Config Cli

Avaya WLAN 8100 Configuration - WC 8180 (CLI)
1.0.0.0 NN47251-500, 01.01 August 20, 2010
2010 Avaya Inc.
All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes. Documentation disclaimer Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of this documentation unless such modifications, additions, or deletions were performed by Avaya. End User agree to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User. Link disclaimer Avaya is not responsible for the contents or reliability of any linked Web sites referenced within this site or documentation(s) provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages. Warranty Avaya provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avayas standard warranty language, as well as information regarding support for this product, while under warranty, is available to Avaya customers and other parties through the Avaya Support Web site: http://www.avaya.com/support. Please note that if you acquired the product from an authorized Avaya reseller outside of the United States and Canada, the warranty is provided to you by said Avaya reseller and not by Avaya. Licenses THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/ ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA AUTHORIZED RESELLER, AND AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY AS YOU AND END USER), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE (AVAYA). Copyright Except where expressly stated otherwise, no use should be made of materials on this site, the Documentation(s) and Product(s) provided by Avaya. All content on this site, the documentation(s) and the product(s) provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is
protected by copyright and other intellectual property laws including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software. Unauthorized reproduction, transmission, dissemination, storage, and or use without the express written consent of Avaya can be a criminal, as well as a civil, offense under the applicable law. Third-party components Certain software programs or portions thereof included in the Product may contain software distributed under third party agreements (Third Party Components), which may contain terms that expand or limit rights to use certain portions of the Product (Third Party Terms). Information regarding distributed Linux OS source code (for those Products that have distributed the Linux OS source code), and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply to them is available on the Avaya Support Web site: http://www.avaya.com/support/Copyright/. Trademarks The trademarks, logos and service marks (Marks) displayed in this site, the documentation(s) and product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its affiliates, or other third parties. Users are not permitted to use such Marks without prior written consent from Avaya or such third party which may own the Mark. Nothing contained in this site, the documentation(s) and product(s) should be construed as granting, by implication, estoppel, or otherwise, any license or right in and to the Marks without the express written permission of Avaya or the applicable third party. Avaya is a registered trademark of Avaya Inc. All other trademarks are the property of their respective owners. Downloading documents For the most current versions of documentation, see the Avaya Support Web site: http://www.avaya.com/support Contact Avaya Support Avaya provides a telephone number for you to use to report problems or to ask questions about your product. The support telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see the Avaya Web site: http://www.avaya.com/ support
August 20, 2010
Contents Chapter 1: Command Line Interface workflows.....................................................................7

Basic controller configuration............................................................................................................................7 Enabling traps and logs.....................................................................................................................................8 Displaying system logs......................................................................................................................................9 Troubleshooting client-related issues................................................................................................................9 Troubleshooting AP-related issues.................................................................................................................10 Troubleshooting Layer 2 and 3 issues............................................................................................................10
Chapter 2: Command Line Interface Configuration.............................................................13

Configuring WLAN options..............................................................................................................................13 Managing wireless communications.......................................................................................................13 Configuring wireless communications....................................................................................................16 Configuring system options.............................................................................................................................26 General switch administration................................................................................................................26 Using Simple Network Time Protocol.....................................................................................................38 Real time clock configuration..................................................................................................................41 Custom Autonegotiation Advertisements...............................................................................................43 Connecting to another switch.................................................................................................................44 Domain Name Server (DNS) Configuration............................................................................................45 Changing switch software.......................................................................................................................48 Configuration files in CLI........................................................................................................................49 Terminal setup........................................................................................................................................52 Setting the default management interface..............................................................................................53 Setting Telnet access..............................................................................................................................53 Setting boot parameters.........................................................................................................................55 Defaulting to BootP-when-needed..........................................................................................................56 shutdown command...............................................................................................................................57 reload command.....................................................................................................................................58 CLI Help..................................................................................................................................................59 Clearing the default TFTP server with CLI.............................................................................................59 Configuring a default TFTP server with CLI...........................................................................................59 Configuring default clock source............................................................................................................59 Configuring daylight savings time with CLI.............................................................................................60 Configuring Dual Agent..........................................................................................................................61 Configuring local time zone with CLI......................................................................................................62 Customizing CLI banner with CLI...........................................................................................................63 Displaying the default TFTP server with CLI..........................................................................................64 Displaying complete GBIC information...................................................................................................65 Displaying hardware information............................................................................................................65 Enabling Autosave..................................................................................................................................65 Setting the server for Web-based management with CLI.......................................................................66 Setting the read-only and read-write passwords....................................................................................66 Enabling and disabling passwords.........................................................................................................67 Configuring RADIUS authentication.......................................................................................................68 Configuring system security............................................................................................................................70 Configuring MAC address-based security using CLI..............................................................................70 Configuring RADIUS authentication using CLI.......................................................................................78 SNMP configuration using CLI...............................................................................................................80
August 20, 2010
Configuring TACACS+ using CLI..........................................................................................................100 Configuring IP Manager using CLI.......................................................................................................103 Configuring password security using CLI.............................................................................................105 Displaying CLI Audit log using CLI.......................................................................................................106 Configuring Secure Socket Layer services using CLI..........................................................................107 Configuring Secure Shell protocol using CLI........................................................................................108 Configuring VLANs and Link Aggregation.....................................................................................................114 Configuring VLANs using CLI...............................................................................................................114 Configuring STP using CLI...................................................................................................................125 Configuring MLT using CLI...................................................................................................................135 Configuring LACP and VLACP using CLI.............................................................................................137 Configuring IP routing...................................................................................................................................146 IP routing configuration using CLI........................................................................................................146 Static route configuration using CLI......................................................................................................152 DHCP relay configuration using CLI.....................................................................................................155 Directed broadcasts configuration using CLI........................................................................................161 Static ARP and Proxy ARP configuration using CLI.............................................................................162 IGMP snooping configuration using CLI...............................................................................................165 Configuring Access Lists...............................................................................................................................180 Assigning ports to an access list..........................................................................................................180 Removing an access list assignment...................................................................................................181 Creating an IP access list.....................................................................................................................181 Removing an IP access list..................................................................................................................182 Creating a Layer 2 access list..............................................................................................................183 Removing a Layer 2 access list............................................................................................................184 Configuring Elements, Classifiers, and Classifier Blocks..............................................................................184 Configuring IP classifier element entries..............................................................................................185 Viewing IP classifier entries..................................................................................................................186 Removing IP classifier entries..............................................................................................................186 Adding Layer 2 elements......................................................................................................................186 Viewing Layer 2 elements....................................................................................................................188 Removing Layer 2 elements.................................................................................................................188 Linking IP and L2 classifier elements...................................................................................................188 Removing classifier entries...................................................................................................................189 Combining individual classifiers............................................................................................................189 Removing classifier block entries.........................................................................................................190 Configuring wired Quality of Service.............................................................................................................190 Displaying QoS Parameters.................................................................................................................191 Displaying QoS capability policy configuration.....................................................................................195 QoS Agent configuration......................................................................................................................196 Configuring Default Buffering Capabilities............................................................................................198 Configuring the CoS-to-Queue Assignments.......................................................................................199 Configuring QoS Interface Groups.......................................................................................................200 Configuring DSCP and 802.1p and Queue Associations.....................................................................201 Configuring QoS system-element.........................................................................................................203 Configuring QoS Actions......................................................................................................................205 Configuring QoS Interface Action Extensions......................................................................................207 Configuring QoS Meters.......................................................................................................................208 Configuring QoS Interface Shaper.......................................................................................................210 Configuring QoS Policies......................................................................................................................211 QoS Generic Filter set configuration....................................................................................................213
August 20, 2010
Configuring User Based Policies..........................................................................................................215 Maintaining the QoS Agent...................................................................................................................218 Configuring DoS Attack Prevention Package.......................................................................................221 Configuring Serviceability..............................................................................................................................222 Configuring RMON with the CLI...........................................................................................................223 Configuring IPFIX using CLI.................................................................................................................228 Configuring diagnostics and graphing...........................................................................................................232 System diagnostics and statistics using CLI.........................................................................................232 Network monitoring configuration using CLI.........................................................................................234
August 20, 2010
August 20, 2010
Chapter 1: Command Line Interface workflows

The following section provides workflows for commonly used Command Line Interface procedures. This section contains the following topics: Basic controller configuration on page 7 Enabling traps and logs on page 8 Displaying system logs on page 9 Troubleshooting client-related issues on page 9 Troubleshooting AP-related issues on page 10 Troubleshooting Layer 2 and 3 issues on page 10
Basic controller configuration

Perform the following procedure to place a basic configuration on a WC 8180 device:
1. Log into the controller. If this is the first time accessing the device, connect a console cable and start a terminal session using the guidelines provided in the documentation. 2. Press CTRL + Y on the keyboard to enter the CLI. 3. Enter Privileged mode using the enable command. 4. Enter General Configuration mode using the configure terminal command. 5. Specify the system IP address, subnet mask, and default gateway using the ip address command. This command has the following syntax: ip address <ip_address> netmask <subnet_mask> defaultgateway <default_gateway> 6. Enable SNMP services using the command snmp-server enable. 7. Disable SNMP user lists using the command no ipmgr snmp. 8. Enable IP routing capabilities using the ip routing command. 9. Enter Wireless Configuration mode using the wireless command.
August 20, 2010
Command Line Interface workflows
10. Specify the wireless IP address using the command interface-ip <ip_address> command. 11. Enable wireless capabilities using the enable command. 12. Enable MDC capability using the controller mdc-capable. 13. Enter the domain password at the prompt.
Enabling traps and logs

Perform the following procedure to enable SNMP trap and logging functionality.
1. Log into the controller. 2. Press CTRL + Y on the keyboard to enter the console menu. 3. Select Command Line Interface from the menu. 4. Type the enable command to enter Privileged mode. 5. Type the configure terminal command to enter Configuration mode. 6. Set the logging level using the command logging level {critical | informational | serious | none}. 7. Enable logging using the command logging enable. 8. Set the remote logging level using the command logging remote level {critical | informational | serious | none}. 9. Set the IP address of the remote log server using the command logging remote address <ip_address>. 10. Enable remote logging using the command logging remote enable. 11. Enable individual SNMP traps using the command snmp-server notification-control <snmp_trap>. For a list of available SNMP traps use the command show snmp-server notification-control. Repeat this step for all traps that must be enabled. 12. Set the IP address of the SNMP server using the command snmp-server host <ip_address>.
August 20, 2010
Displaying system logs
Displaying system logs

Perform the following procedure to display system logs.
1. Log into the controller. 2. Press CTRL + Y on the keyboard to enter the console menu. 3. Select Command Line Interface from the menu. 4. Type the enable command to enter Privileged mode. 5. Use the command show logging system to display logs concerning Layer 2 and Layer 3 operations. 6. Use the command show logging wireless-controller volatile to display logs concerning controller operation.
Troubleshooting client-related issues

Perform the following procedure to troubleshoot client-related issues.
1. Log into the controller. 2. Press CTRL + Y on the keyboard to enter the console menu. 3. Select Command Line Interface from the menu. 4. Type the enable command to enter Privileged mode. 5. Use the command show wireless ap status to view the overall status of all registered access points. 6. Use the command show wireless ap status <ap_mac_address> detail to view detailed information about individual access points. 7. Use the command show wireless ap-profile network to view information about the correlation between network and AP profiles. 8. Use the command show wireless network-profile <profile_number> detail to view detailed information about a network profile. 9. Use the command show wireless switch vlan-map to view information about the correlation between wired and wireless VLANs.
August 20, 2010
10. Use the command show wireless security {mac-db | radius | userdb | wids-wips} to display information about wireless security settings. 11. Use the command show wireless client status to display information about the current status of wireless clients.
Troubleshooting AP-related issues

Perform the following procedure to troubleshoot AP-related issues.
1. Log into the controller. 2. Press CTRL + Y on the keyboard to enter the console menu. 3. Select Command Line Interface from the menu. 4. Type the enable command to enter Privileged mode. 5. Use the command show wireless to view the overall status of the wireless system. 6. Use the command show wireless domain ap database to view information about the access points configured for the wireless domain. 7. Use the command show wireless domain ap discovered to view any access points that have been discovered. Access points listed here need to be added to main access point database to be used by the domain. 8. Use the command show wireless ap status to display all of the access points that are part of the wireless domain and under which controller it falls. 9. Use the command show wireless ap status detail command to display detailed information about each AP that is part of the wireless domain. 10. Use the command show wireless controller status to determine the current status of the wireless controller. This command should indicate the controller is either the Active or Backup MDC.
Troubleshooting Layer 2 and 3 issues

Perform the following procedure to troubleshoot Layer 2 and 3 issues.
10
August 20, 2010
Troubleshooting Layer 2 and 3 issues
1. Log into the controller. 2. Press CTRL + Y on the keyboard to enter the console menu. 3. Select IP Configuration/Setup from the console menu to check the controller IP configuration. 4. Press CTRL + R to return to the console menu. 5. Select SNMP Configuration from the console menu to check the controller SNMP configuration. 6. Press CTRL + R to return to the console menu. 7. Select Switch Configuration from the console menu. 8. Use the options in this menu to track the various aspects of switch configuration. 9. Press CTRL + R to return to the console menu. 10. Select Spanning Tree Configuration from the console menu. 11. Use the options in this menu to track the various aspects of the spanning tree configuration. 12. Press CTRL + R to return to the console menu. 13. Select Command Line Interface from the menu. 14. Type the enable command to enter Privileged mode. 15. Use the command show ip to view the IP address configuration. 16. Use the command ping <ip_address> to ping another device on the network. 17. Use the command show wireless to view the overall status of the wireless system.
August 20, 2010
11
12
August 20, 2010
Chapter 2: Command Line Interface Configuration

The following sections provide information and procedures for the configuration of the WLAN Controller 8180 (WC 8180).
Configuring WLAN options

This section describes the procedures for the management and configuration of WLAN Controller 8180 (WC 8180) wireless options. Navigation Managing wireless communications on page 13 Configuring wireless communications on page 16
Managing wireless communications

The procedures in this section are used for the management of the various aspects of wireless communications. Navigation Managing AP operations on page 13 Managing automatic radio frequency operations on page 14 Managing portals on page 14 Managing clients on page 15 Managing wireless controller actions on page 15 Managing wireless domains on page 16
Managing AP operations
Use the following procedure to manage access point operations
August 20, 2010
13
Command Line Interface Configuration
1. Enter Privileged mode of the CLI. 2. Use the command wireless ap channel <ap_mac_address> <radio_interface> <channel_number> to manage access point channel options. 3. Use the command wireless ap image-update <ap_mac_address> to update the access point's software image. 4. Use the command wireless ap power <ap_mac_address> <radio_interface> <power_percentage> to adjust the access point radio transmit power. 5. Use the command wireless ap reset to reset a managed access point. 6. Use the command wireless radio-profile clone <source_profile_id> <target_profile_id> to clone an existing radio profile to the targeted radio profile. 7. Use the command wireless ap tech-dump <ap_mac_address> <tftp_ip_address> filename <file_name> to save the current AP configuration information to the specified TFTP server.
Managing automatic radio frequency operations

This following procedure is used to manage automatic radio frequency functionality.
1. Enter Privileged mode of the CLI. 2. Use the command wireless auto-rf channel-plan {a-n | b/g-n} start to run the channel adjustment algorithm. 3. Use the command wireless auto-rf channel-plan {a-n | b/g-n} apply to apply the proposed channel adjustment plan. 4. Use the command wireless auto-rf power-plan start to run the power planning algorithm. 5. Use the command wireless auto-rf power-plan apply to apply the proposed power plan.
Managing portals
The following procedure is used to manage captive portals.
14
August 20, 2010
1. Enter Privileged mode of the CLI. 2. Use the command wireless captive-portal certificate-generate to generate HTTPS certificates. 3. Use the command wireless captive-portal client-deauthenticate <client_mac_address> to revoke authentication from a client.
Managing clients
This procedure is used to manage clients.
1. Enter Privileged mode of the CLI. 2. Use the command wireless client disassociate <client_mac_address> to remove a client from an access point.
Managing wireless controller actions

The following procedure is used to manage wireless controller actions.
1. Enter Privileged mode of the CLI. 2. Use the command wireless controller ap image-update start to update the software image of all controlled access points. This action can be stopped at any time with the wireless controller ap image-update stop command. 3. Use the command wireless controller ap reset to reset all controlled access points. 4. Use the command wireless controller config-sync to synchronize configurations with other controllers in the domain. 5. Use the command wireless controller join-domain domain-name <domain_name> mdc-address <ip_address> to join a domain. 6. Use the command wireless controller leave-domain to remove a controller from its current domain. 7. Use the command wireless peer-controller ap image-update <ip_address> start to update the images of all controlled access points on a
August 20, 2010
15
peer controller. This action can be stopped at any time using the command wireless peer-controller ap image-update <ip_address> stop.
Managing wireless domains

This procedure is used to manage wireless domains.
1. Enter Privileged mode of the CLI. 2. Use the command wireless domain ap image-update start to update the software image of all access points in a domain. This action can be stopped at any time using the command wireless domain ap image-update stop. 3. Use the command wireless domain ap rebalance start to rebalance the access point distribution among all of the domain controllers. This action can be stopped at any time using the command wireless domain ap rebalance stop. 4. Use the command wireless domain ap redistribute start to rebalance the access point distribution to their preferred domain controllers. This action can be stopped at any time using the command wireless domain ap redistribute stop. 5. Use the command wireless domain ap reset to reset all domain access points. 6. Use the command wireless domain discovered-ap <ap_mac_address> {approve | discard} to take action on a discovered access point. 7. Use the command wireless domain purge-controller <controller_ip_address> to purge a controller from a domain. 8. Use the command wireless domain purge-stale-controllers to purge all stale controllers from the domain.
Configuring wireless communications

The procedures in this section are used for the configuraton of the various aspects of wireless communications. Navigation Configuring general controller options on page 17 Configuring wireless profiles on page 18
16
August 20, 2010
Configuring automatic radio frequency options on page 22 Configuring portals on page 22 Configuring domain options on page 23 Configuring wireless security on page 24
Configuring general controller options

The following procedure is used to configure general wireless controller options.
1. Enter Wireless Configuration mode of the CLI. 2. Use the command controller mdc-capable to mark a controller as available to be a Mobility Domain Controller. 3. Use the command interface-ip <ip_address> to set the wireless system interface IP address. 4. Use the command tcp-udp-base-port <49152 - 64983> to set the wireless system base port. 5. Use the command diffserv classifierblock <block_name> to configure a classifier block for the controller. This command has the options listed in the following table.
Command Option Description Match all packets. Match CoS. Match IP DSCP. Match destination IP address. Match destination MAC address. Match destination Layer 4 port. Match Ethernet Type. Match IP precedence. Match IP protocol. Match source IP address. Match source MAC address.
diffserv classifierblock <block_name>
match all match cos match ds-field match dst-ip match dst-mac match dstport match ethertype match precedence match protocol match src-ip match src-mac
August 20, 2010
17
Command
Option
Description Match source Layer 4 port Match ToS. End Classifier Block. Exit Classifier Block.
match srcport match tos end exit
6. Use the command diffserv policy <policy_name> to configure a policy for the controller. This command has the options listed in the following table.
Command Option Description Allow packets. Drop packets. Remark CoS. Remark DSCP. Remark precedence.
diffserv policy <policy_name>
allow drop remark-cos remark-dscp remarkprecedence
7. Use the command switch vlan-map <mobility_vlan_name> l3mobility server to set the mobility role to server. 8. Use the command switch vlan-map <mobility_vlan_name> l3mobility none to set the mobility role to none. 9. Use the command switch vlan-map <mobility_vlan_name> lvid <1 4094> to set the local VLAN ID. 10. Use the command switch vlan-map <mobility_vlan_name> track <port_list> to track a set of ports. 11. Use the command switch vlan-map <mobility_vlan_name> weight <1 - 7> to set the VLAN server preference. 12. Use the command enable to enable wireless operations on the device.
Configuring wireless profiles

The following procedure is used to configure wireless profiles.
18
August 20, 2010
1. Enter Wireless Configuration mode of the CLI. 2. Use the command ap-profile <1 - 32> to create an access point profile. 3. Use the command network-profile <1 - 64> to create a network profile. This command has the options listed in the following table.
Command Option Description Enable wireless ARP suppression. Configure captive portal mapping. Configure client QoS settings. WMM values for CoS settings. Set default network profile settings. Configure 802.1x parameters. End configuration. Exit configuration. Enable SSID hiding in network beacons. Enable client authentication through client MAC addresses. Configure the default mobility VLAN. Enable response to broadcast probe request. Configure the network profile name. Configure RADIUS related parameters. Configure the security mode. Configure the network SSID.
network profile <1 64>
arp-suppression captive-portal client-qos cos2wmm default dot1x end exit hide-ssid mac-validation
mobility-vlan probe-response profile-name radius security-mode ssid
August 20, 2010
19
Command
Option
Description Configure the local user group. Configure user validation method if captive portal is enabled. Configure WEP-related parameters. CoS mapping for WMM. Configure WPA2 settings.
user-group user-validation
wep wmm2cos wpa2
4. Use the command radio-profile <1 - 64> to create a radio profile. This command has the options listed in the following table.
Command Options Description Enable auto powersave delivery mode. Set the beacon interval. Configure radio channel settings. Configure basic/ supported data rates. Set default profile parameters. Configure the physical mode of the radio. Set the 802.11n configuration. Configure the 802.11n protection mode. Configure the Delivery Traffic Indication Map. End configuration. Exit configuration. Configure packet fragmentation threshold.
radio-profile <1 64>
apsd beacon-interval channel data-rates default dot11mode dot11n dot11nprotection-mode dtim-period end exit fragmentationthreshold
20
August 20, 2010
Command
Options
Description Enable No-Ack for incorrectly received frames on radio. Configure load balancing parameters. Configure the maximum number of simultaneous clients. Configure the multicast transfer rate. Disable the radio profile. Configure the radio power settings. Set the radio profile name. Configure radio QoS queues. Configure the broadcast and multicast rates. Configure the RF scan mode parameters. Enable Radio Resource Measurement. Configure the threshold below which MPDU RTS/ CTS is not performed. Enable station isolation. Configure TSPEC settings. Enable WMM mode.
incorrect-frameno-ack load-balance max-clients
multicast-txrate no power profile-name qos rate-limit rf-scan rrm rts-threshold
stationisolation tspec wmm-mode
5. Use the command captive-portal profile <1 - 10> to create a captive portal profile.
August 20, 2010
21
Configuring automatic radio frequency options

This procedure is used to configure automatic radio frequency options
1. Enter Wireless Configuration mode of the CLI. 2. Use the command auto-rf channel-plan {a-n | bg-n} historydepth <0 - 10> to set the number of saved historical channel plans. 3. Use the command auto-rf channel-plan {a-n | bg-n} interval <6 24> to set the channel adjustment interval in hours. 4. Use the command auto-rf channel-plan {a-n | bg-n} mode {interval | manual | time} to set the channel adjustment mode. 5. Use the command auto-rf channel-plan {a-n | bg-n} time <hh:mm> to set the time of day to perform channel adjustment. 6. Use the command auto-rf power-plan interval <15 - 1440> to set the power adjustment interval in minutes. 7. Use the command auto-rf power-plan {interval | manual} to set the power adjustment mode.
Configuring portals
The following procedure is used to configure portal options.
1. Enter Wireless Configuration mode of the CLI. 2. Use the command captive-portal auth-timeout <60 - 600> to set the authentication timeout value in seconds. 3. Use the command captive-portal http-port <0 - 65535> to configure the portal HTTP port. 4. Use the command captive-portal https-portal <0 - 65535> to configure the portal HTTPS port. 5. Use the command captive-portal stats-report-interval <15 3600> to configure the statistics reporting interval in seconds. 6. Use the command captive portal profile <profile_number> block to block profile traffic.
22
August 20, 2010
7. Use the command captive portal profile <profile_number> idletimeout to set the session idle timeout value. 8. Use the command captive portal profile <profile_number> locale to set the portal locale settings. 9. Use the command captive portal profile <profile_number> maxbandwidth to configure the maximum transmit and receive bandwidth limits. 10. Use the command captive portal profile <profile_number> maxoctets to configure the maximum session octets. 11. Use the command captive portal profile <profile_number> profile-name to set the profile name. 12. Use the command captive portal profile <profile_number> protocol-mode to the protocol mode. 13. Use the command captive portal profile <profile_number> session-timeout to set the session timeout value. 14. Use the command captive portal profile <profile_number> userlogout to enable user logout. 15. Use the command captive-portal enable to enable the captive portal. 16.
Configuring domain options

The following procedure is used to configure domain options.
1. Enter Wireless Configuration mode of the CLI. 2. Use the command domain ap-client-qos to enable access point QoS operations for clients. 3. Use the command domain auto-promote-discovered-ap to enable auto promotion of discovered access points. 4. Use the command domain client-roam-agetime <1 - 120> to configure the client roaming timeout value in seconds. 5. Use the command domain country-code <country_code> to configure a code for domain operation. 6. Use the command domain tspec-violation-report-interval <0 900> to configure the reporting interval in seconds.
August 20, 2010
23
7. Use the command domain ap image-update download-group-size <1 100> to configure the percentage of access points forming a group. 8. Use the command domain ap lb-metric {least-load | local-CBF | local-CBFS | roundrobin} to set the domain load balancing metric. 9. Use the command domain ap reset-group-size <1 - 100> to configure the percentage of access points in the domain that will be reset. 10. Use the command domain ap <ap_mac> alternate-controller to configure an alternate wireless controller. 11. Use the command domain ap <ap_mac> label to configure the AP label. 12. Use the command domain ap <ap_mac> location to configure the AP location. 13. Use the command domain ap <ap_mac> model to configure the AP model. 14. Use the command domain ap <ap_mac> preferred-controller to configure the preferred AP controller. 15. Use the command domain ap <ap_mac> profile-id to assign the appropriate AP profile ID. 16. Use the command domain ap <ap_mac> radio to configure the AP radio. 17. Use the command domain ap <ap_mac> serial to configure the AP serial number. 18. Use the command domain mobility-vlan <vlan_name> to create a new mobility VLAN. 19. Use the command domain e911 address <ip_address> enable to enable the E911 server.
Configuring wireless security

The following procedure is used to configure wireless security options.
1. Enter Wireless Configuration mode of the CLI. 2. Use the command security to enter Security Configuration mode. 3. Use the command mac-db blacklist <mac_address> to add a device to the MAC address black list. 4. Use the command mac-db whitelist <mac_address> to add a device to the MAC address white list.
24
August 20, 2010
5. Use the command user-db group <group_name> to create a new user database group. 6. Use the following commands to create a new user database entry: user-db user-name <member_name> start-date <yyyy-mm-dd> user-db user-name <member_name> end-date <yyyy-mm-dd> user-db user-name <member_name> idle-timeout <0 - 900> user-db user-name <member_name> max-bandwidth-down <down_bps> user-db user-name <member_name> max-bandwidth-up <up_bps> user-db user-name <member_name> max-input-octets <octets> user-db user-name <member_name> max-output-octets <octets> user-db user-name <member_name> max-total-octets <octets> user-db user-name <member_name> password <password> user-db user-name <member_name> session-timeout <timeout_value> 7. Use the command user-db membership <member_name> <group_name> to add a member to an existing group. 8. Use the following commands to configure Wireless Intrusion Detection (WIDS) timeout settings: wids ageout adhoc-clients <0 - 10080> wids ageout ap-failure <0 - 10080> wids ageout detected-clients <0 - 10080> wids ageout rf-scan <0 - 10080> 9. Use the following commands to configure WIDS known access point settings: wids known-ap <mac_address> channel <0 - 216> wids known-ap <mac_address> security {any | open | wep | wpa} wids known-ap <mac_address> ssid <ssid_string> wids known-ap <mac_address> type {known-foreign | localenterprise | other} wids known-ap <mac_address> wds-mode {any | bridge | normal} wids known-ap <mac_address> wired-mode {allowed | notallowed}
August 20, 2010
25
10. Use the following commands to configure WIDS rogue access point settings: wids rogue-ap ack {all | rogue_mac_address} wids rogue-ap trap-interval <60 - 3600> wids rogue-ap wired-detection-interval <1 - 3600> 11. Use the command wips mitigation ap-threat to enable access threat mitigation. 12. Use the command wips mitigation client-threat to enable client threat mitigation. 13. Use the command radius server-retries to configure RADIUS server retries. 14. Use the command radius server-timeout to configure the RADIUS server timeout. 15. Use the command radius profile to configure global RADIUS profiles. 16. Use the command radius server to configure global RADIUS servers.
Configuring system options

This section describes the system configuration procedures for the WLAN Controller 8180 (WC 8180).
General switch administration

This section outlines the Command Line Interface commands used in general switch administration. It contains information about the following topics: Multiple switch configurations on page 27 Assigning and clearing IP addresses on page 27 Displaying interfaces on page 30 Setting port speed on page 31 Testing cables with the Time Domain Reflectometer on page 33 Enabling Autotopology on page 34 Enabling rate-limiting on page 37 Using Simple Network Time Protocol on page 38 Real time clock configuration on page 41 Custom Autonegotiation Advertisements on page 43
26
August 20, 2010
Connecting to another switch on page 44 Domain Name Server (DNS) Configuration on page 45
Multiple switch configurations

The following CLI commands are used to configure and use multiple switch configuration: show nvram block command This command shows the configurations currently stored on the switch. The syntax for this command is: show nvram block This command is executed in the Global Configuration command mode. copy config nvram block command This command copies the current configuration to one of the flash memory spots. The syntax for this command is: copy config nvram block <1-2> name <block_name> The following table outlines the parameters for this command. Table 1: copy config nvram block parameters
Parameter block <1-2> name <block_name> Description The flash memory location to store the configuration. The name to attach to this block. Names can be up to 40 characters in length with no spaces.
This command is executed in the Global Configuration command mode. copy nvram config block command This command copies the configuration stored in flash memory at the specified location and makes it the active configuration. The syntax for this command is: copy nvram config block <1-2> Substitute <1-2> with the configuration file to load. This command causes the switch to reset so that the new configuration can be loaded. This command is executed in the Global Configuration command mode.
Assigning and clearing IP addresses

You can assign, clear, and view IP addresses and gateway addresses with CLI. The commands discussed in this section are used to perform these tasks. Note: Users should not change the Wireless System IP address of the controller after the controller joins a domain. Do the following if a change is required after the controller joins a domain: 1. Remove the controller from the mobility domain. 2. Disable wireless operations.
August 20, 2010
27
3. Change the IP address. 4. Join the controller to the domain. ip address command The ip address command sets the IP address and subnet mask for the switch. The syntax for the ip address command is: ip address <A.B.C.D> [netmask <A.B.C.D>] [default-gateway <A.B.C.D.DX>] The ip address command is executed in the Global Configuration command mode. The following table describes the parameters for the ip address command. Table 2: ip address parameters
Parameters A.B.C.D netmask Default Gateway A.B.C.D Description Denotes the IP address in dotted-decimal notation; netmask is optional. Signifies the IP subnet mask. Displays the IP address of the default gateway. Enter the IP address of the default IP gateway.
Note: When the IP address or subnet mask is changed, connectivity to Telnet and the Web can be lost. ip address source command If you want to automatically obtain an IP address, subnet mask and default gateway, you can use the ip address command with the source parameter. When you use DHCP, the switch can also obtain up to three DNS server IP addresses. The syntax for the ip address source command is: ip address source {bootpalways | bootp-last-address | bootp-when-needed | configured-address | dhcp-always | dhcp-last-address | dhcp-when-needed} Execute the ip address source command in the Global Configuration command mode. The following table describes the variables for the ip address source command: Table 3: ip address source command parameters
Parameter bootp-always bootp-last-address bootp-when-needed dhcp-always dhcp-last-address dhcp-when-needed Description Always use the bootp server. Use the last bootp server. Use bootp server when needed. Always use the DHCP server. Use the last DHCP server. Use DHCP client when needed.
28
August 20, 2010
no ip address command The no ip address command clears the IP address and subnet mask for a switch. This command sets the IP address and subnet mask for a switch to all zeros (0). The syntax for the no ip address command is: no ip address switch The no ip address command is executed in the Global Configuration command mode. Note: When the IP address or subnet mask is changed, connectivity to Telnet and the Web Interface can be lost. Any new Telnet connection can be disabled and is required to connect to the serial console port to configure a new IP address. ip default-gateway command The ip default-gateway command sets the default IP gateway address for a switch to use. The syntax for the ip default-gateway command is: ip default-gateway <A.B.C.D> The ip default-gateway command is executed in the Global Configuration command mode. The following table describes the parameters for the ip default-gateway command. Table 4: ip default-gateway command parameters
Parameters A.B.C.D Description Enter the dotted-decimal IP address of the default IP gateway.
Note: When the IP gateway is changed, connectivity to Telnet and the Web Interface can be lost. show ip command The show ip command displays the IP configurations, BootP/DHCP mode, switch address, subnet mask, and gateway address. This command displays these parameters for what is configured, what is in use, and the last BootP/DHCP. The syntax for the show ip command is: show ip [bootp] [dhcp] [defaultgateway] [address] The show ip command is executed in the User EXEC command mode. If you do not enter any parameters, this command displays all IP-related configuration information. The following table describes the parameters for the show ip command.
Parameters bootp Description Displays BootP/DHCP-related IP information. The possibilities for status returned are: BootP Always Disabled BootP or Last Address
August 20, 2010
29
Parameters
Description BootP When Needed DHCP Always DHCP or Last Address DHCP When Needed
dhcp client lease
Displays DHCP client lease information. The command displays information about configured lease time and lease time granted by the DHCP server. Displays the IP address of the default gateway. Displays the current IP address. Displays the BootP or DHCP client information.Assigning and clearing IP addresses for specific units DHCP always DHCP when needed DHCP or last address Disabled BootP always BootP when needed BootP or last address
default-gateway address address source
Displaying interfaces
The status of all interfaces on the switch can be viewed, including Multi-Link Trunk membership, link status, autonegotiation and speed using the following command. show interfaces command The show interfaces command displays the current configuration and status of all interfaces. The syntax for the show interfaces command is: show interfaces [names] [<portlist>] The show interfaces command is executed in the User EXEC command mode. Table 5: show interfaces command parameters
Parameters names <portlist> Description Displays the interface names; enter specific ports if you want to see only those.
30
August 20, 2010
Setting port speed

To set port speed and duplexing with CLI, refer to the following: speed command on page 31 default speed command on page 31 duplex command on page 32 default duplex command on page 32 speed command The speed command sets the speed of the port. The syntax for the speed command is: speed [port <portlist>] {10 | 100 | 1000 | auto} The speed command is executed in the Interface Configuration command mode. The following table describes the parameters for the speed command. Table 6: speed command parameters
Parameters port <portlist> Description Specifies the port numbers for which to configure the speed. Enter the port numbers you want to configure. Note: If you omit this parameter, the system uses the port number you specified in the interface command. Sets speed to: 1010Mb/s 100 100 Mb/s 1000 1000 Mb/s or 1GB/s auto autonegotiation
10|100|1000|auto
Note: Enabling and disabling autonegotiation for speed also enables and disables it for duplex operation.When you set the port speed for autonegotiation, ensure that the other side of the link is also set for autonegotiation. default speed command The default speed command sets the speed of the port to the factory default speed. The syntax for the default speed command is: default speed [port <portlist>] The default speed command is executed in the Interface Configuration command mode. The following table describes the parameters for this command.
August 20, 2010
31
Parameters port <portlist>
Description Specifies the port numbers to set the speed to factory default. Enter the port numbers you want to set. Note: If you omit this parameter, the system uses the port number you specified in the interface command.
duplex command The duplex command specifies the duplex operation for a port. The syntax for the duplex command is: duplex [port <portlist>] {full | half | auto} The duplex command is executed in the Interface Configuration command mode. The following table describes the parameters for this command.
Parameters port <portlist> Description Specifies the port numbers for which to reset the duplex mode to factory default values. Enter the port number you want to configure. The default value is autonegotiation. Note: If you omit this parameter, the system uses the ports you specified in the interface command. Sets duplex to: full full-duplex mode half half-duplex mode autoautonegotiation
full | half | auto
Note: Enabling/disabling autonegotiation for speed also enables/disables it for duplex operation.When you set the duplex mode for autonegotiation, ensure that the other side of the link is also set for autonegotiation. default duplex command The default duplex command sets the duplex operation for a port to the factory default duplex value. The syntax for the default duplex command is: default duplex [port <portlist>] The default duplex command is executed in the Interface Configuration command mode. The following table describes the parameters for this command.
Parameters port <portlist> Description Specifies the port numbers to reset the duplex mode to factory default values. Enter the port numbers you want to configure. The default value is autonegotiation.
32
August 20, 2010
Parameters
Description Note: If you omit this parameter, the system uses the ports you specified in the interface command.
Testing cables with the Time Domain Reflectometer

The WC 8180 is equipped with a Time Domain Reflectometer (TDR). The TDR provides a diagnostic capability to test connected cables for defects (such as short pin and pin open). You can obtain TDR test results from CLI or Device Manager. The cable diagnostic tests only apply to Ethernet copper ports; fiber ports cannot be tested. You can initiate a test on multiple ports at the same time. When you test a cable with the TDR, if the cable has a 10/100 MB/s link, the link is broken during the test and restored only when the test is complete. If the cable has a 10/100 MB/s link, the test results may be incomplete as the test does not test all of the pins in the connector. Use of the TDR does not affect 1 GB/s links. See the Troubleshooting Guide (NN47251-700) for more information on troubleshooting cables and for connector pin tables. Note: The accuracy margin of cable length diagnosis is between three to five meters. Avaya suggests the shortest cable for length information be five meters long. With the following CLI commands, you can initiate a TDR cable diagnostic test and obtain test reports. tdr test command on page 33 show tdr command on page 33 tdr test command The tdr test command initiates a TDR test on a port or ports. The syntax for this command is: tdr test <portlist> where <portlist> specifies the ports to be tested. The tdr test command is in the privExec command mode. show tdr command The show tdr command displays the results of a TDR test. The syntax for this command is: show tdr <portlist> where <portlist> specifies the ports for which to display the test results. The show tdr command is in the privExec command mode.
August 20, 2010
33
Enabling Autotopology
The Optivity Autotopology protocol can be configured with CLI. To enable autotopology with CLI, refer to the following: autotopology command on page 34 no autotopology command on page 34 default autotopology command on page 34 show autotopology settings command on page 34 show autotopology nmm-table command on page 34 autotopology command The autotopology command enables the Autotopology protocol. The syntax for the autotopology command is: autotopology The autotopology command is executed in the Global Configuration command mode. no autotopology command The no autotopology command disables the Autotopology protocol. The syntax for the no autotopology command is: no autotopology The no autotopology command is executed in the Global Configuration command mode. default autotopology command The default autotopology command enables the Autotopology protocol. The syntax for the default autotopology command is: default autotopology The default autotopology command is executed in the Global Configuration command mode. show autotopology settings command The show autotopology settings command displays the global autotopology settings. The syntax for the show autotopology settings command is: show autotopology settings The show autotopology settings command is executed in the Privileged EXEC command mode. show autotopology nmm-table command The show autotopology nmm-table command displays the Autotopology network management module (NMM) table. The syntax for the show autotopology nmm-table command is: show autotopology nmmtable
34
August 20, 2010
The show autotopology nmm-table command is executed in the Privileged EXEC command mode.
Enabling flow control

Gigabit Ethernet, when used with the WC 8180, can control traffic on this port using the flowcontrol command. To enable flow control with CLI, refer to the following: flow control command on page 35 no flowcontrol command on page 35 default flowcontrol command on page 36 flow control command The flowcontrol command is used only on Gigabit Ethernet ports and controls the traffic rates during congestion. The syntax for the flowcontrol command is: flowcontrol [port <portlist>] {asymmetric | symmetric | auto | disable} The flowcontrol command is executed in the Interface Configuration mode. The following table describes the parameters for this command. Table 7: flowcontrol command parameters
Parameters port <portlist> Description Specifies the port numbers to configure for flow control. Note: If you omit this parameter, the system uses the ports you specified in the interface command but only those ports which have speed set to 1000/full. Sets the mode for flow control: asymmetric- PAUSE frames can only flow in one direction. symmetric- PAUSE frames con flow in either direction. auto- sets the port to automatically determine the flow control mode (default) disabledisables flow control
asymmetric | symmetric | auto | disable
no flowcontrol command The no flowcontrol command is used only on Gigabit Ethernet ports and disables flow control. The syntax for the no flowcontrol command is: no flowcontrol [port <portlist>]
August 20, 2010
35
The no flowcontrol command is executed in the Interface Configuration mode. The following table describes the parameters for this command. Table 8: no flowcontrol command parameters
Parameters port <portlist> Description Specifies the port numbers for which to disable flow control. Note: If you omit this parameter, the system uses the ports you specified in the interface command, but only those ports that have speed set to 1000/full.
default flowcontrol command The default flowcontrol command is used only on Gigabit Ethernet ports and sets the flow control to auto, which automatically detects the flow control. The syntax for the default flowcontrol command is: default flowcontrol [port <portlist>] The default flowcontrol command is executed in the Interface Configuration mode. The following table describes the parameters for this command.
Parameters port <portlist> Description Specifies the port numbers to default to auto flow control. Note: If you omit this parameter, the system uses the port number you specified in the interface command.
default rate-limit command The default rate-limit command restores the rate-limiting value for the specified port to the default setting. The syntax for the default rate-limit command is: default rate-limit [port <portlist>] The default rate-limit command is executed in the Interface Configuration command mode. The following table describes the parameters for this command. Table 9: default rate-limit command parameters
Parameters port <portlist> Description Specifies the port numbers on which to reset rate-limiting to factory default. Enter the port numbers on which to set ratelimiting to default. Note: If you omit this parameter, the system uses the port number you specified in the interface command.
36
August 20, 2010
Enabling rate-limiting
The percentage or packets per seconds of multicast traffic, or broadcast traffic, or both can be limited with CLI. For details, refer to the following: show rate-limit command on page 37 rate-limit command on page 37 no rate-limit command on page 38 default rate-limit command on page 36 show rate-limit command The show rate-limit command displays the rate-limiting settings and statistics. The syntax for the show rate-limit command is: show rate-limit The show rate-limit command is executed in the Privileged EXEC command mode. rate-limit command The rate-limit command configures rate-limiting on the port. The syntax for the rate-limit command is: rate-limit {multicast | broadcast | both} {percent <0-10>} The rate-limit command is executed in the Interface Configuration command mode. The following table describes the parameters for this command. Table 10: rate-limit command parameters
Parameters multicast | broadcast | both Description Applies rate-limiting to the type of traffic. multicast--applies rate-limiting to multicast packets broadcast--applies rate-limiting to broadcast packets both--applies rate-limiting to both multicast and broadcast packets percent <0-10> Specifies the mode for setting the rates of the incoming traffic. percent <0-10>--enter and integer from 1 to 10 to set the rate-limiting percentage. For 10 Gb/s links, the default value for limiting both broadcast and multicast is 10 percent. Rate limiting using packet per seconds can only be configured using CLI.
August 20, 2010
37
no rate-limit command The no rate-limit command disables rate-limiting on the port. The syntax for the no rate-limit command is: no rate-limit [port <portlist>] The no rate-limit command is executed in the Interface Configuration command mode. The following table describes the parameters for this command. Table 11: no rate-limit command parameters
Parameters port <portlist> Description Specifies the port numbers to disable for rate-limiting. Enter the port numbers you want to disable. Note: If you omit this parameter, the system uses the port number you specified in the interface command.
Using Simple Network Time Protocol

The Simple Network Time Protocol (SNTP) feature synchronizes the Universal Coordinated Time (UCT) to an accuracy within 1 second. This feature adheres to the IEEE RFC 2030 (MIB is the s5agent). With this feature, the system can obtain the time from any RFC 2030compliant NTP/SNTP server. Note: If you have trouble using this feature, try various NTP servers. Some NTP servers can be overloaded or currently inoperable.The system retries connecting with the NTP server a maximum of three times, with 5 minutes between each retry. Using SNTP provides a real-time timestamp for the software, shown as Greenwich Mean Time (GMT). If SNTP is enabled, the system synchronizes with the configured NTP server at boot-up and at user-configurable periods thereafter (the default synchronization interval is 24 hours). The first synchronization is not performed until network connectivity is established. SNTP supports primary and secondary NTP servers. The system tries the secondary NTP server only if the primary NTP server is unresponsive. To configure SNTP, refer to the following commands: show SNTP command on page 39 show sys-info command on page 39 SNTP enable command on page 39 no SNTP enable command on page 39 SNTP server primary address command on page 39 SNTP server secondary address command on page 40 no SNTP server command on page 40
38
August 20, 2010
SNTP sync-now command on page 41 SNTP sync-interval command on page 41
show SNTP command

The show SNTP command displays the SNTP information, as well as the configured NTP servers. The syntax for the show SNTP command is: show sntp The show SNTP command is executed in the Privileged EXEC command mode.
show sys-info command

The show sys-info command displays the current system characteristics. The syntax for the show sys-info command is: show sys-info The show sys-info command is executed in the Privileged EXEC command mode. Note: You must have SNTP enabled and configured to display GMT time.
SNTP enable command

The SNTP enable command enables SNTP. The syntax for the SNTP enable command is: sntp enable The SNTP enable command is executed in the Global Configuration command mode. Note: The default setting for SNTP is disabled.
no SNTP enable command

The no SNTP enable command disables SNTP. The syntax for the no SNTP enable command is: no sntp enable The no SNTP enable command is executed in the Global Configuration command mode.
SNTP server primary address command

The SNTP server primary address command specifies the IP addresses of the primary NTP server.
August 20, 2010
39
The syntax for the SNTP server primary address command is: sntp server primary address <A.B.C.D> The SNTP server primary address command can be executed in the Global Configuration command mode. The following table describes the parameters for this command. Table 12: sntp server primary address command parameters
Parameters <A.B.C.D> Description Enter the IP address of the primary NTP server in dotteddecimal notation.
SNTP server secondary address command

The SNTP server secondary address command specifies the IP addresses of the secondary NTP server. The syntax for the SNTP server secondary address command is: sntp server secondary address <A.B.C.D> The SNTP server secondary address command is executed in the Global Configuration command mode. The following table describes the parameters for this command. Table 13: sntp server secondary address command parameters
Parameters <A.B.C.D> Description Enter the IP address of the secondary NTP server in dotted-decimal notation.
no SNTP server command

The no SNTP server command clears the NTP server IP addresses. The command clears the primary and secondary server addresses. The syntax for the no SNTP server command is: no sntp server {primary | secondary} The no SNTP server command is executed in the Global Configuration command mode. The following table describes the parameters for this command.
40
August 20, 2010
Table 14: no sntp server command parameters

Parameters primary secondary Description Clear primary SNTP server address. Clear secondary SNTP server address.
SNTP sync-now command

The SNTP sync-now command forces a manual synchronization with the NTP server. The syntax for the SNTP sync-now command is: sntp sync-now The SNTP sync-now command is executed in the Global Configuration command mode. Note: SNTP must be enabled before this command can take effect.
SNTP sync-interval command

The SNTP sync-interval command specifies recurring synchronization with the secondary NTP server in hours relative to initial synchronization. The syntax for the SNTP sync-interval command is: sntp sync-interval <0-168> The SNTP sync-interval command is executed in the Global Configuration command mode. The following table describes the parameters for this command. Table 15: sntp sync-interval command parameters
Parameters <0-168> Descriptions Enter the number of hours for periodic synchronization with the NTP server. Note: 0 is boot-time only, and 168 is once a week.
Real time clock configuration

In addition to SNTP time configuration, a real-time clock (RTC) is available to provide the switch with time information. This RTC provides the switch information in the instance that SNTP time is not available. Use the following commands to view and configure the RTC: clock set command on page 42 Clock sync rtc-with-SNTP enable command on page 42
August 20, 2010
41
no clock sync-rtc-with-SNTP enable command on page 42 Default clock sync-rtc-with-SNTP enable command on page 42 Clock source command on page 43 default clock source command on page 43
clock set command

This command is used to set the RTC. The syntax of the clock set command is: clock set {<LINE> | <hh:mm:ss>} The following table outlines the parameters for this command. Table 16: clock set command parameters
Parameters <LINE> <hh:mm:ss> Description A string in the format of mmddyyyyhhmmss that defines the current local time. Numeric entry of the current local time in the manner specified.
This command is executed in the Privileged EXEC command mode.
Clock sync rtc-with-SNTP enable command

This command enables the synching of the RTC with the SNTP clock when the SNTP clock synchronizes. The syntax for this command is: clock sync-rtc-with-sntp enable This command is executed in the Global Configuration command mode.
no clock sync-rtc-with-SNTP enable command

This command disables the synching of the RTC with the SNTP clock when the SNTP clock synchronizes. The syntax for this command is: no clock sync-rtc-with-sntp enable This command is executed in the Global Configuration command mode.
Default clock sync-rtc-with-SNTP enable command

This command sets the synchronizing of the RTC with the SNTP clock to factory defaults. The syntax for this command is: default clock sync-rtc-with-sntp enable
42
August 20, 2010
This command is executed in the Global Configuration command mode.
Clock source command

This command sets the default clock source for the switch. The syntax for this command is: clock source {sntp | rtc | sysUpTime} Substitute {sntp | rtc | sysUpTime} with the clock source selection. This command is executed in the Global Configuration command mode.
default clock source command

This command sets the clock source to factory defaults. The syntax of this command is: default clock source This command is executed in the Global Configuration command mode.
Custom Autonegotiation Advertisements

Custom Autonegotiation Advertisement (CANA) customizes the capabilities that are advertised. It also controls the capabilities that are advertised by the WC 8180 as part of the auto-negotiation process. The following sections describe configuring CANA with CLI: Configuring CANA on page 43 Viewing current autonegotiation advertisements on page 43 Setting default auto-negotiation-advertisements on page 44 no auto-negotiation-advertisements command on page 44
Configuring CANA
Use the auto-negotiation-advertisements command to configure CANA. To configure port 5 to advertise the operational mode of 10 Mb/s and full duplex enter the following command line: auto-negotiation-advertisements port 5 10-full
Viewing current autonegotiation advertisements

To view the autonegotiation advertisements for the device, enter the following command: show auto-negotiation-advertisements [port <portlist>]
August 20, 2010
43
Setting default auto-negotiation-advertisements

The default auto-negotiation-advertisements command makes a port advertise all its auto-negotiation-capabilities. The syntax for the default auto-negotiation-advertisements command is: default auto-negotiation-advertisements [port <portlist>] To set default advertisements for port 5 of the device, enter the following command line: default auto-negotiation-advertisements port 5 The default auto-negotiation-advertisements command can be executed in the Interface Configuration mode.
no auto-negotiation-advertisements command
The no auto-negotiation-advertisements command makes a port silent. The syntax for the no auto-negotiation-advertisements command is: no autonegotiation-advertisements [port <portlist>] The no auto-negotiation-advertisements command can be executed in the Interface Configuration mode.
Connecting to another switch

Using the Command Line Interface (CLI), it is possible to communicate with another switch while maintaining the current switch connection. This is accomplished with the familiar ping and telnet commands.
ping command
Use the ping command to determine if communication with another switch can be established. The syntax for this command is: ping<dns_host_name> [datasize <64-4096> [{count <1-999>} | continuous] [{timeout | -t} <1-120>] [interval <1-60] [debug] Substitute <dns_host_name> with the DNS host name of the unit to test. Run this command in User EXEC command mode or any of the other command modes. The following table describes the parameters for this command.
44
August 20, 2010
Table 17: ping command parameters

Parameters <dns_host_name> datasize <644096> count <19999> | continuous Description The DNS host name of the unit to test. Specify the size of the ICMP packet to be sent. The data size range is from 64 to 4096 bytes. Set the number of ICMP packets to be sent. The continuous mode sets the ping running until the user interrupts it by entering Ctrl+C. Set the timeout using either the timeout with the -t parameter followed by the number of seconds the switch must wait before timing out. Specify the number of seconds between transmitted packets. Provide additional output information such as the ICMP sequence number and the trip time.
timeout | -t | <1120>
interval <160> debug
telnet command
Use the telnet command to establish communications with another switch during the current CLI session. Communication can be established to only one external switch at a time using the telnet command. The syntax for this command is: telnet <dns_host_name> Substitute <dns_host_name> with the DNS hostname of the unit with which to communicate. This command is executed in the User EXEC command mode.
Domain Name Server (DNS) Configuration

Domain name servers are used when the switch needs to resolve a domain name to an IP address. The following commands allow for the configuration of the switch domain name servers: show ip dns command on page 46 ip domain-name command on page 46 no ip domain-name command on page 46 default ip domain-name command on page 46 ip name-server command on page 47 no ip name-server command on page 47
August 20, 2010
45
show ip dns command

The show ip dns command is used to display DNS-related information. This information includes the default switch domain name and any configured DNS servers. The syntax for this command is: show ip dns This command is executed in the User EXEC command mode.
ip domain-name command
The ip domain-name command is used to set the default DNS domain name for the switch. This default domain name is appended to all DNS queries or commands that do not already contain a DNS domain name. The syntax for this command is: ip domain-name <domain_name> Substitute <domain_name> with the default domain name to be used. A domain name is determined to be valid if it contains alphanumeric characters and contains at least one period (.). This command is executed in the Global Configuration command mode.
no ip domain-name command
The no ip domain-name command is used to clear a previously configured default DNS domain name for the switch. The syntax for this command is: no ip domain-name This command is executed in the Global Configuration command mode.
default ip domain-name command

The default ip domain-name command is used to set the system default switch domain name. Because this default is an empty string, this command has the same effect as the no ip domain-name command. The syntax for this command is: default ip domain-name This command is executed in the Global Configuration command mode.
46
August 20, 2010
ip name-server command
The ip name-server command is used to set the domain name servers the switch uses to resolve a domain name to an IP address. A switch can have up to three domain name servers specified for this purpose. The syntax of this command is: ip name-server <ip_address_1> ip name-server <ip_address_2> ip nameserver <ip_address_3> Note: To enter all three server addresses you must enter the command three times, each with a different server address. The following table outlines the parameters for this command. Table 18: ip name-server command parameters
Parameters <ip_address_1> <ip_address_2> <ip_address_3> Description The IP address of the domain name server used by the switch. Optional. The IP address of a domain name server to add to the list of servers used by the switch. Optional. The IP address of a domain name server to add to the list of servers used by the switch.
no ip name-server command
The no ip name-server command is used to remove domain name servers from the list of servers used by the switch to resolve domain names to an IP address. The syntax for this command is: no ip name-server <ip_address_1> no ip name-server [<ip_address_2>] no ip name-server [<ip_address_2>] Note: To remove all three server addresses you must enter the command three times, each with a different server address. The following table outlines the parameters for this command.
Parameters <ip_address_1> <ip_address_2> Description The IP address of the domain name server to remove. Optional. The IP address of a domain name server to remove from the list of servers used by the switch.
August 20, 2010
47
Parameters <ip_address_3>
Description Optional. The IP address of a domain name server to remove from the list of servers used by the switch.
Changing switch software

The software download process occurs automatically without user intervention. This process deletes the contents of the flash memory and replaces it with the desired software image. Do not interrupt the download process. Depending on network conditions, this process make take up to 10 minutes. When the download process is complete, the switch automatically resets unless the no-reset parameter was used. The software image initiates a self-test and returns a message when the process is complete. An example of this message is illustrated in the following table. Table 19: Software download message output Download Image [/] Image Saving Image [-] Finishing Upgrading
During the download process the switch is not operational. The progress of the download process can be tracked by observing the front panel LEDs. To change the software version running on the switch with CLI, follow this procedure:
1. Access CLI through the Telnet protocol or a Console connection. 2. From the command prompt, use the download command with the following parameters to change the software version: download [address <a.b.c.d>] {primary | secondary} {image <image name> | image-if-newer <image name> | diag <image name>} [no-reset] [usb] The following table explains the parameters for the download command. Table 20: download command parameters
Parameter address <a.b.c.d> Description This parameter is the IP address of the TFTP server to be used. The address <ip> parameter is optional and if omitted the switch defaults to the TFTP server specified by the tftpserver command unless software
48
August 20, 2010
Parameter
Description download is to take place using a USB Mass Storage Device.
primary | secondary
This parameter determines if the image is the primary or secondary image. This parameter is the name of the software image to be downloaded from the TFTP server. This parameter is the name of the software image to be downloaded from the TFTP server if newer than the currently running image. This parameter is the name of the diagnostic image to be downloaded from the TFTP server. This parameter forces the switch to not reset after the software download is complete. In the WC 8180, this parameter specifies that the software download is performed using a USB Mass Storage Device and the front panel USB port.
image <image name>
image-if-newer <image name>
diag <image name>
no-reset
usb
3. Press Enter.
Configuration files in CLI

CLI provides many options for working with configuration files. Through CLI, configuration files can be displayed, stored, and retrieved. For details, refer to the following: Displaying the current configuration on page 50 Storing the current configuration on page 50 copy tftp config command on page 51 copy usb config command on page 51 Saving the current configuration on page 51 save config command
August 20, 2010
49
Importing action commands

The import and export of action commands in ASCII configuration files is not supported in this release. This includes commands such as radius secret and mdc-join. Action commands that are part of a device configuration before an export operation will be excluded during the export operation. Subsequent imports of the configuration file will not contain the excluded commands. Excluded commands must be manually executed after the import process. This is very important to keep in mind especially in regards to configuring a new device or updating a device that has been returned to factory defaults. Note the action commands that were part of the pre-export configuration so they can be manually executed after the configuration file is imported.
Displaying the current configuration

The show running-config command displays the current configuration of switch. The syntax for the show running-config command is: show running-config This command only can be executed in the Privileged EXEC mode and takes no parameters.
Storing the current configuration

The copy running-config command copies the contents of the current configuration file to another location for storage. For all switches in the 8100 Series, the configuration file can be saved to a TFTP server. The WC 8180 also provide the ability to save the configuration file to a USB Mass Storage Device through the front panel USB drive. The syntax for the copy running-config command is: copy running-config {tftp | (usb) [u2] } address <A.B.C.D> filename <name> The following table outlines the parameters for this command. Table 21: copy running-config parameters
Parameters {tftp | usb} address <A.B.C.D> Description This parameter specifies the general location in which the configuration file is saved. If a TFTP server is to be used, this parameter signifies the IP address of the server to be used.
50
August 20, 2010
Parameters filename <name>
Description The name of the file that is created when the configuration is saved to the TFTP server or USB Mass Storage Device.
The copy running-config command only can be executed in the Privileged EXEC mode.
copy tftp config command

Use this command to restore a configuration file stored on a TFTP server. The syntax for this command is: copy tftp config address <A.B.C.D> filename <name> The following table outlines the parameters for this command. Table 22: copy tftp config command parameters
Parameter address <A.B.C.D> filename <name> Description The IP address of the TFTP server to be used. The name of the file to be retrieved.
copy usb config command

Use this command to restore a configuration file stored on a USB Mass Storage Device. The syntax is: copy usb config filename <name> The only parameter for this command is the name of the file to be retrieved from the USB device.
Saving the current configuration

The configuration currently in use on a switch is regularly saved to the flash memory automatically. However, you can manually initiate this process using the copy config nvram command. This command takes no parameters and you must run it in Privileged EXEC mode. If you have disabled the AutosaveToNvramEnabled function by removing the default check in the AutosaveToNvRamEnabled field, the configuration is not automatically saved to the flash memory.
August 20, 2010
51
Automatically downloading a configuration file with CLI

This feature is enabled through CLI by using the configure network command. This command enables a script to be loaded and executed immediately as well as configure parameters to automatically download a configuration file when the switch is booted. The syntax for the configure network command is: configure network load-on-boot {disable | use-bootp | use-config} address <A.B.C.D> filename <name> The following table outlines the parameters for this command. Table 23: configure network command parameters
Parameter load-on-boot {disable | use-bootp | use config} Description Specifies the settings for automatically loading a configuration file when the system boots: disable - disables the automatic loading of config file use-bootp - specifies loading the ASCII configuration file at boot and using BootP to obtain values for the TFTP address and filename use-config - specifies loading the ASCII configuration file at boot and using the locally configured values for the TFTP address and filename Note: If you omit this parameter, the system immediately downloads and runs the ASCII config file. address <A.B.C.D> filename <name> The IP address of the desired TFTP server. The name of the configuration file to use in this process
This command must be run in the Privileged EXEC mode. The current switch settings relevant to this process can be viewed using the show confignetwork command. This command takes no parameters and must be executed in Privileged EXEC mode.
Terminal setup
Switch terminal settings can be customized to suit the preferences of a switch administrator. This operation must be performed in CLI.
52
August 20, 2010
The terminal command configures terminal settings. These settings are transmit and receive speeds, terminal length, and terminal width. The syntax of the terminal command is: terminal speed {2400 | 4800 | 9600 | 19200 | 38400} length <0-132> width <1-132> The terminal command is executed in the User EXEC command mode. The following table describes the parameters for this command. Table 24: terminal command parameters
Parameters speed {2400|4800|19200|38400} Description Sets the transmit and receive baud rates for the terminal. The speed can be set at one of the five options shown; the default is 9600. Sets the length of the terminal display in lines; the default is 23. Note: If the terminal length is set to a value of 0, the pagination is disabled and the display continues to scroll without stopping. Sets the width of the terminal display in characters; the default is 79.
length
width
The show terminal command can be used at any time to display the current terminal settings. This command takes no parameters and is executed in the EXEC command mode.
Setting the default management interface

You can set the default management interface with CLI to suit the preferences of the switch administrator. This selection is stored in NVRAM. When the system is started, the banner displays and prompts the user to enter Ctrl+Y. After these characters are entered, the system displays either a menu or the command line interface prompt, depending on previously configured defaults. When using the console port, you must log out for the new mode to display. When using Telnet, all subsequent Telnet sessions display the selection. To change the default management interface, use the cmd-interface command. The syntax of this command is: cmd-interface {cli | menu} The cmd-interface command must be executed in the Privileged EXEC command mode.
Setting Telnet access

CLI can be accessed through a Telnet session. To access CLI remotely, the management port must have an assigned IP address and remote access must be enabled.
August 20, 2010
53
Note: Multiple users can access CLI system simultaneously, through the serial port, Telnet, and modems. The maximum number of simultaneous users is four. All users can configure simultaneously. For details on viewing and changing the Telnet-allowed IP addresses and settings, refer to the following: telnet-access command on page 54 no telnet-access command default telnet-access command on page 55
telnet-access command
The telnet-access command configures the Telnet connection that is used to manage the switch. The telnet-access command is executed through the console serial connection. The syntax for the telnet-access command is: telnet-access [enable | disable] [login-timeout <1-10>] [retry<1-100>] [inactive-timeout <0-60>] [logging {none | access | failures | all}] [source-ip <1-50> <A.B.C.D> <WORD> [mask <A.B.C.D>] Execute the telnet-access command in the Global Configuration command mode. The following table describes the parameters for the telnet-access command. Table 25: telnet-access command parameters
Parameters enable | disable login-timeout <1-10> Description Enables or disables Telnet connection. Specify in minutes the time to wait for Telnet and Console login before the connection closes. Enter an integer between 1 and 10. Specify the number of times the user can enter an incorrect password before closing the connection. Enter an integer between 1 and 100. Specify in minutes the duration for an inactive session to be terminated. Specify the events whose details you want to store in the event log: none-do not save access events in the log access-save only successful access events in the log
retry <1-100>
inactive-timeout <0-60> logging {none | access | failures | all}
54
August 20, 2010
Parameters
Description failure-save failed access events in the log all-save all access events in the log
[source-ip <1-50> <A.B.C.D> [mask <A.B.C.D>] [source-ip <WORD>
Specify the source IP address from which connections are allowed. Enter the IP address in dotted-decimal notation. Mask specifies the subnet mask from which connections are allowed; enter IP mask in dotted-decimal notation.
default telnet-access command

The default telnet-access command sets the Telnet settings to the default values. The syntax for the default telnet-access command is: default telnet-access The default telnet-access command is executed in the Global Configuration command mode.
Setting boot parameters

The command outlined in this section is used for booting the switch as well as setting boot parameters.
boot command
The boot command performs a soft-boot of the switch. The syntax for the boot command is: boot [default] [partial default] The boot command is executed in the Privileged EXEC command mode. The following table describes the parameters for the boot command. Table 26: boot command parameters
Parameters default Description Reboot the switch and use the factory default configurations
August 20, 2010
55
Parameters partial-default
Description Reboot the switch and use partial factory default configurations
Note: When you reset to factory defaults, the switch retains the last reset count and reason for last reset; these two parameters do not default to factory defaults.
Defaulting to BootP-when-needed
The BootP default value is BootP-when-needed. This enables the switch to be booted and the system to automatically seek a BootP server for the IP address. If an IP address is assigned to the device and the BootP process times out, the BootP mode remains in the default mode of BootP-when-needed. However, if the device does not have an assigned IP address and the BootP process times out, the BootP mode automatically changes to BootP disabled. But this change to BootP disabled is not stored, and the BootP reverts to the default value of BootP-when-needed after rebooting the device. When the system is upgraded, the switch retains the previous BootP value. When the switch is defaulted after an upgrade, the system moves to the default value of BootP-when-needed. Refer to the following commands to configure BootP parameters: ip bootp server command on page 56 no ip bootp server command on page 57 default ip bootp server command on page 57
ip bootp server command

The ip bootp server command configures BootP on the current instance of the switch or server. This command is used to change the value of BootP from the default value, which is BootP-when-needed. The syntax for the ip bootp server command is: ip bootp server {always | disable | last | needed} The ip bootp server command is executed in the Global Configuration command mode. The following table describes the parameters for this command. Table 27: ip bootp server command parameters
Parameters always | disable | last | needed Description Specifies when to use BootP:
56
August 20, 2010
Parameters
Description always-Always use BootP disable-never use BootP last-use BootP or the last known address needed-use BootP only when needed Note: The default value is to use BootP when needed.
no ip bootp server command

The no ip bootp server command disables the BootP server. The syntax for the no ip bootp server command is: no ip bootp server The no ip bootp server command is executed in the Global Configuration command mode.
default ip bootp server command

The default ip bootp server command uses BootP when needed. The syntax for the default ip bootp server command is: default ip bootp server The default ip bootp server command is executed in the Global Configuration command mode.
shutdown command
The shutdown command proves a mechanism for safely shutting down a switch without interfering with device processes or corrupting the software image. After this command is issued, the configuration is saved, auto-save functionality is temporarily disabled, and configuration changes are not allowed until the switch restarts. If the shutdown is cancelled, auto-save functionality returns to the state in which it was previously functioning. The shutdown command has the following syntax: shutdown [force] [minutes-towait <1-60>] [cancel] The following table describes the parameters of the shutdown command.
August 20, 2010
57
Table 28: shutdown command parameter

Parameters force minutes-to-wait <1-60> Description This parameter forces the shutdown without confirmation. This parameter represents the number of minutes to wait before the shutdown occurs. If no value is specified, the default value of 10 minutes is used. This parameter cancels a scheduled shutdown any time during the time period specified by the minutes-to-wait parameter.
cancel
reload command
The reload command operates in a similar fashion to the shutdown command. However, the reload command is intended more to be used by system administrators using the command functionality to configure remote devices and reset them when the configuration is complete. The reload command differs from the shutdown command in that the configuration is not explicitly saved after the command is issued. This means that any configuration changes must be explicitly saved before the switch reloads. The reload command does temporarily disable auto-save functionality until the reload occurs. Cancelling the reload returns auto-save functionality to any previous setting. The reload command has the following syntax: reload [force] [minutes-to-wait <1-60>] [cancel] The following table describes the parameters of the reload command. Table 29: reload command parameters
Parameter force minutes-to-wait <1-60> Description This parameter forces the reload without confirmation. This parameter represents the number of minutes to wait before the reload occurs. If no value is specified, the default value of 10 minutes is used. This parameter cancels a scheduled reload any time during the time period specified by the minutes-to-wait parameter.
cancel
58
August 20, 2010
CLI Help
To obtain help on the navigation and use of Command Line Interface (CLI), use the following command: help {commands | modes} Use help commands to obtain information about the commands available in CLI organized by command mode. A short explanation of each command is also included. Use help modes to obtain information about command modes available and CLI commands used to access them. These commands are available in any command mode.
Clearing the default TFTP server with CLI

The default TFTP server can be cleared from the switch and reset to 0.0.0.0 with the following two commands: no tftp-server default tftp-server
Configuring a default TFTP server with CLI

The switch processes that make use of a TFTP server often give the switch administrator the option of specifying the IP address of a TFTP server to be used. Instead of entering this address every time it is needed, a default IP address can be stored on the switch. A default TFTP server for the switch is specified with the tftp-server command. The syntax of this command is: tftp-server <A.B.C.D> To complete the command, replace <A.B.C.D> with the IP address of the default TFTP server. This command must be executed in the Privileged EXEC command mode.
Configuring default clock source

This command sets the default clock source for the switch. The syntax for this command is: clock source {rtp | sntp | sysUpTime} Substitute {rtp | sntp | sysUpTime}with the clock source selection. Run this command in Global Configuration command mode.
August 20, 2010
59
Configuring daylight savings time with CLI

Use the following procedure to configure the daylight savings time adjustment with CLI:
1. In CLI, set the Global Configuration command mode. configure 2. Enable sntp server. 3. Set the date to change to daylight savings time. clock summer-time zone date day month year hh:mm day month year hh:mm [offset]
Job aid
The following table defines the variables for the clock summer-time command: Table 30: clock summer-time command parameters
Parameters date Description Indicates that daylight savings time should start and end on the specified days every year. Date to start daylight savings time. Month to start daylight savings time. Year to start daylight savings time. Hour and minute to start daylight savings time. Date to end daylight savings time. Month to end daylight savings time. Year to end daylight savings time. Hour and minute to end daylight savings time. Number of minutes to add during the summer time. The time zone acronym to be displayed when daylight savings time is in effect. If it is
day month year hh:mm day month year hh:mm offset zone
60
August 20, 2010
Parameters
Description unspecified, it defaults to the time zone acronym set when the time zone was set.
Configuring Dual Agent

Use the following commands to configure the Dual Agent feature with CLI: Enhanced download command on page 61 toggle next boot image command on page 62 boot secondary command on page 62 Show agent images on page 62
Enhanced download command

You can update either active image or non-active image. Once the image download is done, the unit resets and restarts with the new image regardless of the value of the Next Boot image indicator. In case of image download without reset, the new image in the flash will be the Next Boot image. Use the download command to specify the download target image. The syntax for this command is: download [address <a.b.c.d>] {primary | secondary} {image <image name> | image-if-newer <image name> | diag <image name>} [no-reset] [usb] The following table defines the parameters for the download command. Table 31: download command parameters
Parameters a.b.c.d primary | secondary image <image name> image-if-newer <image name> diag <image name> no-reset usb Variable IP address in dot notation. Choose which image to download. Download the specified image. Only download the image if the version is newer than the installed version. Download the specified diagnostic image. Do not reset the switch. Download the image from the USB drive.
Note: Dual Agent supports the WLAN switches NBUs through AAUR.
August 20, 2010
61
toggle next boot image command

You can use CLI commands to change the next boot image of the device. Use the toggle-next-boot-image command to toggle the next boot image. The syntax for this command is: toggle-next-boot-image You must restart the switch after this command to use the next boot image as the new primary image.
boot secondary command

You can use CLI commands to change the next boot image of the device. Use the boot secondary command to use the secondary boot image. The syntax for this command is: boot secondary The switch will restart automatically with the new image.
Show agent images

You can use CLI commands to list the following information about the agent images stored in flash memory: Primary image version Secondary image name Active image version Use the show boot image command to show the agent image information for agent images stored in the flash memory. They syntax for this command is: show boot image
Configuring local time zone with CLI

SNTP uses Coordinated Universal Time (UTC) for all time synchronizations so it is not affected by different time zones. To have the switch report the time in your local time zone, you need to use the clock commands to set the local time zone. You must enable SNTP before you set the time zone. If SNTP is not enabled, this command has no effect. If you enable SNTP and do not specify a time zone, UTC is shown by default. Use the following procedure to configure your switch for your local time zone with CLI:
62
August 20, 2010
1. In CLI, set the Global Configuration command mode. configure 2. Enable sntp server. 3. Set clock time zone using the clock command. clock time-zone zone hours [minutes]
Job aid
The following table defines the variables for the clock time-zone command: Table 32: clock time-zone command
Variables zone hours minutes Description Time zone acronym to be displayed when showing system time (up to 4 characters). Difference from UTC in hours. This can be any value between -12 and +12. Optional: This is the number of minutes difference from UTC. Minutes can be any value between 0 and 59.
Customizing CLI banner with CLI

show banner command
The show banner command displays the banner. The syntax for the show banner command is: show banner [static | custom] The show banner command is executed in the Privileged EXEC command mode. The following table outlines the parameters for this command. Table 33: show banner command parameters
Parameters static | custom Description Displays which banner is currently set to display:
August 20, 2010
63
Parameters static custom
Description
banner command
The banner command specifies the banner displayed at startup; either static or custom. The syntax for the banner command is: banner {static | custom} <line number> "<LINE>" The following table outlines the parameters for this command. Table 34: banner command parameters
Parameters static | custom static custom line number LINE Enter the banner line number you are setting. The range is 1 to 19. Specifies the characters in the line number. Description Sets the display banner as:
This command is executed in the Privileged EXEC command mode.
no banner command
The no banner command clears all lines of a previously stored custom banner. This command sets the banner type to the default setting (STATIC). Displaying the default TFTP server with CLI no banner The no banner command is executed in the Privileged EXEC command mode.
Displaying the default TFTP server with CLI

The default TFTP server configured for the switch can be displayed in CLI at any time by using the show tftp-server command. This command has no parameters and is executed in the Privileged EXEC mode.
64
August 20, 2010
Displaying complete GBIC information

Complete information can obtained for a GBIC port using the following command: show interfaces gbic-info <port-list> Substitute <port-list> with the GBIC ports for which to display information. If no GBIC is detected, this command does not show any information. This command is available in all command modes.
Displaying hardware information

To display a complete listing of information about the status of switch hardware in CLI, use the following command: show system [verbose] The inclusion of the [verbose] option displays additional information about fan status, power status, and switch serial number. Switch hardware information is displayed in a variety of locations in Web-based management and Device Manager. No special options are needed in these interfaces to display the additional information.
Enabling Autosave
With autosave enabled the system checks every minute to see if there is any new configuration data. If there is, it will automatically be saved to NVRAM. While autosave is enabled, the AUR feature should perform normally. Use the following command to enable the autosave feature.
autosave enable command

The autosave enable command is used to enable the autosave feature. The syntax for this command is: autosave enable The autosave enable command is executed in Global Configuration command mode.
August 20, 2010
65
Setting the server for Web-based management with CLI

Setting the server for Web-based management with CLI You can use CLI to enable or disable a web server for use with Web-based management. For details, refer to the following: web-server command on page 66 no web-server command on page 66
web-server command
The web-server command enables or disables the web server used for Web-based management. The syntax for the web-server command is: web-server {enable | disable} The web-server command is executed in the Global Configuration command mode. The following table describes the parameters for this command. Table 35: web-server command parameters
Parameter enable | disable Description Enables or disables the web server.
no web-server command
The no web-server command disables the web server used for Web-based management. The syntax for the no web-server command is: no web-server The no web-server command is executed in the Global Configuration command mode.
Setting the read-only and read-write passwords

The first step to requiring password authentication when the user logs in to the switch is to edit the password settings. To set the read-only and read-write passwords, perform the following procedure.
66
August 20, 2010
1. Access CLI through the Telnet protocol or a Console connection. 2. From the command prompt, use the cli password command to change the desired password. cli password {read-only | read-write} <password> The following table describes the parameters for this command. Table 36: cli password command parameters
Parameter {read-only | read-write} Description This parameter specifies if the password change is for read-only access or read-write access. If password security is disabled, the length can be 1-15 chars. If password security is enabled, the range for length is 10-15 chars.
<password>
3. Press Enter.
Enabling and disabling passwords

After the read-only and read-write passwords are set, they can be individually enabled or disabled for the various switch access methods. When enabled, password security prompts you for a password and the value is hidden. To enable or disable passwords, perform the following procedure:
1. Access CLI through the Telnet protocol or a Console connection. 2. From the command prompt, use the cli password command to enable or disable the desired password. cli password {telnet | serial} {none | local | radius | tacacs} The following table describes the parameters for this command. Table 37: cli password parameters
Parameter {telnet | serial} Description This parameter specifies if the password is enabled or disabled for telnet or the console. Telnet and web access are tied together so that
August 20, 2010
67
Parameter
Description enabling or disabling passwords for one enables or disables it for the other.
{none | local | radius | tacacs}
This parameter specifies if the password is to be disabled (none), or if the password to be used is the locally stored password created in the previous procedure, or if RADIUS authentication or TACACS +AAA services is used.
3. Press Enter.
Configuring RADIUS authentication

The Remote Authentication Dial-In User Service (RADIUS) protocol is a means to authenticate users through the use of a dedicated network resource. This network resource contains a listing of eligible user names and passwords and their associated access rights. When RADIUS is used to authenticate access to a switch, the user supplies a user name and, when prompted, a password. The password value is hidden when entered. This information is checked against the preexisting list. If the user credentials are valid they can access the switch. If RADIUS Authentication was selected when enabling passwords through CLI, the RADIUS server settings must be specified to complete the process. Ensure that Global Configuration mode is entered in CLI before beginning this task. To enable RADIUS authentication through CLI, follow these steps:
1. Access CLI through the Telnet protocol or a Console connection. 2. From the command prompt, use the radius-server command to configure the server settings. radius-server host <address> [secondary-host <address>] port <num> key <string> [password fallback] The following table describes the parameters for this command. Table 38: radius-server parameters
Parameter host <address> Description This parameter is the IPv6 or IPv4 address of the RADIUS server that is used for authentication. The secondary-host <address> address> parameter is optional. If a
[secondary-host <address>]
68
August 20, 2010
Parameter
Description backup RADIUS server is to be specified, include this parameter with the IPv6 or IPv4 address of the backup server.
port <num>
This parameter is the UDP port number the RADIUS server uses to listen for requests. This parameter prompts you to supply a secret text string or password that is shared between the switch and the RADIUS server. Enter the secret string, which is a string up to 16 characters in length. The password is hidden when entered. This parameter is optional and enables the password fallback feature on the RADIUS server. This option is disabled by default.
key
[password fallback]
3. Press Enter.
Related RADIUS Commands

During the process of configuring RADIUS authentication, there are three other CLI commands that can be useful to the process. These commands are: 1. show radius-server The command takes no parameters and displays the current RADIUS server configuration. 2. no radius-server This command takes no parameters and clears any previously configured RADIUS server settings. 3. radius-server password fallback This command takes no parameters and enables the password fallback RADIUS option if it was not done when the RADIUS server was configured initially.
August 20, 2010
69
Configuring system security

This chapter describes the methods and procedures necessary to configure system security. Depending on the scope and usage of the commands listed in this chapter, you can need different command modes to execute them. Navigation Configuring MAC address-based security using CLI on page 70 Configuring RADIUS authentication using CLI on page 78 SNMP configuration using CLI on page 80 Configuring RADIUS accounting using CLI Configuring TACACS+ using CLI on page 100 Configuring IP Manager using CLI on page 103 Configuring password security using CLI on page 105 Displaying CLI Audit log using CLI on page 106 Configuring Secure Socket Layer services using CLI on page 107 Configuring Secure Shell protocol using CLI on page 108 IP Source Guard configuration using CLI
Configuring MAC address-based security using CLI

The following CLI commands allow for the configuration of the BaySecureapplication using Media Access Control (MAC) addresses. The CLI commands in this section are used to configure and manage MAC address security.
CLI commands for MAC address security

The CLI commands in this section are used to configure and manage MAC address security. show mac-security command on page 71 show mac-security mac-da-filter command on page 71 mac-security command on page 72 mac-security mac-address-table address command on page 73 show mac-security mac-address-table command on page 73 mac-security security-list command on page 74
70
August 20, 2010
no mac-security security-list command on page 74 mac-security command for specific ports on page 74 show mac-security command on page 75 mac-security mac-da-filter command on page 75 CLI commands for MAC address auto-learning on page 75 mac-security auto-learning aging-time command on page 76 no mac-security auto-learning aging-time command on page 76 default mac-security auto-learning aging-time command on page 76 mac-security auto-learning port command on page 76 no mac-security auto-learning command on page 77 default mac-security auto-learning command on page 77
show mac-security command

The show mac-security command displays configuration information for the BaySecure application. The syntax for the show mac-security command is: show mac-security {config|mac-address-table [address <macaddr>] | port|security-lists} The following table outlines the parameters for this command. Table 39: show mac-security command parameters
Parameter config mac-address-table [address <madaddr>] Description Displays general BaySecure configuration. Displays contents of BaySecure table of allowed MAC addresses: addressspecifies a single MAC address to display; enter the MAC address port security-lists Displays the BaySecure status of all ports. Displays port membership of all security lists.
The show mac-security command is executed in the Privileged EXEC command mode.
show mac-security mac-da-filter command

The show mac-security mac-da-filter command displays configuration information for filtering MAC destination addresses (DA). Packets can be filtered from up to 10 MAC DAs.
August 20, 2010
71
The syntax for the show mac-security mac-da-filter command is show mac-security mac-da-filter The show mac-security mac-da-filter command is executed in the Privileged EXEC command mode. The show mac-security mac-da-filter command has no parameters or variables.
mac-security command
The mac-security command modifies the BaySecure configuration. The syntax for the mac-security command is mac-security [disable|enable] [filtering {enable|disable}] [intrustion-detect {enable|disable|forever}] [intrusion-timer <1-65535>] [learning-ports <portlist>] [learning {enable|disable}] [snmp-lock {enable|disable}] [snmp-trap {enable|disable}] The following table outlines the parameters for this command. Table 40: mac-security parameters
Parameter disable|enable filtering {enable|disable} intrusion-detect {enable|disable|forever} Description Disables or enables MAC address-based security. Enables or disables DA filtering on intrusion detected. Specifies partitioning of a port when an intrusion is detected: enableport is partitioned for a period of time disabledport is not partitioned on detection foreverport is partitioned until manually changed intrustion-timer <1-65535> Specifies, in seconds, length of time a port is partitioned when an intrusion is detected; enter the number of seconds desired. Specifies MAC address learning. Learned addresses are added to the table of allowed MAC addresses. Enter the ports to learn; a single port, a range of ports, several ranges, all ports, or no ports can be entered. Specifies MAC address learning:
learning-ports <portlist>
learning {enable|disable}
72
August 20, 2010
Parameter
Description enableenables learning by ports disabledisables learning by ports
snmp-lock {enable|disable} snmp-trap {enable|disable}
Enables or disables a lock on SNMP writeaccess to the BaySecure MIBs. Enables or disables trap generation upon intrusion detection.
The mac-security command is executed in the Global Configuration mode.
mac-security mac-address-table address command

The mac-security mac-address-table address command assigns either a specific port or a security list to the MAC address. This removes the previous assignment to the specified MAC address and creates an entry in the BaySecure table of allowed MAC addresses. The syntax for the mac-security mac-address-table address command is mac-security mac-address-table address <H.H.H.> {port <portlist>| security-list <1-32>} The following table outlines the parameters for this command. Table 41: no mac-security mac-address-table parameters
Parameter <H.H.H> port <portlist> security-list <1-32> Description Enter the MAC address in the form of H.H.H. Enter the port number. Enter the security list number.
The no mac-security mac-address-table command executes in the Global Configuration mode.
show mac-security mac-address-table command

The show mac-security mac-address-table command displays the current global MAC Address security table. The syntax for this command is show mac-security mac-address-table. This command executes in the Privileged EXEC command mode.
August 20, 2010
73
mac-security security-list command

The mac-security security-list command assigns a list of ports to a security list. The syntax for the mac-security security-list command is: mac-security security-list <1-32> <portlist> The following table outlines the parameters for this command. Table 42: mac-security security-list parameters
Parameter <1-32> <portlist> Description Enter the number of the security list you want to use. Enter the port number.
The mac-security security-list command executes in the Global Configuration mode.
no mac-security security-list command

The no mac-security security-list command clears the port membership of a security list. The syntax for the no mac-security security-list command is: no mac-security security-list <1-32> Substitute the <1-32> with the number of the security list to be cleared. The no mac-security security-list command executes in the Global Configuration mode.
mac-security command for specific ports

The mac-security command for specific ports configures the BaySecure status of specific ports. The syntax for the mac-security command for specific ports is mac-security [port <portlist>] {disable|enable|learning} The following table outlines the parameters for this command. Table 43: mac-security parameters
Parameter port <portlist> Description Enter the port numbers.
74
August 20, 2010
Parameter disable|enable|learning
Description Directs the specific port disabledisables BaySecure on the specified port and removes the port from the list of ports for which MAC address learning is being performed enableenables BaySecure on the specified port and removes the port from the list of ports for which MAC address learning is being performed learningdisables BaySecure on the specified port and adds these port to the list of ports for which MAC address learning is being performed
The mac-security command for specific ports executes in the Interface Configuration mode.
show mac-security command

The show mac-security command displays the current MAC Address security table for the ports entered. The syntax for this command is show mac-security port <portlist> Substitute <portlist> with the ports to be displayed. This command executes in the Privileged EXEC command mode.
mac-security mac-da-filter command

The mac-security mac-da-filter command allows packets to be filtered from up to ten specified MAC DAs. This command also allows you to delete such a filter and then receive packets from the specified MAC DA. The syntax for the mac-security mac-da-filter command is mac-security mac-da-filter {add|delete} <H.H.H> Substitute the {add|delete} <H.H.H> with either the command to add or delete a MAC address and the MAC address in the form of H.H.H. The mac-security mac-da-filter command executes in the Global Configuration mode.
CLI commands for MAC address auto-learning

The CLI commands in this section are used to configure and manage MAC auto-learning.
August 20, 2010
75
mac-security auto-learning aging-time command

The mac-security auto-learning aging-time command sets the aging time for the auto-learned addresses in the MAC Security Table. The syntax for the command is mac-security auto-learning aging-time <0-65535> Substitute <0-65535> with the aging time in minutes. An aging time of 0 means that the learned addresses never age out. The default is 60 minutes. The mac-security auto-learning aging-time command executes in the Global Configuration mode.
no mac-security auto-learning aging-time command

The no mac-security auto-learning aging-time command sets the aging time for the auto-learned addresses in the MAC Security Table to 0. In this way, it disables the removal of auto-learned MAC addresses. The syntax for the command is no mac-security auto-learning aging-time The no mac-security aging-time command executes in the Global Configuration mode.
default mac-security auto-learning aging-time command

The default mac-security auto-learning aging-time command sets the aging time for the auto-learned addresses in the MAC Security Table to the default of 60 minutes. The syntax for the command is default mac-security auto-learning aging-time The default mac-security auto-learning aging-time command executes in the Global Configuration mode.
mac-security auto-learning port command

The mac-security auto-learning port command configures MAC security autolearning on the ports. The syntax for the command is mac-security auto-learning port <portlist> disabledisable|{enable [max-addrs <1-25>}
76
August 20, 2010
The following table outlines the parameters for this command. Table 44: mac-security auto-learning parameters
Parameter <portlist> disable|enable max-addrs <1-25> Description The ports to configure for auto-learning. Disables or enables auto-learning on the specified ports. The default is disabled. Sets the maximum number of addresses the port learns. The default is 2.
The mac-security auto-learning command executes in the Interface Configuration mode.
no mac-security auto-learning command

This command disables MAC security auto-learning for the specified ports on the switch. The syntax for this command is no mac-security auto-learning port <portlist> The no mac-security auto-learning command executes in the Interface Configuration mode.
default mac-security auto-learning command

The default mac-security auto-learning command sets the default MAC security auto-learning on the switch. The syntax for the command is default mac-security auto-learning port <portlist> [enable] [maxaddrs] The following table outlines the parameters for this command. Table 45: default mac-security auto-learning parameters
Parameters <portlist> enable max-addrs Description The ports to configure for auto-learning. Sets to default the auto-learning status for the port. The default is disabled. Sets to default the maximum number of addresses the port learns. The default is 2.
August 20, 2010
77
The default mac-security auto-learning command executes in the Interface Configuration mode.
Configuring RADIUS authentication using CLI

Configure RADIUS to perform authentication services for system users by doing the following: Configure the RADIUS server itself. For specific configuration procedures, see the vendor documentation. In particular, ensure that you set the appropriate Service-Type attribute in the user accounts: - for read-write access, Service-Type = Administrative - for read-only access, Service-Type = NAS-Prompt Configure RADIUS server settings on the switch (see Configuring RADIUS server settings (page 100)). (Optional) Enable the RADIUS password fallback feature (see Enabling RADIUS password fallback (page 101)). Use the following commands to configure RADIUS authentication: Configuring RADIUS server settings on page 78 Enabling RADIUS password fallback on page 79 Viewing RADIUS information on page 80
Configuring RADIUS server settings

Add a RADIUS server using the following command in Global or Interface Configuration mode: radius-server The following table describes the parameters for this command. Table 46: radius-server command parameters
Parameter host <IPaddr> key <key> Description Specifies the IP address of the primary server you want to add or configure. Specifies the secret authentication and encryption key used for all communications between the NAS and the RADIUS server. The key, also referred to as the shared secret, must be the same as the one defined on the server. You are prompted to enter and confirm the key.
78
August 20, 2010
Parameter [port <port>]
Description Specifies the UDP port for RADIUS. <port> is an integer in the range 0 65535. The default port number is 1812.
[secondary-host <IPaddr>]
Specifies the IP address of the secondary server. The secondary server is used only if the primary server does not respond. Specifies the number of seconds before the service request times out. RADIUS allows three retries for each server (primary and secondary).
[timeout <timeout>]
<timeout>
is an integer in the range 160. The default timeout interval is 2 seconds.
Delete a RADIUS server and restore default RADIUS settings by using one of the following commands in Global or Interface Configuration mode: no radius-server default radius-server
Enabling RADIUS password fallback

Enable the RADIUS password fallback feature by using the following command in Global or Interface Configuration mode: radius-server password fallback When RADIUS password fallback is enabled, users can log on to the switch using the local password if the RADIUS server is unavailable or unreachable.The default is disabled. After you enable RADIUS password fallback, you cannot disable it without erasing all other RADIUS server settings. Important: You can use the Console Interface to disable the RADIUS password fallback without erasing other RADIUS server settings. From the main menu, choose Console/Comm Port Configuration, then toggle the RADIUS Password Fallback field to No. Disable the RADIUS password fallback feature by using one of the following commands in Global or Interface Configuration mode: no radius-server default radius-server The command erases settings for the RADIUS primary and secondary servers and secret key, and restores default RADIUS settings.
August 20, 2010
79
Viewing RADIUS information

Display RADIUS configuration status by using the following command from any mode: show radius-server
SNMP configuration using CLI

This section describes how you can configure SNMP using CLI, to monitor devices running software that supports the retrieval of SNMP information. Use the following commands to configure SNMP: Configuring SNMP v1, v2c, v3 Parameters using CLI on page 81 SNMPv3 table entries stored in NVRAM on page 82 show snmp-server command on page 82 snmp-server authentication-trap command on page 83 no snmp-server authentication-trap command on page 83 default snmp-server authentication-trap command on page 83 snmp-server community for read or write command on page 84 snmp-server community command on page 84 no snmp-server community command on page 85 default snmp-server community command on page 86 no snmp-server contact command on page 86 default snmp-server contact command on page 86 snmp-server command on page 87 no snmp-server command on page 87 snmp-server host command on page 87 show snmp-server host command on page 89 no snmp-server host command on page 89 default snmp-server host command on page 90 snmp-server location command on page 90 no snmp-server location command on page 91 default snmp-server location command on page 91 snmp-server name command on page 91 no snmp-server name command on page 92 default snmp-server name command on page 92
80
August 20, 2010
snmp-server user command on page 92 no snmp-server user command on page 94 snmp-server view command on page 94 no snmp-server view command on page 95 snmp-server bootstrap command on page 95 show snmp-server notification-control on page 96 snmp-server notification-control command on page 97 no snmp-server notification-control on page 97 default snmp-server notification-control on page 98 spanning-tree rstp traps command on page 98 no spanning-tree rstp traps command on page 99 default spanning-tree rstp traps command on page 99 show spanning-tree rstp traps config conmmand on page 99
Configuring SNMP v1, v2c, v3 Parameters using CLI

Earlier releases of SNMP used a proprietary method for configuring SNMP communities and trap destinations for specifying SNMPv1 configuration that included: A single read-only community string that can only be configured using the console menus. A single read-write community string that can only be configured using the console menus. Up to four trap destinations and associated community strings that can be configured either in the console menus, or using SNMP Set requests on the s5AgTrpRcvrTable With the WLAN 8100 Series support for SNMPv3, you can configure SNMP using the new standards-based method of configuring SNMP communities, users, groups, views, and trap destinations. Important: You must configure views and users using CLI before SNMPv3 can be used. Important: You must have the secure version of the software image installed on your switch before you can configure SNMPv3. The WLAN 8100 Series also supports the previous proprietary SNMP configuration methods for backward compatibility. All the configuration data configured in the proprietary method is mapped into the SNMPv3 tables as read-only table entries. In the new standards-based SNMPv3 method of configuring SNMP, all processes are configured and controlled through the SNMPv3 MIBs. The Command Line Interface commands change or display the single read-only community, read-write
August 20, 2010
81
community, or four trap destinations of the proprietary method of configuring SNMP. Otherwise, the commands change or display SNMPv3 MIB data. The WLAN 8100 Series software supports MD5 and SHA authentication, as well as AES and DES encryption. The SNMP agent supports exchanges using SNMPv1, SNMPv2c and SNMPv3. Support for SNMPv2c introduces a standards-based GetBulk retrieval capability using SNMPv1 communities. SNMPv3 support introduces industrial-grade user authentication and message security. This includes MD5 and SHA-based user authentication and message integrity verification, as well as AES- and DES-based privacy encryption. Export restrictions on SHA and DES necessitate support for domestic and non-domestic executable images or defaulting to no encryption for all customers. The traps can be configured in SNMPv1, v2, or v3 format. If you do not identify the version (v1, v2, or v3), the system formats the traps in the v1 format. A community string can be entered if the system requires one.
SNMPv3 table entries stored in NVRAM

The following list shows the number of nonvolatile entries (entries stored in NVRAM) allowed in the SNMPv3 tables. The system does not allow you to create more entries marked nonvolatile when you reach these limits: snmpCommunityTable: 20 vacmViewTreeFamilyTable: 60 vacmSecurityToGroupTable: 40 vacmAccessTable: 40 usmUserTable: 20 snmpNotifyTable: 20 snmpTargetAddrTabel: 20 snmpTargetParamsTable: 20
show snmp-server command

The show snmp-server command displays SNMP configuration. The syntax for the show snmp-server command is show snmp-server {host|user|view} The show snmp-server command executes in the Privileged EXEC command mode. The following table outlines the parameters for this command.
82
August 20, 2010
Table 47: show snmp-server command parameters

Parameter host user view Description Displays the trap receivers configured in the SNMPv3 MIBs. Displays the SNMPv3 users, including views accessible to each user. Displays SNMPv3 views.
snmp-server authentication-trap command

The snmp-server authentication-trap command enables or disables the generation of SNMP authentication failure traps. The syntax for the snmp-server authentication-trap command is snmp-server authentication-trap {enable|disable} The snmp-server authentication-trap command executes in the Global Configuration mode. The following table outlines the parameters for this command. Table 48: snmp-server authentication-trap command parameters
Parameter enable|disable Description Enables or disables the generation of authentication failure traps.
no snmp-server authentication-trap command

The no snmp-server authentication-trap command disables generation of SNMP authentication failure traps. The syntax for the no snmp-server authentication-trap command is no snmp-server authentication-trap The no snmp-server authentication-trap command executes in the Global Configuration mode.
default snmp-server authentication-trap command

The default snmp-server authentication-trap command restores SNMP authentication trap configuration to the default settings.
August 20, 2010
83
The syntax for the default snmp-server authentication-trap command is default snmp-server authentication-trap The default snmp-server authentication-trap command executes in the Global Configuration mode.
snmp-server community for read or write command

This command configures a single read-only or a single read-write community. A community configured using this command does not have access to any of the SNMPv3 MIBs. The community strings created by this command are controlled by the SNMP Configuration screen in the console interface. These community strings have a fixed MIB view. The snmp-server community command for read/write modifies the community strings for SNMPv1 and SNMPv2c access. The syntax for the snmp-server community for read/write command is snmp-server community [ro|rw] The snmp-server community for read/write command executes in the Global Configuration mode. The following table outlines the parameters for this command. Table 49: snmp-server community for read/write command
Parameter ro|rw (read-only I read-write) Description Specifies read-only or read-write access. Stations with ro access can only retrieve MIB objects, and stations with rw access can retrieve and modify MIB objects. If ro nor rw are not specified, ro is assumed (default).
snmp-server community command

The snmp-server community command allows you to create community strings with varying levels of read, write, and notification access based on SNMPv3 views. These community strings are separate from those created using the snmp-server community for read/ write command. This command affects community strings stored in the SNMPv3 snmpCommunity Table, which allows several community strings to be created. These community strings can have any MIB view. The syntax for the snmp-server community command is snmp-server community {read-view <view-name>|write-view <view-name>| notify-view <view-name>}
84
August 20, 2010
The snmp-server community command executes in the Global Configuration mode. The following table outlines the parameters for this command. Table 50: snmp-server community command parameters
Parameter read-view <view-name> Description Changes the read view used by the new community string for different types of SNMP operations. view-namespecifies the name of the view which is a set of MIB objects/instances that can be accessed; enter an alphanumeric string. Changes the write view used by the new community string for different types of SNMP operations. view-namespecifies the name of the view which is a set of MIB objects/instances that can be accessed; enter an alphanumeric string. Changes the notify view settings used by the new community string for different types of SNMP operations. view-namespecifies the name of the view which is a set of MIB objects/instances that can be accessed; enter an alphanumeric string.
write-view <view-name>
notify-view <view-name>
no snmp-server community command

The no snmp-server community command clears the snmp-server community configuration. The syntax for the no snmp-server community command is no snmp-server community {ro|rw|<community-string>} The no snmp-server community command is executed in the Global Configuration mode. If you do not specify a read-only or read-write community parameter, all community strings are removed, including all the communities controlled by the snmp-server community command and the snmp-server community for read-write command. If you specify read-only or read-write, then just the read-only or read-write community is removed. If you specify the name of a community string, then the community string with that name is removed. The following table outlines the parameters for this command. Table 51: no snmp-server community command parameters
Parameters ro |rw|<community-string> Description Changes the settings for SNMP:
August 20, 2010
85
Parameters
Description ro|rwsets the specified old-style community string value to NONE, thereby disabling it. community-stringdeletes the specified community string from the SNMPv3 MIBs (that is, from the new-style configuration).
default snmp-server community command

The default snmp-server community command restores the community string configuration to the default settings. The syntax for the default snmp-server community command is default snmp-server community [ro|rw] The default snmp-server community command executes in the Global Configuration mode. If the read-only or read-write parameter is omitted from the command, then all communities are restored to their default settings. The read-only community is set to Public, the readwrite community is set to Private, and all other communities are deleted. The following table describes the parameters for this command. Table 52: default snmp-server community command parameters
Parameters ro|rw Description Restores the read-only community to Public, or the readwrite community to Private.
no snmp-server contact command

The no snmp-server contact command clears the sysContact value. The syntax for the no snmp-server contact command is no snmp-server contact The no snmp-server contact command executes in the Global Configuration mode.
default snmp-server contact command

The default snmp-server contact command restores sysContact to the default value. The syntax for the default snmp-server contact command is
86
August 20, 2010
default snmp-server contact The default snmp-server contact command executes in the Global Configuration mode.
snmp-server command
The snmp-server command enables or disables the SNMP server. The syntax for the snmp-server command is: snmp-server {enable|disable} The following table describes the parameters for this command. Table 53: snmp-server command parameters
Parameter enable|disable Description Enables or disables the SNMP server.
no snmp-server command
The no snmp-server command disables SNMP access. The syntax for the no snmp-server command is no snmp-server The no snmp-server command executes in the Global Configuration mode. The no snmp-server command has no parameters or variables. Important: If you disable SNMP access to the switch, you cannot use Device Manager for the switch.
snmp-server host command

The snmp-server host command adds a trap receiver to the trap-receiver table. In the proprietary method, the table has a maximum of four entries, and these entries can generate only SNMPv1 traps. This command controls the contents of the s5AgTrpRcvrTable, which is the set of trap destinations controlled by the SNMP Configuration screen in the console interface. The proprietary method syntax for the snmp-server host for command is snmp-server host <host-ip> <community-string>
August 20, 2010
87
Using the new standards-based SNMP method, you can create several entries in SNMPv3 MIBs. Each can generate v1, v2c, or v3 traps. Important: Before using the desired community string or user in this command, ensure that it is configured with a notify-view. The new standards-based method syntax for the snmp-server host command is snmp-server host <host-ip> [port <trap-port>] {v1 <community-string>| v2c <community-string>|v3 {auth|no-auth|auth-priv}<username> The snmp-server host command executes in the Global Configuration mode. The following table describes the parameters for this command. Table 54: snmp-server host command parameters
Parameter host-ip community-string Description Enter a dotted-decimal IP address of a host to be the trap destination. If you are using the proprietary method for SNMP, enter a community string that works as a password and permits access to the SNMP protocol. Enter a value for the SNMP trap port between 1 and 65535. To configure the new standards-based tables, using v1 creates trap receivers in the SNMPv3 MIBs. Multiple trap receivers with varying access levels can be created. To configure the new standards-based tables, using v2c creates trap receivers in the SNMPv3 MIBs. Multiple trap receivers with varying access levels can be created. To configure the new standards-based tables, using v3 creates trap receivers in the SNMPv3 MIBs. Multiple trap receivers with varying access levels can be created. Enter the following variables: authauth specifies SNMPv3 traps are sent using authentication and no privacy. no-authno-auth specifies SNMPv3 traps are sent using with no authentication and no privacy. auth-privspecifies traps are sent using authentication and privacy; this parameter
port <trap-port> v1<community-string>
v2c<community-string>
v3{auth|no-auth|auth-priv}
88
August 20, 2010
Parameter
Description is available only if the image has full SHA/ DES support.
username
To configure the new standards-based tables; specifies the SNMPv3 username for trap destination; enter an alphanumeric string.
show snmp-server host command

The show snmp-server host command displays the current SNMP host information including the configured trap port. The syntax for the show snmp-server host command is show snmp-server host The show snmp-server host executes in the Privileged EXEC mode.
no snmp-server host command

The no snmp-server host command deletes trap receivers from the table. The proprietary method syntax for the no snmp-server host command is no snmp-server host [<host-ip> [community-string>]] Using the standards-based method of configuring SNMP, a trap receiver matching the IP address and SNMP version is deleted. The standards-based method syntax for the no snmp-server host command is no snmp-server host <host-ip> [port<trap-port>] {v1|v2c|v3| <community-string>} The no snmp-server host command executes in the Global Configuration mode. If you do not specify any parameters, this command deletes all trap destinations from the s5AgTrpRcvrTable and from SNMPv3 tables. The following table describes the parameters for this command. Table 55: no snmp-server host command parameters
Parameter <host-ip> [<community-string>] Description In the proprietary method, enter the following variables:
August 20, 2010
89
Parameter
Description host-ipthe IP address of a trap destination host. community-stringthe community string that works as a password and permits access to the SNMP protocol. If both parameters are omitted, all hosts are cleared, proprietary and standards-based. If a host IP is included, the community-string is required or an error is reported.
<host-ip> port <trap-port> v1|v2c|v3|<community-string>
Using the standards-based method, enter the IP address of a trap destination host. Using the standards-based method, enter the SNMP trap port. Using the standards-based method, specifies trap receivers in the SNMPv3 MIBs. <community-string>the community string that works as a password and permits access to the SNMP protocol.
default snmp-server host command

The default snmp-server host command restores the-old style SNMP server and the standards based tables are reset (cleared). The syntax for the default snmp-server host command is: default snmp-server host The default snmp-server host command is executed in the Global Configuration mode. The default snmp-server host command has no parameters or variables.
snmp-server location command

The snmp-server location command configures the SNMP sysLocation value. The syntax for the snmp-server location command is: snmp-server location <text> The snmp-server location command is executed in the Global Configuration mode. The following table describes the parameters for this command.
90
August 20, 2010
Table 56: snmp-server location command parameters

Parameter text Description Specify the SNMP sysLocation value; enter an alphanumeric string of up to 255 characters.
no snmp-server location command

The no snmp-server location command clears the SNMP sysLocation value. The syntax for the no snmp-server location command is: no snmp-server location The no snmp-server location command is executed in the Global Configuration mode.
default snmp-server location command

The default snmp-server location command restores sysLocation to the default value. The syntax for the default snmp-server location command is: default snmp-server location The default snmp-server location command is executed in the Global Configuration mode.
snmp-server name command

The snmp-server name command configures the SNMP sysName value. The syntax for the snmp-server name command is: snmp-server name <text> The snmp-server name command is executed in the Global Configuration mode. The following table describes the parameters for this command. Table 57: snmp-server name command parameters
Parameter text Description Specify the SNMP sysName value; enter an alphanumeric string of up to 255 characters.
August 20, 2010
91
no snmp-server name command

The no snmp-server name command clears the SNMP sysName value. The syntax for the no snmp-server name command is: no snmp-server name The no snmp-server name command is executed in the Global Configuration mode.
default snmp-server name command

The default snmp-server name command restores sysName to the default value. The syntax for the default snmp-server name command is: default snmp-server name The default snmp-server name command is executed in the Global Configuration mode.
snmp-server user command

The snmp-server user command creates an SNMPv3 user. For each user, you can create three sets of read/write/notify views: for unauthenticated access for authenticated access for authenticated and encrypted access The syntax for the snmp-server user command for unauthenticated access is: snmp-server user <username> [read-view<view-name>] [write-view<viewname>] [notify-view<view-name] The syntax for the snmp-server user command for authenticated access is: snmp-server user <username> [read-view<view-name>] [write-view<viewname>] [notify-view<view-name]] md5|sha <password> [read-view<viewname>] [write-view<view-name>] [notify-view<view-name] The syntax for the snmp-server user command for authenticated and encrypted access is: snmp-server user <username> [read-view<view-name>] [write-view<viewname>] [notify-view<view-name]] md5|sha <password> [read-view<viewname>] [write-view<view-name>] [notify-view<view-name]] {3des|aes| des} <password> [read-view<view-name>] [write-view<view-name>] [notify-view<view-name] The snmp-server user command is executed in the Global Configuration mode.
92
August 20, 2010
The sha and 3des/aes/des parameters are only available if the switch image has SSH support. For authenticated access, you must specify the md5 or sha parameter. For authenticated and encrypted access, you must also specify the 3des, aes, or des parameter. For each level of access, you can specify read, write, and notify views. If you do not specify view parameters for authenticated access, the user will have access to the views specified for unauthenticated access. If you do not specify view parameters for encrypted access, the user will have access to the views specified for authenticated access or, if no authenticated views were specified, the user will have access to the views specified for unauthenticated access. The following table describes the parameters for this command. Table 58: snmp-server user command parameters
Parameters username md5 <password> Description Specifies the user name. Enter an alphanumeric string of up to 255 characters. Specifies the use of an md5 password. <password> specifies the new user md5 password; enter an alphanumeric string. If this parameter is omitted, the user is created with only unauthenticated access rights. Specifies the read view to which the new user has access: view-namespecifies the viewname; enter an alphanumeric string of up to 255 characters. write-view <view-name> Specifies the write view to which the new user has access: view-namespecifies the viewname; enter an alphanumeric string that can contain at least some of the nonalphanumeric characters. notify-view <view-name> Specifies the notify view to which the new user has access: view-namespecifies the viewname; enter an alphanumeric string that can contain at least some of the nonalphanumeric characters. SHA 3DES AES DES engine-id Specifies SHA authentication. Specifies 3DES privacy encryption. Specifies AES privacy encryption. Specifies DES privacy encryption. Specifies the new remote user to receive notifications. notify-viewspecifies the viewname to notify.
read-view <view-name>
August 20, 2010
93
Important: If a view parameter is omitted from the command, that view type cannot be accessed.
no snmp-server user command

The no snmp-server user command deletes the specified user. The syntax for the no snmp-server user command is: no snmp-server user [engine-id<engine ID>] <username> The no snmp-server user command is executed in the Global Configuration mode. Important: If you do not specify any parameters, this command deletes all snmpv3 users from the SNMPv3 tables. The following table describes the parameters for this command. Table 59: no snmp-server user command parameters
Parameters [engine-id <engine ID>] username Description Specifies the SNMP engine ID of the remote SNMP entity. Specifies the user to be removed.
snmp-server view command

The snmp-server view command creates an SNMPv3 view. The view is a set of MIB object instances which can be accessed. The syntax for the snmp-server view command is: snmp-server view <view-name> <OID> [<OID> {<OID> [<OID> [<OID> [<OID> [<OID> [<OID> [<OID> [<OID>]]]]]]]]] The snmp-server view command is executed in the Global Configuration mode. The following table describes the parameters for this command. Table 60: snmp-server view command parameters
Parameters viewname Description Specifies the name of the new view; enter an alphanumeric string.
94
August 20, 2010
Parameters OID
Description Specifies Object identifier. OID can be entered as a dotted form OID. Each OID must be preceded by a + or - sign (if this is omitted, a + sign is implied). The + is not optional. For the dotted form, a sub-identifier can be an asterisk, indicating a wildcard. Here are some examples of valid OID parameters: sysName +sysName -sysName +sysName.0 +ifIndex.1 -ifEntry..1 (this matches all objects in the ifTable with an instance of 1; that is, the entry for interface #1) 1.3.6.1.2.1.1.1.0 (the dotted form of sysDescr) The + or - indicates whether the specified OID is included in or excluded from, the set of MIB objects accessible using this view. There are 10 possible OID values.
no snmp-server view command

The no snmp-server view command deletes the specified view. The syntax for the no snmp-server view is: no snmp-server view <viewname> The no snmp-server view is executed in the Global Configuration mode. The following table describes the parameters for this command. Table 61: no snmp-server view command parameters
Parameter viewname Description Specifies the name of the view to be removed. This is not an optional parameter.
snmp-server bootstrap command

The snmp-server bootstrap command allows you to specify how you wish to secure SNMP communications, as described in the SNMPv3 standards. It creates an initial set of
August 20, 2010
95
configuration data for SNMPv3. This configuration data follows the conventions described in the SNMPv3 standard (in RFC 3414 and 3415). This commands creates a set of initial users, groups and views. Important: This command deletes all existing SNMP configurations, hence must be used with care. The syntax for the snmp-server bootstrap command is: snmp-server bootstrap <minimum-secure>|<semi-secure>|<very-secure> The snmp-server bootstrap command is executed in the Global Configuration mode. The following table describes the parameters for this command. Table 62: snmp-server bootstrap command parameters
Parameters <minimum-secure> Description Specifies a minimum security configuration that allows read access and notify access to all processes (view restricted) with noAuth-noPriv and read, write, and notify access to all processes (internet view) using Auth-noPriv and Auth-Priv. Important: In this configuration, view restricted matches view internet. <semi-secure> Specifies a minimum security configuration that allows read access and notify access to all processes (view restricted) with noAuth-noPriv and read, write, and notify access to all processes (internet view) using Auth-noPriv and Auth-Priv. Important: In this configuration, restricted contains a smaller subset of views than internet view. The subsets are defined according to RFC 3515 Appendix A. <very-secure> Specifies a maximum security configuration that allows no access to the users.
show snmp-server notification-control

The show snmp-server notification-control command shows the current state of the applicable notifications. The syntax for the show snmp-server notification-control command is show snmp-server notification-control The show snmp-server notification-control command executes in Privileged EXEC mode.
96
August 20, 2010
snmp-server notification-control command

The snmp-server notification-control command enables the notification identified by the command parameter. The notification options are: DHCP Snooping: bsDhcpSnoopingBindingTableFull, bsDhcpSnoopingTrap Dynamic ARP Inspection: bsaiArpPacketDroppedOnUntrustedPort IP Source Guard: bsSourceGuardReachedMaxIpEntries, bsSourceGuardCannotEnablePort The syntax for the snmp-server notification-control command is snmp-server notification-control <WORD/1-128> The snmp-server notification-control command executes in Global Configuration mode. The following table describes the parameters for this command. Table 63: snmp-server notification-control command parameters
Parameter <WORD/1-128> Description Can either be the English description or the OID of a supported notification type.
no snmp-server notification-control
The no snmp-server notification-control command disables the notification identified by the command parameter. The notification options are: DHCP Snooping: bsDhcpSnoopingBindingTableFull, bsDhcpSnoopingTrap Dynamic ARP Inspection: bsaiArpPacketDroppedOnUntrustedPort IP Source Guard: bsSourceGuardReachedMaxIpEntries, bsSourceGuardCannotEnablePort The syntax for the no snmp-server notification-control command is no snmp-server notification-control <WORD/1-128> The no snmp-server notification-control command executes in Global Configuration mode. The following table describes the parameters for this command.
August 20, 2010
97
Table 64: no snmp-server notification-control command parameters

default snmp-server notification-control

The default snmp-server notification-control command returns the notification identified by the command parameter to its default state. The syntax for the default snmp-server notification-control command is default snmp-server notification-control <WORD/1-128> The default snmp-server notification-control command executes in Global Configuration mode. The following table describes the parameters for this command. Table 65: default snmp-server notification-control command parameters
spanning-tree rstp traps command

The RSTP traps feature provides notifications for the following events: RSTP instance up/down RSTP core memory allocation error RSTP core buffer allocation error New root bridge Port protocol migration The default settings of RSTP traps are enabled. The events are notified as SNMP traps and as system log messages. The following messages for the RSTP traps will be logged into the system log: Trap: RSTP General Event (Up/Down) Trap: RSTP Error Event (Mem Fail / Buff Fail) Trap: RSTP New Root tt:tt:tt:tt:tt:tt:tt:tt
98
August 20, 2010
Trap: RSTP Topology Change Trap: RSTP Protocol Migration Type: Send (RSTP/STP) for Port: t If the traps are not received on the traps receiver host (should be configured) but the traps are logged into the system log, the network connectivity should be checked. The spanning-tree rstp traps command enables RSTP traps. The syntax for the spanning-tree rstp traps command is spanning-tree rstp traps The spanning-tree rstp traps command executes in the Global Configuration mode.
no spanning-tree rstp traps command

The no spanning-tree rstp traps command disables RSTP traps. The syntax for the no spanning-tree rstp traps is no spanning-tree rstp traps The no spanning-tree rstp traps command executes in the Global Configuration mode.
default spanning-tree rstp traps command

The default spanning-tree rstp traps command returns RSTP traps to their default state. The syntax for the default spanning-tree rstp traps is default spanning-tree rstp traps The default spanning-tree rstp traps command executes in the Global Configuration mode.
show spanning-tree rstp traps config conmmand

The show spanning-tree rstp traps config command shows the current state of the RSTP trap. The syntax for the show spanning-tree rstp traps config command is show spanning-tree rstp traps config The show spanning-tree rstp traps config command executes in the Privileged EXEC mode.
August 20, 2010
99
Configuring TACACS+ using CLI

To configure TACACS+ to perform AAA services for system users, do the following: 1. Configure the TACACS+ server itself. For more information, see the vendor documentation for your server for specific configuration procedures. 2. Configure TACACS+ server settings on the switch 3. Enable TACACS+ services over serial or Telnet connections 4. Enable TACACS+ authorization and specify privilege levels 5. Enable TACACS+ accounting Important: You can enable TACACS+ authorization without enabling TACACS+ accounting, and you can enable TACACS+ accounting without enabling TACACS+ authorization. Use the following commands to configure TACACS+: Configuring TACACS+ server settings on page 100 Enabling remote TACACS+ services on page 101 Enabling TACACS+ authorization on page 101 Setting authorization privilege levels on page 102 Enabling TACACS+ accounting Viewing TACACS+ information on page 102
Configuring TACACS+ server settings

To add a TACACS+ server, use the following command in Global or Interface Configuration mode: tacacs server The following table describes the parameters for this command. Table 66: tacas server command parameters
Parameter host <IPaddr> key <key> Description Specifies the IP address of the primary server you want to add or configure. Specifies the secret authentication and encryption key used for all communications between the NAS and the TACACS+ server. The key, also referred to as the shared secret, must be the same as the one defined
100
August 20, 2010
Parameter
Description on the server. You are prompted to confirm the key when you enter it. Important: The key parameter is a required parameter when you create a new server entry. The parameter is optional when you are modifying an existing entry.
[secondary host <IPaddr>]
Specifies the IP address of the secondary server. The secondary server is used only if the primary server does not respond. Specifies the TCP port for TACACS+ where port is an integer in the range of 0-65535. The default port number is 49.
[port <port>]
To delete a TACACS+ server, use one of the following commands in Global or Interface Configuration mode: no tacacs default tacacs The commands erase settings for the TACACS+ primary and secondary servers and secret key, and restore default port settings.
Enabling remote TACACS+ services

To enable TACACS+ to provide services to remote users over serial or Telnet connections, use the following commands in Global or Interface Configuration mode. For serial connections: cli password serial tacacs For Telnet connections: cli password telnet tacacs You must configure a TACACS+ server on the switch before you can enable remote TACACS + services. For more information about configuring the primary TACACS+ server and shared secret, see Configuring TACACS+ server settings (page 159).
Enabling TACACS+ authorization

To enable TACACS+ authorization globally on the switch, use the following command in Global or Interface Configuration mode: tacacs authorization enable
August 20, 2010
101
To disable TACACS+ authorization globally on the switch, use the following command in Global or Interface Configuration mode: tacacs authorization disable The default is disabled.
Setting authorization privilege levels

The preconfigured privilege levels control which commands can be executed. If a user has been assigned a privilege level for which authorization has been enabled, TACACS+ authorizes the authenticated user to execute a specific command only if the command is allowed for that privilege level. To specify the privilege levels to which authorization applies, use the following command in Global or Interface Configuration mode: tacacs authorization level all|<level>|none The following table describes the parameters for this command. Table 67: tacas authorization command parameters
Parameter all <level> Description Authorization is enabled for all privilege levels. An integer in the range 015 that specifies the privilege levels for which authorization is enabled. You can enter a single level, a range of levels, or several levels. For any levels you do not specify, authorization does not apply, and users assigned to these levels can execute all commands. Authorization is not enabled for any privilege level. All users can execute any command available on the switch.
none
Viewing TACACS+ information

To display TACACS+ configuration status, enter the following command from any mode: show tacacs
102
August 20, 2010
Configuring IP Manager using CLI

To configure the IP Manager to control management access to the switch, do the following: Enable IP Manager. Configure the IP Manager list. Use the following commands to configure IP Manager: Enabling IP Manager on page 103 Configuring the IP Manager list on page 103 Removing IP Manager list entries on page 104 Viewing IP Manager settings on page 104
Enabling IP Manager
To enable IP Manager to control Telnet, SNMP, SSH, or HTTP access, use the following command in Global Configuration mode: ipmgr {telnet|snmp|web|ssh} The following table describes the parameters for this command. Table 68: Enabling IP manager command parameters
Parameter telnet snmp web ssh Description Enables the IP Manager list check for Telnet access. Enables the IP Manager list check for SNMP, including Device Manager. Enables the IP Manager list check for Web-based management system. Enables the IP Manager list check for SSH access.
To disable IP Manager for a management system, use the no keyword at the start of the command.
Configuring the IP Manager list

To specify the source IP addresses or address ranges that have access the switch when IP Manager is enabled, use the following command in Global Configuration mode: For Ipv4 entries with list ID between 1-50: ipmgr source-ip <list ID> <Ipv4addr> [mask<mask>]
August 20, 2010
103
The following table describes the parameters for this command. Table 69: ipmgr source-ip command parameters
Parameter <list ID> Description An integer in the range 1-50 for Ipv4 entries and 51-100 for Ipv6 entries that uniquely identifies the entry in the IP Manager list. Specifies the source IP address from which access is allowed. Enter the IP address either as an integer or in dotted-decimal notation. Specifies the subnet mask from which access is allowed. Enter the IP mask in dotted-decimal notation.
<Ipv4addr>
[mask <mask>]
Removing IP Manager list entries

To deny access to the switch for specified source IP addresses or address ranges, use the following command in Global Configuration mode: no ipmgr source-ip [<list ID>] <list ID> is an integer in the range 1-50 for Ipv4 addresses that uniquely identifies the entry in the IP Manager list. The command sets both the IP address and mask for the specified entry to 255.255.255.255 for Ipv4 entries. If you do not specify a <list ID> value, the command resets the whole list to factory defaults.
Viewing IP Manager settings

To view IP Manager settings, use the following command in any mode: show ipmgr The command displays whether Telnet, SNMP, SSH, and Web access are enabled whether the IP Manager list is being used to control access to Telnet, SNMP, SSH, and Web-based management system the current IP Manager list configuration
104
August 20, 2010
Configuring password security using CLI

The CLI commands detailed in this section are used to manage password security features. These commands can be used in the Global Configuration and Interface Configuration command modes. Enabling password security on page 105 Disabling password security on page 105 Creating user names and passwords on page 105 Configuring password retry attempts on page 106 Configuring password history on page 106 Defaulting password history on page 106 Displaying password history settings on page 106
Enabling password security

The password security command enables the Password Security feature on the WLAN 8100 Series. The syntax of the password security command is password security
Disabling password security

The no password security command disables the Password Security feature on the WLAN 8100 Series. The syntax for the no password security command is no password security
Creating user names and passwords

Use the username command to create custom user names and assign switch read-only and read-write passwords to them. These custom user names apply to local authentication only. The syntax of this command is as follows: username <username> {ro | rw} After entering this command the user is prompted to enter the password for the new user. Custom users cannot have custom access rights and limitations. Use of the associated readonly password confers the same rights and limitations as the default read-only user. Use of
August 20, 2010
105
the associated read-write password confers the same rights and limitation as the default readwrite user.
Configuring password retry attempts

To configure the number of times a user can retry a password, use the following command in Global or Interface Configuration mode: telnet-access retry <number> Where number is an integer in the range 1 to 100 that specifies the allowed number of failed log on attempts. The default is 3.
Configuring password history

Use the password password-history command to configure the number of passwords stored in the password history table. This command has the following syntax: password password-history <3-10> The parameter <3-10> represents the number of passwords to store in the history table. Use the appropriate value when configuring the feature.
Defaulting password history

Use the default password password-history command to return the number of passwords stored in the password history table to the default value of 3.
Displaying password history settings

The show password password-history command is used to display the number of passwords currently stored in the password history table.
Displaying CLI Audit log using CLI

The CLI audit provides a means for tracking CLI commands. The show audit log command displays the command history audit log stored in NVRAM. The syntax for the show audit log command is: show audit log [asccfg | serial | telnet] The show audit log command is in the Privileged EXEC mode. The following table describes the parameters and variables for the show audit log command.
106
August 20, 2010
Table 70: show audit log command parameters

Parameter asccfg serial telnet Description Displays the audit log for ASCII configuration. Displays the audit log for serial connections. Displays the audit log for Telnet and SSH connections.
Configuring Secure Socket Layer services using CLI

The following table lists CLI commands available for working with Secure Socket Layer (SSL). Table 71: SSL commands
Command [no] ssl Description Enables or disables SSL. The Web server operates in a secure mode when SSL is enabled and in nonsecure mode when the SSL server is disabled. Creates or deletes a certificate. The new certificate is used only on the next system reset or SSL server reset. The new certificate is stored in the NVRAM with the file name SSLCERT.DAT. The new certificate file replaces the existing file. On deletion, the certificate in NVRAM is also deleted. The current SSL server operation is not affected by the create or delete operation. Resets the SSL server. If SSL is enabled, the SSL server is restarted and initialized with the certificate that is stored in the NVRAM. Any existing SSL connections are closed. If SSL is not enabled, the existing nonsecure connection is also closed and the nonsecure operation resumes. Shows the SSL server configuration and SSL server state. Displays the certificate which is stored in the NVRAM and is used by the SSL server.
[no] ssl certificate
ssl reset
show ssl show ssl certificate
The following table describes the output for the show ssl command.
August 20, 2010
107
Table 72: Server state information

Field WEB Server SSL secured SSL server state Description Shows whether the Web server is using an SSL connection. Displays one of the following states: Un-initialized: The server is not running. Certificate Initialization: The server is generating a certificate during its initialization phase. Active: The server is initialized and running. SSL Certificate: Generation in progress Shows whether SSL is in the process of generating a certificate. The SSL server generates a certificate during server startup initialization, or CLI user can regenerate a new certificate. Shows whether an SSL certificate exists in the NVRAM. The SSL certificate is not present if the system is being initialized for the first time or CLI user has deleted the certificate.
SSL Certificate: Saved in NVRAM
Configuring Secure Shell protocol using CLI

Secure Shell protocol is used to improve Telnet and provide a secure access to CLI interface. There are two versions of the SSH Protocol. The WLAN 8100 Series SSH supports SSH2. The following CLI commands are used in the configuration and management of SSH. show ssh command on page 109 ssh dsa-host-key command on page 109 no ssh dsa-host-key command on page 110 ssh download-auth-key command on page 110 no ssh dsa-auth-key command on page 110 ssh command on page 111 no ssh command on page 111 ssh secure command on page 111 ssh dsa-auth command on page 112 no ssh dsa-auth on page 112
108
August 20, 2010
default ssh dsa-auth command on page 112 ssh pass-auth command on page 112 no ssh pass-auth command on page 112 default ssh pass-auth command on page 113 ssh port command on page 113 default ssh port command on page 113 ssh timeout command on page 113 default ssh timeout command on page 114
show ssh command

This command displays information about all active SSH sessions and on other general SSH settings. The syntax for the show ssh command is: show ssh {global|session|download-auth-key} The following table describes the parameters for this command. Table 73: show ssh command parameters
Parameter download-auth-key global session Description Display authorization key and TFTP server IP address Display general SSH settings Display SSH session information
The show ssh global command is executed in the Privileged EXEC command mode.
ssh dsa-host-key command

The ssh dsa-host-key command triggers the DSA key regeneration. The syntax for the ssh dsa-host-key command is: ssh dsa-host-key The command is executed in the Global Configuration mode. The ssh dsa-host-key command has no parameters or variables.
August 20, 2010
109
no ssh dsa-host-key command

The no ssh dsa-host-key command deletes the DSA keys in the switch. A new DSA key can be generated by executing dsa-host-key or SSH enable commands. The syntax for the no ssh dsa-host-key command is: no ssh dsa-host-key The no ssh dsa-host-key command is executed in the Global Configuration mode. The no ssh dsa-host-key command has no parameters or variables.
ssh download-auth-key command

The ssh download-auth-key command downloads the DSA authentication key into the switch from the specified TFTP server or from the USB stick, if available. The syntax for the ssh download-auth-key command is: ssh download-auth-key [address] [<key-name>] [usb] The following table describes the parameters for this command. Table 74: ssh download-auth-key command parameters
Parameter address key-name usb Description Specify the TFTP server IP address. Specify the TFTP/USB file name. Specify whether download SSH auth key from the USB stick. Available only if the device has USB port.
The ssh download-auth-key command is executed in the Global Configuration mode.
no ssh dsa-auth-key command

The no ssh dsa-auth-key command deletes the DSA authentication key stored in the switch. The syntax for the no ssh dsa-auth-key command is: no ssh dsa-auth-key The no ssh dsa-auth-key command is executed in the Global Configuration mode.
110
August 20, 2010
ssh command
The ssh command enables SSH in a non secure mode. If the host keys do not exist, they are generated. The syntax for the ssh command is: ssh The ssh command is executed in the Global Configuration mode. This command has no parameters.
no ssh command
The no ssh command disables SSH. The syntax for the no ssh command is: no ssh {dsa-auth|dsa-auth-key|dsa-host-key|pass-auth} The following table describes the parameters for this command. Table 75: no ssh command parameters
Parameter dsa-auth dsa-auth-key dsa-host-key pass-auth Description Disable SSH DSA authentication. Delete SSH DSA auth key. Delete SSH DSA host key. Disable SSH password authentication.
The no ssh command is executed in the Global Configuration mode.
ssh secure command

The ssh secure command disables web, SNMP, and Telnet management interfaces permanently. The no ssh command does NOT turn them back on; they must be re-enabled manually. A warning message is issued to the user to enable one of the other interfaces before turning off SSH secure mode. The syntax for the ssh secure command is: ssh secure The ssh secure command is executed in the Global Configuration mode.
August 20, 2010
111
ssh dsa-auth command

The ssh dsa-auth command enables the user log on using DSA key authentication. The syntax for the command is: ssh dsa-auth The ssh dsa-auth command is executed in the Global Configuration mode.
no ssh dsa-auth
The no ssh dsa-auth command disables user log on using DSA key authentication. The syntax for the no ssh dsa-auth command is: no ssh dsa-auth The no ssh dsa-auth command is executed in the Global Configuration mode.
default ssh dsa-auth command

The default ssh dsa-auth command enables the user log on using the DSA key authentication. The syntax for the default ssh dsa-auth command is: default ssh dsa-auth The default ssh dsa-auth command is executed in the Global Configuration mode.
ssh pass-auth command

The ssh pass-auth command enables user log on using the password authentication method. The syntax for the ssh pass-auth command is: ssh pass-auth The ssh pass-auth command is executed in the Global Configuration mode.
no ssh pass-auth command

The no ssh pass-auth command disables user log on using password authentication. The syntax for the no ssh pass-auth command is:
112
August 20, 2010
no ssh pass-auth The no ssh pass-auth command is executed in the Global Configuration mode.
default ssh pass-auth command

The default ssh pass-auth command enables user log on using password authentication. The syntax for the default ssh pass-auth command is: default ssh pass-auth The default ssh pass-auth command is executed in the Global Configuration mode.
ssh port command

The ssh port command sets the TCP port for the SSH daemon. The syntax for the ssh port command is: ssh port <1-65535> Substitute the <1-65535> with the number of the TCP port to be used. The ssh port command is executed in the Global Configuration mode.
default ssh port command

The default ssh port command sets the default TCP port for the SSH daemon. The syntax for the default ssh port command is: default ssh port The default ssh port command is executed in the Global Configuration mode.
ssh timeout command

The ssh timeout command sets the authentication timeout, in seconds. The syntax of the ssh timeout command is: ssh timeout <1-120> Substitute <1-120> with the desired number of seconds. The ssh timeout command is executed in the Global Configuration mode.
August 20, 2010
113
default ssh timeout command

The default ssh timeout command sets the default authentication timeout to 60 seconds. The syntax for the default ssh timeout command is: default ssh timeout The default ssh timeout command is executed in the Global Configuration mode.
Configuring VLANs and Link Aggregation

This chapter describes the methods and procedures necessary to configure VLANs, Spanning Tree and Link Aggregation on the WC 8180. Navigation Configuring VLANs using CLI on page 114 Configuring STP using CLI on page 125 Configuring MLT using CLI on page 135 Configuring LACP and VLACP using CLI on page 137
Configuring VLANs using CLI

The Command Line Interface commands detailed in this section allow for the creation and management of VLANs. Depending on the type of VLAN being created or managed, the command mode needed to execute these commands can differ. Navigation This section contains information about the following topics: Displaying VLAN information on page 115 Displaying VLAN interface information on page 116 Displaying VLAN port membership on page 116 Setting the management VLAN on page 116 Resetting the management VLAN to default on page 117 Creating a VLAN on page 117 Deleting a VLAN on page 118 Modifying VLAN MAC address flooding on page 118 Configuring VLAN name on page 119
114
August 20, 2010
Enabling automatic PVID on page 119 Configuring VLAN port settings on page 119 Configuring VLAN members on page 120 Configuring VLAN Configuration Control on page 120 Managing the MAC address forwarding database table on page 122 IP Directed Broadcasting on page 124
Displaying VLAN information

Use the following procedure to display the number, name, type, protocol, user PID, state of a VLAN and whether it is a management VLAN.
To display VLAN information, use the following command from Privileged EXEC mode. show vlan [configcontrol] [dhcp-relay <1-4094>] [igmp {<1-4094>| unknown-mcast-allow-flood | unknown-mcast-noflood}] [interface { info | vids}] [ip <vid>] [mgmt] [multicast <membership>] [type {port | protocol-ipEther2| protocolipx802.3 | protocol-ipx802.2 | protocol-ipxSnap | protocol-ip xEther2 | protocol-decEther2 | protocol-snaEther2 | protocolNetbios | protocol-xnsEther2 | protocol-vi nesEther2 | protocol-ipv6Ether2 | protocol-Userdef |protocol-RarpEther2] [vid <1-4094>]
Variable definitions
The following table describes the variables for this command.
Variable vid <1-4094> type Value Enter the number of the VLAN to display. Enter the type of VLAN to display: port - port-based protocol - protocol-based (see following list) protocol-ipEther2 protocol-ipx802.3 protocol-ipx802.2 protocol-ipxSnap Specifies an ipEther2 protocol-based VLAN. Specifies an ipx802.3 protocol-based VLAN. Specifies an ipx802.2 protocol-based VLAN. Specifies an ipxSnap protocol-based VLAN.
August 20, 2010
115
Variable protocol-ipxEther2 protocol-decEther2 protocol-snaEther2 protocol-Netbios protocol-xnsEther2 protocol-vinesEther2 protocol-ipv6Ether2 protocol-Userdef protocol-RarpEther2
Value Specifies an ipxEther2 protocol-based VLAN. Specifies a decEther2 protocol-based VLAN. Specifies an snaEther2 protocol-based VLAN. Specifies a NetBIOS protocol-based VLAN. Specifies an xnsEther2 protocol-based VLAN. Specifies a vinesEther2 protocol-based VLAN. Specifies an ipv6Ether2 protocol-based VLAN. Specifies a user-defined protocol-based VLAN. Specifies a RarpEther2 protocol-based VLAN.
Displaying VLAN interface information

Use the following procedure to display VLAN settings associated with a port, including tagging information, PVID number, priority, and filtering information for tagged, untagged, and unregistered frames.
To display VLAN interface information, use the following command from Privileged EXEC mode. show vlan interface info [<portlist>]
Displaying VLAN port membership

Use the following procedure to display port memberships in VLANs.
To display VLAN port memberships, use the following command from Privileged EXEC mode. show vlan interface vids [<portlist>]
Setting the management VLAN

Use the following procedure to set a VLAN as the management VLAN.
116
August 20, 2010
To set the management VLAN, use the following command from Global Configuration mode. vlan mgmt <1-4094>
Resetting the management VLAN to default

Use the following procedure to reset the management VLAN to VLAN1.
To reset the management VLAN to default, use the following command from Global Configuration mode. default vlan mgmt
Creating a VLAN
Use the following procedure to create a VLAN. A VLAN is created by setting the state of a previously nonexistent VLAN.
To create a VLAN, use the following command from Global Configuration mode. vlan create <1-4094> [name<line>] type {port | protocolipEther2 | protocol-ipx802.3 | protocolipx802.2 | protocolipxSnap | protocol-ipxEther2 | protocol-decEther2 | protocolsnaEther2 | protocol-N etbios | protocol-xnsEther2 | protocolvinesEther2 | protocol-ipv6Ether2 | protocol-Userdef <4096-65534>| protocol-RarpEther2}
Variable definitions
Variable <1-4094> name <line> type Value Enter the number of the VLAN to create. Enter the name of the VLAN to create. Enter the type of VLAN to create:
August 20, 2010
117
Variable port - port-based
Value
protocol - protocol-based (see following list) protocol-ipEther2 protocol-ipx802.3 protocol-ipx802.2 protocol-ipxSnap protocol-ipxEther2 protocol-decEther2 protocol-snaEther2 protocol-Netbios protocol-xnsEther2 protocol-vinesEther2 protocol-Userdef <4096-65534> protocol-ipv6Ether2 Specifies an ipEther2 protocol-based VLAN. Specifies an ipx802.3 protocol-based VLAN. Specifies an ipx802.2 protocol-based VLAN. Specifies an ipxSnap protocol-based VLAN. Specifies an ipxEther2 protocol-based VLAN. Specifies a decEther2 protocol-based VLAN. Specifies an snaEther2 protocol-based VLAN. Specifies a NetBIOS protocol-based VLAN. Specifies an xnsEther2 protocol-based VLAN. Specifies a vinesEther2 protocol-based VLAN. Specifies a user-defined protocol-based VLAN. Specifies an ipv6Ether2 protocol-based VLAN.
Deleting a VLAN
Use the following procedure to delete a VLAN.
To delete a VLAN, use the following command from Global Configuration mode. vlan delete <2-4094>
Modifying VLAN MAC address flooding

Use the following procedure to remove MAC addresses from the list of addresses for which flooding is allowed. This procedure can also be used as an alternate method of deleting a VLAN.
To modify VLAN MAC address flooding, or to delete a VLAN, use the following command from Global Configuration mode. no vlan [<2-4094>] [igmp unknown-mcast-allow-flood <H.H.H>]
118
August 20, 2010
Configuring VLAN name

Use the following procedure to configure or modify the name of an existing VLAN.
To configure the VLAN name, use the following command from Global Configuration mode. vlan name <1-4094> <line>
Enabling automatic PVID

Use the following procedure to enable the automatic PVID feature.
To enable automatic PVID, use the following command from Global Configuration mode. [no] auto-pvid Use the no form of this command to disable
Configuring VLAN port settings

Use the following procedure to configure VLAN-related settings for a port.
To configure VLAN port settings, use the following command from Global Configuration mode. vlan ports [<portlist>] [tagging {enable | disable | tagAll | untagAll | tagPvidOnly | untagPvidOnly}] [pvid <1-4094>] [filter-untagged-frame {enable | disable}] [filterunregistered-frames {enable | disable}] [priority <0-7>] [name <line>] Variable Definitions
Variable <portlist> Value Enter the port numbers to be configured for a VLAN.
August 20, 2010
119
Variable tagging {enable|disable|tagAll| untagAll| tagPvidOnly| untagPvidOnly} pvid <1-4094> filter-untagged-frame {enable| disable}
Value Enables or disables the port as a tagged VLAN member for egressing packet. Sets the PVID of the port to the specified VLAN. Enables or disables the port to filter received untagged packets.
filter-unregistered-frames {enable | Enables or disables the port to filter received disable} unregistered packets. Enabling this feature on a port means that any frames with a VID to which the port does not belong to are discarded. priority <0-7> name <line> Sets the port as a priority for the switch to consider as it forwards received packets. Enter the name you want for this port. Note: This option can only be used if a single port is specified in the <portlist>
Configuring VLAN members

Use the following procedure to add or delete a port from a VLAN.
To configure VLAN members, use the following command from Global Configuration mode. vlan members [add | remove] <1-4094> <portlist> Variable Definitions
Variable add | remove Value Adds a port to or removes a port from a VLAN. Note: If this parameter is omitted, set the exact port membership for the VLAN; the prior port membership of the VLAN is discarded and replaced by the new list of ports. Specifies the target VLAN. Enter the list of ports to be added, removed, or assigned to the VLAN.
<1-4094> portlist
Configuring VLAN Configuration Control

VLAN Configuration Control (VCC) allows a switch administrator to control how VLANs are modified. VLAN Configuration Control is a superset of the existing AutoPVID functionality and
120
August 20, 2010
incorporates this functionality for backwards compatibility. VLAN Configuration Control is globally applied to all VLANs on the switch. VLAN Configuration Control offers four options for controlling VLAN modification: Strict Automatic AutoPVID Flexible Note: The factory default setting is Strict. VLAN Configuration Control is only applied to ports with the tagging modes of Untag All and Tag PVID Only. To configure VCC using the CLI, refer to the following commands: Displaying VLAN Configuration Control settings on page 121 Modifying VLAN Configuration Control settings on page 121 Displaying VLAN Configuration Control settings Use the following procedure to display the current VLAN Configuration Control setting.
To display VLAN Configuration Control settings, use the following command from Global Configuration mode. show vlan configcontrol Modifying VLAN Configuration Control settings Use the following procedure to modify the current VLAN Configuration Control setting. This command applies the selected option to all VLANs on the switch.
To modify VLAN Configuration Control settings, use the following command from Global Configuration more vlan configcontrol <vcc_option> Variable Definitions
Variable <vcc_option> Value This parameter denotes the VCC option to use on the switch. The valid values are: automatic -- Changes the VCC option to Automatic. autopvid -- Changes the VCC option to AutoPVID.
August 20, 2010
121
Variable
Value flexible -- Changes the VCC option to Flexible. strict -- Changes the VCC option to Strict. This is the default VCC value.
Managing the MAC address forwarding database table

This section shows you how to view the contents of the MAC address forwarding database table, as well as setting the age-out time for the addresses. The MAC flush feature is a direct way to flush MAC addresses from the MAC address table. The MAC flush commands allow flushing of: a single MAC address (see Removing a single address from the MAC address table (page 157)) all addresses from the MAC address table (see Clearing the MAC address table (page 156) a port or list of ports (see Clearing the MAC address table on a FastEthernet interface (page 156)) a trunk (see Clearing the MAC address table on a trunk (page 156)) a VLAN (see Clearing the MAC address table on a VLAN (page 156)) MAC flush deletes dynamically learned addresses. MAC flush commands may not be executed instantly when the command is issued. Since flushing the MAC address table is not considered an urgent task, MAC flush commands are assigned the lowest priority and placed in a queue. The MAC flush commands are supported in CLI, SNMP, DM, and Web-based Management. Use the following commands to manage the MAC address forwarding database table: Displaying MAC address forwarding table on page 122 Configuring MAC address retention on page 123 Setting MAC address retention time to default on page 123 Clearing the MAC address table on page 124 Clearing the MAC address table on a VLAN on page 124 Clearing the MAC address table on a FastEthernet interface on page 124 Clearing the MAC address table on a trunk on page 124 Displaying MAC address forwarding table Use the following procedure to display the current contents of the MAC address forwarding database table. You can filter the MAC Address table by port number. The MAC address table can store up to 16000 addresses.
122
August 20, 2010
To displaying the MAC address forwarding table, use the following command from Privileged EXEC mode show mac-address-table [vid<1-4094>] [aging-time] [address<H.H.H>] [port<portlist>] Variable Definitions
Variable vid <1-4094> Value Enter the number of the VLAN for which you want to display the forwarding database. Default is to display the management VLANs database. Displays the time in seconds after which an unused entry is removed from the forwarding database. Displays a specific MAC address if it exists in the database. Enter the MAC address you want displayed.
aging-time address <H.H.H>
Configuring MAC address retention Use the following procedure to set the time during which the switch retains unseen MAC addresses.
To configure unseen MAC address retention, use the following command from Global Configuration mode. mac-address-table aging-time <10-1 000 000> Variable Definitions
Variable vid <10-1 000 000> Value Enter the aging time in seconds that you want for MAC addresses before they expire.
Setting MAC address retention time to default Use the following procedure to set the retention time for unseen MAC addresses to 300 seconds.
To set the MAC address retention time to default, use the following command from Global Configuration mode. default mac-address-table aging-time
August 20, 2010
123
Clearing the MAC address table Use the following procedure to clear the MAC address table.
To flush the MAC address table, use the following command from Privileged EXEC mode. clear mac-address-table Clearing the MAC address table on a VLAN Use the following procedure to flush the MAC addresses for the specified VLAN.
To flush the MAC address table for a specific VLAN, use the following command from Privileged EXEC mode. clear mac-address-table interface vlan <vlan#> Clearing the MAC address table on a FastEthernet interface Use the following procedure to flush the MAC addresses for the specified ports. This command does not flush the addresses learned on the trunk.
To clear the MAC address table on a FastEthernet interface, use the following command from Privileged EXEC mode. clear mac-address-table interface FastEthernet <port-list|ALL> Clearing the MAC address table on a trunk Use the following procedure to flush the MAC addresses for the specified trunk. This command flushes only addresses that are learned on the trunk.
To flush a single MAC address, use the following command from Privileged EXEC mode. clear mac-address-table address <H.H.H>
IP Directed Broadcasting
IP directed broadcasting takes the incoming unicast Ethernet frame, determines that the destination address is the directed broadcast for one of its interfaces, and then forwards the datagram onto the appropriate network using a link-layer broadcast.
124
August 20, 2010
IP directed broadcasting in a VLAN forwards direct broadcast packets in two ways: Through a connected VLAN subnet to another connected VLAN subnet. Through a remote VLAN subnet to the connected VLAN subnet. By default, this feature is disabled. The following CLI commands are used to work with IP directed broadcasting: Enabling IP directed broadcast on page 125 Enabling IP directed broadcast Use the following procedure to enable IP directed broadcast.
To enable IP directed broadcast, use the following command from Global Configuration mode. [no] ip directed-broadcast enable Use the no form of this command to disable.
Configuring STP using CLI

Use the following procedures to configure STP for the WLAN 8100 Series using the CLI. Setting the STP mode using the CLI on page 125 Configuring STP BPDU Filtering using the CLI on page 125 Creating and Managing STGs using the CLI on page 126 Managing RSTP using the CLI on page 132
Setting the STP mode using the CLI

Use the following procedure to set the STP operational mode.
To set the STP mode, use the following command from Global Configuration mode. spanning-tree op-mode {stpg | rstp }
Configuring STP BPDU Filtering using the CLI

Use the following procedure to configure STP BPDU Filtering on a port. This command is available in all STP modes (STPG, RSTP, and MSTP).
August 20, 2010
125
1. To enable STP BPDU filtering, use the following command from Interface Configuration mode. [no] spanning-tree bpdu-filtering [port<portlist>] [enable] [timeout <10-65535> | 0>] Use the no form of this command to disable. 2. To set the STP BPDU Filtering properties on a port to their default values, use the following command from the Interface Configuration command mode: default spanning-tree bpdu-filtering [port<portlist>] [enable] [timeout] 3. To show the current status of the BPDU Filtering parameters, use the following command from the Privileged EXEC mode: show spanning-tree bpdu-filtering [<interface-type>] [port<portlist>] Variable Definitions
Variable port <portlist> enable timeout <10-65535| 0> Value Specifies the ports affected by the command. Enables STP BPDU Filtering on the specified ports. The default value is disabled. When BPDU filtering is enabled, this indicates the time (in seconds) during which the port remains disabled after it receives a BPDU. The port timer is disabled if this value is set to 0. The default value is 120 seconds.
Creating and Managing STGs using the CLI

To create and manage Spanning Tree Groups, you can refer to the Command Line Interface commands listed in this section. Depending on the type of Spanning Tree Group that you want to create or manage, the command mode needed to execute these commands can differ. In the following commands, the omission of any parameters that specify a Spanning Tree Group results in the command operating against the default Spanning Tree Group (Spanning Tree Group 1). To configure STGs using the CLI, refer to the following: Configuring path cost calculation mode on page 127 Configuring STG port membership mode on page 127 Displaying STP configuration information on page 127
126
August 20, 2010
Creating a Spanning Tree Group on page 128 Deleting a Spanning Tree Group on page 128 Enabling a Spanning Tree Group on page 128 Disabling a Spanning Tree Group on page 128 Configuring STP values on page 129 Restoring default Spanning Tree values on page 130 Adding a VLAN to a STG on page 130 Removing a VLAN from a STG on page 131 Configuring STP and MSTG participation on page 131 Resetting Spanning Tree values for ports to default on page 132 Configuring path cost calculation mode Use the following procedure to set the path cost calculation mode for all Spanning Tree Groups on the switch.
To configure path cost calculation mode, use the following command from Privileged EXEC mode. spanning-tree cost-calc-mode {dot1d | dot1t} Configuring STG port membership mode Use the following procedure to set the STG port membership mode for all Spanning Tree Groups on the switch.
To configure STG port membership mode, use the following command from Privileged EXEC mode. spanning-tree port-mode {auto | normal} Displaying STP configuration information Use the following procedure to display spanning tree configuration information that is specific to either the Spanning Tree Group or to the port.
To display STP configuration information, use the following command from Privileged EXEC mode. show spanning-tree [stp <1-8>] {config | port| port-mode | vlans}
August 20, 2010
127
Variable Definitions
Variable stp <1-8> Value Displays specified Spanning Tree Group configuration; enter the number of the group to be displayed. Displays spanning tree configuration for: config--the specified (or default) Spanning Tree Group port--the ports within the Spanning Tree Group port-mode--the port mode vlans--the VLANs that are members of the specified Spanning Tree Group
config | port | port-mode | vlans
Creating a Spanning Tree Group Use the following procedure to create a Spanning Tree Group.
To create a Spanning Tree Group, use the following command from Global Configuration mode. spanning-tree stp <1-8> create Deleting a Spanning Tree Group Use the following procedure to delete a Spanning Tree Group.
To delete a Spanning Tree Group, use the following command from Global Configuration mode. spanning-tree stp <1-8> delete Enabling a Spanning Tree Group Use the following procedure to enable a Spanning Tree Group.
To enable a Spanning Tree Group, use the following command from Global Configuration mode. spanning-tree stg <1-8> enable Disabling a Spanning Tree Group Use the following procedure to disable a Spanning Tree Group.
128
August 20, 2010
To disable a Spanning tree Group, use the following command from Global Configuration mode. spanning-tree stp <1-8> disable Configuring STP values Use the following procedure to set STP values by STG.
To configure STP values, use the following command from Global Configuration mode. spanning-tree [stp <1-8>] [forward-time <4-30>] [hello-time <1-10>] [max-age <6-40> [priority {0*0000 | 0*1000| 0*2000 | 0*3000 | ... | 0*E000 | 0*F000}] [tagged-bpdu {enable | disable}] [tagged-bpdu-vid >1-4094>] [multicast-address <H.H.H>] [add-vlan] [remove-vlan] Variable Definitions
Variable stp <1-8> forward-time <4-30> Value Specifies the Spanning Tree Group; enter the STG ID. Enter the forward time of the STG in seconds; the range is 4 -- 30, and the default value is 15. Enter the hello time of the STG in seconds; the range is 1 --10, and the default value is 2. Enter the max-age of the STG in seconds; the range is 6 -- 40, and the default value is 20. Sets the spanning tree priority (in Hex); if 802.1T compliant, this value must be a multiple of 0x1000. Sets the BPDU as tagged or untagged. The default value for Spanning Tree Group 1 (default group) is untagged; the default for the other groups is tagged. Sets the VLAN ID (VID) for the tagged BPDU. The default value is 4001 -- 4008 for STG 1 -- 8, respectively. Sets the spanning tree multicast address. Adds a VLAN to the Spanning Tree Group.
hello-time <1-10> max-age <6-40>
priority {0x000 | 0x1000 | 0x2000 | 0x3000 | .... | 0xE000 | 0xF000} tagged-bpdu {enable | disable}
tagged-bpdu-vid <1-4094>
multicast-address <H.H.H> add-vlan
August 20, 2010
129
Variable remove-vlan
Value Removes a VLAN from the Spanning Tree Group.
Restoring default Spanning Tree values Use the following procedure to restore default spanning tree values for the Spanning Tree Group.
To restore Spanning Tree values to default, use the following command from Global Configuration mode. default spanning-tree [stp <1-8> [forward-time] [hello-time] [max-age] [priority] [tagged-bpdu] [multicast address] Variable Definitions
Variable stp <1-8> forward-time hello-time max-age priority Value Disables the Spanning Tree Group; enter the STG ID. Sets the forward time to the default value of 15 seconds. Sets the hello time to the default value of 2 seconds. Sets the maximum age time to the default value of 20 seconds. Sets spanning tree priority (in Hex); if 802.1T compliant, this value must be a multiple of 0x1000. Sets the tagging to the default value. The default value for Spanning Tree Group 1 (default group) is untagged; the default for the other groups is tagged. Sets the spanning tree multicast MAC address to the default.
tagged-bpdu
multicast address
Adding a VLAN to a STG Use the following procedure to add a VLAN to a specified Spanning Tree Group.
To add a VLAN to a STG, use the following command from Global Configuration mode. spanning-tree [stp <1-8>] add-vlan <1-4094>
130
August 20, 2010
Removing a VLAN from a STG Use the following procedure to remove a VLAN from a specified Spanning Tree Group.
To remove a VLAN from a STG, use the following command from Global Configuration mode. spanning-tree [stp <1-8>] remove-vlan <1-4094> Configuring STP and MSTG participation Use the following procedure to set the Spanning Tree Protocol (STP) and multiple Spanning Tree Group (STG) participation for the ports within the specified Spanning Tree Group.
To configure STP and MSTG participation, use the following command from Interface Configuration mode. [no] spanning-tree [port <portlist>] [stp <1-8>] [learning {disable | normal | fast}] [cost <1-65535>] [priority] Use the no form of this command to disable. Variable Definitions
Variable port <portlist> Value Enables the spanning tree for the specified port or ports; enter port or ports you want enabled for the spanning tree. Note: If you omit this parameter, the system uses the port number you specified when you issued the interface command to enter the Interface Configuration mode. Specifies the spanning tree group; enter the STG ID. Specifies the STP learning mode: disable -- disables FastLearn mode normal -- changes to normal learning mode fast -- enables FastLearn mode cost <1-65535> priority Enter the path cost of the spanning tree; range is 1 -- 65535. Sets the spanning tree priority for a port as a hexadecimal value. If the Spanning Tree Group is 802.1T compliant, this value must be a multiple of 0x10.
stp <1-8> learning {disable|normal|fast}
August 20, 2010
131
Resetting Spanning Tree values for ports to default Use the following procedure to set the spanning tree values for the ports within the specified Spanning Tree Group to the factory default settings.
To reset Spanning Tree values to default, use the following command from Interface Configuration mode. default spanning-tree [port <portlist>] [stp <1-8>] [learning] [cost] [priority] Variable Definitions
Variable port <portlist> Value Enables spanning tree for the specified port or ports; enter port or ports to be set to factory spanning tree default values. Note: If this parameter is omitted, the system uses the port number specified when the interface command was used to enter Interface Configuration mode. Specifies the Spanning Tree Group to set to factory default values; enter the STG ID. This command places the port into the default STG. The default value for STG is 1. Sets the spanning tree learning mode to the factory default value. The default value for learning is Normal mode. Sets the path cost to the factory default value. The default value for path cost depends on the type of port. Sets the priority to the factory default value. The default value for the priority is 0x8000.
stp <1-8>
learning
cost
priority
Managing RSTP using the CLI Use the following command to configure RSTP: Configuring RSTP parameters on page 132 Configuring RSTP on a port on page 134 Displaying RSTP configuration on page 134 Displaying RSTP port configuration on page 133 Configuring RSTP parameters Use the following procedure to set the RSTP parameters which include forward delay, hello time, maximum age time, default path cost version, bridge priority, transmit holdcount, and version for the bridge.
132
August 20, 2010
To configure RSTP parameters, use the following command from Global Configuration mode. spanning-tree rstp [ forward-time <4-30>] [hello-time <1-10>] [max-age <6-40>] [pathcost-type {bits16 | bits32}] [priority {0000|1000|2000| ...| F000}] [tx-holdcount <1-10>] [version {stp-compatible | rstp}] Variable Definitions
Variable forward-time <4-30> hello-time <1-10> max-age <6-40> pathcost-type {bits16 | bits32} priority {0000 | 1000 | ... | F000} tx-hold count version {stp-compatible | rstp} Value Sets the RSTP forward delay for the bridge in seconds; the default is 15. Sets the RSTP hello time delay for the bridge in seconds; the default is 2. Sets the RSTP maximum age time for the bridge in seconds; the default is 20. Sets the RSTP default path cost version; the default is bits32. Sets the RSTP bridge priority (in hex); the default is 8000. Sets the RSTP Transmit Hold Count; the default is 3. Sets the RSTP version; the default is rstp.
Displaying RSTP port configuration Use the following procedure to display the Rapid Spanning Tree Protocol (RSTP) related portlevel configuration details.
To display RSTP port configuration, use the following command from Privileged EXEC mode. show spanning-tree rstp port {config | status | statistics | role} [<portlist>] Variable Definitions
Variable config status Value Displays RSTP port-level configuration. Displays RSTP port-level role information.
August 20, 2010
133
Variable statistics role
Value Displays RSTP port-level statistics. Displays RSTP port-level status.
Configuring RSTP on a port Use the following procedure to set the RSTP parameters, which include path cost, edge-port indicator, learning mode, point-to-point indicator, priority, and protocol migration indicator on the single or multiple port.
To configure RSTP on a port, use the following command from Interface Configuration mode. spanning-tree rstp [port <portlist>] [cost <1-200000000> [edgeport {false | true}] [learning {disable | enable}] [p2p {auto | force-false | force-true}] [priority {00 | 10 | ... | F0}] [protocol-migration {false | true}] Variable Definitions
Variable port <portlist> cost <1-200000000> edge-port {false | true} Value Filter on list of ports. Sets the RSTP path cost on the single or multiple ports; the default is 200000. Indicates whether the single or multiple ports are assumed to be edge ports. This parameter sets the Admin value of edge port status; the default is false. Enables or disables RSTP on the single or multiple ports; the default is enable. Indicates whether the single or multiple ports are to be treated as point-to-point links. This command sets the Admin value of P2P Status; the default is force-true. Sets the RSTP port priority on the single or multiple ports; the default is 80. Forces the single or multiple port to transmit RSTP BPDUs when set to true, while operating in RSTP mode; the default is false.
learning {disable | enable} p2p {auto | force-false | force-true}
priority {00 | 10 |... | F0} protocol-migration {false | true}
Displaying RSTP configuration Use the following procedure to display the Rapid Spanning Tree Protocol (RSTP) related bridge-level configuration details.
134
August 20, 2010
To display RSTP configuration details, use the following command from Privileged EXEC mode. show spanning-tree rstp {config | status | statistics} Variable Definitions
Variable config status statistics Value Displays RSTP bridge-level configuration. Displays RSTP bridge-level role information. Displays RSTP bridge-level statistics.
Configuring MLT using CLI

The Command Line Interface commands detailed in this section allow for the creation and management of Multi-Link trunks. Depending on the type of Multi-Link trunk being created or managed, the command mode needed to execute these commands can differ. Refer to the following sections to configure MLT: Displaying MLT configuration and utilization on page 135 Configuring a Multi-Link trunk on page 135 Disabling a MLT on page 136 Displaying MLT properties on page 136 Configuring STP participation for MLTs on page 137
Displaying MLT configuration and utilization

Use the following procedure to display Multi-Link Trunking (MLT) configuration and utilization.
To display MLT configuration and utilization, use the following command from Privileged EXEC mode. show mlt [utilization <1-32>]
Configuring a Multi-Link trunk

Use the following procedure to configure a Multi-Link trunk (MLT).
August 20, 2010
135
To configure a Multi-Link trunk, use the following command from Global Configuration mode. mlt <id> [name<trunkname>] [enable | disable] [member <portlist>] [learning {disable | fast | normal}] [bpdu {allports | single-port}] loadbalance {basic | advance} Variable Definitions
Variable id name <trunkname> enable | disable member <portlist> learning <disable | fast | normal> bpdu {all-ports | single-port} loadbalance {basic | advance} Value Enter the trunk ID; the range is 1 to 32. Specifies a text name for the trunk; enter up to 16 alphanumeric characters. Enables or disables the trunk. Enter the ports that are members of the trunk. Sets STP learning mode. Sets trunk to send and receive BPDUs on either all ports or a single port. Sets the MLT load-balancing mode: basic: MAC-based load-balancing advance: IP-based load-balancing
Disabling a MLT
Use the following procedure to disable a Multi-Link trunk (MLT), clearing all the port members.
To disable a MLT, use the following command from Global Configuration mode. no mlt [<id>]
Displaying MLT properties

Use the following procedure to display the properties of Multi-Link trunks (MLT) participating in Spanning Tree Groups (STG).
136
August 20, 2010
To display MLT properties, use the following command from Global Configuration mode. show mlt spanning-tree <1-32>
Configuring STP participation for MLTs

Use the following procedure to set Spanning Tree Protocol (STP) participation for Multi-Link trunks (MLT).
To configure STP participation for MLTs, use the following command from Global Configuration mode. mlt spanning-tree <1-32> [stp <1-8>, ALL>] [learning {disable | normal | fast}] Variable Definitions
Variable <1-32> stp <1-8> learning {disable | normal | fast} Value Specifies the ID of the MLT to associate with the STG. Specifies the spanning tree group. Specifies the STP learning mode: disable -- disables learning normal -- sets the learning mode to normal fast -- sets the learning mode to fast
Configuring LACP and VLACP using CLI

This section contains information on the following topics: Configuring Link Aggregation using CLI on page 137 Configuring VLACP using CLI on page 142
Configuring Link Aggregation using CLI

This section describes the commands necessary to configure and manage Link Aggregation using the Command Line Interface (CLI).
August 20, 2010
137
To configure Link Aggregation using the CLI, refer to the fo Displaying LACP system settings on page 138 Displaying LACP per port configuration on page 138 Displaying LACP port mode on page 138 Displaying LACP port statistics on page 139 Clearing LACP port statistics on page 139 Displaying LACP port debug information on page 139 Displaying LACP aggregators on page 139 Configuring LACP system priority on page 140 Enabling LACP port aggregation mode on page 140 Configuring the LACP administrative key on page 140 Configuring LACP operating mode on page 140 Configuring per port LACP priority on page 141 Configuring LACP periodic transmission timeout interval on page 142 Configuring LACP port mode on page 142 Displaying LACP port mode Use the following procedure to display the current port mode (default or advanced).
To display the port mode, use the following command from Privileged EXEC mode. show lacp port-mode Displaying LACP system settings Use the following procedure to display system-wide LACP settings.
To display system settings, use the following command from Privileged EXEC mode. show lacp system Displaying LACP per port configuration Use the following procedure to display information on the per-port LACP configuration. Select ports either by port number or by aggregator value.
To display per port configuration, use the following command from Privileged EXEC mode. show lacp port [<portList> | aggr <1-65535>]
138
August 20, 2010
Variable <portList> aggr <1-65535> Value Enter the specific ports for which to display LACP information. Enter the aggregator value to display ports that are members of it.
Displaying LACP port statistics Use the following procedure to displayLACP port statistics. Select ports either by port number or by aggregator value.
To display port statistics, use the following command from Privileged EXEC mode. show lacp stats [<portList> | aggr <1-65535>] Variable Definitions
Variable <portList> aggr <1-65535> Value Enter the specific ports for which to display LACP information. Enter the aggregator value to display ports that are members of it.
Clearing LACP port statistics Use the following procedure to clear existing LACP port statistics.
To clear statistics, use the following command from Interface Configuration mode. lacp clear-stats <portList> Displaying LACP port debug information Use the following procedure to display port debug information.
To display port debug information, use the following command from Privileged EXEC mode. show lacp debug member [<portList>] Displaying LACP aggregators Use the following procedure to display LACP aggregators or LACP trunks.
August 20, 2010
139
To display aggregators, use the following command from Privileged EXEC mode. show lacp aggr <1-65535> Configuring LACP system priority Use the following procedure to configure the LACP system priority. It is used to set the systemwide LACP priority. The factory default priority value is 32768.
To configure system priority, use the following command from Global Configuration mode. lacp system-priority <0-65535> Enabling LACP port aggregation mode Use the following procedure to enable the port aggregation mode.
To enable the port aggregation mode, use the following command from Interface Configuration mode. [no] lacp aggregation [port <portList>] enable Use the no form of the command to disable. Configuring the LACP administrative key Use the following procedure to configure the administrative LACP key for a set of ports.
To set the administrative key, use the following command from Interface Configuration mode. lacp key [port <portList>] <1-4095> Variable Definitions
Variable port <portList> <1-4095> Value The ports to configure the LACP key for. The LACP key to use.
Configuring LACP operating mode Use the following procedure to configure the LACP mode of operations for a set of ports.
140
August 20, 2010
To configure the operating mode, use the following command from Interface Configuration mode. lacp mode [port <portList>] {active | passive | off} Variable Definitions
Variable port <portList> {active | passive | off} Value The ports for which the LACP mode is to be set. The type of LACP mode to set for the port. The LACP modes are: active -- The port will participate as an active Link Aggregation port. Ports in active mode send LACPDUs periodically to the other end to negotiate for link aggregation. passive -- The port will participate as a passive Link Aggregation port. Ports in passive mode send LACPDUs only when the configuration is changed or when its link partner communicates first. off -- The port does not participate in Link Aggregation. LACP requires at least one end of each link to be in active mode.
Configuring per port LACP priority Use the following procedure to configure the per-port LACP priority for a set of ports.
To configure priority, use the following command from Interface Configuration mode. lacp priority [port <portList> <0-65535> Variable Definitions
Variable port <portList> <0-65535> Value The ports for which to configure LACP priority. The priority value to assign.
August 20, 2010
141
Configuring LACP periodic transmission timeout interval Use the following procedure to configure the LACP periodic transmission timeout interval for a set of ports.
To configure the interval, use the following command from Interface Configuration mode. lacp timeout-time [port <portList>] {long | short} Variable Definitions
Variable port <portList> {long | short} Value The ports for which to configure the timeout interval. Specify the long or short timeout interval.
Configuring LACP port mode Use the following procedure to configure the LACP port mode on the switch.
To configure the port mode, use the following command from Interface Configuration mode. lacp port-mode {default | advance} Variable Definitions
Variable default advance Value Default LACP port mode. Advanced LACP port mode.
Configuring VLACP using CLI

To configure VLACP using the CLI, refer to the following commands: Enabling VLACP globally on page 143 Configuring VLACP multicast MAC address on page 145 Configuring VLACP port parameters on page 143 Displaying VLACP status on page 145 Displaying VLACP port configuration on page 145
142
August 20, 2010
Enabling VLACP globally Use the following procedure to globally enable VLACP for the device.
To enable VLACP, use the following command from Global Configuration mode. [no] vlacp enable Use the no form of this command to disable. Configuring VLACP port parameters Use the following procedure to configure VLACP parameters on a port.
To configure parameters, use the following command from Interface Configuration mode. [no] vlacp port <port> [enable | disable] [timeout <long/ short>][fast-periodic-time <integer>] [slow-periodic-time <integer>] [timeout-scale <integer>] [funcmac-addr <mac>] [ethertype <hex>] Use the no form of this command to remove parameters. Variable Definitions
Variable <port> enable|disable timeout <long/short> Value Specifies the port number. Enables or disables VLACP. Specifies whether the timeout control value for the port is a long or short timeout. long sets the port timeout value to: (timeout-scale value) (slow-periodictime value). short sets the ports timeout value to: (timeout-scale value) (fast-periodic-time value). For example, if the timeout is set to short while the timeout-scale value is 3 and the fast-periodic-time value is 400 ms, the timer expires after 1200 ms. Default is long. fast-periodic-time <integer> Specifies the number of milliseconds between periodic VLACPDU transmissions using short timeouts.
August 20, 2010
143
Variable
Value The range is 400-20000 milliseconds. Default is 500.
slow-periodic-time <integer>
Specifies the number of milliseconds between periodic VLACPDU transmissions using long timeouts. The range is 10000-30000 milliseconds. Default is 30000. Sets a timeout scale for the port, where timeout = (periodic time) (timeout scale). The range is 1-10. Default is 3. Note: With VLACP, a short interval exists between a port transmitting a VLACPDU and the partner port receiving the same VLACPDU. However, if the timeout-scale is set to less than 3, the port timeout value does not take into account the normal travel time of the VLACPDU. The port expects to receive a VLACPDU at the same moment the partner port sends it. Therefore, the delayed VLACPDU results in the link being blocked, and then enabled again when the packet arrives. To prevent this scenario from happening, set the timeout-scale to a value larger than 3. VLACP partners must also wait 3 synchronized VLACPDUs to have the link enabled. If VLACP partner miss 3 consecutive packets from the other partner, sets the link as VLACP down. Specifies the address of the far-end switch configured to be the partner of this switch. If none is configured, any VLACP-enabled switch communicating with the local switch through VLACP PDUs is considered to be the partner switch. Note: VLACP has only one multicast MAC address, configured using the vlacp macaddress command, which is the Layer 2 destination address used for the VLACPDUs. The port-specific funcmac-addr parameter does not specify a multicast MAC address, but instead specifies the MAC address of the switch to which this port is sending VLACPDUs. You are not always required to configure funcmac-addr. If not configured, the first VLACP-enabled switch that receives the
timeout-scale <integer>
funcmac-addr <mac>
144
August 20, 2010
Variable
Value PDUs from a unit assumes that it is the intended recipient and processes the PDUs accordingly. If you want an intermediate switch to drop VLACP packets, configure the funcmacaddr parameter to the desired destination MAC address. With funcmac-addr configured, the intermediate switches do not misinterpret the VLACP packets.
ethertype <hex>
Sets the VLACP protocol identification for this port. Defines the ethertype value of the VLACP frame. The range is 8101-81FF. Default is 8103.
Configuring VLACP multicast MAC address Use the following procedure to set the multicast MAC address used by the device for VLACPDUs.
To configure the multicast MAC address, use the following command from Global Configuration mode. [no] vlacp macaddress <macaddress> Use the no form of this command to delete the address. Displaying VLACP status Use the following procedure to display the status of VLACP on the switch.
To display VLACP status, use the following command from Privileged EXEC mode. show vlacp Displaying VLACP port configuration Use the following procedure to display the VLACP configuration details for a port or list of ports.
To display port configuration, use the following command from Privileged EXEC mode. show vlacp interface <slot/port> where <slot/port> specifies a port or list of ports. Among other properties, the show vlacp interface command displays a column called HAVE PARTNER, with possible values of yes or no.
August 20, 2010
145
If HAVE PARTNER is yes when ADMIN ENABLED and OPER ENABLED are true, then that port has received VLACPDUs from a port and those PDUs were recognized as valid according to the interface settings. If HAVE PARTNER is no, when ADMIN ENABLED is true and OPER ENABLED is FALSE, then the partner for that port is down (that port received at least one correct VLACPDU, but did not receive additional VLACPDUs within the configured timeout period). In this case VLACP blocks the port. This scenario is also seen if only one unit has VLACP enabled and the other has not enabled VLACP. The show vlacp interface command is in the privExec command mode. Note: If VLACP is enabled on an interface, the interface will not forward traffic unless it has a valid VLACP partner. If one partner has VLACP enabled and the other is not enabled, the unit with VLACP enabled will not forward traffic, however the unit with VLACP disabled will continue to forward traffic.
Configuring IP routing
IP routing configuration using CLI
This chapter describes the procedures you can use to configure routable VLANs using the CLI. The WC 8180 can function as a Layer 3 (L3) switch. This means that a regular Layer 2 VLAN becomes a routable Layer 3 VLAN if an IP address and MAC address are attached to the VLAN. When routing is enabled in Layer 3 mode, every Layer 3 VLAN is capable of routing as well as carrying the management traffic. You can use any Layer 3 VLAN instead of the Management VLAN to manage the switch. Refer to the following sections to configure IP routing using CLI: IP routing configuration procedures on page 147 Configuring global IP routing status on page 147 Displaying global IP routing status on page 148 Configuring an IP address for a VLAN on page 148 Configuring IP routing status on a VLAN on page 149 Configuring a secondary IP address for a VLAN on page 149 Displaying the IP address configuration and routing status for a VLAN on page 150 Displaying IP routes on page 151
146
August 20, 2010
Performing a traceroute on page 151 Bad xref to DLM-18512499
IP routing configuration procedures

To configure inter-VLAN routing on the switch, perform the following steps:
1. Enable IP routing globally. 2. Assign an IP address to a specific VLAN or brouter port. Routing is automatically enabled on the VLAN or brouter port when you assign an IP address to it.
IP routing configuration navigation

Configuring global IP routing status Displaying global IP routing status Configuring an IP address for a VLAN Configuring IP routing status for a VLAN Displaying the IP address configuration and routing status for a VLAN Displaying IP routes Performing a traceroute Entering Router Configuration mode
Configuring global IP routing status

Use this procedure to enable and disable global routing at the switch level. By default, routing is disabled.
To configure the status of IP routing on the switch, enter the following from the Global Configuration mode: [no] ip routing
August 20, 2010
147
Variable no Value Disables IP routing on the switch
Displaying global IP routing status

Use this command to display the status of IP blocking on the switch.
To display the status of IP blocking on the switch, enter the following from the User EXEC mode: show ip routing
Configuring an IP address for a VLAN

To enable routing an a VLAN, you must first configure an IP address on the VLAN.
To configure an IP address on a VLAN, enter the following from the VLAN Interface Configuration mode: [no] ip address <ipaddr> <mask> [<MAC-offset>] Variable Definitions
Variable [no] <ipaddr> <mask> [<MAC-offset>] Value Removes the configured IP address and disables routing on the VLAN. Specifies the IP address to attach to the VLAN. Specifies the subnet mask to attach to the VLAN Specifies the value used to calculate the VLAN MAC address, which is offset from the switch MAC address. The valid range is 1-256. Specify the value 1 for the Management VLAN only. If no MAC offset is specified, the switch applies one automatically.
148
August 20, 2010
Configuring IP routing status on a VLAN

Use this procedure to enable and disable routing for a particular VLAN.
To configure the status of IP routing on a VLAN, enter the following from the VLAN Interface Configuration mode: [default] [no] ip routing Variable Definitions
Variable default no Value Disables IP routing on the VLAN. Disables IP routing on the VLAN.
Configuring a secondary IP address for a VLAN

Use this procedure to configure a secondary IP interface to a VLAN (also known as multinetting). You can have a maximum of eight secondary IP addresses for every primary address, and you must configure the primary address before configuring any secondary addresses. Primary and secondary interfaces must reside on different subnets. To remove a primary IP address from a VLAN, you must first remove all secondary addresses from the VLAN. Prerequisites Configure a primary IP address on the VLAN. To configure the secondary IP interface on the VLAN, enter the following from the VLAN Interface Configuration mode. [no] ip address <ip address> <mask> [<mac offset>] secondary Variable Definitions
Variable no Value Removes the configured IP address. To remove a primary IP address from a VLAN, you must first remove all secondary addresses from the VLAN. Specifies the IP address to attach to the VLAN.
<ipaddr>
August 20, 2010
149
Variable <mask> [<MAC-offset>]
Value Specifies the subnet mask to attach to the VLAN Specifies the value used to calculate the VLAN MAC address, which is offset from the switch MAC address. The valid range is 1-256. Specify the value 1 for the Management VLAN only. If no MAC offset is specified, the switch applies one automatically.
Job aid: Example of adding a secondary IP interface to a VLAN Primary and secondary interfaces must reside on different subnets. In the following example, 4.1.0.10 is the primary IP and 4.1.1.10 is the secondary IP.
(config)# interface vlan 4 (config)# ip address 4.1.0.10 255.255.255.0 6 (config-if)# ip address 4.1.1.10 255.255.255.0 7 secondary
Displaying the IP address configuration and routing status for a VLAN

Use this procedure to display the IP address configuration and the status of routing on a VLAN.
To display the IP address configuration on a VLAN, enter the following from the VLAN Privileged Exec mode: show vlan ip [vid <vid>] Variable Definitions
Variable [vid <vid>] Value Specifies the VLAN ID of the VLAN to be displayed. Range is 1-4094.
Job aid The following table shows the field descriptions for the show vlan ip command.
Field Vid ifindex Address Mask MacAddress Description Specifies the VLAN ID. Specifies an index entry for the interface. Specifies the IP address associated with the VLAN. Specifies the mask. Specifies the MAC address associated with the VLAN.
150
August 20, 2010
Field Offset Routing
Description Specifies the value used to calculate the VLAN MAC address, which is offset from the switch MAC address. Specifies the status of routing on the VLAN: enabled or disabled.
Displaying IP routes
Use this procedure to display all active routes in the routing table. Route entries appear in ascending order of the destination IP addresses.
To display all active routes in the routing table, enter the following from the User EXEC command mode: show ip route [<dest-ip>] [-s <subnet><mask>] [summary] Variable Definitions
Variable [<dest-ip>] [-s <subnet><mask>] [summary] Value Specifies the destination IP address of the route to display. Specifies the destination subnet of the routes to display. Displays a summary of IP route information.
Performing a traceroute
Use this procedure to display the route taken by IP packets to a specified host.
1. To perform a traceroute, enter the following from the Global Configuration mode: traceroute <Hostname|A.B.C.D.> <-m> <-p> <-q> <-v> <-w> <1-1464> 2. Type CTRL+C to interrupt the command.
August 20, 2010
151
Variable Hostname A.B.C.D -m Value Specifies the name of the remote host. Specifies the IP address of the remote host. Specifies the maximum time to live (ttl). The value for this parameter is in the rage from 1-255. The default value is 10. Example: traceroute 10.3.2.134 -m 10 Specifies the base UDP port number. The value for this parameter is in the range from 0-65535. Example: traceroute 1.2.3.4 -p 87 Specifies the number of probes per time to live. The value for this parameter is in the range from 1-255. The default value is 3. Example: traceroute 10.3.2.134 -q 3 Specifies verbose mode. Example: traceroute 10.3.2.134 -v Specifies the wait time per probe. The value for this parameter is in the range from 1-255. The default value is 5 seconds. Example: traceroute 10.3.2.134 -w 15 Specifies the UDP probe packet size. TIP: probe packet size is 40 plus specified data length in bytes. Example: traceroute 10.3.2.134 -w 60
-p
-q
-v -w
<1-1464>
Static route configuration using CLI

This chapter describes the procedures you can use to configure static routes using the CLI. Static route configuration navigation Configuring a static route on page 152 Displaying static routes on page 153 Configuring a management route on page 154 Displaying the management routes on page 155
Configuring a static route

Use this procedure to configure a static route. Create static routes to manually configure a path to destination IP address prefixes.
152
August 20, 2010
Prerequisites Enable IP routing globally Enable IP routing and configure an IP address on the VLANs to be routed. To configure a static route, enter the following from the Global Configuration command mode: [no] ip route <dest-ip> <mask> <next-hop> [<cost>] [disable] [enable] [weight<cost>] Variable Definitions
Variable [no] <dest-ip> <mask> <next-hop> [<cost>] [disable] [enable] [weight<cost>] Value Removes the specified static route. Specifies the destination IP address for the route being added. 0.0.0.0 is considered the default route. Specifies the destination subnet mask for the route being added. Specifies the next hop IP address for the route being added. Specifies the weight, or cost, of the route being added. Range is 1-65535. Disables the specified static route. Enables the specified static route. Changes the weight, or cost, of an existing static route. Range is 1-65535.
Displaying static routes

Use this procedure to display all static routes, whether these routes are active or inactive.
To display a static route, enter the following from the User EXEC command mode: show ip route static [<dest-ip>] [-s<subnet><mask>] Variable Definitions
Variable <dest-ip> Value Specifies the destination IP address of the static routes to display.
August 20, 2010
153
Variable [-s<subnet><mask>]
Value Specifies the destination subnet of the routes to display.
Job aid The following table shows the field descriptions for the show ip route static command.
Field DST MASK NEXT COST VLAN PORT PROT TYPE PRF Description Identifies the route destination. Identifies the route mask. Identifies the next hop in the route. Identifies the route cost. Identifies the VLAN ID on the route. Specifies the ports. Specifies the routing protocols. For static routes, options are LOC (local route) or STAT (static route). Indicates the type of route as described by the Type Legend on the CLI screen. Specifies the route preference.
Configuring a management route

Use this procedure to create a management route to the far end network, with a next-hop IP address from the management VLANs subnet. A maximum of 4 management routes can be configured on the switch. Prerequisites Enable IP routing globally Enable IP routing and configure an IP address on the management VLAN interface. To configure a static management route, enter the following from the Global Configuration command mode: [no] ip mgmt route <dest-ip><mask><next-hop> Variable Definitions
Variable [no] Value Removes the specified management route.
154
August 20, 2010
Variable <dest-ip> <mask> <next-hope>
Value Specifies the destination IP address for the route being added. Specifies the destination subnet mask for the route being added. Specifies the next hop IP address for the route being added.
Displaying the management routes

Use this procedure to display the static routes configured for the management VLAN.
To display the static routes configured for the management VLAN, enter the following from the User EXEC mode: show ip mgmt route
Job aid
The following table shows the shows the field descriptions for the show ip mgmt route command.
Field Destination IP Subnet Mask Gateway IP Description Identifies the route destination. Identifies the route mask. Identifies the next hop in the route.
DHCP relay configuration using CLI

This chapter describes the procedures you can use to configure DHCP relay using the CLI. Important: DHCP relay uses a hardware resource that is shared by switch Quality of Service applications. When DHCP relay is enabled globally, the Quality of Service filter manager will not be able to use precedence 11 for configurations.
August 20, 2010
155
Prerequisites Enable IP routing globally. Enable IP routing and configure an IP address on the VLAN to be set as the DHCP relay agent. Ensure that a route to the destination DHCP server is available on the switch.
DHCP relay configuration procedures

To configure DHCP relay, perform the following steps:
1. Ensure that DHCP relay is enabled globally. (DHCP relay is enabled by default.) 2. Configure the DHCP relay forwarding path, specifying the VLAN IP as the DHCP relay agent and the remote DHCP server as the destination. 3. Enable DHCP for the specific VLAN.
DHCP relay configuration navigation

Configuring global DHCP relay status on page 156 Displaying the global DHCP relay status on page 157 Specifying a local DHCP relay agent and remote DHCP server on page 157 Displaying the DHCP relay configuration on page 158 Configuring DHCP relay status and parameters on a VLAN on page 158 Displaying the DHCP relay configuration for a VLAN on page 159 Displaying DHCP relay counters on page 160 Clearing DHCP relay counters for a VLAN on page 160
Configuring global DHCP relay status

Use this procedure to configure the global DHCP relay status. DHCP relay is enabled by default.
To configure the global DHCP relay status, enter the following from the Global Configuration mode: [no] ip dhcp-relay
156
August 20, 2010
Variable [no] Disables DHCP relay. Value
Displaying the global DHCP relay status

Use this procedure to display the current DHCP relay status for the switch.
To display the global DHCP relay status, enter the following from the User EXEC command mode: show ip dhcp-relay
Specifying a local DHCP relay agent and remote DHCP server

Use this procedure to specify a VLAN as a DHCP relay agent on the forwarding path to a remote DHCP server. The DHCP relay agent can forward DHCP client requests from the local network to the DHCP server in the remote network. The DHCP relay feature is enabled by default, and the default mode is BootP-DHCP. Prerequisites Enable IP routing and configure an IP address on the VLAN to configure as a DHCP relay agent. To configure a VLAN as a DHCP relay agent, enter the following from the Global Configuration mode: [no] ip dhcp-relay fwd-path <relay-agent-ip> <DHCP-server> [enable] [disable] [mode {bootp | bootp-dhcp | dhcp}] Variable Definitions
Variable [no] <relay-agent-ip> <DHCP-server> Value Removes the specified DHCP forwarding path. Specifies the IP address of the VLAN that serves as the local DHCP relay agent. Specifies the address of the remote DHCP server to which DHCP packets are to be relayed.
August 20, 2010
157
Variable [enable] [disable] [mode {bootp | bootp-dhcp | dhcp}]
Value Enables the specified DHCP relay forwarding path. Disables the specified DHCP relay forwarding path. Specifies the mode for DHCP relay. BootP only BootP and DHCP DHCP only If you do not specify a mode, the default DHCP and BootP is used.
Displaying the DHCP relay configuration

Use this procedure to display the current DHCP relay agent configuration.
To display the DHCP relay configuration, enter the following from the User EXEC command mode: show ip dhcp-relay fwd-path
Job aid
The following table shows the field descriptions for the show ip dhcp-relay fwd-path command.
Field INTERFACE SERVER ENABLE MODE Description Specifies the interface IP address of the DHCP relay agent. Specifies the IP address of the DHCP server. Specifies whether DHCP is enabled. Specifies the DHCP mode.
Configuring DHCP relay status and parameters on a VLAN

Use this procedure to configure the DHCP relay parameters on a VLAN. To enable DHCP relay on the VLAN, enter the command with no optional parameters.
158
August 20, 2010
To configure DHCP relay on a VLAN, enter the following from the VLAN Interface Configuration mode: [no] ip dhcp-relay [broadcast] [min-sec <min-sec>] [mode {bootp | dhcp | bootp_dhcp}] Variable Definitions
Variable [no] [broadcast] min-sec <min-sec> Value Disables DHCP relay on the specified VLAN. Enables the broadcast of DHCP reply packets to the DHCP clients on this VLAN interface. The switch immediately forwards a BootP/ DHCP packet if the secs field in the BootP/ DHCP packet header is greater than the configured min-sec value; otherwise, the packet is dropped. Range is 0-65535. The default is 0. Specifies the type of DHCP packets this VLAN supports: bootp - Supports BootP only dhcp - Supports DHCP only bootp_dhcp - Supports both BootP and DHCP
mode {bootp | dhcp | bootp_dhcp}
Displaying the DHCP relay configuration for a VLAN

Use this procedure to display the current DHCP relay parameters configured for a VLAN.
To display the DHCP relay VLAN parameters, enter the following from the Privileged EXEC command mode: show vlan dhcp-relay [<vid>] Variable Definitions
Variable [<vid>] Value Specifies the VLAN ID of the VLAN to be displayed. Range is 1-4094.
Job aid The following table shows the field descriptions for the show ip dhcp-relay command.
August 20, 2010
159
Field IfIndex MIN_SEC
Description Indicates the VLAN interface index. Indicates the minimum time, in seconds, to wait between receiving a DHCP packet and forwarding the DHCP packet to the destination device. A value of zero indicates forwarding is done immediately without delay. Indicates whether DHCP relay is enabled on the VLAN. Indicates the type of DHCP packets this interface supports. Options include none, BootP, DHCP, and both. Indicates whether DHCP reply packets are broadcast to the DHCP client on this VLAN interface.
ENABLED MODE
ALWAYS_BROADCAST
Displaying DHCP relay counters

Use this procedure to display the current DHCP relay counters. This includes the number of requests and the number of replies.
To display the DHCP relay counters, enter the following from the User EXEC command mode: show ip dhcp-relay counters
Job aid
The following table shows the field descriptions for the show ip dhcp-relay counters command.
Field INTERFACE REQUESTS REPLIES Description Indicates the interface IP address of the DHCP relay agent. Indicates the number of DHCP requests. Indicates the number of DHCP replies.
Clearing DHCP relay counters for a VLAN

Use this procedure to clear the DHCP relay counters for a VLAN.
160
August 20, 2010
To clear the DHCP relay counters, enter the following from the VLAN Interface Configuration command mode: ip dhcp-relay clear-counters
Directed broadcasts configuration using CLI

This chapter describes procedures you can use to configure and display the status of directed broadcasts using CLI. Navigation Configuring directed broadcasts on page 161 Displaying the directed broadcast configuration on page 161
Configuring directed broadcasts

Use this procedure to enable directed broadcasts on the switch. By default, directed broadcasts are disabled. Prerequisites Enable IP routing globally. Enable IP routing and configure an IP address on the VLAN to be configured as a broadcast interface. Ensure that a route (local or static) to the destination address is available on the switch. To enable directed broadcasts, enter the following from the Global Configuration mode: ip directed-broadcast enable
Displaying the directed broadcast configuration

Use this procedure to display the status of directed broadcasts on the switch. By default, directed broadcasts are disabled.
To display directed broadcast status, enter the following from the User EXEC mode: show ip directed-broadcast
August 20, 2010
161
Static ARP and Proxy ARP configuration using CLI

This chapter describes the procedures you can use to configure Static ARP, Proxy ARP, and display ARP entries using the CLI. Static ARP and Proxy ARP configuration navigation Static ARP configuration on page 162 Displaying the ARP table on page 162 Proxy ARP configuration on page 164
Static ARP configuration

This section describes how to configure Static ARP using the CLI. Configuring a static ARP entry Use this procedure to create and enable a static ARP entry. Prerequisites Enable IP routing globally. Enable IP routing and configure an IP address on the target VLAN. To configure a static ARP entry, enter the following from the Global Configuration mode: [no] ip arp <A.B.C.D> <aa:bb:cc:dd:ee:ff> <port> [vid <1-4094>] Variable Definitions
Variable [no] <A.B.C.D> <aa:bb:cc:dd:ee:ff> < port> vid <1-4094> Value Removes the specified ARP entry. Specifies the IP address of the device being set as a static ARP entry. Specifies the MAC address of the device being set as a static ARP entry. Specifies the port number to which the static ARP entry is being added. Specifies the VLAN ID to which the static ARP entry is being added.
Displaying the ARP table Use the following procedures to display the ARP table, configure a global timeout for ARP entries, and clear the ARP cache.
162
August 20, 2010
Navigation Displaying ARP entries on page 163 Configuring a global timeout for ARP entries on page 163 Clearing the ARP cache on page 164 Displaying ARP entries Use this procedure to display ARP entries.
To display ARP entries, enter the following from the User Exec mode: show arp-table OR show ip arp [static | dynamic] [<ip-addr> | {-s <subnet> <mask>{] [summary] The show ip arp command is invalid if the switch is not in Layer 3 mode. Variable Definitions
Variable <ip-addr> -s <subnet> <mask> static Value Specifies the IP address of the ARP entry to be displayed. Displays ARP entries for the specified subnet only. Displays all configured static entries, including those without a valid route.
Job aid The following table shows the field descriptions for the show ip arp command.
Field IP Address Age (min) MAC Address VLAN-Unit/Port/Trunk Flags Description Specifies the IP address of the ARP entry. Displays the ARP age time. Specifies the MAC address of the ARP entry. Specifies the VLAN/port of the ARP entry. Specifies the type of ARP entry. S=Static, D=Dynamic, L=Local, B=Broadcast.
Configuring a global timeout for ARP entries Use this procedure to configure an aging time for the ARP entries.
August 20, 2010
163
To configure a global timeout for ARP entries, enter the following from the Global Configuration mode: ip arp timeout <timeout> Variable Definitions
Variable <timeout> Value Specifies the amount of time in minutes before an ARP entry ages out. Range is 5-360. The default value is 360 minutes.
Clearing the ARP cache Use this procedure to clear the cache of ARP entries.
To clear the ARP cache, enter the following from the Global Configuration mode: clear arp-cache
Proxy ARP configuration

This section describes how to configure Proxy ARP using the CLI. Navigation Configuring proxy ARP status on page 164 Displaying proxy ARP status on a VLAN on page 165 Configuring proxy ARP status Use this procedure to enable proxy ARP functionality on a VLAN. By default, proxy ARP is disabled. Prerequisites Enable IP routing globally. Enable IP routing and configure an IP address on the VLAN to be configured as a Proxy ARP interface. To configure proxy ARP status, enter the following from the VLAN Interface Configuration mode: [default] [no] ip arp-proxy enable
164
August 20, 2010
Variable default no Value Disables proxy ARP functionality on the VLAN. Disables proxy ARP functionality on the VLAN.
Displaying proxy ARP status on a VLAN Use this procedure to display the status of proxy ARP on a VLAN.
To display proxy ARP status for a VLAN, enter the following from the User EXEC mode: show ip arp-proxy interface [vlan<vid>] Variable Definitions
Variable <vid> Value Specifies the ID of the VLAN to display. Range is 1-4094.
Job aid The following table shows the field descriptions for the show ip arp-proxy interfaces command.
Field Vlan Proxy ARP status Identifies a VLAN. Specifies the status of Proxy ARP on the VLAN. Description
IGMP snooping configuration using CLI

This chapter describes the procedures you can use to configure IGMP snooping on a VLAN using CLI.
IGMP snooping configuration procedures
To configure IGMP snooping, the only required configuration is to enable snooping on the VLAN. All related configurations, listed below, are optional and can be configured to suit the requirements of your network.
August 20, 2010
165
IGMP snooping configuration navigation

Configuring IGMP snooping on a VLAN on page 166 Configuring IGMP send query on a VLAN on page 167 Configuring IGMP proxy on a VLAN on page 167 Configuring the IGMP version on a VLAN on page 168 Configuring static mrouter ports on a VLAN on page 168 Displaying IGMP snoop, proxy, and mrouter configuration on page 169 Configuring IGMP parameters on a VLAN on page 170 Configuring the router alert option on a VLAN on page 171 Displaying IGMP interface information on page 172 Displaying IGMP group membership information on page 173 Configuring unknown multicast packet filter on page 175 Displaying the status of unknown multicast packet filtering on page 175 Specifying a multicast MAC address to be allowed to flood all VLANs on page 176 Displaying the multicast MAC addresses for which flooding is allowed on page 176 Displaying IGMP cache information on page 177 Flushing the router table on page 178 Configuring IGMP selective channel block on page 178
Configuring IGMP snooping on a VLAN

Enable IGMP snooping on a VLAN to forward the multicast data to only those ports that are members of the group. IGMP snooping is disabled by default.
To enable IGMP snooping, enter the following from the VLAN Interface Configuration command mode: [default] [no] ip igmp snooping OR Enter the following from the Global Configuration command mode: [default] vlan igmp <vid> [snooping {enable | disable}]
166
August 20, 2010
Variable default no enable disable Value Disables IGMP snooping on the selected VLAN. Disables IGMP snooping on the selected VLAN. Enables IGMP snooping on the selected VLAN. Disables IGMP snooping on the selected VLAN.
Configuring IGMP send query on a VLAN

Use this procedure to enable IGMP send query on a snoop-enabled VLAN. When IGMP snooping send query is enabled, the IGMP snooping querier sends out periodic IGMP queries that trigger IGMP report messages from the switch or host that wants to receive IP multicast traffic. IGMP snooping listens to these IGMP reports to establish appropriate forwarding. IGMP send query is disabled by default. Prerequisites You must enable snoop on the VLAN. To enable IGMP send query, enter the following command from the VLAN Interface Configuration mode: ip igmp send-query
Configuring IGMP proxy on a VLAN

Use this procedure to enable IGMP proxy on a snoop-enabled VLAN. With IGMP proxy enabled, the switch consolidates incoming report messages into one proxy report for that group. IGMP proxy is disabled by default. Prerequisites You must enable snoop on the VLAN. To enable IGMP proxy, enter the following from the VLAN Interface Configuration mode: [default] [no] ip igmp proxy OR Enter the following from the Global Configuration command mode:
August 20, 2010
167
[default] [no] vlan igmp <vid> [proxy {enable | disable}] Variable Definitions
Variable default no <vid> enable disable Value Disables IGMP proxy on the selected VLAN. Disables IGMP proxy on the selected VLAN. Specifies the VLAN ID. Enables IGMP proxy on the selected VLAN. Disables IGMP proxy on the selected VLAN.
Configuring the IGMP version on a VLAN

Use this procedure to configure the IGMP version running on the VLAN. You can specify the version as IGMPv1, IGMPv2, or IGMPv3 (IGMPv3 is supported for IGMP snooping only; it is not supported with PIM-SM). The default is IGMPv2.
To configure the IGMP version, enter the following from the VLAN Interface Configuration mode: [default] ip igmp version <1-3> Variable Definitions
Variable default <1-3> Value Restores the default IGMP protocol version (IGMPv2). Specifies the IGMP version.
Configuring static mrouter ports on a VLAN

IGMP snoop considers the port on which the IGMP query is received as the active IGMP multicast router (mrouter) port. By default, the switch forwards incoming IGMP Membership Reports only to the active mrouter port. To forward the IGMP reports to additional ports, you can configure the additional ports as static mrouter ports.
168
August 20, 2010
To configure static mrouter ports on a VLAN (IGMPv1, IGMPv2, and IGMPv3 according to the supported version on the VLAN), enter the following from the VLAN Interface Configuration mode: [default] [no] ip igmp mrouter <portlist> OR To configure IGMPv1 or IGMPv2 static mrouter ports, enter the following from the Global Configuration command mode: [no] vlan igmp <vid> {v1-members | v2-members} [add | remove] <portlist> Variable Definitions
Variable default no <portlist> {v1-members | v2-members} [add | remove] Value Removes all static mrouter ports. Removes the specified static mrouter port. Specifies the list of ports to add or remove as static mrouter ports. Specifies whether the static mrouter ports are IGMPv1 or IGMPv2. Specifies whether to add or remove the static mrouter ports.
Displaying IGMP snoop, proxy, and mrouter configuration

Use this procedure to display the IGMP snoop, proxy, and mrouter configuration per VLAN.
To display IGMP snoop information, enter: show ip igmp snooping Variable Definitions
Variable Vlan Snoop Enable Indicates the Vlan ID. Indicates whether snoop is enabled (true) or disabled (false). Value
August 20, 2010
169
Variable Proxy Snoop Enable Static Mrouter Ports Active Mrouter Ports Mrouter Expiration Time
Value Indicates whether IGMP proxy is enabled (true) or disabled (false). Indicates the static mrouter ports in this VLAN that provide connectivity to an IP multicast router. Displays all dynamic (querier port) and static mrouter ports that are active on the interface. Specifies the time remaining before the multicast router is aged out on this interface. If the switch does not receive queries before this time expires, it flushes out all group memberships known to the VLAN. The Query Max Response Interval (obtained from the queries received) is used as the timer resolution.
Configuring IGMP parameters on a VLAN

Use this procedure to configure the IGMP parameters on a VLAN. Important: The query interval, robustness, and version values must be the same as those configured on the interface (VLAN) of the multicast router (IGMP querier). To configure IGMP parameters, enter the following from the VLAN Interface Configuration mode: [default] ip igmp [last-member-query-interval<last-mbr-queryin>] [query-interval<query-int>] [query-max-response<querymax-resp>] [robust-value<robust-val>] [version<1-3>] OR enter the following from the Global Configuration command mode: [default] vlan igmp <vid> [query-interval<query-int<] [robustvalue<robust-val>] Variable Definitions
Variable default Value Sets the selected parameter to the default value. If no parameters are specified, snoop is disabled and all IGMP parameters are set to their defaults. Sets the maximum response time (in 1/10 seconds) that is inserted into group-specific queries sent in response to
<last-mbr-query-int>
170
August 20, 2010
Variable
Value leave group messages. This parameter is also the time between group-specific query messages. This value is not configurable for IGMPv1. Decreasing the value reduces the time to detect the loss of the last member of a group. The range is from 0255, and the default is 10 (1 second). Avaya recommends configuring this parameter to values higher than 3. If a fast leave process is not required, Avaya recommends values above 10. (The value 3 is equal to 0.3 of a second, and 10 is equal to 1.0 second.)
<query-int>
Sets the frequency (in seconds) at which host query packets are transmitted on the VLAN. The range is 165535. The default value is 125 seconds. Specifies the maximum response time (in 1/10 seconds) advertised in IGMPv2 general queries on this interface. The range is 0255. The default value is 100 (10 seconds). Specifies tuning for the expected packet loss of a network. This value is equal to the number of expected query packet losses for each serial query interval, plus 1. If you expect a network to lose query packets, you must increase the robustness value. Ensure that the robustness value is the same as the configured value on the multicast router (IGMP querier). The range is from 2 to 255, and the default is 2. The default value of 2 means that one query for each query interval can be dropped without the querier aging out.
<query-max-resp>
<robust-val>
Configuring the router alert option on a VLAN

Use this command to enable the router alert feature. This feature instructs the router to drop control packets that do not have the router-alert flag in the IP header. Important: To maximize your network performance, Avaya recommends that you set the router alert option according to the version of IGMP currently in use: IGMPv1Disable IGMPv2 Enable IGMPv3Enable To configure the router alert option on a VLAN, enter the following from the VLAN Interface Configuration mode: [default] [no] ip igmp router-alert
August 20, 2010
171
Variable default no Value Disables the router alert option. Disables the router alert option.
Displaying IGMP interface information

Use this procedure to display IGMP interface parameters.
To display the IGMP interface information, enter: show ip igmp interface [vlan <vid>] OR Enter: show vlan igmp <vid>
Job aid
The following table shows the field descriptions for the show ip igmp interface command command.
Field VLAN Query Intvl Vers Oper Vers Querier Query MaxRsp T Wrong Query Description Indicates the VLAN on which IGMP is configured. Specifies the frequency (in seconds) at which host query packets are transmitted on the interface. Specifies the version of IGMP configured on this interface. Specifies the version of IGMP running on this interface. Specifies the IP address of the IGMP querier on the IP subnet to which this interface is attached. Indicates the maximum query response time (in tenths of a second) advertised in IGMPv2 queries on this interface. Indicates the number of queries received whose IGMP version does not match the Interface version. You must configure all routers on a LAN to run the same version of IGMP. Thus, if queries are received with the wrong version, a configuration error occurs.
172
August 20, 2010
Field Joins Robust LastMbr Query
Description Indicates the number of times a group membership was added on this interface. Specifies the robust value configured for expected packet loss on the interface. Indicates the maximum response time (in tenths of a second) inserted into group-specific queries sent in response to leave group messages, and is also the amount of time between group-specific query messages. Use this value to modify the leave latency of the network. A reduced value results in reduced time to detect the loss of the last member of a group. This does not apply if the interface is configured for IGMPv1. Indicates whether the ip igmp send-query feature is enabled or disabled. Values are YES of NO. Default is disabled.
Send Query
The following table shows the field descriptions for the show vlan igmp command.
Field Snooping Proxy Robust Value Query Time IGMPv1 Static Router Ports IGMPv2 Static Router Ports Send Query Description Indicates whether snooping is enabled or disabled. Indicates whether proxy snoop is enabled or disabled. Indicates the robust value configured for expected packet loss on the interface. Indicates the frequency (in seconds) at which host query packets are transmitted on the interface. Indicates the IGMPv1 static mrouter ports. Indicates the IGMPv2 static mrouter ports. Indicates whether the ip igmp send-query feature is enabled or disabled. Values are YES of NO. Default is disabled.
Displaying IGMP group membership information

Display the IGMP group information to show the learned multicast groups and the attached ports.
To display IGMP group information, enter:
August 20, 2010
173
show ip igmp group [count] [group <A.B.C.D>] [membersubnet<A.B.C.D>/<0-32>] OR Enter: show vlan multicast membership <vid> Variable Definitions
Variable count group <A.B.C.D> member-subnet <A.B.C.D>/<0-32 Value Displays the number of IGMP group entries. Displays group information for the specified group. Displays group information for the specified member subnet.
Job aid The following table shows the field descriptions for the show ip igmp group command.
Field Group Address VLAN Member Address Description Indicates the multicast group address. Indicates the VLAN interface on which the group exists. Indicates the IP address of the IGMP receiver (host or IGMP reporter). The IP address is 0.0.0.0 if the type is static. Indicates the time left before the group report expires. This variable is updated upon receiving a group report. Specifies the type of membership: static or dynamic. Identifies the member port for the group. This is the port on which group traffic is forwarded and in those case where the type is dynamic, it is the port on which the IGMP join was received.
Expiration Type In Port
The following table shows the field descriptions for the show vlan multicast membership command.
Field Multicast Group Address In Port Description Indicates the multicast group address. Indicates the physical interface or a logical interface (VLAN) that received group reports from various sources.
174
August 20, 2010
Configuring unknown multicast packet filter

The default switch behavior is to flood all packets with unknown multicast addresses. Use this procedure to prevent the flooding of packets with unknown multicast addresses and enable the forwarding of these packets to static mrouter ports only.
To configure unknown multicast packet flooding, enter the following from the Global Configuration mode: [no] [default] vlan igmp <vid> unknown-mcast-no-flood {enable | disable} Variable Definitions
Variable no default enable disable Value Enables the flooding of multicast packets on the VLAN. Enables the flooding of multicast packets on the VLAN. Prevents the flooding of multicast packets on the VLAN. Enables the flooding of multicast packets on the VLAN.
Displaying the status of unknown multicast packet filtering

Use this procedure to display the status of unknown multicast filtering: enabled (no flooding) or disabled (flooding allowed).
To display the unknown multicast flooding configuration, enter: show vlan igmp unknown-mcast-no-flood
Job aid
The following table shows the field descriptions for the show vlan igmp unknown-mcastno-flood command.
Field Unknown Multicast No-Flood Description Specifies the status of unknown multicast filtering: enabled or disabled.
August 20, 2010
175
Specifying a multicast MAC address to be allowed to flood all VLANs

Use this procedure to allow particular unknown multicast packets to be flooded on all switch VLANs. To add MAC addresses starting with 01.00.5E to the allow-flood table, you must specify the corresponding multicast IP address. For instance, you cannot add MAC address 01.00.5E. 01.02.03 to the allow-flood table, but instead you must specify IP address 224.1.2.3. For all other types of MAC address, you can enter the MAC address directly to allow flooding.
To allow particular unknown multicast packets to be flooded, enter the following from the Global Configuration mode: vlan igmp unknown-mcast-allow-flood {<H.H.H> | <mcast_ip_address>} Variable Definitions
Variable <H.H.H> Value Specifies the multicast MAC address to be flooded. Accepted formats are: H.H.H xx:xx:xx:xx:xx:xx xx.xx.xx.xx.xx.xx xx-xx-xx-xx-xx-xx <mcast_ip_address> Specifies the multicast IP address to be flooded.
Displaying the multicast MAC addresses for which flooding is allowed

Use this procedure to display the multicast MAC addresses for which flooding is allowed on all switch VLANs.
To display the multicast MAC addresses for which flooding is allowed, enter: show vlan igmp unknown-mcast-allow-flood
176
August 20, 2010
Job aid
The following table shows the field descriptions for the show vlan igmp unknown-mcastallow-flood command.
Field Allowed Multicast Addresses Description Indicates multicast addresses that can flood.
Displaying IGMP cache information

Display the IGMP cache information to show the learned multicast groups in the cache and the IGMPv1 version timers. Note: Using the show ip igmp cache command may not display the expected results in some configurations. If the expected results are not displayed, use the show ip igmp group command to view the information.
To display the IGMP cache information, enter: show ip igmp cache
Job aid
The following table shows the field descriptions for the show ip igmp cache command.
Field Group Address Vlan ID Last Reporter Expiration V1 Host Timer Description Indicates the multicast group address. Indicates the VLAN interface on which the group exists. Indicates the last IGMP host to join the group. Indicates the group expiration time (in seconds). Indicates the time remaining until the local router assumes that no IGMP version 1 members exist on the IP subnet attached to the interface. Upon hearing an IGMPv1 membership report, this value is reset to the group membership timer. When the time remaining is nonzero, the local interface ignores IGMPv2 leave messages that it receives for this group.
August 20, 2010
177
Field Type
Description Indicates whether the entry is learned dynamically or is added statically.
Flushing the router table

Use this procedure to flush the router table.
To flush the router table, enter the following from the Global Configuration mode: ip igmp flush vlan <vid> {grp-member|mrouter} Variable Definitions
Variable {grp-member|mrouter} Value Flushes the table specified by type.
Configuring IGMP selective channel block

In certain deployment scenarios it might be required not to allow multicast streaming from specific group addresses to users connected to certain ports. With the IGMP selective channel block feature this type of control can be implemented. When configured it will control the IGMP membership of ports by blocking IGMP reports received from users on that port destined for the specific group address/addresses. The filter can be configured to block a single multicast address or range of addresses. This feature will work regardless of whether the switch is in Layer 2 IGMP snooping mode or the full IGMP mode (PIM-SM enabled). It will also be applicable for IGMPv1 and v2.
Configuring IGMP selective channel block navigation

Creating an IGMP profile on page 179 Deleting an IGMP profile on page 179 Applying the IGMP filter profile on interface on page 179 Removing a profile from an interface on page 179 Displaying an IGMP profile on page 180
178
August 20, 2010
Creating an IGMP profile

Use this procedure to create an IGMP profile.
1. From Global Configuration mode, enter the ip igmp profile <profile number (1-65535)> command. 2. Enter the deny command. 3. Enter the range <ip multicast address><ip multicast address> command.
Deleting an IGMP profile

Use this procedure to delete an IGMP profile.
To delete an IGMP profile enter the following command from Global Configuration mode: no ip igmp profile <profile number (1-65535)>
Applying the IGMP filter profile on interface

Use this procedure to apply the IGMP filter profile on an interface.
1. From Global Configuration mode enter the interface <interface-id> command. 2. Enter the ip igmp filter <profile number> command.
Removing a profile from an interface

Use this procedure to remove a profile from an interface.
August 20, 2010
179
1. From Global Configuration mode enter the interface <interface-id> command. 2. Enter the no ip igmp filter <profile number> command.
Displaying an IGMP profile

Use this procedure to display an IGMP profile.
To display an IGMP profile enter the following command from Global Configuration mode: show ip igmp profile <cr> or <profile number>
Configuring Access Lists

The CLI commands detailed in this section allow for the configuration and management of access lists. Navigation Assigning ports to an access list on page 180 Removing an access list assignment on page 181 Creating an IP access list on page 181 Removing an IP access list on page 182 Creating a Layer 2 access list on page 183 Removing a Layer 2 access list on page 184
Assigning ports to an access list

Assign ports to an access list by performing this the procedure.
Assign ports to an access list by using the following command in Global Configuration mode.
180
August 20, 2010
qos acl-assign port <port_list> acl-type {ip | l2} name <name>
Variable port <port_list> acl-type {ip | l2} name <name> Value Specifies the list of ports assigned to the specified access list. Specifies the type of access list used; IP or Layer 2. Specifies the name of the access list to be used. Access lists must be configured before ports can be assigned to them.
Removing an access list assignment

Remove an access list assignment by performing this procedure.
Remove an access list assignment by using the following command from Global Configuration mode. no qos acl-assign <aclassignid>
Creating an IP access list

Create an IP access list by performing this procedure.
Create an access list by using the following procedure from Global Configuration mode. qos ip-acl name <name> [addr-type <addrtype>] [src-ip <source_ip>] [dst-ip <destination_ip>] [ds-field <dscp>] [{protocol <protocol_type> | next_header <header>}] [src-portmin <port> src-port-max <port>] [dst-port-min <port> dst-portmax <port>] [flow-id <flowid>] [drop-action {drop | pass}] [update-dscp <0 - 63>] [update-1p <0 - 7>] [set-drop-prec {high drop | low drop}] [block <block_name>]
August 20, 2010
181
Variable name <name> addr-type <addrtype> src-ip <source_ip> dst-ip <destination_ip> ds-field <dscp> Value Specifies the name assigned to this access list. Specifies the IP address type to use for the access list. Specifies the source IP address to use for this access list. Specifies the destination IP address to use for this access list. Specifies the DSCP value to use for this access list.
{protocol <protocol_type> Specifies the protocol type or IP header to use with this access | next_header <header>} list. src-port-min <port> srcport-max <port> dst-port-min <port> dstport-max <port> flow-id <flowid> drop-action {drop | pass} update-dscp <0 - 63> update-1p <0 - 7> Specifies the minimum and maximum source ports to use with this access list. Both values must be specified. Specifies the minimum and maximum destination ports to use with the access list. Both values must be specified. Specifies the flow ID to use with this access list. Specifies the drop action to use for this access list. Specifies the DSCP value to update for this access list. Specifies the 802.1p value to update for this access list.
set-drop-prec {high drop | Specifies the drop precedence to configure for this access list. low drop} block <block_name> Specifies the block name to associate with the access list.
Removing an IP access list

Remove an IP access list by performing this procedure.
Remove an access list by using the following command from Global Configuration mode. no qos ip-acl <aclid>
182
August 20, 2010
Creating a Layer 2 access list

Create a Layer 2 access list by performing this procedure.
Create an access list by using the following command from Global Configuration mode. qos l2-acl name <name> [src-mac <source_mac_address>] [src-macmask <source_mac_address_mask>] [dst-mac <destination_mac_address>] [dst-mac-mask <destination_mac_address_mask>] [vlan-min <vid_min> vlan-max <vid_max>] [vlan-tag <vtag>] [ethertype <etype>] [priority <ieee1p_seq>] [drop-action {drop | pass}] [update-dscp <0 63>] [update-1p <0 - 7>] [set-drop-prec {high-drop | lowdrop}] [block <block_name>] Note: Possible values for vlan-max are based on the binary value of vlan-min, and are obtained by replacing consecutive trailing zeros in this binary value with ones, starting at the right-most position. For example, if vlan-min = 200, then there are 4 possible values for vlan-max: 11001000 (200) 11001001 (201) 11001011 (203) 11001111 (207) The value of vlan-max is vlan-min + 2n - 1, where n is the number of consecutive trailing zeros replaced.
Variable name <name> src-mac <source_mac_address> src-mac-mask <source_mac_address_ mask> [dst-mac <destination_mac_addre ss>] dst-mac-mask <destination_mac_addre ss_mask> Value Specifies the name assigned to this access list. Specifies the source MAC address to use for this access list. Specifies the source MAC address mask to use for this access list. Specifies the destination MAC address to use for this access list.
Specifies the destination MAC address mask to use for this access list.
vlan-min <vid_min> vlan- Specifies the minimum and maximum VLANs to use with this max <vid_max> access list. Both values must be specified.
August 20, 2010
183
Variable vlan-tag <vtag> ethertype <etype> priority <ieee1p_seq> drop-action {drop | pass} update-dscp <0 - 63> update-1p <0 - 7>
Value Specifies the VLAN tag to use with this access list. Specifies the Ethernet protocol type to use with the access list. Specifies the priority value to use with this access list. Specifies the drop action to use for this access list. Specifies the DSCP value to update for this access list. Specifies the 802.1p value to update for this access list.
set-drop-prec {high-drop | Specifies the drop precedence to configure for this access list. low-drop} block <block_name> Specifies the block name to associate with the access list.
Removing a Layer 2 access list

Remove a Layer 2 access list by performing this procedure.
Remove an access list by using the following command from Global Configuration mode. no qos l2-acl <aclid>
Configuring Elements, Classifiers, and Classifier Blocks

Use the CLI commands in this section to configure elements, classifiers, and classifier blocks. Navigation Configuring IP classifier element entries on page 185 Viewing IP classifier entries on page 186 Removing IP classifier entries on page 186 Adding Layer 2 elements on page 186 Viewing Layer 2 elements on page 188 Removing Layer 2 elements on page 188 Linking IP and L2 classifier elements on page 188 Removing classifier entries on page 189
184
August 20, 2010
Combining individual classifiers on page 189 Removing classifier block entries on page 190
Configuring IP classifier element entries

Use the following procedure to add and configure classifier entries.
Add and configure classifier entries by using the following command from Global Configuration mode. qos ip-element <cid> [addr-type <addrtype>] [ds-field <dscp>] [dst-ip <dst-ip-info>] [dst-port-min <port>] [flow-id <flowid>] [ip-flag <ip-flags>] [ipv4-options <no-opt | with-opt>] [nextheader <nextheader>] [session-id] [src-ip <src-ip-info>] [srcport-min <port>] [tcp-control <tcp-flags>]
Variable <cid> addr-type <addrtype> Value Specifies the element ID, value ranges from 155000. Specifies the address type. Use the value ipv4 to indicate an IPv4 address or the value ipv6 to indicate an IPv6 address. The default value is ipv4. Specifies a 6-bit DSCP value; value ranges from 0 63. Default is ignore. Specifies the source IP address and mask in the form of a.b.c.d/x for IPv4, or x:x:x:x:x:x:x:x/z for IPv6. Default is 0.0.0.0. Specifies the L4 destination port minimum value. Specifies the IPv6 flow identifier. Specifies the flags present in an IPv4 header. Specifies whether the Option field is present in the packet header. Valid values are no-optindicates that only IPv4 packets without options will match this classifier element. with-optindicates that only IPv4 packets with options will match this classifier element.
ds-field <0-63> dst-ip <dst-ip-info>
dst-port-min <port> flow-id <flowid> ip-flag <ip-flags> ipv4-options <no-opt | with-opt>
August 20, 2010
185
Variable next-header src-ip <src-ip-info>
Value Specifies the IPv6 next header classifier criteria; range is 0255. Specifies the source IP address and mask in the form of a.b.c.d/x for IPv4, or x:x:x:x:x:x:x:x/z for IPv6. Default is 0.0.0.0. Specifies the session ID. Specifies the L4 source port minimum value. Specifies the control flags present in an TCP header.
session-id src-port-min <port> tcp-control <tcp-flags>
Viewing IP classifier entries

View IP classifier entries by performing this procedure.
View IP classifier element entries by using the following commands from the Privileged EXEC Configuration mode. show qos ip-element [<1-65535>] [all] [system] [user]
Removing IP classifier entries

Use the following procedure to remove IP classifier entries. Note: An IP element that is referenced in a classifier cannot be deleted.
Remove IP classifier entries by using the following command from Global Configuration mode. no qos ip-element <1-55000>
Adding Layer 2 elements

Use the following procedure to add Layer 2 elements. Note: A Layer 2 element referenced in a classifier cannot be deleted.
186
August 20, 2010
Add Layer 2 elements by using the following command from the Global Configuration mode. qos l2-element <1-55000> [dst-mac <dst-mac>] [dst-mac-mask <dst-mac-mask>] [ethertype <etype>] [ivlan-min <vid-min>] [pkttype <etherII | llc | snap>] [priority <ieee1p-seq>] [sessionid <session-id>] [src-mac <src-mac>] [src-mac-mask <src-macmask>] [vlan-min <vid-min>] [vlan-tag <vtag>]
Variable <1-55000> dst-mac <dst-mac> dst-mac-mask <dst-mac-mask> ethertype <etype> ivlan-min <vid-min> pkt-type <etherII | llc | snap> Value Specifies the element ID; range is 155000. Specifies the destination MAC element criteria. Valid format is H.H.H. Specifies the destination MAC mask element criteria. Valid format is H.H.H. Specifies the Ethernet type. Valid format is 0xXXXX, for example, 0x0801. Default is ignore. Specifies the inner VLAN ID minimum value element criteria. Range is 14094. Specifies the packet frame format. etherIIindicates that only Ethernet II format frames match this classifier component. snapindicates that only EEE 802 SNAP format frames match this classifier component. llcindicates that only IEEE 802 LLC format frames match this classifier component. priority <ieee1p-seq> session-id <session-id> src-mac <src-mac> src-mac-mask <src-mac-mask> vlan-min <vid-min> Specifies the 802.1p priority values; range from 07 or all. Default is ignore. Specifies the session ID. Specifies the source MAC element criteria. Enter in the format H.H.H. Specifies the source MAC mask element criteria. Valid format is H.H.H. Specifies the VLAN ID minimum value element criteria. Range is 14094.
August 20, 2010
187
Variable vlan-tag <format> untagged tagged
Value Specifies the packet format element criteria:
The default is Ignore.
Viewing Layer 2 elements

View Layer 2 elements by performing this procedure.
View Layer 2 element entries by using the following commands from the Privileged EXEC Configuration mode. show qos l2-element [<1-65535>] [all] [system] [user]
Removing Layer 2 elements

Use the following procedure to delete Layer 2 element entries.
Delete element entries by using the following command from Global Configuration mode. no qos l2-element <1-55000>
Linking IP and L2 classifier elements

Use the following procedure to link IP and L2 classifier elements. Note: A classifier that is referenced in a classifier block or installed policy cannot be deleted.
Link elements by using the following command from Global Configuration mode. qos classifier <1-55000> set-id <1-55000> [name <WORD>] element-type {ip | l2 | system} element-id <1-55000>
188
August 20, 2010
Variable classifier <1-55000> set-id <1-55000> name <WORD> element-type {ip| l2 |system} element-id <1-55000> Value Specifies the classifier ID; range is 155000. Specifies the classifier set ID; range is 155000. Specifies the set label; maximum is 16 alphanumeric characters. Specifies the element type; either ip or l2, or system classifier. Specifies the element ID; range is 155000.
Removing classifier entries

Use the following procedure to delete classifier entries. Note: Each classifier can have only a single IP classifier element plus a single L2 classifier element or system classifier element. However, a classifier can be created using only one IP classifier element or only one L2 classifier element or only one system classifier element.
Delete classifier entries by using the following command from Global Configuration mode. no qos classifier <1-55000>
Combining individual classifiers

Use the following procedure to combine individual classifiers. Note: A classifier block that is referenced in an installed policy cannot be deleted.
Combine individual classifiers by using the following command from Global Configuration mode. qos classifier-block <1-55000> block-number <1-55000> [name <WORD>]{set-id <1-55000> | set-name <WORD>} [{in-profileaction <1-55000> | in-profile-action-name <WORD>} | {meter <1-55000> | meter-name <WORD>}]
August 20, 2010
189
Variable classifier-block<1-55000> block-number <1-55000> name <WORD> set-id <1-55000> set-name <WORD> in-profile-action <1-55000> in-profile-action-name <WORD> meter <1-55000> meter-name <WORD> Value Specifies an the classifier block ID; range is 155000. Specifies the classifier block number; range is 155000. Specifies the label for the classifier block; maximum is 16 alphanumeric characters. Specifies the classifier set to be linked to the classifier block; range is 155000. Specifies the classifier set name to be linked to the classifier block; maximum is 16 alphanumeric characters. Specifies the in profile action to be linked to the filter block; range is 155000. Specifies the in profile action name to be linked to the classifier block; maximum is 16 alphanumeric characters. Specifies the meter to be linked to the classifier block; range is 155000. Specifies the meter name to be linked to the classifier block; maximum is 16 alphanumeric characters.
Removing classifier block entries

Use the following procedure to delete classifier block entries.
Delete classifier block entries by using the following command from Global Configuration mode. no qos classifier-block <1-55000>
Configuring wired Quality of Service

This chapter discusses how to configure DiffServ and Quality of Service (QoS) parameters for policy-enabled networks. Note: When the ignore value is used in QoS, the system matches all values for that parameter.
190
August 20, 2010
Navigation Displaying QoS Parameters on page 191 Displaying QoS capability policy configuration on page 195 Configuring Access Lists on page 180 Configuring QoS Security QoS Agent configuration on page 196 Configuring Default Buffering Capabilities on page 198 Configuring the CoS-to-Queue Assignments on page 199 Configuring QoS Interface Groups on page 200 Configuring DSCP and 802.1p and Queue Associations on page 201 Configuring Elements, Classifiers, and Classifier Blocks on page 184 Configuring QoS system-element on page 203 Configuring QoS Actions on page 205 Configuring QoS Interface Action Extensions on page 207 Configuring QoS Meters on page 208 Configuring QoS Interface Shaper on page 210 Configuring QoS Policies on page 211 QoS Generic Filter set configuration on page 213 Configuring User Based Policies on page 215 Maintaining the QoS Agent on page 218 Configuring DoS Attack Prevention Package on page 221
Displaying QoS Parameters

Display QoS parameters by performing this procedure.
Display QoS parameters by using the following command from Privileged EXEC mode. show qos { acl-assign <1 - 65535> | action [user | system | all | <1-65535>] | agent [details]| arp {spoofing [port] } | bpdu {blocker [port] } | capability [meter|shaper] | classifier [user | system | all | <1-65535>] | classifier-block [user | system | all |<1-65535> ] | dhcp {snooping [port] | spoofing [port] } | diag [unit] | dos {nachia [port] | sqlslam [port] | tcp-dnsport [port] | egressmap [ds| status]| if-actionextension [user | system | all | <1-65535>] | if-assign [port] | if-group | if-shaper [port] | ingressmap | ip-acl <1 - 65535> | ip-element [user | system | all | <1-65535>] | l2-acl <1 -
August 20, 2010
191
65535> | l2-element [user | system | all | <1-65535>] | meter [user | system | all | <1-65535>] | nsna | policy [user | system | all | <1-65535>] | queue-set | queue-set-assignment | statistics <1-65535> | system-element [user | system | all | <1-65535>] | ubp | user-policy}
Variable acl-assign <1 - 65535> Value Displays the specified access list assignment entry. <1-65535>Displays a particular entry. action [<1-65535> | all | system | user] Displays the base action entries. The applicable values are: <1-65535>displays a particular entry. alldisplays user-created, default, and system entries. systemdisplays only system entries. userdisplays only user-created and default entries. Default is all. agent <details> arp spoofing bpdu blocker Displays the global QoS parameters. detailsdisplays the policy class support table. Displays QoS ARP spoofing prevention settings. This parameter not available on 8100 Series. Displays QoS BPDU settings. blockerdisplays QoS BPDU blocker settings. This parameter not available on 8100 Series. Displays the current QoS meter and shaper capabilities of each interface. The applicable values are: meterdisplays QoS port meter capabilities. shaperdisplays QoS port shaper capabilities. classifier [<1-65535> | all | system user] Displays the classifier set entries. The applicable values are: <1-65535>displays a particular entry. alldisplays all user-created, default, and system entries. systemdisplays only system entries. userdisplays only user-created and default entries. Default is all.
capability [meter | shaper]
192
August 20, 2010
Variable
Value
classifier-block [<1-65535> Displays the classifier block entries. The applicable values are: | all | system | user] <1-65535>displays a particular entry. alldisplays all user-created, default, and system entries. systemdisplays only system entries. userdisplays only user-created and default entries. Default is all. dhcp [snooping | spoofing] Displays QoS DHCP settings. The applicable values are: snoopingdisplays QoS DHCP snooping settings. spoofingdisplays QoS DHCP spoofing prevention settings. This parameter not available on 8100 Series. diag [unit] Displays the diagnostics entries. unit <1-8>displays diagnostic entries for particular unit
dos [nachia | sqlslam | tcp- Displays QoS DoS settings. The applicable values are: dnsport | tcp-ftpport | tcp nachiadisplays QoS DoS Nachia settings. synfinscan | xmas] sqlslamdisplays QoS DoS SQLSlam settings. tcp-dnsportdisplays QoS DoS TCP DnsPort settings. tcp-ftpportdisplays QoS DoS TCP FtpPort settings. tcp-synfinscandisplays QoS DoS TCP SynFinScan settings. xmasdisplays QoS DoS Xmas settings. This parameter not available on 8100 Series. egressmap if-action-extension [<1-65535> | all | system | user] Displays the association between the DSCP and the 802.1p priority and drop precedence. Displays the interface action extension entries. The applicable values are: <1-65535>displays a particular entry. alldisplays all user-created, default, and system entries. systemdisplays only system entries. userdisplays only user-created and default entries. Default is all. if-assign [port] Displays the list of interface assignments. portList of ports. Displays the configuration for particular ports Displays the interface groups.
if-group
August 20, 2010
193
Variable if-shaper [port]
Value Displays the interface shaping parameters. portList of ports. Displays the configuration for particular ports Displays the 802.1p priority to DSCP mapping. Displays the specified IP access list assignment entry. <1-65535>displays a particular entry.
ingressmap ip-acl <1 - 65535>
ip-element [<1-65535> | all Displays the IP classifier element entries. The applicable | system | user] values are: <1-65535>displays a particular entry. alldisplays all user-created, default, and system entries. systemdisplays only system entries. userdisplays only user-created and default entries. Default is all. l2-acl <1 - 65535> Displays the specified Layer 2 access list assignment entry. <1-65535>displays a particular entry. l2-element [<1-65535> | all Displays the Layer 2 classifier element entries. The applicable | system | user] values are: <1-65535>displays a particular entry. alldisplays all user-created, default, and system entries. systemdisplays only system entries. userdisplays only user-created and default entries. Default is all. meter [<1-65535> | all | system | user] Displays the meter entries. The applicable values are: <1-65535>displays a particular entry. alldisplays all user-created, default, and system entries. systemdisplays only system entries. userdisplays only user-created and default entries. Default is all. nsna [classifier | interface | Displays QoS NSNA entries. The applicable values are: name] classifierdisplays QoS NSNA classifier entries. interfacedisplays QoS NSNA interface entries. namespecifies the label to display a particular NSNA template entry.
194
August 20, 2010
Variable policy [<1-65535> | all | system | user]
Value Displays the policy entries. The applicable values are: <1-65535>displays a particular entry. alldisplays all user-created, default, and system entries. systemdisplays only system entries. userdisplays only user-created and default entries. Default is all.
queue-set queue-set-assignment statistics <1-65535>
Displays the queue set configuration. Displays the association between the 802.1p priority to that of a specific queue. Displays the policy and filter statistics values. <1-65535>displays a particular entry.
system-element [<1-65535> | all | system | user]
Displays the system classifier element entries. The applicable values are: <1-65535>displays a particular entry. alldisplays all user-created, default, and system entries. systemdisplays only system entries. userdisplays only user-created and default entries.
ubp [classifier | interface | name]
Displays QoS UBP entries. The applicable values are: classifierdisplays QoS UBP classifier entries. interfacedisplays QoS UBP interface entries. namespecifies the label to display a particular UBP template entry.
user-policy
Displays QoS User Policy entries.
Displaying QoS capability policy configuration

Display QoS meter and shaper capabilities for system ports by performing this procedure.
Display QoS capability policy configuration by using the following command from Privileged EXEC mode: show qos capability {meter [port] | shaper [port]}
August 20, 2010
195
Variable meter [port] Value Displays granularity for committed rate, maximum committed rate and maximum bucket that can be used on ports for meters. portspecifies list of ports. Displays the information for particular ports Displays granularity for committed rate, maximum committed rate and maximum bucket that can be used on ports for shapers. portspecifies list of ports. Displays the information for particular ports
shaper [port]
QoS Agent configuration

The CLI commands detailed in this section allow for the configuration and management of the QoS Agent. Navigation Globally enabling and disabling QoS Agent support on page 196 Configuring a default queue set on page 197 Modifying default queue configuration on page 198
Globally enabling and disabling QoS Agent support

Perform this procedure to globally enable or disable QoS Agent support. The commands used in this procedure are available in Global Configuration mode. QoS Agent support is enabled by default. QoS Agent support cannot be disabled if QoS functionality is currently used by NSNA or UBP.
1. Globally enable QoS Agent support using the following command: qos agent oper-mode [enable] OR default qos agent [oper-mode] 2. Globally disable QoS Agent support using the following commands: qos agent oper-mode [disable] OR
196
August 20, 2010
no qos agent oper-mode [enable] Variable Definitions

Variable enable disable Value Enables QoS Agent functionality for the system. Disables QoS Agent functionality for the system.
Configuring a default queue set

Use the following procedure to specify the default queue set. Note: The default qos agent command has the same result as the qos agent reset-default command.
Configure the queue set by using the following command from Global Configuration mode. default qos agent [buffer | dos-attack-prevention | nt-mode | nvram-delay | queue-set | statistics-tracking | ubp] Variable Definitions
Variable buffer dos-attack-prevention nt-mode nvram-delay queue-set statistics-tracking ubp Value Restores default QoS resource buffer allocation. Restores default QoS DoS Attack Prevention. This parameter is only available on the 5600 Series switch. Restores default QoS NT application traffic processing mode. Restores default maximum time in seconds to write configuration data to a nonvolatile storage. Restores default QoS queue set. Restores default QoS statistics tracking support. Restores default QoS UBP support level.
Job aid: Viewing the QoS agent The following is an example for viewing the qos agent 5530-24TFD(config)#show qos agent QoS Operational Mode: Enabled QoS NVRam Commit Delay: 10 seconds QoS Queue Set: 2 QoS Buffering: Large QoS UBP Support Level: Low Security Local Data QoS Default Statistics Tracking: Aggregate QoS DOS Attack Prevention: Disabled Minimum TCP
August 20, 2010
197
Header Length: 20 Maximum IPv4 ICMP Length: 512 Maximum IPv6 ICMP Length: 512 QoS NT mode: Disabled
Modifying default queue configuration

Use the following procedure to modify the default queue configuration. Note: The queue-set value sets the number of queues in a queue set for each port type. The default value is 2.
Modify the configuration by using the following command from Global Configuration mode. qos agent queue-set <1-8>
Configuring Default Buffering Capabilities

Use the following CLI commands to display and modify the buffer allocation mode. Navigation Configuring default QoS resource buffer on page 198 Modifying QoS resource buffer allocation on page 198
Configuring default QoS resource buffer

Use the following procedure to allocate the default QoS resource buffer.
Restore the default the resource buffer by using the following command from Global Configuration mode. default qos agent buffer
Modifying QoS resource buffer allocation

Use the following procedure to modify QoS resource buffer allocation.
Modify resource buffer allocation by using the following command from Global Configuration mode.
198
August 20, 2010
qos agent buffer <regular | large | maximum> Variable Definitions

Variable buffer Value Modifies the QoS resource buffer allocation. The allowed buffer allocation modes for all QoS interfaces are as follows: regular large maximum Note: The buffer mode determines the level of resource sharing across interfaces sharing the same port hardware.
Configuring the CoS-to-Queue Assignments

Use the following CLI commands to display and modify CoS-to-queue assignments.
Configuring 802.1p priority values

Use the following procedure to associate the 802.1p priority values with a specific queue within a specific queue set. This association determines the egress scheduling treatment that traffic with a specific 802.1p priority value receives.
Configure priority values by using the following command from Global Configuration mode. qos queue-set-assignment queue-set <1-56> 1p <0-7> queue <1-8> Variable Definitions
Variable queue-set <1-56> 1p <0-7> queue <1-8> Value Specifies the queue-set, value ranges from 156. Specifies the 802.1p priority value for which the queue association is being modified; value ranges from 07. Specifies the queue within the identified queue set to assign the 802.1p priority traffic at egress, value ranges from 18.
August 20, 2010
199
Configuring QoS Interface Groups

Use the CLI commands in this section to add or delete ports to or from an interface group, or add or delete the interface groups themselves. Navigation Configuring ports for an interface group on page 200 Removing ports from an interface group on page 200 Creating an interface group on page 201 Removing an interface group on page 201
Configuring ports for an interface group

Use the following procedure to add ports to a defined interface group. Note: The system automatically removes the port from an existing interface group to assign it to a new interface group.
Add ports by using the following command from Interface Configuration mode. qos if-assign [port <portlist>] name [<WORD>] Variable Definitions
Variable port <portlist> name <WORD> Value Specifies the ports to add to interface group. Specifies name of interface group.
Removing ports from an interface group

Use the following procedure to delete ports from a defined interface group. Note: Ports not associated with an interface are considered QoS-disabled and may not have QoS operations applied until assigned to an interface group.
Delete ports by using the following command from Interface Configuration mode. no qos if-assign [port <portlist>]
200
August 20, 2010
Creating an interface group

Use the following procedure to create interface groups.
Create interface groups by using the following command from Global Configuration mode. qos if-group name <WORD> class <trusted | untrusted | unrestricted> Variable Definitions
Variable name <WORD> Value Specifies the name of the interface group; maximum is 32 USASCII. Name must begin with a letter a..z or A..Z.
class <trusted | untrusted Defines a new interface group and specifies the class of traffic | unrestricted> received on interfaces associated with this interface group: trusted untrusted unrestricted
Removing an interface group

Use the following procedure to delete interface groups. Note 1: An interface group referenced by an installed policy cannot be deleted. Note 2: An interface group associated with ports cannot be deleted.
Delete interface groups by using the following command from Global Configuration mode. no qos if-group name <WORD>
Configuring DSCP and 802.1p and Queue Associations

This section contains procedures used to configure DSCP, 802.1p priority and queue set associations.
August 20, 2010
201
Navigation Configuring DSCP to 802.1p priority on page 202 Restoring egress mapping entries to default on page 202 Configuring 802.1p priority to DSCP on page 203 Restoring ingress mapping entries to default on page 203
Configuring DSCP to 802.1p priority

Use the following procedure to configure DSCP-to-802.1p priority and drop precedence associations that are used for assigning these values at packet egress, based on the DSCP in the received packet.
Configure priority by using the following command from Global Configuration mode. qos egressmap [name <WORD>] ds <0-63> 1p <0-7> dp <low-drop | high-drop> Variable Definitions
Variable name <WORD> ds <0-63> Value Specifies the label for the egress mapping. Specifies the DSCP value used as a lookup key for 802.1p priority and drop precedence at egress when appropriate; range is between 0 and 63. Specifies the 802.1p priority value associated with the DSCP; range is between 0 and 7.
1p <0-7>
dp <low-drop | high-drop> Specifies the drop precedence values associated with the DSCP: low-drop high-drop
Restoring egress mapping entries to default

Use the following procedure to reset the egress mapping entries to factory default values.
Reset the entries by using the following command from Global Configuration mode. default qos egressmap
202
August 20, 2010
Configuring 802.1p priority to DSCP

Use the following procedure to configure 802.1p priority-to-DSCP associations that are used for assigning default values at packet ingress based on the 802.1p value in the ingressing packet.
Configure priority by using the following command from Global Configuration mode. qos ingressmap [name <WORD>] 1p <0-7> ds <0-63> Variable Definitions
Variable name <WORD> 1p <0-7> ds <0-63> Value Specifies the label for the ingress mapping. Specifies the 802.1p priority used as lookup key for DSCP assignment at ingress; range is between 0 and 7. Specifies the DSCP value associated with the target 802.1p priority; range is between 0 and 63.
Restoring ingress mapping entries to default

Use the following procedure to reset the ingress mapping entries to factory default values.
Reset the entries by using the following command from Global Configuration mode. default qos ingressmap
Configuring QoS system-element

Navigation Configuring system classifier element parameters on page 204 Viewing system classifier elements parameters on page 205 Removing system classifier element entries on page 205
August 20, 2010
203
Configuring system classifier element parameters

Use the following procedure to configure system classifier element parameters that may be used in QoS policies.
Configure system classifier element parameters by using the following command from Global Configuration mode. qos system-element <1-55000> [known-mcast | unknown-mcast | unknown-ucast] [pattern-format {tagged | untagged}] [patternip-version {ipv4 | ipv6 | non-ip}] [pattern-data <WORD> pattern-mask <WORD>] [session-id] Variable Definitions
Variable <1-55000> known-mcast unknown-mcast unknown-ucast Value Specifies the system classifier element entry id; range is 155000. Specifies the filter on known multicast destination address. Specifies the filter on unknown multicast destination address. Specifies the Filter on unknown unicast destination address.
pattern-format { tagged | untagged } Specifies the format of data/mask pattern. Specifies the available values are: tagged Data/mask pattern describes a tagged packet untaggedData/mask pattern describes an untagged packet pattern-data <WORD> Specifies the byte pattern data to filter on. Note: The format of the WORD string is in the form of XX:XX:XX:....:XX. Specifies the byte pattern mask to filter on. Note: The format of the WORD string is in the form of XX:XX:XX:....:XX. Specifies the IP version of the pattern data or mask.
pattern-mask <WORD>
pattern-ip-version
204
August 20, 2010
Variable
Value ipv4Filter IPv4 Header ipv6Filter IPv6 Header non-ipFilter non-ip packets
session-id
Specifies the session ID.
Viewing system classifier elements parameters

View system classifier elements parameters by performing this procedure.
View system classifier elements parameters by using the following commands from the Privileged EXEC Configuration mode. show qos system-element [<1-65535>] [all] [system] [user]
Removing system classifier element entries

Use the following procedure to remove system classifier element entries.
Remove system classifier element entries by using the following command from Global Configuration mode. no qos system-element <1-55000>
Configuring QoS Actions

The configuration of QoS actions directs the WC 8180 to take specific action on each packet. This section covers the following CLI commands. Navigation Creating and updating QoS actions on page 205 Removing QoS actions on page 207
Creating and updating QoS actions

Use the following procedure to create and update QoS actions.
August 20, 2010
205
Note: Certain options can be restricted based on the policy associated with the specific action. An action that is referenced in a meter or an installed policy cannot be deleted.
Create or update QoS actions by using the following command from Global Configuration mode. qos action <10-55000> [name <WORD>] [drop-action <enable | disable | deferred-pass>] [update-dscp <0-63>] [update-1p {<0-7> | use-tos-prec | use-egress}] [set-drop-prec <low-drop | high-drop>] [action-ext <1-55000> | action-ext-name <WORD>] Variable Definitions
Variable <10-55000> name <WORD> Value Specifies the QoS action; range is 1055000. Assigns a name to a QoS action with the designated action ID. Enter the name for the action; maximum is 16 alphanumeric characters
drop-action<enable | disable Specifies whether packets are dropped or not: | deferred-pass> enabledrop the traffic flow disabledo not drop the traffic flow deferred-passtraffic flow decision deferred to other installed policies Default is deferred pass. Note: If you omit this parameter, the default value applies. update-dscp <0-63> Specifies whether DSCP value are updated or left unchanged; unchanged equals ignore. Enter the 6-bit DSCP value; range is 0 to 63. Default is ignore. Specifies whether 802.1p priority value are updated or left unchanged; unchanged equals ignore: ieee1penter the value you want; range is 0 to 7 use-egressuses the egress map to assign value use-tos-precuses the type of service precedence to assign value. Default is ignore. Note: Requires specification of update-dscp value. set-drop-prec <low-drop | high-drop> Specifies the drop precedence value: low-drop high-drop
update-1p<0-7>
206
August 20, 2010
Variable Default is low-drop. action-ext <1-55000> action-ext-name <WORD>
Value
Specifies the action extension; range is 155000. Specifies a label for the action extension; maximum is 16 alphanumeric characters.
Removing QoS actions

Use the following procedure to delete QoS action entries. Note: An action cannot be deleted if referenced by a policy, classifier block, or meter.
Delete QoS action entries by using the following command from Global Configuration mode. no qos action <10-55000>
Configuring QoS Interface Action Extensions

QoS interface action extensions direct the WC 8180 to take specific action on each packet. This section covers the following CLI commands. Navigation Creating interface action extension entries on page 207 Removing interface action extension entries on page 208
Creating interface action extension entries

Use the following procedure to create interface action extension entries. Note: An interface extension that is referenced in an action entry cannot be deleted.
Create interface action extension entries by using the following command from Global Configuration mode. qos if-action-extension <1-55000> [name <WORD>] {egress-ucast <port> | egress-non-ucast <port>}
August 20, 2010
207
Variable <1-55000> name <WORD> Value Specifies the QoS action. The range is 155000 Assigns a name to a QoS action with the designated action ID. Enter the name for the action; maximum is 16 alphanumeric characters Specifies redirection of unicast/non-unicast to specified port.
egress-ucast <port> | egress-nonucast <port>
Removing interface action extension entries

Use the following procedure to remove interface action extension entries.
Remove interface action extension entries by using the following command from Global Configuration mode. no qos if-action-extension <1-55000>
Configuring QoS Meters

Use the following CLI commands to set the meters, if you want to meter or police the traffic, configure the committed rate, burst rate, and burst duration. Navigation Creating QoS meter entries on page 208 Removing QoS meter entries on page 209
Creating QoS meter entries

Use the following procedure to create QoS meter entries.
Create QoS meter entries by using the following command from Global Configuration mode. qos meter <1-55000> [name <WORD>] committed-rate <64-10230000> {burst-size <burst-size> max-burst-rate <64-4294967295> [maxburst-duration <1-4294967295>]} {in-profile-action <1-55000> |
208
August 20, 2010
in-profile-action-name <WORD>} {out-profile-action <1,9-55000> | out-profile-action-name <WORD>} Variable Definitions

Variable <1-55000> name <WORD> committed-rate <64-10230000> Value Specifies the QoS meter; range is 155000. Specifies name for meter; maximum is 16 alphanumeric characters. Specifies rate that traffic must not exceed for extended periods to be considered in-profile. Enter the rate in Kb/s for in-profile traffic in increments of 1000 Kbits/ sec; range is 64 to 10230000 Kbits/sec. Committed burst size in Kilobytes. The value range is: 4, 8, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384. Specifies the largest burst of traffic that can be received a given time for the traffic to be considered in-profile. Used in calculating the committed burst size. Enter the burst size in Kb/s for in-profile traffic; range is 64 to 4294967295 Kbits/sec. Specifies the amount of time that the largest burst of traffic that can be received for the traffic to be considered in-profile. Used in calculating the committed burst size. Enter the burst duration in ms for in-profile traffic; range is 14294967295 ms. Specifies the in-profile action ID; range is 155000. Specifies the in-profile action name. Specifies the out-of-profile action ID; range is 1,9 to 55000. Specifies the out of profile action name.
burst-size <4,8,16,...,16384>
max-burst-rate <64-4294967295>
max-burst-duration <1-4294967295>
in-profile-action <1-55000> in-profile-action-name <WORD> out-profile-action <1,9-55000> out-profile-action-name <word>
Removing QoS meter entries

Use the following procedure to delete QoS meter entries. Note: A meter that is referenced in an installed policy or classifier block cannot be deleted.
Remove QoS meter entries by using the following command from Global Configuration mode.
August 20, 2010
209
no qos meter <1-55000>
Configuring QoS Interface Shaper

Navigation Configuring interface shaping on page 210 Disabling interface shaping on page 211
Configuring interface shaping

Use the following procedure to configure interface shaping.
Configure interface shaping by using the following command from Interface Configuration mode. qos if-shaper [port <portlist>] [name <WORD>] shape-rate <64-10230000> {burst-size <burst-size> max-burst-rate <64-4294967295> [max-burst-duration <1-4294967295>]} Variable Definitions
Variable burst-size <4,8,16, ..., 16384> Value Specifies the committed burst size in Kilobytes. The value range is: 4, 8, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384. Specifies the ports to configure shaping parameters. Specifies name for if-shaper; maximum is 16 alphanumeric characters. Specifies the shaping rate in kilobits/sec; range is 64-10230000 kilobits/sec. Specifies the largest burst of traffic that can be received a given time for the traffic to be considered in-profile. Used in calculating the committed burst size. Enter the burst size in Kb/s for in-profile traffic; range is 64 to 4294967295 Kbits/sec. Specifies the amount of time that the largest burst of traffic that can be received for the traffic to be considered in-profile. Used in calculating the
port <portlist> name <WORD> shape-rate <64-10230000> max-burst-rate <64-4294967295>
max-burst-duration <1-4294967295>
210
August 20, 2010
Variable
Value committed burst size. Enter the burst duration in ms for in-profile traffic; range is 14294967295 ms.
Disabling interface shaping

Use the following procedure to disable interface shaping.
Disable interface shaping by using the following command from Interface Configuration mode. no qos if-shaper [port <portlist>]
Configuring QoS Policies

Use the following CLI commands to configure QoS policies. Navigation Configuring QoS policies on page 211 Removing QoS policies on page 213
Configuring QoS policies

Use the following procedure to create and configure QoS policies. Note: All components associated with a policy, including the interface group, element, classifier, classifier block, action, and meter, must be defined before referencing those components in a policy.
Create a QoS policy by using the following command from Global Configuration mode. qos policy <1-55000> {enable|disable [name <WORD>] {port <port_list> | if-group <WORD>} clfr-type {classifier | block} {clfr-id <1-55000> | clfr-name <WORD>} {{in-profile-action <1-55000> | in-profile-action-name <WORD>} | meter <1-55000> | meter-name <WORD>}} [non-match-action <1-55000> | non-matchaction-name <WORD>] precedence <1-15> [track-statistics <individual | aggregate>]}
August 20, 2010
211
Variable <1-55000> enable|disable name <WORD> port <portlist> if-group <WORD> Value Specifies the QoS policy; range is 155000. Enables or disables the QoS policy. Specifies the name for the policy; maximum is 16 alphanumeric characters. Specifies the ports to which to directly apply this policy. Specifies the interface group name to which this policy applies; maximum number of characters is 32 USASCII. The group name must begin with a letter within the range a..z or A..Z. Specifies the classifier type; classifier or block. Specifies the classifier ID; range is 155000. Specifies the classifier name or classifier block name; maximum is 16 alphanumeric characters. Specifies the action ID for in-profile traffic; range is 1 55000. Specifies the action name for in-profile traffic; maximum is 16 alphanumeric characters. Specifies meter ID associated with this policy; range is 155000. Specifies the meter name associated with this policy; maximum of 16 alphanumeric characters. Specifies the action ID for non-match traffic; range is 155000. This parameter is not applicable to 5600 Series switches. Specifies the action name for non-match traffic; maximum is 16 alphanumeric characters. Specifies the precedence of this policy in relation to other policies associated with the same interface group. Enter precedence number; range is 115. Note: Policies with a lower precedence value are evaluated after policies with a higher precedence number. Evaluation goes from highest value to lowest. Specifies statistics tracking on this policy, either: individualstatistics on individual classifiers aggregateaggregate statistics
clfr-type <classifier | block> clfr-id <1-55000> clfr-name <WORD> in-profile-action <1-55000> in-profile-action-name <WORD> meter <1-55000> meter-name <WORD> non-match-action <1-55000>
non-match-action-name <WORD> precedence <1-15>
track-statistics <individual | aggregate>
212
August 20, 2010
Removing QoS policies

Use the following procedure to disable QoS policy entries. Policies can be enabled using the qos policy <policynum> enable command. Remove QoS policy entries by using the following command from Global Configuration mode. no qos policy <1-55000>
QoS Generic Filter set configuration

This section contains procedures used to configure and manipulate a generic filter set. Navigation Configuring a traffic profile classifier entry Configuring a traffic profile set on page 213 Deleting a classifier, classifier block, or an entire filter set on page 217 Viewing filter descriptions on page 217
Configuring a traffic profile set

Configure a traffic profile set by performing the following procedure.
Use the following command to configure a traffic profile classifier entry. qos traffic-profile set port <port> name <name> [commited-rate <64-10230000>] [drop-nm-action <drop | pass>] [enable] This command is used in the Global Configuration mode. Variable Definitions
Variable port <port> name <name> commited-rate <64-10230000> Value Specifies the ports to apply the traffic profile to. Specifies the name of the traffic profile. Specifies the committed rate in Kilobits per second.
August 20, 2010
213
Variable drop-nm-action <drop | pass>
Value Specifies the action to take when the packet is nonmatching. This action is applied to all traffic that was not previously matched by the specified filtering data. Options are drop (packet is dropped) and pass (packet is not dropped). Enables the traffic profile.
enable
Deleting a classifier, classifier block, or an entire filter set

Delete a filter classifier or set by performing this procedure.
1. Delete a Traffic Profile classifier by using the following command from the Global Configuration mode. no qos traffic-profile classifier name <classifier-name> 2. Delete a Traffic Profile set by using the following command from the Global Configuration mode. no qos traffic-profile set {name <name> | port <port>}
Viewing filter descriptions

View filter descriptions by performing this procedure.
1. View classifier entries by using the following commands from the Privileged EXEC Configuration mode. show qos traffic-profile classifier OR show qos traffic-profile classifier name <classifier name> 2. View the parameters for a specific set by using the following command from the Privileged EXEC Configuration mode. show qos traffic-profile set <set name> port <port> 3. View ports and the filter sets assigned to those ports by using the following command from the Privileged EXEC Configuration mode. show qos traffic-profile interface
214
August 20, 2010
Configuring User Based Policies

Use the following procedure to configure User Based Policies.
Configure User Based Policies by using the following command from the Global configuration mode. qos ubp Note: To modify an entry in a filter set, you must delete the entry and add a new entry with the desired modifications.
Variable Value
classifier name [addr-type {ipv4| Creates the User Based Policy classifier entry. ipv6}] [block] [drop-action] [dsOptional parameters: field] [dst-ip] [dst-mac] [dst-port addr-type {ipv4|ipv6} specifies the type of IP address min] [ethertype] [eval-order] [flowused by this classifier entry. The type is limited to id] [next-header] [priority] [protocol] IPv4 and IPv6 addresses. [set-drop-prec] [src-ip] [src-mac] [src-port-min] [update-1p] [update- block specifies the label to identify access list elements that are of the same block. dscp] [vlan-min] [ vlan-tag] drop-action specifies whether or not to drop nonconforming traffic. ds-field specifies the value for the DiffServ Codepoint (DSCP) in a packet. dst-ip specifies the IP address to match against the destination IP address of a packet. dst-mac specifies the MAC address against which the MAC destination address of incoming packets is compared. dst-port-min specifies the minimum value for the layer 4 destination port number in a packet. dstport-max must be terminated prior to configuring this parameter. ethertype specifies a value indicating the version of Ethernet protocol being used. eval-order specifies the evaluation order for all elements with the same name.
August 20, 2010
215
Variable
Value flow-id specifies the flow identifier for IPv6 packets. next-header specifies the IPv6 next-header value. Values are in the range 0-255. priority specifies a value for the 802.1p user priority. protocol specifies the IPv4 protocol value. set-drop-prec specifies drop precendence src-ip specifies the IP address to match against the source IP address of a packet. src-mac specifies the MAC source address of incoming packets. src-port-min specifies the minimum value for the Layer 4 source port number in a packet. srcport-max must be terminated prior to configuring this parameter. update-1p specifies an 802.1p value used to update user priority. update-dscp specifies a value used to update the DSCP field in an IPv4 packet. vlan-min specifies the minimum value for the VLAN ID in a packet. vlan-max must be terminated prior to configuring this parameter. vlan-tag specifies the type of VLAN tagging in a packet.
set name [commited-rate] [dropnm-action] [drop-out-action] [maxburst-rate] [max-burst-duration] [update-dscp-out-action] [setpriority]
Creates the User Based Policy set. Optional parameters: commited-rate specifies the commited rate in Kbps. drop-nm-action specifies the action to take when the packet is non-matching. This action is applied to all traffic that was not previously matched by the specified filtering data. Options are enable (packet is dropped) and disable (packet is not dropped). drop-out-action specifies the action to take when a packet is out-of-profile. This action is only applied if metering is being enforced, and if the traffic is deemed out of profile based on the level of traffic and the metering criteria. Options are enable (packet is dropped) and disable (packet is not dropped). max-burst-rate specifies the maximum number of bytes allowed in a single transmission burst.
216
August 20, 2010
Variable
Value max-burst-duration specifies the maximum burst duration in milliseconds. update-dscp-out-action specifies an updated DSCP value for an IPv4 packet for out of profile traffic.. set-priority specifies the priority level of this filter set.
Deleting a classifier, classifier block, or an entire filter set

Use the following procedure to delete a classifier, classifier block, or filter set. Note: You cannot reset QoS defaults if the EAP/NEAP UBP support references a QoS UBP filter set.
1. Delete an entire filter set by using the following command from the Global configuration mode. no qos ubp name <filter name> Note: You cannot delete a filter set while it is in use. 2. Delete a classifier by using the following command from the Global configuration mode. no qos ubp name <filter name> eval-order <value>
Viewing filter descriptions

Use the following procedure to view User-based Policy filter parameters, view parameters for a specific filter set, view ports and associated filter sets, and view classifier entries.
1. View User Based Policy filter parameters by using the following command from the Privileged EXEC configuration mode. show qos ubp 2. View the parameters for a specific filter set by using the following command from the Privileged EXEC configuration mode. show qos ubp name <filter name> 3. View ports and the filter sets assigned to those ports by using the following command from the Privileged EXEC configuration mode.
August 20, 2010
217
show qos ubp interface 4. View classifier entries by using the following command from the Privileged EXEC configuration mode. show qos ubp classifier
Maintaining the QoS Agent

Use the following CLI commands to maintain the QoS agent. Navigation Resetting QoS to factory default state on page 218 Configuring QOS NT mode on page 218 Configuring QoS UBP support on page 219 Configuring QoS statistics tracking type on page 219 Configuring NVRAM delay on page 220 Resetting NVRAM delay to default on page 220 Resetting the QoS agent on page 221
Resetting QoS to factory default state

Use the following procedure to delete all user-defined entries, remove all installed policies, and reset the system to its QoS factory default values. Note 1: You cannot reset QoS defaults if the NSNA application references a QoS NSNA filter set. Note 2: You cannot reset QoS defaults if the EAP/NEAP UBP support references a QoS UBP filter set.
Reset QoS to factory defaults by using the following command from Global Configuration mode. qos agent reset-default
Configuring QOS NT mode

This procedure describes how to configure the QoS Agent NT mode.
218
August 20, 2010
Configure QoS NT mode by using the following command from Global Configuration mode. qos agent nt-mode [pure|mixed|disabled] Variable Definitions
Variable disabled mixed pure Value NT application traffic processing is disabled on all ports. NT application traffic processing enabled on all port with egress DSCP mapping. NT application traffic processing enabled on all ports without egress DSCP mapping.
Configuring QoS UBP support

Use the following procedure to configure the UBP support level.
Configure the UBP support level by using the following command from Global Configuration mode. qos agent ubp [disable|epm|high-security-local|low-securitylocal] Variable Definitions
Variable disable epm high-security-local low-security-local Value QoS agent rejects information forwarded by other applications. QoS Agent notifications generated for EPM based on user information forwarded by other applications. User may be rejected if resources needed to install the UBP filter set are not available. User may be accepted even if the UBP filter set could not be applied.
Configuring QoS statistics tracking type

This procedure describes the steps necessary to configure the type of statistics tracking used with QoS.
August 20, 2010
219
Configure the QoS statistics tracking type by using the following command from Global Configuration mode. qos agent statistics-tracking [aggregate|disable|individual] Variable Definitions
Variable aggregate disable individual Value Allocates a single statistics counter to track data for all classifiers contained in the QoS policy being created. Disable statistics tracking. Allocates individual statistics counters to track data for each classifier contained in the QoS policy being created.
Configuring NVRAM delay

Use the following procedure to specify the maximum amount of time, in seconds, before nonvolatile QoS configuration is written to non-volatile storage. Delaying NVRAM access can be used to minimize file input and output. This can aid QoS agent efficiency if a large amount of QoS data is being configured.
Configure NVRAM delay by using the following command from Global Configuration mode. qos agent nvram-delay <0-604800> Default is 10 seconds.
Resetting NVRAM delay to default

Use the following procedure to reset the NVRAM delay time to factory default.
Reset NVRAM delay to default by using the following command from Global Configuration mode. default qos agent nvram-delay
220
August 20, 2010
Resetting the QoS agent

Use the following procedure to delete all user-defined entries, remove all installed policies, and reset the system to its QoS factory default values.
Reset the QoS agent by using the following command from Global Configuration mode. default qos agent
Configuring DoS Attack Prevention Package

This section contains procedures used to configure the DoS Attack Prevention Package (DAPP). This feature is only applicable to the 8100 Series switch. Navigation Enabling DAPP on page 221 Configuring DAPP status tracking on page 221 Configuring DAPP minimum TCP header size on page 222 Configuring DAPP maximum IPv4 ICMP length on page 222 Configuring DAPP maximum IPv6 ICMP length on page 222
Enabling DAPP
This procedure describes the steps necessary to enable DAPP.
Enable DAPP by using the following command from Global Configuration mode: [no] qos agent dos-attack-prevention enable Use the no form of this command to disable.
Configuring DAPP status tracking

This procedure describes how to configure DAPP status tracking. Note: If adequate resources are not available to enable this feature the command will fail.
August 20, 2010
221
Enable DAPP status tracking by using the following command from Global Configuration mode: qos agent dos-attack-prevention status-tracking [enable | maxipv4-icmp | max-ipv6-icmp | min-tcp-header] Configuring DAPP maximum IPv6 ICMP length This procedure describes how to set the maximum IPv6 ICMP length used by DAPP.
Set the maximum IPv6 ICMP length by using the following command from Global Configuration mode: qos agent dos-attack-prevention max-ipv6-icmp <0-16383>
Configuring DAPP minimum TCP header size

This procedure describes how to set the minimum TCP header size used by DAPP.
Set the minimum TCP header size by using the following command from Global Configuration mode: qos agent dos-attack-prevention min-tcp-header <0-255>
Configuring DAPP maximum IPv4 ICMP length

This procedure describes how to set the maximum IPv4 ICMP length used by DAPP.
Set the maximum IPv4 ICMP length by using the following command from Global Configuration mode: qos agent dos-attack-prevention max-ipv4-icmp <0-1023>
Configuring Serviceability
This chapter describes the methods and procedures necessary to configure RMON and IPFIX.
222
August 20, 2010
Navigation Configuring RMON with the CLI on page 223 Configuring IPFIX using CLI on page 228
Configuring RMON with the CLI

This section describes the CLI commands used to configure and manage RMON. Navigation Viewing RMON alarms on page 223 Viewing RMON events on page 223 Viewing RMON history on page 224 Viewing RMON statistics on page 224 Setting RMON alarms on page 224 Deleting RMON alarm table entries on page 225 Configuring RMON event log and traps on page 226 Deleting RMON event table entries on page 226 Configuring RMON history on page 226 Deleting RMON history table entries. on page 227 Configuring RMON statistics on page 227 Disabling RMON statistics on page 228
Viewing RMON alarms

Use the following procedure to view RMON alarms.
1. Enter Privileged Executive mode. 2. Use the show rmon alarm command to display information about RMON alarms.
Viewing RMON events

Use the following procedure to display information regarding RMON events.
August 20, 2010
223
1. Enter Privileged Executive mode. 2. Enter the show rmon event command.
Viewing RMON history

Use this procedure to display information regarding the configuration of RMON history.
1. Enter Privileged Executive mode. 2. Enter the show rmon history [<port>] command. Variable Definitions
Variable <port> Definition The specified port number for which RMON history settings is displayed.
Viewing RMON statistics

Use the following procedure to display information regarding the configuration of RMON statistics.
1. Enter Privileged Executive mode. 2. Enter the show rmon stats command.
Setting RMON alarms

Use the following procedure to set
1. Enter Global Configuration mode. 2. Enter the rmon alarm <1-65535> <WORD> <1-2147483647> {absolute | delta} rising-threshold <-2147483648-2147483647> [<1-65535>]
224
August 20, 2010
falling-threshold <-2147483648-2147483647> [<1-65535>] [owner <LINE>] command. Variable Definitions

Parameter <1-65535> <WORD> <1-2147483647> absolute delta Description Unique index for the alarm entry. The MIB object to be monitored. This object identifier can be an English name. The sampling interval, in seconds. Use absolute values (value of the MIB object is compared directly with thresholds). Use delta values (change in the value of the MIB object between samples is compared with thresholds).
rising-threshold The first integer value is the rising threshold value. The optional <-2147483648-21474836 second integer specifies the event entry to be triggered after the 47 > [<1-65535>] rising threshold is crossed. If omitted, or if an invalid event entry is referenced, no event is triggered. falling-threshold The first integer value is the falling threshold value. The optional <-2147483648-21474836 second integer specifies the event entry to be triggered after the 47 > [<1-65535>] falling threshold is crossed. If omitted, or if an invalid event entry is referenced, no event is triggered. [owner <LINE>] Specify an owner string to identify the alarm entry.
Deleting RMON alarm table entries

Use the following procedure to delete RMON alarm table entries.
1. Enter Global Configuration mode. 2. Enter the no rmon alarm [<1-65535>] command. Variable Definitions
Variable [<1-65535>] Definition The number assigned to the alarm. If no number is selected, all RMON alarm table entries are deleted.
August 20, 2010
225
Configuring RMON event log and traps

Use the following procedure to configure RMON event log and trap settings.
1. Enter Global Configuration mode. 2. Enter the rmon event <1-65535> [log] [trap] [description <LINE>] [owner <LINE>] command. Variable Definitions
Parameter <1-65535> [log] [trap] [description <LINE>] [owner <LINE>] Description Unique index for the event entry. Record events in the log table. Generate SNMP trap messages for events. Specify a textual description for the event. Specify an owner string to identify the event entry.
Deleting RMON event table entries

Use the following procedure to clear entries in the table.
1. Enter Global Configuration mode. 2. Enter the no rmon event [<1-65535>] command to delete the entries. Variable Definitions
Variable [<1-65535>] Definition Unique identifier of the event. If not given, all table entries are deleted.
Configuring RMON history

Use the following procedure to configure RMON history settings.
226
August 20, 2010
1. Enter Global Configuration mode. 2. Enter the rmon history <1-65535> <LINE> <1-65535> <1-3600> [owner <LINE>] command to configure the RMON history.. Variable Definitions
Parameter <1-65535> <LINE> <1-65535> <1-3600> [owner <LINE>] Description Unique index for the history entry. Specify the port number to be monitored. The number of history buckets (records) to keep. The sampling rate (how often a history sample is collected). Specify an owner string to identify the history entry.
Deleting RMON history table entries.

Use this procedure to delete RMON history table entries.
1. Enter Global Configuration mode. 2. Enter the no rmon history [<1-65535>] command to delete the entries. Variable Definitions
Variable [<1-65535>] Definition Unique identifier of the event. If not given, all table entries are deleted.
Configuring RMON statistics

Use this procedure to configure RMON statistics settings.
1. Enter Global Configuration mode. 2. Enter the rmon stats <1-65535> <LINE> [owner <LINE>] command to configure RMON statistics.
August 20, 2010
227
Parameter <1-65535> [owner <LINE>] Description Unique index for the stats entry. Specify an owner string to identify the stats entry.
Disabling RMON statistics

Use this procedure to disable RMON statistics. If the variable is omitted, all entries in the table are cleared.
1. Enter Global Configuration mode. 2. Enter the no rmon stats [<1-65535>] command to disable RMON statistics. Variable Definitions
Variable <1-65535> Definition Unique index for the statistics entry. If omitted, all statistics are disabled.
Configuring IPFIX using CLI

This section describes the commands used in the configuration and management of IP Flow Information Export (IPFIX) using the CLI. Navigation Configuring IPFIX collectors on page 228 Enabling IPFIX globally on page 229 Configuring unit specific IPFIX on page 229 Enabling IPFIX on the interface on page 230 Enabling IPFIX export through ports on page 230 Deleting the IPFIX information for a port on page 231 Viewing the IPFIX table on page 231
Configuring IPFIX collectors

The ip ipfix collector command is used to configure IPFIX collectors. IPFIX collectors are used to collect and analyze data exported from an IPFIX compliant switch. In Software
228
August 20, 2010
Release 5.0, the only external collector supported is NetQOS. At this time, up to two collectors can be supported. IPFIX data is exported from the switch in Netflow version 9 format. Data is exported using UDP port 9995. IPFIX data is not load balanced when two collectors are in use. Identical information is sent to both collectors. Use the following procedure to configure the IPFIX collectors.
1. Enter Global Configuration mode. 2. Use the ip ipfix collector <unit_number> <collector_ip_address> command to configure the IPFIX collector. Variable Definitions
Parameter <unit_number> <collector_ip_address> Description The unit number of the collector. Currently up to two collectors are supported so the values 1 or 2 are valid. The IP address of the collector.
Enabling IPFIX globally

Use the following procedure to globally enable IPFIX on the switch.
1. Enter Global Configuration mode. 2. Use the ip ipfix enable command to enable IPFIX on the switch.
Configuring unit specific IPFIX

Use the following command to configure unit specific IPFIX parameters.
1. Enter Global Configuration mode. 2. Use the ip ipfix slot <unit_number> [aging-interval <aging_interval>] [export-interval <export_interval>] [exporter-enable] [template-refresh-interval
August 20, 2010
229
<template_refresh_interval>] [template-refresh-packets <template_refresh_packets>] command to enable IPFIX on the switch. Variable Definitions
Parameter <unit_number> <aging_interval> <export_interval> Description The unit number of the collector. Currently up to two collectors are supported so the values 1 or 2 are valid. The IPFIX aging interval. This value is in seconds from 0 to 2147400. The IPFIX export interval. This interval is the value at which IPFIX data is exported in seconds from 10 to 3600.
<template_refresh_interval The IPFIX template refresh interval. This value is in seconds > from 300 to 3600. <template_refresh_packet s> The IPFIX template refresh packet setting. This value is the number of packets from 10000 - 100000.
Enabling IPFIX on the interface

Use the following procedure to enable IPFIX on the interface.
1. Enter Interface Configuration mode. 2. Use the ip ipfix enable command to enable IPFIX on the interface.
Enabling IPFIX export through ports

Use the following procedure to enable the ports exporting data through IPFIX.
1. Enter Interface Configuration mode. 2. Use the ip ipfix port <port_list> command to enable IPFIX on the interface. Variable Definitions
Variable port-list Definition Single or comma-separated list of ports.
230
August 20, 2010
Deleting the IPFIX information for a port

Use the following procedure to delete the collected IPFIX information for a port.
1. Enter Privileged Executive mode. 2. Use the ip ipfix flush port <port_list> [export-and-flush] command to delete the collected IPFIX information for the port or ports. Variable Definitions
Variable port-list export-and-flush Definition Single or comma-separated list of ports. Export data to a collector before it is deleted.
Viewing the IPFIX table

Use the following procedure to display IPFIX data collected from the switch.
1. Enter Privileged Executive mode. 2. Use the show ip ipfix table <unit_number> sort-by <sort_by> sort-order <sort_order> display <num_entries> command view the IPFIX data. Variable Definitions
Variable <unit_number> <sort_by> Definition The unit number of the collector. Currently up to two collectors are supported so the values 1 or 2 are valid. The value on which the data is sorted. Valid options are: byte-count dest-addr first-pkt-time last-pkt-time pkt-count port
August 20, 2010
231
Variable protocol source-addr TCP-UDP-dest-port TCP-UDP-src-port TOS <sort_order> <num_entries>
Definition
The order in which the data is sorted. Valid options are ascending and descending. The number of data rows to display. Valid options are: all top-10 top-25 top-50 top-100 top-200
Configuring diagnostics and graphing

This chapter describes the methods and procedures necessary to configure diagnostics and graphing. Navigation System diagnostics and statistics using CLI on page 232 Network monitoring configuration using CLI on page 234
System diagnostics and statistics using CLI

This chapter describes the procedures you can use to perform system diagnostics and gather statistics using CLI. Navigation Viewing port-statistics on page 233 Displaying port operational status on page 233 Validating port operational status on page 233 Showing port information on page 234
232
August 20, 2010
Viewing port-statistics
Use this procedure to view the statistics for the port on both received and transmitted traffic.
1. Enter Global Configuration mode. 2. Enter the show port-statistics [port <portlist>] command. Variable Definitions
Variable port <portlist> Definition The ports to display statistics for. When no port list is specified, all ports are shown.
Displaying port operational status

Use this procedure to display the port operational status. Important: If you use a terminal with a width of greater than 80 characters, the output is displayed in a tabular format. 1. Enter Privileged Executive mode. 2. Enter the show interfaces [port list] verbose command. If you issue the command with no parameters the port status is shown for all ports. 3. Observe the CLI output.
Validating port operational status

VLACP: Configure VLACP on port 1 from a 8100 series unit and on port 2 on 5000 series unit. Have a link between these 2 ports. When the show interfaces command is typed, VLACP status is up for port on the unit where the command is typed. Pull out the link from the other switch, VLACP status goes Down. STP: After switch boots, type show interfaces command. STP Status is Listening (wait a few seconds and try again). STP Status becomes Learning.
August 20, 2010
233
After a while (15 seconds is the forward delay default value, only if you did not configure another time interval for STP forward delay), if you type show interfaces again, STP Status should be forwarding.
Showing port information

Perform this procedure to display port configuration information.
1. Enter Privileged Executive mode. 2. Enter the show interfaces <portlist> config command. 3. Observe the CLI output.
Network monitoring configuration using CLI

This section describes using CLI to view and configure network monitoring. Navigation Viewing CPU utilization on page 234 Viewing memory utilization on page 235 Configuring the system log on page 235 Configuring remote logging on page 237 Configuring port mirroring on page 239 Displaying Many-to-Many port-mirroring on page 241 Configuring Many-to-Many port-mirroring on page 242 Disabling Many-to-Many port-mirroring on page 243
Viewing CPU utilization

Use this procedure to view the CPU utilization
1. Enter Privileged Executive mode. 2. Enter the show cpu-utilization command. 3. Observe the displayed information.
234
August 20, 2010
Viewing memory utilization

Use this procedure to view the memory utilization
1. Enter Privileged Executive mode. 2. Enter the show memory-utilization command. 3. Observe the displayed information.
Configuring the system log

This section outlines the CLI commands used in the configuration and management of the system log. Navigation Displaying the system log on page 235 Configuring the system log on page 236 Disabling the system log on page 236 Setting the system log to default on page 236 Clearing the system log on page 236 Displaying the system log Use this procedure to displays the configuration, and the current contents, of the system event log.
Enter the show show logging [config] [critical] [serious] [informational] [sort-reverse] command Privileged Executive mode. Variable Definitions
Variable config critical serious informational sort-reverse Value Display configuration of event logging. Display critical log messages. Display serious log messages. Display informational log messages. Display informational log messages in reverse chronological order (beginning with most recent).
August 20, 2010
235
Configuring the system log Use this procedure to configure the system settings for the system event log.
Enter the logging [enable | disable] [level critical | serious | informational | none] [nv-level critical | serious | none] command Privileged Executive mode. Variable Definitions
Variable enable | disable Value Enables or disables the event log (default is Enabled).
level critical | serious | informational Specifies the level of logging stored in DRAM. | none nv-level critical | serious | none Specifies the level of logging stored in NVRAM.
Disabling the system log Use this procedure to disable the system event log.
Enter the no logging command in global configuration mode. Setting the system log to default Use this procedure to default the system event log configuration.
Enter the default logging command in global configuration mode. Clearing the system log Use this procedure to clear all log messages in DRAM.
Enter the clear logging system [non-volatile] [nv] [volatile] command in global configuration mode. Variable Definitions
Variable non-volatile nv Value Clears log messages from NVRAM. Clears log messages from NVRAM and DRAM.
236
August 20, 2010
Variable volatile
Value Clears log messages from DRAM.
Configuring remote logging

Use the CLI to configure remote logging. This section discusses the commands that enable remote logging. Navigation Displaying logging on page 237 Enabling remote logging on page 237 Disabling remote logging on page 237 Setting the remote logging address on page 238 Clearing the remote server IP address on page 238 Setting the log severity on page 238 Resetting the severity level on page 239 Setting the default remote logging level on page 239 Displaying logging Use this procedure to display the configuration and the current contents of the system event log.
1. Enter Global Configuration mode. 2. Enter the show logging command to display the log. Enabling remote logging Use this procedure to enable remote logging. By default, remote logging is disabled.
1. Enter Global Configuration mode. 2. Enter the logging remote enable command to enable the use of a remote syslog server. Disabling remote logging Use this procedure to disable remote logging.
August 20, 2010
237
1. Enter Global Configuration mode. 2. Enter the no logging remote enable command to disable the use of a remote syslog server. Setting the remote logging address Use this procedure to set the address of the remote server for the syslog.
1. Enter Global Configuration mode. 2. Enter the logging remote address <A.B.C.D> command to disable the use of a remote syslog server. Variable Definitions
Parameters and variables <A.B.C.D> Description Specifies the IP address of the remote server in dotted-decimal notation. The default address is 0.0.0.0.
Clearing the remote server IP address Use this procedure to clear the IP address of the remote server.
1. Enter Global Configuration mode. 2. Enter the no logging remote address command to clear the IP address of the remote syslog server. Setting the log severity Use this command to set the severity level of the logs sent to the remote server.
1. Enter Global Configuration mode. 2. Enter the logging remote level {critical | informational | serious | none} command to set the severity level of the logs that will be sent to the server.
238
August 20, 2010
Parameters and variables {critical | serious | informational | none} Description Specifies the severity level of the log messages to be sent to the remote server: critical informational serious none
Resetting the severity level Use this command to remove severity level setting
1. Enter Global Configuration mode. 2. Enter the no logging remote level command to remove the severity level of the logs that will be sent to the server. The level is set to none. Setting the default remote logging level Use this procedure to set the remote logging level to default.
1. Enter Global Configuration mode. 2. Enter the default logging remote level command to sets the severity level of the logs sent to the remote server. The default level is none.
Configuring port mirroring

Port mirroring can be configured with the CLI commands detailed in this section. Navigation Displaying the port-mirroring configuration on page 239 Configure port-mirroring on page 240 Disabling port-mirroring on page 241 Displaying the port-mirroring configuration Use this procedure to display the existing port-mirroring configuration.
August 20, 2010
239
1. Enter Privileged Executive mode. 2. Enter the show port-mirroring command to display the port-mirroring configuration. Configure port-mirroring Use this procedure to set the port-mirroring configuration
1. Enter Global Configuration mode. 2. Enter the port-mirroring mode {disable | Xrx monitor-port <portlist> mirror-ports <portlist> | Xtx monitor-port <portlist> mirror-ports <portlist> | ManytoOneRx monitorport <portlist> mirror-ports <portlist> | ManytoOneTx monitor-port <portlist> mirror-port-X <portlist> | ManytoOneRxTx monitor-port <portlist> mirror-port-X <portlist> | XrxOrXtx monitor-port <portlist> mirror-port-X <portlist> | XrxOrYtx monitor-port <portlist> mirror-port-X <portlist> mirror-port-Y <portlist> | XrxYtxmonitor-port <portlist> mirror-port-X <portlist> mirror-port-Y <portlist> | XrxYtxOrYrxXtx monitor-port <portlist> mirror-port-X <portlist> mirror-port-Y <portlist> | Asrc monitor-port <portlist> mirror-MAC-A <macaddr> | Adst monitor-port <portlist> mirror-MAC-A <macaddr> | AsrcOrAdst monitor-port <portlist> mirror-MAC-A <macaddr> | AsrcBdst monitor-port <portlist> mirror-MAC-A <macaddr> mirror-MAC-B <macaddr> | AsrcBdstOrBsrcAdst monitor-port <portlist> mirror-MAC-A <macaddr> mirror-MAC-B <macaddr>} command to display the portmirroring configuration. Variable Definitions
Parameter disable monitor-port mirror-port-X mirror-port-Y mirror-MAC-A mirror-MAC-B portlist Description Disables port-mirroring. Specifies the monitor port. Specifies the mirroring port X. Specifies the mirroring port Y. Specifies the mirroring MAC address A. Specifies the mirroring MAC address B. Enter the port numbers.
240
August 20, 2010
Parameter ManytoOneRx ManytoOneTx ManytoOneRxTx Xrx Xtx XrxOrXtx XrxYtx
Description Many to one port mirroring on ingress packets. Many to one port mirroring on egress packets. Many to one port mirroring on ingress and egress traffic. Mirror packets received on port X. Mirror packets transmitted on port X. Mirror packets received or transmitted on port X. Mirror packets received on port X and transmitted on port Y. This mode is not recommended for mirroring broadcast and multicast traffic. Mirror packets received on port X and transmitted on port Y or packets received on port Y and transmitted on port X. Mirror packets received on port X or transmitted on port Y. Enter the MAC address in format H.H.H. Mirror packets with source MAC address A. Mirror packets with destination MAC address A. Mirror packets with source or destination MAC address A. Mirror packets with source MAC address A and destination MAC address B. Mirror packets with source MAC address A and destination MAC address B or packets with source MAC address B and destination MAC address A.
XrxYtxOrXtxYrx
XrxOrYtx macaddr Asrc Adst AsrcOrAdst AsrcBdst AsrcBdstOrBsrcAdst
Disabling port-mirroring Use this procedure to disable port-mirroring
1. Enter Global Configuration mode 2. Enter the no port-mirroring command to disable port-mirroring. Displaying Many-to-Many port-mirroring Use this procedure to display Many-to-Many port-mirroring settings
August 20, 2010
241
1. Enter Privileged Executive mode 2. Enter the show port-mirroring command. 3. Observe the displayed information. Configuring Many-to-Many port-mirroring Use this procedure to configure Many-to-Many port-mirroring
1. Enter Global Configuration mode 2. Enter the port-mirroring <1-4> mode {disable | Adst | Asrc | AsrcBdst | AsrcBdstOrBsrcAdst | AsrcOrAdst | ManyToOneRx | ManyToOneRxTx | ManyToOneTx | Xrx | XrxOrXtx | XrxOrYtx | XrxYtx | XrxYtxOrYrxXtx | Xtx} command. 3. Enter the command from step 2 for up to four instances. Variable Definitions
Variable disable Adst Asrc AsrcBdst AsrcBdstOrBsrcAdst Disable mirroring. Mirror packets with destination MAC address A Mirror packets with source MAC address A. Mirror packets with source MAC address A and destination MAC address B. Mirror packets with source MAC address A and destination MAC address B or packets with source MAC address B and destination MAC address A. Mirror packets with source or destination MAC address A. Mirror many to one port mirroring on ingress packets. Mirror many to one port mirroring on ingress and egress packets. Mirror many to one port mirroring on egress packets. Mirror packets received on port X. Value
AsrcOrAdst ManyToOneRx ManyToOneRxTx ManyToOneTx Xrx
242
August 20, 2010
Variable XrxOrXtx XrxYtx XrxYtxOrYrxXtx
Value Mirror packets received on port X and transmitted on port Y. Mirror packets received on port X and transmitted on port Y. Mirror packets received on port X and transmitted on port Y or packets received on port Y and transmitted on port X. Mirror packets received on port X or transmitted on port Y
Xtx
Disabling Many-to-Many port-mirroring Use this procedure to disable Many-to-Many port-mirroring
1. Enter Global Configuration mode 2. Enter the port-mirroring [<1-4>] mode disable or no portmirroring [<1-4>] command to disable a specific instance. 3. Enter the no port-mirroring command to disable all instances. Variable Definitions
Variable <1-4> Definition The port-mirroring instance.
August 20, 2010
243
244
August 20, 2010

Config Cli

Enviado por

Dados do documento

Descrição original:

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Config Cli

Enviado por

Direitos autorais:

Formatos disponíveis

Avaya WLAN 8100 Configuration - WC 8180 (CLI)

1.0.0.0 NN47251-500, 01.01 August 20, 2010

2010 Avaya Inc.

Avaya WLAN 8100 Configuration - WC 8180 (CLI)

August 20, 2010

Contents Chapter 1: Command Line Interface workflows.....................................................................7

Chapter 2: Command Line Interface Configuration.............................................................13

Avaya WLAN 8100 Configuration - WC 8180 (CLI)

August 20, 2010

Avaya WLAN 8100 Configuration - WC 8180 (CLI)

August 20, 2010

Avaya WLAN 8100 Configuration - WC 8180 (CLI)

August 20, 2010

Avaya WLAN 8100 Configuration - WC 8180 (CLI)

August 20, 2010

Chapter 1: Command Line Interface workflows

Basic controller configuration

Avaya WLAN 8100 Configuration - WC 8180 (CLI)

August 20, 2010

Command Line Interface workflows

Enabling traps and logs

Avaya WLAN 8100 Configuration - WC 8180 (CLI)

August 20, 2010

Displaying system logs

Displaying system logs

Troubleshooting client-related issues

Avaya WLAN 8100 Configuration - WC 8180 (CLI)

August 20, 2010

Command Line Interface workflows

Troubleshooting AP-related issues

Troubleshooting Layer 2 and 3 issues

Avaya WLAN 8100 Configuration - WC 8180 (CLI)

August 20, 2010

Troubleshooting Layer 2 and 3 issues

Avaya WLAN 8100 Configuration - WC 8180 (CLI)

August 20, 2010

Command Line Interface workflows

Avaya WLAN 8100 Configuration - WC 8180 (CLI)

August 20, 2010

Chapter 2: Command Line Interface Configuration

Configuring WLAN options

Managing wireless communications

Avaya WLAN 8100 Configuration - WC 8180 (CLI)

August 20, 2010

Command Line Interface Configuration

Managing automatic radio frequency operations

Avaya WLAN 8100 Configuration - WC 8180 (CLI)

August 20, 2010

Configuring WLAN options

Managing wireless controller actions

Avaya WLAN 8100 Configuration - WC 8180 (CLI)

August 20, 2010

Command Line Interface Configuration

Managing wireless domains

Configuring wireless communications

Avaya WLAN 8100 Configuration - WC 8180 (CLI)

August 20, 2010

Configuring WLAN options

Configuring general controller options

diffserv classifierblock <block_name>

Avaya WLAN 8100 Configuration - WC 8180 (CLI)

August 20, 2010

Command Line Interface Configuration