Ethernet II format frames match this classifier component; snap indicates that only IEEE 802 SNAP format frames match this classifier component; llc indicates that only IEEE 802 LLC format frames match this classifier component.
priority <ieee1p-seq>             Specifies the 802.1p priority values; range from 0-7 or all. Default is ignore.
session-id <session-id>           Specifies the session ID.
src-mac <src-mac>                 Specifies the source MAC element criteria. Enter in the format H.H.H.
src-mac-mask <src-mac-mask>       Specifies the source MAC mask element criteria. Valid format is H.H.H.
vlan-min <vid-min>                Specifies the VLAN ID minimum value element criteria. Range is 1-4094.
View Layer 2 element entries by using the following commands from the Privileged EXEC Configuration mode.
show qos l2-element [<1-65535>] [all] [system] [user]
Delete element entries by using the following command from Global Configuration mode.
no qos l2-element <1-55000>
Link elements by using the following command from Global Configuration mode.
qos classifier <1-55000> set-id <1-55000> [name <WORD>] element-type {ip | l2 | system} element-id <1-55000>
Variable Definitions
classifier <1-55000>: Specifies the classifier ID; range is 1-55000.
set-id <1-55000>: Specifies the classifier set ID; range is 1-55000.
name <WORD>: Specifies the set label; maximum is 16 alphanumeric characters.
element-type {ip | l2 | system}: Specifies the element type: ip, l2, or system classifier.
element-id <1-55000>: Specifies the element ID; range is 1-55000.

Delete classifier entries by using the following command from Global Configuration mode.
no qos classifier <1-55000>

Combine individual classifiers by using the following command from Global Configuration mode.
qos classifier-block <1-55000> block-number <1-55000> [name <WORD>] {set-id <1-55000> | set-name <WORD>} [{in-profile-action <1-55000> | in-profile-action-name <WORD>} | {meter <1-55000> | meter-name <WORD>}]

Variable Definitions
classifier-block <1-55000>: Specifies the classifier block ID; range is 1-55000.
block-number <1-55000>: Specifies the classifier block number; range is 1-55000.
name <WORD>: Specifies the label for the classifier block; maximum is 16 alphanumeric characters.
set-id <1-55000>: Specifies the classifier set to be linked to the classifier block; range is 1-55000.
set-name <WORD>: Specifies the classifier set name to be linked to the classifier block; maximum is 16 alphanumeric characters.
in-profile-action <1-55000>: Specifies the in-profile action to be linked to the classifier block; range is 1-55000.
in-profile-action-name <WORD>: Specifies the in-profile action name to be linked to the classifier block; maximum is 16 alphanumeric characters.
meter <1-55000>: Specifies the meter to be linked to the classifier block; range is 1-55000.
meter-name <WORD>: Specifies the meter name to be linked to the classifier block; maximum is 16 alphanumeric characters.

Delete classifier block entries by using the following command from Global Configuration mode.
no qos classifier-block <1-55000>

Navigation
Displaying QoS Parameters on page 191
Displaying QoS capability policy configuration on page 195
Configuring Access Lists on page 180
Configuring QoS Security
QoS Agent configuration on page 196
Configuring Default Buffering Capabilities on page 198
Configuring the CoS-to-Queue Assignments on page 199
Configuring QoS Interface Groups on page 200
Configuring DSCP and 802.1p and Queue Associations on page 201
Configuring Elements, Classifiers, and Classifier Blocks on page 184
Configuring QoS system-element on page 203
Configuring QoS Actions on page 205
Configuring QoS Interface Action Extensions on page 207
Configuring QoS Meters on page 208
Configuring QoS Interface Shaper on page 210
Configuring QoS Policies on page 211
QoS Generic Filter set configuration on page 213
Configuring User Based Policies on page 215
Maintaining the QoS Agent on page 218
Configuring DoS Attack Prevention Package on page 221
Display QoS parameters by using the following command from Privileged EXEC mode.
show qos {acl-assign <1-65535> | action [user | system | all | <1-65535>] | agent [details] | arp {spoofing [port]} | bpdu {blocker [port]} | capability [meter | shaper] | classifier [user | system | all | <1-65535>] | classifier-block [user | system | all | <1-65535>] | dhcp {snooping [port] | spoofing [port]} | diag [unit] | dos {nachia [port] | sqlslam [port] | tcp-dnsport [port] | tcp-ftpport [port] | tcp-synfinscan [port] | xmas [port]} | egressmap [ds | status] | if-action-extension [user | system | all | <1-65535>] | if-assign [port] | if-group | if-shaper [port] | ingressmap | ip-acl <1-65535> | ip-element [user | system | all | <1-65535>] | l2-acl <1-65535> | l2-element [user | system | all | <1-65535>] | meter [user | system | all | <1-65535>] | nsna | policy [user | system | all | <1-65535>] | queue-set | queue-set-assignment | statistics <1-65535> | system-element [user | system | all | <1-65535>] | ubp | user-policy}

Variable Definitions
acl-assign <1-65535>: Displays the specified access list assignment entry. <1-65535> displays a particular entry.
action [<1-65535> | all | system | user]: Displays the base action entries. The applicable values are: <1-65535> displays a particular entry; all displays user-created, default, and system entries; system displays only system entries; user displays only user-created and default entries. Default is all.
agent [details]: Displays the global QoS parameters. details displays the policy class support table.
arp spoofing: Displays QoS ARP spoofing prevention settings. This parameter is not available on the 8100 Series.
bpdu blocker: Displays QoS BPDU settings. blocker displays QoS BPDU blocker settings. This parameter is not available on the 8100 Series.
capability [meter | shaper]: Displays the current QoS meter and shaper capabilities of each interface. The applicable values are: meter displays QoS port meter capabilities; shaper displays QoS port shaper capabilities.
classifier [<1-65535> | all | system | user]: Displays the classifier set entries. The applicable values are: <1-65535> displays a particular entry; all displays all user-created, default, and system entries; system displays only system entries; user displays only user-created and default entries. Default is all.
classifier-block [<1-65535> | all | system | user]: Displays the classifier block entries. The applicable values are: <1-65535> displays a particular entry; all displays all user-created, default, and system entries; system displays only system entries; user displays only user-created and default entries. Default is all.
dhcp [snooping | spoofing]: Displays QoS DHCP settings. The applicable values are: snooping displays QoS DHCP snooping settings; spoofing displays QoS DHCP spoofing prevention settings. This parameter is not available on the 8100 Series.
diag [unit]: Displays the diagnostics entries. unit <1-8> displays diagnostic entries for a particular unit.
dos [nachia | sqlslam | tcp-dnsport | tcp-ftpport | tcp-synfinscan | xmas]: Displays QoS DoS settings. The applicable values are: nachia displays QoS DoS Nachia settings; sqlslam displays QoS DoS SQLSlam settings; tcp-dnsport displays QoS DoS TCP DnsPort settings; tcp-ftpport displays QoS DoS TCP FtpPort settings; tcp-synfinscan displays QoS DoS TCP SynFinScan settings; xmas displays QoS DoS Xmas settings. This parameter is not available on the 8100 Series.
egressmap: Displays the association between the DSCP and the 802.1p priority and drop precedence.
if-action-extension [<1-65535> | all | system | user]: Displays the interface action extension entries. The applicable values are: <1-65535> displays a particular entry; all displays all user-created, default, and system entries; system displays only system entries; user displays only user-created and default entries. Default is all.
if-assign [port]: Displays the list of interface assignments. port is a list of ports; displays the configuration for particular ports.
if-group: Displays the interface groups.
if-shaper [port]: Displays the interface shaping parameters. port is a list of ports; displays the configuration for particular ports.
ingressmap: Displays the 802.1p priority to DSCP mapping.
ip-acl <1-65535>: Displays the specified IP access list assignment entry. <1-65535> displays a particular entry.
ip-element [<1-65535> | all | system | user]: Displays the IP classifier element entries. The applicable values are: <1-65535> displays a particular entry; all displays all user-created, default, and system entries; system displays only system entries; user displays only user-created and default entries. Default is all.
l2-acl <1-65535>: Displays the specified Layer 2 access list assignment entry. <1-65535> displays a particular entry.
l2-element [<1-65535> | all | system | user]: Displays the Layer 2 classifier element entries. The applicable values are: <1-65535> displays a particular entry; all displays all user-created, default, and system entries; system displays only system entries; user displays only user-created and default entries. Default is all.
meter [<1-65535> | all | system | user]: Displays the meter entries. The applicable values are: <1-65535> displays a particular entry; all displays all user-created, default, and system entries; system displays only system entries; user displays only user-created and default entries. Default is all.
nsna [classifier | interface | name]: Displays QoS NSNA entries. The applicable values are: classifier displays QoS NSNA classifier entries; interface displays QoS NSNA interface entries; name specifies the label to display a particular NSNA template entry.
policy [<1-65535> | all | system | user]: Displays the policy entries. The applicable values are: <1-65535> displays a particular entry; all displays all user-created, default, and system entries; system displays only system entries; user displays only user-created and default entries. Default is all.
queue-set: Displays the queue set configuration.
queue-set-assignment: Displays the association between the 802.1p priority and a specific queue.
statistics <1-65535>: Displays the policy and filter statistics values. <1-65535> displays a particular entry.
system-element [<1-65535> | all | system | user]: Displays the system classifier element entries. The applicable values are: <1-65535> displays a particular entry; all displays all user-created, default, and system entries; system displays only system entries; user displays only user-created and default entries.
ubp [classifier | interface | name]: Displays QoS UBP entries. The applicable values are: classifier displays QoS UBP classifier entries; interface displays QoS UBP interface entries; name specifies the label to display a particular UBP template entry.
user-policy
Display QoS capability policy configuration by using the following command from Privileged EXEC mode:
show qos capability {meter [port] | shaper [port]}

Variable Definitions
meter [port]: Displays the granularity for committed rate, maximum committed rate and maximum bucket that can be used on ports for meters. port specifies a list of ports; displays the information for particular ports.
shaper [port]: Displays the granularity for committed rate, maximum committed rate and maximum bucket that can be used on ports for shapers. port specifies a list of ports; displays the information for particular ports.
1. Globally enable QoS Agent support using the following command:
qos agent oper-mode [enable]
OR
default qos agent [oper-mode]
2. Globally disable QoS Agent support using the following command:
qos agent oper-mode [disable]
OR

Restore QoS agent parameters to their defaults by using the following command from Global Configuration mode.
default qos agent [buffer | dos-attack-prevention | nt-mode | nvram-delay | queue-set | statistics-tracking | ubp]

Variable Definitions
buffer: Restores the default QoS resource buffer allocation.
dos-attack-prevention: Restores the default QoS DoS Attack Prevention setting. This parameter is only available on the 5600 Series switch.
nt-mode: Restores the default QoS NT application traffic processing mode.
nvram-delay: Restores the default maximum time in seconds to write configuration data to nonvolatile storage.
queue-set: Restores the default QoS queue set.
statistics-tracking: Restores the default QoS statistics tracking support.
ubp: Restores the default QoS UBP support level.

Job aid: Viewing the QoS agent
The following is an example of viewing the QoS agent:
5530-24TFD(config)#show qos agent
QoS Operational Mode: Enabled
QoS NVRam Commit Delay: 10 seconds
QoS Queue Set: 2
QoS Buffering: Large
QoS UBP Support Level: Low Security Local Data
QoS Default Statistics Tracking: Aggregate
QoS DOS Attack Prevention: Disabled
Minimum TCP Header Length: 20
Maximum IPv4 ICMP Length: 512
Maximum IPv6 ICMP Length: 512
QoS NT mode: Disabled
Modify the configuration by using the following command from Global Configuration mode.
qos agent queue-set <1-8>

Restore the default resource buffer by using the following command from Global Configuration mode.
default qos agent buffer

Modify resource buffer allocation by using the following command from Global Configuration mode.

Configure priority values by using the following command from Global Configuration mode.
qos queue-set-assignment queue-set <1-56> 1p <0-7> queue <1-8>

Variable Definitions
queue-set <1-56>: Specifies the queue set; value ranges from 1-56.
1p <0-7>: Specifies the 802.1p priority value for which the queue association is being modified; value ranges from 0-7.
queue <1-8>: Specifies the queue within the identified queue set to assign the 802.1p priority traffic at egress; value ranges from 1-8.

Add ports by using the following command from Interface Configuration mode.
qos if-assign [port <portlist>] name [<WORD>]

Variable Definitions
port <portlist>: Specifies the ports to add to the interface group.
name <WORD>: Specifies the name of the interface group.

Delete ports by using the following command from Interface Configuration mode.
no qos if-assign [port <portlist>]

Create interface groups by using the following command from Global Configuration mode.
qos if-group name <WORD> class <trusted | untrusted | unrestricted>

Variable Definitions
name <WORD>: Specifies the name of the interface group; maximum is 32 US-ASCII characters. The name must begin with a letter a..z or A..Z.
class <trusted | untrusted | unrestricted>: Defines a new interface group and specifies the class of traffic received on interfaces associated with this interface group: trusted, untrusted, or unrestricted.

Delete interface groups by using the following command from Global Configuration mode.
no qos if-group name <WORD>
Navigation
Configuring DSCP to 802.1p priority on page 202
Restoring egress mapping entries to default on page 202
Configuring 802.1p priority to DSCP on page 203
Restoring ingress mapping entries to default on page 203

Configure priority by using the following command from Global Configuration mode.
qos egressmap [name <WORD>] ds <0-63> 1p <0-7> dp <low-drop | high-drop>

Variable Definitions
name <WORD>: Specifies the label for the egress mapping.
ds <0-63>: Specifies the DSCP value used as a lookup key for 802.1p priority and drop precedence at egress when appropriate; range is 0 to 63.
1p <0-7>: Specifies the 802.1p priority value associated with the DSCP; range is 0 to 7.
dp <low-drop | high-drop>: Specifies the drop precedence value associated with the DSCP: low-drop or high-drop.

Reset the entries by using the following command from Global Configuration mode.
default qos egressmap

Configure priority by using the following command from Global Configuration mode.
qos ingressmap [name <WORD>] 1p <0-7> ds <0-63>

Variable Definitions
name <WORD>: Specifies the label for the ingress mapping.
1p <0-7>: Specifies the 802.1p priority used as the lookup key for DSCP assignment at ingress; range is 0 to 7.
ds <0-63>: Specifies the DSCP value associated with the target 802.1p priority; range is 0 to 63.

Reset the entries by using the following command from Global Configuration mode.
default qos ingressmap
Configure system classifier element parameters by using the following command from Global Configuration mode.
qos system-element <1-55000> [known-mcast | unknown-mcast | unknown-ucast] [pattern-format {tagged | untagged}] [pattern-ip-version {ipv4 | ipv6 | non-ip}] [pattern-data <WORD> pattern-mask <WORD>] [session-id]

Variable Definitions
<1-55000>: Specifies the system classifier element entry ID; range is 1-55000.
known-mcast: Specifies the filter on known multicast destination addresses.
unknown-mcast: Specifies the filter on unknown multicast destination addresses.
unknown-ucast: Specifies the filter on unknown unicast destination addresses.
pattern-format {tagged | untagged}: Specifies the format of the data/mask pattern. The available values are: tagged, the data/mask pattern describes a tagged packet; untagged, the data/mask pattern describes an untagged packet.
pattern-data <WORD>: Specifies the byte pattern data to filter on. Note: The format of the WORD string is XX:XX:XX:....:XX.
pattern-mask <WORD>: Specifies the byte pattern mask to filter on. Note: The format of the WORD string is XX:XX:XX:....:XX.
pattern-ip-version {ipv4 | ipv6 | non-ip}: Specifies the IP version of the pattern data or mask: ipv4 filters on the IPv4 header; ipv6 filters on the IPv6 header; non-ip filters non-IP packets.
session-id

View system classifier element parameters by using the following command from the Privileged EXEC Configuration mode.
show qos system-element [<1-65535>] [all] [system] [user]

Remove system classifier element entries by using the following command from Global Configuration mode.
no qos system-element <1-55000>
Note: Certain options can be restricted based on the policy associated with the specific action. An action that is referenced in a meter or an installed policy cannot be deleted.

Create or update QoS actions by using the following command from Global Configuration mode.
qos action <10-55000> [name <WORD>] [drop-action <enable | disable | deferred-pass>] [update-dscp <0-63>] [update-1p {<0-7> | use-tos-prec | use-egress}] [set-drop-prec <low-drop | high-drop>] [action-ext <1-55000> | action-ext-name <WORD>]

Variable Definitions
<10-55000>: Specifies the QoS action; range is 10-55000.
name <WORD>: Assigns a name to a QoS action with the designated action ID. Enter the name for the action; maximum is 16 alphanumeric characters.
drop-action <enable | disable | deferred-pass>: Specifies whether packets are dropped or not: enable drops the traffic flow; disable does not drop the traffic flow; deferred-pass defers the traffic flow decision to other installed policies. Default is deferred-pass. Note: If you omit this parameter, the default value applies.
update-dscp <0-63>: Specifies whether the DSCP value is updated or left unchanged; unchanged equals ignore. Enter the 6-bit DSCP value; range is 0 to 63. Default is ignore.
update-1p {<0-7> | use-tos-prec | use-egress}: Specifies whether the 802.1p priority value is updated or left unchanged; unchanged equals ignore: ieee1p, enter the value you want, range is 0 to 7; use-egress uses the egress map to assign the value; use-tos-prec uses the type of service precedence to assign the value. Default is ignore. Note: Requires specification of an update-dscp value.
set-drop-prec <low-drop | high-drop>: Specifies the drop precedence value: low-drop or high-drop.
action-ext <1-55000>: Specifies the action extension; range is 1-55000.
action-ext-name <WORD>: Specifies a label for the action extension; maximum is 16 alphanumeric characters.

Delete QoS action entries by using the following command from Global Configuration mode.
no qos action <10-55000>

Create interface action extension entries by using the following command from Global Configuration mode.
qos if-action-extension <1-55000> [name <WORD>] {egress-ucast <port> | egress-non-ucast <port>}

Variable Definitions
<1-55000>: Specifies the QoS action; range is 1-55000.
name <WORD>: Assigns a name to a QoS action with the designated action ID. Enter the name for the action; maximum is 16 alphanumeric characters.
egress-ucast <port> | egress-non-ucast <port>: Specifies redirection of unicast or non-unicast traffic to the specified port.

Remove interface action extension entries by using the following command from Global Configuration mode.
no qos if-action-extension <1-55000>
Create QoS meter entries by using the following command from Global Configuration mode.
qos meter <1-55000> [name <WORD>] committed-rate <64-10230000> {burst-size <burst-size> max-burst-rate <64-4294967295> [max-burst-duration <1-4294967295>]} {in-profile-action <1-55000> |

Variable Definitions
burst-size <4,8,16,...,16384>
max-burst-rate <64-4294967295>
max-burst-duration <1-4294967295>

Remove QoS meter entries by using the following command from Global Configuration mode.

Configure interface shaping by using the following command from Interface Configuration mode.
qos if-shaper [port <portlist>] [name <WORD>] shape-rate <64-10230000> {burst-size <burst-size> max-burst-rate <64-4294967295> [max-burst-duration <1-4294967295>]}

Variable Definitions
burst-size <4,8,16, ..., 16384>: Specifies the committed burst size in kilobytes. The value range is: 4, 8, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384.
port <portlist>: Specifies the ports to configure shaping parameters on.
name <WORD>: Specifies the name for the if-shaper; maximum is 16 alphanumeric characters.
shape-rate <64-10230000>: Specifies the shaping rate in kilobits/sec; range is 64-10230000 kilobits/sec.
max-burst-rate <64-4294967295>: Specifies the largest burst of traffic that can be received at a given time for the traffic to be considered in-profile. Used in calculating the committed burst size. Enter the burst size in Kb/s for in-profile traffic; range is 64 to 4294967295 Kbits/sec.
max-burst-duration <1-4294967295>: Specifies the amount of time that the largest burst of traffic can be received for the traffic to be considered in-profile. Used in calculating the committed burst size. Enter the burst duration in ms for in-profile traffic; range is 1-4294967295 ms.

Disable interface shaping by using the following command from Interface Configuration mode.
no qos if-shaper [port <portlist>]
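The meter and the if-shaper sections above share the same profile parameters: a committed-rate or shape-rate in kilobits per second and a burst-size in kilobytes. The following added example, which is not Avaya code, models such a profile as a single-rate token bucket so that the in-profile/out-of-profile split can be seen on sample traffic; the manual does not state the metering algorithm, so the bucket semantics, the bucket starting full, and the constructed traffic are assumptions. It serves both the meter and the shaper passages.

```python
from dataclasses import dataclass, field
from typing import List

VALID_BURST_SIZES_KB = [4 << i for i in range(13)]      # 4, 8, ..., 16384 as in the manual


@dataclass
class TokenBucketMeter:
    """Single-rate token bucket (assumed model): committed-rate in kbit/s refills a
    bucket of burst-size kilobytes; a packet is in-profile when enough bytes are banked."""
    committed_rate_kbps: int                 # committed-rate / shape-rate <64-10230000>
    burst_size_kb: int                       # burst-size <4,8,16,...,16384>
    tokens: float = field(init=False)        # bytes currently available
    last_ts: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        if self.burst_size_kb not in VALID_BURST_SIZES_KB:
            raise ValueError("burst-size must be one of 4, 8, 16, ..., 16384 KB")
        if not 64 <= self.committed_rate_kbps <= 10230000:
            raise ValueError("committed-rate must be 64-10230000 kbit/s")
        self.capacity = self.burst_size_kb * 1024             # bucket depth in bytes
        self.tokens = float(self.capacity)                    # starts full (assumption)
        self.rate_bps = self.committed_rate_kbps * 1000 / 8   # bytes per second

    def check(self, ts: float, length: int) -> str:
        """Classify a packet of `length` bytes arriving at `ts` seconds."""
        elapsed = max(0.0, ts - self.last_ts)
        self.last_ts = ts
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate_bps)
        if self.tokens >= length:
            self.tokens -= length
            return "in-profile"
        return "out-of-profile"               # out-of-profile packets consume no tokens


def run_sample() -> List[str]:
    """Constructed traffic: 1500-byte packets every millisecond (12 Mbit/s)
    against a 1000 kbit/s committed rate with a 4 KB burst-size.  The stored
    burst lets the first packets through, then only one packet in ten or so."""
    meter = TokenBucketMeter(committed_rate_kbps=1000, burst_size_kb=4)
    return [meter.check(i * 0.001, 1500) for i in range(6)]
```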
Create a QoS policy by using the following command from Global Configuration mode.
qos policy <1-55000> {enable | disable} [name <WORD>] {port <portlist> | if-group <WORD>} clfr-type {classifier | block} {clfr-id <1-55000> | clfr-name <WORD>} {{in-profile-action <1-55000> | in-profile-action-name <WORD>} | {meter <1-55000> | meter-name <WORD>}} [non-match-action <1-55000> | non-match-action-name <WORD>] precedence <1-15> [track-statistics <individual | aggregate>]

Variable Definitions
<1-55000>: Specifies the QoS policy; range is 1-55000.
enable | disable: Enables or disables the QoS policy.
name <WORD>: Specifies the name for the policy; maximum is 16 alphanumeric characters.
port <portlist>: Specifies the ports to which to directly apply this policy.
if-group <WORD>: Specifies the interface group name to which this policy applies; maximum is 32 US-ASCII characters. The group name must begin with a letter within the range a..z or A..Z.
clfr-type <classifier | block>: Specifies the classifier type; classifier or block.
clfr-id <1-55000>: Specifies the classifier ID; range is 1-55000.
clfr-name <WORD>: Specifies the classifier name or classifier block name; maximum is 16 alphanumeric characters.
in-profile-action <1-55000>: Specifies the action ID for in-profile traffic; range is 1-55000.
in-profile-action-name <WORD>: Specifies the action name for in-profile traffic; maximum is 16 alphanumeric characters.
meter <1-55000>: Specifies the meter ID associated with this policy; range is 1-55000.
meter-name <WORD>: Specifies the meter name associated with this policy; maximum is 16 alphanumeric characters.
non-match-action <1-55000>: Specifies the action ID for non-match traffic; range is 1-55000. This parameter is not applicable to 5600 Series switches.
non-match-action-name <WORD>: Specifies the action name for non-match traffic; maximum is 16 alphanumeric characters.
precedence <1-15>: Specifies the precedence of this policy in relation to other policies associated with the same interface group. Enter the precedence number; range is 1-15. Note: Policies with a lower precedence value are evaluated after policies with a higher precedence value. Evaluation goes from the highest value to the lowest.
track-statistics <individual | aggregate>: Specifies statistics tracking on this policy, either: individual, statistics on individual classifiers; aggregate, aggregate statistics.
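The following added example, which is not Avaya code, models how the Layer 2 elements, classifiers, classifier blocks, actions and policies of this chapter fit together. Only two rules come from the manual: policies are evaluated from the highest precedence value to the lowest, and a drop-action of deferred-pass leaves the decision to other installed policies. The Frame class, the all-of matching of a classifier's elements, the any-of matching of a block's classifiers, the "first marking wins" handling of update-dscp, and the sample policies are assumptions of this model.

```python
from dataclasses import dataclass
from typing import List, Optional, Union


@dataclass
class Frame:
    """Constructed, hypothetical view of a received frame (not an Avaya type)."""
    src_mac: str          # H.H.H format, as used by qos l2-element
    ethertype: int
    vlan: int = 1


def mac_bits(mac: str) -> int:
    """'00de.ad00.1234' -> 0x00dead001234."""
    return int(mac.replace(".", ""), 16)


@dataclass
class L2Element:
    """One qos l2-element entry; a None criterion means 'ignore' (the manual's default)."""
    src_mac: Optional[str] = None
    src_mac_mask: str = "ffff.ffff.ffff"
    ethertype: Optional[int] = None
    vlan_min: Optional[int] = None     # modelled as a lower bound (assumption)

    def matches(self, f: Frame) -> bool:
        if self.src_mac is not None:
            mask = mac_bits(self.src_mac_mask)
            if mac_bits(f.src_mac) & mask != mac_bits(self.src_mac) & mask:
                return False
        if self.ethertype is not None and f.ethertype != self.ethertype:
            return False
        if self.vlan_min is not None and f.vlan < self.vlan_min:
            return False
        return True


@dataclass
class Classifier:
    """qos classifier: elements linked into one set; all must match (assumption)."""
    elements: List[L2Element]

    def matches(self, f: Frame) -> bool:
        return all(e.matches(f) for e in self.elements)


@dataclass
class ClassifierBlock:
    """qos classifier-block: several classifiers; any may match (assumption)."""
    classifiers: List[Classifier]

    def matches(self, f: Frame) -> bool:
        return any(c.matches(f) for c in self.classifiers)


@dataclass
class Action:
    """qos action: drop-action enable | disable | deferred-pass, optional update-dscp."""
    drop_action: str
    update_dscp: Optional[int] = None


@dataclass
class Policy:
    """qos policy: a classifier or block, an in-profile action and a precedence 1-15."""
    name: str
    clfr: Union[Classifier, ClassifierBlock]
    action: Action
    precedence: int
    enabled: bool = True


def evaluate(policies: List[Policy], f: Frame) -> dict:
    """Walk the installed policies from the highest precedence value to the
    lowest; the first matching policy whose drop-action is not deferred-pass
    decides.  If nothing decides, the frame passes unchanged."""
    result = {"decision": "pass", "decided_by": None, "dscp": None}
    for p in sorted(policies, key=lambda x: x.precedence, reverse=True):
        if not p.enabled or not p.clfr.matches(f):
            continue
        if p.action.update_dscp is not None and result["dscp"] is None:
            result["dscp"] = p.action.update_dscp      # first marking wins (assumption)
        if p.action.drop_action == "deferred-pass":
            continue                                   # leave it to a lower-precedence policy
        result["decision"] = "drop" if p.action.drop_action == "enable" else "pass"
        result["decided_by"] = p.name
        return result
    return result


def sample_policies() -> List[Policy]:
    """Constructed policy set: mark VLANs >= 200 as EF but defer the drop decision,
    drop frames from one known-bad OUI, and pass the rest of VLANs >= 100."""
    mark_voice = Policy("mark-voice", Classifier([L2Element(vlan_min=200)]),
                        Action("deferred-pass", update_dscp=46), precedence=10)
    block_oui = Policy("block-oui",
                       Classifier([L2Element(src_mac="00de.ad00.0000",
                                             src_mac_mask="ffff.ff00.0000")]),
                       Action("enable"), precedence=8)
    allow_rest = Policy("allow-rest",
                        ClassifierBlock([Classifier([L2Element(vlan_min=100)])]),
                        Action("disable"), precedence=5)
    return [allow_rest, block_oui, mark_voice]
```

Because evaluation runs from the highest precedence value downward, a policy with drop-action disable placed at a higher precedence than a drop policy shadows the drop for everything it matches, which is the check to make when a deny rule appears not to take effect.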
Use the following command to configure a traffic profile classifier entry. This command is used in Global Configuration mode.
qos traffic-profile set port <port> name <name> [commited-rate <64-10230000>] [drop-nm-action <drop | pass>] [enable]

Variable Definitions
port <port>: Specifies the ports to apply the traffic profile to.
name <name>: Specifies the name of the traffic profile.
commited-rate <64-10230000>: Specifies the committed rate in kilobits per second.
drop-nm-action <drop | pass>: Specifies the action to take when the packet is non-matching. This action is applied to all traffic that was not previously matched by the specified filtering data. Options are drop (packet is dropped) and pass (packet is not dropped).
enable: Enables the traffic profile.

1. Delete a Traffic Profile classifier by using the following command from the Global Configuration mode.
no qos traffic-profile classifier name <classifier-name>
2. Delete a Traffic Profile set by using the following command from the Global Configuration mode.
no qos traffic-profile set {name <name> | port <port>}

1. View classifier entries by using the following commands from the Privileged EXEC Configuration mode.
show qos traffic-profile classifier
OR
show qos traffic-profile classifier name <classifier name>
2. View the parameters for a specific set by using the following command from the Privileged EXEC Configuration mode.
show qos traffic-profile set <set name> port <port>
3. View ports and the filter sets assigned to those ports by using the following command from the Privileged EXEC Configuration mode.
show qos traffic-profile interface
Configure User Based Policies by using the following command from the Global Configuration mode.
qos ubp
Note: To modify an entry in a filter set, you must delete the entry and add a new entry with the desired modifications.

Variable Definitions
classifier name [addr-type {ipv4 | ipv6}] [block] [drop-action] [ds-field] [dst-ip] [dst-mac] [dst-port-min] [ethertype] [eval-order] [flow-id] [next-header] [priority] [protocol] [set-drop-prec] [src-ip] [src-mac] [src-port-min] [update-1p] [update-dscp] [vlan-min] [vlan-tag]: Creates the User Based Policy classifier entry. Optional parameters:
addr-type {ipv4 | ipv6} specifies the type of IP address used by this classifier entry. The type is limited to IPv4 and IPv6 addresses.
block specifies the label to identify access list elements that are of the same block.
drop-action specifies whether or not to drop nonconforming traffic.
ds-field specifies the value for the DiffServ Codepoint (DSCP) in a packet.
dst-ip specifies the IP address to match against the destination IP address of a packet.
dst-mac specifies the MAC address against which the MAC destination address of incoming packets is compared.
dst-port-min specifies the minimum value for the Layer 4 destination port number in a packet. dst-port-max must be terminated prior to configuring this parameter.
ethertype specifies a value indicating the version of Ethernet protocol being used.
eval-order specifies the evaluation order for all elements with the same name.
flow-id specifies the flow identifier for IPv6 packets.
next-header specifies the IPv6 next-header value. Values are in the range 0-255.
priority specifies a value for the 802.1p user priority.
protocol specifies the IPv4 protocol value.
set-drop-prec specifies the drop precedence.
src-ip specifies the IP address to match against the source IP address of a packet.
src-mac specifies the MAC source address of incoming packets.
src-port-min specifies the minimum value for the Layer 4 source port number in a packet. src-port-max must be terminated prior to configuring this parameter.
update-1p specifies an 802.1p value used to update the user priority.
update-dscp specifies a value used to update the DSCP field in an IPv4 packet.
vlan-min specifies the minimum value for the VLAN ID in a packet. vlan-max must be terminated prior to configuring this parameter.
vlan-tag specifies the type of VLAN tagging in a packet.

Creates the User Based Policy set. Optional parameters:
commited-rate specifies the committed rate in Kbps.
drop-nm-action specifies the action to take when the packet is non-matching. This action is applied to all traffic that was not previously matched by the specified filtering data. Options are enable (packet is dropped) and disable (packet is not dropped).
drop-out-action specifies the action to take when a packet is out-of-profile. This action is only applied if metering is being enforced, and if the traffic is deemed out of profile based on the level of traffic and the metering criteria. Options are enable (packet is dropped) and disable (packet is not dropped).
max-burst-rate specifies the maximum number of bytes allowed in a single transmission burst.
max-burst-duration specifies the maximum burst duration in milliseconds.
update-dscp-out-action specifies an updated DSCP value for an IPv4 packet for out-of-profile traffic.
set-priority specifies the priority level of this filter set.

1. Delete an entire filter set by using the following command from the Global Configuration mode.
no qos ubp name <filter name>
Note: You cannot delete a filter set while it is in use.
2. Delete a classifier by using the following command from the Global Configuration mode.
no qos ubp name <filter name> eval-order <value>

1. View User Based Policy filter parameters by using the following command from the Privileged EXEC Configuration mode.
show qos ubp
2. View the parameters for a specific filter set by using the following command from the Privileged EXEC Configuration mode.
show qos ubp name <filter name>
3. View ports and the filter sets assigned to those ports by using the following command from the Privileged EXEC Configuration mode.
show qos ubp interface
4. View classifier entries by using the following command from the Privileged EXEC Configuration mode.
show qos ubp classifier
Reset QoS to factory defaults by using the following command from Global Configuration mode.
qos agent reset-default

Configure QoS NT mode by using the following command from Global Configuration mode.
qos agent nt-mode [pure | mixed | disabled]

Variable Definitions
disabled: NT application traffic processing is disabled on all ports.
mixed: NT application traffic processing is enabled on all ports with egress DSCP mapping.
pure: NT application traffic processing is enabled on all ports without egress DSCP mapping.

Configure the UBP support level by using the following command from Global Configuration mode.
qos agent ubp [disable | epm | high-security-local | low-security-local]

Variable Definitions
disable: The QoS agent rejects information forwarded by other applications.
epm: QoS Agent notifications are generated for EPM based on user information forwarded by other applications.
high-security-local: The user may be rejected if the resources needed to install the UBP filter set are not available.
low-security-local: The user may be accepted even if the UBP filter set could not be applied.

Configure the QoS statistics tracking type by using the following command from Global Configuration mode.
qos agent statistics-tracking [aggregate | disable | individual]

Variable Definitions
aggregate: Allocates a single statistics counter to track data for all classifiers contained in the QoS policy being created.
disable: Disables statistics tracking.
individual: Allocates individual statistics counters to track data for each classifier contained in the QoS policy being created.

Configure NVRAM delay by using the following command from Global Configuration mode.
qos agent nvram-delay <0-604800>
Default is 10 seconds.

Reset NVRAM delay to default by using the following command from Global Configuration mode.
default qos agent nvram-delay

Reset the QoS agent by using the following command from Global Configuration mode.
default qos agent
Enabling DAPP
This procedure describes the steps necessary to enable DAPP.
Enable DAPP by using the following command from Global Configuration mode: [no] qos agent dos-attack-prevention enable Use the no form of this command to disable.
221
Enable DAPP status tracking by using the following command from Global Configuration mode:

  qos agent dos-attack-prevention status-tracking [enable | max-ipv4-icmp | max-ipv6-icmp | min-tcp-header]

Configuring DAPP maximum IPv6 ICMP length

This procedure describes how to set the maximum IPv6 ICMP length used by DAPP.

Set the maximum IPv6 ICMP length by using the following command from Global Configuration mode:

  qos agent dos-attack-prevention max-ipv6-icmp <0-16383>

Set the minimum TCP header size by using the following command from Global Configuration mode:

  qos agent dos-attack-prevention min-tcp-header <0-255>

Set the maximum IPv4 ICMP length by using the following command from Global Configuration mode:

  qos agent dos-attack-prevention max-ipv4-icmp <0-1023>
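A constructed configuration fragment, added here as an example and not taken from the Avaya document, that walks through the DAPP commands above in one pass; the ICMP length limits are illustrative values inside the documented ranges, and lines beginning with ! are annotations rather than commands.

```text
! Global Configuration mode
! Turn on DoS Attack Prevention and track status for every check so the
! switch reports which limit is being hit.
qos agent dos-attack-prevention enable
qos agent dos-attack-prevention status-tracking enable
! A TCP header is never shorter than 20 bytes; anything smaller is malformed.
qos agent dos-attack-prevention min-tcp-header 20
! Cap ICMP lengths so oversized echo traffic is dropped (constructed values;
! tune them to what your monitoring tools legitimately send).
qos agent dos-attack-prevention max-ipv4-icmp 512
qos agent dos-attack-prevention max-ipv6-icmp 1280
! To back out the whole feature later:
! no qos agent dos-attack-prevention enable
```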
Configuring Serviceability
This chapter describes the methods and procedures necessary to configure RMON and IPFIX.
Navigation

  Configuring RMON with the CLI on page 223
  Configuring IPFIX using CLI on page 228
1. Enter Privileged Executive mode.
2. Use the show rmon alarm command to display information about RMON alarms.
1. Enter Privileged Executive mode.
2. Enter the show rmon event command.
1. Enter Privileged Executive mode.
2. Enter the show rmon history [<port>] command.

Variable Definitions

  Variable   Definition
  <port>     The port number for which RMON history settings are displayed.
1. Enter Privileged Executive mode.
2. Enter the show rmon stats command.
1. Enter Global Configuration mode.
2. Enter the rmon alarm <1-65535> <WORD> <1-2147483647> {absolute | delta} rising-threshold <-2147483648-2147483647> [<1-65535>] falling-threshold <-2147483648-2147483647> [<1-65535>] [owner <LINE>] command.

Variable Definitions

  rising-threshold <-2147483648-2147483647> [<1-65535>]
      The first integer value is the rising threshold value. The optional second integer specifies the event entry to be triggered after the rising threshold is crossed. If omitted, or if an invalid event entry is referenced, no event is triggered.
  falling-threshold <-2147483648-2147483647> [<1-65535>]
      The first integer value is the falling threshold value. The optional second integer specifies the event entry to be triggered after the falling threshold is crossed. If omitted, or if an invalid event entry is referenced, no event is triggered.
  [owner <LINE>]
      Specify an owner string to identify the alarm entry.
1. Enter Global Configuration mode.
2. Enter the no rmon alarm [<1-65535>] command.

Variable Definitions

  Variable      Definition
  [<1-65535>]   The number assigned to the alarm. If no number is selected, all RMON alarm table entries are deleted.
1. Enter Global Configuration mode.
2. Enter the rmon event <1-65535> [log] [trap] [description <LINE>] [owner <LINE>] command.

Variable Definitions

  Parameter              Description
  <1-65535>              Unique index for the event entry.
  [log]                  Record events in the log table.
  [trap]                 Generate SNMP trap messages for events.
  [description <LINE>]   Specify a textual description for the event.
  [owner <LINE>]         Specify an owner string to identify the event entry.
1. Enter Global Configuration mode.
2. Enter the no rmon event [<1-65535>] command to delete the entries.

Variable Definitions

  Variable      Definition
  [<1-65535>]   Unique identifier of the event. If not given, all table entries are deleted.
1. Enter Global Configuration mode.
2. Enter the rmon history <1-65535> <LINE> <1-65535> <1-3600> [owner <LINE>] command to configure the RMON history.

Variable Definitions

  Parameter        Description
  <1-65535>        Unique index for the history entry.
  <LINE>           Specify the port number to be monitored.
  <1-65535>        The number of history buckets (records) to keep.
  <1-3600>         The sampling rate (how often a history sample is collected).
  [owner <LINE>]   Specify an owner string to identify the history entry.
1. Enter Global Configuration mode.
2. Enter the no rmon history [<1-65535>] command to delete the entries.

Variable Definitions

  Variable      Definition
  [<1-65535>]   Unique identifier of the event. If not given, all table entries are deleted.
1. Enter Global Configuration mode.
2. Enter the rmon stats <1-65535> <LINE> [owner <LINE>] command to configure RMON statistics.

Variable Definitions

  Parameter        Description
  <1-65535>        Unique index for the stats entry.
  [owner <LINE>]   Specify an owner string to identify the stats entry.
1. Enter Global Configuration mode.
2. Enter the no rmon stats [<1-65535>] command to disable RMON statistics.

Variable Definitions

  Variable    Definition
  <1-65535>   Unique index for the statistics entry. If omitted, all statistics are disabled.
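A constructed fragment, added here as an example and not taken from the Avaya document, that ties the RMON event and alarm procedures above together: the event is created first so the alarm can reference its index. It assumes the <WORD> argument accepts a dotted OID (here ifInErrors for ifIndex 1, from the standard IF-MIB); the port identifier, owner string, interval and thresholds are constructed, and lines beginning with ! are annotations rather than commands.

```text
! Global Configuration mode
! Event 1 is the notification target: write to the log table and send an SNMP trap.
rmon event 1 log trap description "ifInErrors rising on port 1" owner "secops"
! Alarm 1 samples ifInErrors (1.3.6.1.2.1.2.2.1.14.1) every 60 s as a delta and
! fires event 1 when more than 100 new errors arrive in a sample. The falling
! threshold of 10 re-arms the alarm so event 1 is not raised again on every
! sample while the port stays noisy; no event index is given for it, so the
! falling crossing itself is silent.
rmon alarm 1 1.3.6.1.2.1.2.2.1.14.1 60 delta rising-threshold 100 1 falling-threshold 10 owner "secops"
! Keep 50 history buckets for port 1 sampled every 30 s, and enable its counters.
rmon history 1 1 50 30 owner "secops"
rmon stats 1 1 owner "secops"
!
! Privileged Executive mode: confirm what was installed.
show rmon event
show rmon alarm
show rmon history 1
```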
Release 5.0, the only external collector supported is NetQOS. At this time, up to two collectors can be supported. IPFIX data is exported from the switch in NetFlow version 9 format, using UDP port 9995. IPFIX data is not load balanced when two collectors are in use; identical information is sent to both collectors.

Use the following procedure to configure the IPFIX collectors.
1. Enter Global Configuration mode.
2. Use the ip ipfix collector <unit_number> <collector_ip_address> command to configure the IPFIX collector.

Variable Definitions

  Parameter                Description
  <unit_number>            The unit number of the collector. Currently up to two collectors are supported, so the values 1 or 2 are valid.
  <collector_ip_address>   The IP address of the collector.
1. Enter Global Configuration mode.
2. Use the ip ipfix enable command to enable IPFIX on the switch.
1. Enter Global Configuration mode.
2. Use the ip ipfix slot <unit_number> [aging-interval <aging_interval>] [export-interval <export_interval>] [exporter-enable] [template-refresh-interval <template_refresh_interval>] [template-refresh-packets <template_refresh_packets>] command to enable IPFIX on the switch.

Variable Definitions

  Parameter                     Description
  <unit_number>                 The unit number of the collector. Currently up to two collectors are supported, so the values 1 or 2 are valid.
  <aging_interval>              The IPFIX aging interval. This value is in seconds, from 0 to 2147400.
  <export_interval>             The IPFIX export interval. This is the interval at which IPFIX data is exported, in seconds from 10 to 3600.
  <template_refresh_interval>   The IPFIX template refresh interval. This value is in seconds, from 300 to 3600.
  <template_refresh_packets>    The IPFIX template refresh packet setting. This value is a number of packets, from 10000 to 100000.
1. Enter Interface Configuration mode.
2. Use the ip ipfix enable command to enable IPFIX on the interface.
1. Enter Interface Configuration mode.
2. Use the ip ipfix port <port_list> command to enable IPFIX on the interface.

Variable Definitions

  Variable    Definition
  port_list   Single or comma-separated list of ports.
1. Enter Privileged Executive mode.
2. Use the ip ipfix flush port <port_list> [export-and-flush] command to delete the collected IPFIX information for the port or ports.

Variable Definitions

  Variable           Definition
  port_list          Single or comma-separated list of ports.
  export-and-flush   Export data to a collector before it is deleted.
1. Enter Privileged Executive mode.
2. Use the show ip ipfix table <unit_number> sort-by <sort_by> sort-order <sort_order> display <num_entries> command to view the IPFIX data.

Variable Definitions

  Variable        Definition
  <unit_number>   The unit number of the collector. Currently up to two collectors are supported, so the values 1 or 2 are valid.
  <sort_by>       The value on which the data is sorted. Valid options are: byte-count, dest-addr, first-pkt-time, last-pkt-time, pkt-count, port.
  <sort_order>    The order in which the data is sorted. Valid options are ascending and descending.
  <num_entries>   The number of data rows to display. Valid options are: all, top-10, top-25, top-50, top-100, top-200.
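A constructed fragment, added here as an example and not taken from the Avaya document, that runs the IPFIX procedures above end to end for unit 1 with two collectors. The collector addresses, port numbers and interval values are constructed (the intervals sit inside the documented ranges), and lines beginning with ! are annotations rather than commands.

```text
! Global Configuration mode
! Both collectors receive identical NetFlow v9 data on UDP port 9995; there is
! no load balancing, so permit that port from the switch to both hosts.
ip ipfix collector 1 192.0.2.10
ip ipfix collector 2 192.0.2.11
! Unit 1: age idle flows after 120 s, export every 60 s, refresh templates
! every 600 s or every 20000 packets, and start the exporter.
ip ipfix slot 1 aging-interval 120 export-interval 60 exporter-enable template-refresh-interval 600 template-refresh-packets 20000
ip ipfix enable
!
! Interface Configuration mode: collect flows on the uplink ports only.
ip ipfix port 23,24
ip ipfix enable
!
! Privileged Executive mode: review the heaviest talkers, then export and
! discard the table for port 23 once it has been examined.
show ip ipfix table 1 sort-by byte-count sort-order descending display top-25
ip ipfix flush port 23 export-and-flush
```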
Viewing port-statistics
Use this procedure to view the statistics for the port on both received and transmitted traffic.
1. Enter Global Configuration mode.
2. Enter the show port-statistics [port <portlist>] command.

Variable Definitions

  Variable          Definition
  port <portlist>   The ports to display statistics for. When no port list is specified, all ports are shown.
After a while (15 seconds, the STP forward delay default, unless you configured another forward delay interval), if you type show interfaces again, the STP Status should be forwarding.
1. Enter Privileged Executive mode.
2. Enter the show interfaces <portlist> config command.
3. Observe the CLI output.
1. Enter Privileged Executive mode.
2. Enter the show cpu-utilization command.
3. Observe the displayed information.
1. Enter Privileged Executive mode.
2. Enter the show memory-utilization command.
3. Observe the displayed information.
Enter the show logging [config] [critical] [serious] [informational] [sort-reverse] command in Privileged Executive mode.

Variable Definitions

  Variable        Value
  config          Display the configuration of event logging.
  critical        Display critical log messages.
  serious         Display serious log messages.
  informational   Display informational log messages.
  sort-reverse    Display informational log messages in reverse chronological order (beginning with the most recent).
Configuring the system log

Use this procedure to configure the system settings for the system event log.

Enter the logging [enable | disable] [level critical | serious | informational | none] [nv-level critical | serious | none] command in Privileged Executive mode.

Variable Definitions

  Variable                                          Value
  enable | disable                                  Enables or disables the event log (default is Enabled).
  level critical | serious | informational | none   Specifies the level of logging stored in DRAM.
  nv-level critical | serious | none                Specifies the level of logging stored in NVRAM.
Disabling the system log

Use this procedure to disable the system event log.

Enter the no logging command in Global Configuration mode.

Setting the system log to default

Use this procedure to default the system event log configuration.

Enter the default logging command in Global Configuration mode.

Clearing the system log

Use this procedure to clear all log messages in DRAM.
Enter the clear logging system [non-volatile] [nv] [volatile] command in Global Configuration mode.

Variable Definitions

  Variable       Value
  non-volatile   Clears log messages from NVRAM.
  nv             Clears log messages from NVRAM and DRAM.
  volatile
1. Enter Global Configuration mode.
2. Enter the show logging command to display the log.

Enabling remote logging

Use this procedure to enable remote logging. By default, remote logging is disabled.

1. Enter Global Configuration mode.
2. Enter the logging remote enable command to enable the use of a remote syslog server.

Disabling remote logging

Use this procedure to disable remote logging.
1. Enter Global Configuration mode.
2. Enter the no logging remote enable command to disable the use of a remote syslog server.

Setting the remote logging address

Use this procedure to set the address of the remote server for the syslog.
1. Enter Global Configuration mode.
2. Enter the logging remote address <A.B.C.D> command to set the address of the remote syslog server.

Variable Definitions

  Parameters and variables   Description
  <A.B.C.D>                  Specifies the IP address of the remote server in dotted-decimal notation. The default address is 0.0.0.0.
Clearing the remote server IP address

Use this procedure to clear the IP address of the remote server.

1. Enter Global Configuration mode.
2. Enter the no logging remote address command to clear the IP address of the remote syslog server.

Setting the log severity

Use this command to set the severity level of the logs sent to the remote server.

1. Enter Global Configuration mode.
2. Enter the logging remote level {critical | informational | serious | none} command to set the severity level of the logs that will be sent to the server.
Variable Definitions

  Parameters and variables                      Description
  {critical | serious | informational | none}   Specifies the severity level of the log messages to be sent to the remote server: critical, informational, serious or none.
Resetting the severity level

Use this command to remove the severity level setting.

1. Enter Global Configuration mode.
2. Enter the no logging remote level command to remove the severity level of the logs that will be sent to the server. The level is set to none.

Setting the default remote logging level

Use this procedure to set the remote logging level to the default.

1. Enter Global Configuration mode.
2. Enter the default logging remote level command to set the severity level of the logs sent to the remote server back to the default. The default level is none.
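A constructed fragment, added here as an example and not taken from the Avaya document, that combines the local and remote logging procedures above so that events survive a reboot and also reach a syslog server. The server address is constructed, and lines beginning with ! are annotations rather than commands.

```text
! Privileged Executive mode: keep the local log on, informational-level in
! DRAM, and serious-level in NVRAM so it is still there after a reboot.
logging enable level informational nv-level serious
!
! Global Configuration mode. Remote logging is disabled by default and the
! remote level defaults to none, so setting the address alone sends nothing:
! the level and the enable are both required.
logging remote address 192.0.2.20
logging remote level serious
logging remote enable
!
! Verify the settings, then read the serious entries newest first.
show logging config
show logging serious sort-reverse
!
! If the server is decommissioned, stop forwarding before clearing its
! address, so the switch never sends to the 0.0.0.0 default.
! no logging remote enable
! no logging remote address
```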
1. Enter Privileged Executive mode.
2. Enter the show port-mirroring command to display the port-mirroring configuration.

Configure port-mirroring

Use this procedure to set the port-mirroring configuration.
1. Enter Global Configuration mode.
2. Enter the port-mirroring mode {<mode and its parameters>} command to configure port-mirroring. The available modes are:

  disable
  Xrx monitor-port <portlist> mirror-ports <portlist>
  Xtx monitor-port <portlist> mirror-ports <portlist>
  ManytoOneRx monitor-port <portlist> mirror-ports <portlist>
  ManytoOneTx monitor-port <portlist> mirror-port-X <portlist>
  ManytoOneRxTx monitor-port <portlist> mirror-port-X <portlist>
  XrxOrXtx monitor-port <portlist> mirror-port-X <portlist>
  XrxOrYtx monitor-port <portlist> mirror-port-X <portlist> mirror-port-Y <portlist>
  XrxYtx monitor-port <portlist> mirror-port-X <portlist> mirror-port-Y <portlist>
  XrxYtxOrYrxXtx monitor-port <portlist> mirror-port-X <portlist> mirror-port-Y <portlist>
  Asrc monitor-port <portlist> mirror-MAC-A <macaddr>
  Adst monitor-port <portlist> mirror-MAC-A <macaddr>
  AsrcOrAdst monitor-port <portlist> mirror-MAC-A <macaddr>
  AsrcBdst monitor-port <portlist> mirror-MAC-A <macaddr> mirror-MAC-B <macaddr>
  AsrcBdstOrBsrcAdst monitor-port <portlist> mirror-MAC-A <macaddr> mirror-MAC-B <macaddr>

Variable Definitions

  Parameter            Description
  disable              Disables port-mirroring.
  monitor-port         Specifies the monitor port.
  mirror-port-X        Specifies the mirroring port X.
  mirror-port-Y        Specifies the mirroring port Y.
  mirror-MAC-A         Specifies the mirroring MAC address A.
  mirror-MAC-B         Specifies the mirroring MAC address B.
  portlist             Enter the port numbers.
  macaddr              Enter the MAC address in format H.H.H.
  ManytoOneRx          Many to one port mirroring on ingress packets.
  ManytoOneTx          Many to one port mirroring on egress packets.
  ManytoOneRxTx        Many to one port mirroring on ingress and egress traffic.
  Xrx                  Mirror packets received on port X.
  Xtx                  Mirror packets transmitted on port X.
  XrxOrXtx             Mirror packets received or transmitted on port X.
  XrxYtx               Mirror packets received on port X and transmitted on port Y. This mode is not recommended for mirroring broadcast and multicast traffic.
  XrxYtxOrYrxXtx       Mirror packets received on port X and transmitted on port Y, or packets received on port Y and transmitted on port X.
  XrxOrYtx             Mirror packets received on port X or transmitted on port Y.
  Asrc                 Mirror packets with source MAC address A.
  Adst                 Mirror packets with destination MAC address A.
  AsrcOrAdst           Mirror packets with source or destination MAC address A.
  AsrcBdst             Mirror packets with source MAC address A and destination MAC address B.
  AsrcBdstOrBsrcAdst   Mirror packets with source MAC address A and destination MAC address B, or packets with source MAC address B and destination MAC address A.
1. Enter Global Configuration mode.
2. Enter the no port-mirroring command to disable port-mirroring.

Displaying Many-to-Many port-mirroring

Use this procedure to display Many-to-Many port-mirroring settings.
1. Enter Privileged Executive mode.
2. Enter the show port-mirroring command.
3. Observe the displayed information.

Configuring Many-to-Many port-mirroring

Use this procedure to configure Many-to-Many port-mirroring.
1. Enter Global Configuration mode.
2. Enter the port-mirroring <1-4> mode {disable | Adst | Asrc | AsrcBdst | AsrcBdstOrBsrcAdst | AsrcOrAdst | ManyToOneRx | ManyToOneRxTx | ManyToOneTx | Xrx | XrxOrXtx | XrxOrYtx | XrxYtx | XrxYtxOrYrxXtx | Xtx} command.
3. Enter the command from step 2 for up to four instances.

Variable Definitions

  Variable             Value
  disable              Disable mirroring.
  Adst                 Mirror packets with destination MAC address A.
  Asrc                 Mirror packets with source MAC address A.
  AsrcBdst             Mirror packets with source MAC address A and destination MAC address B.
  AsrcBdstOrBsrcAdst   Mirror packets with source MAC address A and destination MAC address B, or packets with source MAC address B and destination MAC address A.
  AsrcOrAdst           Mirror packets with source or destination MAC address A.
  ManyToOneRx          Many to one port mirroring on ingress packets.
  ManyToOneRxTx        Many to one port mirroring on ingress and egress packets.
  ManyToOneTx          Many to one port mirroring on egress packets.
  Xrx                  Mirror packets received on port X.
  XrxOrXtx             Mirror packets received or transmitted on port X.
  XrxOrYtx             Mirror packets received on port X or transmitted on port Y.
  XrxYtx               Mirror packets received on port X and transmitted on port Y.
  XrxYtxOrYrxXtx       Mirror packets received on port X and transmitted on port Y, or packets received on port Y and transmitted on port X.
  Xtx                  Mirror packets transmitted on port X.
1. Enter Global Configuration mode.
2. Enter the port-mirroring [<1-4>] mode disable or no port-mirroring [<1-4>] command to disable a specific instance.
3. Enter the no port-mirroring command to disable all instances.

Variable Definitions

  Variable   Definition
  <1-4>      The port-mirroring instance.
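A constructed fragment, added here as an example and not taken from the Avaya document, that uses the Many-to-Many procedure above to feed a passive IDS sensor while a second instance isolates one host for investigation. It assumes the instance form takes the same monitor-port, mirror-ports and mirror-MAC-A arguments documented for the single-instance command; the port numbers and MAC address are constructed, and lines beginning with ! are annotations rather than commands.

```text
! Global Configuration mode
! Instance 1: copy everything received on the access ports 1-4 to port 24,
! where the sensor listens. ManyToOneRx keeps the sensor's own port out of
! the copy and does not double-count traffic between the mirrored ports.
port-mirroring 1 mode ManyToOneRx monitor-port 24 mirror-ports 1,2,3,4
! Instance 2: a second sensor port sees only frames from one suspect source
! MAC (H.H.H format) so the capture stays small during an investigation.
port-mirroring 2 mode Asrc monitor-port 23 mirror-MAC-A 0011.2233.4455
!
! Privileged Executive mode: confirm both instances before trusting the feed.
show port-mirroring
!
! Global Configuration mode: when the investigation ends, remove only
! instance 2 so the permanent sensor feed in instance 1 stays in place.
port-mirroring 2 mode disable
```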