Help Center Help Articles Professional Support Community RMA & Warranty Downloads Tech Specs

EdgeSwitch - CLI Reference Guide

Overview

This article contains the CLI reference guide for EdgeSwitch. Use the content tree below to see the command sections that interest you.

NOTES & REQUIREMENTS:
  • Applicable to the latest EdgeSwitch firmware on all EdgeSwitch models.
  • This article does not apply to the EdgeSwitch X (ES-X) and EdgeSwitch XP (ES-XP) models.

Table of Contents

1. Management Commands

   1.1 Network Interface Commands

   1.2 Console Port Access Commands

   1.3 Telnet Commands

   1.4 Secure Shell Commands

   1.5 Management Security Commands

   1.6 Hypertext Transfer Protocol Commands

   1.7 Access Commands

   1.8 User Account Commands

   1.9 SNMP Commands

   1.10 RADIUS Commands

   1.11 TACACS+ Commands

   1.12 Configuration Scripting Commands

   1.13 Prelogin Banner, System Prompt, and Host Name Commands

   1.14 IPv6 Management Commands

   1.15 UNMS, Discovery and Analytics Commands

 

2. Utility Commands

   2.1 AutoInstall Commands

   2.2 Dual Image Commands

   2.3 System Information and Statistics Commands

   2.4 Logging Commands

   2.5 Email Alerting and Mail Server Commands

   2.6 System Utility and Clear Commands

   2.7 Simple Network Time Protocol Commands

   2.8 Time Zone Commands

   2.9 DHCP Server Commands

   2.10 DNS Client Commands

   2.11 IP Address Conflict Commands

   2.12 Serviceability Packet Tracing Commands

   2.13 Cable Test Command

   2.14 Remote Monitoring Commands

   2.15 Statistics Application Commands

 

3.1 Switching Commands

   3.1 Port Configuration Commands

   3.2 Spanning Tree Protocol Commands

   3.3 VLAN Commands

   3.4 Private VLAN Commands

   3.5 Voice VLAN Commands

   3.6 Provisioning (IEEE 802.1p) Commands

   3.7 Protected Ports Commands

   3.8 GARP Commands

   3.9 GVRP Commands

   3.10 GMRP Commands

   3.11 Port-Based Network Access Control Commands

   3.12 802.1X Supplicant Commands

   3.13 Storm-Control Commands

   3.14 Port-Channel/LAG (802.3ad) Commands

   3.15 Port Mirroring Commands

   3.16 Static MAC Filtering Commands

   3.17 DHCP Client Commands

   3.18 DHCP Snooping Configuration Commands

   3.19 IGMP/MLD Snooping Commands

   3.20 IGMP/MLD Snooping Querier Commands

   3.21 Port Security Commands

   3.22 LLDP (802.1AB) Commands

   3.23 LLDP-MED Commands

   3.24 Denial of Service Commands

   3.25 MAC Database Commands

   3.26 Power over Ethernet (PoE) Commands

   3.27 DHCP L2 Relay Commands

   3.28 Dynamic ARP Inspection (DAI) and IP Source Guard Commands

   3.29 IPv6 ND RA Guard Commands

 

4. Routing Commands

   4.1 Address Resolution Protocol Commands

   4.2 IP Routing Commands

   4.3 Router Discovery Protocol Commands

   4.4 Virtual LAN Routing Commands

   4.5 IP Helper Commands

   4.6 ICMP Throttling Commands

 

5. Quality of Service Commands

   5.1 Class of Service Commands

   5.2 Differentiated Services Commands

   5.3 DiffServ Class Commands

   5.4 DiffServ Policy Commands

   5.5 DiffServ Service Commands

   5.6 DiffServ Show Commands

   5.7 MAC Access Control List Commands

   5.8 IP Access Control List Commands

   5.9 IPv6 Access Control List Commands

   5.10 Time Range Commands for Time-Based ACLs

   5.11 Auto-Voice over IP Commands

 

6. Related Articles

 

configure.png  Management Commands

Back to Top

This section describes the management commands available in the EdgeSwitch CLI.

Network Interface Commands

Back to Top

This section describes the commands you use to configure a logical interface for management access.

network parms

This command sets the device’s IP address, subnet mask, and gateway. The IP address and gateway must be on the same subnet. If you specify the none option, the IP address and subnet mask are set to the factory defaults.

network parms {ipaddr netmask [gateway] | none}

Mode: Privileged EXEC

network mac-address

This command sets locally administered MAC addresses. The following rules apply:

- Bit 6 of byte 0 (called the U/L bit) indicates whether the address is universally administered (b’0’) or locally administered (b’1’).
- Bit 7 of byte 0 (called the I/G bit) indicates whether the destination address is an individual address (b’0’) or a group address (b’1’).
- The second character, of the twelve character macaddr, must be 2, 6, A or E.

A locally administered address must have bit 6 On (b’1’) and bit 7 Off (b’0’).

network mac-address macaddr

Mode: Privileged EXEC

network mac-type

This command specifies whether the switch uses the burned-in or the locally administered MAC address.

network mac-type {local | burnedin}

Mode: Privileged EXEC
Default: burnedin

network javamode

This command specifies whether or not the switch should allow access to the Java applet in the header frame of the web interface. When access is enabled, the Java applet can be viewed from the web interface. When access is disabled, the user cannot view the Java applet.

network javamode

Mode: Privileged EXEC
Default: Enabled

network protocol

Select DHCP, BootP, or None as the network config protocol. Use the none keyword to rollback to the default network configuration. This option also allows you to configure a static IP address. The dhcp client-id option enables the DHCP client to specify the unique client identifier (option 61).

network protocol [ bootp | dhcp {client-id} | none ]

Mode: Privileged EXEC
Default: dhcp

network protocol static parms

Select static network configuration. Configuring an IP address with this command is the same as using network parms command. Use the none keyword to remove all system network configuration.

network protocol static parms [ none | ipaddr netmask gw ]

Mode: Privileged EXEC

show network

This command displays configuration settings associated with the switch’s network interface. The network interface is the logical interface used for in-band connectivity with the switch via any of the switch’s front panel ports.

The configuration parameters associated with the switch’s network interface do not affect the configuration of the front panel ports through which traffic is switched or routed.

The network interface is always considered to be up, whether or not any member ports are up; therefore, the show network command will always show Interface Status as Up.

show network

Modes: User / Privileged EXEC
Parameters:

 

Interface Status The network interface status; it is always considered to be “Up”.
IP Address The IP address of the interface. The factory default value is 0.0.0.0.
Subnet Mask The IP subnet mask for this interface. The factory default value is 0.0.0.0.
Default Gateway The default gateway for this IP interface. The factory default value is 0.0.0.0.
IPv6 Administrative Mode Whether enabled or disabled.
IPv6 Address/Length The IPv6 address and length.
IPv6 Default Router The IPv6 default router address.
Burned In MAC Address The burned in MAC address used for in-band connectivity.
Locally Administered MAC Address If desired, a locally administered MAC address can be configured for in-band connectivity.
MAC Address Type The MAC address which should be used for in-band connectivity. The choices are the burned in or the Locally Administered address. The factory default is to use the burned in MAC address.
Configured IPv4 Protocol The IPv4 network protocol being used. The options are bootp | dhcp | none.
Configured IPv6 Protocol The IPv6 network protocol being used. The options are dhcp | none.
DHCPv6 Client DUID The DHCPv6 client’s unique client identifier. This row is displayed only when the configured IPv6 protocol is dhcp.
IPv6 Autoconfig Mode Whether IPv6 Stateless address autoconfiguration is enabled or disabled.
DHCP Client Identifier The client identifier is displayed in the output of the command only if DHCP is enabled with the client- id option on the network port. See “network protocol dhcp” on page 39.

Console Port Access Commands

Back to Top

This section describes the commands you use to configure the console port . You can use a serial cable to connect a management host directly to the console port of the switch .

line

This command gives you access to the Line Console mode, which allows you to configure various Telnet settings and the console port, as well as to configure console login/enable authentication.

line {console | telnet | ssh}

Mode: Global Config

Parameters:

 

console Console terminal line.
telnet Virtual terminal for remote console access (Telnet).
ssh Virtual terminal for secured remote console access (SSH).

serial baudrate

This command specifies the communication rate of the terminal interface. The supported rates are 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200.

serial baudrate {1200 | 2400 | 4800 | 9600 | 19200 | 38400 | 57600 | 115200}

Mode: Line Config

Default: 115200

serial timeout

This command specifies the maximum connect time (in minutes) without console activity. A value of 0 indicates that a console can be connected indefinitely. The time range is 0 to 160.

serial timeout 0-160

Mode: Line Config

Default: 5

show serial

This command displays serial communication settings for the switch.

show serial

Modes: User / Privileged EXEC

Parameters:

 

Serial Port Login Timeout
(minutes)
The time, in minutes, of inactivity on a Serial port connection, after which the Switch will close the connection. Any numeric value between 0 and 160 is allowed, the factory default is 5. A value of 0 disables the timeout.
Baud Rate (bps) The default baud rate at which the serial port will try to connect. The available values are 1200, 2400, 4800, 9600, 19200, 38400,57600, and 115200 baud. The factory default is 115200 baud.
Character Size (bits) The number of bits in a character. The number of bits is always 8.
Flow Control Whether Hardware Flow-Control is enabled or disabled. Hardware Flow Control is always disabled.
Stop Bits The number of Stop bits per character. The number of Stop bits is always 1.
Parity Type The Parity Method used on the Serial Port. The Parity Method is always None.

Telnet Commands

Back to Top

This section describes the commands you use to configure and view Telnet settings. You can use Telnet to manage the device from a remote management host.

ip telnet server enable

Use this command to enable Telnet connections to the system and to enable the Telnet Server Admin Mode. This command opens the Telnet listening port.

ip telnet server enable

Mode: Privileged EXEC

Default: Disabled

transport input telnet

This command regulates new Telnet sessions. If enabled, new Telnet sessions can be established until there are no more sessions available. An established session remains active until the session is ended or an abnormal network error ends the session.

transport input telnet

Mode: Line Config

Default: Disabled

telnetcon maxsessions

This command specifies the maximum number of Telnet connection sessions that can be established. A value of 0 indicates that no Telnet connection can be established. The range is 0-5.

telnetcon maxsessions 0-5

Mode: Privileged EXEC

Default: 5

telnetcon timeout

This command sets the Telnet connection session timeout value, in minutes. A session is active as long as the session has not been idle for the value set. The time is a decimal value from 1 to 160.

telnetcon timeout 1-160

Mode: Privileged EXEC

Default: 5

show telnetcon

This command displays the current inbound Telnet settings. In other words, these settings apply to Telnet connections initiated from a remote system to the switch.

show telnetcon

Modes: User / Privileged EXEC

Parameters:

 

Remote Connection Login Timeout (minutes) This object indicates the number of minutes a remote connection session is allowed to remain inactive before being logged off. May be specified as a number from 1 to 160. The factory default is 5.
Maximum Number of Remote Connection Sessions This object indicates the number of simultaneous remote connection sessions allowed. The factory default is 5.
Allow New Telnet Sessions New Telnet sessions will not be allowed when this field is set to no. The factory default value is no.

Secure Shell Commands

Back to Top

This section describes the commands you use to configure Secure Shell (SSH) access to the switch. Use SSH to access the switch from a remote management host.

ip ssh

Use this command to enable SSH access to the system. (This command is the short form of the ip ssh server enable command).

ip ssh

Mode: Privileged EXEC

Default: Enabled

ip ssh protocol

This command is used to set or remove protocol levels (or versions) for SSH. Either SSH1 (1), SSH2 (2), or both SSH 1 and SSH 2 (1 and 2) can be set.

ip ssh protocol [1] [2]

Mode: Privileged EXEC

Default: 2

ip ssh server enable

This command enables the IP secure shell server.

ip ssh server enable

Mode: Privileged EXEC

Default: Enabled

sshcon maxsessions

This command specifies the maximum number of SSH connection sessions that can be established. A value of 0 indicates that no SSH connection can be established. The range is 0 to 5.

sshcon maxsessions 0-5

Mode: Privileged EXEC

Default: 5

sshcon timeout

This command sets the SSH connection session timeout value, in minutes. A session is active as long as the session has been idle for the value set. The time is a decimal value from 1 to 160.

Changing the timeout value for active sessions does not become effective until the session is re accessed. Also, any keystroke activates the new timeout duration.

sshcon timeout 1-160

Mode: Privileged EXEC

Default: 5

show ip ssh

This command displays the SSH settings.

show ip ssh

Mode: Privileged EXEC

Parameters:

Administrative Mode This field indicates whether the administrative mode of SSH is enabled or disabled.
Protocol Level The protocol level may have the values of version 1, version 2 or both versions 1 and version 2.
SSH Sessions Currently Active The number of SSH sessions currently active.
Max SSH Sessions Allowed The maximum number of SSH sessions allowed.
SSH Timeout The SSH timeout value in minutes.
Keys Present Indicates whether the SSH RSA and DSA key files are present on the device.
Key Generation in Progress Indicates whether RSA or DSA key files generation is currently in progress.

Management Security Commands

Back to Top

This section describes commands you use to generate keys and certificates, which you can do in addition to loading them as before.

crypto certificate generate

Use this command to generate a self-signed certificate for HTTPS. The generated RSA key for SSL has a length of 1024 bits. The resulting certificate is generated with a common name equal to the lowest IP address of the device and a duration of 365 days.

crypto certificate generate

Mode: Global Config

crypto key generate rsa

Use this command to generate an RSA key pair for SSH. The new key files will overwrite any existing generated or downloaded RSA key files.

crypto key generate rsa

Mode: Global Config

crypto key generate dsa

Use this command to generate a DSA key pair for SSH. The new key files will overwrite any existing generated or downloaded DSA key files.

crypto key generate dsa

Mode: Global Config

Hypertext Transfer Protocol Commands

Back to Top

This section describes the commands you use to configure Hypertext Transfer Protocol (HTTP) and secure HTTP access to the switch. Access to the switch by using a web browser is enabled by default. 

ip http accounting exec, ip https accounting exec

These commands apply the user exec (start-stop/stop-only) accounting list to the line methods HTTP and HTTPS.

ip {http|https} accounting exec {default | listname}

Mode: Global Config

ip http authentication, ip https authentication

Use these commands to specify authentication methods for HTTP and HTTPS users. The default configuration is the local user database is checked. This action has the same effect as the command ip http|https authentication local. The additional methods of authentication are used only if the previous method returns an error, not if it fails.

To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line. For example, if none is specified as an authentication method after RADIUS, no authentication is used if the RADIUS server is down.

ip {http|https} authentication {local | none | radius | tacacs} {method2}

Mode: Global Config

Default: local

Parameters:

local Uses the local username database for authentication.
none Uses no authentication.
radius Uses the list of all RADIUS servers for authentication.
tacacs Uses the list of all TACACS+ servers for authentication.

ip http server

This command enables access to the switch through the web interface. When access is enabled, the user can login to the switch from the web interface. When access is disabled, the user cannot login to the switch’s web server. Disabling the web interface takes effect immediately. All interfaces are affected.

ip http server

Mode: Privileged EXEC

Default: Enabled

ip http secure-server

This command is used to enable the secure socket layer for secure HTTP.

ip http secure-server

Mode: Privileged EXEC

Default: Enabled

ip http session hard-timeout

This commands configures the hard timeout for insecure HTTP sessions in hours. Configuring this value to zero will give an infinite hard-timeout. When this timeout expires, the user will be forced to re-authenticate. This timer begins on initiation of the web session and is unaffected by the activity level of the connection.

ip http session hard-timeout 1-168

Mode: Privileged EXEC

Default: 24

ip http session maxsessions

This command limits the number of allowable insecure HTTP sessions. Zero is the configurable minimum.

ip http session maxsessions 0-16

Mode: Privileged EXEC

Default: 16

ip http session soft-timeout

This command configures the soft timeout for insecure HTTP sessions in minutes. Configuring this value to zero will give an infinite soft-timeout. When this timeout expires the user will be forced to re authenticate. This timer begins on initiation of the web session and is restarted with each access to the switch.

ip http session soft-timeout 1-60

Mode: Privileged EXEC

Default: 5

ip http secure-session hard-timeout

This command configures the hard timeout for secure HTTP sessions in hours. When this timeout expires, the user is forced to re authenticate. This timer begins on initiation of the web session and is unaffected by the activity level of the connection. The secure-session hard-timeout can not be set to zero (infinite).

ip http secure-session hard-timeout 1-168

Mode: Privileged EXEC

Default: 24

ip http secure-session maxsessions

This command limits the number of secure HTTP sessions. Zero is the configurable minimum.

ip http secure-session maxsessions 0-16

Mode: Privileged EXEC

Default: 16

ip http secure-session soft-timeout

This command configures the soft timeout for secure HTTP sessions in minutes. Configuring this value to zero will give an infinite soft-timeout. When this timeout expires, you are forced to re-authenticate. This timer begins on initiation of the web session and is restarted with each access to the switch. The secure-session soft-timeout cannot be set to zero (infinite).

ip http secure-session soft-timeout 1-60

Mode: Privileged EXEC

Default: 5

ip http secure-port

This command is used to set the SSL port where port can be 1025-65535 and the default is port 443.

ip http secure-port [port-id]

Mode: Privileged EXEC

Default: 443

ip http secure-protocol

This command is used to set protocol levels (versions). The protocol level can be set to TLS1, SSL3 or to both TLS1 and SSL3.

ip http secure-protocol [SSL3] [TLS1]

Mode: Privileged EXEC

Default: SSL3 and TLS1

show ip http

This command displays the HTTP settings for the switch.

show ip http

Mode: Privileged EXEC

Parameters:

HTTP Mode (Unsecure) The insecure HTTP server administrative mode.
Java Mode The java applet administrative mode which applies to both secure and un-secure web connections.
Maximum Allowable HTTP Sessions The number of allowable insecure HTTP sessions.
HTTP Session Hard Timeout The hard timeout for insecure HTTP sessions in hours.
HTTP Session Soft Timeout The soft timeout for insecure HTTP sessions in minutes.
HTTP Mode (Secure) The secure HTTP server administrative mode.
Secure Port The secure HTTP server port number.
Secure Protocol Level(s) The protocol level may have the values of SSL3, TSL1, or both SSL3 and TSL1.
Maximum Allowable HTTPS Sessions The number of allowable secure HTTP sessions.
HTTPS Session Hard Timeout The hard timeout for secure HTTP sessions in hours.
HTTPS Session Soft Timeout The soft timeout for secure HTTP sessions in minutes.
Certificate Present Indicates whether the secure-server certificate files are present on the device.
Certificate Generation in Progress Indicates whether certificate generation is currently in progress.

Access Commands

Back to Top

Use the commands in this section to close remote connections or to view information about connections to the system.

disconnect

Use the disconnect command to close HTTP, HTTPS, Telnet or SSH sessions. Use all to close all active sessions, or use session-id to specify the session ID to close. To view the possible values, use the show loginsession command.

disconnect {session_id | all}

Mode: Privileged EXEC

show loginsession

This command displays current Telnet, SSH and serial port connections to the switch. This command displays truncated user names. Use the show loginsession long command to display the complete usernames.

show loginsession

Mode: Privileged EXEC

Parameters:

ID Login Session ID.
User Name The name the user entered to log on to the system.
Connection From IP address of the remote client machine or EIA-232 for the serial port connection.
Idle Time Time this session has been idle.
Session Time Total time this session has been connected.
Session Type Shows the type of session, which can be HTTP, HTTPS, telnet, serial, or SSH.

show loginsession long

This command displays the complete user names of the users currently logged in to the switch.

show loginsession long

Mode: Privileged EXEC

User Account Commands

This section describes the commands you use to add, manage, and delete system users. The EdgeSwitch software has one default user account: ubnt. The ubnt user can view and configure system settings.

aaa authentication login

Use this command to set authentication at login. The default and optional list names created with the command are used with the aaa authentication login command. Create a list by entering the aaa authentication login <list-name> {method} command, where <list-name> is any character string used to name this list. The {method} argument identifies the list of methods that the authentication algorithm tries, in the given sequence.

The additional methods of authentication are used only if the previous method returns an error, not if there is an authentication failure. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line. For example, if none is specified as an authentication method after RADIUS, no authentication is used if the RADIUS server is down.

aaa authentication login {default | list-name} {enable | local | none | radius | tacacs} {method2}

Mode: Global Config

Default:  networkList - Used by Telnet and SSH and only contains the method local.

Parameters:

default Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
list-name Character string of up to 15 characters used to name the list of authentication methods activated when a user logs in.
enable Uses the enable password for authentication.
local Uses the local username database for authentication.
none Uses no authentication.
radius Uses the list of all RADIUS servers for authentication.
tacacs Uses the list of all TACACS servers for authentication.

aaa authentication enable

Use this command to set authentication for accessing higher privilege levels. The default enable list is enableList. It is used by console, telnet and SSH, and contains the method as enable followed by none.


aaa authentication enable {default | list-name} {deny | enable | line | none | radius | tacacs} {method2}

Mode: Global Config

Default: default

Parameters:

default Uses the local username database for authentication.
list-name Character string (15 characters max), used to name the list of authentication methods activated when a user logs in.
deny Used to deny access.
enable Uses the enable password for authentication.
line Uses the line password for authentication.
none Uses no authentication.
radius Uses the list of all RADIUS servers for authentication.
tacacs Uses the list of all TACACS servers for authentication.

aaa authorization

This command enables access to the switch through the web interface. When access is enabled, the user can login to the switch from the web interface. When access is disabled, the user cannot login to the switch’s web server. Disabling the web interface takes effect immediately. All interfaces are affected.

aaa authorization {commands | exec} {default | list-name} {local | none | radius | tacacs}

Mode: Global Config

Parameters:

commands Provides authorization for all user-executed commands.
exec Provides exec authorization.
default The default list of methods for authorization services.
list-name Alphanumeric character string used to name the list of authorization methods.
local Uses the local username database for authorization.
none Uses no authorization.
radius Uses the list of all RADIUS servers for authorization.
tacacs Uses the list of all TACACS servers for authorization.

show authorization methods

This command is used to enable the secure socket layer for secure HTTP.

show authorization methods

Mode: Privileged EXEC

enable authentication

Use this command to specify the authentication method list when accessing a higher privilege level from a remote Telnet session.

enable authentication {default | list-name}

Mode: Line Config

Parameters:

default Uses the default list created with the aaa authentication enable command.
list-name Uses the indicated list created with the aaa authentication enable command.

username

Use the username command in Global Config mode to add a new user to the local user database. The default privilege level is 1. Using the encrypted keyword allows the administrator to transfer local user passwords between devices without having to know the passwords. When the password parameter is used along with encrypted parameter, the password must be exactly 128 hexadecimal characters in length.

If the password strength feature is enabled, this command checks for password strength and returns an appropriate error if it fails to meet the password strength criteria. Giving the optional parameter override-complexity-check disables the validation of the password strength.

username name {password password [encrypted [override-complexity-check] | level level [encrypted [override-complexity-check]] | override-complexity-check]} | {level level [override-complexity-check] password}

Mode: Global Config

Parameters:

name The name of the user. Range: 1-64 characters.
password The authentication password for the user. Range 8-64 characters. This value can be zero if the no passwords min-length command has been executed. The special characters allowed in the password include: ! # $ % & ‘ ( ) * + , -. / : ; < = > @ [ \ ] ^ _ ` { | } ~.
level The user level. Level 0 can be assigned by a level 15 user to another user to suspend that user’s access. Range 0-15. Enter access level 1 for Read Access or 15 for Read/Write Access. If not specified where it is optional, the privilege level is 1.
encrypted Encrypted password entered, copied from another switch configuration.
override-complexity- check Disables the validation of the password strength.

username name nopassword

Use this command to remove an existing user’s password (NULL password).

username [name] nopassword [level level]

Mode: Global Config

Parameters:

name The name of the user. Range: 1-32 characters.
password The authentication password for the user. Range 8-64 characters.
level The user level. Level 0 can be assigned by a level 15 user to another user to suspend that user’s access. Range 0-15.

username name unlock

Use this command to allow a locked user account to be unlocked. Only a user with read/write access can reactivate a locked user account.

username name unlock

Mode: Global Config

show users

This command displays the configured user names and their settings. The show users command displays truncated user names. Use the show users long command to display the complete user names. The show users command is only available for users with Read/Write privileges. The SNMPv3 fields will only be displayed if SNMP is available on the system.

show users

Mode: Privileged EXEC

Parameters:

User Name The name the user enters to login using the serial port, Telnet or web.
Access Mode Shows whether the user is able to change parameters on the switch (Read/Write) or is only able to view them (Read Only). As a factory default, the ubnt user has Read/Write access.
SNMPv3 Access Mode The SNMPv3 Access Mode. If the value is set to ReadWrite, the SNMPv3 user is able to set and retrieve parameters on the system. If the value is set to ReadOnly, the SNMPv3 user is only able to retrieve parameter information. The SNMPv3 access mode may be different than the CLI and web access mode.
SNMPv3 Authentication The authentication protocol to be used for the specified login user.
SNMPv3 Encryption The encryption protocol to be used for the specified login user.

show users long

This command displays the complete usernames of the configured users on the switch.

show users long

Mode: Privileged EXEC

show users accounts

This command displays local user status with respect to user account lockout and password aging. Displayed user names are truncated. Use the show users long command to show the complete user names.

show users accounts [detail]

Mode: Privileged EXEC

Parameters:

User Name The local user account’s user name.
Access Level The user’s access level (1 for read-only or 15 for read/write).
Password Aging Number of days, since the password was configured, until the password expires.
Password Expiry Date The current password expiration date in date format.
Lockout Indicates whether the user account is locked out (true or false).
Override Complexity Check Displays the user’s Password override complexity check status. By default it is disabled. View with detail keyword.
Password Strength Displays the user password’s strength (Strong or Weak). This field is displayed only if the Password Strength feature is enabled. View with detail keyword.

show users login-history 

Use this command to display information about the login history of users.

show users login-history {long | username name}

Mode: Privileged EXEC

login authentication

Use this command to specify the login authentication method list for a line (console, telnet or SSH) The default configuration uses the default set with the command aaa authentication login.

login authentication {default | list-name}

Mode: Line Configuration

Parameters:

default Uses the default list created with the aaa authentication login command.
list-name Uses the indicated list created with the aaa authentication login command.

password (User EXEC)

Use this command to allow a user to change the password for only that user. This command should be used after the password has aged. The user is prompted to enter the old password and the new password.
password

Mode: User EXEC

password (Line Configuration)

Use the password command in Line Configuration mode to specify a password on a line. The default configuration is no password is specified.
password [password [encrypted]]

Mode: Line Configuration

Parameters:

password Password for this level. Range: 8-64 characters.
encrypted Encrypted password to be entered, copied from another switch configuration. The encrypted password should be 128 characters long because the assumption is that this password is already encrypted with AES.

password (aaa IAS User Config)

This command is used to configure a password for a user in the IAS database. An optional encrypted parameter is provided to indicate that the password given to the command is already encrypted.
password [password [encrypted]]

Mode: aaa IAS User Config

Parameters:

password Password for this level.
encrypted Encrypted password to be entered, copied from another switch configuration. 

enable password

Use the enable password command to set a local password to control access to the privileged EXEC mode.

enable password [password [encrypted]]

Mode: Privileged EXEC

Parameters:

password Password for this level. Range: 8-64 characters.
encrypted Encrypted password to be entered, copied from another switch configuration. The encrypted password should be 128 characters long because the assumption is that this password is already encrypted with AES.

passwords min-length

Use this command to enforce a minimum password length for local users. The value also applies to the enable password. The valid range is 8-64.

passwords min-length [8-64]

Mode: Global Config

Default: 8

passwords history

Use this command to set the number of previous passwords that shall be stored for each user account. When a local user changes his or her password, the user will not be able to reuse any password stored in password history. This ensures that users don’t reuse their passwords often. The valid range is 0-10.

passwords history [0-10]

Mode: Global Config

Default: 0

passwords aging

Use this command to implement aging on passwords for local users. When a user’s password expires, the user is prompted to change it before logging in again. The valid range is 1-365. The default is 0, or no aging.

passwords aging [1-365]

Mode: Global Config

Default: 0

passwords lock-out

Use this command to strengthen the security of the switch by locking user accounts that have failed login due to wrong passwords. When a lockout count is configured, a user that is logged in must enter the correct password within that count. Otherwise the user will be locked out from further switch access.

Only a user with read/write access can reactivate a locked user account. Password lockout does not apply to logins from the serial console. The valid range is 1-5. The default is 0, or no lockout count enforced.

passwords lock-out [1-5]

Mode: Global Config

Default: 0

passwords strength-check

Use this command to enable the password strength feature. It is used to verify the strength of a password during configuration.

passwords strength-check

Mode: Global Config

Default: Disabled

passwords strength maximum consecutive-characters

Use this command to set the maximum number of consecutive characters to be used in password strength. The valid range is 0-15. The default is 0. Minimum of 0 means no restriction on that set of characters.

passwords strength maximum consecutive-characters [0-15]

Mode: Global Config

Default: 0

passwords strength maximum repeated-characters

Use this command to set the maximum number of repeated characters to be used in password strength. The valid range is 0-15. The default is 0. Minimum of 0 means no restriction on that set of characters.

passwords strength maximum repeated-characters [0-15]

Mode: Global Config

Default: 0

passwords strength minimum uppercase-letters

Use this command to enforce a minimum number of uppercase letters that a password should contain. The valid range is 0-16. The default is 2. Minimum of 0 means no restriction on that set of characters.

passwords strength minimum uppercase-letters [0-16]

Mode: Global Config

Default: 2

passwords strength minimum lowercase-letters

Use this command to enforce a minimum number of lowercase letters that a password should contain. The valid range is 0-16. The default is 2. Minimum of 0 means no restriction on that set of characters.

passwords strength minimum lowercase-letters [0-16]

Mode: Global Config

Default: 2

passwords strength minimum numeric-characters

Use this command to enforce a minimum number of numeric characters that a password should contain. The valid range is 0-16. The default is 2. Minimum of 0 means no restriction on that set of characters.

passwords strength minimum numeric-characters [0-16]

Mode: Global Config

Default: 2

passwords strength minimum special-characters

Use this command to enforce a minimum number of special characters that a password should contain. The valid range is 0-16. The default is 2. Minimum of 0 means no restriction on that set of characters.

passwords strength minimum special-characters [0-16]

Mode: Global Config

Default: 2

passwords strength minimum character-classes

Use this command to enforce a minimum number of characters classes that a password should contain. Character classes are uppercase letters, lowercase letters, numeric characters and special characters. The valid range is 0-4. The default is 4.

passwords strength minimum character-classes [0-4]

Mode: Global Config

Default: 4

passwords strength exclude-keyword

Use this command to exclude the specified keyword while configuring the password. The password does not accept the keyword in any form (in between the string, case insensitive and reverse) as a substring. You can configure up to a maximum of 3 keywords.

passwords strength exclude-keyword [keyword]

Mode: Global Config

show passwords configuration

Use this command to display the configured password management settings.

show passwords configuration

Mode: Privileged EXEC

Parameters:

Minimum Password Length Minimum number of characters required when changing passwords.
Password History Number of passwords to store for reuse prevention.
Password Aging Length in days that a password is valid.
Lockout Attempts Number of failed password login attempts before lockout.
Minimum Password Uppercase Letters Minimum number of uppercase characters required in a password.
Minimum Password Lowercase Letters Minimum number of lowercase characters required in a password.
Minimum Password Numeric Characters Minimum number of numeric characters required in a password.
Maximum Password Consecutive Characters Maximum number of consecutive characters allowed in a password.
Maximum Password Repeated Characters Maximum number of repeated characters allowed in a password.
Minimum Password Character Classes Minimum number of character classes (uppercase, lowercase, numeric and special) required when configuring passwords.
Password Exclude-Keywords The set of keywords to be excluded from the configured password when strength checking is enabled.

show passwords result

Use this command to specify the login authentication method list for a line (console, telnet or SSH) The default configuration uses the default set with the command aaa authentication login.

show passwords result

Mode: Privileged EXEC

Parameters:

Last User Whose Password Is Set Shows the name of the user with the most recently set password.
Password Strength Check Shows whether password strength checking is enabled.
Last Password Set Result Shows if the attempt to set a password succeeded; if not, the reason for the failure is included.

aaa ias-user username

The Internal Authentication Server (IAS) database is a dedicated internal database used for local authentication of users for network access through the IEEE 802.1X feature. Use the aaa ias-user username command in Global Config mode to add the specified user to the internal user database. This command also changes the mode to AAA User Config mode.

aaa ias-user username [user]

Mode: Global Config

aaa session-id

Use this command in Global Config mode to specify if the same session-id is used for Authentication, Authorization and Accounting service type within a session.

aaa session-id [common | unique]

Mode: Global Config

Default: common

Parameters:

common Use the same session-id for all AAA Service types.
unique Use a unique session-id for all AAA Service types.

aaa accounting

Use this command in Global Config mode to create an accounting method list for user EXEC sessions, user- executed commands, or 802.1X. This list is identified by default or a user-specified list_name.
Accounting records, when enabled for a line-mode, can be sent at both the beginning and at the end (start- stop) or only at the end (stop-only).

If none is specified, then accounting is disabled for the specified list. If tacacs is specified as the accounting method, accounting records are notified to a TACACS+ server. If radius is the specified accounting method, accounting records are notified to a RADIUS server.

aaa accounting {exec | commands | dot1x} {default | list-name} {start-stop | stop-only | none} {none | radius | tacacs} {method2}

Mode: Global Config

Notes:

- A maximum of five Accounting Method lists can be created for each exec and commands type.
- Only the default Accounting Method list can be created for 802.1X. There is no provision to create more.
- The same list-name can be used for both exec and commands accounting type.
- AAA Accounting for commands with RADIUS as the accounting method is not supported.
- The start-stop or none options are the only supported record types for 802.1X accounting.
- The start-stop option enables accounting and none disables accounting.
- RADIUS is the only accounting method type supported for 802.1X accounting.

Parameters:

exec Provides accounting for a user EXEC terminal sessions.
commands Provides accounting for all user executed commands.
dot1x Provides accounting for 802.1X user commands.
default The default list of methods for accounting services.
list-name Character string used to name the list of accounting methods.
start-stop Sends a start accounting notice at the beginning of a process and a stop accounting notice at the beginning of a process and a stop accounting notice at the end of a process.
stop-only Sends a stop accounting notice at the end of the requested user process.
none Disables accounting services on this line.
radius Use RADIUS+ server for accounting purposes.
tacacs Use TACACS+ server for accounting purposes.

clear aaa ias-users

Use this command to remove all users from the IAS database.

clear aaa ias-users

Mode: Privileged Exec

show aaa ias-users

Use this command to display configured IAS users and their attributes. Passwords configured are not shown in the show command output.

show aaa ias-users [username]

Mode: Privileged Exec

accounting

Use this command in Line Configuration mode to apply the accounting method list to a line config (Telnet/SSH).

accounting {exec | commands} {default | list-name}

Mode: Line Configuration

Parameters:

exec Causes accounting for an EXEC session.
commands This causes accounting for each command execution attempt. If a user is enabling accounting for exec mode for the current line-configuration type, the user will be logged out.
default The default Accounting List.
list-name Enter a string of not more than 15 characters.

show accounting

Use this command to display ordered methods for accounting lists.

show accounting

Mode: Privileged EXEC

show accounting methods

Use this command to display configured accounting method lists.

show accounting methods

Mode: Privileged EXEC

clear accounting statistics

This command clears the accounting statistics.

clear accounting statistics

Mode: Privileged EXEC

SNMP Commands

Back to Top

This section describes the commands you use to configure Simple Network Management Protocol (SNMP) on the switch. You can configure the switch to act as an SNMP agent so that it can communicate with SNMP managers on your network.

snmp-server

This command sets the name and the physical location of the switch, and the organization responsible for the network. The parameters name, location, and contact can be up to 255 characters in length.

snmp-server {sysname [name] | location [location] | contact [contact]}

Mode: Global Config

snmp-server community

This command adds (and names) a new SNMP community, and optionally sets the access mode, allowed IP address, and create a view for the community.

Community names in the SNMP Community Table must be unique. When making multiple entries using the same community name, the first entry is kept and processed and all duplicate entries are ignored.

snmp-server community community-name [{ro | rw |su }] [ipaddress ip-address] [view view-name]

Mode: Global Config

Parameters:

community-name A name associated with the switch and with a set of SNMP managers that manage it with a specified privileged level. The length of community-name can be up to 16 case-sensitive characters.
ro | rw | su The access mode of the SNMP community, which can be public (Read-Only/RO), private (Read-Write/ RW), or Super User (SU).
ip-address The associated community SNMP packet sending address and is used along with the client IP mask value to denote a range of IP addresses from which SNMP clients may use that community to access the device. A value of 0.0.0.0 allows access from any IP address. Otherwise, this value is ANDed with the mask to determine the range of allowed client IP addresses.
view-name The name of the view to create or update.

snmp-server community-group

This command configures a community access string to permit access via the SNMPv1 and SNMPv2 protocols.

snmp-server community-group community-string group-name [ipaddress ipaddress]

Mode: Global Config

Parameters:

community-string The community which is created and then associated with the group. The range is 1 to 20 characters.
group-name The name of the group that the community is associated with. The range is 1 to 30 characters.
ipaddress Optionally, the IPv4 address that the community may be accessed from.

snmp-server enable traps violation

The Port MAC locking component interprets this command and configures violation action to send an SNMP trap with default trap frequency of 30 seconds. The Global command configures the trap violation mode across all interfaces valid for port-security. There is no global trap mode as such.

snmp-server enable traps violation

Modes: Global / Interface Config

Default: Disabled

snmp-server enable traps

This command enables the Authentication Flag.

snmp-server enable traps

Mode: Global Config

Default: Enabled

snmp trap link-status

This command enables link status traps on an interface or range of interfaces. This command is valid only when the Link Up/Down Flag is enabled.

snmp trap link-status

Mode: Interface Config

snmp trap link-status all

This command enables link status traps for all interfaces. This command is valid only when the Link Up/Down Flag is enabled.

snmp trap link-status all

Mode: Global Config

snmp-server enable traps linkmode

This command enables Link Up/Down traps for the entire switch. When enabled, link traps are sent only if the Link Trap flag setting associated with the port is enabled.

snmp-server enable traps linkmode

Mode: Global Config

Default: Enabled

snmp-server enable traps multiusers

This command enables Multiple User traps. When the traps are enabled, a Multiple User Trap is sent when a user logs in to the terminal interface (EIA 232 or Telnet) and there is an existing terminal interface session.

snmp-server enable traps multiusers

Mode: Global Config

Default: Enabled

snmp-server enable traps stpmode

This command enables the sending of new root traps and topology change notification traps.

snmp-server enable traps stpmode

Mode: Global Config

Default: Enabled

snmp-server engineID local

This command configures the SNMP engine ID on the local device. Changing the engine ID will invalidate all SNMP configuration that exists on the box.

snmp-server engineID local {engineid-string | default}

Mode: Global Config

Default: The engineID is configured automatically, based on the device MAC address. 

Parameters:

engineid-string A hexadecimal string identifying the engine ID, used for localizing configuration. The engine ID must be an even length in the range of 6 to 32 hexadecimal characters.
default Sets the engine ID to the default string, based on the device MAC address.

snmp-server filter

This command creates a filter entry for use in limiting which traps will be sent to a host.

snmp-server filter filtername oid-tree {included | excluded}

Mode: Global Config

Default: No filters are created by default.

Parameters:

filtername The label for the filter being created. The range is 1 to 30 characters.
oid-tree The OID subtree to include or exclude from the filter. Subtrees may be specified numerically (1.3.6.2.4) or by keywords (system), and asterisks may be used to specify a subtree family (1.3.*.4).
included The tree is included in the filter.
excluded The tree is excluded from the filter.

snmp-server group

Use this command to remove an existing user’s password (NULL password).

snmp-server group group-name {v1 | v2 | v3 {noauth | auth | priv}} [context context-name] [read read-view] [write write-view] [notify notify-view]

Mode: Global Config

Default: Generic groups are created for all versions and privileges using the default views.

Parameters:

group-name The group name to be used when configuring communities or users. The range is 1 to 30 characters.
v1 This group can only access via SNMPv1.
v2 This group can only access via SNMPv2.
v3 This group can only access via SNMPv3.
noauth This group can be accessed only when not using Authentication or Encryption. Applicable only if SNMPv3 is selected.
auth This group can be accessed only when using Authentication but not Encryption. Applicable only if SNMPv3 is selected.
priv This group can be accessed only when using both Authentication and Encryption. Applicable only if SNMPv3 is selected.
context-name The SNMPv3 context used during access. Applicable only if SNMPv3 is selected.
read-view The view this group will use during GET requests. The range is 1 to 30 characters.
write-view The view this group will use during SET requests. The range is 1 to 30 characters.
notify-view The view this group will use when sending out traps. The range is 1 to 30 characters.

snmp-server host

This command configures traps to be sent to the specified host.

snmp-server host host-addr {informs [timeout seconds] [retries retries] | traps version {1 | 2} community-string [udp-port port] [filter filter-name]

Mode: Global Config

Default: No default hosts are configured.

Parameters:

host-addr The IPv4 or IPv6 address of the host to send the trap or inform to.
informs Send SNMPv2 informs to the host.
seconds The number of seconds to wait for an acknowledgement before resending the Inform. The default is 15 seconds. The range is 1 to 300 seconds.
retries The number of times to resend an Inform. The default is 3 attempts. The range is 0 to 255 retries.
traps Send SNMP traps to the host. This option is selected by default.
version 1 Sends SNMPv1 traps. This option is not available if informs is selected.
version 2 Sends SNMPv2 traps. This option is not available if informs is selected. This option is selected by default.
community-string Community string sent as part of the notification. The range is 1 to 20 characters.
port The SNMP Trap receiver port. The default is port 162.
filter-name The filter name to associate with this host. Filters can be used to specify which traps are sent to this host. The range is 1 to 30 characters.

snmp-server user

This command creates an SNMPv3 user for access to the system.

snmp-server user username groupname [remote engineid-string] [ {auth-md5 password | auth-sha password | auth-md5-key md5-key | auth-sha-key sha-key} [priv-des password | priv-des-key des-key]

Mode: Global Config

Default: No default users are created.

Parameters:

username The username the SNMPv3 user will connect to the switch as. The range is 1 to 30 characters.
groupname The name of the group the user belongs to. The range is 1 to 30 characters.
engineid-string The engine-id of the remote management station that this user will be connecting from. The range is 5 to 32 characters.
password The password the user will use for the authentication or encryption mechanism. The range is 1 to 32 characters.
md5-key A pregenerated MD5 authentication key. The length is 32 characters.
sha-key A pregenerated SHA authentication key. The length is 48 characters.
des-key A pregenerated DES encryption key. The length is 32 characters if MD5 is selected, 48 characters if SHA is selected.

snmp-server view

This command creates or modifies an existing view entry that is used by groups to determine which objects can be accessed by a community or user.

snmp-server viewname oid-tree {included | excluded}

Mode: Global Config

Default: Views are created by default to provide access to the default groups.

Parameters:

viewname The label for the view being created. The range is 1 to 30 characters.
oid-tree The OID subtree to include or exclude from the view. Subtrees may be specified numerically (1.3.6.2.4) or by keywords (system), and asterisks may be used to specify a subtree family (1.3.*.4).
included The tree is included in the view.
excluded The tree is excluded from the view.

snmp-server v3-host

This command configures traps to be sent to the specified host.

snmp-server v3-host host-addr username [traps | informs [timeout seconds] [retries retries]] [auth | noauth | priv] [udpport port] [filter filter-name]

Mode: Global Config

Default: No default hosts are configured.

Parameters:

 

host-addr The IPv4 or IPv6 address of the host to send the trap or inform to.
username User used to send a Trap or Inform message. This user must be associated with a group that supports the version and access method. The range is 1 to 30 characters.
traps Send SNMP traps to the host. This is the default option.
informs Send SNMP informs to the host.
seconds Number of seconds to wait for an acknowledgement before resending the Inform. The default is 15 seconds. The range is 1 to 300 seconds.
retries Number of times to resend an Inform. The default is 3 attempts. The range is 0 to 255 retries.
auth Enables authentication but not encryption.
noauth No authentication or encryption. This is the default.
priv Enables authentication and encryption.
port The SNMP Trap receiver port. This value defaults to port 162.
filter-name The filter name to associate with this host. Filters can be used to specify which traps are sent to this host. The range is 1 to 30 characters.

snmptrap source-interface

Use this command in Global Configuration mode to configure the global source-interface (Source IP address) for all SNMP communication between the SNMP client and the server.

snmptrap source-interface {slot/port | vlan vlan-id}

Mode: Global Config

Parameters:

slot/port The unit identifier assigned to the switch.
vlan-id Configures the VLAN interface to use as the source IP address. The range of the VLAN ID is 1 to 4093.

show snmp

This command displays the current SNMP configuration.

show snmp

Mode: Privileged EXEC

Parameters:

 

Community Table:  
Community-String The community string for the entry. This is used by SNMPv1 and SNMPv2 protocols to access the switch.
Community-Access The type of access the community has (read only / read write / super user).
View Name The view this community has access to.
IP Address Access to this community is limited to this IP address.
Community Group Table:  
Community-String The community this mapping configures.
Group Name The group this community is assigned to.
IP Address The IP address this community is limited to.
Host Table:  
Target Address The address of the host that traps will be sent to.
Type The type of message that will be sent, either traps or informs.
Community The community traps will be sent to.
Version The version of SNMP the trap will be sent as.
UDP Port The UDP port the trap or inform will be sent to.
Filter name The filter the traps will be limited by for this host.
TO Sec The number of seconds before informs will time out when sending to this host.
Retries The number of times informs will be sent after timing out.

show snmp engineID

This command displays the currently configured SNMP engineID.

show snmp engineID

Mode: Privileged EXEC

show snmp filters

This command displays the configured filters used when sending traps.

show snmp filters [filtername]

Mode: Privileged EXEC

Parameters:

Name The filter name for this entry.
OID Tree The OID tree this entry will include or exclude.
Type Indicates if this entry includes or excludes the OID Tree.

show snmp group

This command displays the configured groups.

show snmp group [groupname]

Mode: Privileged EXEC

Parameters:

Name The name of the group.
Security Model Indicates which protocol can access the system via this group.
Security Level Indicates the security level allowed for this group.
Read View The view this group provides read access to.
Write View The view this group provides write access to.
Notify View The view this group provides trap access to.

show snmp source-interface

Use this command in Privileged EXEC mode to display the configured global source-interface (Source IP address) details used for an SNMP client.

show snmp source-interface

Mode: Privileged EXEC

show snmp user

This command displays the currently configured SNMPv3 users.

show snmp user [username]

Mode: Privileged EXEC

Parameters:

 

Name The name of the user.
Group Name The group that defines the SNMPv3 access parameters.
Auth Method The authentication algorithm configured for this user.
Privilege Method The encryption algorithm configured for this user.
Remote Engine ID The engineID for the user defined on the client machine.

show snmp views

This command displays the currently configured views.

show snmp views [viewname]

Mode: Privileged EXEC

Parameters:

Name The view name for this entry.
OID Tree The OID tree that this entry will include or exclude.
Type Indicates if this entry includes or excludes the OID tree.

show trapflags

This command displays trap conditions. The command’s display shows all the enabled OSPFv2 and OSPFv3 trapflags. Configure which traps the switch should generate by enabling or disabling the trap condition. If a trap condition is enabled and the condition is detected, the SNMP agent on the switch sends the trap to all enabled trap receivers.

You do not have to reset the switch to implement the changes. Cold and warm start traps are always generated and cannot be disabled.

show trapflags

Mode: Privileged EXEC

Parameters:

 

Authentication Flag Can be enabled or disabled. The factory default is enabled. Indicates whether authentication failure traps will be sent.
Link Up/Down Flag Can be enabled or disabled. The factory default is enabled. Indicates whether link status traps will be sent.
Multiple Users Flag Can be enabled or disabled. The factory default is enabled. Indicates whether a trap will be sent when the same user ID is logged into the switch more than once at the same time (either through Telnet or the serial port).
Spanning Tree Flag Can be enabled or disabled. The factory default is enabled. Indicates whether spanning tree traps are sent.

RADIUS Commands

Back to Top

This section describes the commands you use to configure the switch to use a Remote Authentication Dial-In User Service (RADIUS) server on your network for authentication and accounting.

radius accounting mode

This command is used to enable the RADIUS accounting function.

radius accounting mode

Mode: Global Config

Default: Disabled

radius server attribute 32

This command sets a custom NAS Identifer attribute for RADIUS authentication.

radius server attribute 32 nas-identifier

Mode: Global Config

radius server attribute 4

This command specifies the RADIUS client to use the NAS-IP Address attribute in the RADIUS requests. If the specific IP address is configured while enabling this attribute, the RADIUS client uses that IP address while sending NAS-IP-Address attribute in RADIUS communication.

radius server attribute 4 [ipaddr]

Mode: Global Config

Parameters:

4 NAS-IP-Address attribute to be used in RADIUS requests.
ipaddr The IP address of the server.

radius server host

This command configures the IP address or DNS name to use for communicating with the RADIUS server of a selected server type. While configuring the IP address or DNS name for the authenticating or accounting servers, you can also configure the port number and server name. If the authenticating and accounting servers are configured without a name, the command uses the Default_RADIUS_Auth_Server and Default_RADIUS_Acct_ Server as the default names, respectively. The same name can be configured for more than one authenticating servers and the name should be unique for accounting servers. The RADIUS client allows the configuration of a maximum of 32 authenticating and accounting servers.

If you use the auth parameter, the command configures the IP address or hostname to use to connect to a RADIUS authentication server. You can configure up to 3 servers per RADIUS client. If the maximum number of configured servers is reached, the command fails until you remove one of the servers by issuing the no form of the command. If you use the optional port parameter, the command configures the UDP port number to use when connecting to the configured RADIUS server. The port number range is 1-65535, with a default of 1812.

If you use the acct parameter, the command configures the IP address or hostname to use for the RADIUS accounting server. You can only configure one accounting server. If an accounting server is currently configured, use the no form of the command to remove it from the configuration. The IP address or hostname you specify must match that of a previously configured accounting server. If you use the optional port parameter, the command configures the UDP port to use when connecting to the RADIUS accounting server. If a port is already configured for the accounting server, the new port replaces the previously configured port. The port value must be in the range 0-65535, with a default of 1813.

radius server host {auth | acct} {ipaddr | dnsname} [name servername] [port 0-65535]

Mode: Global Config

Parameters:

 

ipaddr The IP address of the server.
dnsname The DNS name of the server.
port The port number (range 0-65535) to use to connect to the specified RADIUS server.
servername The alias name to identify the server.

radius server key

This command configures the key to be used in RADIUS client communication with the specified server. Depending on whether the auth or acct keyword is used, the shared secret is configured for the RADIUS authentication or RADIUS accounting server. The IP address or hostname provided must match a previously configured server. When this command is executed, the secret is prompted.

Text-based configuration supports RADIUS server’s secrets in encrypted and non-encrypted format. When you save the configuration, these secret keys are stored in encrypted format only. If you want to enter the key in encrypted format, enter the key along with the encrypted keyword. In the show running-config command’s display, these secret keys are displayed in encrypted format. You cannot show these keys in plain text format.

radius server key {auth | acct} {ipaddr | dnsname} encrypted password

Modes: Global Config

Parameters:

 

ipaddr The IP address of the server.
dnsname The DNS name of the server.
password The password in encrypted format.

radius server msgauth

This command enables the message authenticator attribute to be used for the specified RADIUS Authenticating server.

radius server msgauth [ipaddr | dnsname]

Mode: Global Config

Parameters:

 

ipaddr The IP address of the server.
dnsname The DNS name of the server.

radius server primary

This command specifies a configured server that should be the primary server in the group of servers which have the same server name. Multiple primary servers can be configured for each number of servers that have the same name.

When the RADIUS client has to perform transactions with an authenticating RADIUS server of specified name, the client uses the primary server that has the specified server name by default. If the RADIUS client fails to communicate with the primary server for any reason, the client uses the backup servers configured with the same server name. These backup servers are identified as the Secondary type.

radius server primary [ipaddr | dnsname]

Mode: Global Config

Parameters:

 

ipaddr The IP address of the server.
dnsname The DNS name of the server.

radius server retransmit

This command configures the RADIUS client global parameter that specifies the maximum number of message transmissions before using the fall back server upon unsuccessful communication with the current RADIUS authenticating server. When the maximum number of retries is reached for the RADIUS accounting server and no response is received, the client does not communicate with any other server.

The maximum number of transmission attempts can be set between 1 to 15, with a default of 4 attempts.

radius server retransmit retries

Mode: Global Config

Default: 4

radius source-interface

Use this command to specify the physical or logical interface to use as the RADIUS client source interface (source IP address). If configured, the address of source-interface is used for all RADIUS communications between the RADIUS server and the RADIUS client. The selected source-interface IP address is used for filling the IP header of RADIUS management protocol packets. This allows security devices (firewalls) to identify the source packets coming from the specific switch.

If a source-interface is not specified, the primary IP address of the originating (outbound) interface is used as the source address. If the configured interface is down, the RADIUS client falls back to its default behavior.

radius source-interface {slot/port | vlan vlan-id}

Mode: Global Config

radius server timeout

This command configures the RADIUS client global parameter that specifies the timeout value (in seconds) after which a request must be retransmitted to the RADIUS server if no response is received. The timeout value is an integer in the range of 1 to 30.

radius server timeout seconds

Mode: Global Config

Default: 5

show radius

This command displays the values configured for the global parameters of the RADIUS client.

show radius

Mode: Privileged EXEC

Parameters:

 

Number of Configured Authentication Servers The number of RADIUS Authentication servers that have been configured.
Number of Configured Accounting Servers The number of RADIUS Accounting servers that have been configured.
Number of Named Authentication Server Groups The number of configured named RADIUS server groups.
Number of Named Accounting Server Groups The number of configured named RADIUS server groups.
Number of Retransmits The configured value of the maximum number of times a request packet is retransmitted.
Time Duration The configured timeout value, in seconds, for request retransmissions.
RADIUS Accounting Mode A global parameter to indicate whether the accounting mode for all the servers is enabled or not.
RADIUS Attribute 4 Mode A global parameter to indicate whether the NAS-IP-Address attribute has been enabled to use in RADIUS requests.
RADIUS Attribute 4 Value A global parameter that specifies the IP address to be used in the NAS-IP-Address attribute to be used in RADIUS requests.

show radius servers

This command displays the summary and details of the RADIUS authenticating servers configured for the RADIUS client.

show radius servers [{ipaddr | dnsname | name [servername]}]

Mode: Privileged EXEC

Parameters:

 

Current The * symbol preceding the server host address specifies that the server is currently active.
Host Address The IP address of the host.
Server Name The name of the authenticating server.
Port The port used for communication with the authenticating server.
Type Specifies whether this server is a primary or secondary type.
Current Host Address The IP address of the currently active authenticating server.
Secret Configured Yes or No Boolean value that indicates whether this server is configured with a secret.
Number of Retransmits The configured value of the maximum number of times a request packet is retransmitted.
Message Authenticator Global parameter that indicates whether the Message Authenticator attribute is enabled or disabled.
Time Duration The configured timeout value, in seconds, for request retransmissions.
RADIUS Accounting Mode Global parameter that indicates whether the accounting mode for all the servers is enabled or not.
RADIUS Attribute 4 Mode Global parameter that indicates whether the NAS-IP-Address attribute has been enabled to use in RADIUS requests.
RADIUS Attribute 4 Value Global parameter that specifies the IP address to use in NAS-IP-Address attribute used in RADIUS requests.

show radius accounting

This command displays a summary of configured RADIUS accounting servers.

show radius accounting name [servername]

Mode: Privileged EXEC

Parameters:

 

Host Address The IP address of the host.
Server Name The name of the accounting server.
RADIUS Accounting Mode A global parameter to indicate whether the accounting mode for all the servers is enabled or not.
Port The port used for communication with the accounting server.
Secret Configured Yes or No Boolean value indicating whether this server is configured with a secret.

show radius accounting statistics

This command displays a summary of statistics for the configured RADIUS accounting servers.

show radius accounting statistics {ipaddr | dnsname | name servername}

Mode: Privileged EXEC

Parameters:

 

RADIUS Accounting Server Name The name of the accounting server.
Host Address The IP address of the host.
Round Trip Time The time interval, in hundredths of a second, between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server.
Requests The number of RADIUS Accounting-Request packets sent to this server. This number does not include retransmissions.
Retransmission The number of RADIUS Accounting-Request packets retransmitted to this RADIUS accounting server.
Responses The number of RADIUS packets received on the accounting port from this server.
Malformed Responses The number of malformed RADIUS Accounting-Response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators or signature attributes or unknown types are not included as malformed accounting responses.
Bad Authenticators The number of RADIUS Accounting-Response packets containing invalid authenticators received from this accounting server.
Pending Requests The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.
Timeouts The number of accounting timeouts to this server.
Unknown Types The number of RADIUS packets of unknown types, which were received from this server on the accounting port.
Packets Dropped The number of RADIUS packets received from this server on the accounting port and dropped for some other reason.

show radius source-interface

Use this command in Privileged EXEC mode to display the configured RADIUS client source-interface (Source IP address) information.

show radius source-interface

Mode: Privileged EXEC

show radius statistics

This command displays the summary statistics of configured RADIUS Authenticating servers.

show radius statistics {ipaddr | dnsname | name servername}

Mode: Privileged EXEC

Parameters:

 

RADIUS Server Name The name of the authenticating server.
Server Host Address The IP address of the host.
Access Requests The number of RADIUS Access-Request packets sent to this server. This number does not include retransmissions.
Access Retransmissions The number of RADIUS Access-Request packets retransmitted to this RADIUS authentication server.
Access Accepts The number of RADIUS Access-Accept packets, including both valid and invalid packets, that were received from this server.
Access Rejects The number of RADIUS Access-Reject packets, including both valid and invalid packets, that were received from this server.
Access Challenges The number of RADIUS Access-Challenge packets, including both valid and invalid packets, that were received from this server.
Malformed Access Responses The number of malformed RADIUS Access-Response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators or signature attributes or unknown types are not included as malformed access responses.
Bad Authenticators The number of RADIUS Access-Response packets containing invalid authenticators or signature attributes received from this server.
Pending Requests The number of RADIUS Access-Request packets destined for this server that have not yet timed out or received a response.
Timeouts The number of authentication timeouts to this server.
Unknown Types The number of packets of unknown type that were received from this server on the authentication port.
Packets Dropped The number of RADIUS packets received from this server on the authentication port and dropped for some other reason.

TACACS+ Commands

Back to Top

TACACS+ provides access control for networked devices via one or more centralized servers. Similar to RADIUS, this protocol simplifies authentication by making use of a single database that can be shared by many clients on a large network. TACACS+ is based on the TACACS protocol (described in RFC1492) but additionally provides for separate authentication, authorization, and accounting services.

tacacs-server host

Use the tacacs-server host command in Global Configuration mode to configure a TACACS+ server. This command enters into the TACACS+ configuration mode. The ip-address|hostname parameter is the IP address or hostname of the TACACS+ server. To specify multiple hosts, multiple tacacs-server host commands can be used.

tacacs-server host ip-address|hostname

Mode: Global Config

tacacs-server key

Use the tacacs-server key command to set the authentication and encryption key for all TACACS+ communications between the switch and the TACACS+ daemon. The key-string parameter has a range of 0-128 characters and specifies the authentication and encryption key for all TACACS communications between the switch and the TACACS+ server. This key must match the key used on the TACACS+ daemon.

Text-based configuration supports TACACS server’s secrets in encrypted and non-encrypted format. When you save the configuration, these secret keys are stored in encrypted format only. If you want to enter the key in encrypted format, enter the key along with the encrypted keyword. The show running-config command displays these secret keys in encrypted format. You cannot show these keys in plain text format.

tacacs-server key [key-string | encrypted key-string]

Mode: Global Config

tacacs-server keystring

Use the tacacs-server keystring command to set the global authentication encryption key used for all TACACS+ communications between the TACACS+ server and the client.

tacacs-server keystring

Mode: Global Config

tacacs-server source-interface

Use this command in Global Configuration mode to configure the source interface (Source IP address) for TACACS+ server configuration. The selected source-interface IP address is used for filling the IP header of management protocol packets. This allows security devices (firewalls) to identify the source packets coming from the specific switch.

If a source-interface is not specified, the primary IP address of the originating (outbound) interface is used as the source address.

tacacs-server source-interface {slot/port | vlan vlan-id}

Modes: Global Config

tacacs-server timeout

Use this command to set the timeout value for communication with the TACACS+ servers. The timeout parameter has a range of 1-30 and is the timeout value in seconds.

tacacs-server timeout timeout

Mode: Global Config

key (TACACS Config)

Use the key command in TACACS Configuration mode to specify the authentication and encryption key for all TACACS communications between the device and the TACACS server. This key must match the key used on the TACACS daemon. The key-string parameter specifies the key name. For an empty string use “ ”. The range is 0-128 characters.

Text-based configuration supports TACACS server’s secrets in encrypted and non-encrypted format. When you save the configuration, these secret keys are stored in encrypted format only. If you want to enter the key in encrypted format, enter the key along with the encrypted keyword. In the show running-config command’s display, these secret keys are displayed in encrypted format. You cannot show these keys in plain text format.

key [key-string | encrypted key-string]

Mode: TACACS Config

keystring (TACACS Server Config)

Use the keystring command in TACACS Server Configuration mode to set the TACACS+ server-specific authentication encryption key used for all TACACS+ communications between the TACACS+ server and the client.

keystring

Mode: TACACS Server Config

port (TACACS Config)

Use the port command in TACACS Configuration mode to specify a server port number. The server port-number range is 0 - 65535.

port port-number

Mode: TACACS Config

Default: 49

priority (TACACS Config)

Use this command in TACACS Configuration mode to specify the order in which servers are used, where 0 (zero) is the highest priority. The priority parameter specifies the priority for servers. The highest priority is 0 (zero), and the range is 0 - 65535.

priority priority

Mode: TACACS Config

Default: 0

timeout (TACACS Config)

Use this command in TACACS Configuration mode to specify the timeout value in seconds. If no timeout value is specified, the global value is used. The timeout parameter has a range of 1-30 and is the timeout value in seconds.

timeout timeout

Mode: TACACS Config

show tacacs

Use this command to display the configuration, statistics, and source interface details of the TACACS+ client.

show tacacs [ip-address|hostname|client|server]

Mode: Privileged EXEC

Parameters:

 

Host address The IP address or hostname of the configured TACACS+ server.
Port The configured TACACS+ server port number.
TimeOut The timeout in seconds for establishing a TCP conection.
Priority The preference order in which TACACS+ servers are contacted. If a server connection fails, the next highest priority server is contacted.
client Display SNTP client information.
server Display SNTP server information.

show tacacs source-interface

Use this command in Global Config mode to display the configured global source interface details used for a TACACS+ client. The IP address of the selected interface is used as source IP for all communications with the server.

show tacacs source-interface

Mode: Privileged EXEC

Configuration Scripting Commands

Back to Top

Configuration Scripting allows you to generate text-formatted script files representing the current configuration of a system. You can apply configuration scripts to one or more switches with no or minor modifications. Use the show running-config command  to capture the running configuration into a script. Use the copy command to transfer the configuration script to or from the switch.

Scripts must conform to the following rules:
- The file extension must be .scr.
- A maximum of ten scripts are allowed on the switch.
- The combined size of all script files on the switch shall not exceed 2048 KB.
- The maximum number of configuration file command lines is 2000.

You can type single-line annotations at the command prompt to use when you write test or configuration scripts to improve script readability. The exclamation mark (!) character flags the beginning of a comment. The comment flag character can begin a word anywhere on the command line, and all input following this character is ignored. 

script apply

This command applies the commands in the script to the switch. The scriptname parameter is the name of the script to apply.

script apply scriptname

Mode: Privileged EXEC

script delete

This command deletes a specified script where the scriptname parameter is the name of the script to delete. The all option deletes all the scripts present on the switch.

script delete {scriptname | all}

Mode: Privileged EXEC

script list

This command lists all scripts present on the switch as well as the remaining available space.

script list

Mode: Privileged EXEC

script show

This command displays the contents of a script file, which is named scriptname.

script show scriptname

Mode: Privileged EXEC

script validate

This command validates a script file by parsing each line in the script file where scriptname is the name of the script to validate. The validate option is intended to be used as a tool for script development. Validation identifies potential problems. It might not identify all problems with a given script on any given device.

script validate scriptname

Mode: Privileged EXEC

application

This command starts or stops an installed application.

application start | stop filename

Mode: Privileged EXEC

Prelogin Banner, System Prompt, and Host Name Commands

Back to Top

This section describes the commands you use to configure the prelogin banner and the system prompt. The prelogin banner is the text that displays before you login.

copy

The copy command includes the option to upload or download the CLI Banner to or from the switch. You can specify local URLs by using TFTP, SFTP, SCP, or Xmodem.

copy tftp://ipaddr/filepath/filename nvram:clibanner
copy nvram:clibanner tftp://ipaddr/filepath/filename

Mode: Privileged EXEC

set prompt

This command changes the name of the prompt. The length of name may be up to 64 alphanumeric characters.

set prompt prompt_string

Mode: Privileged EXEC

hostname

This command sets the system hostname. It also changes the prompt. The length of name may be up to 64 alphanumeric, case-sensitive characters.

hostname hostname

Mode: Privileged EXEC

show clibanner

Use this command to display the configured prelogin CLI banner. The prelogin banner is the text that displays before displaying the CLI prompt.

show clibanner

Mode: Privileged EXEC

set clibanner

Use this command to configure the prelogin CLI banner before displaying the login prompt. The line parameter sets the banner text where double quote ("") is a delimiting character. The banner message can be up to 2000 characters.

set clibanner line

Mode: Global Config

IPv6 Management Commands

Back to Top

IPv6 Management commands allow a device to be managed via an IPv6 address in a switch or IPv4 routing (i.e., independent from the IPv6 Routing package). For routing/IPv6 builds dual IPv4/IPv6 operation over the service port is enabled.

The EdgeSwitch has capabilities such as:
- Static assignment of IPv6 addresses and gateways for the service/network ports.
- The ability to ping an IPv6 link-local address over the service/network port.
- Using IPv6 management commands, you can send SNMP traps and queries via the service/network port.
- The user can manage a device via the network port.

network ipv6 enable

Use this command to enable IPv6 operation on the network port.

network ipv6 enable

Mode: Privileged EXEC

Default: Enabled

network ipv6 address

Use the options of this command to manually configure IPv6 global address, enable/disable stateless global address auto-configuration and to enable/disable DHCPv6 client protocol information for the network port. Multiple IPv6 addresses can be configured on the network port.

network ipv6 address {address/prefix-length [eui64] | autoconfig | dhcp}

Mode: Privileged EXEC

Parameters:

 

address IPv6 prefix in IPv6 global address format.
prefix-length IPv6 prefix length value.
eui64 Formulate IPv6 address in eui64 format.
autoconfig Configure stateless global address auto-configuration capability.
dhcp Configure DHCPv6 client protocol.

network ipv6 gateway

Use this command to configure IPv6 default gateway (global or link-local address format) information for the network port.

network ipv6 gateway gateway-address

Mode: Privileged EXEC

network ipv6 neighbor

Use this command to manually add IPv6 neighbors to the IPv6 neighbor table for this network port. If an IPv6 neighbor already exists in the neighbor table, the entry is automatically converted to a static entry. Static entries are not modified by the neighbor discovery process. They are, however, treated the same for IPv6 forwarding.

Static IPv6 neighbor entries are applied to the kernel stack and to the hardware when the corresponding interface is operationally active.

network ipv6 neighbor ipv6-address macaddr

Mode: Privileged EXEC

Parameters:

 

ipv6-address The IPv6 address of the neighbor or interface.
macaddr The link-layer address.

show network ipv6 neighbors

Use this command to display the information about the IPv6 neighbor entries cached on the network port. The information is updated to show the type of the entry.

show network ipv6 neighbors

Mode: Privileged EXEC

Parameters:

 

IPv6 Address The IPv6 address of the neighbor.
MAC Address The MAC Address of the neighbor.
isRtr Shows if the neighbor is a router. If TRUE, the neighbor is a router; if FALSE, it is not a router.
Neighbor State The state of the neighbor cache entry. Possible values are: Incomplete, Reachable, Stale, Delay, Probe, and Unknown.
Age The time in seconds that has elapsed since an entry was added to the cache.
Last Updated The time in seconds that has elapsed since an entry was added to the cache.
Type The type of neighbor entry: Static if the entry is manually configured, Dynamic if dynamically resolved.

show network ipv6 dhcp statistics

Use this command to display  information about the IPv6 DHCPv6 client statistics.

show network ipv6 dhcp statistics

Mode: Privileged EXEC

ping ipv6

Use this command to determine whether another computer is on the network. Ping provides a synchronous response when initiated from the CLI and browser-based UI interfaces. To use the command, configure the switch for network (in-band) connection. The source and target devices must have the ping utility enabled and running on top of TCP/IP. The switch can be pinged from any IP workstation with which the switch is connected through the default VLAN (VLAN 1), as long as there is a physical path between the switch and the workstation.

The terminal interface sends three pings to the target station. Use the ipv6-global-address|hostname parameter to ping an interface by using the global IPv6 address of the interface. The argument slot/port corresponds to a physical routing interface or VLAN routing interface. The keyword vlan is used to specify the VLAN ID of the routing VLAN directly instead of a slot/port format. Use the optional size keyword to specify the size of the ping packet.

You can utilize the ping or traceroute facilities over the service/network ports when using an IPv6 global address ipv6-global-address|hostname. Any IPv6 global address or gateway assignments to these interfaces will cause IPv6 routes to be installed within the IP stack such that the ping or traceroute request is routed out the service/network port properly. When referencing an IPv6 link-local address, you must also specify the service or network port interface by using the network parameter.

ping ipv6 {ipv6-global-address|hostname | {interface {slot/port | vlan 1-4093 | network} link-local-address} [size datagram-size]}

Modes: User / Privileged EXEC

Default: count 1 / interval 3 seconds / size 0 bytes

ping ipv6 interface

Use this command to determine whether another computer is on the network. To use the command, configure the switch for network (in-band) connection. The source and target devices must have the ping utility enabled and running on top of TCP/IP. The switch can be pinged from any IP workstation with which the switch is connected through the default VLAN (VLAN 1), as long as there is a physical path between the switch and the workstation.

The terminal interface sends three pings to the target station. You can use a network port, service port, VLAN, or physical interface as the source. The parameter slot/port corresponds to a physical routing interface or VLAN routing interface. The keyword vlan is used to specify the VLAN ID of the routing VLAN directly instead of in a slot/port format.

ping ipv6 interface {slot/port | vlan 1-4093 | network} {link-local-address link-local-address | ipv6-address} [size datagram-size]

Modes: User / Privileged EXEC

Parameters:

 

interface Use the interface keyword to ping an interface by using the link-local address or the global IPv6 address of the interface.
size Use the optional size keyword to specify the size of the ping packet.
ipv6-address The link local IPv6 address of the device you want to query.

UNMS, Discovery and Analytics Commands

Back to Top

Use the commands in this section to configure the UNMS, Ubiquiti Discovery and Device Analytics features.

service ubnt-discovery

Use this command to enable or disable the Ubiquiti Discovery responder.

service ubnt-discovery

Mode: Global Config

Default: Enabled

service ubnt-discovery-scanner

Use this command to enable or disable the Ubiquiti Discovery scanner.

service ubnt-discovery-scanner

Mode: Global Config

Default: Enabled

service ubnt-discovery-active-scan

Use this command to enable or disable the Ubiquiti Discovery active scan feature.

ubnt-discovery-active-scan

Mode: Global Config

Default: Disabled

service unms

Use this command to enable or disable the UNMS service.

service unms

Mode: Global Config

Default: Disabled

service unms key

Use this command to manually add the UNMS key obtained from the UNMS server.

service unms key key-value

Mode: Global Config

device analytics

Use this command to enable or disable the Ubiquiti Device Analytics feature.

device analytics

Mode: Global Config

Default: Disabled

show unms

Use this command to view the UNMS connection status and log entries.

show unms [log]

Mode: Privileged EXEC

show device analytics

Use this command to verify if the Ubiquiti Device Analytics feature is enabled or disabled.

show device analytics

Mode: Privileged EXEC

tools.png  Utility Commands

Back to Top

This chapter describes the utility commands available in the EdgeSwitch CLI.

AutoInstall Commands

Back to Top

The AutoInstall feature enables the automatic update of the image and configuration of the switch. This feature enables touchless or low-touch provisioning to simplify switch configuration and imaging. AutoInstall includes the following support:

- Downloading an image from TFTP server using DHCP option 125. The image update can result in a downgrade/upgrade of the firmware.
- Automatically downloading a configuration file from a TFTP server when the switch is booted with no saved configuration file.
- Automatically downloading an image from a TFTP server in the following situations:
- When the switch is booted with no saved configuration found.
- When the switch is booted with a saved configuration that has AutoInstall enabled.

When the switch boots and no configuration file is found, it attempts to obtain an IP address from a network DHCP server. The response from the DHCP server includes the IP address of the TFTP server where the image and configuration flies are located.

After acquiring an IP address and the additional relevant information from the DHCP server, the switch downloads the image file or configuration file from the TFTP server. A downloaded image is automatically installed. A downloaded configuration file is saved to non-volatile memory.

AutoInstall from a TFTP server can run on any IP interface, including the network port, service port, and in-band routing interfaces (if supported). To support AutoInstall, the DHCP client is enabled operationally on the service port, if it exists, or the network port, if there is no service port.

boot autoinstall

Use this command to operationally start or stop the AutoInstall process on the switch. The command is non-persistent and is not saved in the startup or running configuration file.

boot autoinstall {start | stop}

Mode: Privileged EXEC

Default: Stopped

boot host retrycount

Use this command to set the number of attempts to download a configuration file from the TFTP server.

boot host retrycount [1-3]

Mode: Privileged EXEC

Default: 3

boot host dhcp

Use this command to enable AutoInstall on the switch for the next reboot cycle. The command does not change the current behavior of AutoInstall and saves the command to NVRAM.

boot host dhcp

Mode: Privileged EXEC

Default: Disabled

boot host autosave

Use this command to automatically save the downloaded configuration file to the startup-config file on the switch. When autosave is disabled, you must explicitly save the downloaded configuration to non-volatile memory by using the write memory or copy system:running-config nvram:startup-config command.

If the switch reboots and the downloaded configuration has not been saved, the AutoInstall process begins, if the feature is enabled.

boot host autosave

Mode: Privileged EXEC

Default: Disabled

boot host autoreboot

Use this command to allow the switch to automatically reboot after successfully downloading an image. When auto reboot is enabled, no administrative action is required to activate the image and reload the switch.

boot host autoreboot

Mode: Privileged EXEC

Default: Enabled

erase startup-config

Use this command to erase the text-based configuration file stored in non-volatile memory. If the switch boots and no startup-config file is found, the AutoInstall process automatically begins.

erase startup-config

Modes: Privileged EXEC

erase factory-defaults

Use this command to erase the text-based factory-defaults file stored in non-volatile memory.

erase factory-defaults

Modes: Privileged EXEC

erase application

Use this command to erase an application file stored in non-volatile memory.

erase application filename

Modes: Privileged EXEC

show autoinstall

This command displays the current status of the AutoInstall process.

show autoinstall

Modes: Privileged EXEC

Dual Image Commands

Back to Top

The EdgeSwitch software supports a dual image feature that allows the switch to have two software images in the permanent storage. You can specify which image is the active image to be loaded in subsequent reboots. This feature allows reduced down-time when you upgrade or downgrade the software.

delete

This command deletes the backup image file from the permanent storage.

delete backup

Mode: Privileged EXEC

boot system

This command activates the specified image. It will be the active-image for subsequent reboots and will be loaded by the boot loader. The current active-image is marked as the backup-image for subsequent reboots. If the specified image doesn’t exist on the system, this command returns an error message.

boot system {active | backup}

Mode: Privileged EXEC

show bootvar

This command displays the version information and the activation status for the current active and backup images. The command also displays any text description associated with an image. This command displays the switch activation status.

show bootvar

Mode: Privileged EXEC

filedescr

This command associates a given text description with an image. Any existing description will be replaced.

filedescr {active | backup} text-description

Mode: Privileged EXEC

update bootcode

This command updates the bootcode (boot loader) on the switch. The bootcode is read from the active-image for subsequent reboots.

update bootcode

Mode: Privileged EXEC

System Information and Statistics Commands

Back to Top

This section describes the commands you use to view information about system features, components, and configurations.

show arp switch

This command displays the contents of the IP stack’s Address Resolution Protocol (ARP) table. The IP stack only learns ARP entries associated with the management interfaces – network or service ports. ARP entries associated with routing interfaces are not listed.

show arp switch

Mode: Privileged EXEC

Parameters:

 

IP Address IP address of the management interface or another device on the management network.
MAC Address Hardware MAC address of that device.
Interface For a service port the output is Management. For a network port, the output is the slot/port of the physical interface.

show eventlog

This command displays the event log, which contains error messages from the system. The event log is not cleared on a system reset. The unit is the switch identifier.

show eventlog [unit]

Mode: Privileged EXEC

Parameters:

 

File The file in which the event originated.
Line The line number of the event.
Task Id The task ID of the event.
Code The event code.
Time The time this event occurred.
Unit The unit for the event.

show hardware

This command displays inventory information for the switch.

show hardware

Mode: Privileged EXEC

show reload

This command displays whether the reload in command was previously set and the time before the switch will be restarted.

show reload

Mode: Privileged EXEC

show environment

This command displays the temperature and fan information (if applicable) for the switch.

show environment

Mode: Privileged EXEC

show version

This command displays inventory information for the switch.

show version

Mode: Privileged EXEC

Parameters:

 

System Description Text used to identify the product name of this switch.
Machine Type The machine model as defined by the Vital Product Data.
Machine Model The machine model as defined by the Vital Product Data
Serial Number The unique box serial number for this switch.
Burned in MAC Address Universally assigned network address.
Software Version The release.version.revision number of the code currently running on the switch.

show platform vpd

This command displays vital product data for the switch.

show platform vpd

Modes: User / Privileged EXEC

Parameters:

 

Operational Code Image File Name Build Signature loaded into the switch
Software Version Release Version Maintenance Level and Build (RVMB) information of the switch.
Timestamp Timestamp at which the image is built

show interface

This command displays a summary of statistics for a specific interface or a count of all CPU traffic based upon the argument.

show interface {slot/port | switchport}

Mode: Privileged EXEC

Parameters:

 

Receive Packets Discarded The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffered space.
Packets Transmitted Without Error The total number of packets transmitted out of the interface.
Transmit Packets Discarded The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. A possible reason for discarding a packet could be to free up buffer space.
Transmit Packets Errors The number of outbound packets that could not be transmitted because of errors.
Collisions Frames The best estimate of the total number of collisions on this Ethernet segment.
Time Since Counters Last Cleared The elapsed time, in days, hours, minutes, and seconds since the statistics for this port were last cleared.
Packets Received Without Error The total number of packets (including broadcast packets and multicast packets) received by the processor.
Broadcast Packets Received The total number of packets received that were directed to the broadcast address. Note that this does not include multicast packets.
Packets Received With Error The number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol.
Packets Transmitted Without Error The total number of packets transmitted out of the interface.
Broadcast Packets Transmitted The total number of packets that higher-level protocols requested to be transmitted to the Broadcast address, including those that were discarded or not sent.
Transmit Packet Errors The number of outbound packets that could not be transmitted because of errors.
Time Since Counters Last Cleared The elapsed time, in days, hours, minutes, and seconds since the statistics for this switch were last cleared.

show interfaces status

Use this command to display interface information, including the description, port state, speed and auto- neg capabilities. The command is similar to show port all but displays additional fields like interface description and port-capability.

The description of the interface is configurable through the existing command description <name> which has a maximum length of 64 characters that is truncated to 28 characters in the output. The long form of the
description can be displayed using show port description. The interfaces displayed by this command are physical interfaces, LAG interfaces and VLAN routing interfaces.

show interfaces status [slot/port]

Mode: Privileged EXEC

show interfaces traffic

Use this command to display interface traffic information.

show interfaces traffic [slot/port]

Mode: Privileged EXEC

show interface counters

This command reports key summary statistics for all the ports (physical, port-channel, and CPU).

show interface counters

Mode: Privileged EXEC

Parameters:

 

Packets Received Successfully:  
Port Interface (slot/port), port-channel number, or CPU.
InOctets Total Packets Received Without Error - The total number of packets received that were without errors.
InUcastPkts Unicast Packets Received - The number of subnetwork-unicast packets delivered to a higher-layer protocol.
InMcastPkts Multicast Packets Received - The total number of good packets received that were directed to a multicast address. Note that this number does not include packets directed to the broadcast address.
InBcastPkts Broadcast Packets Received - The total number of good packets received that were directed to the broadcast address. Note that this does not include multicast packets.
Packets Transmitted Successfully:  
Port Interface (slot/port), port-channel number, or CPU.
OutOctets Total Packets Transmitted Successfully - The number of frames that have been transmitted by this port to its segment.
OutUcastPkts Unicast Packets Transmitted - The total number of packets that higher-level protocols requested be transmitted to a subnetwork-unicast address, including those that were discarded or not sent.
OutMcastPkts Multicast Packets Transmitted - The total number of packets that higher-level protocols requested be transmitted to a Multicast address, including those that were discarded or not sent.
OutBcastPkts Broadcast Packets Transmitted - The total number of packets that higher-level protocols requested be transmitted to the Broadcast address, including those that were discarded or not sent.

show interface ethernet

This command displays detailed statistics for a specific interface or for all CPU traffic based upon the argument.

show interface ethernet {slot/port | switchport | all}

Mode: Privileged EXEC

Parameters:

 

Total Packets Received (Octets) The total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including Frame Check Sequence (FCS) octets). This object can be used as a reasonable estimate of Ethernet utilization. If greater precision is desired, the etherStatsPkts and etherStatsOctets objects should be sampled before and after a common interval. The result of this equation is the value Utilization which is the percent utilization of the Ethernet segment on a scale of 0 to 100 percent.
Packets Received 64 Octets The total number of packets (including bad packets) received that were 64 octets in length (excluding framing bits but including FCS octets).
Packets Received 65–127 Octets The total number of packets (including bad packets) received that were from 65 to 127 octets in length inclusive (excluding framing bits but including FCS octets).
Packets Received 128–255 Octets The total number of packets (including bad packets) received that were from 128 to 255 octets in length inclusive (excluding framing bits but including FCS octets).
Packets Received 256–511 Octets The total number of packets (including bad packets) received that were from 256 to 511 octets in length inclusive (excluding framing bits but including FCS octets).
Packets Received 512–1023 Octets The total number of packets (including bad packets) received that were from 512 to 1023 octets in length inclusive (excluding framing bits but including FCS octets).
Packets Received 1024–1518 Octets The total number of packets (including bad packets) received that were from 1024 to 1518 octets in length inclusive (excluding framing bits but including FCS octets).
Packets Received > 1518 Octets The total number of packets received that were longer than 1522 octets (excluding framing bits, but including FCS octets) and were otherwise well formed.
Packets RX and TX 64 Octets The total number of packets (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but including FCS octets).
Packets RX and TX 65–127 Octets The total number of packets (including bad packets) received and transmitted that were from 65 to 127 octets in length inclusive (excluding framing bits but including FCS octets).
Packets RX and TX 128–255 Octets The total number of packets (including bad packets) received and transmitted that were from 128 to 255 octets in length inclusive (excluding framing bits but including FCS octets).
Packets RX and TX 256–511 Octets The total number of packets (including bad packets) received and transmitted that were from 256 to 511 octets in length inclusive (excluding framing bits but including FCS octets).
Packets RX and TX 512–1023 Octets The total number of packets (including bad packets) received and transmitted that were from 512 to 1023 octets in length inclusive (excluding framing bits but including FCS octets).
Packets RX and TX 1024–1518 Octets The total number of packets (including bad packets) received and transmitted that were from 1024 to 1518 octets in length inclusive (excluding framing bits but including FCS octets).
Packets RX and TX 1519–2047 Octets The total number of packets received and transmitted that were from 1519 to 2047 octets in length inclusive (excluding framing bits, but including FCS octets) and were otherwise well formed.
Packets RX and TX 2048–4095 Octets The total number of packets received that were from 2048 to 4095 octets in length inclusive (excluding framing bits, but including FCS octets) and were otherwise well formed.
Packets RX and TX 4096–9216 Octets The total number of packets received that were from 4096 to 9216 octets in length inclusive (excluding framing bits, but including FCS octets) and were otherwise well formed.
Total Packets Received Without Error The total number of packets received that were without errors.
Unicast Packets Received The number of subnetwork-unicast packets delivered to a higher-layer protocol.
Multicast Packets Received The total number of good packets received that were directed to a multicast address. Note that this number does not include packets directed to the broadcast address.
Broadcast Packets Received The total number of good packets received that were directed to the broadcast address. Note that this does not include multicast packets.
Receive Packets Discarded The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.
Total Packets Received with MAC Errors The total number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol.
Jabbers Received The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error). Note that this definition of jabber is different than the definition in IEEE-802.3 section 8.2.1.5 (10BASE5) and section 10.3.1.4 (10BASE2). These documents define jabber as the condition where any packet exceeds 20 ms. The allowed range to detect jabber is between 20 ms and 150 ms.
Fragments/Undersize Received The total number of packets received that were less than 64 octets in length (excluding framing bits but including FCS octets).
Alignment Errors The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had a bad Frame Check Sequence (FCS) with a non-integral number of octets.
FCS Errors The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had a bad Frame Check Sequence (FCS) with an integral number of octets.
Overruns The total number of frames discarded as this port was overloaded with incoming packets, and could not keep up with the inflow.
Total Received Packets Not Forwarded A count of valid frames received which were discarded (in other words, filtered) by the forwarding process
802.3x Pause Frames Received A count of MAC Control frames received on this interface with an opcode indicating the PAUSE operation. This counter does not increment when the interface is operating in half-duplex mode.
Unacceptable Frame Type The number of frames discarded from this port due to being an unacceptable frame type.
Total Packets Transmitted (Octets) The total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including FCS octets). This object can be used as a reasonable estimate of Ethernet utilization. If greater precision is desired, the etherStatsPkts and etherStatsOctets objects should be sampled before and after a common interval.
Packets Transmitted 64 Octets The total number of packets (including bad packets) received that were 64 octets in length (excluding framing bits but including FCS octets).
Packets Transmitted 65-127 Octets The total number of packets (including bad packets) received that were between 65 and 127 octets in length inclusive (excluding framing bits but including FCS octets).
Packets Transmitted 128-255 Octets The total number of packets (including bad packets) received that were between 128 and 255 octets in length inclusive (excluding framing bits but including FCS octets).
Packets Transmitted 256-511 Octets The total number of packets (including bad packets) received that were between 256 and 511 octets in length inclusive (excluding framing bits but including FCS octets).
Packets Transmitted 512-1023 Octets The total number of packets (including bad packets) received that were between 512 and 1023 octets in length inclusive (excluding framing bits but including FCS octets).
Packets Transmitted 1024-1518 Octets The total number of packets (including bad packets) received that were between 1024 and 1518 octets in length inclusive (excluding framing bits but including FCS octets).
Packets Transmitted > 1518 Octets The total number of packets transmitted that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed.
Max Frame Size The maximum size of the Info (non-MAC) field that this port will receive or transmit.
Total Packets Transmitted Successfully The number of frames that have been transmitted by this port to its segment.
Unicast Packets Transmitted The total number of packets that higher-level protocols requested be transmitted to a subnetwork-unicast address, including those that were discarded or not sent.
Multicast Packets Transmitted The total number of packets that higher-level protocols requested be transmitted to a Multicast address, including those that were discarded or not sent.
Broadcast Packets Transmitted The total number of packets that higher-level protocols requested be transmitted to the Broadcast address, including those that were discarded or not sent.
Transmit Packets Discarded The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. A possible reason for discarding a packet could be to free up buffer space.
Total Transmit Errors The sum of Single, Multiple, and Excessive Collisions.
Total Transmit Packets Discards The sum of single collision frames discarded, multiple collision frames discarded, and excessive frames discarded.
Single Collision Frames A count of the number of successfully transmitted frames on a particular interface for which transmission is inhibited by exactly one collision.
Multiple Collision Frames A count of the number of successfully transmitted frames on a particular interface for which transmission is inhibited by more than one collision.
Excessive Collisions A count of frames for which transmission on a particular interface fails due to excessive collisions.
802.3x Pause Frames Transmitted A count of MAC Control frames transmitted on this interface with an opcode indicating the PAUSE operation. This counter does not increment when the interface is operating in half-duplex mode.
GVRP PDUs Received The count of GVRP PDUs received in the GARP layer.
GVRP PDUs Transmitted The count of GVRP PDUs transmitted from the GARP layer.
GVRP Failed Registrations The number of times attempted GVRP registrations could not be completed.
GMRP PDUs Received The count of GMRP PDUs received in the GARP layer.
GMRP PDUs Transmitted The count of GMRP PDUs transmitted from the GARP layer.
GMRP Failed Registrations The number of times attempted GMRP registrations could not be completed.
STP BPDUs Transmitted Spanning Tree Protocol Bridge Protocol Data Units sent.
STP BPDUs Received Spanning Tree Protocol Bridge Protocol Data Units received.
RST BPDUs Transmitted Rapid Spanning Tree Protocol Bridge Protocol Data Units sent.
RSTP BPDUs Received Rapid Spanning Tree Protocol Bridge Protocol Data Units received.
MSTP BPDUs Transmitted Multiple Spanning Tree Protocol Bridge Protocol Data Units sent.
MSTP BPDUs Received Multiple Spanning Tree Protocol Bridge Protocol Data Units received.
EAPOL Frames Transmitted The number of EAPOL frames of any type that have been transmitted by this authenticator.
EAPOL Frames Received The number of valid EAPOL frames of any type that have been received by this authenticator.
Time Since Counters Last Cleared The elapsed time, in days, hours, minutes, and seconds since the statistics for this port were last cleared.
Bytes Tx The total number of bytes transmitted by the interface.
Bytes Rx The total number of bytes received by the interface.
Packets Tx he total number of packets transmitted by the interface.
Packets Rx The total number of packets received by the interface.

show interface ethernet switchport

This command displays the private VLAN mapping information for the switch interfaces.

show interface ethernet interface-id switchport

Mode: Privileged EXEC

show interface lag

Use this command to display configuration information about the specified LAG interface.

show interface lag lag-intf-num

Mode: Privileged EXEC

show fiber-ports optical-transceiver

This command displays the diagnostics information of the SFP like Temp, Voltage, Current, Input Power, Output Power, Tx Fault, and LOS. The values are derived from the SFP’s A2 (Diagnostics) table using the I2C interface.

show fiber-ports optical-transceiver {all | slot/port}

Mode: Privileged EXEC

Parameters:

 

Temp Internally measured transceiver temperature.
Voltage Internally measured supply voltage.
Current Measured TX bias current.
Output Power Measured optical output power relative to 1mW.
Input Power Measured optical power received relative to 1mW.
TX Fault Transmitter fault.
LOS Loss of signal.

show fiber-ports optical-transceiver-info

This command displays the SFP vendor-related information such as the vendor name, SFP serial number, and SFP part number. The values are derived from the SFP’s A0 table using the I2C interface.

show fiber-ports optical-transceiver-info {all | slot/port}

Mode: Privileged EXEC

Parameters:

 

Port The interface (slot/port).
Vendor Name The vendor name is a 16-character field that contains ASCII characters, left-aligned and padded on the right with ASCII spaces (20h). The vendor name is the full name of the corporation, a commonly accepted abbreviation of the name of the corporation, the SCSI company code for the corporation, or the stock exchange code for the corporation.
Link Length (50um, OM2) This value specifies link length that is supported by the transceiver while operating in compliance with applicable standards using 50 micron multi-mode OM2 [500MHz*km at 850nm] fiber. A value of zero means that the transceiver does not support 50 micron multi-mode fiber or that the length information must be determined from the transceiver technology.
Link Length (62.5um, OM1) This value specifies link length that is supported by the transceiver while operating in compliance with applicable standards using 62.5 micron multi-mode OM1 [200 MHz*km at 850nm, 500 MHz*km at 1310nm] fiber. A value of zero means that the transceiver does not support 62.5 micron multi-mode fiber or that the length information must be determined from the transceiver technology.
Serial Number The vendor serial number (vendor SN) is a 16 character field that contains ASCII characters, left- aligned and padded on the right with ASCII spaces (20h), defining the vendor’s serial number for the transceiver. A value of all zero in the 16-byte field indicates that the vendor SN is unspecified.
Part Number The vendor part number (vendor PN) is a 16-byte field that contains ASCII characters, left aligned and added on the right with ASCII spaces (20h), defining the vendor part number or product name. A value of all zero in the 16-byte field indicates that the vendor PN is unspecified.
Nominal Bit Rate (Mbps) The nominal bit (signaling) rate (BR, nominal) is specified in units of 100 MBd, rounded off to the nearest 100 MBd. The bit rate includes those bits necessary to encode and delimit the signal as well as those bits carrying data information. A value of 0 indicates that the bit rate is not specified and must be determined from the transceiver technology. The actual information transfer rate will depend on the encoding of the data, as defined by the encoding value.
Rev The vendor revision number (vendor rev) contains ASCII characters, left aligned and padded on the right with ASCII spaces (20h), defining the vendor’s product revision number. A value of all zero in this field indicates that the vendor revision is unspecified.

show mac-addr-table

This command displays the forwarding database entries. These entries are used by the transparent bridging function to determine how to forward a received frame. Enter all or no parameters to display the entire table. Enter a MAC Address and VLAN ID to display the table entry for the requested MAC address on the specified VLAN. Enter the count parameter to view summary information about the forwarding database table. Use the interface slot/port parameter to view MAC addresses on a specific interface.

The lag lag-intf-num can also be used as an alternate way to specify the LAG interface. Use the vlan vlan_id parameter to display information about MAC addresses on a specified VLAN.

show mac-addr-table [{macaddr vlan_id | all | count | interface slot/port | vlan vlan_id}]

Mode: Privileged EXEC

Parameters:

 

VLAN ID The VLAN in which the MAC address is learned.
MAC Address A unicast MAC address for which the switch has forwarding and or filtering information. The format is six 2-digit hexadecimal numbers that are separated by colons, for example 01:23:45:67:89:AB.
Interface The port through which this address was learned.
Interface Index This object indicates the ifIndex of the interface table entry associated with this port.
Static The value of the corresponding instance was added by the system or a user when a static MAC filter was defined. It cannot be relearned.
Learned The value of the corresponding instance was learned by observing the source MAC addresses of incoming traffic, and is currently in use.
Management The value of the corresponding instance (system MAC address) is also the value of an existing instance of dot1dStaticAddress. It is identified with interface 0/1. and is currently used when enabling VLANs for routing.
Self The value of the corresponding instance is the address of one of the switch’s physical interfaces (the system’s own MAC address).
GMRP Learned The value of the corresponding was learned via GMRP and applies to Multicast.
Other The value of the corresponding instance does not fall into one of the other categories.
Dynamic Address count Number of MAC addresses in the forwarding database that were automatically learned.
Static Address (User-defined) count Number of MAC addresses in the forwarding database that were manually entered by a user.
Total MAC Addresses in use Number of MAC addresses currently in the forwarding database.
Total MAC Addresses available Number of MAC addresses the forwarding database can handle.

process cpu threshold

Use this command to configure the CPU utilization thresholds. The Rising and Falling thresholds are specified as a percentage of CPU resources. The utilization monitoring time period can be configured from 5 seconds to 86400 seconds in multiples of 5 seconds. The CPU utilization threshold configuration is saved across a switch reboot. Configuring the falling utilization threshold is optional. If the falling CPU utilization parameters are not configured, then they take the same value as the rising CPU utilization parameters.

process cpu threshold type total rising 1-100 interval

Mode: Global Config

show process app-list

This command displays the user and system applications.

show process app-list

Mode: Privileged EXEC

show process app-resource-list

This command displays the configured and in-use resources of each application.

show process app-resource-list

Mode: Privileged EXEC

show process cpu

This command provides the percentage utilization of the CPU by different tasks.

show process cpu

Mode: Privileged EXEC

show process proc-list

This application displays the processes started by applications created by the Process Manager.


show process proc-list

Mode: Privileged EXEC

show running-config

Display the currently running (active) configuration. To display or capture the commands with settings and configurations that are equal to the default value, include the all option.

The optional interface parameter can be used to display the configuration of an physical, LAG or VLAN interface.

If the optional scriptname parameter is used with a file name .scr extension, the output is redirected to a script file.

show running-config [all | interface | scriptname]

Mode: Privileged EXEC

show startup-config

Display the startup (boot) configuration.

show startup-config

Mode: Privileged EXEC

show backup-config

Display the backup configuration if present.

show backup-config

Mode: Privileged EXEC

show factory-defaults

Display the factory default configuration.

show factory-defaults

Mode: Privileged EXEC

show sysinfo

This command displays switch information.

show sysinfo

Mode: Privileged EXEC

Parameters:

 

Switch Description Text used to identify this switch.
System Name Name used to identify the switch.The factory default is blank. 
System Location Text used to identify the location of the switch. The factory default is blank. 
System Contact Text used to identify a contact person for this switch. The factory default is blank. 
System ObjectID The base object ID for the switch’s enterprise MIB.
System Up Time The time in days, hours and minutes since the last switch reboot.
Current SNTP Synchronized Time The system time acquired from a network SNTP server.
MIBs Supported A list of MIBs supported by this agent.

show tech-support

Use the show tech-support command to display system and configuration information when you contact technical support. Only share the output of the tech-support file with trusted parties as the contents may contain sensitive information on your environment/network.

show tech-support

Mode: Privileged EXEC

show mbuf

This command displays the memory mbuf information for the switch.

show mbuf [ detail | total ]

Mode: Privileged EXEC

length

Use this command to set the pagination length to value number of lines for the sessions specified by configuring on different Line Config modes (Telnet/SSH) and is persistent.

length value

Mode: Line Config

Default: 24

terminal length

Use this command to set the pagination length to value number of lines for the current session. This command configuration takes an immediate effect on the current session and is not persistent.

terminal length value

Mode: Privileged EXEC

show terminal length

Use this command to display all the configured terminal length values.

show terminal length

Mode: Privileged EXEC

memory free low-watermark processor

Use this command to get notifications when the CPU free memory falls below the configured threshold. A notification is generated when the free memory falls below the threshold. Another notification is generated once the available free memory rises to 10 percent above the specified threshold.

To prevent generation of excessive notifications when the CPU free memory fluctuates around the configured threshold, only one Rising or Falling memory notification is generated over a period of 60 seconds. The threshold is specified in kilobytes. The CPU free memory threshold configuration is saved across a switch reboot.

memory free low-watermark processor 1-256392

Mode: Global Config

Default: 0 (Disabled)

Logging Commands

Back to Top

This section describes the commands used to configure system logging, and to view logs and logging settings.

logging buffered

This command enables logging to memory. You can specify the severitylevel value as an integer from 0 to 7.

logging buffered [severitylevel]

Mode: Global Config

Default: Enabled

logging buffered wrap

This command enables wrapping of in-memory logging when the log file reaches full capacity. Otherwise when the log file reaches full capacity, logging stops.

logging buffered wrap

Mode: Global Config

Default: Enabled

logging cli-command

This command enables the CLI command logging feature, which enables the EdgeSwitch software to log all CLI commands issued on the system.

logging cli-command

Mode: Global Config

Default: Disabled

logging traps

This command sets the severity at which SNMP traps are logged and sent in an email. Specify the severitylevel value as an integer from 0 to 7.

logging traps severitylevel

Mode: Global Config

Default: 6 (Info)

logging console

This command enables logging to the console. You can specify the severitylevel value as an integer from 0 to 7.

logging console [severitylevel]

Mode: Global Config

Default: Disabled

logging host

This command configures the logging host parameters. You can configure up to eight hosts.

logging host {hostaddress|hostname} addresstype {port severitylevel}

Mode: Global Config

Default: Disabled

Parameters:

 

hostaddress The IP address of the logging host.
hostname The hostname of the logging host.
addresstype Indicates the type of address ipv4 or ipv6 or dns being passed.
port A port number from 1 to 65535.
severitylevel Specify this value as an integer from 0 to 7.

logging host reconfigure

This command enables logging host reconfiguration. The hostindex is the logging host index for which to change the IP address. The index value can be displayed with the show logging hosts command.

logging host reconfigure hostindex

Mode: Global Config

logging host remove

This command disables logging to host. The hostindex is the logging host index that should be deleted. The index value can be displayed with the show logging hosts command.

logging host remove hostindex

Mode: Global Config

logging port

This command sets the local port number of the LOG client for logging messages. The portid can be in the range from 1 to 65535.

logging port portid

Mode: Global Config

Default: 514

logging syslog

This command enables syslog logging.

logging syslog

Mode: Global Config

Default: Disabled

logging syslog port

This command enables syslog logging. The portid parameter is an integer with a range of 1-65535.

logging syslog port portid

Mode: Global Config

Default: 514

logging syslog source-interface

This command configures the syslog source-interface (source IP address) for syslog server configuration. The selected source-interface IP address is used for filling the IP header of management protocol packets. This allows security devices (firewalls) to identify the source packets coming from the specific switch. If a source-interface is not specified, the primary IP address of the originating (outbound) interface is used as the source address.

logging syslog source-interface {slot/port | {vlan vlan-id}}

Mode: Global Config

show logging

This command displays logging configuration information.

show logging

Mode: Privileged EXEC

Parameters:

 

Logging Client Local Port Port on the collector/relay to which syslog messages are sent.
Logging Client Source Interface Shows the configured syslog source-interface (source IP address).
CLI Command Logging Shows whether CLI Command logging is enabled.
Console Logging Shows whether console logging is enabled.
Console Logging Severity Filter The minimum severity to log to the console log. Messages with an equal or lower numerical severity are logged.
Buffered Logging Shows whether buffered logging is enabled.
Persistent Logging Shows whether persistent logging is enabled.
Persistent Logging Severity Filter The minimum severity at which the logging entries are retained after a system reboot.
Syslog Logging Shows whether syslog logging is enabled.
Log Messages Received Number of messages received by the log process. This includes messages that are dropped or ignored.
Log Messages Dropped Number of messages that could not be processed due to error or lack of resources.
Log Messages Relayed Number of messages sent to the collector/relay.

show logging buffered

This command displays buffered logging (system startup and system operation logs).

show logging buffered

Mode: Privileged EXEC

Parameters:

 

Buffered (In-Memory) Logging Shows whether the In-Memory log is enabled or disabled.
Buffered Logging Wrapping Behavior The behavior of the In-Memory log when faced with a log full situation.
Buffered Log Count The count of valid entries in the buffered log.

show logging hosts

This command displays all configured logging hosts. 

show logging hosts

Mode: Privileged EXEC

Parameters:

 

Index Used for deleting hosts.
IP Address / Hostname IP address or hostname of the logging host.
Severity The minimum severity to log to the specified address. 
Port The server port number, which is the port on the local host from which syslog messages are sent.
Status The state of logging to configured syslog hosts. If the status is disable, no logging occurs.

show logging persistent

This command displays display persistent log entries.

show logging persistent

Mode: Privileged EXEC

show logging traplogs

This command displays SNMP trap events and statistics.

show logging traplogs

Mode: Privileged EXEC

Parameters:

 

Number of Traps Since Last Reset The number of traps since the last boot.
Trap Log Capacity The number of traps the system can retain.
Number of Traps Since Log Last Viewed The number of new traps since the command was last executed.
Log The log number.
System Time Up How long the system had been running at the time the trap was sent.
Trap The text of the trap message.

clear logging buffered

This command clears buffered logging (system startup and system operation logs).

clear logging buffered

Mode: Privileged EXEC

Email Alerting and Mail Server Commands

Back to Top

This section describes the commands used to configure Email Alerting and other mail server commands.

logging email

This command enables email alerting and sets the lowest severity level for which log messages are emailed. If you specify a severity level, log messages at or above this severity level, but below the urgent severity level, are emailed in a non-urgent manner by collecting them together until the log time expires. The severitylevel value is specified as an integer from 0 to 7.

logging email [severitylevel]

Mode: Global Config

Default: Disabled

logging email urgent

This command sets the lowest severity level at which log messages are emailed immediately in a single email message. The severitylevel value is specified as an integer from 0 to 7. Specify none to indicate that log messages are collected and sent in a batch email at a specified interval.

logging email urgent {severitylevel | none}

Mode: Global Config

Default: 1 (Alert)

logging email message-type to-addr

This command configures the email address to which messages are sent. The message types supported are urgent, non-urgent, and both. For each supported severity level, multiple email addresses can be configured. The to-email-addr variable is a standard email address.

logging email message-type {urgent|non-urgent|both} to-addr to-email-addr

Mode: Global Config

logging email from-addr

This command configures the email address of the sender (the switch).

logging email from-addr from-email-addr

Mode: Global Config

logging email message-type subject

This command configures the subject line of the email for the specified type.

logging email message-type {urgent |non-urgent |both} subject subject

Mode: Global Config

logging email logtime

This command configures how frequently non-urgent email messages are sent. Non-urgent messages are collected and sent in a batch email at the specified interval. The valid range is every 30-1440 minutes.

logging email logtime minutes

Mode: Global Config

Default: 30 minutes

logging email test message-type

This command sends an email to the SMTP server to test the email alerting function.

logging email test message-type {urgent |non-urgent |both} message-body message-body

Mode: Global Config

show logging email config

This command displays information about the email alert configuration.

show logging email config

Mode: Privileged EXEC

Parameters: 

 

Email Alert Logging The administrative status of the feature: enabled or disabled
Email Alert From Address The email address of the sender (the switch).
Email Alert Urgent Severity Level The lowest severity level that is considered urgent. Messages of this type are sent immediately.
Email Alert Non Urgent Severity Level The lowest severity level that is considered non-urgent. Messages of this type, up to the urgent level, are collected and sent in a batch email. Log messages that are less severe are not sent in an email message at all.
Email Alert Trap Severity Level The lowest severity level at which traps are logged.
Email Alert Notification Period The amount of time to wait between non-urgent messages.
Email Alert To Address Table The configured email recipients.
Email Alert Subject Table The subject lines included in urgent (Type 1) and non-urgent (Type 2) messages. 

show logging email statistics

This command displays email alerting statistics.

show logging email statistics

Mode: Privileged EXEC

Parameters:

 

Email Alert Operation Status The operational status of the email alerting feature.
No of Email Failures The number of email messages that have attempted to be sent but were unsuccessful.
No of Email Sent The number of email messages that were sent from the switch since the counter was cleared.
Time Since Last Email Sent The amount of time that has passed since the last email was sent from the switch.

clear logging email statistics

This command resets the email alerting statistics.

clear logging email statistics

Mode: Privileged EXEC

mail-server

This command configures the SMTP server to which the switch sends email alert messages and changes the mode to Mail Server Configuration mode. The server address can be in the IPv4, IPv6, or DNS name format.

mail-server {ip-address | ipv6-address | hostname}

Mode: Global Config

 

security (Mail Server Config)

This command sets the email alerting security protocol by enabling the switch to use TLS authentication with the SMTP Server. If the TLS mode is enabled on the switch but the SMTP sever does not support TLS mode, no email is sent to the SMTP server.

security {tlsv1 | none}

Mode: Mail Server Config

Default: none

 

port (Mail Server Config)

This command configures the TCP port to use for communication with the SMTP server. The recommended port for TLSv1 is 465, and for no security (i.e. none) it is 25. However, any nonstandard port in the range 1 to 65535 is also allowed.

port {465 | 25 | 1–65535}

Mode: Mail Server Config

Default: 25

username (Mail Server Config)

This command configures the login ID the switch uses to authenticate with the SMTP server.

username name

Mode: Mail Server Config

Default: admin

password (Mail Server Config)

This command configures the password the switch uses to authenticate with the SMTP server.

password password

Mode: Mail Server Config

Default: admin

show mail-server config

This command displays information about the email alert configuration.

show mail-server {ip-address | hostname | all} config

Mode: Privileged EXEC

Parameters:

 

No of mail servers configured The number of SMTP servers configured on the switch.
Email Alert Mail Server Address The IPv4/IPv6 address or DNS hostname of the configured SMTP server.
Email Alert Mail Server Port The TCP port the switch uses to send email to the SMTP server
Email Alert Security Protocol The security protocol (TLS or none) the switch uses to authenticate with the SMTP server.
Email Alert Username The username the switch uses to authenticate with the SMTP server.
Email Alert Password The password the switch uses to authenticate with the SMTP server.

System Utility and Clear Commands

Back to Top

This section describes the commands that you can use to start configuring the switch, troubleshoot connectivity issues ,and to restore various configurations to their factory defaults.

help

Display help for various special keys.

help

Mode: Privileged EXEC

no

Use the no form to reverse the action of a command or reset a value back to its default. For example, the no shutdown configuration command reverses the previously entered shutdown command on an interface. 

no command

Mode: Global Config

enable

This command gives you access to the Privileged EXEC mode. From the Privileged EXEC mode, you can configure the network interface.

enable

Mode: User EXEC

do

This command executes Privileged EXEC mode commands from any of the configuration modes.

do

Modes: Global / Interface / VLAN Config

write memory

Use this command to save running configuration changes to NVRAM so that changes will persist across a reboot. This command is the same as copy system:running-config nvram:startup-config. Use the confirm keyword to directly save the configuration to NVRAM without prompting for confirmation.

write memory [confirm]

Mode: Privileged EXEC

configure

This command gives you access to the Global Config mode. From the Global Config mode, you can configure a variety of system settings, including user accounts. From the Global Config mode, you can enter other command modes, including Line Config mode.

configure

Mode: Privileged EXEC

dir

Use this command to list the files in the directory /mnt/fastpath in flash from the CLI.

dir

Mode: Privileged EXEC

traceroute

Use this command to discover the routes that IPv4 or IPv6 packets actually take when traveling to their destination through the network on a hop-by-hop basis. Traceroute continues to provide a synchronous response when initiated from the CLI.

traceroute {ip-address | [ipv6] {ipv6-address | hostname}} [initTtl initTtl] [maxTtl maxTtl] [maxFail maxFail] [interval interval] [count count] [port port] [size size] [source {ip-address | ipv6-address | slot/port}]

Mode: Privileged EXEC

Default: count: 3 probes / interval: 3 seconds / size: 0 bytes / port: 33434 / maxTtl: 30 hops / maxFail: 5 probes / initTtl: 1 hop

Parameters:

 

ip-address The IP address value should be a valid IP address.
ipv6-address The IPv6 address value should be a valid IPv6 address.
hostname The hostname value should be a valid hostname.
ipv6 The optional ipv6 keyword can be used before ipv6-address or hostname. Giving the ipv6 keyword before the hostname tries it to resolve to an IPv6 address.
initTtl Use initTtl to specify the initial time-to-live (TTL), the maximum number of router hops between the local and remote system. Range is 1 to 255.
maxTtl Use maxTtle to specify the maximum TTL. Range is 1 to 255.
maxFail Use maxFail to terminate the traceroute after failing to receive a response for this number of consecutive probes. Range is 1 to 255.
interval Use the optional interval parameter to specify the time between probes, in seconds. If a response is not received within this interval, then traceroute considers that probe a failure (printing *) and sends the next probe. If traceroute does receive a response to a probe within this interval, then it sends the next probe immediately. Range is 1 to 60 seconds.
count Use the optional count parameter to specify the number of probes to send for each TTL value. Range is 1 to 10 probes.
port Use the optional port parameter to specify destination UDP port of the probe. This should be an unused port on the remote destination system. Range is 1 to 65535.
size Use the optional size parameter to specify the size, in bytes, of the payload of the Echo Requests sent. Range is 0 to 65507 bytes.
source Use the optional source parameter to specify the source IP address or interface for the traceroute.

clear config

This command resets the configuration to the factory defaults without powering off the switch. When you issue this command, a prompt appears to confirm that the reset should proceed. When you enter y, you automatically reset the current configuration on the switch to the default values. It does not reset the switch.

clear config

Mode: Privileged EXEC

clear eventlog

This command clears entries from the persistent event log.

clear eventlog

Mode: Privileged EXEC

clear mac-addr-table

This command clears a specific dynamic MAC address entry or all entries. You can match on specific interface or VLAN when clearing a MAC address.

clear mac-addr-table [all | interface slot/port | vlan vlan-id | macaddr

Mode: Privileged EXEC

clear pass

This command resets all user passwords to the factory defaults without powering off the switch. You are prompted to confirm that the password reset should proceed.

clear pass

Mode: Privileged EXEC

clear traplog

This command clears the trap log.

clear traplog

Mode: Privileged EXEC

clear vlan

This command resets VLAN configuration parameters to the factory defaults.

When the VLAN configuration is reset to the factory defaults, there are some scenarios regarding GVRP and MVRP that happen due to this:
- Static VLANs are deleted.
- GVRP is restored to the factory default as a result of handling the VLAN RESTORE NOTIFY event.
- Since GVRP is disabled by default, this means that GVRP should be disabled and all of its dynamic VLANs should be deleted.

clear vlan

Mode: Privileged EXEC

logout

This command closes the current Telnet/SSH connection or resets the current serial connection.

logout

Mode: Privileged EXEC

ping

Use this command to determine whether another computer is on the network. Ping provides a synchronous response when initiated from the CLI and web interfaces.

ping {address | hostname | {ipv6 {interface {slot/port | vlan 1-4093 | network} link-local-address} | ipv6-address | hostname} [count count] [interval 1-60] [size size] [source ip-address | ipv6-address | {slot/port | vlan 1-4093 | network}]

Modes: User / Privileged EXEC

Default: count: 3 / interval: 3 seconds / size: 0 bytes

Parameters:

 

address The IPv4 or IPv6 address to ping.
hostname The hostname of the host to ping.
ipv6 The optional keyword ipv6 can be used before the ipv6-address or hostname argument. Using the ipv6 optional keyword before hostname tries to resolve it directly to the IPv6 address. Also used for pinging a link-local IPv6 address.
count Use the count parameter to specify the number of ping packets (ICMP Echo Requests) that are sent to the destination address specified by the address field. The range for count is 1 to 15 requests.
interval Use the interval parameter to specify the time between Echo Requests, in seconds. Range is 1 to 60 seconds.
size Use the size parameter to specify the size, in bytes, of the payload of the Echo Requests sent. Range is 0 to 65507 bytes.
source Use the source keyword to specify the source IP/IPv6 address or interface to use when sending the Echo Request packets.
interface Use the interface keyword to ping a link-local IPv6 address over an interface.
link-local-address The link-local IPv6 address to ping over an interface.

quit

This command closes the current Telnet/SSH connection or resets the current serial connection. The system asks you whether to save configuration changes before quitting.

quit

Mode: Privileged EXEC

reload

This command restarts the switch. Use the optional in parameter to restart the switch after a specified interval. The configuration keyword allows you to gracefully reload a configuration file or script.

reload [in hh:mm] [configuration]

Mode: Privileged EXEC

copy

The copy command uploads and downloads files to and from the switch. You can also use the copy command to manage the dual images (active and backup) on the file system. To upload and download files from a server you can use FTP, TFTP, Xmodem, Ymodem, or Zmodem. If FTP is used, a password is required.

The verify and noverify parameters are only available if the image/configuration verify options feature is enabled. The verify parameter specifies that digital signature verification will be performed for the specified downloaded image or configuration file. The noverify parameter specifies that no verification will be performed.

copy source destination {verify | noverify}

Mode: Privileged EXEC

Parameters:

 

source destination  
system:running-config nvram:factory-defaults Saves the running configuration to NVRAM to the factory-defaults file.
system:image url Saves the system image to a server.
url nvram:clibanner Downloads the CLI banner to the system.
url nvram:fastpath.cfg Downloads the binary config file to the system.
url nvram:publickey-config Downloads the Public Key for Configuration Script validation.
url nvram:publickey-image Downloads Public Key for Image validation.
url nvram:script destfilename Downloads a configuration script file to the system. During the download of a configuration script, the copy command validates the script. In case of any error, the command lists all the lines at the end of the validation process and prompts you to confirm before copying the script file.
url nvram:script destfilename noval When you use this option, the copy command will not validate the downloaded script file.
url nvram:sshkey-dsa Downloads an SSH key file. 
url nvram:sshkey-rsa1 Downloads an SSH key file.
url nvram:sshkey-rsa2 Downloads an SSH key file.
url nvram:sslpem-dhweak Downloads an HTTP secure-server certificate.
url nvram:sslpem-dhstrong Downloads an HTTP secure-server certificate.
url nvram:sslpem-root Downloads an HTTP secure-server certificate. 
url nvram:sslpem-server Downloads an HTTP secure-server certificate.
url nvram:startup-config Downloads the startup configuration file to the system.
url ias-users Downloads an IAS users database file to the system. When the IAS users file is downloaded, the switch IAS user’s database is replaced with the users and their attributes available in the downloaded file.
url {active | backup} Download an image from the remote server to either image.
{active | backup} url Upload either image to the remote server.
active backup Copy the active image to the backup image.
backup active Copy the backup image to the active image.

file verify

This command enables digital signature verification while an image and/or configuration file is downloaded to the switch.

file verify {all | image | none | script}

Mode: Global Config

Parameters:

 

all Verifies the digital signature of both image and configuration files.
image Verifies the digital signature of image files only.
none Disables digital signature verification for both images and configuration files.
script Verifies the digital signature of configuration files.

Simple Network Time Protocol Commands

Back to Top

This section describes the commands you use to automatically configure the system time and date using Simple Network Time Protocol (SNTP). 

sntp broadcast client poll-interval

This command sets the poll interval for SNTP broadcast clients in seconds as a power of two where poll-interval can be a value from 6-10.

sntp broadcast client poll-interval poll-interval

Mode: Global Config

Default: 6

sntp client mode

This command enables Simple Network Time Protocol (SNTP) client mode and may set the mode to either broadcast or unicast.

sntp client mode [broadcast | unicast]

Mode: Global Config

Default: Enabled

sntp client port

This command sets the SNTP client port ID to a value from 1-65535. The default value is 0, which means that the SNTP port is not configured by the user. In the default case, the actual client port value used in SNTP packets is assigned by the underlying OS.

sntp client port portid

Mode: Global Config

Default: 0

sntp unicast client poll-interval

This command sets the poll interval for SNTP unicast clients in seconds as a power of two where poll-interval can be a value from 6-10.

sntp unicast client poll-interval poll-interval

Mode: Global Config

Default: 6

sntp unicast client poll-timeout

This command will set the poll timeout for SNTP unicast clients in seconds to a value from 1 to 30.

sntp unicast client poll-timeout poll-timeout

Mode: Global Config

Default: 5

sntp unicast client poll-retry

This command will set the poll retry for SNTP unicast clients to a value from 0 to 10.

sntp unicast client poll-retry poll-retry

Mode: Global Config

Default: 1

sntp source-interface

Use this command to specify the physical or logical interface to use as the source interface (source IP address) for SNTP unicast server configuration. If configured, the address of source Interface is used for all SNTP communications between the SNTP server and the SNTP client. The selected source-interface IP address is used for filling the IP header of management protocol packets. This allows security devices (firewalls) to identify the source packets coming from the specific switch.

If a source-interface is not specified, the primary IP address of the originating (outbound) interface is used as the source address. If the configured interface is down, the SNTP client falls back to its default behavior.

sntp source-interface {slot/port | vlan vlan-id}

Mode: Global Config

Default: 6

sntp server

This command configures an SNTP server (a maximum of three). The server address can be either an IPv4 address or an IPv6 address. The optional priority can be a value of 1-3, the version a value of 1-4, and the port-id a value of 1-65535.

sntp server {ipaddress | ipv6address | hostname} [priority [version [port-id]]]

Mode: Global Config

show sntp

This command is used to display SNTP settings and status.

show sntp

Mode: Privileged EXEC

Parameters:

 

Last Update Time Time of last clock update.
Last Attempt Time Time of last transmit query (in unicast mode).
Last Attempt Status Status of the last SNTP request (in unicast mode) or unsolicited message (in broadcast mode).
Broadcast Count Current number of unsolicited broadcast messages that have been received and processed by the SNTP client since last reboot.
Multicast Count Current number of unsolicited multicast messages that have been received and processed by the SNTP client since last reboot.

show sntp client

This command is used to display SNTP client settings.

show sntp client

Mode: Privileged EXEC

Parameters:

 

Client Supported Modes Supported SNTP Modes (Broadcast, Unicast, or Multicast).
SNTP Version The highest SNTP version the client supports.
Port SNTP Client Port. The field displays the value 0 if it is default value. When the client port value is 0, if the client is in broadcast mode, it binds to port 123; if the client is in unicast mode, it binds to the port assigned by the underlying OS.
Client Mode Configured SNTP Client Mode.

show sntp server

This command is used to display SNTP server settings and configured servers.

show sntp server

Mode: Privileged EXEC

Parameters:

 

Server IP Address / Hostname IP address or hostname of configured SNTP Server.
Server Type Address type of server (IPv4, IPv6, or DNS).
Server Stratum Claimed stratum of the server for the last received valid packet.
Server Reference ID Reference clock identifier of the server for the last received valid packet.
Server Mode SNTP Server mode.
Server Maximum Entries Total number of SNTP Servers allowed.
Server Current Entries Total number of SNTP configured.
Address Type Address Type of configured SNTP server (IPv4, IPv6, or DNS).
Priority IP priority type of the configured server.
Version SNTP Version number of the server. The protocol version used to query the server in unicast mode.
Port Server Port Number.
Last Attempt Time Last server attempt time for the specified server.
Last Update Status Last server attempt status for the server.
Total Unicast Requests Number of requests to the server.
Failed Unicast Requests Number of failed requests from server.

show sntp source-interface

Use this command to display the SNTP client source interface configured on the switch.

show sntp source-interface

Mode: Privileged EXEC

Parameters:

 

SNTP Client Source Interface The interface ID of the physical or logical interface configured as the SNTP client source interface.
SNTP Client Source IPv4 Address The IP address of the interface configured as the SNTP client source interface.

Time Zone Commands

Back to Top

Use the Time Zone commands to configure system time and date, time zone and summer time (daylight saving time). Summer time can be recurring or non-recurring.

clock set

This command sets the system time and date.

clock set hh:mm:ss
clock set mm/dd/yyyy

Mode: Global Config

clock summer-time date

Use this command to set the summer-time offset to Coordinated Universal Time (UTC). If the optional parameters are not specified, they are read as either 0 or \0, as appropriate.

clock summer-time date {date month year hh:mm date month year hh:mm} [offset offset] [zone acronym]

Mode: Global Config

Parameters:

 

date Day of the month. Range is 1 to 31.
month Month. Range is the first three letters by name; for example, “jan” for January.
year Year. The range is 2010 to 2079.
hh:mm Time in 24-hour format in hours and minutes.
offset The number of minutes to add during the summertime. The range is 1 to 1440.
acronym The time zone acronym to display when summer-time is in effect. Up to four characters are allowed.

clock summer-time recurring

This command sets the summer-time recurring parameters.

clock summer-time recurring {week day month hh:mm week day month hh:mm} [offset offset] [zone acronym]

Mode: Global Config

Parameters:

 

week Week of the month. The range is 1 to 5, first, last.
day Day of the week. The range is the first three letters by name; sun, for example.
month Month. The range is the first three letters by name; jan, for example.
hh:mm Time in 24-hour format in hours and minutes. The range is hours: 0 to 23, minutes: 0 to 59.
offset The number of minutes to add during summer-time. The range is 1 to 1440.
acronym The time zone acronym to display when summer-time is in effect. Up to four characters are allowed.

clock timezone

Use this command to set the offset to Coordinated Universal Time (UTC). If the optional parameters are not specified, they will be read as either 0 or \0 as appropriate.

clock timezone {hours} [minutes minutes] [zone acronym]

Mode: Global Config

Parameters:

 

hours Hours difference from UTC. The range is -12 to 13.
minutes Minutes difference from UTC. The range is 0 to 59.
acronym The acronym for the time zone. Up to four characters are allowed.

show clock

Use this command to display the time and date from the system clock.

show clock

Mode: Privileged EXEC

show clock detail

Use this command to display the detailed system time along with the time zone and the summer-time configuration.

show clock detail

Mode: Privileged EXEC

DHCP Server Commands

Back to Top

This section describes the commands you to configure the DHCP server settings for the switch. DHCP uses UDP as its transport protocol and supports a number of features that facilitate in administration address allocations.

ip dhcp pool

This command configures a DHCP address pool name on a DHCP server and enters DHCP pool configuration mode.

ip dhcp pool name

Mode: Global Config

client-identifier (DHCP Pool Config)

This command specifies the unique identifier for a DHCP client. The unique-identifier is a valid notation in hexadecimal format. The unique-identifier is a concatenation of the media type and the MAC address, where 01 represents the Ethernet media type. 

client-identifier unique-identifier

Mode: DHCP Pool Config

client-name (DHCP Pool Config)

This command specifies the name for a DHCP client. Name is a string consisting of standard ASCII characters.

client-name name

Mode: DHCP Pool Config

default-router (DHCP Pool Config)

This command specifies the default router address(es) for the DHCP pool. Up to 8 addresses can be specified.

default-router address

Mode: DHCP Pool Config

dns-server (DHCP Pool Config)

This command specifies the DNS server address(es) for the DHCP pool. Up to 8 addresses can be specified.

dns-server address

Mode: DHCP Pool Config

hardware-address (DHCP Pool Config)

This command specifies the hardware address of a DHCP client. Hardware-address is the MAC address of the hardware platform of the client consisting of 6 bytes in dotted hexadecimal format. The type parameter indicates the protocol of the hardware platform. It is 1 for 10 MB Ethernet (default) and 6 for IEEE 802.

hardware-address hardwareaddress type

Mode: DHCP Pool Config

host (DHCP Pool Config)

This command specifies the IP address and network mask for a manual binding to a DHCP client.

host address [{mask | prefix-length}]

Mode: DHCP Pool Config

lease (DHCP Pool Config)

This command configures the duration of the lease for an IP address that is assigned from a DHCP server to a DHCP client. The overall lease time should be between 1-86400 minutes. If you specify infinite, the lease is set for 60 days. You can specify a lease duration in days (0-59), hours (0-23), and minutes (0-59).

lease [{days [hours] [minutes] | infinite}]

Mode: DHCP Pool Config

Default: 1 day (1 0 0)

network (DHCP Pool Config)

This command configures the network (for example 192.168.1.0) and mask for a DHCP address pool on the server. 

network network [{mask | prefixlength}]

Mode: DHCP Pool Config

bootfile (DHCP Pool Config)

This command specifies the name (filename parameter) of the default boot image for a DHCP client.

bootfile filename

Mode: DHCP Pool Config

domain-name (DHCP Pool Config)

This command specifies the domain name (domain parameter) for a DHCP client.

domain-name domain

Mode: DHCP Pool Config

domain-name enable

This command enables the domain name functionality.

domain-name enable [name name]

Mode: Global Config

netbios-name-server (DHCP Pool Config)

This command configures NetBIOS Windows Internet Naming Service (WINS) name servers that are available to DHCP clients. You can specify up to eight addresses.

netbios-name-server address

Mode: DHCP Pool Config

netbios-node-type (DHCP Pool Config)

The command configures the NetBIOS node type for Microsoft Dynamic Host Configuration Protocol (DHCP) clients.

The type specifies the NetBIOS node type. Valid types are:
- b-node: Broadcast
- p-node: Peer-to-peer
- m-node: Mixed
- h-node: Hybrid (recommended)

netbios-node-type type

Mode: DHCP Pool Config

Default: None

next-server (DHCP Pool Config)

This command configures the next server in the boot process of a DHCP client.The address parameter is the IP address of the next server in the boot process, which is typically a TFTP server.

next-server address

Mode: DHCP Pool Config

option (DHCP Pool Config)

This command configures DHCP Server options. The code parameter specifies the DHCP option code and ranges from 1-254. The ascii parameter specifies an NVT ASCII character string.

ASCII character strings that contain white space must be delimited by quotation marks. The hex parameter specifies hexadecimal data. In hexadecimal, character strings are two hexadecimal digits. 

option code {ascii string | hex string | ip address

Mode: DHCP Pool Config

ip dhcp excluded-address

This command specifies the IP addresses that a DHCP server should not assign to DHCP clients.

ip dhcp excluded-address low-address high-address

Mode: Global Config

ip dhcp ping packets

Use this command to specify the number, in a range from 2-10, of packets a DHCP server sends to a pool address as part of a ping operation. By default the number of packets sent to a pool address is 2, which is the smallest allowed number when sending packets. Setting the number of packets to 0 disables this command.

ip dhcp ping packets 0,2-10

Mode: Global Config

Default: 2

service dhcp

This command enables the DHCP server.

service dhcp

Mode: Global Config

Default: Disabled

ip dhcp bootp automatic

This command enables allocation of addresses to the bootp client from the automatic address pool.

ip dhcp bootp automatic

Mode: Privileged EXEC

Default: Disabled

ip dhcp conflict logging

This command enables conflict logging on DHCP server.

ip dhcp conflict logging

Mode: Privileged EXEC

Default: Enabled

clear ip dhcp binding

This command deletes an automatic address binding from the DHCP server database. If an asterisk (*) is specified for the address parameter, the bindings corresponding to all the addresses are deleted. 

clear ip dhcp binding {address | *}

Mode: Privileged EXEC

clear ip dhcp server statistics

This command clears DHCP server statistics counters.

clear ip dhcp server statistics

Mode: Privileged EXEC

clear ip dhcp conflict

The command is used to clear an address conflict from the DHCP Server database. The server detects conflicts using a ping. The DHCP server clears all conflicts if an asterisk (*) is used as the address parameter.

clear ip dhcp conflict {address | *}

Mode: Privileged EXEC

show ip dhcp binding

This command displays address bindings for the specific IP address on the DHCP server. If no IP address is specified, the bindings corresponding to all the addresses are displayed.

show ip dhcp binding [address]

Modes: User / Privileged EXEC

Parameters:

 

IP address The IP address of the client.
Hardware Address The MAC Address or the client identifier.
Lease expiration The lease expiration time of the IP address assigned to the client.
Type The manner in which IP address was assigned to the client.

show ip dhcp global configuration

This command displays address bindings for the specific IP address on the DHCP server. If no IP address is specified, the bindings corresponding to all the addresses are displayed.

show ip dhcp global configuration

Modes: User / Privileged EXEC

Parameters:

 

Service DHCP The field to display the status of dhcp protocol.
Number of Ping Packets The maximum number of Ping Packets that will be sent to verify that an ip address id not already assigned.
Conflict Logging Shows whether conflict logging is enabled or disabled.
BootP Automatic Shows whether BootP for dynamic pools is enabled or disabled.

show ip dhcp pool configuration

This command displays pool configuration. If all is specified, configuration for all the pools is displayed.

show ip dhcp pool configuration {name | all}

Modes: User / Privileged EXEC

Parameters:

 

Pool Name The name of the configured pool.
Pool Type The pool type.
Lease Time The lease expiration time of the IP address assigned to the client.
DNS Servers The list of DNS servers available to the DHCP client.
Default Routers The list of the default routers available to the DHCP client
Network The network number and the mask for the DHCP address pool.
Client Name The name of a DHCP client.
Client Identifier The unique identifier of a DHCP client.
Hardware Address The hardware address of a DHCP client.
Hardware Address Type The protocol of the hardware platform.
Host The IP address and the mask for a manual binding to a DHCP client.

show ip dhcp server statistics

This command displays DHCP server statistics.

show ip dhcp server statistics

Modes: User / Privileged EXEC

Parameters:

 

Automatic Bindings The number of IP addresses that have been automatically mapped to the MAC addresses of hosts that are found in the DHCP database.
Expired Bindings The number of expired leases.
Malformed Bindings The number of truncated or corrupted messages that were received by the DHCP server.
DHCP DISCOVER The number of DHCPDISCOVER messages the server has received.
DHCP REQUEST The number of DHCPREQUEST messages the server has received.
DHCP DECLINE The number of DHCPDECLINE messages the server has received.
DHCP RELEASE The number of DHCPRELEASE messages the server has received.
DHCP INFORM The number of DHCPINFORM messages the server has received.
DHCP OFFER The number of DHCPOFFER messages the server sent.
DHCP ACK The number of DHCPACK messages the server sent.
DHCP NACK The number of DHCPNACK messages the server sent.

show ip dhcp conflict

This command displays address conflicts logged by the DHCP Server. If no IP address is specified, all the conflicting addresses are displayed.

show ip dhcp conflict [ip-address]

Modes: User / Privileged EXEC

Parameters:

 

IP address The IP address of the host as recorded on the DHCP server.
Detection Method The manner in which the IP address of the hosts were found on the DHCP Server.
Detection time The time when the conflict was found.

DNS Client Commands

Back to Top

These commands are used in the Domain Name System (DNS), an Internet directory service. DNS is how domain names are translated into IP addresses. When enabled, the DNS client provides a hostname lookup service to other components of the EdgeSwitch software.

ip domain lookup

Use this command to enable the DNS client.

ip domain lookup

Mode: Global Config

Default: Enabled

ip domain name

Use this command to define a default domain name that EdgeSwitch software uses to complete unqualified host names (names with a domain name). By default, no default domain name is configured in the system. The name may not be longer than 255 characters and should not include an initial period. This name should be used only when the default domain name list, configured using the ip domain list command, is empty.

ip domain name name

Mode: Global Config

ip domain list

Use this command to define a list of default domain names to complete unqualified names. By default, the list is empty. Each name must be no more than 256 characters, and should not include an initial period. The default domain name, configured using the ip domain name command, is used only when the default domain name list is empty. A maximum of 32 names can be entered in to this list.

ip domain list name

Mode: Global Config

ip name-server

Use this command to configure the available name servers. Up to eight servers can be defined in one command or by using multiple commands. The parameter server-address is a valid IPv4 or IPv6 address of the server. The preference of the servers is determined by the order they are entered.

ip name-server server-address1 [server-address2...server-address8]

Mode: Global Config

ip name source-interface

Use this command to specify the physical or logical interface to use as the DNS client (IP name) source interface (source IP address) for DNS client management application. If configured, the source interface address is used for all DNS communications between the DNS server and the DNS client.

The selected source-interface IP address is used for filling the IP header of management protocol packets. This allows security devices (firewalls) to identify the source packets coming from the specific switch. If a source interface is not specified, the primary IP address of the originating (outbound) interface is used as the source address. If the configured interface is down, the DNS client falls back to its default behavior.

ip name source-interface {slot/port | vlan vlan-id}

Mode: Global Config

ip host

Use this command to define static host name-to-address mapping in the host cache. The parameter name is the hostname and ipaddress is the IP address of the host. The host name can include 1-158 alphanumeric characters, periods, hyphens, underscores, and non-consecutive spaces. Hostnames that include one or more space must be enclosed in quotation marks.

ip host name ipaddress

Mode: Global Config

ipv6 host

Use this command to define static host name-to-IPv6 address mapping in the host cache. The name is the hostname and v6address is the IPv6 address of the host. The hostname can include 1-158 alphanumeric characters, periods, hyphens, and spaces. Hostnames that include one or more space must be enclosed in quotation marks.

ipv6 host name v6address

Mode: Global Config

ip domain retry

Use this command to specify the number of times to retry sending Domain Name System (DNS) queries. The number indicates the number of times to retry sending a DNS query to the DNS server, and ranges from 0-100.

ip domain retry number

Mode: Global Config

Default: 2

ip domain timeout

Use this command to specify the amount of time to wait for a response to a DNS query. The seconds specifies the time, in seconds, to wait for a response to a DNS query, and ranges from 0-3600.

ip domain timeout seconds

Mode: Global Config

Default: 3

clear host

Use this command to delete entries from the host name-to-address cache. This command clears the entries from the DNS cache maintained by the software. This command clears both IPv4 and IPv6 entries.

clear host {name | all}

Mode: Privileged EXEC

show hosts

Use this command to display the default domain name, a list of name server hosts, the static and the cached list of host names and addresses. The parameter name ranges from 1-255 characters. This command displays both IPv4 and IPv6 entries.

show hosts name

Modes: User / Privileged EXEC

Parameters:

 

Host name Domain host name.
Default domain Default domain name.
Default domain list Default domain list.
Domain Name lookup DNS client enabled/disabled.
Number of retries Number of time to retry sending Domain Name System (DNS) queries.
Retry timeout period Amount of time to wait for a response to a DNS query.
Name servers Configured name servers.
DNS Client Source Interface Shows the configured source interface (source IP address) used for a DNS client. The IP address of the selected interface is used as source IP for all communications with the server.

show ip name source-interface

Use this command to display the configured source interface details used for a DNS client. The IP address of the selected interface is used as source IP for all communications with the server.

show ip name source-interface

Mode: Privileged EXEC

IP Address Conflict Commands

Back to Top

The commands in this section help troubleshoot IP address conflicts.

ip address-conflict-detect run

This command triggers the switch to run active address conflict detection by sending gratuitous ARP packets for IPv4 addresses on the switch.

ip address-conflict-detect run

Mode: Global Config

show ip address-conflict

This command displays the status information corresponding to the last detected address conflict.

show ip address-conflict

Modes: User / Privileged EXEC

Parameters:

 

Address Conflict Detection Status Identifies whether the switch has detected an address conflict on any IP address.
Last Conflicting IP Address The IP Address that was last detected as conflicting on any interface.
Last Conflicting MAC Address The MAC Address of the conflicting host that was last detected on any interface.
Time Since Conflict Detected The time in days, hours, minutes and seconds since the last address conflict was detected.

clear ip address-conflict-detect

This command clears the detected address conflict status information.

clear ip address-conflict-detect

Modes: User / Privileged EXEC

Serviceability Packet Tracing Commands

Back to Top

These commands improve the capability of network engineers to diagnose conditions affecting the EdgeSwitch. Use the debug commands with caution, as the output can be long and may adversely affect system performance.

capture start

Use this command capture start to manually start capturing CPU packets for packet trace. The packet capture operates in three modes: capture file, remote capture, and capture line. The command is not persistent across a reboot cycle.

capture start [{all|receive|transmit}]

Mode: Privileged EXEC

Parameters:

 

all Capture all traffic.
receive Capture only received traffic.
transmit Capture only transmitted traffic.

capture stop

Use the command capture stop to manually stop capturing CPU packets for packet trace.

capture stop

Mode: Privileged EXEC

capture sniffer

Use the command start or stop the capture sniffer.

capture sniffer start | stop

Mode: Privileged EXEC

capture file|remote|line

Use this command to configure file capture options. The command is persistent across a reboot cycle.

capture {file|remote|line}

Mode: Global Config

Parameters:

 

file In the capture file mode, the captured packets are stored in a file on NVRAM. The maximum file size defaults to 524288 bytes. The switch can transfer the file to a TFTP server via TFTP, SFTP, SCP via CLI, and SNMP. The file is formatted in .pcap format, is named cpuPktCapture.pcap, and can be examined using network analyzer tools such as Wireshark.

Starting a file capture automatically terminates any remote capture sessions and line capturing. After the packet capture is activated, the capture proceeds until the capture file reaches its maximum size, or until the capture is stopped manually using the CLI command capture stop.
remote In the remote capture mode, the captured packets are redirected in real time to an external PC running the Wireshark tool. A packet capture server runs on the switch side and sends the captured packets via a TCP connection to the Wireshark tool.

When using the remote capture mode, the switch does not store any captured data locally on its file system. You can configure the IP port number for connecting Wireshark to the switch. The default port number is 2002.

Starting a remote capture session automatically terminates the file capture and line capturing.
line In the capture line mode, the captured packets are saved into the RAM and can be displayed on the CLI. Starting a line capture automatically terminates any remote capture session and capturing into a file. There is a maximum 128 packets of maximum 128 bytes that can be captured and displayed in line mode.

capture remote port

Use this command to configure file capture options. The command is persistent across a reboot cycle.

capture remote port portid

Mode: Global Config

capture file size

Use this command to configure file capture options. The command is persistent across a reboot cycle.


capture file size max-file-size

Mode: Global Config

capture line wrap

This command enables wrapping of captured packets in line mode when the captured packets reach full capacity.

capture line wrap

Mode: Global Config

show capture packets

Use this command to display packets captured and saved to RAM. It is possible to capture and save into RAM, packets that are received or transmitted through the CPU. A maximum 128 packets can be saved into RAM per capturing session. A maximum 128 bytes per packet can be saved into the RAM.

If a packet holds more than 128 bytes, only the first 128 bytes are saved; data more than 128 bytes is skipped and cannot be displayed in the CLI.

Capturing packets is stopped automatically when 128 packets are captured and have not yet been displayed during a capture session. Captured packets are not retained after a reload cycle.

show capture packets

Mode: Privileged EXEC

debug aaa accounting

This command is useful to debug accounting configuration and functionality in User Manager.

debug aaa accounting

Mode: Privileged EXEC

debug aaa authorization

Use this command to enable the tracing for AAA in User Manager. This is useful to debug authorization configuration and functionality in the User Manager. Each of the parameters are used to configure authorization debug flags.

debug aaa authorization commands|exec

Mode: Privileged EXEC

debug arp

Use this command to enable ARP debug protocol messages.

debug arp

Mode: Privileged EXEC

debug authentication

This command displays either the debug trace for either a single event or all events for an interface

debug authentication packet {all | event} interface

Mode: Privileged EXEC

debug auto-voip

Use this command to enable Auto VOIP debug messages. Use the optional parameters to trace H323, SCCP, or SIP packets respectively.

debug auto-voip [H323|SCCP|SIP|oui]

Mode: Privileged EXEC

debug clear

This command disables all previously enabled “debug” traces.

debug clear

Mode: Privileged EXEC

debug console

This command enables the display of debug trace output on the login session in which it is executed. Debug console display must be enabled in order to view any trace output. The output of debug trace commands will appear on all login sessions for which debug console has been enabled. The configuration of this command remains in effect for the life of the login session. The effect of this command is not persistent across reboots.

debug console

Mode: Privileged EXEC

Default: Disabled

debug crashlog

Use this command to view information contained in the crash log file that the system maintains when it experiences an unexpected reset.

The crash log file contains the following information:
- Call stack information in both primitive and verbose forms
- Log Status
- Buffered logging
- Event logging
- Persistent logging
- System Information (output of sysapiMbufDump)
- Message Queue Debug Information
- Memory Debug Information
- Memory Debug Status
- OS Information (output of osapiShowTasks)
- /proc information (meminfo, cpuinfo, interrupts, version and net/sockstat)

debug crashlog {[kernel] crashlog-number [upload url] | proc | verbose | deleteall}

Mode: Privileged EXEC

Default: Disabled

Parameters:

 

kernel View the crash log file for the kernel
crashlog-number Specifies the file number to view. The system maintains up to four copies, and the valid range is 1 – 4.
upload url To upload the crash log to a TFTP server, use the upload keyword and specify the required TFTP server information.
proc View the application process crashlog.
verbose Enable the verbose crashlog.
deleteall Delete all crash log files on the system.

debug debug-config

Use this command to download or upload the debug-config.ini file. This file executes CLI commands (including devshell and drivshell commands) on specific predefined events. The debug config file is created manually and downloaded to the switch.

debug debug-config {download url | upload url}

Mode: Privileged EXEC

debug dhcp packet

This command displays debug information about DHCPv4 client activities and traces DHCPv4 packets to and from the local DHCPv4 client.

debug dhcp packet [transmit | receive]

Mode: Privileged EXEC

debug dot1x packet

Use this command to enable 802.1X packet debug trace.

debug dot1x packet

Mode: Privileged EXEC

debug igmpsnooping packet

This command enables tracing of IGMP Snooping packets received and transmitted by the switch.

debug igmpsnooping packet

Mode: Privileged EXEC

debug igmpsnooping packet transmit

This command enables tracing of IGMP Snooping packets transmitted by the switch. Snooping should be enabled on the device and the interface in order to monitor packets for a particular interface.

debug igmpsnooping packet transmit

Mode: Privileged EXEC

debug igmpsnooping packet receive

This command enables tracing of IGMP Snooping packets received by the switch. Snooping should be enabled on the device and the interface in order to monitor packets for a particular interface.

debug igmpsnooping packet receive

Mode: Privileged EXEC

debug ip acl

Use this command to enable debug of IP Protocol packets matching the ACL criteria.

debug ip acl acl-number

Mode: Privileged EXEC

debug ipv6 dhcp

This command displays “debug” information about DHCPv6 client activities and traces DHCPv6 packets to and from the local DHCPv6 client.

debug ipv6 dhcp

Mode: Privileged EXEC

debug lacp packet

This command enables tracing of LACP packets received and transmitted by the switch.

debug lacp packet

Mode: Privileged EXEC

debug ping packet

This command enables tracing of ICMP echo requests and responses. The command traces pings on the network port or service port for switching packages. For routing packages, pings are traced on the routing ports as well.

debug ping packet

Mode: Privileged EXEC

debug spanning-tree bpdu

This command enables tracing of spanning tree BPDUs received and transmitted by the switch.

debug spanning-tree bpdu

Mode: Privileged EXEC

debug spanning-tree bpdu receive

This command enables tracing of spanning tree BPDUs received by the switch. Spanning tree should be enabled on the device and on the interface in order to monitor packets for a particular interface.

debug spanning-tree bpdu receive

Mode: Privileged EXEC

debug spanning-tree bpdu transmit

This command enables tracing of spanning tree BPDUs transmitted by the switch. Spanning tree should be enabled on the device and on the interface in order to monitor packets on a particular interface.

debug spanning-tree bpdu transmit

Mode: Privileged EXEC

debug tacacs

Use the debug tacacs packet command to turn on TACACS+ debugging.

debug tacacs {packet {receive | transmit}} | accounting | authentication

Mode: Privileged EXEC

Parameters:

 

packet receive Turn on TACACS+ receive packet debugs.
packet transmit Turn on TACACS+ transmit packet debugs.
accounting Turn on TACACS+ authentication debugging.
authentication Turn on TACACS+ authorization debugging.

debug transfer

This command enables debugging for file transfers.

debug transfer

Mode: Privileged EXEC

show debugging

Use the show debugging command to display enabled packet tracing configurations.

show debugging

Mode: Privileged EXEC

exception protocol

Use this command to specify the protocol used to store the core dump file.

exception protocol {nfs | tftp | none}

Mode: Global Config

Default: none

exception dump tftp-server

Use this command to configure the IP address of a remote TFTP server in order to dump core files to an external server.

exception dump tftp-server {ip-address}

Mode: Global Config

exception dump nfs

Use this command to configure an NFS mount point in order to dump core file to the NFS file system.

exception dump nfs ip-address/dir

Mode: Global Config

exception dump filepath

Use this command to configure a file-path to dump core file to a TFTP server, NFS mount or USB device subdirectory.

exception dump filepath dir

Mode: Global Config

exception core-file

Use this command to configure a prefix for a core-file name. If hostname is configured the core file name takes the hostname, otherwise the core-file names uses the MAC address when generating a core dump file. The prefix length is 15 characters.

The core file name is generated with the prefix as follows:
- If hostname is selected: file-name-prefix_hostname_Time_Stamp.bin
- If hostname is not selected: file-name-prefix_MAC_Address_Time_Stamp.bin


exception core-file {file-name-prefix | [hostname] | [time-stamp]}

Mode: Global Config

Default: Core

exception switch-chip-register

This command enables or disables the switch-chip-register dump in case of an exception. The switch-chip- register dump is taken only for a master unit and not for member units

exception switch-chip-register {enable | disable}

Mode: Global Config

Default: Disabled

write core

Use the write core command to generate a core dump file on demand. The write core test command is helpful when testing the core dump setup. For example, if the TFTP protocol is configured, write core test communicates with the TFTP server and informs the user if the TFTP server can be contacted.

Similarly, if protocol is configured as nfs, this command mounts and unmounts the file system and informs the user of the status.

Write core reloads the switch which is useful when the device malfunctions, but has not crashed. For write core test, the destination file name is used for the TFTP test. Optionally, you can specify the destination file name when the protocol is configured as TFTP.

write core [test [dest_file_name]]

Mode: Privileged EXEC

show exception

Use this command to display the configuration parameters for generating a core dump file.

show exception

Mode: Privileged EXEC

mbuf

Use this command to configure memory buffer (MBUF) threshold limits and generate notifications when MBUF limits have been reached.

mbuf {falling-threshold | rising-threshold | severity}

Mode: Global Config

Parameters:

 

falling-threshold The percentage of memory buffer resources that, when usage falls below this level for the configured interval, triggers a notification. The range is 1 to 100. The default is 0 (disabled).
rising-threshold The percentage of the memory buffer resources that, when exceeded for the configured rising interval, triggers a notification. The range is 1 to 100. The default is 0 (disabled).
severity The severity level at which Mbuf logs messages. The range is 1-7; default is 5 (L7_LOG_SEVERITY_NOTICE).

show mbuf

Use this command to display the memory buffer (MBUF) Utilization Monitoring parameters.

show mbuf

Mode: Privileged EXEC

Parameters:

 

Rising Threshold The percentage of the memory buffer resources that, when exceeded for the configured rising interval, triggers a notification. The range is 1 to 100. The default is 0 (disabled).
Falling Threshold The percentage of memory buffer resources that, when usage falls below this level for the configured interval, triggers a notification. The range is 1 to 100. The default is 0 (disabled).
Severity The severity level.

show mbuf total

Use this command to display memory buffer (MBUF) information.

show mbuf total

Mode: Privileged EXEC

Parameters:

 

Mbufs Total Total number of message buffers in the system.
Mbufs Free Number of message buffers currently available.
Mbufs Rx Used Number of message buffers currently in use.
Total Rx Norm Alloc Attempts Number of times the system tried to allocate a message buffer allocation of class RX Norm.
Total Rx Mid2 Alloc Attempts Number of times the system tried to allocate a message buffer allocation of class RX Mid2.
Total Rx Mid1 Alloc Attempts Number of times the system tried to allocate a message buffer allocation of class RX Mid1.
Total Rx Mid0 Alloc Attempts Number of times the system tried to allocate a message buffer allocation of class RX Mid0.
Total Rx High Alloc Attempts Number of times the system tried to allocate a message buffer allocation of class RX High.
Total Tx Alloc Attempts Number of times the system tried to allocate a message buffer allocation of class TX.
Total Rx Norm Alloc Failures Number of message buffer allocation failures for RX Norm class of message buffer.
Total Rx Mid2 Alloc Failures Number of message buffer allocation failures for RX Mid2 class of message buffer.
Total Rx Mid1 Alloc Failures Number of message buffer allocation failures for RX Mid1 class of message buffer.
Total Rx Mid0 Alloc Failures Number of message buffer allocation failures for RX Mid0 class of message buffer.
Total Rx High Alloc Failures Number of message buffer allocation failures for RX High class of message buffer.
Total Tx Alloc Failures Number of message buffer allocation failures for TX class of message buffer.

Cable Test Command

Back to Top

The cable test feature enables you to determine the cable connection status on a selected port.

The cable test feature is supported only for copper cable. It is not supported for optical fiber cable. If the port has an active link while the cable test is run, the link can go down for the duration of the test.

cablestatus

This command returns the status of the specified port.

cablestatus slot/port

Mode: Privileged EXEC

Parameters: 

 

Normal The cable is working correctly.
Open The cable is disconnected or there is a faulty connector.
Short There is an electrical short in the cable.
Cable Test Failed The cable status could not be determined. The cable may in fact be working.
Cable Length If this feature is supported by the PHY for the current link speed, the cable length is displayed as a range between the shortest estimated length and the longest estimated length. Note that if the link is down and a cable is attached to a 10/100 Ethernet adapter, then the cable status may display as Open or Short because some Ethernet adapters leave unused wire pairs unterminated or grounded. Unknown is displayed if the cable length could not be determined.

Remote Monitoring Commands

Back to Top

Remote Monitoring (RMON) is a method of collecting a variety of data about network traffic. RMON supports 64- bit counters (RFC 3273) and High Capacity Alarm Table (RFC 3434).

There is no configuration command for ether stats and high capacity ether stats. The data source for ether stats and high capacity ether stats are configured during initialization.

rmon alarm

This command sets the RMON alarm entry in the RMON alarm MIB group.

rmon alarm alarm-number variable sample-interval {absolute|delta} rising-threshold value [rising-event-index] falling-threshold value

Mode: Global Config

Parameters:

 

alarm-number An index that uniquely identifies an entry in the alarm table. Each entry defines a diagnostic sample at a particular interval for an object on the device. The range is 1 to 65535.
variable The object identifier of the particular variable to be sampled. Only variables that resolve to an ASN.1 primitive type of integer.
sample-interval The interval in seconds over which the data is sampled and compared with the rising and falling thresholds. The range is 1 to 2147483647. The default is 3600.
Alarm Absolute Value The value of the statistic during the last sampling period. This object is a read-only, 32-bit signed value.
rising-threshold value The rising threshold for the sample statistics. The range is -2147483648 to 2147483647. The default is 1.
rising-event-index The index of the eventEntry that is used when a rising threshold is crossed. The range is 1 to 65535. The default is 1.
falling-threshold value The falling threshold for the sample statistics. The range is -2147483648 to 2147483647. The default is 1.
falling-event-index The index of the eventEntry that is used when a falling threshold is crossed. The range is 1 to 65535. The default is 2.
startup The alarm that may be sent. Possible values are rising, falling, or both rising-falling. The default is rising-falling.
owner string The owner string associated with the alarm entry. The default is monitorAlarm.

rmon hcalarm

This command sets the RMON hcalarm entry in the High Capacity RMON alarm MIB group.

rmon hcalarm alarm-number variable sample-interval {absolute|delta} rising-threshold high value low value status {positive|negative} [rising-event-index] falling-threshold high value low value status {positive|negative} [falling-event-index] [startup {rising|falling|rising-falling}] [owner string]

Mode: Global Config

Parameters:

 

High Capacity Alarm Index An arbitrary integer index value used to uniquely identify the high capacity alarm entry. The range is 1 to 65535.
High Capacity Alarm Variable The object identifier of the particular variable to be sampled. Only variables that resolve to an ASN.1 primitive type of integer.
High Capacity Alarm Interval The interval in seconds over which the data is sampled and compared with the rising and falling thresholds. The range is 1 to 2147483647. The default is 1.
High Capacity Alarm Sample Type The method of sampling the selected variable and calculating the value to be compared against the thresholds. Possible types are Absolute Value or Delta Value. The default is Absolute Value.
High Capacity Alarm Absolute Value The absolute value (that is, the unsigned value) of the hcAlarmVariable statistic during the last sampling period. The value during the current sampling period is not made available until the period is complete. This object is a 64-bit unsigned value that is Read-Only.
High Capacity Alarm Absolute Alarm Status This object indicates the validity and sign of the data for the high capacity alarm absolute value object (hcAlarmAbsValueobject). Possible status types are valueNotAvailable, valuePositive, or valueNegative. The default is valueNotAvailable.
High Capacity Alarm Startup Alarm High capacity alarm startup alarm that may be sent. Possible values are rising, falling, or rising-falling. The default is rising-falling.
High Capacity Alarm Rising-Threshold Absolute Value Low The lower 32 bits of the absolute value for threshold for the sampled statistic. The range is 0 to 4294967295. The default is 1.
High Capacity Alarm Rising-Threshold Absolute Value High The upper 32 bits of the absolute value for threshold for the sampled statistic. The range is 0 to 4294967295. The default is 0.
High Capacity Alarm Rising-Threshold Value Status This object indicates the sign of the data for the rising threshold, as defined by the objects hcAlarmRisingThresAbsValueLow and hcAlarmRisingThresAbsValueHigh. Possible values are valueNotAvailable, valuePositive, or valueNegative. The default is valuePositive.
High Capacity Alarm Falling-Threshold Absolute Value Low The lower 32 bits of the absolute value for threshold for the sampled statistic. The range is 0 to 4294967295. The default is 1.
High Capacity Alarm Falling-Threshold Absolute Value High The upper 32 bits of the absolute value for threshold for the sampled statistic. The range is 0 to 4294967295. The default is 0.
High Capacity Alarm Falling-Threshold Value Status This object indicates the sign of the data for the falling threshold, as defined by the objects hcAlarmFallingThresAbsValueLow and hcAlarmFallingThresAbsValueHigh. Possible values are valueNotAvailable, valuePositive, or valueNegative. The default is valuePositive.
High Capacity Alarm Rising Event Index The index of the eventEntry that is used when a rising threshold is crossed. The range is 1 to 65535. The default is 1.
High Capacity Alarm Falling Event Index The index of the eventEntry that is used when a falling threshold is crossed. The range is 1 to 65535. The default is 2.
High Capacity Alarm Failed Attempts The number of times the associated hcAlarmVariable instance was polled on behalf of the hcAlarmEntry (while in the active state) and the value was not available. This object is a read-only 32-bit counter value.
High Capacity Alarm Owner The owner string associated with the alarm entry. The default is monitorHCAlarm.
High Capacity Alarm Storage Type The type of non-volatile storage configured for this entry. This object is read-only. The default is volatile.

rmon event

This command sets the RMON event entry in the RMON event MIB group.

rmon event event-number [description string|log|owner string|trap community]

Mode: Global Config

Parameters:

 

Event Index An index that uniquely identifies an entry in the event table. Each such entry defines one event that is to be generated when the appropriate conditions occur. The range is 1 to 65535.
Event Description A comment describing the event entry. The default is alarmEvent.
Event Type The type of notification that the probe makes about the event. Possible values are None, Log, SNMP Trap, Log and SNMP Trap. The default is None.
Event Owner Owner string associated with the entry. The default is monitorEvent.
Event Community The SNMP community specific by this octet string which is used to send an SNMP trap. The default is public.

rmon collection history

This command sets the history control parameters of the RMON historyControl MIB group.

This command is not supported on interface range. Each RMON history control collection entry can be configured on only one interface. If you try to configure on multiple interfaces, DUT displays an error.


rmon collection history index-number [buckets number | interval interval-in-sec | owner string]

Mode: Interface Config

Parameters:

 

History Control Index An index that uniquely identifies an entry in the historyControl table. Each such entry defines a set of samples at a particular interval for an interface on the device. The range is 1 to 65535.
History Control Data Source The source interface for which historical data is collected.
History Control Buckets Requested The requested number of discrete time intervals over which data is to be saved. The range is 1 to 65535. The default is 50.
History Control Buckets Granted The number of discrete sampling intervals over which data shall be saved. This object is read-only. The default is 10.
History Control Interval The interval in seconds over which the data is sampled. The range is 1 to 3600. The default is 1800.
History Control Owner The owner string associated with the history control entry. The default is monitorHistoryControl.

show rmon

This command displays the entries in the RMON alarm table.

show rmon {alarms | alarm alarm-index}

Mode: Privileged EXEC

Parameters:

 

Alarm Index An index that uniquely identifies an entry in the alarm table. Each entry defines a diagnostic sample at a particular interval for an object on the device. The range is 1 to 65535.
Alarm Variable The object identifier of the particular variable to be sampled. Only variables that resolve to an ASN.1 primitive type of integer.
Alarm Interval The interval in seconds over which the data is sampled and compared with the rising and falling thresholds. The range is 1 to 2147483647. The default is 1.
Alarm Absolute Value The value of the statistic during the last sampling period. This object is a read-only, 32-bit signed value.
Alarm Rising Threshold The rising threshold for the sample statistics. The range is 2147483648 to 2147483647. The default is 1.
Alarm Rising Event Index The index of the eventEntry that is used when a rising threshold is crossed. The range is 1 to 65535. The default is 1.
Alarm Falling Threshold The falling threshold for the sample statistics. The range is 2147483648 to 2147483647. The default is 1.
Alarm Falling Event Index The index of the eventEntry that is used when a falling threshold is crossed. The range is 1 to 65535. The default is 2.
Alarm Startup Alarm The alarm that may be sent. Possible values are rising, falling or both rising-falling. The default is rising- falling.
Alarm Owner The owner string associated with the alarm entry. The default is monitorAlarm.

show rmon collection history

This command displays the entries in the RMON history control table.

show rmon collection history [interfaces slot/port]

Mode: Privileged EXEC

Parameters:

 

History Control Index An index that uniquely identifies an entry in the historyControl table. Each such entry defines a set of samples at a particular interval for an interface on the device. The range is 1 to 65535.
History Control Data Source The source interface for which historical data is collected.
History Control Buckets Requested The requested number of discrete time intervals over which data is to be saved. The range is 1 to 65535. The default is 50.
History Control Buckets Granted The number of discrete sampling intervals over which data shall be saved. This object is read-only. The default is 10.
History Control Interval The interval in seconds over which the data is sampled. The range is 1 to 3600. The default is 1800.
History Control Owner The owner string associated with the history control entry. The default is monitorHistoryControl.

show rmon events

This command displays the entries in the RMON event table.

show rmon events

Mode: Privileged EXEC

Parameters:

 

Event Index An index that uniquely identifies an entry in the event table. Each such entry defines one event that is to be generated when the appropriate conditions occur. The range is 1 to 65535.
Event Description A comment describing the event entry. The default is alarmEvent.
Event Type The type of notification that the probe makes about the event. Possible values are None, Log, SNMP Trap, Log and SNMP Trap. The default is None.
Event Owner Owner string associated with the entry. The default is monitorEvent.
Event Community The SNMP community specific by this octet string which is used to send an SNMP trap. The default is public.
Owner Event owner. The owner string associated with the entry.
Last time sent The last time over which a log or a SNMP trap message is generated.

show rmon history

This command displays the specified entry in the RMON history table.

show rmon history index {errors [period seconds] | other [period seconds] | throughput [period seconds]}

Mode: Privileged EXEC

Parameters:

 

History Control Index An index that uniquely identifies an entry in the historyControl table. Each such entry defines a set of samples at a particular interval for an interface on the device. The range is 1 to 65535.
History Control Data Source The source interface for which historical data is collected.
History Control Buckets Requested The requested number of discrete time intervals over which data is to be saved. The range is 1 to 65535. The default is 50.
History Control Buckets Granted The number of discrete sampling intervals over which data shall be saved. This object is read-only. The default is 10.
History Control Interval The interval in seconds over which the data is sampled. The range is 1 to 3600. The default is 1800.
History Control Owner The owner string associated with the history control entry. The default is monitorHistoryControl.
Maximum Table Size Maximum number of entries that the history table can hold.
Time Time at which the sample is collected, displayed as period seconds.
CRC Align Number of CRC align errors.
Undersize Packets Total number of undersize packets. Packets are less than 64 octets long (excluding framing bits, including FCS octets).
Oversize Packets Total number of oversize packets. Packets are longer than 1518 octets (excluding framing bits, including FCS octets).
Fragments Total number of fragment packets. Packets are not an integral number of octets in length or had a bad Frame Check Sequence (FCS), and are less than 64 octets in length (excluding framing bits, including FCS octets).
Jabbers Total number of jabber packets. Packets are longer than 1518 octets (excluding framing bits, including FCS octets), and are not an integral number of octets in length or had a bad Frame Check Sequence (FCS).
Octets Total number of octets received on the interface.
Packets Total number of packets received (including error packets) on the interface.
Broadcast Total number of good Broadcast packets received on the interface.
Multicast Total number of good Multicast packets received on the interface.
Util Port utilization of the interface associated with the history index specified.
Dropped Collisions Total number of dropped collisions.

show rmon log

This command displays the entries in the RMON log table.

show rmon log [event-index]

Mode: Privileged EXEC

Parameters:

 

Maximum table size Maximum number of entries that the log table can hold.
Event Event index for which the log is generated.
Description A comment describing the event entry for which the log is generated.
Time Time at which the event is generated.

show rmon statistics interfaces

This command displays the RMON statistics for the given interfaces.

show rmon statistics interfaces slot/port

Mode: Privileged EXEC

Parameters:

 

Port slot/port
Dropped Total number of dropped events on the interface.
Octets Total number of octets received on the interface.
Packets Total number of packets received (including error packets) on the interface.
Broadcast Total number of good broadcast packets received on the interface.
Multicast Total number of good multicast packets received on the interface.
CRC Align Errors Total number of packets received have a length (excluding framing bits, including FCS octets) of between 64 and 1518 octets inclusive.
Collisions Total number of collisions on the interface.
Undersize Pkts Total number of undersize packets. Packets are less than 64 octets long (excluding framing bits, including FCS octets).
Oversize Pkts Total number of oversize packets. Packets are longer than 1518 octets (excluding framing bits, including FCS octets).
Fragments Total number of fragment packets. Packets are not an integral number of octets in length or had a bad Frame Check Sequence (FCS), and are less than 64 octets in length (excluding framing bits, including FCS octets).
Jabbers Total number of jabber packets. Packets are longer than 1518 octets (excluding framing bits, including FCS octets), and are not an integral number of octets in length or had a bad Frame Check Sequence (FCS).
64 Octets Total number of packets which are 64 octets in length (excluding framing bits, including FCS octets).
65-127 Octets Total number of packets which are between 65 and 127 octets in length (excluding framing bits, including FCS octets).
128-255 Octets Total number of packets which are between 128 and 255 octets in length (excluding framing bits, including FCS octets).
256-511 Octets Total number of packets which are between 256 and 511 octets in length (excluding framing bits, including FCS octets).
512-1023 Octets Total number of packets which are between 512 and 1023 octets in length (excluding framing bits, including FCS octets).
1024-1518 Octets Total number of packets which are between 1024 and 1518 octets in length (excluding framing bits, including FCS octets).
HC Overflow Pkts Total number of HC overflow packets.
HC Overflow Octets Total number of HC overflow octets.
HC Overflow Pkts 64 Octets Total number of HC overflow packets which are 64 octets in length
HC Overflow Pkts 65 - 127 Octects Total number of HC overflow packets which are between 65 and 127 octets in length.
HC Overflow Pkts 128 - 255 Octects Total number of HC overflow packets which are between 128 and 255 octets in length.
HC Overflow Pkts 256 - 511 Octects Total number of HC overflow packets which are between 256 and 511 octets in length.
HC Overflow Pkts 512 - 1023 Octects Total number of HC overflow packets which are between 512 and 1023 octets in length.
HC Overflow Pkts 1024 - 1518 Octets Total number of HC overflow packets which are between 1024 and 1518 octets in length.

show rmon hcalarms

This command displays the entries in the RMON high-capacity alarm table.

show rmon {hcalarms | hcalarm alarm-index}

Mode: Privileged EXEC

Parameters:

 

High Capacity Alarm Index An arbitrary integer index value used to uniquely identify the high capacity alarm entry. The range is 1 to 65535.
High Capacity Alarm Variable The object identifier of the particular variable to be sampled. Only variables that resolve to an ASN.1 primitive type of integer.
High Capacity Alarm Interval The interval in seconds over which the data is sampled and compared with the rising and falling thresholds. The range is 1 to 2147483647. The default is 1.
High Capacity Alarm Sample Type The method of sampling the selected variable and calculating the value to be compared against the thresholds. Possible types are Absolute Value or Delta Value. The default is Absolute Value.
High Capacity Alarm Absolute Value The absolute value (that is, the unsigned value) of the hcAlarmVariable statistic during the last sampling period. The value during the current sampling period is not made available until the period is complete. This object is a 64-bit unsigned value that is Read-Only.
High Capacity Alarm Absolute Alarm Status This object indicates the validity and sign of the data for the high capacity alarm absolute value object (hcAlarmAbsValueobject). Possible status types are valueNotAvailable, valuePositive, or valueNegative. The default is valueNotAvailable.
High Capacity Alarm Startup Alarm High capacity alarm startup alarm that may be sent. Possible values are rising, falling, or rising-falling. The default is rising-falling.
High Capacity Alarm Rising-Threshold Absolute Value Low The lower 32 bits of the absolute value for threshold for the sampled statistic. The range is 0 to 4294967295. The default is 1.
High Capacity Alarm Rising-Threshold Absolute Value High The upper 32 bits of the absolute value for threshold for the sampled statistic. The range is 0 to 4294967295. The default is 0.
High Capacity Alarm Rising-Threshold Value Status This object indicates the sign of the data for the rising threshold, as defined by the objects hcAlarmRisingThresAbsValueLow and hcAlarmRisingThresAbsValueHigh. Possible values are valueNotAvailable, valuePositive, or valueNegative. The default is valuePositive.
High Capacity Alarm Falling-Threshold Absolute Value Low The lower 32 bits of the absolute value for threshold for the sampled statistic. The range is 0 to 4294967295. The default is 1.
High Capacity Alarm Falling-Threshold Absolute Value High The upper 32 bits of the absolute value for threshold for the sampled statistic. The range is 0 to 4294967295. The default is 0.
High Capacity Alarm Falling-Threshold Value Status This object indicates the sign of the data for the falling threshold, as defined by the objects hcAlarmFallingThresAbsValueLow and hcAlarmFallingThresAbsValueHigh. Possible values are valueNotAvailable, valuePositive, or valueNegative. The default is valuePositive.
High Capacity Alarm Rising Event Index The index of the eventEntry that is used when a rising threshold is crossed. The range is 1 to 65535. The default is 1.
High Capacity Alarm Falling Event Index The index of the eventEntry that is used when a falling threshold is crossed. The range is 1 to 65535. The default is 2.
High Capacity Alarm Failed Attempts The number of times the associated hcAlarmVariable instance was polled on behalf of thie hcAlarmEntry (while in the active state) and the value was not available. This object is a 32-bit counter value that is read-only.
High Capacity Alarm Owner The owner string associated with the alarm entry. The default is monitorHCAlarm.
High Capacity Alarm Storage Type The type of non-volatile storage configured for this entry. This object is read-only. The default is volatile.

Statistics Application Commands

Back to Top

The statistics application gives you the ability to query for statistics on port utilization, flow-based and packet reception on programmable time slots. The statistics application collects the statistics at a configurable time range. You can specify the port number(s) or a range of ports for statistics to be displayed.

The configured time range applies to all ports. Detailed statistics are collected between a specified time range in date and time format. You can define the time range as having an absolute time entry and/or a periodic time. For example, you can specify the statistics to be collected and displayed between 9:00 12 NOV 2011 (START) and 21:00 12 NOV 2012 (END) or schedule it on every Mon, Wed, and Fri 9:00 (START) to 21:00 (END).

You can receive the statistics in the following ways:
- User requests through the CLI for a set of counters.
- Configuring the device to display statistics using syslog or email alert. The alerts are sent by the statistics application at END time.

You can configure the device to display statistics on the console. The collected statistics are presented on the console at END time.

stats group

This command creates a new group with the specified id or name and configures the time range and the reporting mechanism for that group.

stats group group-id|name timerange time-range-name reporting list-of-reporting-methods

Mode: Global Config

Parameters:

 

group-id|name

Name of the group of statistics or its identifier to apply on the interface. The range is:

  1. received
  2. received-errors
  3. transmitted
  4. transmitted-errors
  5. received-transmitted
  6. port-utilization
  7. congestion

The default is None.

time-range-name Name of the time range for the group or the flow-based rule. The range is 1 to 31 alphanumeric characters. The default is None.
list-of-reporting- methods

Report the statistics to the configured method. The range is:

  1. none
  2. console
  3. syslog
  4. e-mail

The default is None.

stats flow-based

This command configures flow based statistics rules for the given parameters over the specified time range. Only an IPv4 address is allowed as source and destination IP address.

stats flow-based rule-id timerange time-range-name [{srcip ip-address} {dstip ip-address} {srcmac mac-address} {dstmac mac-address} {srctcpport portid} {dsttcpport portid} {srcudpport portid} {dstudpport portid}]

Mode: Global Config

Parameters:

 

rule-id The flow-based rule ID. The range is 1 to 16. The default is None.
time-range-name Name of the time range for the group or the flow-based rule. The range is 1 to 31 alphanumeric characters. The default is None.
srcip ip-address The source IP address.
dstip ip-address The destination IP address.
srcmac mac-address The source MAC address.
dstmac mac-address The destination MAC address.
srctcpport portid The source TCP port number.
dsttcpport portid The destination TCP port number.
srcudpport portid The source UDP port number.
dstudpport portid The destination UDP port number.

stats flow-based reporting

This command configures the reporting mechanism for all the flow-based rules configured on the system. There is no per flow-based rule reporting mechanism. Setting the reporting method to none resets all the reporting methods.

stats flow-based reporting list-of-reporting-methods

Mode: Global Config

stats group

This command applies the group specified on an interface or interface-range.

stats group group-id|name

Mode: Interface Config

stats flow-based

This command applies the flow-based rule specified by the ID on an interface or interface-range.

stats flow-based rule-id

Mode: Interface Config

show stats group

This command displays the configured time range and the interface list for the group specified and shows collected statistics for the specified time-range name on the interface list after the time-range expiry.

show stats group group-id|name

Mode: Privileged EXEC

show stats flow-based

This command displays the configured time range, flow-based rule parameters, and the interface list for the flow specified.

show stats flow-based rule-id|all

Mode: Privileged EXEC

lan.png  Switching Commands

Back to Top

This chapter describes the switching commands available in the EdgeSwitch CLI.

Port Configuration Commands

Back to Top

This section describes the commands you use to view and configure port settings.

interface

This command gives access to Interface Config mode, which lets you enable or modify the operation of an interface (port). You can also specify a range of ports to configure by specifying a starting slot/port and an ending slot/port, separated by a hyphen.

interface {slot/port | slot/port-slot/port}

Mode: Interface Config

auto-negotiate

This command enables automatic negotiation on a port or range of ports.

auto-negotiate

Mode: Interface Config

auto-negotiate all

This command enables automatic negotiation on all ports.

auto-negotiate all

Mode: Global Config

description

Use this command to create an alphanumeric description of an interface or range of interfaces.

description description

Mode: Interface Config

mtu

Use this command to set the maximum transmission unit (MTU) size, in bytes, for frames that ingress or egress the interface. You can use the mtu command to configure jumbo frame support for physical and port-channel (LAG) interfaces. For the standard EdgeSwitch implementation, the MTU size is a valid integer between 1522–9216 for tagged packets and a valid integer between 1518–9216 for untagged packets.

mtu 1518-9216

Mode: Interface Config

Default: 1518 (untagged)

shutdown

This command disables a port or range of ports.

shutdown

Mode: Interface Config

shutdown all

This command disables all ports.

shutdown all

Mode: Global Config

speed

Use this command to enable or disable auto-negotiation and set the speed that will be advertised by that port. The half-duplex and full-duplex parameters allow you to set the advertised speed for half-duplex and full-duplex modes.

Use the auto keyword to enable auto-negotiation on the port and optionally set the preferred speed.

speed {auto {10G | 1000 | 100 | 10} [10G | 1000 | 100 | 10] [half-duplex | full-duplex] | {| 10G | 1000 | 100 | 10} {half-duplex | full-duplex}}

Mode: Interface Config

Default: auto

speed all

This command sets the speed and duplex setting for all interfaces.

speed all {100 | 10} {half-duplex | full-duplex}

Mode: Global Config

show port

This command displays port information.

show port {intf-range | all}

Mode: Privileged EXEC

Parameters:

 

Intf Interface in slot/port format
Type If not blank, this field indicates that this port is a special type of port.
Admin Mode The Port control administration state. The port must be enabled in order for it to be allowed into the network. May be enabled or disabled. The factory default is enabled.
Physical Mode The desired port speed and duplex mode. If auto-negotiation support is selected, then the duplex mode and speed is set from the auto-negotiation process. Note that the maximum capability of the port (full duplex -100M) is advertised. Otherwise, this object determines the port’s duplex mode and transmission rate. The factory default is Auto.
Physical Status The port speed and duplex mode.
Link Status The Link is up or down.
Link Trap This object determines whether or not to send a trap when link status changes. The factory default is enabled.
LACP Mode LACP is enabled or disabled on this port.

show port advertise

Use this command to display the local administrative link advertisement configuration, local operational link advertisement, and the link partner advertisement for an interface. It also displays priority Resolution for speed and duplex as per 802.3 Annex 28B.3. It displays the Auto negotiation state, Phy Master/Slave Clock configuration, and Link state of the port.

If the link is down, the Clock is displayed as No Link, and a dash is displayed against the Oper Peer advertisement, and Priority Resolution. If Auto negotiation is disabled, then the admin Local Link advertisement, operational local link advertisement, operational peer advertisement, and Priority resolution fields are not displayed.

If this command is executed without the optional slot/port parameter, then it displays the Auto- negotiation state and operational Local link advertisement for all the ports. Operational link advertisement will display speed only if it is supported by both local as well as link partner. If auto-negotiation is disabled, then operational local link advertisement is not displayed.

show port advertise [slot/port]

Mode: Privileged EXEC

show port description

This command displays the interface description.

show port description slot/port

Mode: Privileged EXEC

Spanning Tree Protocol Commands

Back to Top

This section describes the commands you use to configure Spanning Tree Protocol (STP). STP helps prevent network loops, duplicate messages, and network instability. STP is enabled on the switch and on all ports and LAGs by default. If STP is disabled, the system does not forward BPDU messages.

spanning-tree

This command sets the spanning-tree operational mode to enabled.

spanning-tree

Mode: Global Config

Default: Enabled

spanning-tree auto-edge

Use this command to allow the interface to become an edge port if it does not receive any BPDUs within a given amount of time.

spanning-tree auto-edge

Mode: Interface Config

Default: Enabled

spanning-tree bpdumigrationcheck

Use this command to force a transmission of rapid spanning tree (RSTP) and multiple spanning tree (MSTP) BPDUs. Use the slot/port parameter to transmit a BPDU from a specified interface, or use the all keyword to transmit RST or MST BPDUs from all interfaces.

spanning-tree bpdumigrationcheck {slot/port | all}

Mode: Global Config

spanning-tree configuration name

This command sets the Configuration Identifier Name for use in identifying the configuration that this switch is currently using. The name is a string of up to 32 characters.

spanning-tree configuration name name

Mode: Global Config

Default: Base MAC address in hexadecimal notation

spanning-tree configuration revision

This command sets the Configuration Identifier Revision Level for use in identifying the configuration that this switch is currently using. The Configuration Identifier Revision Level is a number in the range of 0 to 65535.

spanning-tree configuration revision 0-65535

Mode: Global Config

Default: 0

spanning-tree cost

Use this command to configure the external path cost for port used by a MST instance. When the auto keyword is used, the path cost from the port to the root bridge is automatically determined by the speed of the interface. To configure the cost manually, specify a cost value from 1–200000000.

spanning-tree cost {cost | auto}

Mode: Interface Config

Default: auto

spanning-tree edgeport

This command specifies that an interface (or range of interfaces) is an Edge Port within the common and internal spanning tree. This allows this port to transition to Forwarding State without delay.

spanning-tree edgeport

Mode: Interface Config

spanning-tree forceversion

This command sets the Force Protocol Version parameter to a new value.

spanning-tree forceversion {802.1d | 802.1s | 802.1w}

Mode: Global Config

Default: 802.1s

Parameters:

 

802.1d Specify that the switch transmits ST BPDUs rather than MST BPDUs (IEEE 802.1d functionality supported).
802.1s Specify that the switch transmits MST BPDUs (IEEE 802.1s functionality supported).
802.1w Specify that the switch transmits RST BPDUs rather than MST BPDUs (IEEE 802.1w functionality supported).

spanning-tree forward-time

This command sets the Bridge Forward Delay parameter to a new value for the common and internal spanning tree. The value in seconds ranges from 4 to 30, with the value being greater than or equal to (Bridge Max Age / 2) + 1.

spanning-tree forward-time 4-30

Mode: Global Config

Default: 15

spanning-tree max-age

This command sets the Bridge Max Age parameter to a new value for the common and internal spanning tree. The value is in seconds range from 6 to 40, with the value being less than or equal to 2 x (Bridge Forward Delay - 1).

spanning-tree max-age 6-40

Mode: Global Config

Default: 20

spanning-tree max-hops

This command sets the Bridge Max Hops parameter to a new value for the common and internal spanning tree.

spanning-tree max-hops 6-40

Mode: Global Config

Default: 20

spanning-tree mst

This command sets the Path Cost or Port Priority for this port within the multiple spanning tree instance or in the common and internal spanning tree. If you specify an mstid parameter that corresponds to an existing multiple spanning tree instance, the configurations are done for that multiple spanning tree instance. If you specify 0 (defined as the default CIST ID) as the mstid, the configurations are done for the common and internal spanning tree instance.

If you specify the cost option, the command sets the path cost for this port within a multiple spanning tree instance or the common and internal spanning tree instance, depending on the mstid parameter. You can set the path cost as a number in the range of 1 to 200000000 or auto. If you select auto the path cost value is set based on Link Speed.

If you specify the port-priority option, this command sets the priority for this port within a specific multiple spanning tree instance or the common and internal spanning tree instance, depending on the mstid parameter. The port-priority value is a number in the range of 0 to 240 in increments of 16.

spanning-tree mst mstid {{cost 1-200000000 | auto} | port-priority 0-240}

Mode: Interface Config

Default: cost: auto / port-priority: 128

spanning-tree mst instance

This command adds a multiple spanning tree instance to the switch. The parameter mstid is a number within a range of 1 to 4094, that corresponds to the new instance ID to be added. The maximum number of multiple instances supported by the switch is 4.

spanning-tree mst instance mstid

Mode: Global Config

spanning-tree mst priority

This command sets the bridge priority for a specific multiple spanning tree instance. The parameter mstid is a number that corresponds to the desired existing multiple spanning tree instance. The priority value is a number within a range of 0 to 4094.

If you specify 0 (defined as the default CIST ID) as the mstid, this command sets the Bridge Priority parameter to a new value for the common and internal spanning tree. The bridge priority value is a number within a range of 0 to 4094. The twelve least significant bits are masked according to the 802.1s specification. This causes the priority to be rounded down to the next lower valid priority.

spanning-tree mst priority mstid 0-4094

Mode: Global Config

Default: 32768

spanning-tree mst vlan

This command adds an association between a multiple spanning tree instance and one or more VLANs so that the VLAN(s) are no longer associated with the common and internal spanning tree. The parameter mstid is a multiple spanning tree instance identifier, in the range of 0 to 4094, that corresponds to the desired existing multiple spanning tree instance. The vlanid can be specified as a single VLAN, a list, or a range of values.

To specify a list of VLANs, enter a list of VLAN IDs in the range 1 to 4093, each separated by a comma with no spaces in between. To specify a range of VLANs, separate the beginning and ending VLAN ID with a dash (-). Spaces and zeros are not permitted. The VLAN IDs may or may not exist in the system.

spanning-tree mst vlan mstid vlanid

Mode: Global Config

spanning-tree port mode

This command sets the Administrative Switch Port State for this port to enabled for use by spanning tree.

spanning-tree port mode

Mode: Interface Config

spanning-tree port mode all

This command sets the STP port mode for all ports to enabled.

spanning-tree port mode all

Mode: Global Config

Default: Enabled

spanning-tree tcnguard

Use this command to enable TCN guard on the interface. When enabled, TCN Guard restricts the interface from propagating any topology change information received through that interface.

spanning-tree tcnguard

Mode: Interface Config

Default: Disabled

spanning-tree transmit

This command sets the Bridge Transmit Hold Count parameter (0-10).

spanning-tree transmit hold-count

Mode: Global Config

show spanning-tree

This command displays spanning tree settings for the common and internal spanning tree. 

show spanning-tree

Modes: User / Privileged EXEC

Parameters:

 

Bridge Priority Specifies the bridge priority for the Common and Internal Spanning tree (CST). The value lies between 0 and 61440. It is displayed in multiples of 4096.
Bridge Identifier The bridge identifier for the CST. It consists of the bridge priority and the bridge’s base MAC address.
Time Since Topology Change Time in seconds.
Topology Change Count Number of times changed.
Topology Change in Progress Boolean value of the Topology Change parameter for the switch indicating if a topology change is in progress on any port assigned to the common and internal spanning tree.
Designated Root The bridge identifier of the root bridge, consisting of the bridge priority and the bridge’s base MAC address.
Root Path Cost Value of the Root Path Cost parameter for the common and internal spanning tree.
Root Port Identifier Identifier of the port to access the Designated Root for the CST.
Bridge Max Age Derived value.
Bridge Max Hops Bridge max-hops count for the device.
Bridge Forwarding Delay Derived value.
Hello Time Configured value of the parameter for the CST.
Bridge Hold Time Minimum time between transmissions of Configuration Bridge Protocol Data Units (BPDUs).
CST Regional Root Bridge Identifier of the CST Regional Root, consisting of the bridge priority and the bridge’s base MAC address.
Regional Root Path Cost Path Cost to the CST Regional Root.
Associated FIDs List of forwarding database identifiers currently associated with this instance.
Associated VLANs List of VLAN IDs currently associated with this instance.

show spanning-tree brief

This command displays spanning tree settings for the bridge. 

show spanning-tree brief

Modes: User / Privileged EXEC

Parameters:

 

Bridge Priority Configured value.
Bridge Identifier The bridge identifier for the selected MST instance. It consists of the bridge priority and the base MAC address of the bridge.
Bridge Max Age Configured value.
Bridge Max Hops Bridge max-hops count for the device.
Bridge Hello Time Configured value.
Bridge Forward Delay Configured value.
Bridge Hold Time Minimum time between transmissions of Configuration Bridge Protocol Data Units (BPDUs).

show spanning-tree interface

This command displays the settings and parameters for a specific switch port within the common and internal spanning tree. 

show spanning-tree interface slot/port | lag lag-intf-num

Modes: User / Privileged EXEC

Parameters:

 

Hello Time Admin hello time for this port.
Port Mode Enabled or disabled.
TCN Guard Enable or disable the propagation of received topology change notifications and topology changes to other ports.
Auto Edge To enable or disable the feature that causes a port that has not seen a BPDU for edge delay time, to become an edge port and transition to forwarding faster.
Port Up Time Since Counters Last Cleared Time since port was reset, displayed in days, hours, minutes, and seconds.
STP BPDUs Transmitted Spanning Tree Protocol Bridge Protocol Data Units sent.
STP BPDUs Received Spanning Tree Protocol Bridge Protocol Data Units received.
RSTP BPDUs Transmitted Rapid Spanning Tree Protocol Bridge Protocol Data Units sent.
RSTP BPDUs Received Rapid Spanning Tree Protocol Bridge Protocol Data Units received.
MSTP BPDUs Transmitted Multiple Spanning Tree Protocol Bridge Protocol Data Units sent.
MSTP BPDUs Received Multiple Spanning Tree Protocol Bridge Protocol Data Units received.

show spanning-tree mst detailed

This command displays the detailed settings for an MST instance.

show spanning-tree mst detailed mstid

Modes: User / Privileged EXEC

show spanning-tree mst port detailed

This command displays the detailed settings and parameters for a specific switch port within a particular multiple spanning tree instance. The parameter mstid is a number that corresponds to the desired existing multiple spanning tree instance.

show spanning-tree mst port detailed mstid slot/port | lag lag-intf-num

Modes: User / Privileged EXEC

Parameters:

 

MST Instance ID The ID of the existing multiple spanning tree (MST) instance identifier. The value is 0-4094.
Port Identifier The port identifier for the specified port within the selected MST instance. It is made up from the port priority and the interface number of the port.
Port Priority The priority for a particular port within the selected MST instance. The port priority is displayed in multiples of 16.
Port Forwarding State Current spanning tree state of this port.
Port Role Each enabled MST Bridge Port receives a Port Role for each spanning tree. The port role is one of the following values: Root Port, Designated Port, Alternate Port, Backup Port, Master Port or Disabled Port
Auto-Calculate Port Path Cost Indicates whether auto calculation for port path cost is enabled.
Port Path Cost Configured value of the Internal Port Path Cost parameter.
Designated Root The Identifier of the designated root for this port.
Root Path Cost The path cost to get to the root bridge for this instance. The root path cost is zero if the bridge is the root bridge for that instance.
Designated Bridge Bridge Identifier of the bridge with the Designated Port.
Designated Port Identifier Port on the Designated Bridge that offers the lowest cost to the LAN.
Port Identifier The port identifier for this port within the CST.
Port Priority The priority of the port within the CST.
Port Forwarding State The forwarding state of the port within the CST.
Port Role The role of the specified interface within the CST.
Auto-Calculate Port Path Cost Indicates whether auto calculation for port path cost is enabled or not (disabled).
Port Path Cost The configured path cost for the specified interface.
Auto-Calculate External Port Path Cost Indicates whether auto calculation for external port path cost is enabled.
External Port Path Cost The cost to get to the root bridge of the CIST across the boundary of the region. This means that if the port is a boundary port for an MSTP region, then the external path cost is used.
Designated Root Identifier of the designated root for this port within the CST.
Root Path Cost The root path cost to the LAN by the port.
Designated Bridge The bridge containing the designated port.
Designated Port Identifier Port on the Designated Bridge that offers the lowest cost to the LAN.
Topology Change Acknowledgement Value of flag in next Configuration Bridge Protocol Data Unit (BPDU) transmission indicating if a topology change is in progress for this port.
Hello Time The hello time in use for this port.
Edge Port The configured value indicating if this port is an edge port.
Edge Port Status The derived value of the edge port status. True if operating as an edge port; false otherwise.
Point To Point MAC Status Derived value indicating if this port is part of a point to point link.
CST Regional Root The regional root identifier in use for this port.
CST Internal Root Path Cost The internal root path cost to the LAN by the designated external port.

show spanning-tree mst port summary

This command displays the settings of one or all ports within the specified multiple spanning tree instance. The parameter mstid indicates a particular MST instance.

If you specify 0 (defined as the default CIST ID) as the mstid, the status summary displays for one or all ports within the common and internal spanning tree.


show spanning-tree mst port summary mstid {slot/port | lag lag-intf-num | all}

Modes: User / Privileged EXEC

Parameters:

 

MST Instance ID The MST instance associated with this port.
Interface The interface in slot/port format.
STP Mode Indicates whether spanning tree is enabled or disabled on the port.
Type Currently not used.
STP State The forwarding state of the port in the specified spanning tree instance.
Port Role The role of the specified port within the spanning tree.
Desc Indicates whether the port is in loop inconsistent state or not. This field is blank if the loop guard feature is not available.

show spanning-tree mst port summary active

This command displays settings for the ports within the specified multiple spanning tree instance that are active links.

show spanning-tree mst port summary mstid active

Modes: User / Privileged EXEC

Parameters:

 

MST Instance ID The ID of the existing MST instance.
Interface The interface in slot/port format.
STP Mode Indicates whether spanning tree is enabled or disabled on the port.
Type Currently not used.
STP State The forwarding state of the port in the specified spanning tree instance.
Port Role The role of the specified port within the spanning tree.
Desc Indicates whether the port is in loop inconsistent state or not. This field is blank if the loop guard feature is not available.

show spanning-tree mst summary

This command displays summary information about all multiple spanning tree instances in the switch.

The following information is listed for each MSTID:
- Associated FIDs
- Associated VLANs
- List of forwarding database identifiers associated with this instance.
- List of VLAN IDs associated with this instance.

show spanning-tree mst summary

Modes: User / Privileged EXEC

show spanning-tree summary

This command displays spanning tree settings and parameters for the switch. 

show spanning-tree summary

Modes: User / Privileged EXEC

Parameters:

 

Spanning Tree Adminmode Enabled or disabled.
Spanning Tree Version Version of 802.1 currently supported (IEEE 802.1s, IEEE 802.1w, or IEEE 802.1d) based upon the Force Protocol Version parameter.
BPDU Guard Mode Enabled or disabled.
BPDU Filter Mode Enabled or disabled.
Configuration Name Identifier used to identify the configuration currently being used.
Configuration Revision Level Identifier used to identify the configuration currently being used.
Configuration Digest Key A generated Key used in the exchange of the BPDUs.
Configuration Format Selector Specifies the version of the configuration format being used in the exchange of BPDUs. The default value is zero.
MST Instances List of all multiple spanning tree instances configured on the switch.

show spanning-tree vlan

This command displays the association between a VLAN and a multiple spanning tree instance.

show spanning-tree vlan vlanid

Modes: User / Privileged EXEC

VLAN Commands

Back to Top

This section describes the commands you use to configure VLAN settings.

vlan database

This command gives you access to the VLAN Config mode, which allows you to configure VLAN characteristics.

vlan database

Mode: Privileged EXEC

network mgmt_vlan

This command configures the Management VLAN ID.

network mgmt_vlan 1-4093

Mode: Privileged EXEC

Default: VLAN1

vlan (VLAN Database Config)

This command creates a new VLAN and assigns it an ID. The ID is a valid VLAN identification number (ID 1 is reserved for the default VLAN). VLAN range is 2-4093.

vlan 2-4093

Mode: VLAN Database Config

vlan acceptframe

This command sets the frame acceptance mode on an interface or range of interfaces. For VLAN Only mode, untagged frames or priority frames received on this interface are discarded. For Admit All mode, untagged frames or priority frames received on this interface are accepted and assigned the value of the interface VLAN ID for this port.

For Admit Untagged Only mode, only untagged frames are accepted on this interface; tagged frames are discarded. With any option, VLAN tagged frames are forwarded in accordance with the IEEE 802.1Q VLAN Specification.

vlan acceptframe {admituntaggedonly | vlanonly | all}

Modes: Interface Config

Default: all

Parameters:

 

VLAN Only mode Untagged frames or priority frames received on this interface are discarded.
Admit Untagged Only mode VLAN-tagged and priority tagged frames received on this interface are discarded.
Admit All mode Untagged frames or priority frames received on this interface are accepted and assigned the value of the interface VLAN ID for this port.

vlan ingressfilter

This command enables ingress filtering on an interface or range of interfaces. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.

vlan ingressfilter

Mode: Interface Config

Default: Enabled (on v1.9.0+ firmware)

vlan allow dei-frame

This command allows or denies frames with the DEI flag.

vlan allow dei-frame

Mode: Global Config

Default: Enabled

vlan internal allocation

Use this command to configure which VLAN IDs to use for port-based routing interfaces. When a port-based routing interface is created, an unused VLAN ID is assigned internally.

vlan internal allocation {base vlan-id | policy ascending | policy descending}

Mode: Global Config

Default: Descending

Parameters:

 

base vlan-id The first VLAN ID to be assigned to a port-based routing interface.
policy ascending VLAN IDs assigned to port-based routing interfaces start at the base and increase in value.
policy descending VLAN IDs assigned to port-based routing interfaces start at the base and decrease in value.

vlan makestatic (VLAN Database Config)

This command changes a dynamically created VLAN (created by GVRP registration) to a static VLAN (one that is permanently configured and defined). The ID is a valid VLAN identification number. VLAN range is 2-4093.

vlan makestatic 2-4093

Mode: VLAN Database  Config

vlan name (VLAN Database Config)

This command changes the name of a VLAN. The name is an alphanumeric string of up to 32 characters, and the ID is a valid VLAN identification number. ID range is 1-4093.

vlan name 1-4093 name

Mode: VLAN Database  Config

vlan participation

This command configures the degree of participation for a specific interface or range of interfaces in a VLAN. The ID is a valid VLAN identification number, and the interface is a valid interface number.

vlan participation {exclude | include | auto} 1-4093

Mode: Interface Config

Default: VLAN1: include / VLAN2-4093: auto

Parameters:

 

include The interface is always a member of this VLAN. This is equivalent to registration fixed.
exclude The interface is never a member of this VLAN. This is equivalent to registration forbidden.
auto The interface is dynamically registered in this VLAN by GVRP and will not participate in this VLAN unless a join request is received on this interface. This is equivalent to registration normal.

switchport mode general

This command sets a interface to use the general-style VLAN configuration method.

switchport mode general

Mode: Interface Config

Default: general

switchport mode access

This command sets a interface to use the Cisco-style VLAN configuration method and defines the port as access.

switchport mode access

Mode: Interface Config

Default: general

switchport mode trunk

This command sets a interface to use the Cisco-style VLAN configuration method and defines the port as trunk.

switchport mode trunk

Mode: Interface Config

Default: general

switchport access vlan

This command defines the access VLAN when using the Cisco-style VLAN configuration method.

switchport access vlan 1-4093

Mode: Interface Config

 

switchport trunk allowed vlan

This command defines the allowed VLANs on the trunk when using the Cisco-style VLAN configuration method.

switchport trunk allowed vlan [ vlan-range |  add vlan-range | except vlan-range | remove vlan-range | all ]

Mode: Interface Config

Parameters:

 

vlan-range Define the VLANs that should be allowed on the trunk.
add Define the VLANs that should be added to the allowed list.
except Define the VLANs that should not be added to the allowed list.
remove Define the VLANs that should be removed from the allowed list.
all Allow all VLANs on the trunk.

switchport trunk native vlan

This command defines the native VLAN on the trunk when using the Cisco-style VLAN configuration method.

switchport trunk native vlan 1-4093

Mode: Interface Config

vlan participation all

This command configures the degree of participation for all interfaces in a VLAN. The ID is a valid VLAN identification number.

vlan participation all {exclude | include | auto} 1-4093

Mode: Global Config

Parameters:

 

include The interface is always a member of this VLAN. This is equivalent to registration fixed.
exclude The interface is never a member of this VLAN. This is equivalent to registration forbidden.
auto The interface is dynamically registered in this VLAN by GVRP and will not participate in this VLAN unless a join request is received on this interface. This is equivalent to registration normal.

vlan participation all

This command configures the degree of participation for all interfaces in a VLAN. The ID is a valid VLAN identification number.

vlan participation all {exclude | include | auto} 1-4093

Mode: Global Config

Default: all

Parameters:

 

VLAN Only mode Untagged frames or priority frames received on this interface are discarded.
Admit Untagged Only mode VLAN-tagged and priority tagged frames received on this interface are discarded.
Admit All mode Untagged frames or priority frames received on this interface are accepted and assigned the value of the interface VLAN ID for this port.

vlan port ingressfilter all

This command enables ingress filtering for all ports. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.

vlan port ingressfilter all

Mode: Global Config

Default: Enabled (on v1.9.0+ firmware)

vlan port pvid all

This command changes the VLAN ID for all interface.

vlan port pvid all 1-4093

Mode: Global Config

Default: VLAN1

vlan port tagging all

This command configures the tagging behavior for all interfaces in a VLAN to enabled. If tagging is enabled, traffic is transmitted as tagged frames. If tagging is disabled, traffic is transmitted as untagged frames. The ID is a valid VLAN identification number.

vlan port tagging all 1-4093

Mode: Global Config

vlan pvid

This command changes the VLAN ID on an interface or range of interfaces.

vlan pvid 1-4093

Mode: Interface Config

Default: VLAN1

vlan tagging

This command configures the tagging behavior for a specific interface or range of interfaces in a VLAN to enabled. If tagging is enabled, traffic is transmitted as tagged frames. If tagging is disabled, traffic is transmitted as untagged frames. The ID is a valid VLAN identification number.

vlan tagging 1-4093

Mode: Interface Config

vlan association (VLAN Database Config)

This command associates a MAC address or OUI to a certain VLAN.

vlan association [ mac macaddr vlanid ] [ oui oui-prefix vlanid ]

Mode: VLAN Database Config

show vlan association

This command displays the configured MAC address or OUI associations.

show vlan association [ mac macaddr ] [ oui ]

Mode: Privileged EXEC

show vlan

This command displays information about the configured private VLANs, including primary and secondary VLAN IDs, type (community, isolated, or primary) and the ports which belong to a private VLAN.

show vlan {vlanid | private-vlan [type]}

Modes: User / Privileged EXEC

Parameters:

 

Primary Primary VLAN identifier. The range of the VLAN ID is 1 to 4093.
Secondary Secondary VLAN identifier.
Type Secondary VLAN type (community, isolated, or primary).
Ports Ports which are associated with a private VLAN.
VLAN ID The VLAN identifier (VID) associated with each VLAN. The range of the VLAN ID is 1 to 4093.
VLAN Name A string associated with this VLAN as a convenience. It can be up to 32 alphanumeric characters long, including blanks. The default is blank. VLAN ID 1 always has the name Default. This field is optional.
VLAN Type Type of VLAN, which can be Default (VLAN ID = 1) or static (one that is configured and permanently defined), or Dynamic. A dynamic VLAN can be created by GVRP registration or during the 802.1X authentication process (DOT1X) if a RADIUS-assigned VLAN does not exist on the switch.
Interface Interface in slot/port format. It is possible to set the parameters for all ports by using the selectors on the top line.
Include This port is always a member of this VLAN. This is equivalent to registration fixed in the IEEE 802.1Q standard.
Exclude This port is never a member of this VLAN. This is equivalent to registration forbidden in the IEEE 802.1Q standard.
Autodetect To allow the port to be dynamically registered in this VLAN via GVRP. The port will not participate in this VLAN unless a join request is received on this port. This is equivalent to registration normal in the IEEE 802.1Q standard.
Tagged Transmit traffic for this VLAN as tagged frames.
Untagged Transmit traffic for this VLAN as untagged frames.

show vlan internal usage

This command displays information about the VLAN ID allocation on the switch.

show vlan internal usage

Modes: User / Privileged EXEC

show vlan brief

This command displays a list of all configured VLANs.

show vlan brief

Modes: User / Privileged EXEC

Parameters:

 

VLAN ID There is a VLAN Identifier (vlanid) associated with each VLAN. The range of the VLAN ID is 1 to 4093.
VLAN Name A string associated with this VLAN as a convenience. It can be up to 32 alphanumeric characters long, including blanks. The default is blank. VLAN ID 1 always has the name “Default”. This field is optional.
VLAN Type Type of VLAN, which can be Default (VLAN ID = 1) or static (one that is configured and permanently defined), or a Dynamic (one that is created by GVRP registration).

show interfaces switchport general

This command displays the VLANs for ports that are configured with the general-style VLAN configuration method.

show interfaces switchport general slot/port

Mode: Privileged EXEC

show interfaces switchport access

This command displays the VLAN for access ports that are configured with the Cisco-style VLAN configuration method.

show interfaces switchport access slot/port

Mode: Privileged EXEC

 

show interfaces switchport trunk

This command displays the VLANs for trunk ports that are configured with the Cisco-style VLAN configuration method.

show interfaces switchport trunk slot/port

Mode: Privileged EXEC 

show vlan port

This command displays VLAN port information.

show vlan port {slot/port | all}

Modes: User / Privileged EXEC

Parameters:

 

Interface The interface in slot/port format. It is possible to set the parameters for all ports by using the selectors on the top line.
Port VLAN ID The VLAN ID that this port will assign to untagged frames or priority tagged frames received on this port. The value must be for an existing VLAN. The factory default is 1.
Acceptable Frame Types The types of frames that may be received on this port. The options are ‘VLAN only’ and ‘Admit All’. When set to ‘VLAN only’, untagged frames or priority tagged frames received on this port are discarded. When set to ‘Admit All’, untagged frames or priority tagged frames received on this port are accepted and assigned the value of the Port VLAN ID for this port. With either option, VLAN tagged frames are forwarded in accordance to the 802.1Q VLAN specification.
Ingress Filtering May be enabled or disabled. When enabled, the frame is discarded if this port is not a member of the VLAN with which this frame is associated. In a tagged frame, the VLAN is identified by the VLAN ID in the tag. In an untagged frame, the VLAN is the Port VLAN ID specified for the port that received this frame. When disabled, all frames are forwarded in accordance with the 802.1Q VLAN bridge specification.
GVRP May be enabled or disabled.
Default Priority The 802.1p priority assigned to tagged packets arriving on the port.

Private VLAN Commands

Back to Top

This section describes the commands you use for private VLANs. Private VLANs provides Layer-2 isolation between ports that share the same broadcast domain. In other words, it allows a VLAN broadcast domain to be partitioned into smaller point-to-multipoint subdomains. The ports participating in a private VLAN can be located anywhere in the Layer-2 network.

switchport private-vlan

This command defines a private-VLAN association for an isolated or community port or a mapping for a promiscuous port.

switchport private-vlan {host-association primary-vlan-id secondary-vlan-id | mapping primary-vlan-id {add | remove} secondary-vlan-list}

Mode: Interface Config

Parameters:

 

host-association Defines the VLAN association for community or host ports.
primary-vlan-id Primary VLAN ID of a private VLAN.
secondary-vlan-id Secondary (isolated or community) VLAN ID of a private VLAN.
mapping Defines the private VLAN mapping for promiscuous ports.
add Associates the secondary VLAN with the primary one.
remove Deletes the secondary VLANs from the primary VLAN association.
secondary-vlan-list A list of secondary VLANs to be mapped to a primary VLAN.

switchport mode private-vlan

This command configures a port as a promiscuous or host private VLAN port. Note that the properties of each mode can be configured even when the switch is not in that mode. However, they will only be applicable once the switch is in that particular mode.

switchport mode private-vlan {host|promiscuous}

Mode: Interface Config

Parameters:

 

host Configures an interface as a private VLAN host port. It can be either isolated or community port depending on the secondary VLAN it is associated with.
promiscuous Configures an interface as a private VLAN promiscuous port. The promiscuous ports are members of the primary VLAN.

private-vlan (VLAN Config)

This command configures the private VLANs and configures the association between the primary private VLAN and secondary VLANs.

private-vlan {association [add|remove] community | isolated | primary}

Mode: VLAN Config

Parameters:

 

association Associates the primary and secondary VLAN.
community Designates a VLAN as a community VLAN.
isolated Designates a VLAN as the isolated VLAN.
primary Designates a VLAN as the primary VLAN.

Voice VLAN Commands

Back to Top

This section describes the commands you use for Voice VLAN. Voice VLAN enables switch ports to carry voice traffic with defined priority so as to enable separation of voice and data traffic coming onto the port. The benefits of using Voice VLAN is to ensure that the sound quality of an IP phone could be safeguarded from deteriorating when the data traffic on the port is high.

Also the inherent isolation provided by VLANs ensures that inter-VLAN traffic is under management control and that network- attached clients cannot initiate a direct attack on voice components. QoS-based on IEEE 802.1P class of service (CoS) uses classification and scheduling to sent network traffic from the switch in a predictable manner. The system uses the source MAC of the traffic traveling through the port to identify the IP phone data flow.

voice vlan (Global Config)

Use this command to enable the Voice VLAN capability on the switch.

voice vlan

Mode: Global Config

voice vlan (Interface Config)

Use this command to enable the Voice VLAN capability on the interface or range of interfaces.

voice vlan {vlan-id id | dot1p priority | none | untagged}

Mode: Interface Config

Parameters:

 

vlan-id id Configure the IP phone to forward all voice traffic through the specified VLAN. Valid VLAN ID range is 1-4093 (the maximum supported by the platform).
dot1p priority Configure the IP phone to use 802.1p priority tagging for voice traffic and to use the default native VLAN (VLAN 0) to carry all traffic. Valid priority range is 0 to 7.
none Allow the IP phone to use its own configuration to send untagged voice traffic.
untagged Configure the phone to send untagged voice traffic.

voice vlan data priority

Use this command to either trust or untrust the data traffic arriving on the Voice VLAN interface or range of interfaces being configured.

voice vlan data priority {untrust | trust}

Mode: Interface Config

Default: trust

show voice vlan

Display the Voice VLAN global or interface configuration settings.

show voice vlan [interface {slot/port | all}]

Mode: Privileged EXEC

Parameters:

 

Administrative Mode The Global Voice VLAN mode.
Voice VLAN Mode The admin mode of the Voice VLAN on the interface.
Voice VLAN ID The Voice VLAN ID.
Voice VLAN Priority The do1p priority for the Voice VLAN on the port.
Voice VLAN Untagged The tagging option for the Voice VLAN traffic.
Voice VLAN CoS Override The Override option for the voice traffic arriving on the port.
Voice VLAN Status The operational status of Voice VLAN on the port.

Provisioning (IEEE 802.1p) Commands

Back to Top

This section describes the commands you use to configure provisioning (IEEE 802.1p,) which allows you to prioritize ports.

vlan port priority all

This command configures the port priority assigned for untagged packets for all ports presently plugged into the device. The range for the priority is 0-7. Any subsequent per port configuration will override this configuration setting.

vlan port priority all priority

Mode: Global Config

vlan priority

This command configures the default 802.1p port priority assigned for untagged packets for a specific interface. The range for the priority is 0–7.

vlan priority priority

Mode: Interface Config

Default: 0

Protected Ports Commands

Back to Top

This section describes commands you use to configure and view protected ports on a switch. Protected ports do not forward traffic to each other, even if they are on the same VLAN. However, protected ports can forward traffic to all unprotected ports in their group. Unprotected ports can forward traffic to both protected and unprotected ports. Ports are unprotected by default.

If an interface is configured as a protected port, and you add that interface to a Port Channel or Link Aggregation Group (LAG), the protected port status becomes operationally disabled on the interface, and the interface follows the configuration of the LAG port. However, the protected port configuration for the interface remains unchanged. Once the interface is no longer a member of a LAG, the current configuration for that interface automatically becomes effective.

switchport protected (Global Config)

Use this command to create a protected port group. The groupid parameter identifies the set of protected ports. Use the name parameter to assign an optional name to the protected port group. The name can be up to 32 alphanumeric characters long, including blanks. The default is blank. Port protection occurs within a single switch. Protected port configuration does not affect traffic between ports on two different switches. No traffic forwarding is possible between two protected ports.

switchport protected groupid name name

Mode: Global Config

switchport protected (Interface Config)

Use this command to add an interface to a protected port group. The groupid parameter identifies the set of protected ports to which this interface is assigned. You can only configure an interface as protected in one group. Port protection occurs within a single switch. Protected port configuration does not affect traffic between ports on two different switches. No traffic forwarding is possible between two protected ports.

switchport protected groupid

Mode: Interface Config

show switchport protected

This command displays the status of all the interfaces, including protected and unprotected interfaces.

show switchport protected groupid

Modes: User / Privileged EXEC

Parameters:

 

Group ID The number that identifies the protected port group.
Name An optional name of the protected port group. The name can be up to 32 alphanumeric characters long, including blanks. The default is blank.
List of Physical Ports List of ports, which are configured as protected for the group identified with groupid. If no port is configured as protected for this group, this field is blank.

show interfaces switchport

This command displays the status of the interface (protected/unprotected) under the group ID.

show interfaces switchport slot/port groupid

Modes: User / Privileged EXEC

Parameters:

 

Name A string associated with this group as a convenience. It can be up to 32 alphanumeric characters long, including blanks. The default is blank. This field is optional.
Protected Indicates whether the interface is protected or not (TRUE or FALSE). If the group is multiple groups then it shows TRUE in Group groupid.

GARP Commands

Back to Top

This section describes the commands you use to configure Generic Attribute Registration Protocol (GARP) and view GARP status. The commands in this section affect both GARP VLAN Registration Protocol (GVRP) and GARP Multicast Registration Protocol (GMRP). GARP is a protocol that allows client stations to register with the switch for membership in VLANS (by using GVMP) or multicast groups (by using GVMP).

set garp timer join

This command sets the GVRP join time per GARP for one interface, a range of interfaces, or all interfaces. Join time is the interval between the transmission of GARP Protocol Data Units (PDUs) registering (or re-registering) membership for a VLAN or multicast group. This command has an effect only when GVRP is enabled. The time is set in hundreds of a second, ranging from 10 to 100. A value of 20 for example equals to 0.2 seconds.

set garp timer join 10-100

Modes: Global / Interface Config

Default: 20

set garp timer leave

This command sets the GVRP leave time for one interface, a range of interfaces, or all interfaces or all ports and only has an effect when GVRP is enabled. Leave time is the time to wait after receiving an unregister request for a VLAN or a multicast group before deleting the VLAN entry. This can be considered a buffer time for another station to assert registration for the same attribute in order to maintain uninterrupted service.

The leave time is set in hundreds of a second, ranging from 20 to 600. A value of 60 for example, equals to 0.6 seconds. The leave time must be greater than or equal to three times the join time.

set garp timer leave 20-600

Modes: Global / Interface Config

Default: 60

set garp timer leaveall

This command sets how frequently Leave All PDUs are generated. A Leave All PDU indicates that all registrations will be unregistered. Participants would need to rejoin in order to maintain registration. The value applies per port and per GARP participation. The time is set in hundreds of a second, ranging from 200 to 6000. A value of 1000 for example, equals to 10 seconds.

You can use this command on all ports (Global Config mode), a single port or a range of ports (Interface Config mode) and it only has an effect only when GVRP is enabled. The leave all time must be greater than the leave time.

set garp timer leaveall 200-6000

Modes: Global / Interface Config

Default: 1000

show garp

This command displays GARP information.

show garp

Modes: User / Privileged EXEC

Parameters:

 

GMRP Admin Mode The administrative mode of GARP Multicast Registration Protocol (GMRP) for the system.
GVRP Admin Mode The administrative mode of GARP VLAN Registration Protocol (GVRP) for the system.

GVRP Commands

Back to Top

This section describes the commands you use to configure and view GARP VLAN Registration Protocol (GVRP) information. GVRP-enabled switches exchange VLAN configuration information, which allows GVRP to provide dynamic VLAN creation on trunk ports and automatic VLAN pruning. If GVRP is disabled, the system does not forward GVRP messages.

set gvrp adminmode

This command enables GVRP on the system.

set gvrp adminmode

Mode: Privileged EXEC

Default: Disabled

set gvrp interfacemode

This command enables GVRP on a single port (Interface Config mode), a range of ports (Interface Range mode), or all ports (Global Config mode).

set gvrp interfacemode

Modes: Global / Interface Config

Default: Disabled

show gvrp configuration

This command displays Generic Attributes Registration Protocol (GARP) information for one or all interfaces.

show gvrp configuration {slot/port | all}

Modes: User / Privileged EXEC

Parameters:

 

Interface Interface in slot/port format.
Join Timer The interval between the transmission of GARP PDUs registering (or reregistering) membership for an attribute. Current attributes are a VLAN or multicast group. There is an instance of this timer on a per- Port, per-GARP participant basis. 
Leave Timer The period of time to wait after receiving an unregister request for an attribute before deleting the attribute. Current attributes are a VLAN or multicast group. This may be considered a buffer time for another station to assert registration for the same attribute in order to maintain uninterrupted service. There is an instance of this timer on a per-Port, per-GARP participant basis. 
LeaveAll Timer This Leave All Time controls how frequently LeaveAll PDUs are generated. A LeaveAll PDU indicates that all registrations will shortly be deregistered. Participants will need to rejoin in order to maintain registration. There is an instance of this timer on a per-Port, per-GARP participant basis. The Leave All Period Timer is set to a random value in the range of LeaveAllTime to 1.5*LeaveAllTime. 
Port GMRP Mode The GMRP administrative mode for the port, which is enabled or disabled (default). If this parameter is disabled, Join Time, Leave Time and Leave All Time have no effect.

GMRP Commands

Back to Top

This section describes the commands you use to configure and view GARP Multicast Registration Protocol (GMRP) information. Like IGMP Snooping, GMRP helps control the flooding of multicast packets. GMRP-enabled switches dynamically register and deregister group membership information with the MAC networking devices attached to the same segment.

GMRP also allows group membership information to propagate across all networking devices in the bridged LAN that support Extended Filtering Services. If GMRP is disabled, the system does not forward GMRP messages.

set gmrp adminmode

This command enables GARP Multicast Registration Protocol (GMRP) on the system.

set gmrp adminmode

Mode: Privileged EXEC

Default: Disabled

set gmrp interfacemode

This command enables GARP Multicast Registration Protocol on a single interface (Interface Config mode), a range of interfaces, or all interfaces (Global Config mode). If an interface which has GARP enabled is enabled for routing or is enlisted as a member of a port-channel (LAG), GARP functionality is disabled on that interface. GARP functionality is subsequently re-enabled if routing is disabled and port-channel (LAG) membership is removed from an interface that has GARP enabled.

set gmrp interfacemode

Modes: Global / Interface Config

Default: Disabled

show gmrp configuration

This command displays Generic Attributes Registration Protocol (GARP) information for one or all interfaces.

show gmrp configuration {slot/port | all}

Modes: User / Privileged EXEC

Parameters:

 

Interface The slot/port of the interface that this row in the table describes.
Join Timer The interval between the transmission of GARP PDUs registering (or reregistering) membership for an attribute. Current attributes are a VLAN or multicast group. There is an instance of this timer on a per-port, per-GARP participant basis. 
Leave Timer The period of time to wait after receiving an unregister request for an attribute before deleting the attribute. Current attributes are a VLAN or multicast group. This may be considered a buffer time for another station to assert registration for the same attribute in order to maintain uninterrupted service. There is an instance of this timer on a per-Port, per-GARP participant basis. 
LeaveAll Timer This Leave All Time controls how frequently LeaveAll PDUs are generated. A LeaveAll PDU indicates that all registrations will shortly be deregistered. Participants will need to rejoin in order to maintain registration. There is an instance of this timer on a per-Port, per-GARP participant basis. The Leave All Period Timer is set to a random value in the range of LeaveAllTime to 1.5*LeaveAllTime.
Port GMRP Mode The GMRP administrative mode for the port. It may be enabled or disabled. If this parameter is disabled, Join Time, Leave Time and Leave All Time have no effect.

show mac-address-table gmrp

This command displays the GMRP entries in the Multicast Forwarding Database (MFDB) table.

show mac-address-table gmrp

Mode: Privileged EXEC

Parameters:

 

VLAN ID The VLAN in which the MAC Address is learned.
MAC Address A unicast MAC address for which the switch has forwarding and or filtering information. The format is six 2-digit hexadecimal numbers that are separated by colons, for example 01:23:45:67:89:AB.
Type The type of the entry. Static entries are those that are configured by the end user. Dynamic entries are added to the table as a result of a learning process or protocol.
Description The text description of this multicast table entry.
Interfaces The list of interfaces that are designated for forwarding (Fwd:) and filtering (Flt:).

Port-Based Network Access Control Commands

Back to Top

This section describes the commands you use to configure port-based network access control (IEEE 802.1X). Port-based network access control allows you to permit access to network services only to and devices that are authorized and authenticated.

aaa authentication dot1x default

Use this command to configure the authentication method for port-based access to the switch. The additional methods of authentication are used only if the previous method returns an error, not if there is an authentication failure.

The possible methods are as follows:
- ias Uses the internal authentication server users database for authentication. This method can be used in conjunction with any one of the existing methods like local, radius, etc.
- local Uses the local username database for authentication.
- none Uses no authentication.
- radius Uses the list of all RADIUS servers for authentication.

aaa authentication dot1x default {[ias]|[method1 [method2 [method3]]]}

Mode: Global Config

clear dot1x statistics

This command resets the 802.1X statistics for the specified port or for all ports.

clear dot1x statistics {slot/port | all}

Mode: Privileged EXEC

clear dot1x authentication-history

This command clears the authentication history table captured during successful and unsuccessful authentication on all interface or the specified interface.

clear dot1x authentication-history [slot/port]

Mode: Privileged EXEC

clear radius statistics

This command is used to clear all RADIUS statistics.

clear radius statistics

Mode: Privileged EXEC

dot1x eapolflood

Use this command to enable EAPOL flood support on the switch.

dot1x eapolflood

Mode: Global Config

Default: Disabled

dot1x guest-vlan

This command configures VLAN as guest vlan on an interface or a range of interfaces. The command specifies an active VLAN as an IEEE 802.1X guest VLAN. The range is 1 to the maximum VLAN ID supported by the platform.

dot1x guest-vlan vlan-id

Mode: Interface Config

dot1x initialize

This command begins the initialization sequence on the specified port. This command is only valid if the control mode for the specified port is auto or MAC-based. If the control mode is not auto or MAC-based, an error will be returned.

dot1x initialize slot/port

Mode: Global Interface Config

dot1x max-req

This command sets the maximum number of times the authenticator state machine on an interface or range of interfaces will transmit an EAPOL EAP Request/Identity frame before timing out the supplicant. The count value must be in the range 1–10.

dot1x max-req count

Mode: Interface Config

Default: 2

dot1x max-users

Use this command to set the maximum number of clients supported on an interface or range of interfaces when MAC-based 802.1X authentication is enabled on the port. The maximum users supported per port is dependent on the product. The count value is in the range 1–48.

dot1x max-users count

Mode: Interface Config

Default: 16

dot1x port-control

This command sets the authentication mode to use on the specified interface or range of interfaces. Use the force-unauthorized parameter to specify that the authenticator PAE unconditionally sets the controlled port to unauthorized. Use the force-authorized parameter to specify that the authenticator PAE unconditionally sets the controlled port to authorized. Use the auto parameter to specify that the authenticator PAE sets the controlled port mode to reflect the outcome of the authentication exchanges between the supplicant, authenticator and the authentication server. If the mac-based option is specified, then MAC-based 802.1X authentication is enabled on the port.

dot1x port-control {force-unauthorized | force-authorized | auto | mac-based}

Mode: Interface Config

Default: auto

dot1x port-control all

This command sets the authentication mode to use on all ports. Select force-unauthorized to specify that the authenticator PAE unconditionally sets the controlled port to unauthorized. Select force-authorized to specify that the authenticator PAE unconditionally sets the controlled port to authorized. Select auto to specify that the authenticator PAE sets the controlled port mode to reflect the outcome of the authentication exchanges between the supplicant, authenticator and the authentication server. If the mac-based option is specified, then MAC-based 802.1X authentication is enabled on the port.

dot1x port-control all {force-unauthorized | force-authorized | auto | mac-based}

Mode: Global Config

Default: auto

dot1x mac-auth-bypass

If the 802.1X mode on the interface is mac-based, you can optionally use this command to enable MAC Authentication Bypass (MAB) on an interface. MAB is a supplemental authentication mechanism that allows 802.1X unaware clients – such as printers, fax machines, and some IP phones – to authenticate to the network using the client MAC address as an identifier.

dot1x mac-auth-bypass

Mode: Interface Config

Default: Disabled

dot1x re-authenticate

This command begins the re-authentication sequence on the specified port. This command is only valid if the control mode for the specified port is auto or mac-based. If the control mode is not auto or mac-based, an error will be returned.

dot1x re-authenticate slot/port

Mode: Privileged EXEC

dot1x re-authentication

This command enables re-authentication of the supplicant for the specified interface or range of interfaces.

dot1x re-authentication

Mode: Interface Config

Default: Disabled

dot1x system-auth-control

Use this command to enable the 802.1X authentication support on the switch. While disabled, the 802.1X configuration is retained and can be changed, but is not activated.

dot1x system-auth-control

Mode: Global Config

Default: Disabled

dot1x system-auth-control monitor

Use this command to enable the 802.1X monitor mode on the switch. The purpose of Monitor mode is to help troubleshoot port-based authentication configuration issues without disrupting network access for hosts connected to the switch. In Monitor mode, a host is granted network access to an 802.1X-enabled port even if it fails the authentication process. The results of the process are logged for diagnostic purposes.

dot1x system-auth-control monitor

Mode: Global Config

Default: Disabled

dot1x timeout

This command sets the value, in seconds, of the timer used by the authenticator state machine on an interface or range of interfaces. Depending on the parameter used and the value (in seconds) passed, various timeout configurable parameters are set. 

dot1x timeout {{guest-vlan-period seconds} | {reauth-period seconds} | {quiet-period seconds} | {tx-period seconds} | {supp-timeout seconds} | {server-timeout seconds}}

Mode: Interface Config

Default: guest-vlan-period: 90 seconds / reauth-period: 3600 seconds / quiet-period: 60 seconds / tx-period: 30 seconds / supp-timeout: 30 seconds / server-timeout: 30 seconds

Parameters:

 

guest-vlan-period The time, in seconds, for which the authenticator waits to see if any EAPOL packets are received on a port before authorizing the port and placing the port in the guest vlan (if configured). The guest vlan timer is only relevant when guest vlan has been configured on that specific port.
reauth-period The value, in seconds, of the timer used by the authenticator state machine on this port to determine when re-authentication of the supplicant takes place. The reauth-period valid range is 1–65535.
quiet-period The value, in seconds, of the timer used by the authenticator state machine on this port to define periods of time in which it will not attempt to acquire a supplicant. The valid range is 0–65535.
tx-period The value, in seconds, of the timer used by the authenticator state machine on this port to determine when to send an EAPOL EAP Request/Identity frame to the supplicant. The quiet-period valid range is 1–65535.
supp-timeout The value, in seconds, of the timer used by the authenticator state machine on this port to timeout the supplicant. The supp-timeout valid range is 1–65535.
server-timeout The value, in seconds, of the timer used by the authenticator state machine on this port to timeout the authentication server. The server-timeout valid range is 1–65535.

dot1x unauthenticated-vlan

Use this command to configure the unauthenticated VLAN associated with the specified interface or range of interfaces. The unauthenticated VLAN ID can be a valid VLAN ID from 0 to the maximum supported VLAN ID (4093 for EdgeSwitch). The unauthenticated VLAN must be statically configured in the VLAN database to be operational. By default, the unauthenticated VLAN is 0; i.e., invalid and not operational.

dot1x unauthenticated-vlan vlan-id

Mode: Interface Config

Default: 0

dot1x user

This command adds the specified user to the list of users with access to the specified port or all ports. The user parameter must be a configured user.

dot1x user user {slot/port | all}

Mode: Global Config

show authentication methods

Use this command to display information about the authentication methods.

show authentication methods

Mode: Privileged EXEC

Parameters:

 

Authentication Login List The authentication login listname.
Method 1 The first method in the specified authentication login list, if any.
Method 2 The second method in the specified authentication login list, if any.
Method 3 The third method in the specified authentication login list, if any.

show dot1x

This command is used to show a summary of the global 802.1X configuration, summary information of the 802.1X configuration for a specified port or all ports, the detailed 802.1X configuration for a specified port and the 802.1X statistics for a specified port, depending on the tokens used.

show dot1x [{summary {slot/port | all} | detail slot/port | statistics slot/port]

Mode: Privileged EXEC

Parameters:

 

Administrative Mode Indicates whether authentication control on the switch is enabled or disabled.
VLAN Assignment Mode Indicates whether assignment of an authorized port to a RADIUS-assigned VLAN is allowed (enabled) or not (disabled).
Dynamic VLAN Creation Mode Indicates whether the switch can dynamically create a RADIUS-assigned VLAN if it does not currently exist on the switch.
Monitor Mode Indicates whether the 802.1X Monitor mode on the switch is enabled or disabled.
Interface The interface whose configuration is displayed.
Control Mode The configured control mode for this port. Possible values are force-unauthorized | force-authorized | auto | mac-based | authorized | unauthorized.
Operating Control Mode The control mode under which this port is operating. Possible values are authorized | unauthorized.
Reauthentication Enabled Indicates whether reauthentication is enabled on this port.
Port Status Indicates whether the port is authorized or unauthorized. Possible values are authorized | unauthorized.
Port The interface whose configuration is displayed.
Protocol Version The protocol version associated with this port. The only possible value is 1, corresponding to the first version of the 802.1X specification.
PAE Capabilities The port access entity (PAE) functionality of this port. Possible values are Authenticator or Supplicant.
Control Mode The configured control mode for this port. Possible values are force-unauthorized, force-authorized, auto, and mac-based.
Authenticator PAE State Current state of the authenticator PAE state machine. Possible values are Initialize, Disconnected, Connecting, Authenticating, Authenticated, Aborting, Held, ForceAuthorized, and ForceUnauthorized. When MAC-based authentication is enabled on the port, this parameter is deprecated.
Backend Authentication State Current state of the backend authentication state machine. Possible values are Request, Response, Success, Fail, Timeout, Idle, and Initialize. When MAC-based authentication is enabled on the port, this parameter is deprecated.
Quiet Period The timer used by the authenticator state machine on this port to define periods of time in which it will not attempt to acquire a supplicant. The value is expressed in seconds and will be in the range 0 and 65535.
Transmit Period The timer used by the authenticator state machine on the specified port to determine when to send an EAPOL EAP Request/Identity frame to the supplicant. The value is expressed in seconds and will be in the range of 1 and 65535.
Guest-VLAN ID The guest VLAN identifier configured on the interface.
Guest VLAN Period The time in seconds for which the authenticator waits before authorizing and placing the port in the Guest VLAN, if no EAPOL packets are detected on that port.
Supplicant Timeout The timer used by the authenticator state machine on this port to timeout the supplicant. The value is expressed in seconds and will be in the range of 1 and 65535.
Server Timeout The timer used by the authenticator on this port to timeout the authentication server. The value is expressed in seconds and will be in the range of 1 and 65535.
Maximum Requests The maximum number of times the authenticator state machine on this port will retransmit an EAPOL EAP Request/Identity before timing out the supplicant. The value will be in the range of 1 and 10.
Configured MAB Mode The administrative mode of the MAC authentication bypass feature on the switch.
Operational MAB Mode The operational mode of the MAC authentication bypass feature on the switch. MAB might be administratively enabled but not operational if the control mode is not MAC based.
Vlan-ID The VLAN assigned to the port by the RADIUS server. This is only valid when the port control mode is not Mac-based.
VLAN Assigned Reason The reason the VLAN identified in the VLAN-assigned field has been assigned to the port. Possible values are RADIUS, Unauthenticated VLAN, Guest VLAN, default, and Not Assigned. When the VLAN Assigned Reason is Not Assigned, it means that the port has not been assigned to any VLAN by 802.1X. This only valid when the port control mode is not MAC-based.
Reauthentication Period The timer used by the authenticator state machine on this port to determine when reauthentication of the supplicant takes place. The value is expressed in seconds and will be in the range of 1 and 65535.
Reauthentication Enabled Indicates if re-authentication is enabled on this port. Possible values are ‘True” or “False”.
Key Transmission Enabled Indicates if the key is transmitted to the supplicant for the specified port. Possible values are True or False.
EAPOL Flood Mode Enabled Indicates whether the EAPOL flood support is enabled on the switch. Possible values are True or False.
Control Direction The control direction for the specified port or ports. Possible values are both or in.
Maximum Users The maximum number of clients that can get authenticated on the port in the MAC-based 802.1X authentication mode. This value is used only when the port control mode is not MAC-based.
Unauthenticated VLAN ID Indicates the unauthenticated VLAN configured for this port. This value is valid for the port only when the port control mode is not MAC-based.
Session Timeout Indicates the time for which the given session is valid. The time period in seconds is returned by the RADIUS server on authentication of the port. This value is valid for the port only when the port control mode is not MAC-based.
Session Termination Action This value indicates the action to be taken once the session timeout expires. Possible values are Default, Radius-Request. If the value is Default, the session is terminated the port goes into unauthorized state. If the value is Radius-Request, then a re-authentication of the client authenticated on the port is performed. This value is valid for the port only when the port control mode is not MAC- based.
Supplicant MAC-Address The MAC-address of the supplicant.
Authenticator PAE State Current state of the authenticator PAE state machine. Possible values are Initialize, Disconnected, Connecting, Authenticating, Authenticated, Aborting, Held, ForceAuthorized, and ForceUnauthorized.
Backend Authentication State Current state of the backend authentication state machine. Possible values are Request, Response, Success, Fail, Timeout, Idle, and Initialize.
VLAN-Assigned The VLAN assigned to the client by the RADIUS server.
Logical Port The logical port number associated with the client.
Port The interface whose statistics are displayed.
EAPOL Frames Received The number of valid EAPOL frames of any type that have been received by this authenticator.
EAPOL Frames Transmitted The number of EAPOL frames of any type that have been transmitted by this authenticator.
EAPOL Start Frames Received The number of EAPOL start frames that have been received by this authenticator.
EAPOL Logoff Frames Received The number of EAPOL logoff frames that have been received by this authenticator.
Last EAPOL Frame Version The protocol version number carried in the most recently received EAPOL frame.
Last EAPOL Frame Source The source MAC address carried in the most recently received EAPOL frame.
EAP Response/Id Frames Received The number of EAP response/identity frames that have been received by this authenticator.
EAP Response Frames Received The number of valid EAP response frames (other than resp/id frames) that have been received by this authenticator.
EAP Request/Id Frames Transmitted The number of EAP request/identity frames that have been transmitted by this authenticator.
EAP Request Frames Transmitted The number of EAP request frames (other than request/identity frames) that have been transmitted by this authenticator.
Invalid EAPOL Frames Received The number of EAPOL frames that have been received by this authenticator in which the frame type is not recognized.
EAP Length Error Frames Received The number of EAPOL frames that have been received by this authenticator in which the frame type is not recognized.

show dot1x authentication-history

This command displays 802.1X authentication events and information during successful and unsuccessful 802.1X authentication process for all interfaces or the specified interface. Use the optional keywords to display only failure authentication events in summary or in detail.

show dot1x authentication-history {slot/port | all} [failed-auth-only] [detail]

Mode: Privileged EXEC

Parameters:

 

Time Stamp The exact time at which the event occurs.
Interface Physical Port on which the event occurs.
Mac-Address The supplicant/client MAC address.
VLAN assigned The VLAN assigned to the client/port on authentication.
VLAN assigned Reason The type of VLAN ID assigned, which can be Guest VLAN, Unauth, Default, RADIUS Assigned, or Montior Mode VLAN ID.
Auth Status The authentication status.
Reason The actual reason behind the successful or failed authentication.

show dot1x clients

This command displays 802.1X client information. This command also displays information about the number of clients that are authenticated using Monitor mode and using 802.1X.

show dot1x clients {slot/port | all}

Mode: Privileged EXEC

Parameters:

 

Clients Authenticated using Monitor Mode

Indicates the number of the 802.1X clients authenticated using Monitor mode.

Clients Authenticated using Dot1x

Indicates the number of 802.1X clients authenticated using 802.1x authentication process.

Logical Interface

The logical port number associated with a client.

Interface

The physical port to which the supplicant is associated.

User Name

The user name used by the client to authenticate to the server.

Supplicant MAC Address

The supplicant device MAC address.

Session Time

The time since the supplicant is logged on.

Filter ID

Identifies the Filter ID returned by the RADIUS server when the client was authenticated. This is a configured DiffServ policy name on the switch.

VLAN ID

The VLAN assigned to the port.

VLAN Assigned

The reason the VLAN identified in the VLAN ID field has been assigned to the port. Possible values are RADIUS, Unauthenticated VLAN, Monitor Mode, or Default. When the VLAN Assigned reason is Default, it means that the VLAN was assigned to the port because the P-VID of the port was that VLAN ID.

Session Timeout

This value indicates the time for which the given session is valid. The time period in seconds is returned by the RADIUS server on authentication of the port. This value is valid for the port only when the port-control mode is not MAC-based.

Session Termination Action

This value indicates the action to be taken once the session timeout expires. Possible values are Default and Radius-Request. If the value is Default, the session is terminated and client details are cleared. If the value is Radius-Request, then a reauthentication of the client is performed.

show dot1x users

This command displays 802.1X port security user information for locally configured users.

show dot1x users slot/port

Mode: Privileged EXEC

 

802.1X Supplicant Commands

Back to Top

EdgeSwitch supports 802.1X (“dot1x”) supplicant functionality on point-to-point ports. The administrator can configure the user name and password used in authentication and capabilities of the supplicant port.

dot1x pae

This command sets the port’s 802.1X role. The port can serve as either a supplicant or an authenticator.

dot1x pae {supplicant | authenticator}

Mode: Interface Config

dot1x supplicant port-control

This command sets the ports authorization state (Authorized or Unauthorized) either manually or by setting the port to auto-authorize upon startup. By default all the ports are authenticators. If the port’s attribute needs to be moved from authenticator to supplicant or from supplicant to authenticator, use this command.

dot1x supplicant port-control {auto | force-authorized | force_unauthorized}

Mode: Interface Config

Parameters:

 

auto The port is in the Unauthorized state until it presents its user name and password credentials to an authenticator. If the authenticator authorizes the port, then it is placed in the Authorized state.
force-authorized Sets the authorization state of the port to Authorized, bypassing the authentication process.
force-unauthorized Sets the authorization state of the port to Unauthorized, bypassing the authentication process.

dot1x supplicant max-start

This command configures the number of attempts that the supplicant makes to find the authenticator before the supplicant assumes that there is no authenticator.

dot1x supplicant max-start 1-10

Mode: Interface Config

Default: 3

dot1x supplicant timeout start-period

This command configures the start-period timer interval to wait for the EAP identity request from the authenticator.

dot1x supplicant timeout start-period 1-65535

Mode: Interface Config

Default: 30

dot1x supplicant timeout held-period

This command configures the held period timer interval to wait for the next authentication on previous authentication fail.

dot1x supplicant timeout held-period 1-65535

Mode: Interface Config

Default: 60

dot1x supplicant timeout auth-period

This command configures the authentication period timer interval to wait for the next EAP request challenge from the authenticator.

dot1x supplicant timeout auth-period 1-65535

Mode: Interface Config

Default: 30

dot1x supplicant user

Use this command to map the given user to the port.

dot1x supplicant user

Mode: Interface Config

show dot1x statistics

This command displays the 802.1X port statistics in detail.

show dot1x statistics slot/port

Modes: User / Privileged EXEC

Parameters:

 

EAPOL Frames Received Displays the number of valid EAPOL frames received on the port.
EAPOL Frames Transmitted Displays the number of EAPOL frames transmitted via the port.
EAPOL Start Frames Transmitted Displays the number of EAPOL Start frames transmitted via the port.
EAPOL Logoff Frames Received Displays the number of EAPOL Log off frames that have been received on the port.
EAP Resp/ID Frames Received Displays the number of EAP Respond ID frames that have been received on the port.
EAP Response Frames Received Displays the number of valid EAP Respond frames received on the port.
EAP Req/ID Frames Transmitted Displays the number of EAP Requested ID frames transmitted via the port.
EAP Req Frames Transmitted Displays the number of EAP Request frames transmitted via the port.
Invalid EAPOL Frames Received Displays the number of unrecognized EAPOL frames received on this port.
EAP Length Error Frames Received Displays the number of EAPOL frames with an invalid Packet Body Length received on this port.
Last EAPOL Frames Version Displays the protocol version number attached to the most recently received EAPOL frame.
Last EAPOL Frames Source Displays the source MAC Address attached to the most recently received EAPOL frame.

Storm-Control Command

Back to Top

This section describes commands you use to configure storm-control and view storm-control configuration information. A traffic storm is a condition that occurs when incoming packets flood the LAN, which creates performance degradation in the network. The Storm-Control feature protects against this condition.

The EdgeSwitch provides broadcast, multicast, and unicast story recovery for individual interfaces. Unicast Storm-Control protects against traffic whose MAC addresses are not known by the system. For broadcast, multicast, and unicast storm-control, if the rate of traffic ingressing on an interface increases beyond the configured threshold for that type, the traffic is dropped.

To configure storm-control, you will enable the feature for all interfaces or for individual interfaces, and you will set the threshold (storm-control level) beyond which the broadcast, multicast, or unicast traffic will be dropped. The Storm-Control feature allows you to limit the rate of specific types of packets through the switch on a per- port, per-type, basis.

Configuring a storm-control level also enables that form of storm-control. Disabling a storm-control level (using the no form of the command) sets the storm-control level back to the default value and disables that form of storm- control. Using the no form of the storm-control command (not stating a “level”) disables that form of storm-control but maintains the configured “level” (to be active the next time that form of storm-control is enabled.)

The actual rate of ingress traffic required to activate storm-control is based on the size of incoming packets and the hard-coded average packet size of 512 bytes – used to calculate a packet-per-second (pps) rate – as the forwarding-plane requires pps versus an absolute rate kbps. For example, if the configured limit is 10%, this is converted to ~25000 pps, and this pps limit is set in forwarding plane (hardware). You get the approximate desired output when 512-byte packets are used.

storm-control broadcast

Use this command to enable broadcast storm recovery mode for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode). If the mode is enabled, broadcast storm recovery is active and, if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of broadcast traffic will be limited to the configured threshold.

storm-control broadcast

Modes: Interface / Global Config

Default: Disabled

storm-control broadcast level

Use this command to configure the broadcast storm recovery threshold for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode) as a percentage of link speed and enable broadcast storm recovery. If the mode is enabled, broadcast storm recovery is active, and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic is dropped. Therefore, the rate of broadcast traffic is limited to the configured threshold.

storm-control broadcast level 0-100

Modes: Interface / Global Config

Default: 5

storm-control broadcast rate

Use this command to configure the broadcast storm recovery threshold for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode) in packets per second. If the mode is enabled, broadcast storm recovery is active, and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic is dropped. Therefore, the rate of broadcast traffic is limited to the configured threshold.

storm-control broadcast rate 0-33554431

Modes: Interface / Global Config

Default: 0

storm-control multicast

This command enables multicast storm recovery mode for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode). If the mode is enabled, multicast storm recovery is active, and if the rate of L2 multicast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of multicast traffic will be limited to the configured threshold.

storm-control multicast

Modes: Interface / Global Config

Default: Disabled

storm-control multicast level

This command configures the multicast storm recovery threshold for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode) as a percentage of link speed and enables multicast storm recovery mode. If the mode is enabled, multicast storm recovery is active, and if the rate of L2 multicast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of multicast traffic will be limited to the configured threshold.

storm-control multicast level 0-100

Modes: Interface / Global Config

Default: 5

storm-control multicast rate

Use this command to configure the multicast storm recovery threshold for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode) in packets per second. If the mode is enabled, multicast storm recovery is active, and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic is dropped. Therefore, the rate of multicast traffic is limited to the configured threshold.

storm-control multicast rate 0-33554431

Modes: Interface / Global Config

Default: 0

storm-control unicast

This command enables unicast storm recovery mode for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode). If the mode is enabled, unicast storm recovery is active, and if the rate of unknown L2 unicast (destination lookup failure) traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of unknown unicast traffic will be limited to the configured threshold.

storm-control unicast

Modes: Interface / Global Config

Default: Disabled

storm-control unicast level

This command configures the unicast storm recovery threshold for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode) as a percentage of link speed, and enables unicast storm recovery. If the mode is enabled, unicast storm recovery is active, and if the rate of unknown L2 unicast (destination lookup failure) traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of unknown unicast traffic will be limited to the configured threshold.This command also enables unicast storm recovery mode for an interface.

storm-control unicast level 0-100

Modes: Interface / Global Config

Default: 5

storm-control unicast rate

Use this command to configure the unicast storm recovery threshold for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode) in packets per second. If the mode is enabled, unicast storm recovery is active, and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic is dropped. Therefore, the rate of unicast traffic is limited to the configured threshold.

storm-control unicast rate 0-33554431

Modes: Interface / Global Config

Default: 0

show storm-control

This command displays the configured storm control settings.

show storm-control [all | slot/port]

Modes: Privileged EXEC

Parameters:

 

Broadcast Storm Control Mode / Bcast Mode Shows whether the broadcast storm control mode is enabled or disabled. The factory default is disabled.
Broadcast Storm Control Level / Bcast Level The broadcast storm control level.
Multicast Storm Control Mode / Mcast Mode Shows whether the multicast storm control mode is enabled or disabled.
Multicast Storm Control Level / Mcast Level The multicast storm control level.

Unicast Storm Control Mode / Ucast Mode

Shows whether the Unknown Unicast or DLF (Destination Lookup Failure) storm control mode is enabled or disabled.
Unicast Storm Control Level / Ucast Level The Unknown Unicast or DLF (Destination Lookup Failure) storm control level.

Port-Channel/LAG (802.3ad)Commands

Back to Top

This section describes the commands you use to configure port-channels, which is defined in the 802.3ad specification, and that are also known as link aggregation groups (LAGs). Link aggregation allows you to combine multiple full-duplex Ethernet links into a single logical link. Network devices treat the aggregation as if it were a single link, which increases fault tolerance and provides load sharing. The LAG feature initially load shares traffic based upon the source and destination MAC address. Assign the port-channel (LAG) VLAN membership after you create a port-channel. If you do not assign VLAN membership, the port-channel might become a member of the management VLAN which can result in learning and switching issues.

A port-channel (LAG) interface can be either static or dynamic, but not both. All members of a port channel must participate in the same protocols.) A static port-channel interface does not require a partner system to be able to aggregate its member ports. If you configure the maximum number of dynamic port-channels (LAGs) that your platform supports, additional port-channels that you configure are automatically static.

port-channel

This command configures a new port-channel (LAG) and generates a logical slot/port number for the port-channel. The name field is a character string which can contain alphanumeric characters and “-” (dash character). 

port-channel name

Mode: Global Config

addport

This command adds a physical port to a port-channel (LAG). 

addport {slot/port | lag lag-intf_num}

Mode: Interface Config

deleteport (Interface Config)

This command deletes a port or a range of ports from a port-channel (LAG).

deleteport {slot/port | lag lag-intf_num}

Mode: Interface Config

deleteport (Global Config)

This command deletes all configured ports from the port-channel (LAG). The interface is a logical slot/port number of a configured port-channel.

deleteport slot/port all

Mode: Global Config

lacp admin key

Use this command to configure the administrative value of the key for the port-channel. The value range of key is 0–65535.

lacp admin key key

Mode: LAG Interface Config

Default: 0x8000 / 32768

lacp collector max-delay

Use this command to configure the port-channel collector max delay. This command can be used to configure a single interface or a range of interfaces.The valid range of delay is 0–65535.

lacp collector max delay delay

Mode: LAG Interface Config

Default: 0x8000 / 32768

lacp actor admin key

Use this command to configure the administrative value of the LACP actor admin key on an interface or range of interfaces. The valid range for key is 0–65535.

lacp actor admin key key

Mode: LAG Interface Config

Default: Internal Interface Number of the Physical Port

lacp actor admin state individual

Use this command to set LACP actor admin state to individual.

lacp actor admin state individual

Mode: Interface Config

lacp actor admin state longtimeout

Use this command to set LACP actor admin state to longtimeout.

lacp actor admin state longtimeout

Mode: Interface Config

lacp actor admin state passive

Use this command to set the LACP actor admin state to passive.

lacp actor admin state passive

Mode: Interface Config

lacp actor admin state

Use this command to configure the administrative value of actor state as transmitted by the Actor in LACPDUs. This command can be used to configure a single interfaces or a range of interfaces.

lacp actor admin state {individual | longtimeout | passive}

Mode: Interface Config

lacp actor port priority

Use this command to configure the priority value assigned to the Aggregation Port for an interface or range of interfaces. The valid range for priority is 0 to 65535.

lacp actor port priority 0-65535

Mode: Interface Config

Default: 0x80 /128

lacp partner admin key

Use this command to configure the administrative value of the Key for the protocol partner. This command can be used to configure a single interface or a range of interfaces. The valid range for key is 0 to 65535.

lacp partner admin key key

Mode: Interface Config

Default: 0x0 / 0

lacp partner admin state individual

Use this command to set LACP partner admin state to individual.

lacp partner admin state individual

Mode: Interface Config

lacp partner admin state longtimeout

Use this command to set LACP partner admin state to long timeout.

lacp partner admin state longtimeout

Mode: Interface Config

lacp partner admin state passive

Use this command to set the LACP partner admin state to passive.

lacp partner admin state passive

Mode: Interface Config

lacp partner port id

Use this command to configure the LACP partner port ID. This command can be used to configure a single interface or a range of interfaces. The valid range for port-id is 0 to 65535.

lacp partner port-id port-id

Mode: Interface Config

Default: 0x80 / 128

lacp partner port priority

Use this command to configure the LACP partner port priority. This command can be used to configure a single interface or a range of interfaces. The valid range for priority is 0 to 65535.

lacp partner port priority priority

Mode: Interface Config

lacp partner system-id

Use this command to configure the 6-octet MAC Address value representing the administrative value of the Aggregation Port’s protocol Partner’s System ID. This command can be used to configure a single interface or a range of interfaces. The valid range of system-id is 00:00:00:00:00:00 to FF:FF:FF:FF:FF.

lacp partner system-id system-id

Mode: Interface Config

Default: 00:00:00:00:00:00

lacp partner system priority

Use this command to configure the administrative value of the priority associated with the Partner’s System ID. This command can be used to configure a single interface or a range of interfaces. The valid range for priority is 0 to 65535.

lacp partner system priority 0-65535

Mode: Interface Config

Default: 0x0 / 0

interface lag

Use this command to enter Interface configuration mode for the specified LAG.

interface lag lag-interface-number

Mode: Global Config

port-channel static

This command enables the static mode on a port-channel (LAG) interface or range of interfaces. By default the static mode for a new port-channel is enabled, which means the port-channel is static. If the maximum number of allowable dynamic port-channels are already present in the system, the static mode for a new port-channel is enabled, which means the port-channel is static. You can only use this command on port-channel interfaces.

port-channel static

Mode: Interface Config

Default: Disabled (on v1.7.4+ firmware)

port lacpmode

This command enables Link Aggregation Control Protocol (LACP) on a port or range of ports.

port lacpmode

Mode: Interface Config

port lacpmode enable all

This command enables Link Aggregation Control Protocol (LACP) on all ports.

port lacpmode enable all

Mode: Global Config

port lacptimeout (Interface Config)

This command sets the timeout on a physical interface or range of interfaces of a particular device type (actor or partner) to either long or short timeout.

port lacptimeout {actor | partner} {long | short}

Mode: Interface Config

Default: long

port lacptimeout (Global Config)

This command sets the timeout for all interfaces of a particular device type (actor or partner) to either long or short timeout.

port lacptimeout {actor | partner} {long | short}

Mode: Global Config

Default: long

port-channel adminmode all

This command enables all configured port-channels with the same administrative mode setting.

port-channel adminmode all

Mode: Global Config

port-channel linktrap

This command enables link trap notifications for the port-channel (LAG). The interface is a logical slot/port for a configured port-channel. The option all sets every configured port-channel to the same administrative mode setting.

port-channel linktrap {logical slot/port | all}

Mode: Global Config

port-channel load-balance

This command selects the load-balancing option used on a port-channel (LAG). Traffic is balanced on a port-channel (LAG) by selecting one of the links in the channel over which to transmit specific packets. The link is selected by creating a binary pattern from selected fields in a packet, and associating that pattern with a particular link. 

port-channel load-balance {1 | 2 | 3 | 4 | 5 | 6} {slot/port | all}

Modes: Global / LAG Interface Config

Parameters:

 

1 Source MAC, VLAN, EtherType, and incoming port associated with the packet
2 Destination MAC, VLAN, EtherType, and incoming port associated with the packet
3 Source/Destination MAC, VLAN, EtherType, and incoming port associated with the packet
4 Source IP and Source TCP/UDP fields of the packet
5 Destination IP and Destination TCP/UDP Port fields of the packet
6 Source/Destination IP and source/destination TCP/UDP Port fields of the packet
slot/port | all Global Config Mode only: The interface is a logical slot/port number of a configured port-channel; all applies the command to all currently configured port-channels.

port-channel local-preference

This command enables the local-preference mode on a port-channel (LAG) interface or range of interfaces. By default, the local-preference mode for a port-channel is disabled. 

port-channel local-preference

Mode: LAG Interface Config

Default: Disabled

port-channel min-links

This command configures the port-channel’s minimum amount of links.

port-channel min-links 1-8

Mode: LAG Interface Config

port-channel name

This command defines a name for the port-channel (LAG). The interface is a logical slot/port for a configured port-channel, and name is an alphanumeric string up to 15 characters. 

port-channel name {logical slot/port} name

Mode: Global Config

port-channel system priority

Use this command to configure port-channel system priority. The valid range of priority is 0-65535.

port-channel system priority priority

Mode: Global Config

Default: 0x8000 / 32768

show lacp actor

Use this command to display LACP actor attributes. 

show lacp actor {slot/port | all}

Mode: Privileged EXEC

Parameters:

 

System Priority The administrative value of the Key.
Actor Admin Key The administrative value of the Key.
Port Priority The priority value assigned to the Aggregation Port.
Admin State The administrative values of the actor state as transmitted by the Actor in LACPDUs.

show lacp partner

Use this command to display LACP partner attributes. 

show lacp partner {slot/port | all}

Mode: Privileged EXEC

Parameters:

 

System Priority The administrative value of priority associated with the Partner’s System ID.
System-ID Represents the administrative value of the Aggregation Port’s protocol Partner’s System ID.
Admin Key The administrative value of the Key for the protocol Partner.
Port Priority The administrative value of the Key for protocol Partner.
Port-ID The administrative value of the port number for the protocol Partner.
Admin State The administrative values of the actor state for the protocol Partner.

show port-channel brief

This command displays the static capability of all port-channel (LAG) interfaces on the device.
show port-channel brief

Mode: Privileged EXEC

Parameters:

 

Logical Interface The slot/port of the logical interface.
Port-channel Name The name of port-channel (LAG) interface.
Link-State Shows whether the link is up or down.
Trap Flag Shows whether trap flags are enabled or disabled.
Type Shows whether the port-channel is statically or dynamically maintained.
Mbr Ports The members of this port-channel.
Active Ports The ports that are actively participating in the port-channel.

show port-channel

This command displays an overview of all port-channels (LAGs) on the switch.

show port-channel {slot/port | lag lag-intf-num}

Mode: Privileged EXEC

Parameters:

 

Local Interface The valid slot/port number.
Channel Name The name of this port-channel (LAG). You may enter any string of up to 15 alphanumeric characters.
Link State Indicates whether the Link is up or down.
Admin Mode May be enabled or disabled. The factory default is enabled.
Type The status designating whether a particular port-channel (LAG) is statically or dynamically maintained.
Load Balance Option The load balance option associated with this LAG.
Local Preference Mode Indicates whether the local preference mode is enabled or disabled.
Mbr Ports A listing of the ports that are members of this port-channel (LAG), in slot/port notation. There can be a maximum of eight ports assigned to a given port-channel (LAG).
Device/Timeout For each port, lists the timeout (long or short) for Device Type (actor or partner).
Port Speed Speed of the port-channel port.
Port Active This field indicates if the port is actively participating in the port-channel (LAG).

show port-channel system priority

Use this command to display the port-channel system priority.

show port-channel system priority

Mode: Privileged EXEC

show port-channel counters

Use this command to display port-channel counters for the specified port.

show port-channel slot/port counters

Mode: Privileged EXEC

Parameters:

 

Local Interface The valid slot/port number.
Channel Name The name of this port-channel (LAG).
Link State Indicates whether the Link is up or down.
Admin Mode May be enabled or disabled. The factory default is enabled.
Port Channel Flap Count The number of times the port-channel was inactive.
Mbr Ports The slot/port for the port member.
Mbr Flap Counters The number of times a port member is inactive, either because the link is down, or the admin state is disabled.

clear port-channel counters

Use this command to clear and reset specified port-channel and member flap counters for the specified interface.

clear port-channel {lag lag-intf-num | slot/port} counters

Mode: Privileged EXEC

clear port-channel all counters

Use this command to clear and reset all port-channel and member flap counters for the specified interface.

clear port-channel all counters

Mode: Privileged EXEC

Port Mirroring Commands

Back to Top

Port mirroring, which is also known as port monitoring, selects network traffic that you can analyze with a network analyzer, such as a SwitchProbe device or other Remote Monitoring (RMON) probe.

monitor session

This command configures a probe port and a monitored port for monitor session (port monitoring). Use the source interface parameter to specify the interface to monitor. Use rx to monitor only ingress packets, or use tx to monitor only egress packets. If you do not specify an {rx|tx} option, the destination port monitors both ingress and egress packets. A VLAN can be configured as the source to a session (all member ports of that VLAN are monitored).

An IP/MAC ACL can be attached to a session. Use destination interface to specify the interface to receive the monitored traffic. Use the mode parameter to enable the administrative mode of the session. If enabled, the probe port monitors all the traffic received and transmitted on the physical monitored port. Use the filter parameter to filter a specified access group either by IP address or MAC address.

Remote port mirroring is configured by adding the RSPAN VLAN ID. At the source switch, the destination is configured as the RSPAN VLAN and at the destination switch, the source is configured as the RSPAN VLAN. The reflector-port is configured at the source switch. The port forwards the mirrored traffic towards the destination switch.

monitor session session-id { source {interface slot/port | vlan vlan-id | remote vlan vlan-id} [rx|tx] | destination {interface slot/port | remote vlan vlan-id reflector-port slot/port} | mode | filter {ip access-group {acl-id|acl-name} | mac access-group acl-name} }

Mode: Global Config

show monitor session

This command displays the Port monitoring information for a particular mirroring session. The session-id parameter is an integer value used to identify the session. 

show monitor session session-id

Mode: Privileged EXEC

Parameters:

 

Session ID An integer value used to identify the session.
Monitor Session Mode Indicates whether the Port Mirroring feature is enabled or disabled for the session.
Probe Port Probe port (destination port) for the session identified with session-id. If probe port is not set then this field is blank.
Source Port The port which is configured as mirrored port (source port) for the session identified with session-id. If no source port is configured for the session then this field is blank.
Type Direction in which source port configured for port mirroring. Types are “tx” for transmitted packets and “rx” for received packets.

show vlan remote-span

This command displays the configured RSPAN VLAN.

show vlan remote-span

Mode: Privileged EXEC

Static MAC Filtering Commands

Back to Top

The commands in this section describe how to configure static MAC filtering. Static MAC filtering allows you to configure destination ports for a static multicast MAC filter irrespective of the platform.

macfilter

This command adds a static MAC filter entry for the MAC address macaddr on the VLAN vlanid. The value of the macaddr parameter is a 6-byte hexadecimal number in the format of b1:b2:b3:b4:b5:b6. The restricted MAC Addresses are: 00:00:00:00:00:00, 01:80:C2:00:00:00 to 01:80:C2:00:00:0F, 01:80:C2:00:00:20 to 01:80:C2:00:00:21, and FF:FF:FF:FF:FF:FF. The vlanid parameter must identify a valid VLAN.

The number of static MAC filters supported on the system is different for MAC filters where source ports are configured and MAC filters where destination ports are configured:
- For unicast MAC address filters and multicast MAC address filters with source port lists, the maximum number of static MAC filters supported is 20.
- For multicast MAC address filters with destination ports configured, the maximum number of static filters supported is 256.
- can configure the following combinations:
- Unicast MAC and source port (max = 20)
- Multicast MAC and source port (max = 20)
- Multicast MAC and destination port (only) (max = 256)
- Multicast MAC and source ports and destination ports (max = 20)

macfilter macaddr vlanid

Mode: Global Config

macfilter adddest

Use this command to add the interface or range of interfaces to the destination filter set for the MAC filter with the given macaddr and VLAN of vlanid. The macaddr parameter must be specified as a 6-byte hexadecimal number in the format of b1:b2:b3:b4:b5:b6. The vlanid parameter must identify a valid VLAN. Configuring a destination port list is only valid for multicast MAC addresses.

macfilter adddest macaddr vlanid

Mode: Interface Config

macfilter adddest all

This command adds all interfaces to the destination filter set for the MAC filter with the given macaddr and VLAN of vlanid. The macaddr parameter must be specified as a 6-byte hexadecimal number in the format of b1:b2:b3:b4:b5:b6. The vlanid parameter must identify a valid VLAN. Configuring a destination port list is only valid for multicast MAC addresses.

macfilter adddest all macaddr vlanid

Mode: Global Config

macfilter addsrc

Use this command to add the interface or range of interfaces to the source filter set for the MAC filter with the given macaddr and VLAN of vlanid. The macaddr parameter must be specified as a 6-byte hexadecimal number in the format of b1:b2:b3:b4:b5:b6. The vlanid parameter must identify a valid VLAN. 

macfilter addsrc macaddr vlanid

Mode: Interface Config

macfilter addsrc all

This command adds all interfaces to the source filter set for the MAC filter with the given macaddr and VLAN of vlanid. The macaddr parameter must be specified as a 6-byte hexadecimal number in the format of b1:b2:b3:b4:b5:b6. The vlanid parameter must identify a valid VLAN.

macfilter addsrc all macaddr vlanid

Mode: Global Config

show mac-address-table static

This command displays the Static MAC Filtering information for all Static MAC Filters. If you specify all, all the Static MAC Filters in the system are displayed. If you supply a value for macaddr, you must also enter a value for vlanid, and the system displays Static MAC Filter information only for that MAC address and VLAN.

show mac-address-table static {macaddr vlanid | all}

Mode: Privileged EXEC

Parameters:

 

MAC Address The MAC Address of the static MAC filter entry.
VLAN ID The VLAN ID of the static MAC filter entry.
Source Port(s) The source port filter set’s slot and port(s).

show mac-address-table staticfiltering

This command displays the Static Filtering entries in the Multicast Forwarding Database (MFDB) table.

show mac-address-table staticfiltering

Mode: Privileged EXEC

Parameters:

 

VLAN ID The VLAN in which the MAC Address is learned.
MAC Address A unicast MAC address for which the switch has forwarding and or filtering information. As the data is gleaned from the MFDB, the address will be a multicast address. The format is six 2-digit hexadecimal numbers that are separated by colons, for example 01:23:45:67:89:AB.
Type The type of the entry. Static entries are those that are configured by the end user. Dynamic entries are added to the table as a result of a learning process or protocol.
Description The text description of this multicast table entry.
Interfaces The list of interfaces that are designated for forwarding (Fwd:) and filtering (Flt:).

DHCP Client Commands

Back to Top

The EdgeSwitch can include vendor and configuration information in DHCP client requests relayed to a DHCP server. This information is included in DHCP Option 60, Vendor Class Identifier. The information is a string of 128 octets.

dhcp client vendor-id-option

This command enables the inclusion of DHCP Option-60, Vendor Class Identifier included in the requests transmitted to the DHCP server by the DHCP client operating in the EdgeSwitch.

dhcp client vendor-id-option string

Mode: Global Config

dhcp client vendor-id-option-string

This parameter sets the DHCP Vendor Option-60 string to be included in the requests transmitted to the DHCP server by the DHCP client operating in the EdgeSwitch.

dhcp client vendor-id-option-string string

Mode: Global Config

show dhcp client vendor-id-option

This command displays the configured administration mode of the vendor-id-option and the vendor-id string to be included in Option-43 in DHCP requests.

show dhcp client vendor-id-option

Mode: Privileged EXEC

DHCP Snooping Configuration Commands

Back to Top

This section describes commands you use to configure DHCP Snooping.

ip dhcp snooping

Use this command to enable DHCP Snooping globally.

ip dhcp snooping

Mode: Global Config

Default: Disabled

ip dhcp snooping vlan

Use this command to enable DHCP Snooping on a list of comma-separated VLAN ranges.

ip dhcp snooping vlan vlan-list

Mode: Global Config

Default: Disabled

ip dhcp snooping verify mac-address

Use this command to enable verification of the source MAC address with the client hardware address in the received DCHP message.

ip dhcp snooping verify mac-address

Mode: Global Config

Default: Enabled

ip dhcp snooping database

Use this command to configure the persistent location of the DHCP Snooping database. This can be local or a remote file on a given IP machine.

ip dhcp snooping database {local|tftp://hostIP/filename}

Mode: Global Config

Default: local

ip dhcp snooping database write-delay

Use this command to configure the interval in seconds at which the DHCP Snooping database will be persisted. The interval value ranges from 15 to 86400 seconds.

ip dhcp snooping database write-delay interval

Mode: Global Config

Default: 300

ip dhcp snooping binding

Use this command to configure static DHCP Snooping binding.

ip dhcp snooping binding mac-address vlan vlan-id ip address interface interface-id

Mode: Global Config

ip dhcp filtering trust

Use this command to enable trusted mode on the interface.

ip dhcp filtering trust interface-id

Mode: Global Config

ip dhcp snooping limit

Use this command to control the rate at which the DHCP Snooping messages come on an interface or range of interfaces. By default, rate limiting is disabled. When enabled, the rate can range from 0 to 300 packets per second. The burst level range is 1 to 15 seconds.

ip dhcp snooping limit {rate pps [burst interval seconds]}

Mode: Interface Config

Default: Disabled

ip dhcp snooping log-invalid

Use this command to control the logging DHCP messages filtration by the DHCP Snooping application. This command can be used to configure a single interface or a range of interfaces.

ip dhcp snooping log-invalid

Mode: Interface Config

Default: Disabled

ip dhcp snooping trust

Use this command to configure an interface or range of interfaces as trusted.

ip dhcp snooping trust

Mode: Interface Config

Default: Disabled

show ip dhcp snooping

Use this command to display the DHCP Snooping global configurations and per port configurations.

show ip dhcp snooping

Modes: User / Privileged EXEC

Parameters:

 

Interface The interface for which data is displayed.
Trusted If it is enabled, DHCP snooping considers the port as trusted. The factory default is disabled.
Log Invalid Pkts If it is enabled, DHCP snooping application logs invalid packets on the specified interface.

show ip dhcp snooping binding

Use this command to display the DHCP Snooping binding entries.

show ip dhcp snooping binding [{static|dynamic}] [interface slot/port] [vlanid]

Modes: User / Privileged EXEC

Parameters:

 

MAC Address Displays the MAC address for the binding that was added. The MAC address is the key to the binding database.
IP Address Displays the valid IP address for the binding rule.
VLAN The VLAN for the binding rule.
Interface The interface to add a binding into the DHCP snooping interface.
Type Binding type; statically configured from the CLI or dynamically learned.
Lease Time (sec) The remaining lease time for the entry.

show ip dhcp snooping database

Use this command to display the DHCP Snooping configuration related to the database persistency.

show ip dhcp snooping database

Modes: User / Privileged EXEC

Parameters:

 

Agent URL Bindings database agent URL.
Write Delay The maximum write time to write the database into local or remote.

show ip dhcp snooping interfaces

Use this command to show the DHCP Snooping status of the interfaces.

show ip dhcp snooping interfaces

Mode: Privileged EXEC

show ip dhcp snooping statistics

Use this command to list statistics for DHCP Snooping security violations on untrusted ports.

show ip dhcp snooping statistics

Modes: User / Privileged EXEC

Parameters:

 

Interface The IP address of the interface in slot/port format.
MAC Verify Failures Represents the number of DHCP messages that were filtered on an untrusted interface because of source MAC address and client HW address mismatch.
Client Ifc Mismatch Represents the number of DHCP release and Deny messages received on the different ports than learned previously.
DHCP Server Msgs Rec’d Represents the number of DHCP server messages received on Untrusted ports.

clear ip dhcp snooping binding

Use this command to clear all DHCP Snooping bindings on all interfaces or on a specific interface.

clear ip dhcp snooping binding [interface slot/port]

Modes: User / Privileged EXEC

clear ip dhcp snooping statistics

Use this command to clear all DHCP Snooping statistics.

clear ip dhcp snooping statistics

Modes: User / Privileged EXEC

IGMP/MLD Snooping Commands

Back to Top

This section describes the commands you use to configure IGMP and MLD Snooping. The EdgeSwitch software supports IGMP Versions 1, 2, and 3. The IGMP Snooping feature can help conserve bandwidth because it allows the switch to forward IP multicast traffic only to connected hosts that request multicast traffic. IGMPv3 adds source filtering capabilities to IGMP versions 1 and 2.

Many of the IGMP/MLD Snooping commands are available both in the Interface and VLAN modes. Operationally the system chooses or prefers the VLAN configured values over the Interface configured values for most configurations when the interface participates in the VLAN.

set igmp

This command enables IGMP Snooping on the system (Global Config Mode), an interface, or a range of interfaces. This command also enables IGMP Snooping on a particular VLAN (VLAN Config Mode) and can enable IGMP Snooping on all interfaces participating in a VLAN.

If IGMP Snooping is enabled on an interface, enabling routing on the interface or giving the interface port- channel (LAG) membership disables the interface’s IGMP Snooping functionality. IGMP Snooping functionality is restored if routing is disabled or if port-channel (LAG) membership is removed from the interface.

The IGMP application supports the following activities:
- Validation of the IP header checksum (as well as the IGMP header checksum) and discarding of the frame upon checksum error.
- Maintenance of the forwarding table entries based on the MAC address versus the IP address.
- Flooding of unregistered multicast data packets to all ports in the VLAN. The optional vlan_id parameter is supported only in VLAN Database Config mode.

set igmp [vlan_id]

Modes: Global / Interface / VLAN Database Config

set igmp interfacemode

This command enables IGMP Snooping on all interfaces. If IGMP Snooping is enabled on an interface, enabling routing on the interface or giving it membership in a port-channel (LAG), disables the interface’s IGMP Snooping functionality. IGMP Snooping functionality is restored if routing is disabled or if port-channel (LAG) membership is removed from the interface.

set igmp interfacemode

Mode: Global Config

Default: Disabled

set igmp fast-leave

This command enables or disables IGMP Snooping fast-leave admin mode on a selected interface, a range of interfaces, or a VLAN. Enabling fast-leave allows the switch to immediately remove the Layer-2 LAN interface from its forwarding table entry upon receiving an IGMP leave message for that multicast group without first sending out MAC-based general queries to the interface.

You should enable fast-leave admin mode only on VLANs where only one host is connected to each Layer-2 LAN port. This prevents the inadvertent dropping of the other hosts that were connected to the same Layer-2 LAN port but were still interested in receiving multicast traffic directed to that group. Also, fast-leave processing is supported only with IGMP version 2 hosts. The optional vlan_id parameter is supported only in VLAN Config mode.

set igmp fast-leave [vlan_id]

Modes: Interface / VLAN Database Config

Default: Disabled

set igmp groupmembership-interval

This command sets the IGMP Group Membership Interval time on a VLAN, one interface, a range of interfaces, or all interfaces. The Group Membership Interval time is the amount of time in seconds that a switch waits for a report from a particular group on a particular interface before deleting the interface from the entry. This value must be greater than the IGMPv3 Maximum Response time value. The range is 2 to 65535 seconds. The optional vlan_id parameter is supported only in VLAN Config mode.

set igmp groupmembership-interval [vlan_id] 2-65535

Modes: Global / Interface / VLAN Database Config

Default: 260

set igmp maxresponse

This command sets the IGMP Maximum Response time for the system, on a particular interface or VLAN, or on a range of interfaces. The Maximum Response time is the amount of time in seconds that a switch will wait after sending a query on an interface because it did not receive a report for a particular group in that interface. This value must be less than the IGMP Query Interval time value. The range is 1 to 25 seconds. The optional vlan_id parameter is supported only in VLAN Config mode.

set igmp maxresponse [vlan_id] 1-25

Modes: Global / Interface / VLAN Database Config

set igmp mcrtrexpiretime

This command sets the Multicast Router Present Expiration time. The time is set for the system, on a particular interface or VLAN, or on a range of interfaces. This is the amount of time in seconds that a switch waits for a query to be received on an interface before the interface is removed from the list of interfaces with multicast routers attached. The range is 0 to 3600 seconds. A value of 0 indicates an infinite timeout; i.e., no expiration. The optional vlan_id parameter is supported only in VLAN Config mode.

set igmp mcrtrexpiretime [vlan_id] 0-3600

Modes: Global / Interface / VLAN Database Config

Default: 0

set igmp mrouter

This command configures the VLAN ID (vlan_id) that has the multicast router mode enabled.

set igmp mrouter vlan_id

Mode: Interface Config

set igmp mrouter interface

This command configures the interface or range of interfaces as a multicast router interface. When configured as a multicast router interface, the interface is treated as a multicast router interface in all VLANs.

set igmp mrouter interface

Mode: Interface Config

set igmp report-suppression

Use this command to suppress the IGMP reports on a given VLAN ID. In order to optimize the number of reports traversing the network with no added benefits, a Report Suppression mechanism is implemented. When more than one client responds to an MGMD query for the same Multicast Group address within the max-response-time, only the first response is forwarded to the query and others are suppressed at the switch.

set igmp report-suppression vlan_id

Mode: VLAN Database Config

Default: Disabled

show igmpsnooping

This command displays IGMP Snooping information for a given port or VLAN. Configured information is displayed whether or not IGMP Snooping is enabled.

show igmpsnooping [slot/port | vlan_id]

Mode: Privileged EXEC

Parameters:

 

Admin Mode Indicates whether or not IGMP Snooping is active on the switch.
Multicast Control Frame Count The number of multicast control frames that are processed by the CPU.
Interface Enabled for IGMP Snooping The list of interfaces on which IGMP Snooping is enabled.
VLANS Enabled for IGMP Snooping The list of VLANS on which IGMP Snooping is enabled.
IGMP Snooping Admin Mode Indicates whether IGMP Snooping is active on the interface or VLAN.
Fast Leave Mode Indicates whether IGMP Snooping Fast-leave is active.
Group Membership Interval The amount of time in seconds that a switch will wait for a report from a particular group on a particular interface or VLAN before deleting the entry. 
Maximum Response Time The amount of time the switch waits after it sends a query on an interface or VLAN because it did not receive a report for a particular group. 
Multicast Router Expiry Time The amount of time to wait before removing an interface or VLAN from the list with multicast routers attached. The interface is removed if a query is not received.
VLAN ID The VLAN ID.
Report Suppression Mode Indicates whether IGMP reports are enabled or not.

show igmpsnooping mrouter interface

This command displays information about statically configured ports.

show igmpsnooping mrouter interface slot/port

Mode: Privileged EXEC

Parameters:

 

Interface The port on which multicast router information is being displayed.
Multicast Router Attached Indicates whether multicast router is statically enabled on the interface.
VLAN ID The list of VLANs of which the interface is a member.

show igmpsnooping mrouter vlan

This command displays information about statically configured ports.

show igmpsnooping mrouter vlan slot/port

Mode: Privileged EXEC

show igmpsnooping ssm

This command displays information about Source Specific Multicasting (SSM) by entry, group, or statistics. SSM delivers multicast packets to receivers that originated from a source address specified by the receiver. SSM is only available with IGMPv3 and MLDv2.

show igmpsnooping ssm {entries | groups | stats}

Mode: Privileged EXEC

show mac-address-table igmpsnooping

This command displays the IGMP Snooping entries in the MFDB table.

show mac-address-table igmpsnooping

Mode: Privileged EXEC

Parameters:

 

VLAN ID The VLAN in which the MAC address is learned.
MAC Address A multicast MAC address for which the switch has forwarding or filtering information. The format is six 2-digit hexadecimal numbers that are separated by colons, for example 01:23:45:67:89:AB.
Type The type of the entry, which is either static (added by the user) or dynamic (added to the table as a result of a learning process or protocol).
Description The text description of this multicast table entry.
Interfaces The list of interfaces that are designated for forwarding (Fwd:) and filtering (Flt:).

set mld

This command enables MLD Snooping on the system (Global Config Mode), an interface, or a range of interfaces. This command also enables MLD Snooping on a particular VLAN (VLAN Config Mode) and can enable MLD Snooping on all interfaces participating in a VLAN.

set mld [vlan_id]

Modes: Global / Interface / VLAN Database Config

set mld interfacemode

This command enables MLD Snooping on all interfaces.

set mld interfacemode

Mode: Global Config

Default: Disabled

set mld fast-leave

This command enables or disables MLD Snooping fast-leave admin mode on a selected interface, a range of interfaces, or a VLAN. Enabling fast-leave allows the switch to immediately remove the Layer-2 LAN interface from its forwarding table entry upon receiving an MLD leave message for that multicast group without first sending out MAC-based general queries to the interface.

You should enable fast-leave admin mode only on VLANs where only one host is connected to each Layer-2 LAN port. This prevents the inadvertent dropping of the other hosts that were connected to the same Layer-2 LAN port but were still interested in receiving multicast traffic directed to that group. Also, fast-leave processing is supported only with MLD version 2 hosts. The optional vlan_id parameter is supported only in VLAN Config mode.

set mld fast-leave [vlan_id]

Modes: Interface / VLAN Database Config

Default: Disabled

set mld groupmembership-interval

This command sets the MLD Group Membership Interval time on a VLAN, one interface, a range of interfaces, or all interfaces. The Group Membership Interval time is the amount of time in seconds that a switch waits for a report from a particular group on a particular interface before deleting the interface from the entry. This value must be greater than the MLDv3 Maximum Response time value. The range is 2 to 65535 seconds. The optional vlan_id parameter is supported only in VLAN Config mode.

set mld groupmembership-interval [vlan_id] 2-65535

Modes: Global / Interface / VLAN Database Config

Default: 260

set mld maxresponse

This command sets the MLD Maximum Response time for the system, on a particular interface or VLAN, or on a range of interfaces. The Maximum Response time is the amount of time in seconds that a switch will wait after sending a query on an interface because it did not receive a report for a particular group in that interface. This value must be less than the MLD Query Interval time value. The range is 1 to 65 seconds. The optional vlan_id parameter is supported only in VLAN Config mode.

set mld maxresponse [vlan_id] 1-65

Modes: Global / Interface / VLAN Database Config

Default: 10

set mld mcrtrexpiretime

This command sets the Multicast Router Present Expiration time. The time is set for the system, on a particular interface or VLAN, or on a range of interfaces. This is the amount of time in seconds that a switch waits for a query to be received on an interface before the interface is removed from the list of interfaces with multicast routers attached. The range is 0 to 3600 seconds. A value of 0 indicates an infinite timeout; i.e., no expiration. The optional vlan_id parameter is supported only in VLAN Config mode.

set mld mcrtrexpiretime [vlan_id] 0-3600

Modes: Global / Interface / VLAN Database Config

Default: 0

set mld mrouter

This command configures the VLAN ID (vlan_id) that has the multicast router mode enabled.

set mld mrouter vlan_id

Mode: Interface Config

set mld mrouter interface

This command configures the interface or range of interfaces as a multicast router interface. When configured as a multicast router interface, the interface is treated as a multicast router interface in all VLANs.

set mld mrouter interface

Mode: Interface Config

show mldsnooping

This command displays MLD Snooping information for a given port or VLAN. Configured information is displayed whether or not MLD Snooping is enabled.

show mldsnooping [slot/port | vlan_id]

Mode: Privileged EXEC

Parameters:

 

Admin Mode Indicates whether or not MLD Snooping is active on the switch.
Multicast Control Frame Count The number of multicast control frames that are processed by the CPU.
Interface Enabled for MLD Snooping The list of interfaces on which MLD Snooping is enabled.
VLANS Enabled for MLD Snooping The list of VLANS on which MLD Snooping is enabled.
MLD Snooping Admin Mode Indicates whether MLD Snooping is active on the interface or VLAN.
Fast Leave Mode Indicates whether MLD Snooping Fast-leave is active.
Group Membership Interval The amount of time in seconds that a switch will wait for a report from a particular group on a particular interface or VLAN before deleting the entry. 
Maximum Response Time The amount of time the switch waits after it sends a query on an interface or VLAN because it did not receive a report for a particular group. 
Multicast Router Expiry Time The amount of time to wait before removing an interface or VLAN from the list with multicast routers attached. The interface is removed if a query is not received.
VLAN ID The VLAN ID.

show mldsnooping mrouter interface

This command displays information about statically configured ports.

show mldsnooping mrouter interface slot/port

Mode: Privileged EXEC

Parameters:

 

Interface The port on which multicast router information is being displayed.
Multicast Router Attached Indicates whether multicast router is statically enabled on the interface.
VLAN ID The list of VLANs of which the interface is a member.

show mldsnooping mrouter vlan

This command displays information about statically configured ports.

show mldsnooping mrouter vlan slot/port

Mode: Privileged EXEC

show mac-address-table mldsnooping

This command displays the MLD Snooping entries in the MFDB table.

show mac-address-table mldsnooping

Mode: Privileged EXEC

Parameters:

 

VLAN ID The VLAN in which the MAC address is learned.
MAC Address A multicast MAC address for which the switch has forwarding or filtering information. The format is six 2-digit hexadecimal numbers that are separated by colons, for example 01:23:45:67:89:AB.
Type The type of the entry, which is either static (added by the user) or dynamic (added to the table as a result of a learning process or protocol).
Description The text description of this multicast table entry.
Interfaces The list of interfaces that are designated for forwarding (Fwd:) and filtering (Flt:).

IGMP/MLD Snooping Querier Commands

Back to Top

IGMP and MLD Snooping requires that one central switch or router periodically query all end-devices on the network to announce their multicast memberships. This central device is the IGMP/MLD Querier. The query responses, known as reports, keep the switch updated with the current multicast group membership on a port- by-port basis. If the switch does not receive updated membership information in a timely fashion, it will stop forwarding multicasts to the port where the end device is located.

This section describes commands used to configure and display information on IGMP and MLD Snooping Queriers on the network and, separately, on VLANs.

Many of the IGMP/MLD Snooping commands are available both in the Interface and VLAN modes. Operationally the system chooses or prefers the VLAN configured values over the Interface configured values for most configurations when the interface participates in the VLAN.

set igmp querier

Use this command to enable IGMP Snooping Querier on the system, using Global Config mode, or on a VLAN. Using this command, you can specify the IP Address that the Snooping Querier switch should use as the source address while generating periodic queries.
If IGMP Snooping Querier is enabled on a VLAN, disabling IGMP Snooping on the VLAN also disables the VLAN’s IGMP Snooping Querier functionality. The VLAN’s IGMP Snooping Querier functionality is restored if IGMP Snooping again becomes operational on the VLAN.

The Querier IP Address assigned for a VLAN takes precedence over global configuration. The IGMP Snooping Querier application supports sending periodic general queries on the VLAN to solicit membership reports.


set igmp querier [vlan-id] [address ipv4_address]

Modes: Global / VLAN Database Config

Default: Disabled

set igmp querier query-interval

Use this command to set the IGMP Querier Query Interval time. It is the amount of time in seconds that the switch waits before sending another general query.

set igmp querier query-interval 1-1800

Mode: Global Config

Default: 60

set igmp querier timer expiry

Use this command to set the IGMP Querier timer expiration period. It is the time period that the switch remains in Non-Querier mode once it has discovered that there is a Multicast Querier in the network.

set igmp querier timer expiry 60-300

Mode: Global Config

Default: 125

set igmp querier version

Use this command to set the IGMP version of the query that the snooping switch is going to send periodically.

set igmp querier version 1-2

Mode: Global Config

Default: 1

set igmp querier election participate

Use this command to enable the Snooping Querier to participate in the Querier Election process when it discovers the presence of another Querier in the VLAN. When this mode is enabled, if the Snooping Querier finds that the other Querier’s source address is better (less) than the Snooping Querier’s address, it stops sending periodic queries. If the Snooping Querier wins the election, then it will continue sending periodic queries.

set igmp querier election participate

Mode: VLAN Database Config

Default: Disabled

show igmpsnooping querier

Use this command to display IGMP Snooping Querier information. Configured information is displayed whether or not IGMP Snooping Querier is enabled.

show igmpsnooping querier [{detail | vlan vlanid}]

Mode: Privileged EXEC

 

Admin Mode Indicates whether or not IGMP Snooping Querier is active on the switch.
Admin Version The version of IGMP that will be used while sending out the queries.
Querier Address The IP Address which will be used in the IPv4 header while sending out IGMP queries. It can be configured using the appropriate command.
Query Interval The amount of time in seconds that a Snooping Querier waits before sending out the periodic general query.
Querier Timeout The amount of time to wait in the Non-Querier operational state before moving to a Querier state.
VLAN Admin Mode Indicates whether iGMP Snooping Querier is active on the VLAN.
VLAN Operational State Indicates whether IGMP Snooping Querier is in “Querier” or “Non-Querier” state. When the switch is in Querier state, it will send out periodic general queries. When in Non-Querier state, it will wait for moving to Querier state and does not send out any queries.
VLAN Operational Max Response Time Indicates the time to wait before removing a Leave from a host upon receiving a Leave request. This value is calculated dynamically from the Queries received from the network. If the Snooping Switch is in Querier state, then it is equal to the configured value.
Querier Election Participation Indicates whether the IGMP Snooping Querier participates in querier election if it discovers the presence of a querier in the VLAN.
Querier VLAN Address The IP address will be used in the IPv4 header while sending out IGMP queries on this VLAN. It can be configured using the appropriate command.
Operational Version The version of IGMP will be used while sending out IGMP queries on this VLAN.
Last Querier Address Indicates the IP address of the most recent Querier from which a Query was received.
Last Querier Version Indicates the IGMP version of the most recent Querier from which a Query was received on this VLAN.

set mld querier

Use this command to enable MLD Snooping Querier on the system, using Global Config mode, or on a VLAN. Using this command, you can specify the IPv6 Address that the Snooping Querier switch should use as the source address while generating periodic queries.

The Querier IPv6 Address assigned for a VLAN takes precedence over global configuration. The MLD Snooping Querier application supports sending periodic general queries on the VLAN to solicit membership reports.


set mld querier [vlan-id] [address ipv6_address]

Modes: Global / VLAN Database Config

Default: Disabled

set mld querier query-interval

Use this command to set the MLD Querier Query Interval time. It is the amount of time in seconds that the switch waits before sending another general query.

set mld querier query-interval 1-1800

Mode: Global Config

Default: 60

set mld querier timer expiry

Use this command to set the MLD Querier timer expiration period. It is the time period that the switch remains in Non-Querier mode once it has discovered that there is a Multicast Querier in the network.

set mld querier timer expiry 60-300

Mode: Global Config

Default: 60

set mld querier election participate

Use this command to enable the Snooping Querier to participate in the Querier Election process when it discovers the presence of another Querier in the VLAN. When this mode is enabled, if the Snooping Querier finds that the other Querier’s source address is better (less) than the Snooping Querier’s address, it stops sending periodic queries. If the Snooping Querier wins the election, then it will continue sending periodic queries.

set mld querier election participate

Mode: VLAN Database Config

Default: Disabled

show mldsnooping querier

Use this command to display MLD Snooping Querier information. Configured information is displayed whether or not MLD Snooping Querier is enabled.

show mldsnooping querier [{detail | vlan vlanid}]

Mode: Privileged EXEC

 

Admin Mode Indicates whether or not MLD Snooping Querier is active on the switch.
Admin Version The version of MLD that will be used while sending out the queries.
Querier Address The IP Address which will be used in the IPv6 header while sending out MLD queries. It can be configured using the appropriate command.
Query Interval The amount of time in seconds that a Snooping Querier waits before sending out the periodic general query.
Querier Timeout The amount of time to wait in the Non-Querier operational state before moving to a Querier state.
VLAN Admin Mode Indicates whether iGMP Snooping Querier is active on the VLAN.
VLAN Operational State Indicates whether MLD Snooping Querier is in “Querier” or “Non-Querier” state. When the switch is in Querier state, it will send out periodic general queries. When in Non-Querier state, it will wait for moving to Querier state and does not send out any queries.
VLAN Operational Max Response Time Indicates the time to wait before removing a Leave from a host upon receiving a Leave request. This value is calculated dynamically from the Queries received from the network. If the Snooping Switch is in Querier state, then it is equal to the configured value.
Querier Election Participation Indicates whether the MLD Snooping Querier participates in querier election if it discovers the presence of a querier in the VLAN.
Querier VLAN Address The IP address will be used in the IPv4 header while sending out MLD queries on this VLAN. It can be configured using the appropriate command.
Operational Version The version of MLD will be used while sending out MLD queries on this VLAN.
Last Querier Address Indicates the IP address of the most recent Querier from which a Query was received.
Last Querier Version Indicates the MLD version of the most recent Querier from which a Query was received on this VLAN.

Port Security Commands

Back to Top

This section describes the command you use to configure Port Security on the switch. Port security, which is also known as port MAC locking, allows you to secure the network by locking allowable MAC addresses on a given port. Packets with a matching source MAC address are forwarded normally, and all other packets are discarded.

port-security

This command enables port locking on an interface, a range of interfaces, or at the system level.

port-security

Modes: Global / Interface Config

Default: Disabled

port-security max-dynamic

This command sets the maximum number of dynamically locked MAC addresses allowed on a specific port. The valid range is 0–600.

port-security max-dynamic maxvalue

Mode: Interface Config

Default: 600

port-security max-static

This command sets the maximum number of statically locked MAC addresses allowed on a port. The valid range is 0–20.

port-security max-static maxvalue

Mode: Interface Config

port-security mac-address

This command adds a MAC address to the list of statically locked MAC addresses for an interface or range of interfaces. The vid parameter is the VLAN ID.

port-security mac-address mac-address vid

Mode: Interface Config

port-security mac-address move

This command converts dynamically locked MAC addresses to statically locked addresses for an interface or range of interfaces.

port-security mac-address move

Mode: Interface Config

port-security mac-address sticky

This command enables sticky mode Port MAC Locking on a port. If accompanied by a MAC address and a VLAN ID (for Interface Config mode only), it adds a sticky MAC address to the list of statically locked MAC addresses. These sticky addresses are converted back to dynamically locked addresses if sticky mode is disabled on the port. The vid parameter is the VLAN ID. The Global command applies the sticky mode to all valid interfaces (physical and LAG). 

Dynamically learned sticky addresses will appear in show running-config output as port-security mac-address sticky mac-address vid entries. This distinguishes them from static entries.


port-security mac-address sticky [mac-address vid]

Modes: Global / Interface Config

show port-security

This command displays the port-security settings for the port(s). If you do not use a parameter, the command displays the Port Security Administrative mode. Use the optional parameters to display the settings on a specific interface or on all interfaces. 

show port-security [{slot/port | all}]

Mode: Privileged EXEC

Parameters:

 

Admin Mode Port Locking mode for the interface or system.
Dynamic Limit Maximum dynamically allocated MAC Addresses.
Static Limit Maximum statically allocated MAC Addresses.
Violation Trap Mode Whether violation traps are enabled.
Sticky Mode The administrative mode of the port security Sticky Mode feature on the interface.

show port-security dynamic

This command displays the dynamically locked MAC addresses for the port.

show port-security dynamic slot/port

Mode: Privileged EXEC

show port-security static

This command displays the statically locked MAC addresses for port.

show port-security static slot/port

Mode: Privileged EXEC

show port-security violation

This command displays the source MAC address of the last packet discarded on a locked port.

show port-security violation slot/port

Mode: Privileged EXEC

LLDP (802.1AB) Commands

Back to Top

This section describes the command you use to configure Link Layer Discovery Protocol (LLDP), which is defined in the IEEE 802.1AB specification. LLDP allows stations on an 802 LAN to advertise major capabilities and physical descriptions. The advertisements allow a network management system (NMS) to access and display this information.

lldp transmit

Use this command to enable the LLDP advertise capability on an interface or a range of interfaces.

lldp transmit

Mode: Interface Config

Default: Enabled (on v1.8.0+ firmware)

lldp receive

Use this command to enable the LLDP receive capability on an interface or a range of interfaces.

lldp receive

Mode: Interface Config

Default: Enabled (on v1.8.0+ firmware)

lldp timers

Use this command to set the timing parameters for local data transmission on ports enabled for LLDP.

lldp timers [interval interval-seconds] [hold hold-value] [reinit reinit-seconds]

Mode: Global Config

Default: interval: 30 seconds / hold: 4 / reinit: 2 seconds

Parameters:

 

interval Determines the number of seconds to wait between transmitting local data LLDPDUs. The range is 1-32768 seconds. 
hold The multiplier on the transmit interval that sets the TTL in local data LLDPDUs. The multiplier range is 2-10. 
reinit Delay before reinitialization. The range is 1-10 seconds.

lldp transmit-tlv

Use this command to specify which optional type length values (TLVs) in the 802.1AB basic management set are transmitted in the LLDPDUs from an interface or range of interfaces.

lldp transmit-tlv [sys-desc] [sys-name] [sys-cap] [port-desc] [port-vlan] [power-mdi]

Mode: Interface Config

Default: port-vlan TLV is included

Parameters:

 

port-desc Include/Exclude LLDP port description TLV.
port-vlan Include/Exclude LLDP port VLAN ID TLV.
power-mdi Include/Exclude LLDP power via MDI TLV.
sys-cap   Include/Exclude LLDP system capabilities TLV.
sys-desc  Include/Exclude LLDP system description TLV.
sys-name  Include/Exclude LLDP system name TLV.

lldp transmit-mgmt

Use this command to include transmission of the local system management address information in the LLDPDUs.

lldp transmit-mgmt

Mode: Interface Config

Default: Disabled

lldp notification

Use this command to enable remote data change notifications on an interface or a range of interfaces.

lldp notification

Mode: Interface Config

Default: Disabled

lldp notification-interval

Use this command to configure how frequently the system sends remote data change notifications. The interval parameter is the number of seconds to wait between sending notifications. The valid interval range is 5-3600 seconds.

lldp notification-interval interval

Mode: Global Config

Default: 5

clear lldp statistics

Use this command to reset all LLDP statistics, including MED-related information.

clear lldp statistics

Mode: Privileged EXEC

clear lldp remote-data

Use this command to delete all information from the LLDP remote data table, including MED-related information.

clear lldp remote-data

Mode: Privileged EXEC

show lldp

Use this command to display a summary of the current LLDP configuration.

show lldp

Mode: Privileged EXEC

Parameters:

 

Transmit Interval How frequently the system transmits local data LLDPDUs, in seconds.
Transmit Hold Multiplier The multiplier on the transmit interval that sets the TTL in local data LLDPDUs.
Re-initialization Delay The delay before reinitialization, in seconds.
Notification Interval How frequently the system sends remote data change notifications, in seconds.

show lldp interface

Use this command to display a summary of the current LLDP configuration for a specific interface or for all interfaces.

show lldp interface {slot/port | all}

Mode: Privileged EXEC

Parameters:

 

Interface The interface in a slot/port format.
Link Shows whether the link is up or down.
Transmit Shows whether the interface transmits LLDPDUs.
Receive Shows whether the interface receives LLDPDUs.
Notify Shows whether the interface sends remote data change notifications.
TLVs Shows whether the interface sends optional TLVs in the LLDPDUs. 
Mgmt Shows whether the interface transmits system management address information in the LLDPDUs.

show lldp statistics

Use this command to display the current LLDP traffic and remote table statistics for a specific interface or for all interfaces.

show lldp statistics {slot/port | all}

Mode: Privileged EXEC

Parameters:

 

Last Update The amount of time since the last update to the remote table in days, hours, minutes, and seconds.
Total Inserts Total number of inserts to the remote data table.
Total Deletes Total number of deletes from the remote data table.
Total Drops Total number of times the complete remote data received was not inserted due to insufficient resources.
Total Ageouts Total number of times a complete remote data entry was deleted because the Time to Live interval expired.
Interface The interface in slot/port format.
Transmit Total Total number of LLDP packets transmitted on the port.
Receive Total Total number of LLDP packets received on the port.
Discards Total number of LLDP frames discarded on the port for any reason.
Errors The number of invalid LLDP frames received on the port.
Ageouts Total number of times a complete remote data entry was deleted for the port because the Time to Live interval expired.
TVL Discards The number of TLVs discarded.
TVL Unknowns Total number of LLDP TLVs received on the port where the type value is in the reserved range, and not recognized.

show lldp remote-device

Use this command to display summary information about remote devices that transmit current LLDP data to the system. You can show information about LLDP remote data received on all ports or on a specific port.

show lldp remote-device {slot/port | all}

Mode: Privileged EXEC

Parameters:

 

Local Interface The interface that received the LLDPDU from the remote device.
RemID An internal identifier to the switch to mark each remote device to the system.
Chassis ID The ID that is sent by a remote device as part of the LLDP message, it is usually a MAC address of the device.
Port ID The port number that transmitted the LLDPDU.
System Name The system name of the remote device.

show lldp remote-device detail

Use this command to display detailed information about remote devices that transmit current LLDP data to an interface on the system.

show lldp remote-device detail slot/port

Mode: Privileged EXEC

Parameters:

 

Local Interface The interface that received the LLDPDU from the remote device.
Remote Identifier An internal identifier to the switch to mark each remote device to the system.
Chassis ID Subtype The type of identification used in the Chassis ID field.
Chassis ID The chassis of the remote device.
Port ID Subtype The type of port on the remote device.
Port ID The port number that transmitted the LLDPDU.
System Name The system name of the remote device.
System Description Describes the remote system by identifying the system name and versions of hardware, operating system, and networking software supported in the device.
Port Description Describes the port in an alpha-numeric format. The port description is configurable.
System Capabilities Supported Indicates the primary function(s) of the device.
System Capabilities Enabled Shows which of the supported system capabilities are enabled.
Management Address For each interface on the remote device with an LLDP agent, lists the type of address the remote LLDP agent uses and specifies the address used to obtain information related to the device.
Time To Live The amount of time (in seconds) the remote device’s information received in the LLDPDU should be treated as valid information.

show lldp local-device

Use this command to display summary information about the advertised LLDP local data. This command can display summary information or detail for each interface.

show lldp local-device {slot/port | all}

Mode: Privileged EXEC

show lldp local-device detail

Use this command to display detailed information about the LLDP data a specific interface transmits.

show lldp local-device detail slot/port

Mode: Privileged EXEC

Parameters:

 

Interface The interface that sends the LLDPDU.
Chassis ID Subtype The type of identification used in the Chassis ID field.
Chassis ID The chassis of the local device.
Port ID Subtype The type of port on the local device.
Port ID The port number that transmitted the LLDPDU.
System Name The system name of the local device.
System Description Describes the local system by identifying the system name and versions of hardware, operating system, and networking software supported in the device.
Port Description Describes the port in an alpha-numeric format.
System Capabilities Supported Indicates the primary function(s) of the device.
System Capabilities Enabled Shows which of the supported system capabilities are enabled.
Management Address The type of address and the specific address the local LLDP agent uses to send and receive information.

LLDP-MED Commands

Back to Top

Link Layer Discovery Protocol - Media Endpoint Discovery (LLDP-MED) (ANSI-TIA-1057) provides an extension to the LLDP standard. Specifically, LLDP-MED provides extensions for network configuration and policy, device location, Power over Ethernet (PoE) management and inventory management.

lldp med confignotification

Use this command to configure an interface or a range of interfaces to send the topology change notification.

lldp med confignotification

Mode: Interface Config

Default: Disabled

lldp med transmit-tlv

Use this command to specify which optional Type Length Values (TLVs) in the LLDP MED set will be transmitted in the Link Layer Discovery Protocol Data Units (LLDPDUs) from this interface or a range of interfaces.

lldp med transmit-tlv [capabilities] [inventory] [network-policy] [ubnt-ex-pse]

Mode: Interface Config

Default: capabilities, network-policy and inventory TLVs are enabled 

Parameters:

 

capabilities   Include/Exclude LLDP capabilities TLV.
inventory      Include/Exclude LLDP inventory TLV.
network-policy Include/Exclude LLDP network policy TLV.
ubnt-ex-pse    Include/Exclude LLDP UBNT extended PSE TLV.

lldp med confignotification all

Use this command to configure all the ports to send the topology change notification.

lldp med confignotification all

Mode: Global Config

Default: Disabled

lldp med faststartrepeatcount

Use this command to set the value of the fast start repeat count. The count is the number of LLDP PDUs that will be transmitted when the product is enabled. The range is 1 to 10.

lldp med faststartrepeatcount [count]

Mode: Global Config

Default: 3

lldp med transmit-tlv all

Use this command to specify which optional Type Length Values (TLVs) in the LLDP MED set will be transmitted in the Link Layer Discovery Protocol Data Units (LLDPDUs).

lldp med transmit-tlv all [capabilities] [inventory] [network-policy] [ubnt-ex-pse]

Mode: Global Config

Default: capabilities, network-policy and inventory TLVs are enabled 

Parameters:

 

capabilities   Include/Exclude LLDP capabilities TLV.
inventory      Include/Exclude LLDP inventory TLV.
network-policy Include/Exclude LLDP network policy TLV.
ubnt-ex-pse    Include/Exclude LLDP UBNT extended PSE TLV.

show lldp med

Use this command to display a summary of the current LLDP MED configuration.

show lldp med

Mode: Privileged EXEC

show lldp med interface

Use this command to display a summary of the current LLDP MED configuration for a specific interface.

show lldp med interface {slot/port | all}

Mode: Privileged EXEC

show lldp med local-device detail

Use this command to display detailed information about the LLDP MED data that a specific interface transmits.

show lldp med local-device detail slot/port

Mode: Privileged EXEC

show lldp med remote-device

Use this command to display the summary information about remote devices that transmit current LLDP MED data to the system. You can show information about LLDP MED remote data received on all valid LLDP interfaces or on a specific physical interface.

show lldp med remote-device {slot/port | all}

Mode: Privileged EXEC

Parameters:

 

Local Interface The interface that received the LLDPDU from the remote device.
Remote ID An internal identifier to the switch to mark each remote device to the system.
Device Class Device classification of the remote device.

show lldp med remote-device detail

Use this command to display detailed information about remote devices that transmit current LLDP MED data to an interface on the system.

show lldp med remote-device detail slot/port

Mode: Privileged EXEC

Denial of Service Commands

Back to Top

This section describes the commands you use to configure Denial of Service (DoS) Control. The EdgeSwitch software provides support for classifying and blocking specific types of Denial of Service attacks.

You can configure your system to monitor and block these types of attacks:

  • SIP = DIP: Source IP address = Destination IP address.
  • First Fragment: TCP Header size smaller then configured value.
  • TCP Fragment: IP Fragment Offset = 1.
  • TCP Flag: TCP Flag SYN set and Source Port < 1024 or TCP Control Flags = 0 and TCP Sequence
  • Number = 0 or TCP Flags FIN, URG, and PSH set and TCP Sequence Number = 0 or TCP Flags SYN and FIN set.
  • L4 Port: Source TCP/UDP Port = Destination TCP/UDP Port.
  • ICMP: Limiting the size of ICMP Ping packets.
  • SMAC = DMAC: Source MAC address = Destination MAC address.
  • TCP Port: Source TCP Port = Destination TCP Port.
  • UDP Port: Source UDP Port = Destination UDP Port.
  • TCP Flag & Sequence: TCP Flag SYN set and Source Port < 1024 or TCP Control Flags = 0 and TCP
  • Sequence Number = 0 or TCP Flags FIN, URG, and PSH set and TCP Sequence Number = 0 or TCP Flags SYN and FIN set.
  • TCP Offset: TCP Header Offset = 1.
  • TCP SYN: TCP Flag SYN set.
  • TCP SYN & FIN: TCP Flags SYN and FIN set.
  • TCP FIN & URG & PSH: TCP Flags FIN and URG and PSH set and TCP Sequence Number = 0.
  • ICMP V6: Limiting the size of ICMPv6 Ping packets.
  • ICMP Fragment: Checks for fragmented ICMP packets.

dos-control all

This command enables Denial of Service protection checks globally.

dos-control all

Mode: Global Config

Default: Disabled

dos-control sipdip

This command enables Source IP address = Destination IP address (SIP = DIP) Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress with SIP = DIP, the packets will be dropped if the mode is enabled.

dos-control sipdip

Mode: Global Config

Default: Disabled

dos-control firstfrag

This command enables Minimum TCP Header Size Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having a TCP Header Size smaller then the configured value, the packets will be dropped if the mode is enabled. The default is disabled. If you enable dos-control firstfrag, but do not provide a Minimum TCP Header Size, the system sets that value to 20.

dos-control firstfrag [0-255]

Mode: Global Config

Default: Disabled, 20 if enabled.

dos-control tcpfrag

This command enables TCP Fragment Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having IP Fragment Offset equal to one (1), the packets will be dropped if the mode is enabled.

dos-control tcpfrag

Mode: Global Config

Default: Disabled

dos-control tcpflag

This command enables TCP Flag Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attacks. If packets ingress having TCP Flag SYN set and a source port less than 1024 or having TCP Control Flags set to 0 and TCP Sequence Number set to 0 or having TCP Flags FIN, URG, and PSH set and TCP Sequence Number set to 0 or having TCP Flags SYN and FIN both set, the packets will be dropped if the mode is enabled.

dos-control tcpflag

Mode: Global Config

Default: Disabled

dos-control l4port

This command enables L4 Port Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having Source TCP/UDP Port Number equal to Destination TCP/ UDP Port Number, the packets will be dropped if the mode is enabled.

Some applications mirror source and destination L4 ports – RIP for example uses 520 for both. If you enable dos-control l4port, applications such as RIP may experience packet loss which would render the application inoperable.


dos-control l4port

Mode: Global Config

Default: Disabled

dos-control smacdmac

This command enables Source MAC address = Destination MAC address (SMAC = DMAC) Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress with SMAC = DMAC, the packets will be dropped if the mode is enabled.

dos-control smacdmac

Mode: Global Config

Default: Disabled

dos-control tcpport

This command enables TCP L4 source = destination port number (Source TCP Port = Destination TCP Port) Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress with Source TCP Port = Destination TCP Port, the packets will be dropped if the mode is enabled.

dos-control tcpport

Mode: Global Config

Default: Disabled

dos-control udpport

This command enables UDP L4 source = destination port number (Source UDP Port = Destination UDP Port) DoS protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress with Source UDP Port = Destination UDP Port, the packets will be dropped if the mode is enabled.

dos-control udpport

Mode: Global Config

Default: Disabled

dos-control tcpflagseq

This command enables TCP Flag and Sequence Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having TCP Flag SYN set and a source port less than 1024 or having TCP Control Flags set to 0 and TCP Sequence Number set to 0 or having TCP Flags FIN, URG, and PSH set and TCP Sequence Number set to 0 or having TCP Flags SYN and FIN both set, the packets will be dropped if the mode is enabled.

dos-control tcpflagseq

Mode: Global Config

Default: Disabled

dos-control tcpoffset

This command enables TCP Offset Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having TCP Header Offset equal to one (1), the packets will be dropped if the mode is enabled.

dos-control tcpoffset

Mode: Global Config

Default: Disabled

dos-control tcpsyn

This command enables TCP SYN and L4 source = 0-1023 Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having TCP flag SYN set and an L4 source port from 0 to 1023, the packets will be dropped if the mode is enabled.

dos-control tcpsyn

Mode: Global Config

Default: Disabled

dos-control tcpsynfin

This command enables TCP SYN and FIN Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having TCP flags SYN and FIN set, the packets will be dropped if the mode is enabled.

dos-control tcpsynfin

Mode: Global Config

Default: Disabled

dos-control tcpfinurgpsh

This command enables TCP FIN and URG and PSH and SEQ = 0 checking Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having TCP FIN, URG, and PSH all set and TCP Sequence Number set to 0, the packets will be dropped if the mode is enabled.

dos-control tcpfinurgpsh

Mode: Global Config

Default: Disabled

dos-control icmpv4

This command enables Maximum ICMPv4 Packet Size Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If ICMPv4 Echo Request (PING) packets ingress having a size greater than the configured value, the packets will be dropped if the mode is enabled.

dos-control icmpv4 0-16376

Mode: Global Config

Default: Disabled, 512 if enabled

dos-control icmpv6

This command enables Maximum ICMPv6 Packet Size Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If ICMPv6 Echo Request (PING) packets ingress having a size greater than the configured value, the packets will be dropped if the mode is enabled.

dos-control icmpv6 0-16376

Mode: Global Config

Default: Disabled, 512 if enabled

dos-control icmpfrag

This command enables ICMP Fragment Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having fragmented ICMP packets, the packets will be dropped if the mode is enabled.

dos-control icmpfrag

Mode: Global Config

show dos-control

This command displays Denial of Service configuration information.

show dos-control

Mode: Privileged EXEC

Parameters:

 

First Fragment Mode The administrative mode of First Fragment DoS prevention. When enabled, this causes the switch to drop packets that have a TCP header smaller then the configured Min TCP Hdr Size.
Min TCP Hdr Size The minimum TCP header size the switch will accept if First Fragment DoS prevention is enabled.
ICMPv4 Mode The administrative mode of ICMPv4 DoS prevention. When enabled, this causes the switch to drop ICMP packets that have a type set to ECHO_REQ (ping) and a size greater than the configured ICMPv4 Payload Size.
Max ICMPv4 Payload Size The maximum ICMPv4 payload size to accept when ICMPv4 DoS protection is enabled.
ICMPv6 Mode The administrative mode of ICMPv6 DoS prevention. When enabled, this causes the switch to drop ICMP packets that have a type set to ECHO_REQ (ping) and a size greater than the configured ICMPv6 Payload Size.
Max ICMPv6 Payload Size The maximum ICMPv6 payload size to accept when ICMPv6 DoS protection is enabled.
ICMPv4 Fragment Mode The administrative mode of ICMPv4 Fragment DoS prevention. When enabled, this causes the switch to drop fragmented ICMPv4 packets.
TCP Port Mode The administrative mode of TCP Port DoS prevention. When enabled, this causes the switch to drop packets that have the TCP source port equal to the TCP destination port.
UDP Port Mode The administrative mode of UDP Port DoS prevention. When enabled, this causes the switch to drop packets that have the UDP source port equal to the UDP destination port.
SIPDIP Mode The administrative mode of SIP=DIP DoS prevention. Enabling this causes the switch to drop packets that have a source IP address equal to the destination IP address. The factory default is disabled.
SMACDMAC Mode The administrative mode of SMAC=DMAC DoS prevention. Enabling this causes the switch to drop packets that have a source MAC address equal to the destination MAC address.
TCP FIN&URG& PSH Mode The administrative mode of TCP FIN & URG & PSH DoS prevention. Enabling this causes the switch to drop packets that have TCP flags FIN, URG, and PSH set and TCP Sequence Number = 0.
TCP Flag & Sequence Mode The administrative mode of TCP Flag DoS prevention. Enabling this causes the switch to drop packets that have TCP control flags set to 0 and TCP sequence number set to 0.
TCP SYN Mode The administrative mode of TCP SYN DoS prevention. Enabling this causes the switch to drop packets that have TCP Flags SYN set.
TCP SYN & FIN Mode The administrative mode of TCP SYN & FIN DoS prevention. Enabling this causes the switch to drop packets that have TCP Flags SYN and FIN set.
TCP Fragment Mode The administrative mode of TCP Fragment DoS prevention. Enabling this causes the switch to drop packets that have an IP fragment offset equal to 1.
TCP Offset Mode The administrative mode of TCP Offset DoS prevention. Enabling this causes the switch to drop packets that have a TCP header Offset equal to 1.

MAC Database Commands

Back to Top

This section describes the commands you use to configure and view information about the MAC databases.

bridge aging-time

This command configures the forwarding database address aging timeout in seconds. The seconds parameter must be within the range of 10 to 1,000,000 seconds.

bridge aging-time 10-1000000

Mode: Global Config

Default: 300

show forwardingdb agetime

This command displays the timeout for address aging.

show forwardingdb agetime

Mode: Privileged EXEC

Parameters:

 

Forwarding DB ID Fdbid (Forwarding database ID) indicates the forwarding database whose aging timeout is to be shown. The all option is used to display the aging timeouts associated with all forwarding databases. 
Agetime Displays the address aging timeout for the associated forwarding database. 

show mac-address-table multicast

This command displays the Multicast Forwarding Database (MFDB) information. If you enter the command with no parameter, the entire table is displayed. You can display the table entry for one MAC address by specifying the MAC address as an optional parameter.

show mac-address-table multicast [macaddr]

Mode: Privileged EXEC

Parameters:

 

VLAN ID The VLAN in which the MAC address is learned.
MAC Address A multicast MAC address for which the switch has forwarding or filtering information. The format is six 2-digit hexadecimal numbers that are separated by colons, for example 01:23:45:67:89:AB.
Type The type of the entry. Static entries are those that are configured by the end user. Dynamic entries are added to the table as a result of a learning process or protocol.
Component The component that is responsible for this entry in the Multicast Forwarding Database. Possible values are IGMP Snooping, GMRP, and Static Filtering.
Description The text description of this multicast table entry.
Interfaces The list of interfaces that are designated for forwarding (Fwd:) and filtering (Flt:).
Forwarding Interfaces The resultant forwarding list is derived from combining all the component’s forwarding interfaces and removing the interfaces that are listed as the static filtering interfaces.

show mac-address-table stats

This command displays the Multicast Forwarding Database (MFDB) statistics.

show mac-address-table stats

Mode: Privileged EXEC

Parameters:

 

Total Entries The total number of entries that can possibly be in the Multicast Forwarding Database table.
Most MFDB Entries Ever Used The largest number of entries that have been present in the Multicast Forwarding Database table. This value is also known as the MFDB high-water mark.
Current Entries The current number of entries in the MFDB.

Power over Ethernet (PoE) Commands

Back to Top

This section lists the available PoE commands on the EdgeSwitch.

poe opmode

This command sets the PoE operational mode on specific port(s).

poe opmode {auto | passive24V | shutdown}

Mode: Interface Config

Default: auto

Parameters:

 

auto Configure auto for PoE operational mode.
passive24v Configure passive 24V mode for PoE operation mode.
shutdown Disable PoE power on specific port.

poe powerkeeper

This command enables or disables the PoE powerkeeper feature, which keeps the PoE output power on during a software initiated reboot (reload).

poe powerkeeper

Mode: Global Config

Default: Enabled

 

poe reset

This command turns the PoE off and on using a specified timer between 1 and 60 seconds.

poe reset 1-60

Mode: Interface Config

 

poe watchdog

This command configures the PoE watchdog feature, which verifies the reachability of a certain host and power cycles the port when reachability is lost. 

poe watchdog [ address ipaddr|hostname | failure-count 1-3600 | interval 1-3600 | off-delay 1-60 | start-delay 1-65535 ]

Mode: Interface Config

Parameters:

 

address IP address or hostname to ping.
failure-count Failures count before power-cycle.
interval Interval between pings.
off-delay Power off delay.
start-delay Ping start delay.

show poe counters

This command displays the related counters of PoE status on the port(s).

show poe counters {all | intf-range}

Mode: Privileged EXEC

Parameters:

 

Intf The valid PoE slot/port number.
MPS Absent Number of times the powered device has no longer requested power from the port (MPS is the Maintenance Power Signature.)
Invalid Signature Counter of invalid signature in specific PoE port.
Power Denied Counter of power denied in specific PoE port.
Over Load Counter of over loading in specific PoE port.
Short Counter Counter of short in specific PoE port.

clear poe counters

This command clears the related counter of PoE status on specific port(s).

clear poe counters {all | intf-range}

Mode: Privileged EXEC

show poe port

This command displays the PoE configuration of specific ports.

show poe port {all | intf-range}

Mode: Privileged EXEC

Parameters:

 

Intf The valid PoE slot/port number.
OP Mode PoE Operational Mode
HP Enable High Power Enable
HP Mode High Power Mode
Detect Enable Detect Enable
Disconnect Enable Disconnect Enable
Class Enable Class Enable

show poe status

This command displays the PoE status on specific ports.

show poe status {all | intf-range}

Mode: Privileged EXEC

Parameters:

 

Intf The valid PoE slot/port number.
Detection Detection Status
Class Class status
Consumed(W) Consumed Power
Voltage(V) Port Voltage
Current(mA) Port Current
Temperature(C) Temperature

DHCP L2 Relay Commands

Back to Top

This section describes the commands you use for the DHCP L2 Relay feature.

dhcp l2relay (Global Config)

Use this command to enable DHCP L2 Relay feature globally.

dhcp l2relay

Mode: Global Config

Default: Disabled

dhcp l2relay (Interface Config)

Use this command to enable DHCP L2 Relay feature on the port.

dhcp l2relay

Mode: Interface Config

Default: Disabled

dhcp l2relay trust

Use this command to enable this interface to be trusted for L2 Relay (Option 82).

dhcp l2relay trust

Mode: Interface Config

dhcp l2relay circuit-id

Use this command to enable the circuit-id suboption of DHCP Option 82 on the specified VLAN.

dhcp l2relay circuit-id vlan vlan-id

Mode: Global Config

dhcp l2relay remote-id

Use this command to enable the remote-id suboption of DHCP Option-82 on the specified VLAN.

dhcp l2relay remote-id string vlan vlan-id

Mode: Global Config

dhcp l2relay vlan

Use this command to enable the DHCP L2 Relay feature on the specified VLAN(s).

dhcp l2relay vlan vlan-range

Mode: Global Config

show dhcp l2relay 

Display DHCP L2 Relay configuration for a certain VLAN or interface.

show dhcp l2relay [all | agent-option vlan vlan-range |  circuit-id vlan vlan-range | remote-id vlan vlan-range | interface {all | slot/port} | vlan vlan-range | stats {interface {all | slot/port}} ]

Mode: Privileged EXEC

Dynamic ARP Inspection (DAI) and IP Source Guard Commands

Back to Top

This section describes the commands you use for the Dynamic ARP Inspection (DAI) and IP Source Guard features.

ip arp inspection vlan

Use this command to enable DAI on a VLAN or range of VLANs and optionally enable logging of invalid ARP packets.

ip arp inspection vlan vlan-list [logging]

Mode: Global Config

Default: Disabled

ip arp inspection validate

Enable additional DAI validation based on source, destination MAC addresses and/or IP addresses.

ip arp inspection validate [src-mac | dst-mac | ip]

Mode: Global Config

ip arp inspection filter

Apply an ARP Access-List to a VLAN or range of VLANs. The static keyword specifies if the ARP ACL filter is static on a VLAN.

ip arp inspection filter arp-acl vlan vlan-list [static]

Mode: Global Config

arp access-list

Use this command to create an ARP Access-List.

arp access-list name

Mode: Global Config

permit (ARP Access-List Config)

Use this command to add a rule for a valid IP address and MAC address combination.

permit ip host ipaddr mac host macaddr 

Mode: ARP Access-List Config

ip arp inspection trust

Use this command to configure a port as trusted for DAI.

ip arp inspection trust

Mode: Interface Config

Default: Untrusted

ip arp inspection limit rate

Use this command to configure the DAI rate limit and burst interval values for an interface.

ip arp inspection limit rate rate

Mode: Interface Config

show ip arp inspection vlan

Use this command to display the Dynamic ARP Inspection (DAI) configuration for a VLAN or range of VLANs.

show ip arp inspection vlan vlan-range

Mode: Privileged EXEC

show ip arp inspection interfaces

Use this command to display DAI configuration on an interface.

show ip arp inspection interfaces slot/port

Mode: Privileged EXEC

show ip arp inspection statistics

Use this command to display the statistics of the ARP packets that are processed by DAI.

show ip arp inspection statistics [vlan vlan-range]

Mode: Privileged EXEC

show ip arp inspection

Use this command to show the global DAI configuration.

show ip arp inspection

Mode: Privileged EXEC

ip verify binding

Use this command to add a static IP Source Guard binding entry.

ip verify binding macaddr vlan vlan ipaddr interface slot/port

Mode: Global Config

ip verify source

Use this command to enable IP Source Guard verification on an interface. The port-security keyword also enabled MAC source verification.

ip verify source [port-security]

Mode: Interface Config

show ip verify

Use this command to display the IP Source Guard entries.

show ip verify [ interface slot/port | source {interface slot/port} ]

Mode: Privileged EXEC

IPv6 ND RA Guard Commands

Back to Top

This section describes the commands you use for the IPv6 ND RA Guard feature.

ipv6 nd raguard attach-policy

Use this command to configure the IPv6 RA GUARD host mode on an interface. Apply on ports that connect to hosts that should not be allowed to send Router Advertisements (RAs).

ipv6 nd raguard attach-policy 

Mode: Interface Config

show ip verify

Use this command to display the interfaces where the IPv6 ND RA Guard feature is enabled.

show ipv6 nd raguard policy 

Mode: Privileged EXEC

routing.png  Routing Commands

Back to Top

This chapter describes the routing commands available in the EdgeSwitch CLI.

Address Resolution Protocol Commands

Back to Top

This section describes the commands you use to configure Address Resolution Protocol (ARP) and to view ARP information on the switch. ARP associates IP addresses with MAC addresses and stores the information as ARP entries in the ARP cache.

arp

This command creates an ARP entry. The value for ipaddress is the IP address of a device on a subnet attached to an existing routing interface. The parameter macaddr is a unicast MAC address for that device.

arp ipaddress macaddr

Mode: Global Config

arp cachesize

This command configures the ARP cache size. 

arp cachesize value

Mode: Global Config

arp dynamicrenew

This command enables the ARP component to automatically renew dynamic ARP entries when they age out. When an ARP entry reaches its maximum age, the system must decide whether to retain or delete the entry. If the entry has recently been used to forward data packets, the system will renew the entry by sending an ARP request to the neighbor. If the neighbor responds, the age of the ARP cache entry is reset to 0 without removing the entry from the hardware. Traffic to the host continues to be forwarded in hardware without interruption. If the entry is not being used to forward data packets, then the entry is deleted from the ARP cache, unless the dynamic renew option is enabled.

If the dynamic renew option is enabled, the system sends an ARP request to renew the entry. When an entry is not renewed, it is removed from the hardware and subsequent data packets to the host trigger an ARP request. Traffic to the host may be lost until the router receives an ARP reply from the host. Gateway entries, entries for a neighbor router, are always renewed. The dynamic renew option applies only to host entries.

The disadvantage of enabling dynamic renew is that once an ARP cache entry is created, that cache entry continues to take space in the ARP cache as long as the neighbor continues to respond to ARP requests, even if no traffic is being forwarded to the neighbor. In a network where the number of potential neighbors is greater than the ARP cache capacity, enabling dynamic renew could prevent some neighbors from communicating because the ARP cache is full.

arp dynamicrenew

Mode: Global Config

Default: Disabled

arp purge

This command causes the specified IP address to be removed from the ARP cache. Only entries of type dynamic or gateway are affected by this command.

arp purge ipaddr

Mode: Privileged EXEC

arp resptime

This command configures the ARP request response timeout.

arp resptime 1-10

Mode: Global Config

Default: 1

arp retries

This command configures the ARP count of maximum request for retries.

arp retries 0-10

Mode: Global Config

Default: 4

arp timeout

This command configures the ARP entry ageout time in seconds.

arp timeout 15-21600

Mode: Global Config

Default: 1200

clear arp-cache

This command causes all ARP entries of type dynamic to be removed from the ARP cache. If the gateway keyword is specified, the dynamic entries of type gateway are purged as well.

clear arp-cache [gateway]

Mode: Privileged EXEC

clear arp-switch

Use this command to clear the contents of the switch’s Address Resolution Protocol (ARP) table that contains entries learned through the Management port. 

clear arp-switch

Mode: Privileged EXEC

show arp

This command displays the Address Resolution Protocol (ARP) cache. The displayed results are not the total ARP entries. To view the total ARP entries, the operator should view the show arp results in conjunction with the show arp switch results.

show arp

Mode: Privileged EXEC

Parameters:

 

Age Time (seconds) The time (in seconds) it takes for an ARP entry to age out. This value is configurable.
Response Time (seconds) The time (in seconds) it takes for an ARP request timeout. This value is configurable.
Retries The maximum number of times an ARP request is retried. This value is configurable.
Cache Size The maximum number of entries in the ARP table. This value is configurable.
Dynamic Renew Mode Displays whether the ARP component automatically attempts to renew dynamic ARP entries when they age out.
Total Entry Count Current/Peak The total entries in the ARP table and the peak entry count in the ARP table.
Static Entry Count Current/Max The static entry count in the ARP table and maximum static entry count in the ARP table.
IP Address The IP address of a device on a subnet attached to an existing routing interface.
MAC Address The hardware MAC address of that device.
Interface The routing slot/port associated with the device ARP entry.
Type The type that is configurable. The possible values are Local, Gateway, Dynamic and Static.
Age The current age of the ARP entry since last refresh (in hh:mm:ss format)

show arp brief

This command displays the brief Address Resolution Protocol (ARP) table information.

show arp brief

Mode: Privileged EXEC

Parameters:

 

Age Time (seconds) The time (in seconds) it takes for an ARP entry to age out. This value is configurable.
Response Time (seconds) The time (in seconds) it takes for an ARP request timeout. This value is configurable.
Retries The maximum number of times an ARP request is retried. This value is configurable.
Cache Size The maximum number of entries in the ARP table. This value is configurable.
Dynamic Renew Mode Displays whether the ARP component automatically attempts to renew dynamic ARP entries when they age out.
Total Entry Count Current/ Peak The total entries in the ARP table and the peak entry count in the ARP table.
Static Entry Count Current/ Max The static entry count in the ARP table and maximum static entry count in the ARP table.

show arp switch

This command displays the contents of the switch’s Address Resolution Protocol (ARP) table.

show arp switch

Mode: Privileged EXEC

Parameters:

 

IP Address The IP address of a device on a subnet attached to the switch.
MAC Address The hardware MAC address of that device.
Interface The routing slot/port associated with the device’s ARP entry.

IP Routing Commands

Back to Top

This section describes the commands you use to enable and configure IP routing on the switch.

routing

This command enables IP routing for an interface or range of interfaces. 

routing

Mode: Interface Config

Default: Disabled

ip routing

This command enables the IP Router Admin Mode for the master switch.

ip routing

Mode: Global Config

Default: Disabled

ip address

This command configures an IP address on an interface or range of interfaces. You can also use this command to configure one or more secondary IP addresses on the interface by specifying the secondary option.

ip address ipaddr {subnetmask | /masklen} [secondary]

Mode: Interface Config

ip address dhcp

This command enables the DHCPv4 client on an in-band interface so that it can acquire network information, such as the IP address, subnet mask, and default gateway, from a network DHCP server. When DHCP is enabled on the interface, the system automatically deletes all manually configured IPv4 addresses on the interface.

ip address dhcp [client-id]

Mode: Global Config

ip default-gateway

This command manually configures a default gateway for the switch. Only one default gateway can be configured.

The system installs a default IPv4 route with the gateway address as the next hop address. The route preference is 253. A default gateway configured with this command is more preferred than a default gateway learned from a DHCP server.


ip default-gateway ipaddr

Mode: Global Config

release dhcp

Use this command to force the DHCPv4 client to release the leased address from the specified interface or VLAN.

release dhcp slot/port | vlan vlanid

Mode: Privileged EXEC

renew dhcp

Use this command to force the DHCPv4 client to immediately renew an IPv4 address lease on the specified interface, VLAN, or the network/management interface.

renew dhcp [ slot/port | vlan vlanid | network-port ]

Mode: Privileged EXEC

ip route

This command configures a static route. The ipaddr parameter is a valid IP address, and subnetmask is a valid subnet mask. The nexthopip parameter is a valid IP address of the next hop router. Specifying Null0 for the nexthopip parameter adds a discard route.

The optional preference parameter is an integer value (from 1 to 255) that allows you to specify the preference/distance value of an individual static route. The default preference is 1.

ip route ipaddr subnetmask [nexthopip | Null0] [preference]

Mode: Global Config

ip route default

This command configures a static route. The nexthopip parameter is a valid IP address of the next hop router. The optional preference parameter is an integer value (from 1 to 255) that allows you to specify the preference/distance value of an individual static route. The default preference is 1.

ip route default nexthopip [preference]

Mode: Global Config

ip route distance

This command sets the default distance (preference) for newly added static routes. Changing the default distance does not update the distance of existing static routes.

ip route distance 1-255

Mode: Global Config

Default: 1

ip netdirbcast

This command enables the forwarding of network-directed broadcasts on an interface or range of interfaces. When enabled, network directed broadcasts are forwarded. When disabled, they are dropped.

ip netdirbcast

Mode: Interface Config

Default: Disabled

ip mtu

This command sets the IP Maximum Transmission Unit (MTU) in bytes on a routed interface.

The IP MTU size refers to the maximum size of the IP packet (IP header + IP payload). It does not include any extra bytes that may be required for Layer-2 headers. To receive and process packets, the Ethernet MTU must take into account the size of the Ethernet header.


ip mtu 68-9198

Mode: Interface Config

Default: 1500

show dhcp lease

This command displays a list of IPv4 addresses currently leased from a DHCP server on a specific in-band interface or all in-band interfaces.

show dhcp lease [interface slot/port]

Mode: Privileged EXEC

Parameters:

 

IP address, Subnet mask The IP address and network mask leased from the DHCP server.
DHCP Lease server The IPv4 address of the DHCP server that leased the address.
State State of the DHCPv4 Client on this interface.
DHCP transaction ID The transaction ID of the DHCPv4 Client.
Lease The time (in seconds) that the IP address was leased by the server.
Renewal The time (in seconds) when the next DHCP renew Request is sent by DHCPv4 Client to renew the leased IP address.
Rebind The time (in seconds) when the DHCP Rebind process starts.
Retry count Number of times the DHCPv4 client sends a DHCP REQUEST message before the server responds.

show ip brief

This command displays all the summary information of the IP, including the ICMP rate limit configuration and the global ICMP Redirect configuration.

show ip brief

Modes: User / Privileged EXEC

Parameters:

 

Default Time to Live The computed TTL (Time to Live) of forwarding a packet from the local router to the final destination.
Routing Mode Shows whether the routing mode is enabled or disabled.
Maximum Next Hops The maximum number of next hops the packet can travel.
Maximum Routes The maximum number of routes the packet can travel.
ICMP Rate Limit Interval Shows how often the token bucket is initialized with burst-size tokens. Burst-interval is from 0 to 2147483647 milliseconds. The default burst-interval is 1000 msec.
ICMP Rate Limit Burst Size Shows the number of ICMPv4 error messages that can be sent during one burst-interval. The range is from 1 to 200 messages. The default value is 100 messages.
ICMP Echo Replies Shows whether ICMP Echo Replies are enabled or disabled.
ICMP Redirects Shows whether ICMP Redirects are enabled or disabled.

show ip interface

This command displays all pertinent information about the IP interface or routed VLAN.

show ip interface {slot/port | vlan 1-4093}

Modes: User / Privileged EXEC

Parameters:

 

Routing Interface Status Determine the operational status of IPv4 routing Interface. 
Primary IP Address The primary IP address and subnet masks for the interface. 
Method Shows whether the IP address was configured manually or acquired from a DHCP server.
Routing Mode The administrative mode of router interface participation. 
Administrative Mode The administrative mode of the specified interface.
Forward Net Directed Broadcasts Displays whether forwarding of network-directed broadcasts is enabled (Enable) or disabled (Disable). This value is configurable.
Active State Displays whether the interface is Active or Inactive. An interface is considered active if its link is up and it is in forwarding state.
Link Speed Data Rate An integer representing the physical link data rate of the specified interface. This is measured in Megabits per second (Mbps).
MAC Address The burned-in physical address of the specified interface. The format is six 2-digit hexadecimal numbers that are separated by colons.
Encapsulation Type The encapsulation type for the specified interface.
IP MTU The maximum transmission unit (MTU) size of a frame, in bytes.
Bandwidth Shows the bandwidth of the interface.
Destination Unreachables Displays whether ICMP Destination Unreachables may be sent (Enabled or Disabled).
ICMP Redirects Displays whether ICMP Redirects may be sent (Enabled or Disabled).
DHCP Client Identifier The client identifier is displayed in the output of the command only if DHCP is enabled with the client-id option. 

show ip interface brief

This command displays summary information about IP configuration settings for all ports in the router, and indicates how each IP address was assigned.

show ip interface brief

Modes: User / Privileged EXEC

Parameters:

 

Interface Valid slot and port number separated by a forward slash.
State Routing operational state of the interface.
IP Address The IP address of the routing interface in 32-bit dotted decimal format.
IP Mask The IP mask of the routing interface in 32-bit dotted decimal format.
Method Indicates how each IP address was assigned. 

show ip route

This command displays the routing table. When you use the longer-prefixes keyword, the ip-address and mask pair becomes the prefix, and the command displays the routes to the addresses that match that prefix. Use the protocol parameter to specify the protocol that installed the routes. The value for protocol can be connected or static. Use the all parameter to display all routes including best and nonbest routes.

show ip route [{ip-address [protocol] | {ip-address mask [longer-prefixes] [protocol] | protocol} [all] | all}]

Modes: User / Privileged EXEC

Parameters:

 

Code The codes for the routing protocols that created the routes.
Default Gateway The IP address of the default gateway. When the system does not have a more specific route to a packet’s destination, it sends the packet to the default gateway.
IP-Address/Mask The IP-Address and mask of the destination network corresponding to this route.
Preference The administrative distance associated with this route. Routes with low values are preferred over routes with higher values.
Metric The cost associated with this route.
via Next-Hop The outgoing router IP address to use when forwarding traffic to the next router (if any) in the path toward the destination.
Route-Timestamp The last updated time for dynamic routes. 
Interface The outgoing router interface to use when forwarding traffic to the next destination. For reject routes, the next hop interface would be Null0 interface.

show ip route summary

This command displays a summary of the state of the routing table. When the optional all keyword is given, some statistics, such as the number of routes from each source, include counts for alternate routes.

show ip route summary [all]

Modes: User / Privileged EXEC

Parameters:

 

Connected Routes The total number of connected routes in the routing table.
Static Routes Total number of static routes in the routing table.
Reject Routes Total number of reject routes installed by all protocols.
Total Routes Total number of routes in the routing table.
Best Routes (High) The number of best routes currently in the routing table. This number only counts the best route to each destination. The value in parentheses indicates the highest count of unique best routes since counters were last cleared.
Alternate Routes The number of alternate routes currently in the routing table. An alternate route is a route that was not selected as the best route to its destination.
Route Adds The number of routes that have been added to the routing table.
Route Modifies The number of routes that have been changed after they were initially added to the routing table.
Route Deletes The number of routes that have been deleted from the routing table.
Unresolved Route Adds The number of route adds that failed because none of the route’s next hops were on a local subnet. Note that static routes can fail to be added to the routing table at startup because the routing interfaces are not yet up. This counter gets incremented in this case. The static routes are added to the routing table when the routing interfaces come up.
Invalid Route Adds The number of routes that failed to be added to the routing table because the route was invalid. A log message is written for each of these failures.
Failed Route Adds The number of routes that failed to be added to the routing table because of a resource limitation in the routing table.
Reserved Locals The number of routing table entries reserved for a local subnet on a routing interface that is down. Space for local routes is always reserved so that local routes can be installed when a routing interface bounces.
Unique Next Hops (High) The number of distinct next hops used among all routes currently in the routing table. These include local interfaces for local routes and neighbors for indirect routes. The value in parentheses indicates the highest count of unique next hops since counters were last cleared.
Next Hop Groups (High) The current number of next hop groups in use by one or more routes. Each next hop group includes one or more next hops. The value in parentheses indicates the highest count of next hop groups since counters were last cleared.

clear ip route counters

The command resets to zero the IPv4 routing table counters. The command only resets event counters Counters that report the current state of the routing table, such as the number of routes of each type, are not reset.

clear ip route counters

Mode: Privileged EXEC

show ip route preferences

This command displays detailed information about the route preferences for each type of route.

show ip route preferences

Modes: User / Privileged EXEC

show ip stats

This command displays IP statistical information.

show ip stats

Modes: User / Privileged EXEC

show routing heap summary

This command displays a summary of the memory allocation from the routing heap. The routing heap is a chunk of memory set aside when the system boots for use by the routing applications.

show routing heap summary

Mode: Privileged EXEC

Parameters:

 

Heap Size The amount of memory, in bytes, allocated at startup for the routing heap.
Memory In Use The number of bytes currently allocated.
Memory on Free List The number of bytes currently on the free list. When a chunk of memory from the routing heap is freed, it is placed on a free list for future reuse.
Memory Available in Heap The number of bytes in the original heap that have never been allocated.
In Use High Water Mark The maximum memory in use since the system last rebooted.

Router Discovery Protocol Commands

Back to Top

This section describes the commands you use to view and configure Router Discovery Protocol (IRDP) settings on the switch. The Router Discovery Protocol enables a host to discover the IP address of routers on the subnet.

ip irdp

This command enables router discovery on an interface or range of interfaces.

ip irdp

Mode: Interface Config

Default: Disabled

ip irdp address

This command configures the address that the interface uses to send the router discovery advertisements. The valid values for ipaddr are 224.0.0.1, which is the all-hosts IP multicast address, and 255.255.255.255, which is the limited broadcast address.

ip irdp address ipaddr

Mode: Interface Config

Default: 224.0.0.1

ip irdp holdtime

This command configures the value, in seconds, of the holdtime field of the router advertisement sent from this interface. The holdtime range is 4 to 9000 seconds.

ip irdp holdtime 4-9000

Mode: Interface Config

Default: 3 * maxinterval

ip irdp maxadvertinterval

This command configures the maximum time, in seconds, allowed between sending router advertisements from the interface. The range is 4 to 1800 seconds.

ip irdp maxadvertinterval 4-1800

Mode: Interface Config

Default: 600

ip irdp minadvertinterval

This command configures the minimum time, in seconds, allowed between sending router advertisements from the interface. The range is 3–1800 seconds.

ip irdp minadvertinterval 3-1800

Mode: Interface Config

Default: 0.75 * maxadvertinterval

ip irdp multicast

This command configures the destination IP address for router advertisements as 224.0.0.1, which is the default address. The no form of the command configures the IP address as 255.255.255.255 to send router advertisements to the limited broadcast address.

ip irdp multicast ip-address

Mode: Interface Config

ip irdp preference

This command configures the preferability of the address as a default router address, relative to other router addresses on the same subnet.

ip irdp preference -2147483648 to 2147483647

Mode: Interface Config

Default: 0

show ip irdp

This command displays the router discovery information for all interfaces, a specified interface, or specified VLAN. 

show ip irdp {slot/port | vlan 1-4093 | all}

Modes: User / Privileged EXEC

Virtual LAN Routing Commands

Back to Top

This section describes the commands you use to view and configure VLAN routing and to view VLAN routing status information.

vlan routing (VLAN Database)

This command enables routing on a VLAN. The vlanid value has a range of 1-4093. The interface- ID value has a range of 1-128. The ID is configured automatically if not specified.

vlan routing vlanid [interface-ID]

Mode: VLAN Database Config

interface vlan

Use this command to enter interface configuration mode for the specified VLAN. The valid vlan-id range is from 1 to 4093.

interface vlan vlan-id

Mode: Global Config

show ip vlan

This command displays the VLAN routing information for all VLANs with routing enabled.

show ip vlan

Modes: User / Privileged EXEC

Parameters:

 

MAC Address used by Routing VLANs The MAC Address associated with the internal bridge-router interface (IBRI). The same MAC Address is used by all VLAN routing interfaces. It will be displayed above the per-VLAN information.
VLAN ID The identifier of the VLAN.
Logical Interface The logical slot/port associated with the VLAN routing interface.
IP Address The IP address associated with this VLAN.
Subnet Mask The subnet mask that is associated with this VLAN.

IP Helper Commands

Back to Top

This section describes the commands to configure and monitor the IP Helper agent. IP Helper relays DHCP and other broadcast UDP packets from a local client to one or more servers which are not on the same network at the client.

The IP Helper feature provides a mechanism that allows a router to forward certain configured UDP broadcast packets to a particular IP address. This allows various applications to reach servers on nonlocal subnets, even if the application was designed to assume a server is always on a local subnet and uses broadcast packets (with either the limited broadcast address 255.255.255.255, or a network directed broadcast address) to reach the server.

The network administrator can configure relay entries both globally and on routing interfaces. Each relay entry maps an ingress interface and destination UDP port number to a single IPv4 address (the helper address). The network administrator may configure multiple relay entries for the same interface and UDP port, in which case the relay agent relays matching packets to each server address. Interface configuration takes priority over global configuration. That is, if a packet’s destination UDP port matches any entry on the ingress interface, the packet is handled according to the interface configuration. If the packet does not match any entry on the ingress interface, the packet is handled according to the global IP helper configuration.

The network administrator can configure discard relay entries, which direct the system to discard matching packets. Discard entries are used to discard packets received on a specific interface when those packets would otherwise be relayed according to a global relay entry. Discard relay entries may be configured on interfaces, but are not configured globally.

In addition to configuring the server addresses, the network administrator also configures which UDP ports are forwarded. Certain UDP port numbers can be specified by name in the UI as a convenience, but the network administrator can configure a relay entry with any UDP port number. The network administrator may configure relay entries that do not specify a destination UDP port. 

The system limits the number of relay entries to four times the maximum number of routing interfaces. The network administrator can allocate the relay entries as he likes. There is no limit to the number of relay entries on an individual interface, and no limit to the number of servers for a given {interface, UDP port} pair.

The relay agent relays DHCP packets in both directions. It relays broadcast packets from the client to one or more DHCP servers, and relays to the client packets that the DHCP server unicasts back to the relay agent. For other protocols, the relay agent only relays broadcast packets from the client to the server. Packets from the server back to the client are assumed to be unicast directly to the client. Because there is no relay in the return direction for protocols other than DHCP, the relay agent retains the source IP address from the original client packet. The relay agent uses a local IP address as the source IP address of relayed DHCP client packets.

When a switch receives a broadcast UDP packet on a routing interface, the relay agent checks if the interface is configured to relay the destination UDP port. If so, the relay agent unicasts the packet to the configured server IP addresses. Otherwise, the relay agent checks if there is a global configuration for the destination UDP port. If so, the relay agent unicasts the packet to the configured server IP addresses. Otherwise the packet is not relayed. Note that if the packet matches a discard relay entry on the ingress interface, then the packet is not forwarded, regardless of the global configuration.

The relay agent only relays packets that meet the following conditions:
- The destination MAC address must be the all-ones broadcast address (FF:FF:FF:FF:FF:FF)
- The destination IP address must be the broadcast address (255.255.255.255) or a directed broadcast address for the receive interface.
- The IP time-to-live (TTL) must be greater than 1.
- The protocol field in the IP header must be UDP (17).
- The destination UDP port must match a configured relay entry.

ip helper-address (Global Config)

Use this command to configure the relay of certain UDP broadcast packets received on any interface. This command can be invoked multiple times, either to specify multiple server addresses for a given UDP port number or to specify multiple UDP port numbers handled by a specific server.

ip helper-address server-address [dest-udp-port | dhcp | domain | isakmp | mobile-ip | nameserver | netbios-dgm | netbios-ns | ntp | pim-auto-rp | rip | tacacs | tftp | time]

Mode: Global Config

Parameters:

 

server-address The IPv4 unicast or directed broadcast address to which relayed UDP broadcast packets are sent. The server address cannot be an IP address configured on any interface of the local router.
dest-udp-port A destination UDP port number from 0 to 65535.
port name

The destination UDP port may be optionally specified by its name. Whether a port is specified by its number or its name has no effect on behavior. The names recognized are as follows:

- dhcp: Port 67
- domain: Port 53
- isakmp: Port 500
- mobile-ip: Port 434
- nameserver: Port 42
- netbios-dgm: Port 138
- netbios-ns: Port 137
- ntp: Port 123
- pim-auto-rp: Port 496
- rip: Port 520
- tacacs: Port 49
- tftp: Port 69
- time: Port 37

Other ports must be specified by number.

ip helper-address (Interface Config)

Use this command to configure the relay of certain UDP broadcast packets received on a specific interface, routed VLAN interface or range of interfaces. This command can be invoked multiple times on a routing interface, either to specify multiple server addresses for a given port number or to specify multiple port numbers handled by a specific server.

ip helper-address server-address [dest-udp-port | dhcp | domain | isakmp | mobile-ip | nameserver | netbios-dgm | netbios-ns | ntp | pim-auto-rp | rip | tacacs | tftp | time]

Mode: Interface Config

Parameters:

 

server-address The IPv4 unicast or directed broadcast address to which relayed UDP broadcast packets are sent. The server address cannot be an IP address configured on any interface of the local router.
dest-udp-port A destination UDP port number from 0 to 65535.
port name

The destination UDP port may be optionally specified by its name. Whether a port is specified by its number or its name has no effect on behavior. The names recognized are as follows:

- dhcp: Port 67
- domain: Port 53
- isakmp: Port 500
- mobile-ip: Port 434
- nameserver: Port 42
- netbios-dgm: Port 138
- netbios-ns: Port 137
- ntp: Port 123
- pim-auto-rp: Port 496
- rip: Port 520
- tacacs: Port 49
- tftp: Port 69
- time: Port 37

Other ports must be specified by number.

ip helper enable

Use this command to enable relay of UDP packets. This command can be used to temporarily disable IP helper without deleting all IP helper addresses. This command replaces the bootpdhcprelay enable command, but affects not only relay of DHCP packets, but also relay of any other protocols for which an IP helper address has been configured.

ip helper enable

Mode: Global Config

Default: Disabled

show ip helper-address

Use this command to display the IP helper address configuration. The argument slot/port corresponds to a physical routing interface or VLAN routing interface. The keyword vlan is used to specify the VLAN ID of the routing VLAN directly instead of a slot/port format.

show ip helper-address [{slot/port | vlan 1-4093}]

Mode: Privileged EXEC

Parameters:

 

Interface The relay configuration is applied to packets that arrive on this interface. This field is set to any for global IP helper entries.
UDP Port The relay configuration is applied to packets whose destination UDP port is this port. Entries whose UDP port is identified as any are applied to packets with the destination UDP ports listed in Table 4.
Discard If Yes, packets arriving on the given interface with the given destination UDP port are discarded rather than relayed. Discard entries are used to override global IP helper address entries which otherwise might apply to a packet.
Hit Count The number of times the IP helper entry has been used to relay or discard a packet.
Server Address The IPv4 address of the server to which packets are relayed.

show ip helper statistics

Use this command to display the number of DHCP and other UDP packets processed and relayed by the UDP relay agent.

show ip helper statistics

Mode: Privileged EXEC

Parameters:

 

DHCP client messages received The number of valid messages received from a DHCP client. The count is only incremented if IP helper is enabled globally, the ingress routing interface is up, and the packet passes a number of validity checks, such as having a TTL>1 and having valid source and destination IP addresses.
DHCP client messages relayed The number of DHCP client messages relayed to a server. If a message is relayed to multiple servers, the count is incremented once for each server.
DHCP server messages received The number of DHCP responses received from the DHCP server. This count only includes messages that the DHCP server unicasts to the relay agent for relay to the client.
DHCP server messages relayed The number of DHCP server messages relayed to a client.
UDP clients messages received The number of valid UDP packets received. This count includes DHCP messages and all other protocols relayed. Conditions are similar to those for the first statistic in this table.
UDP clients messages relayed The number of UDP packets relayed. This count includes DHCP messages relayed as well as all other protocols. The count is incremented for each server to which a packet is sent.
DHCP message hop count exceeded max The number of DHCP client messages received whose hop count is larger than the maximum allowed. The maximum hop count is a configurable value listed in show bootpdhcprelay. A log message is written for each such failure. The DHCP relay agent does not relay these packets.
DHCP message with secs field below min The number of DHCP client messages received whose secs field is less than the minimum value. The minimum secs value is a configurable value and is displayed in show bootpdhcprelay. A log message is written for each such failure. The DHCP relay agent does not relay these packets.
DHCP message with giaddr set to local address The number of DHCP client messages received whose gateway address, giaddr, is already set to an IP address configured on one of the relay agent’s own IP addresses. In this case, another device is attempting to spoof the relay agent’s address. The relay agent does not relay such packets. A log message gives details for each occurrence.
Packets with expired TTL The number of packets received with TTL of 0 or 1 that might otherwise have been relayed.
Packets that matched a discard entry The number of packets ignored by the relay agent because they match a discard relay entry.

clear ip helper statistics

Use this command to reset to zero the statistics displayed in the show ip helper statistics command.

clear ip helper statistics

Mode: Privileged EXEC

ICMP Throttling Commands

Back to Top

This section describes the commands you use to configure options for the transmission of various types of ICMP messages.

ip unreachables

Use this command to enable the generation of ICMP Destination Unreachable messages.

ip unreachables

Mode: Interface Config

Default: Enabled

ip redirects

Use this command to enable the generation of ICMP Redirect messages on a specific interface or all interfaces (Global Config).

ip redirects

Modes: Global / Interface Config

Default: Enabled

ip icmp echo-reply

Use this command to enable the generation of ICMP Echo Reply messages.

ip icmp echo-reply

Mode: Global Config

ip icmp error-interval

Use this command to limit the rate at which IPv4 ICMP error messages are sent. The rate limit is configured as a token bucket, with two configurable parameters. The burst-interval specifies how often the token bucket is initialized with burst-size tokens and supports a range from 0 to 2147483647 milliseconds (msec). The burst-size is the number of ICMP error messages that can be sent during one burst-interval. The range is from 1 to 200 messages. To disable ICMP rate limiting, set burst-interval to zero (0).

ip icmp error-interval burst-interval [burst-size]

Mode: Global Config

Default: burst-interval: 1000 msec / burst-size: 100 messages

qos.png  Quality of Service Commands

Back to Top

This chapter describes the Quality of Service (QoS) commands available in the EdgeSwitch CLI.

Class of Service Commands

Back to Top

This section describes the commands you use to configure and view Class of Service (CoS) settings for the switch. The commands in this section allow you to control the priority and transmission rate of traffic.

classofservice dot1p-mapping

This command maps an 802.1p priority to an internal traffic class. The userpriority value can range from 0-7. The trafficclass value range from 0 to 6.

classofservice dot1p-mapping userpriority trafficclass

Modes: Global / Interface Config

classofservice ip-dscp-mapping

This command maps an IP DSCP value to an internal traffic class. The ipdscp value is specified as either an integer from 0 to 63, or symbolically using one of the keywords such as af11 or ef. The trafficclass values can range from 0-6.

classofservice ip-dscp-mapping ipdscp trafficclass

Mode: Global Config

classofservice ip-precedence-mapping

This command maps an IP Precedence value to an internal traffic class for a specific interface. 

classofservice ip-precedence-mapping [0-7]

Mode: Global Config

classofservice trust

This command sets the class of service trust mode of an interface or range of interfaces. You can set the mode to trust the Dot1p (802.1p) or IP DSCP packet markings. You can also set the interface mode to untrusted. 

classofservice trust {dot1p | ip-dscp | untrusted}

Modes: Global / Interface Config

Default: dot1p

cos-queue max-bandwidth

This command specifies the maximum transmission bandwidth guarantee for each interface queue on an interface, a range of interfaces, or all interfaces. A value from 0-100 (percentage of link rate) must be specified for each supported queue, with 0 indicating no maximum bandwidth. The sum of all values entered must not exceed 100.

cos-queue max-bandwidth bw-0 bw-1...bw-n

Modes: Global / Interface Config

cos-queue min-bandwidth

This command specifies the minimum transmission bandwidth guarantee for each interface queue on an interface, a range of interfaces, or all interfaces. A value from 0-100 (percentage of link rate) must be specified for each supported queue, with 0 indicating no guaranteed minimum bandwidth. The sum of all values entered must not exceed 100.

cos-queue min-bandwidth bw-0 bw-1...bw-n

Modes: Global / Interface Config

cos-queue random-detect

This command activates weighted random early discard (WRED) for each specified queue on the interface. Specific WRED parameters are configured using the random-detect queue-parms and the random-detect exponential-weighting-constant commands.

cos-queue random-detect queue-id-1 [queue-id-2...queue-id-n]

Modes: Global / Interface Config

cos-queue strict

This command activates the strict priority scheduler mode for each specified queue for an interface queue on an interface, a range of interfaces, or all interfaces.

cos-queue strict queue-id-1 [queue-id-2...queue-id-n]

Modes: Global / Interface Config

random-detect

This command is used to enable WRED on the specific interface or on all interfaces (Global Config).

random-detect

Modes: Global / Interface Config

random-detect exponential weighting-constant

This command is used to configure the WRED decay exponent for a CoS queue interface.

random-detect exponential-weighting-constant 0-15

Mode: Interface Config

random-detect queue-parms

This command is used to configure WRED parameters for each drop precedence level supported by a queue. It is used only when per-COS queue configuration is enabled (using the cos-queue random-detect command).

random-detect queue-parms queue-id-1 [queue-id-2...queue-id-n] min-thresh thresh-prec-1...thresh-prec-n max-thresh thresh-prec-1...thresh-prec-n drop-probability prob-prec-1...prob-prec-n

Modes: Global / Interface Config

Parameters:

 

min-thresh Minimum threshold - Queue depth (as a percentage) where WRED starts marking and dropping traffic.
max-thresh Maximum threshold - Queue depth (as a percentage) above which WRED marks/drops all traffic.
drop-probability The percentage probability that WRED will mark/drop a packet, when the queue depth is at the maximum threshold. (The drop probability increases linearly from 0 just before the minimum threshold, to this value at the maximum threshold, then goes to 100% for larger queue depths).

traffic-shape

This command specifies the maximum transmission bandwidth limit for the interface as a whole. The bandwidth values are from 0-100 in increments of 1. You can also specify this value for a range of interfaces or all interfaces. Also known as rate shaping, traffic shaping has the effect of smoothing temporary traffic bursts over time so that the transmitted traffic rate is bounded.

traffic-shape bw

Modes: Global / Interface Config

show classofservice dot1p-mapping

This command displays the current Dot1p (802.1p) priority mapping to internal traffic classes for a specific interface or the global settings.

show classofservice dot1p-mapping [slot/port]

Mode: Privileged EXEC

Parameters:

 

User Priority The 802.1p user priority value.
Traffic Class The traffic class internal queue identifier to which the user priority value is mapped.

show classofservice ip-dscp-mapping

This command displays the current IP DSCP mapping to internal traffic classes for the global configuration settings.

show classofservice ip-dscp-mapping

Mode: Privileged EXEC

Parameters:

 

IP DSCP The IP DSCP value.
Traffic Class The traffic class internal queue identifier to which the IP DSCP value is mapped.

show classofservice ip-precedence-mapping

This command displays the current IP Precedence mapping to internal traffic classes for a specific interface or the global settings.

show classofservice ip-precedence-mapping [slot/port]

Mode: Privileged EXEC

Parameters:

 

IP Precedence The IP Precedence value.
Traffic Class The traffic class internal queue identifier to which the IP Precedence value is mapped.

show classofservice trust

This command displays the current trust mode setting for a specific interface or the global settings.

show classofservice trust [slot/port]

Mode: Privileged EXEC

Parameters:

 

Class of Service Trust Mode The the trust mode, which is either Dot1P, IP DSCP, or Untrusted.
Non-IP Traffic Class (IP DSCP mode only) The traffic class used for non-IP traffic.
Untrusted Traffic Class (Untrusted mode only) The traffic class used for all untrusted traffic.

show interfaces cos-queue

This command displays the class-of-service queue configuration for the specified interface or the global settings.

show interfaces cos-queue [slot/port]

Mode: Privileged EXEC

Parameters:

 

Interface Shaping Rate The global interface shaping rate value or the maximum transmission bandwidth limit for the interface as a whole. It is independent of any per- queue maximum bandwidth value(s) in effect for the interface. This is a configured value.
WRED Decay Exponent The global WRED decay exponent value or for a specific CoS queue interface.
Queue Id An interface supports n queues numbered 0 to (n-1). 
Minimum Bandwidth The minimum transmission bandwidth guarantee for the queue, expressed as a percentage. A value of 0 means bandwidth is not guaranteed and the queue operates using best-effort. 
Maximum Bandwidth The maximum transmission bandwidth guarantee for the queue, expressed as a percentage. A value of 0 means bandwidth is not guaranteed and the queue operates using best-effort. 
Scheduler Type Indicates whether this queue is scheduled for transmission using a strict priority or a weighted scheme.
Queue Management Type The queue depth management technique used for this queue (tail drop).
Interface The slot/port of the interface. If displaying the global configuration, this output line is replaced with a Global Config indication.

show interfaces random-detect

This command displays the global WRED settings for each CoS queue. If you specify the slot/port, the command displays the WRED settings for each CoS queue on the specified interface.

show interfaces random-detect [slot/port]

Mode: Privileged EXEC

Parameters:

 

Queue ID An interface supports n queues numbered 0 to (n-1). The specific n value is platform dependent.
WRED Minimum Threshold The configured minimum threshold the queue depth (as a percentage) where WRED starts marking and dropping traffic.
WRED Maximum Threshold The configured maximum threshold is the queue depth (as a percentage) above which WRED marks / drops all traffic.
WRED Drop Probability The configured percentage probability that WRED will mark/drop a packet, when the queue depth is at the maximum threshold. (The drop probability increases linearly from 0 just before the minimum threshold, to this value at the maximum threshold, then goes to 100% for larger queue depths).

show interfaces tail-drop-threshold

This command displays the tail drop threshold information. If you specify the slot/port, the command displays the tail drop threshold information for the specified interface.

show interfaces tail-drop-threshold [slot/port]

Mode: Privileged EXEC

Differentiated Services Commands

Back to Top

This section describes the commands you use to configure QOS Differentiated Services (DiffServ). You configure DiffServ in several stages by specifying three DiffServ components:
- Class > Creating and deleting classes > Defining match criteria for a class.
- Policy > Creating and deleting policies > Associating classes with a policy > Defining policy statements for a policy/class combination
- Service > Adding and removing a policy to/from an inbound interface

The DiffServ class defines the packet filtering criteria. The attributes of a DiffServ policy define the way the switch processes packets. You can define policy attributes on a per-class instance basis. The switch applies these attributes when a match occurs. Packet processing begins when the switch tests the match criteria for a packet. The switch applies a policy to a packet when it finds a class match within that policy.

The following rules apply when you create a DiffServ class:
- Each class can contain a maximum of one referenced (nested) class
- Class definitions do not support hierarchical service policies


A given class definition can contain a maximum of one reference to another class. You can combine the reference with other match criteria. The referenced class is truly a reference and not a copy since additions to a referenced class affect all classes that reference it. Changes to any class definition currently referenced by any other class must result in valid class definitions for all derived classes, otherwise the switch rejects the change. You can remove a class reference from a class definition. The only way to remove an individual match criterion from an existing class definition is to delete the class and re-create it.

diffserv

This command sets the DiffServ operational mode to active. While disabled, the DiffServ configuration is retained and can be changed, but it is not activated. When enabled, DiffServ services are activated.

diffserv

Mode: Global Config

Default: Disabled

DiffServ Class Commands

Back to Top

Use the DiffServ class commands to define traffic classification. To classify traffic, you specify Behavior Aggregate (BA), based on DSCP and Multi-Field (MF) classes of traffic (name, match criteria). This set of commands consists of class creation/deletion and matching, with the class match commands specifying Layer 3, Layer 2, and general match criteria.

The class match criteria are also known as class rules, with a class definition consisting of one or more rules to identify the traffic that belongs to the class. Once you create a class match criterion for a class, you cannot change or delete the criterion. To change or delete a class match criterion, you must delete and re-create the entire class.

class-map

This command defines a DiffServ class of type match-all. When used without any match condition, this command enters the class-map mode. The class-map-name is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying an existing DiffServ class. Note that the class-map-name default is reserved and must not be used.

The class type of match-all indicates all of the individual match conditions must be true for a packet to be considered a member of the class. This command may be used without specifying a class type to enter the Class- Map Config mode for an existing DiffServ class.


class-map match-all class-map-name [ipv4 | ipv6]

Mode: Global Config

class-map rename

This command changes the name of a DiffServ class. The class-map-name is the name of an existing DiffServ class. The new-class-map-name parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the class.

class-map rename class-map-name new-class-map-name

Mode: Global Config

match ethertype

This command adds to the specified class definition a match condition based on the value of the ethertype. The ethertype value is specified as one of the following keywords: appletalk, arp, ibmsna, ipv4, ipv6, ipx, mplsmcast, mplsucast, netbios, novell, pppoe, rarp; or as a custom EtherType value in the range of 0x0600-0xFFFF. Use the not option to negate the match condition.

match [not] ethertype {keyword | custom 0x0600-0xFFFF}

Mode: Class-Map Config

match any

This command adds to the specified class definition a match condition whereby all packets are considered to belong to the class. Use the not option to negate the match condition.

match [not] any

Mode: Class-Map Config

match class-map

This command adds to the specified class definition the set of match conditions defined for another class. The refclassname is the name of an existing DiffServ class whose match conditions are being referenced by the specified class definition.

- The parameters refclassname and class-map-name cannot be the same.
- Only one other class may be referenced by a class.
- Any attempt to delete the refclassname class while the class is still referenced by any class-map-name fails.
- The combined match criteria of class-map-name and refclassname must be an allowed combination based on the class type.
- Any subsequent changes to the refclassname class match criteria must maintain this validity, or the change attempt fails.
- The total number of class rules formed by the complete reference class chain (including both predecessor and successor classes) must not exceed a platform-specific maximum. In some cases, each removal of a refclass rule reduces the maximum number of available rules in the class definition by one.


match class-map refclassname

Mode: Class-Map Config

match cos

This command adds to the specified class definition a match condition for the Class of Service value (the only tag in a single tagged packet or the first or outer 802.1Q tag of a double VLAN tagged packet). The value may be from 0 to 7. Use the not option to negate the match condition.

match [not] cos 0-7

Mode: Class-Map Config

match secondary-cos

This command adds to the specified class definition a match condition for the secondary Class of Service value (the inner 802.1Q tag of a double VLAN tagged packet). The value may be from 0 to 7. Use the not option to negate the match condition.

match [not] secondary-cos 0-7

Mode: Class-Map Config

test

This command adds to the specified class definition a match condition based on the destination MAC address of a packet. The macaddr parameter is any Layer-2 MAC address formatted as six 2-digit hexadecimal numbers separated by colons (e.g., 00:11:22:dd:ee:ff). The macmask parameter is a Layer-2 MAC address bit mask, which need not be contiguous, and is formatted as six 2-digit hexadecimal numbers separated by colons (e.g., ff:07:23:ff:fe:dc). Use the not option to negate the match condition.

match [not] destination-address mac macaddr macmask

Mode: Class-Map Config

match dstip

This command adds to the specified class definition a match condition based on the destination IP address of a packet. The ipaddr parameter specifies an IP address. The ipmask parameter specifies an IP address bit mask and must consist of a contiguous set of leading 1 bits. Use the not option to negate the match condition.

match [not] dstip ipaddr ipmask

Mode: Class-Map Config

match dstl4port

This command adds to the specified class definition a match condition based on the destination Layer-4 port of a packet using a single keyword or numeric notation. To specify the match condition as a single keyword, the value for portkey is one of the supported port name keywords. The currently supported portkey values are: domain, echo, ftp, ftpdata, http, smtp, snmp, telnet, tftp, www. Each of these translates into its equivalent port number. To specify the match condition using a numeric notation, one Layer-4 port number is required. The port number is an integer from 0 to 65535. Use the not option to negate the match condition.

match [not] dstl4port {portkey | 0-65535}

Mode: Class-Map Config

match ip dscp

This command adds to the specified class definition a match condition based on the value of the IP DiffServ Code Point (DSCP) field in a packet, which is defined as the high-order six bits of the Service Type octet in the IP header (the low-order two bits are not checked). The dscpval value is specified as either an integer from 0 to 63, or symbolically through a keyword such as af23 or ef. Use the not option to negate the match condition.

match [not] ip dscp dscpval

Mode: Class-Map Config

match ip precedence

This command adds to the specified class definition a match condition based on the value of the IP Precedence field in a packet, which is defined as the high-order three bits of the Service Type octet in the IP header (the low- order five bits are not checked). The precedence value is an integer from 0 to 7. Use the not option to negate the match condition.

match [not] ip precedence 0-7

Mode: Class-Map Config

match ip tos

This command adds to the specified class definition a match condition based on the value of the IP TOS field in a packet, which is defined as all eight bits of the Service Type octet in the IP header. The value of tosbits is a 2-digit hexadecimal number from 00-ff. The value of tosmask is a two-digit hexadecimal number from 00-ff. The tosmask denotes the bit positions in tosbits that are used for comparison against the IP TOS field in a packet. For example, to check for an IP TOS value having bits 7 and 5 set and bit 1 clear, where bit 7 is most significant, use a tosbits value of a0 (hex) and a tosmask of a2 (hex). Use the not option to negate the match condition.

match [not] ip tos tosbits tosmask

Mode: Class-Map Config

match protocol

This command adds to the specified class definition a match condition based on the value of the IP Protocol field in a packet using a single keyword notation or a numeric value notation.

To specify the match condition using a single keyword notation, the value for protocol-name is one of the supported protocol name keywords. The currently supported values are: icmp, igmp, ip, tcp, udp. A value of ip matches all protocol number values.

To specify the match condition using a numeric value notation, the protocol number is a standard value assigned by IANA and is interpreted as an integer from 0 to 255. Use the not option to negate the match condition.


match [not] protocol {protocol-name | 0-255}

Mode: Class-Map Config

match signature

This command maps the available signatures from the rules file to the AppIQ class. When the appiq class is created, this menu displays an index number and its signature pattern. A single signature can be mapped using a number or multiple signatures can be selected and mapped to a class. Using this command without an index value maps all the available signatures to the same class.

match signature [StartIndex-EndIndex]

Mode: Class-Map Config

match source-address mac

This command adds to the specified class definition a match condition based on the source MAC address of a packet. The address parameter is any Layer-2 MAC address formatted as six 2-digit hexadecimal numbers separated by colons (e.g., 00:11:22:dd:ee:ff). The macmask parameter is a Layer-2 MAC address bit mask, which may not be contiguous, and is formatted as six 2-digit hexadecimal numbers separated by colons (e.g., ff:07:23:ff:fe:dc). Use the not option to negate the match condition.

match [not] source-address mac address macmask

Mode: Class-Map Config

match srcip

This command adds to the specified class definition a match condition based on the source IP address of a packet. The ipaddr parameter specifies an IP address. The ipmask parameter specifies an IP address bit mask and must consist of a contiguous set of leading 1 bits. Use the not option to negate the match condition.

match [not] srcip ipaddr ipmask

Mode: Class-Map Config

match srcl4port

This command adds to the specified class definition a match condition based on the source Layer-4 port of a packet using a single keyword or numeric notation. To specify the match condition as a single keyword notation, the value for portkey is one of the supported port name keywords: domain, echo, ftp, ftpdata, http, smtp, snmp, telnet, tftp, www. Each of these translates into its equivalent port number, which is used as both the start and end of a port range. To specify the match condition as a numeric value, one Layer-4 port number is required. The port number is an integer from 0 to 65535. Use the not option to negate the match condition.

match [not] srcl4port {portkey | 0-65535}

Mode: Class-Map Config

match src port

This command adds a match condition for a range of Layer-4 source ports. If an interface receives traffic that is within the configured range of Layer-4 source ports, then only the appiq class is in effect. The portvalue parameter specifies a single source port.

match src port {portstart-portend | portvalue}

Mode: Class-Map Config

match vlan

This command adds to the specified class definition a match condition based on the value of the Layer-2 VLAN Identifier field (the only tag in a single tagged packet or the first or outer tag of a double VLAN tagged packet). The VLAN ID is an integer from 0-4093. Use the not option to negate the match condition.

match [not] vlan 0-4093

Mode: Class-Map Config

match secondary-vlan

This command adds to the specified class definition a match condition based on the value of the Layer-2 secondary VLAN Identifier field (the inner 802.1Q tag of a double VLAN-tagged packet). The secondary VLAN ID is an integer from 0-4093. Use the not option to negate the match condition.

match [not] secondary-vlan 0-4093

Mode: Class-Map Config

DiffServ Policy Commands

Back to Top

Use the DiffServ policy commands to specify traffic conditioning actions, such as policing and marking, to apply to traffic classes. Use the policy commands to associate a traffic class that you define by using the class command set with one or more QoS policy attributes. Assign the class/policy association to an interface to form a service. Specify the policy name when you create the policy.

Each traffic class defines a particular treatment for packets that match the class definition. You can associate multiple traffic classes with a single policy. When a packet satisfies the conditions of more than one class, preference is based on the order in which you add the classes to the policy. The first class you add has the highest precedence.

This set of commands consists of policy creation/deletion, class addition/removal, and individual policy attributes. The only way to remove an individual policy attribute from a class instance within a policy is to remove the class instance and re-add it to the policy. The values associated with an existing policy attribute can be changed without removing the class instance.

assign-queue

This command modifies the queue id to which the associated traffic stream is assigned. The queueid is an integer from 0 to n-1, where n is the number of egress queues supported by the device.

assign-queue queueid

Mode: Policy-Class-Map Config

Incompatibilities: Drop

drop

This command specifies that all packets for the associated traffic stream are to be dropped at ingress.

drop

Mode: Policy-Class-Map Config

Incompatibilities: Assign Queue, Mark (all forms), Mirror, Police, Redirect

mirror

This command specifies that all incoming packets for the associated traffic stream are copied to a specific egress interface (physical port or LAG).

mirror slot/port

Mode: Policy-Class-Map Config

Incompatibilities: Drop, Redirect

redirect

This command specifies that all incoming packets for the associated traffic stream are redirected to a specific egress interface (physical port or port-channel).

redirect slot/port

Mode: Policy-Class-Map Config

Incompatibilities: Drop, Mirror

conform-color

Use this command to enable color-aware traffic policing and define the conform-color class map. Used only in conjunction with the police command where the fields for the conform level are specified. The parameter class-map-name is the name of an existing DiffServ class map. 

conform-color class-map-name

Mode: Policy-Class-Map Config

class

This command creates an instance of a class definition within the specified policy for the purpose of defining treatment of the traffic class through subsequent policy attribute statements. The classname is the name of an existing DiffServ class. This command causes the specified policy to create a reference to the class definition.

class classname

Mode: Policy Map Config

mark cos

This command marks all packets for the associated traffic stream with the specified class of service (CoS) value in the priority field of the 802.1p header (the only tag in a single tagged packet or the first or outer 802.1Q tag of a double VLAN tagged packet). If the packet does not already contain this header, one is inserted. The CoS value is an integer from 0 to 7.

mark-cos 0-7

Mode: Policy-Class-Map Config

Incompatibilities: Drop, Mark IP DSCP, IP Precedence, Police

mark secondary-cos

This command marks the outer VLAN tags in the packets for the associated traffic stream as secondary CoS.

mark secondary-cos 0-7

Mode: Policy-Class-Map Config

Incompatibilities: Drop, Mark IP DSCP, IP Precedence, Police

mark cos-as-sec-cos

This command marks outer VLAN tag priority bits of all packets as the inner VLAN tag priority, marking Cos as Secondary CoS. This essentially means that the inner VLAN tag CoS is copied to the outer VLAN tag CoS.

mark cos-as-sec-cos

Mode: Policy-Class-Map Config

Incompatibilities: Drop, Mark IP DSCP, IP Precedence, Police

mark ip-dscp

This command marks all packets for the associated traffic stream with the specified IP DSCP value. The dscpval value is specified as either an integer from 0 to 63, or symbolically through one a keywords such as af11 or ef.

mark ip-dscp dscpval

Mode: Policy-Class-Map Config

Incompatibilities: Drop, Mark CoS, Mark IP Precedence, Police

mark ip-precedence

This command marks all packets for the associated traffic stream with the specified IP Precedence value. The IP Precedence value is an integer from 0 to 7.

mark ip-precedence 0-7

Mode: Policy-Class-Map Config

Incompatibilities: Drop, Mark CoS, Mark IP DSCP, Police

police-simple

This command is used to establish the traffic policing style for the specified class. The simple form of the police command uses a single data rate and burst size, resulting in two outcomes: conform and violate. The conforming data rate is specified in kilobits-per-second (Kbps) and is an integer from 1 to 4294967295. The conforming burst size is specified in kilobytes (KB) and is an integer from 1 to 128.

police-simple {1-4294967295 1-128 conform-action {drop | set-cos-as-sec-cos | set-cos-transmit 0-7 | set-sec-cos-transmit 0-7 | set-prec-transmit 0-7 | set-dscp-transmit 0-63 | transmit} [violate-action {drop | set-cos-as-sec-cos | set-cos-transmit 0-7 | set-sec-cos-transmit 0-7 | set-prec-transmit 0-7 | set-dscp-transmit 0-63 | transmit}]}

Mode: Policy-Class-Map Config

Incompatibilities: Drop, Mark (all forms)

police-single-rate

his command is the single-rate form of the police command and is used to establish the traffic policing style for the specified class.

police-single-rate {1-4294967295 1-128 1-128 conform-action {drop | set-cos-as-sec-cos | set-cos-transmit 0-7 | set-sec-cos-transmit 0-7 | set-prec-transmit 0-7 | set-dscp-transmit 0-63 | transmit} exceed-action {drop | set-cos-as-sec-cos | set-cos-transmit 0-7 | set-sec-cos-transmit 0-7 | set-prec-transmit 0-7 | set-dscp-transmit 0-63 | transmit} [violate-action {drop | set-cos-as-sec-cos-transmit | set-cos-transmit 0-7 | set-sec-cos-transmit 0-7 | set-prec-transmit 0-7 | set-dscp-transmit 0-63 | transmit}]}

Mode: Policy-Class-Map Config

police-two-rate

This command is the two-rate form of the police command and is used to establish the traffic policing style for the specified class. In this two-rate form of the police command, the conform action defaults to transmit, the exceed action defaults to drop, and the violate action defaults to drop. These actions can be set with this command once the style has been configured.

police-two-rate {1-4294967295 1-4294967295 1-128 1-128 conform-action {drop | set-cos-as-sec-cos | set-cos-transmit 0-7 | set-sec-cos-transmit 0-7 | set-prec-transmit 0-7 | set-dscp-transmit 0-63 | transmit} exceed-action {drop | set-cos-as-sec-cos | set-cos-transmit 0-7 | set-sec-cos-transmit 0-7 | set-prec-transmit 0-7 | set-dscp-transmit 0-63 | transmit} [violate-action {drop | set-cos-as-sec-cos | set-cos-transmit 0-7 | set-sec-cos-transmit 0-7 | set- prec-transmit 0-7 | set-dscp-transmit 0-63 | transmit}]}

Mode: Policy-Class-Map Config

policy-map

This command establishes a new DiffServ policy. The policyname parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the policy.

policy-map policyname in

Mode: Global Config

policy-map rename

This command changes the name of a DiffServ policy. The policyname is the name of an existing DiffServ class. The newpolicyname parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the policy.

policy-map rename policyname newpolicyname

Mode: Global Config

DiffServ Service Commands

Back to Top

Use the DiffServ service commands to assign a DiffServ traffic conditioning policy, which you specified by using the policy commands, to an interface in the incoming direction.

service-policy

This command attaches a policy to a specific interface or all interfaes in the inbound direction.

service-policy in policymapname

Modes: Global / Interface Config

DiffServ Show Commands

Back to Top

Use the DiffServ show commands to display configuration and status information for classes, policies, and services. You can display DiffServ information in summary or detailed formats. The status information is only shown when the DiffServ administrative mode is enabled.

show class-map

This command displays all configuration information for the specified class.

show class-map [class-name]

Modes: User / Privileged EXEC

Parameters:

 

Class Layer3 Protocol The Layer-3 protocol for this class. Possible value is IPv4.
Match Criteria Match Criteria fields are only displayed if they are configured. Not all platforms support all match criteria. They are displayed in the order entered by the user. The fields are evaluated in accordance with the class type. The possible Match Criteria fields are: Destination IP Address, Destination Layer 4 Port, Destination MAC Address, Ethertype, Source MAC Address, VLAN, Class of Service, Every, IP DSCP, IP Precedence, IP TOS, Protocol Keyword, Reference Class, Source IP Address, and Source Layer 4 Port.
Values The values of the Match Criteria.
Class Name The name of this class. (Classes are not necessarily displayed in the order in which they were created.)
Class Type A class type of all means every match criterion defined for the class is evaluated simultaneously and must all be true to indicate a class match.
Ref Class Name The name of an existing DiffServ class whose match conditions are being referenced by the specified class definition.

show diffserv

This command displays the DiffServ General Status Group information, which includes the current administrative mode setting as well as the current and maximum number of rows in each of the main DiffServ private MIB tables. 

show diffserv

Mode: Privileged EXEC

Parameters:

 

DiffServ Admin mode The current value of the DiffServ administrative mode.
Class Table Size Current/Max The current and maximum number of entries (rows) in the Class Table.
Class Rule Table Size Current/Max The current and maximum number of entries (rows) in the Class Rule Table.
Policy Table Size Current/Max The current and maximum number of entries (rows) in the Policy Table.
Policy Instance Table Size Current/Max The current and maximum number of entries (rows) in the Policy Instance Table.
Policy Instance Table Max Current/Max The current and maximum number of entries (rows) for the Policy Instance Table.
Policy Attribute Table Max Current/Max The current and maximum number of entries (rows) for the Policy Attribute Table.
Service Table Size Current/Max The current and maximum number of entries (rows) in the Service Table.

show policy-map

This command displays all configuration information for the specified policy.

show policy-map [policyname]

Mode: Privileged EXEC

Parameters:

 

Policy Name The name of this policy.
Policy Type The policy type (only inbound policy definitions are supported for this platform.)
Class Members The class that is a member of the policy.
Assign Queue Directs traffic stream to the specified QoS queue. This allows a traffic classifier to specify which one of the supported hardware queues are used for handling packets belonging to the class.
Class Name The name of this class.
Committed Burst Size (KB) The committed burst size, used in simple policing.
Committed Rate (Kbps) The committed rate, used in simple policing.
Conform Action The current setting for the action taken on a packet considered to conform to the policing parameters. This is not displayed if policing is not in use for the class under this policy.
Conform Color Mode The current setting for the color mode. Policing uses either color blind or color aware mode. Color blind mode ignores the coloration (marking) of the incoming packet. Color aware mode takes into consideration the current packet marking when determining the policing outcome.
Conform COS The CoS mark value if the conform action is set-cos-transmit.
Conform DSCP Value The DSCP mark value if the conform action is set-dscp-transmit.
Conform IP Precedence Value The IP Precedence mark value if the conform action is set-prec-transmit.
Drop Drop a packet upon arrival. This is useful for emulating access control list operation using DiffServ, especially when DiffServ and ACL cannot co-exist on the same interface.
Exceed Action The action taken on traffic that exceeds settings that the network administrator specifies.
Exceed Color Mode The current setting for the color of exceeding traffic that the user may optionally specify.
Mark CoS The class of service value that is set in the 802.1p header of inbound packets. This is not displayed if the mark cos was not specified.
Mark CoS as Secondary CoS The secondary 802.1p priority value (second/inner VLAN tag. Same as CoS (802.1p) marking, but the dot1p value used for remarking is picked from the dot1p value in the secondary (i.e. inner) tag of a double-tagged packet.
Mark IP DSCP The mark/re-mark value used as the DSCP for traffic matching this class. This is not displayed if mark ip description is not specified.
Mark IP Precedence The mark/re-mark value used as the IP Precedence for traffic matching this class. This is not displayed if mark ip precedence is not specified.
Mirror Copies a classified traffic stream to a specified egress port (physical port or LAG). This can occur in addition to any marking or policing action. It may also be specified along with a QoS queue assignment.
Non-Conform Action The current setting for the action taken on a packet considered to not conform to the policing parameters. This is not displayed if policing not in use for the class under this policy.
Non-Conform COS The CoS mark value if the non-conform action is set-cos-transmit.
Non-Conform DSCP Value The DSCP mark value if the non-conform action is set-dscp-transmit.
Non-Conform IP Precedence Value The IP Precedence mark value if the non-conform action is set-prec-transmit.
Peak Rate Guarantees a committed rate for transmission, but also transmits excess traffic bursts up to a user- specified peak rate, with the understanding that a downstream network element (such as the next hop’s policer) might drop this excess traffic. Traffic is held in queue until it is transmitted or dropped (per type of queue depth management.) Peak rate shaping can be configured for the outgoing transmission stream for an AP traffic class (although average rate shaping could also be used.)
Peak Burst Size (PBS). The network administrator can set the PBS as a means to limit the damage expedited forwarding traffic could inflict on other traffic (e.g., a token bucket rate limiter) Traffic exceeding this limit is discarded.
Policing Style The style of policing, if any, used (simple).
Redirect Forces a classified traffic stream to a specified egress port (physical port or LAG). This can occur in addition to any marking or policing action. It may also be specified along with a QoS queue assignment.

show diffserv service

This command displays policy service information for the specified interface and direction.

show diffserv service slot/port in

Mode: Privileged EXEC

Parameters:

 

DiffServ Admin Mode The current setting of the DiffServ administrative mode. An attached policy is only in effect on an interface while DiffServ is in an enabled mode.
Interface The slot/port.
Direction The traffic direction of this interface service.
Operational Status The current operational status of this DiffServ service interface.
Policy Name The name of the policy attached to the interface in the indicated direction.
Policy Details Attached policy details, whose content is identical to that described for the show policy-map policymapname command (content not repeated here for brevity).

show diffserv service brief

This command displays all interfaces in the system to which a DiffServ policy has been attached.

show diffserv service brief [in]

Mode: Privileged EXEC

Parameters:

 

DiffServ Mode The current setting of the DiffServ administrative mode. An attached policy is only active on an interface while DiffServ is in an enabled mode.
Interface The slot/port.
Direction The traffic direction of this interface service.
OperStatus The current operational status of this DiffServ service interface.
Policy Name The name of the policy attached to the interface in the indicated direction.

show policy-map interface

This command displays policy-oriented statistics information for the specified interface and direction.

show policy-map interface slot/port [in]

Mode: Privileged EXEC

Parameters:

 

Interface The slot/port.
Direction The traffic direction of this interface service.
Operational Status The current operational status of this DiffServ service interface.
Policy Name The name of the policy attached to the interface in the indicated direction.
Class Name The name of this class instance.
In Discarded Packets The number of packets discarded for this class instance for any reason due to DiffServ treatment of the traffic class.

show service-policy

This command displays a summary of policy-oriented statistics information for all interfaces in the specified direction.

show service-policy in

Mode: Privileged EXEC

Parameters:

 

Interface The slot/port.
Operational Status The current operational status of this DiffServ service interface.
Policy Name The name of the policy attached to the interface.

MAC Access Control List Commands

Back to Top

This section describes the commands you use to configure MAC Access Control List (ACL) settings . MAC ACLs ensure that only authorized users have access to specific resources and block any unwarranted attempts to reach network resources .

mac access-list extended

This command creates a MAC Access Control List (ACL) identified by name, consisting of classification fields defined for the Layer-2 header of an Ethernet frame. The name parameter is a case-sensitive alphanumeric string of 1-31 characters uniquely identifying the MAC access list. The rate-limit attribute configures the committed rate and the committed burst size.

If a MAC ACL by this name already exists, this command enters Mac-Access-List config mode to allow updating the existing MAC ACL.


mac access-list extended name

Mode: Global Config

mac access-list extended rename

This command changes the name of a MAC Access Control List (ACL). The name parameter is the name of an existing MAC ACL. The newname parameter is a case-sensitive alphanumeric string of 1-31 characters uniquely identifying the MAC access list.

mac access-list extended rename name newname

Mode: Global Config

deny | permit (MAC Access-List Config)

This command creates a new rule for the current MAC access list. Each rule is appended to the list of configured rules for the list. A rule may either deny or permit traffic according to the specified classification fields.

{deny|permit} {srcmac | any} {dstmac | any} [ethertypekey | 0x0600-0xFFFF] [vlan {eq 0-4095}] [cos 0-7] [[log] [time-range time-range-name] [assign-queue queue-id]] [{mirror | redirect} slot/port] [rate-limit rate burst-size]

Mode: Mac-Access-List Config

Parameters:

 

vlan The VLAN identifier.
cos 802.1p user priority.
time-range Allows imposing time limitation on the MAC ACL rule as defined by the parameter time-range-name. If a time range with the specified name does not exist and the MAC ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied immediately. If a time range with specified name exists and the MAC ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied when the time-range with specified name becomes active. The ACL rule is removed when the time-range with specified name becomes inactive.
assign-queue Allows specification of a particular hardware queue for handling traffic that matches this rule. The allowed queue-id value is 0 to (n-1), where n is the number of user configurable queues available for the hardware platform. The assign-queue parameter is valid only for a permit rule.
mirror Allows the traffic matching this rule to be copied to the specified slot/port. Only valid for a permit rule.
redirect Allows the traffic matching this rule to be forwarded to the specified slot/port. Only valid for a permit rule.
ethertype Match on a certain Ethertype value. May be specified as either a keyword or a four-digit hexadecimal value from 0x0600-0xFFFF. See the Ethertype parameters list below.

 

Ethertype Parameters:

 

appletalk 0x809B
arp 0x0806
ibmsna 0x80D5
ipv4 0x0800
ipv6 0x86DD
ipx 0x8037
mplsmcast 0x8848
mplsucast 0x8847
netbios 0x8191
novell 0x8137, 0x8138
pppoe 0x8863, 0x8864
rarp 0x8035

mac access-group

This command either attaches a specific MAC Access Control List (ACL) identified by name to an interface or all interfaces (Global Config), or associates it with a VLAN ID. The vlan keyword is only valid for the global configuration command.

mac access-group name in [vlan vlan-id in] [sequence 1–4294967295]

Modes: Global / Interface Config

Parameters:

 

name The name of the Access Control List.
vlan-id A VLAN ID associated with a specific IP ACL in a given direction.
sequence A optional sequence number that indicates the order of this IP access list relative to the other IP access lists already assigned to this interface and direction. The range is 1 to 4294967295.

show mac access-lists

This command displays a MAC access list and all of the rules that are defined for the MAC ACL.

show mac access-lists [name]

Mode: Privileged EXEC

Parameters:

 

Rule Number The ordered rule number identifier defined within the MAC ACL.
Action The action associated with each rule. The possible values are Permit or Deny.
Source MAC Address The source MAC address for this rule.
Source MAC Mask The source MAC mask for this rule.
Committed Rate The committed rate defined by the rate-limit attribute.
Committed Burst Size The committed burst size defined by the rate-limit attribute.
Destination MAC Address The destination MAC address for this rule.
Ethertype The Ethertype keyword or custom value for this rule.
VLAN ID The VLAN identifier value or range for this rule.
COS The COS (802.1p) value for this rule.
Log Displays when you enable logging for the rule.
Assign Queue The queue identifier to which packets matching this rule are assigned.
Mirror Interface The slot/port to which packets matching this rule are copied.
Redirect Interface The slot/port to which packets matching this rule are forwarded.
Time Range Name Displays the name of the time-range if the MAC ACL rule has referenced a time range.
Rule Status Status (Active/Inactive) of the MAC ACL rule.

IP Access Control List Commands

Back to Top

This section describes the commands you use to configure IP Access Control List (ACL) settings. IP ACLs ensure that only authorized users have access to specific resources and block any unwarranted attempts to reach network resources.

access-list

This command creates an IP Access Control List (ACL) that is identified by the access list number, which is 1-99 for standard ACLs or 100-199 for extended ACLs.

access-list 1-99 {deny | permit} {every | srcip srcmask} [log] [time-range time-range-name] [assign-queue queue-id] [{mirror | redirect} slot/port]
access-list 100-199 {deny | permit} {every | {{eigrp | gre | icmp | igmp | ip | ipinip | ospf | pim | tcp | udp | 0-255} {srcip srcmask|any|host srcip} [range {portkey|startport} {portkey|endport} {eq|neq|lt|gt} {portkey|0-65535}] {dstip dstmask|any|host dstip} [range {portkey|startport} {portkey|endport} {eq|neq|lt|gt} {portkey|0-65535}] [flag [+fin|-fin] [+syn|-syn] [+rst|-rst] [+psh|-psh] [+ack|-ack] [+urg|-urg] [established]] [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] [igmp-type igmp-type] [fragments] [precedence precedence | tos tos [tosmask] | dscp dscp]}} [time-range time-range-name] [log] [assign-queue queue-id] [{mirror | redirect} slot/port] [rate-limit rate burst-size]

Mode: Global Config

Parameters:

 

1-99 or 100-199 Range 1 to 99 is the access list number for an IP standard ACL. Range 100 to 199 is the access list number for an IP extended ACL.
deny | permit Specifies whether the IP ACL rule permits or denies an action.
every Match every packet.
protocol | 0-255 Specifies the protocol to filter for an extended IP ACL rule.
source IP Specifies a source IP address and source netmask for match condition of the IP ACL rule. Specifying any specifies the source IP as 0.0.0.0 and the source IP mask as 255.255.255.255. Specifying host A.B.C.D specifies the source IP as A.B.C.D and source IP mask as 0.0.0.0.
port

This option is available only if the protocol is TCP or UDP. Specifies the source Layer-4 port match condition for the IP ACL rule. You can use the port number, which ranges from 0-65535, or portkey. Port number matches only apply to unfragmented or first fragments. For both TCP and UDP, each of these keywords translates into its equivalent port number, which is used as both the start and end of a port range.

 

If range is specified, the IP ACL rule matches only if the Layer-4 port number falls within the specified port range. The startport and endport parameters identify the first and last ports that are part of the port range. They have values from 0 to 65535. The ending port must have a value equal or greater than the starting port. The starting port, ending port, and all ports in between will be part of the Layer-4 port range.

 

When eq is specified, the IP ACL rule matches only if the Layer-4 port number is equal to the specified port number or portkey.

 

When lt is specified, the IP ACL rule matches if the Layer-4 port number is less than the specified port number or portkey. It is equivalent to specifying a range of 0-<specified port number-1>.

 

When gt is specified, the IP ACL rule matches if the Layer-4 port number is greater than the specified port number or portkey. It is equivalent to specifying a range of <specified port number+1>-65535.

 

When neq is specified, the IP ACL rule matches only if the Layer-4 port number is not equal to the specified port number or portkey.

destination IP Specifies a destination IP address and netmask for match condition of the IP ACL rule. Specifying any implies a destination IP of 0.0.0.0 and destination mask of 255.255.255.255. Specifying host A.B.C.D implies a destination IP of A.B.C.D and destination mask of 0.0.0.0.
tos Specifies the TOS for an IP ACL rule depending on a match of precedence or DSCP values using the parameters dscp, precedence, tos/tosmask.
flag Specifies that the IP ACL rule matches on the TCP flags. This option is available only if the protocol is tcp. When established is specified, a match occurs if the specified RST or ACK bits are set in the TCP header.
icmp-type Specifies a match condition for ICMP packets. Specifying icmp-message implies that both icmp-type and icmp-code are specified. This option is available only if the protocol is icmp.
igmp-type When igmp-type is specified, the IP ACL rule matches on the specified IGMP message type, a number from 0 to 255. This option is available only if the protocol is IGMP.
fragments Specifies that the IP ACL rule matches on fragmented IP packets.
log Specifies that this rule is to be logged.
time-range Allows imposing time limitation on the ACL rule as defined by the parameter time-range-name
assign-queue Specifies the assign-queue, which is the queue identifier to which packets matching this rule are assigned.
mirror | redirect Specifies the mirror or redirect interface which is the slot/port to which packets matching this rule are copied or forwarded, respectively.
rate-limit Specifies the allowed rate of traffic as per the configured rate in kbps, and burst-size in kbytes.

ip access-list

This command creates an extended IP Access Control List (ACL) identified by name, consisting of classification fields defined for the IP header of an IPv4 frame. The name parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the IP access list. 

ip access-list name

Mode: Global Config

ip access-list rename

This command changes the name of an IP Access Control List (ACL). The name parameter specifies the names of an existing IP ACL. The newname parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the IP access list.

ip access-list rename name newname

Mode: Global Config

deny | permit (IPv4 Access-List Config)

This command creates a new rule for the current IP access list. Each rule is appended to the list of configured rules for the list. A rule may either deny or permit traffic according to the specified classification fields.

{deny | permit} {every | {{eigrp | gre | icmp | igmp | ip | ipinip | ospf | pim | tcp | udp | 0-255} {srcip srcmask|any|host srcip} [range {portkey|startport} {portkey|endport} {eq|neq|lt|gt} {portkey|0-65535}] {dstip dstmask|any|host dstip} [range {portkey|startport} {portkey|endport} {eq|neq|lt|gt} {portkey|0-65535}] [flag [+fin|-fin] [+syn|-syn] [+rst|-rst] [+psh|-psh] [+ack|-ack] [+urg|-urg] [established]] [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] [igmp-type igmp-type] [fragments] [precedence precedence | tos tos [tosmask] | dscp dscp]}} [time-range time-range-name] [log] [assign-queue queue-id] [{mirror | redirect} slot/port] [rate-limit rate burst-size]

Mode: IPv4-Access-List Config

Parameters:

 

deny | permit Specifies whether the IP ACL rule permits or denies an action.
every Match every packet.
protocol | 0-255 Specifies the protocol to filter for an extended IP ACL rule.
source IP Specifies a source IP address and source netmask for match condition of the IP ACL rule. Specifying any specifies the source IP as 0.0.0.0 and the source IP mask as 255.255.255.255. Specifying host A.B.C.D specifies the source IP as A.B.C.D and source IP mask as 0.0.0.0.
port

This option is available only if the protocol is TCP or UDP. Specifies the source Layer-4 port match condition for the IP ACL rule. You can use the port number, which ranges from 0-65535, or portkey. Port number matches only apply to unfragmented or first fragments. For both TCP and UDP, each of these keywords translates into its equivalent port number, which is used as both the start and end of a port range.

 

If range is specified, the IP ACL rule matches only if the Layer-4 port number falls within the specified port range. The startport and endport parameters identify the first and last ports that are part of the port range. They have values from 0 to 65535. The ending port must have a value equal or greater than the starting port. The starting port, ending port, and all ports in between will be part of the Layer-4 port range.

 

When eq is specified, the IP ACL rule matches only if the Layer-4 port number is equal to the specified port number or portkey.

 

When lt is specified, the IP ACL rule matches if the Layer-4 port number is less than the specified port number or portkey. It is equivalent to specifying a range of 0-<specified port number-1>.

 

When gt is specified, the IP ACL rule matches if the Layer-4 port number is greater than the specified port number or portkey. It is equivalent to specifying a range of <specified port number+1>-65535.

 

When neq is specified, the IP ACL rule matches only if the Layer-4 port number is not equal to the specified port number or portkey.

destination IP Specifies a destination IP address and netmask for match condition of the IP ACL rule. Specifying any implies a destination IP of 0.0.0.0 and destination mask of 255.255.255.255. Specifying host A.B.C.D implies a destination IP of A.B.C.D and destination mask of 0.0.0.0.
tos Specifies the TOS for an IP ACL rule depending on a match of precedence or DSCP values using the parameters dscp, precedence, tos/tosmask.
flag Specifies that the IP ACL rule matches on the TCP flags. This option is available only if the protocol is tcp. When established is specified, a match occurs if the specified RST or ACK bits are set in the TCP header.
icmp-type Specifies a match condition for ICMP packets. Specifying icmp-message implies that both icmp-type and icmp-code are specified. This option is available only if the protocol is icmp.
igmp-type When igmp-type is specified, the IP ACL rule matches on the specified IGMP message type, a number from 0 to 255. This option is available only if the protocol is IGMP.
fragments Specifies that the IP ACL rule matches on fragmented IP packets.
log Specifies that this rule is to be logged.
time-range Allows imposing time limitation on the ACL rule as defined by the parameter time-range-name
assign-queue Specifies the assign-queue, which is the queue identifier to which packets matching this rule are assigned.
mirror | redirect Specifies the mirror or redirect interface which is the slot/port to which packets matching this rule are copied or forwarded, respectively.
rate-limit Specifies the allowed rate of traffic as per the configured rate in kbps, and burst-size in kbytes.

ip access-group

This command either attaches a specific IP Access Control List (ACL) identified by accesslistnumber or name to an interface, all interfaces (Global Config), or associates it with a VLAN ID.

ip access-group {accesslistnumber|name} in | [vlan vlan-id in] [sequence 1-4294967295]

Modes: Global / Interface Config

Parameters:

 

accesslistnumber Identifies a specific IP ACL. The range is 1 to 199.
name The name of the Access Control List.
vlan-id A VLAN ID associated with a specific IP ACL in a given direction.
sequence A optional sequence number that indicates the order of this IP access list relative to the other IP access lists already assigned to this interface and direction. The range is 1 to 4294967295.

acl-trapflags

This command enables the ACL trap mode.

acl-trapflags

Mode: Global Config

Default: Disabled

show ip access-lists

Use this command to view summary information about all IP ACLs configured on the switch.

show ip access-lists [accesslistnumber | name]

Mode: Privileged EXEC

Parameters:

 

ACL ID/Name Identifies the configured ACL number or name.
Rules Identifies the number of rules configured for the ACL.
Direction Shows whether the ACL is applied to traffic coming into (ingress) or leaving (egress) the interface.
Interface(s) Identifies the interface(s) to which the ACL is applied (ACL interface bindings).
VLAN(s) Identifies the VLANs to which the ACL is applied (ACL VLAN bindings).
Rule Number The number identifier for each rule that is defined for the IP ACL.
Action The action associated with each rule. The possible values are Permit or Deny.
Match All Indicates whether this access list applies to every packet. Possible values are True or False.
Protocol The protocol to filter for this rule.
ICMP Type The ICMP message type for this rule.
Starting Source L4 port The starting source Layer-4 port.
Ending Source L4 port The ending source Layer-4 port.
Starting Destination L4 port The starting destination Layer-4 port.
Ending Destination L4 port The ending destination Layer-4 port.
ICMP Code The ICMP message code for this rule.
Fragments If the ACL rule matches on fragmented IP packets.
Committed Rate The committed rate defined by the rate-limit attribute.
Committed Burst Size The committed burst size defined by the rate-limit attribute.
Source IP Address The source IP address for this rule.
Source IP Mask The source IP Mask for this rule.
Source L4 Port Keyword The source port for this rule.
Destination IP Address The destination IP address for this rule.
Destination IP Mask The destination IP Mask for this rule.
Destination L4 Port Keyword The destination port for this rule.
IP DSCP The value specified for IP DSCP.
IP Precedence The value specified IP Precedence.
IP TOS The value specified for IP TOS.
Log Displays when you enable logging for the rule.
Assign Queue The queue identifier to which packets matching this rule are assigned.
Mirror Interface The slot/port to which packets matching this rule are copied.
Redirect Interface The slot/port to which packets matching this rule are forwarded.
Time Range Name Displays the name of the time-range if the IP ACL rule has referenced a time range.
Rule Status Status (Active/Inactive) of the IP ACL rule.

show access-lists

This command displays IP ACLs, IPv6 ACLs, and MAC access control lists information for a designated interface and direction.

show access-lists interface slot/port in

Mode: Privileged EXEC

Parameters:

 

ACL Type Type of access list (IP, IPv6, or MAC).
ACL ID Access List name for a MAC or IPv6 access list or the numeric identifier for an IP access list.
Sequence Number An optional sequence number may be specified to indicate the order of this access list relative to other access lists already assigned to this interface and direction. A lower number indicates higher precedence order. If a sequence number is already in use for this interface and direction, the specified access list replaces the currently attached access list using that sequence number. If the sequence number is not specified by the user, a sequence number that is one greater than the highest sequence number currently in use for this interface and direction is used. Valid range is (1 to 4294967295).

show access-lists vlan

This command displays Access List information for a particular VLAN ID. The vlan-id parameter is the VLAN ID of the VLAN with the information to view.

show access-lists vlan vlan-id in

Mode: Privileged EXEC

Parameters:

 

ACL Type Type of access list (IP, IPv6, or MAC).
ACL ID Access List name for a MAC or IPv6 access list or the numeric identifier for an IP access list.
Sequence Number An optional sequence number may be specified to indicate the order of this access list relative to other access lists already assigned to this interface and direction. A lower number indicates higher precedence order. If a sequence number is already in use for this interface and direction, the specified access list replaces the currently attached access list using that sequence number. If the sequence number is not specified by the user, a sequence number that is one greater than the highest sequence number currently in use for this interface and direction is used. Valid range is (1 to 4294967295).

IPv6 Access Control List Commands

Back to Top

This section describes the commands you use to configure IPv6 Access Control List (ACL) settings. IPv6 ACLs ensure that only authorized users have access to specific resources and block any unwarranted attempts to reach network resources.

ipv6 access-list

This command creates an IPv6 Access Control List (ACL) identified by name, consisting of classification fields defined for the IP header of an IPv6 frame.

ipv6 access-list name

Mode: Global Config

ipv6 access-list rename

This command changes the name of an IPv6 ACL. The name parameter is the name of an existing IPv6 ACL. The newname parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the IPv6 access list.

ipv6 access-list rename name newname

Mode: Global Config

deny | permit (IPv6 Access-List Config)

This command creates a new rule for the current IPv6 access list. Each rule is appended to the list of configured rules for the list. A rule may either deny or permit traffic according to the specified classification fields.

{deny | permit} {every | {{icmpv6 | ipv6 | tcp | udp | 0-255} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [{range {portkey|startport} {portkey|endport} | {eq | neq | lt | gt} {portkey|0-65535}] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [{range {portkey|startport} {portkey|endport} | {eq | neq | lt | gt} {portkey|0-65535}] [flag [+fin|-fin] [+syn|-syn] [+rst|-rst] [+psh|-psh] [+ack|-ack] [+urg|-urg] [established]] [flow-label value] [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] [routing] [fragments] [dscp dscp]}} [log] [assign-queue queue-id] [{mirror | redirect} slot/port] [rate-limit rate burst-size]

Mode: IPv6-Access-List Config

Parameters:

 

deny | permit Specifies whether the IPv6 ACL rule permits or denies an action.
every Match every packet.
protocol | 0-255 Specifies the protocol to filter for an extended IPv6 ACL rule.
source IPv6 Specifies a source IPv6 address and source netmask for match condition of the IPv6 ACL rule.
port

This option is available only if the protocol is TCP or UDP. Specifies the source Layer-4 port match condition for the IPv6 ACL rule. You can use the port number, which ranges from 0-65535, or portkey. Port number matches only apply to unfragmented or first fragments. For both TCP and UDP, each of these keywords translates into its equivalent port number, which is used as both the start and end of a port range.

 

If range is specified, the IPv6 ACL rule matches only if the Layer-4 port number falls within the specified port range. The startport and endport parameters identify the first and last ports that are part of the port range. They have values from 0 to 65535. The ending port must have a value equal or greater than the starting port. The starting port, ending port, and all ports in between will be part of the Layer-4 port range.

 

When eq is specified, the IPv6 ACL rule matches only if the Layer-4 port number is equal to the specified port number or portkey.

 

When lt is specified, the IPv6 ACL rule matches if the Layer-4 port number is less than the specified port number or portkey. It is equivalent to specifying a range of 0-<specified port number-1>.

 

When gt is specified, the IPv6 ACL rule matches if the Layer-4 port number is greater than the specified port number or portkey. It is equivalent to specifying a range of <specified port number+1>-65535.

 

When neq is specified, the IPv6 ACL rule matches only if the Layer-4 port number is not equal to the specified port number or portkey.

destination IPv6 Specifies a destination IP address and netmask for match condition of the IPv6 ACL rule. 
dscp Specifies the DSCP value to match for the IPv6 rule.
flag Specifies that the IPv6 ACL rule matches on the TCP flags. This option is available only if the protocol is tcp. When established is specified, a match occurs if the specified RST or ACK bits are set in the TCP header.
icmp-type Specifies a match condition for ICMP packets. Specifying icmp-message implies that both icmp-type and icmp-code are specified. This option is available only if the protocol is icmp.
fragments Specifies that IPv6 ACL rule matches on fragmented IPv6 packets (Packets that have the next header field is set to 44).
routing Specifies that IPv6 ACL rule matches on IPv6 packets that have routing extension headers (the next header field is set to 43).
log Specifies that this rule is to be logged.
time-range Allows imposing time limitation on the ACL rule as defined by the parameter time-range-name
assign-queue Specifies the assign-queue, which is the queue identifier to which packets matching this rule are assigned.
mirror | redirect Specifies the mirror or redirect interface which is the slot/port to which packets matching this rule are copied or forwarded, respectively.
rate-limit Specifies the allowed rate of traffic as per the configured rate in kbps, and burst-size in kbytes.

ipv6 traffic-filter

This command either attaches a specific IPv6 ACL identified by name to an interface or range of interfaces, or associates it with a VLAN ID in a given direction. This command specified in Interface Config mode only affects a single interface, whereas the Global Config mode setting is applied to all interfaces. The vlan keyword is only valid in the Global Config mode.

ipv6 traffic-filter name in | [vlan vlan-id in] [sequence 1-4294967295]

Modes: Global / Interface Config

show ipv6 access-lists

This command displays an IPv6 access list and all of the rules that are defined for the IPv6 ACL.

show ipv6 access-lists [name]

Mode: Privileged EXEC

Parameters:

 

Rule Number The ordered rule number identifier defined within the IPv6 ACL.
Action The action associated with each rule. The possible values are Permit or Deny.
Match All Indicates whether this access list applies to every packet. Possible values are True or False.
Protocol The protocol to filter for this rule.
Committed Rate The committed rate defined by the rate-limit attribute.
Committed Burst Size The committed burst size defined by the rate-limit attribute.
Source IP Address The source IP address for this rule.
Source L4 Port Keyword The source port for this rule.
Destination IP Address The destination IP address for this rule.
Destination L4 Port Keyword The destination port for this rule.
IP DSCP The value specified for IP DSCP.
Flow Label The value specified for IPv6 Flow Label.
Log Displays when you enable logging for the rule.
Assign Queue The queue identifier to which packets matching this rule are assigned.
Mirror Interface The slot/port to which packets matching this rule are copied.
Redirect Interface The slot/port to which packets matching this rule are forwarded.
Time Range Name Displays the name of the time-range if the IPv6 ACL rule has referenced a time range.
Rule Status Status (Active/Inactive) of the IPv6 ACL rule.

Time Range Commands for Time-Based ACLs

Back to Top

Time-based ACLs allow one or more rules within an ACL to be based on time. Each ACL rule within an ACL except for the implicit deny all rule can be configured to be active and operational only during a specific time period. The time range commands allow you to define specific times of the day and week in order to implement time-based ACLs. The time range is identified by a name and can then be referenced by an ACL rule defined within an ACL.

time-range

Use this command to create a time range identified by name, consisting of one absolute time entry and/or one or more periodic time entries.

time-range name

Mode: Global Config

absolute

Use this command to add an absolute time entry to a time range. Only one absolute time entry is allowed per time-range. The time parameter is based on the currently configured time zone.

absolute [start time date] [end time date]

Mode: Time-Range Config

periodic

Use this command to add a periodic time entry to a time range. The time parameter is based off of the currently configured time zone. The first occurrence of the days-of-the-week argument is the starting day(s) from which the configuration that referenced the time range starts going into effect. The second occurrence is the ending day or days from which the configuration that referenced the time range is no longer in effect. 

periodic days-of-the-week time to time

Mode: Time-Range Config

show time-range

Use this command to display a time range and all the absolute/periodic time entries that are defined for the time range.

show time-range [name]

Mode: Privileged EXEC

Parameters:

 

Admin Mode The administrative mode of the time range feature on the switch
Current number of all Time Ranges The number of time ranges currently configured in the system.
Maximum number of all Time Ranges The maximum number of time ranges that can be configured in the system.
Time Range Name Name of the time range.
Status Status of the time range (active/inactive)
Periodic Entry count The number of periodic entries configured for the time range.
Absolute Entry Indicates whether an absolute entry has been configured for the time range (Exists).

Auto-Voice over IP Commands

Back to Top

This section describes the commands you use to configure Auto-Voice over IP (VoIP) commands. The Auto-VoIP feature explicitly matches VoIP streams in Ethernet switches and provides them with a better class-of-service than ordinary traffic. When you enable the Auto-VoIP feature on an interface, the interface scans incoming traffic for the Session Initiation Protocol (SIP), H.323 and Skinny Client Control Protocol (SCCP) call-control protocols. When a call-control protocol is detected, the switch assigns the traffic in that session to the highest CoS queue, which is generally used for time-sensitive traffic.

auto-voip

Use this command to configure auto VoIP mode. The supported modes are protocol-based and oui-based. Protocol-based auto VoIP prioritizes the voice data based on the Layer-4 port used for the voice session. OUI-based auto VoIP prioritizes the phone traffic based on the known OUI of the phone.

When both modes are enabled, if the connected phone OUI is one of the configured OUI, then the voice data is prioritized using OUI Auto VoIP, otherwise protocol-based auto VoIP is used to prioritize the voice data. Active sessions are cleared if protocol-based auto VoIP is disabled on the port.

auto-voip [protocol-based | oui-based]

Modes: Global / Interface Config

Default: oui-based

auto-voip oui

Use this command to configure an OUI for Auto VoIP. The traffic from the configured OUI will get the highest priority over the other traffic. The oui-prefix is a unique OUI that identifies the device manufacturer or vendor. The OUI is specified in three octet values (each octet represented as two hexadecimal digits) separated by colons. The string is a description of the OUI that identifies the manufacturer or vendor associated with the OUI.

auto-voip oui oui-prefix oui-desc string

Mode: Global Config

auto-voip oui-based priority

Use this command to configure the global OUI based auto VoIP (802.1p) priority.

auto-voip oui-based priority priority-value

Mode: Global Config

Default: 7

auto-voip protocol-based

Use this command to configure the global protocol-based auto VoIP remarking priority or traffic-class. If remark priority is configured, the voice data of the session is remarked with the priority configured through this command. The remark-priority is the 802.1p priority used for protocol-based VoIP traffic. The tc value is the traffic class used for protocol-based VoIP traffic.

auto-voip protocol-based {remark remark-priority | traffic-class tc}

Mode: Global Config

Default: 7

auto-voip vlan

Use this command to configure the global Auto VoIP VLAN ID. The VLAN behavior is depend on the configured auto VoIP mode. The auto-VoIP VLAN is the VLAN used to segregate VoIP traffic from other non-voice traffic. All VoIP traffic that matches a value in the known OUI list gets assigned to this VoIP VLAN.

auto-voip vlan vlan-id

Mode: Global Config

show auto-voip

Use this command to display the auto VoIP settings on the interface or interfaces of the switch.

show auto-voip {protocol-based|oui-based} interface {slot/port|all}

Mode: Privileged EXEC

Parameters:

 

VoIP VLAN ID The global VoIP VLAN ID.
Prioritization Type The type of prioritization used on voice traffic.
Class Value If the Prioritization Type is configured as traffic-class, then this value is the queue value. If the Prioritization Type is configured as remark, then this value is 802.1p priority used to remark the voice traffic.
Priority The 802.1p priority. This field is valid for OUI auto VoIP.
AutoVoIP Mode The Auto VoIP mode on the interface.

show auto-voip oui-table

Use this command to display the VoIP OUI table information.

show auto-voip oui-table

Mode: Privileged EXEC

Parameters:

 

OUI OUI of the source MAC address.
Status Default or configured entry.
OUI Description Description of the OUI.

Related Articles

EdgeSwitch - Configuration and Administration Guides

Intro to Networking - How to Establish a Connection Using SSH

Was this article helpful?