This reference lists the commands to configure the UniFi Data Center (UDC) Leaf / Spine software features using the Ubiquiti Network Operating System (UNS) command line interface (CLI). The information in this reference is intended for system administrators who are responsible for configuring and operating a network using UDC Leaf / Spine devices.

This document applies to the current Early Access release of UDC Leaf and is subject to change with updated releases.

To obtain the greatest benefit from this reference, you should have an understanding of the base software and should have read the specification for your networking device platform. You should also have basic knowledge of Ethernet and networking concepts.

Using the Command Line Interface
Management Commands
Utility Commands
Switching Commands
Routing Commands
- IP Routing Commands (for management interface)
Quality of Service Commands
- Class of Service Commands
VXLAN Commands
- VXLAN L2 Overlay Commands

Using the Command Line Interface

Conventions for commands

This document uses the following conventions to describe what you should do in each command.

Table. Parameter Conventions

Symbol	What this convention is used for
[ ] square brackets	An optional value.
italic font	A variable whose value you should enter.
{ } curly braces	A set of choices where one must be chosen
\| vertical bar	Choices that are mutually exclusive.

Command Modes

Commands are part of the following modes based on command function. The following table describes thes command modes.

Table. CLI Command Modes

Mode	Command Prompt	Description	How to access
User Exec	Switch>	Commands to view basic system information.	n/a
Privileged Exec	Switch#	General view commands and access to other modes	Enter enable from User Exec
Global Config	Switch (Config)#	Most setup commands	Enter config from Privileged Exec
VLAN Config	Switch (Vlan)#	All VLAN commands.	Enter vlan database from Privileged Exec
VXLAN Config	Switch (Vxlan id vni)#	All the VXLAN commands for VNI vni	Enter vxlan vni from Global Config
Interface Config	Switch (Interface slot/port)#	Setup commands for an individual interface	Enter interface slot/port from Global Config
Line SSH	Switch (config-ssh)#	Commands for SSH configuration	Enter line ssh from Global Config

To exit any mode and return to the previous, enter exit.

Management Commands

Secure Shell Commands

ip ssh

Use this command to enable system SSH access. This command is the same as ip ssh server enable.

ip ssh

Mode: Privileged Exec

ip ssh port

Use this command to change the SSH port.

This command sets the SSH server listen port number.

ip ssh port 1-65535

Mode: Privileged Exec

Default: 22

no ip ssh port

Use this command to set the SSH port back to default (22).

no ip ssh port

ip ssh server enable

Use this command to enable system SSH access.

ip ssh server enable

Mode: Privileged Exec

no ip ssh server enable

Use this command to disable IP SSH access.

no ip ssh server enable

Mode: Privileged Exec

sshcon timeout

Use this command to change the number of minutes before an SSH connection times out. The time must be between 1 and 160 minutes.

sshcon timeout 1-160

Mode: Privileged Exec

Default: 5

no sshcon timeout

Use this command to reset the SSH timeout time to default (5 minutes).

no sshcon timeout

Mode: Privileged Exec

show ip ssh

Use this command to show IP SSH server settings.

no sshcon timeout

Mode: Privileged Exec

User Account Commands

Use this command to configure login authentication. default specifies that the listed authentication methods should be used as the default method list when a user logs in, while providing a list-name define a string used to name this list of methods. methods can be any of the following:

- none: No authentication.

- local: Local username database.

aaa authentication login {default | list-name} method1 [method2...]

Mode: Global Config

no aaa authentication login

Use this command to return to default authentication method ordering.

no aaa authentication login {default | list-name}

Mode: Global Config

aaa authentication enable

Use this command to change the authentication method for changing command modes. aaa authentication enable uses the default and optional list names created by this command.

aaa authentication enable {default | list-name} method1 [method2...]

Mode: Global Config

no aaa authentication enable

Use this command to change the authentication method back to default.

no aaa authentication enable {default | list-name}

Mode: Global Config

enable authentication

Use this command to set the authentication method list for changing modes when on a remote connection.

enable authentication {default}

Mode: Line Config

no enable authentication

Use this command to set the authentication list back to default for changing modes when on a remote connection.

no enable authentication {default}

Mode: Line Config

Use this command to set the method for authentication during line access (SSH). By default, this uses the default set by aaa authentication login.

Mode: Line Config

no login authentication

Use this command to change to the default value for login authentication.

no login authentication

Mode: Line Config

password

A user can use this command to change her password, for instance after a password has aged.

password

Mode: User Exec

enable password

Use this command to set a password for access control to Privileged Exec mode. The encrypted parameter sets an encrypted password from another switch configuration; it should be a 128 character AES password.

enable password [password [encrypted]]

Mode: Privileged Exec

no enable password

Use this command to disable the password requirement.

no enable password

Mode: Privileged Exec

write memory

Use this command to save configuration changes. When the system reboots, configuration changes will stay.

write memory [confirm]

Mode: Privileged Exec

Prelogin Banner, System Prompt, and Host Name Commands

set clibanner

Use this command to set a login banner of up to 2000 characters (within double quotes).

This command defines a login banner. Parameter clibanner is up to 2000 character inside double quotes.

set clibanner clibanner

Mode: Global Config

no set clibanner

Use this command to remove the login banner.

no set clibanner

Mode: Global Config

show clibanner

Use this command to enable displaying the CLI banner.

show clibanner

Mode: Privileged Exec

set prompt

Use this command to change the name of the prompt.

set prompt prompt_string

Mode: Privileged Exec

hostname

Use this command to define the hostname of the switch of up to 64 characters.

hostname hostname

Mode: Privileged Exec

Utility Commands

Use this command to show switch system information.

show sysinfo

Mode: Privileged Exec

Logging Commands

logging buffered

Use this command to enable in-memory logging (up to 128 logs).

Use this command to configure the settings for the logging host. Up to eight hosts can be configured.

Use this command to clear buffered logging.

clear logging persistent

Mode: Privileged Exec

System Utility and Clear Commands

clear config

Use this command to reset configuration to factory defaults.

clear config

Mode: Privileged Exec

clear vlan

Use this command to reset VLAN configuration to factory defaults.

clear vlan

Mode: Privileged Exec

ping

Use this command to ping a device on the network.

ping {address | hostname [count count] [interval 1-60] [size size] [ipv4 ip-address | {slot/port | vlan 1-4093 | network}]

Mode: Privileged Exec, User Exec

Default: Count - 5, Interval - 3 seconds, Size - 0

reload

Use this command to reset the switch, restoring to the stored configuration.

Use this command to enable acting as an NTP client.

ntp client

Mode: Global Config

no ntp client

Use this command to disable acting as an NTP client.

no ntp client

Mode: Global Config

show ntp

Use this command to show configuration for NTP.

show ntp

Mode: Privileged Exec

Time Zone Commands

show clock

Use this command to show current date and time.

show clock

Mode: Privileged Exec

show clock detail

Use this command to show system time as well as configuration for summer time and time zone.

show clock detail

Mode: Privileged Exec

Switching Commands

Port Configuration Commands

interface

Use this command to access Interface Config mode for a specific port or range of ports.

interface {slot/port | slot/port-slot/port}

Mode: Privileged Exec

auto-negotiate

Use this command to enable auto negotiation.

auto-negotiate

Mode: Interface Config

Default: Enabled

no auto-negotiate

Use this command to disable auto negotiation.

no auto-negotiate

Mode: Interface Config

auto-negotiate all

Use this command to enable auto negotiation on all ports.

auto-negotiate all

Mode: Global Config

no auto-negotiate all

Use this command to disable auto negotiation on all ports.

no auto-negotiate all

Mode: Global Config

description

Use this command to set the description on an interface or range of interfaces.

description desc

Mode: Interface Config

no description

Use this command to remove a description from an interface or range of interfaces.

no description

Mode: Interface Config

mtu

Use this command to set the maximum transmission unit (MTU) size in bytes.

mtu 1518-12288

Mode: Interface Config

Default: 1518 (untagged)

no mtu

Use this command to set MTU to default.

no mtu

Mode: Interface Config

shutdown

Use this command to disable a port or range of ports.

shutdown

Mode: Interface Config

no shutdown

Use this command to enable a port or range of ports.

no shutdown

Mode: Interface Config

shutdown all

Use this command to disable all ports.

shutdown all

Mode: Global Config

no shutdown all

Use this command to enable all ports.

no shutdown all

Mode: Global Config

flowcontrol

Use this command to enable 802.3x flow control to manage data transfer rates between devices.

flowcontrol

Mode: Global Config, Interface Config

no flowcontrol

Use this command to disable 802.3x flow control.

no flowcontrol

Mode: Global Config, Interface Config

show flowcontrol

Use this command to display flow control configuration.

show flowcontrol

Mode: Privileged Exec

speed

Use this command to set the speed that will be advertised by a port or range of ports. The auto keyword sets auto-negotiation on the port.

speed {auto {100G | 40G | 25G | 10G | 1000 | 100 | 10} [40G | 10G | 1000 | 100 | 10] [half-duplex | full-duplex] | {100G | 40G | 25G | 10G | 1000 | 100 | 10} {half-duplex | full-duplex}}

Mode: Interface Config

fec

Use this command to enable forward error correction (FEC) on a port or range of ports. cl74 is default for 25G; cl91 is default for 100G.

fec {cl74 | cl91}

Mode: Interface Config

no fec

Use this command to disable forward error correction (FEC) on a port or range of ports.

no fec

Mode: Interface Config

show port

Use this command to display port information.

show port {intf-range | all}

Mode: Privileged Exec

show port advertise

Use this command to display auto-negotiation information for a port.

show port advertise [slot/port]

Mode: Privileged Exec

show port description

Use this command to display the interface description.

show port description slot/port

Mode: Privileged Exec

Spanning Tree Protocol Commands

spanning-tree

Use this command to enable spanning tree.

spanning-tree

Mode: Global Config

no spanning-tree

Use this command to disable spanning tree.

no spanning-tree

Mode: Global Config

spanning-tree configuration name

Use this command to set the configuration identifier name to identify the current spanning tree configuration.

spanning-tree configuration name name

Mode: Global Config

Default: Base MAC address

no spanning-tree configuration name

Use this command to reset the configuration identifier name to default.

no spanning-tree configuration name

Mode: Global Config

spanning-tree configuration revision

Use this command to set the configuration revision label to identify the current spanning tree configuration.

spanning-tree configuration revision 0-65535

Mode: Global Config

Default: 0

no spanning-tree configuration revision

Use this command to set the configuration revision label to default.

no spanning-tree configuration revision

Mode: Global Config

spanning-tree auto-edge

Use this command to enable the interface to serve as an edge port in the case that it does not receive BPDUs within a period of time.

spanning-tree auto-edge

Mode: Interface Config

no spanning-tree auto-edge

Use this command to disable auto-edge status for the port.

no spanning-tree auto-edge

Mode: Interface Config

spanning-tree bpdumigrationcheck

Use this command to require transmission of multiple spanning tree (MSTP) and rapid spanning tree (RSTP). This can be from all interfaces or a specific interface using the slot/port parameter. This command forces transmission but does not change system configuration.

spanning-tree bpdumigrationcheck {slot/port | all}

Mode: Global Config

spanning-tree cost

Use this command to set the external path cost for use in an MST instance. The auto keyword sets the speed automatically based on interface speed. The cost value can range from 1 to 200,000,000.

spanning-tree cost {cost | auto}

Mode: Interface Config

no spanning-tree cost

Use this command to set the auto-edge status to default.

no spanning-tree cost

Mode: Interface Config

spanning-tree edgeport

Use this command to specify that an interface is an edge port in the common and internal spanning tree, allowing the port to immediately transition to forwarding state.

spanning-tree edgeport

Mode: Interface Config

no spanning-tree edgeport

Use this command to specify that a port is not an edge port within the common and internal spanning tree.

no spanning-tree edgeport

Mode: Interface Config

spanning-tree forceversion

Use this command to set the force protocol version to a new value.

spanning-tree forceversion {802.1d | 802.1s | 802.1w}

Mode: Global Config

Default: 802.1s

no spanning-tree forceversion

Use this command to set the force protocol version to default.

no spanning-tree forceversion

Mode: Global Config

spanning-tree forward-time

Use this command to set the bridge delay parameter for the common and internal spanning tree. The value can range from 4 to 30 seconds and must be greater than or equal to (Bridge Max Age / 2) + 1.

spanning-tree forward-time 4-30

Mode: Global Config

Default: 15

no spanning-tree forward-time

Use this command to set the bridge forward delay parameter to default.

spanning-tree forward-time

Mode: Global Config

spanning-tree max-age

Use this command to set the bridge max age parameter for the common and internal spanning tree. The value can range from 6 to 40 seconds and must be less than or equal to 2 x (Bridge Forward Delay - 1).

spanning-tree max-age 6-40

Mode: Global Config

Default: 20

no spanning-tree max-age

Use this command to set the bridge max age parameter to default.

no spanning-tree max-age

Mode: Global Config

spanning-tree max-hops

Use this command to set the bridge max hops parameter for the common and internal spanning tree.

spanning-tree max-hops 6-40

Mode: Global Config

Default: 20

no spanning-tree max-hops

Use this command to set the bridge max hops parameter to default.

no spanning-tree max-hops

Mode: Global Config

spanning-tree port mode

Use this command to enable administrative switch port state for the spanning tree.

spanning-tree port mode

Mode: Interface Config

Default: Enabled

no spanning-tree port mode

Use this command to set the administrative switch port state for this port to disabled. This disables the port for use by the spanning tree.

no spanning-tree port mode

Mode: Interface Config

spanning-tree port mode all

Use this command to set the administrative switch port state to enabled for all ports.

spanning-tree port mode all

Mode: Global Config

Default: Enabled

no spanning-tree port mode all

Use this command to set the administrative switch port state to disabled for all ports.

no spanning-tree port mode all

Mode: Global Config

spanning-tree tcnguard

Use this command to enable TCN Guard on an interface. This restricts the interface from transmitting any topology change received through the interface.

spanning-tree tcnguard

Mode: Interface Config

Default: Enabled

no spanning-tree tcnguard

Use this command to set the TCN Guard parameter for an interface to default.

no spanning-tree tcnguard

Mode: Interface Config

spanning-tree transmit

Use this command to set the bridge transmit hold count parameter. hold-count can be an integer from 1 to 10.

spanning-tree transmit hold-count

Mode: Global Config

Default: 6

no spanning-tree transmit

Use this command to reset the bridge transmit hold count parameter to default.

no spanning-tree transmit

Mode: Global Config

show spanning-tree

Use this command to display settings for the common and internal spanning tree.

show spanning-tree

Mode: Privileged Exec

VLAN Commands

vlan database

Use this command to enter VLAN Config mode.

vlan database

Mode: Privileged Exec

network mgmt_vlan

Use this command to set the management VLAN ID.

network mgmt_vlan 1-4093

Mode: Privileged Exec

Default: 1

no network mgmt_vlan

Use this command to reset the management VLAN ID back to the default.

no network mgmt_vlan

Mode: Privileged Exec

vlan

Use this command to create a new VLAN and assign it an ID.

vlan 2-4093

Mode: VLAN Config

no vlan

Use this command to delete a VLAN.

no vlan 2-4093

Mode: VLAN Config

vlan acceptframe

Use this command to set frame acceptance for an interface.

vlan acceptframe {admituntaggedonly | vlanonly | all}

Mode: Interface Config

Default: All

no vlan acceptframe

Use this command to reset the frame acceptance mode on an interface back to default.

no vlan acceptframe

Mode: Interface Config

vlan ingressfilter

Use this command to enable ingress filtering on an interface. If disabled, the port can receive frames from different VLAN IDs and forward to ports with that VLAN membership.

vlan ingressfilter

Mode: Interface Config

Default: Disabled

no vlan ingressfilter

This command sets the ingress filtering setting to default for an interface.

no vlan ingressfilter

Mode: Interface Config

vlan name

Use this command to set the name of a VLAN, up to 32 characters.

vlan name 1-4093 name

Mode: VLAN Config

Default: VLAN 1 is "default", and others are blank

no vlan name

Use this command to set the name of a VLAN to blank.

no vlan name 1-4093

Mode: VLAN Config

vlan participation

Use this command to define the participation for an interface in a VLAN.

vlan participation {exclude | include | auto} 1-4093

Mode: Interface Config

vlan participation all

Use this command to define the participation for all interfaces in a VLAN.

vlan participation all {exclude | include | auto} 1-4093

Mode: Global Config

vlan port acceptframe all

Use this command to set VLAN acceptance mode for all ports.

vlan port acceptframe all {vlanonly | admituntaggedonly | all}

Mode: Global Config

vlan port ingressfilter all

Use this command to enable ingress filtering for all interfaces.

vlan port ingressfilter all

Mode: Global Config

no vlan port ingressfilter all

Use this command to disable ingress filtering for all interfaces.

no vlan port ingressfilter all

Mode: Global Config

vlan port pvid all

Use this command to change the VLAN ID for all interfaces.

vlan port pvid all 1-4093

Mode: Global Config

no vlan port pvid all

Use this command to change the VLAN ID for all interfaces to 1.

no vlan port pvid all

Mode: Global Config

vlan port tagging all

Use this command to enable VLAN tagging behavior for all interfaces.

vlan port tagging all 1-4093

Mode: Global Config

no vlan port tagging all

Use this command to disable tagging behavior for all interfaces.

no vlan port tagging all

Mode: Global Config

vlan pvid

Use this command to change the VLAN ID on an interface.

vlan pvid 1-4093

Mode: Interface Config

Default: 1

no vlan pvid

Use this command to reset the VLAN ID on an interface back to default (1).

no vlan pvid

Mode: Interface Config

vlan tagging

Use this command to enable VLAN tagging behavior for an interface.

vlan tagging 1-4093

Mode: Interface Config

no vlan tagging

Use this command to disable VLAN tagging behavior for an interface.

no vlan tagging 1-4093

Mode: Interface Config

vlan association mac

Use this command to tie a VLAN to a MAC address.

vlan association mac macaddr vlanid

Mode: VLAN Config

no vlan association mac

Use this command to remove the association of a VLAN to a MAC address.

no vlan association mac macaddr

Mode: VLAN Config

show vlan

Use this command to display information about configured VLANs.

show vlan vlanid

Mode: Privileged Exec, VLAN Config

show vlan brief

Use this command to display a list of all VLANs.

show vlan brief

Mode: Privileged Exec

show vlan port

Use this command to display VLAN port information.

show vlan port slot/port

Mode: Privileged Exec, VLAN Config

show vlan association mac

Use this command to display how MACs are associated with VLANs.

show vlan association mac

Mode: Privileged Exec

Provisioning (IEEE 802.1p) Commands

vlan port priority all

Use this command to set the port priority for untagged packets on all ports. The priority range is 0-7.

vlan port priority all 0-7

Mode: Global Config

vlan priority

Use this command to configure port priority for untagged packets on a specific port. The priority range is 0-7.

vlan priority 0-7

Mode: Interface Config

Protected Ports Commands

Note: Protected Port commands are not needed for typical VXLAN functionality. As such, they are currently considered experimental for UDC Leaf.

switchport protected

Use this command to make a protected port group. The parameter groupid sets the set of protected ports. name can be up to 32 characters long.

switchport protected groupid name name

Mode: Global Config

Default: Unprotected

no switchport protected

Use this command to remove a protected port group.

no switchport protected groupid

Mode: Global Config

switchport protected

Use this command to include an interface in a protected port group.

switchport protected groupid

Mode: Interface Config

no switchport protected

Use this command to remove an interface from a protected port group.

no switchport protected groupid

Mode: Interface Config

show switchport protected

Use this command to display the status of interfaces (protected / unprotected).

show switchport protected groupid

Mode: Privileged Exec, User Exec

Port-Based Network Access Control Commands

show authentication methods

Use this command to show authentication methods.

show authentication methods

Mode: Privileged Exec

Storm-Control Commands

storm-control broadcast

Use this command to enable broadcast storm recovery for all interfaces (Global Config) or an interface (Interface Config). If enabled, traffic will be dropped on an interface if it increases above the configured threshold.

storm-control broadcast

Mode: Global Config, Interface Config

Default: Disabled

no storm-control broadcast

Use this command to disable broadcast storm recovery for all interfaces (Global Config) or an interface (Interface Config).

no storm-control broadcast

Mode: Global Config, Interface Config

storm-control broadcast level

Use this command to set the broadcast storm recovery threshold for all interfaces (Global Config) or an interface (Interface Config) and enable broadcast storm recovery. The threshold is a percentage of link speed. The rate of broadcast traffic is limited to the set threshold.

storm-control broadcast level 0-100

Mode: Global Config, Interface Config

Default: 5

no storm-control broadcast level

Use this command to set the broadcast storm recovery threshold for all interfaces (Global Config) or an interface (Interface Config) to default. This command also disables broadcast storm recovery.

no storm-control broadcast level

Mode: Global Config, Interface Config

storm-control broadcast rate

Use this command to set the broadcast storm recovery threshold for all interfaces (Global Config) or an interface (Interface Config) and enable broadcast storm recovery. The threshold is in packets per second. The rate of broadcast traffic is limited to the set threshold.

storm-control broadcast rate 0-99999999

Mode: Global Config, Interface Config

Default: 0

no storm-control broadcast rate

Use this command to set the broadcast storm recovery threshold for all interfaces (Global Config) or an interface (Interface Config) to default. This command also disables broadcast storm recovery.

no storm-control broadcast rate

Mode: Global Config, Interface Config

storm-control multicast

Use this command to enable multicast storm recovery for all interfaces (Global Config) an an interface (Interface Config). The rate of multicast traffic is limited to the set threshold.

storm-control multicast

Mode: Global Config, Interface Config

Default: Disabled

no storm-control multicast

Use this command to disable multicast storm recovery mode for all interfaces (Global Config) or an interface (Interface Config).

no storm-control multicast

Mode: Global Config, Interface Config

storm-control multicast level

Use this command to set the multicast storm recovery threshold for all interfaces (Global Config) or an interface (Interface Config) and enable multicast storm recovery. The threshold is a percentage of link speed. The rate of multicast traffic is limited to the set threshold.

storm-control multicast level 0-100

Mode: Global Config, Interface Config

Default: 5

no storm-control multicast level

Use this command to set the multicast storm recovery threshold for all interfaces (Global Config) or an interface (Interface Config) to default. This command also disables multicast storm recovery.

no storm-control multicast level

Mode: Global Config, Interface Config

storm-control multicast rate

Use this command to set the multicast storm recovery threshold for all interfaces (Global Config) or an interface (Interface Config) and enable multicast storm recovery. The threshold is in packets per second. The rate of multicast traffic is limited to the set threshold.

storm-control multicast rate 0-99999999

Mode: Global Config, Interface Config

Default: 0

no storm-control multicast rate

Use this command to set the multicast storm recovery threshold for all interfaces (Global Config) or an interface (Interface Config) to default. This command also disables multicast storm recovery.

no storm-control multicast rate

Mode: Global Config, Interface Config

storm-control unicast

Use this command to enable unicast storm recovery for all interfaces (Global Config) an an interface (Interface Config). The rate of unicast traffic is limited to the set threshold.

storm-control unicast

Mode: Global Config, Interface Config

Default: Disabled

no storm-control unicast

Use this command to disable unicast storm recovery mode for all interfaces (Global Config) or an interface (Interface Config).

no storm-control unicast

Mode: Global Config, Interface Config

storm-control unicast level

Use this command to set the unicast storm recovery threshold for all interfaces (Global Config) or an interface (Interface Config) to default. This command also disables unicast storm recovery.

storm-control unicast level 0-100

Mode: Global Config, Interface Config

Default: 5

no storm-control unicast level

Use this command to set the unicast storm recovery threshold for all interfaces (Global Config) or an interface (Interface Config) to default. This command also disables unicast storm recovery.

no storm-control unicast level

Mode: Global Config, Interface Config

storm-control unicast rate

Use this command to set the unicast storm recovery threshold for all interfaces (Global Config) or an interface (Interface Config) and enable unicast storm recovery. The threshold is in packets per second. The rate of unicast traffic is limited to the set threshold.

storm-control unicast rate 0-99999999

Mode: Global Config, Interface Config

Default: 0

no storm-control unicast rate

Use this command to set the unicast storm recovery threshold for all interfaces (Global Config) or an interface (Interface Config) to default. This command also disables unicast storm recovery.

no storm-control unicast rate

Mode: Global Config, Interface Config

show storm-control

Use this command to show information about storm-control settings.

show storm-control [all | slot/port]

Mode: Privileged Exec

Port-Channel/LAG (802.3ad) Commands

Note: LAG commands are not needed for typical VXLAN functionality. As such, they are currently considered experimental for UDC Leaf.

It is not necessary to use LAG to enable multiple connections between a UDC Leaf switch and another Leaf or Spine switch in a VXLAN use case. See this article for details.

port-channel

Use this command to create a new port-channel (LAG), also creating a logical slot/port number for it. The show port channel command will then show the slot/port number for the newly-created logical interface.

port-channel name

Mode: Global Config

no port-channel

Use this command to delete a port-channel (LAG) on a logical interface.

no port-channel {slot/port}

Mode: Global Config

addport

Use this command to add a port to a port-channel / LAG. The lag-intf_num parameter refers to the LAG identifier (following but excluding "3/" when shown using show port-channel all).

addport lag lag-intf_num

Mode: Interface Config

deleteport

Use this command to delete a port from a port-channel / LAG.

deleteport lag lag-intf_num

Mode: Interface Config

interface lag

Use this command to enter Interface Config mode for a port-channel / LAG.

interface lag lag-interface-number

Mode: Global Config

port-channel name

Use this command to define a name for a port-channel / LAG.

port-channel name {logical slot/port} name

Mode: Global Config

show port-channel all

Use this command to display information for all port-channels / LAGs.

show port-channel all

Mode: Privileged Exec

Port Mirroring Commands

monitor session

Use this command to configure a probe port and a monitored port. Using rx sets the monitoring session to monitor only ingress packets; tx sets the monitoring session to monitor only egress packets; not using either parameter sets the monitoring session to monitor both ingress and egress packets. The probe port may be a VLAN session (all VLAN ports monitored).

The mode parameter enables administrative mode. If it is set, the probe port monitors all traffic transmitted and received on the physical monitored port.

monitor session session-id destination {interface slot/port | mode | source {interface slot/port} | [rx|tx]}

Mode: Global Config

no monitor session

Use this command without the optional parameters to remove the port monitoring session. Use the optional parameters to remove destination / mode / source from a given session.

no monitor session-id [destination interface slot/port | mode | source {interface slot/port | vlan vlan-id}]

Mode: Global Config

no monitor

This removes all monitoring source / destination ports.

no monitor

Mode: Global Config

show monitor session

Use this command to display port monitoring information.

show monitor session {session-id | all}

Mode: Privileged Exec

LLDP (802.1AB) Commands

lldp run

Use this command set LLDP to enabled.

lldp run

Mode: Global Config

no lldp run

Use this command to set LLDP to disabled.

no lldp run

Mode: Global Config

lldp transmit

Use this command to allow LLDP to advertise capabilities on an interface or range of interfaces. Use all in Global Config.

lldp transmit [all]

Mode: Interface Config, Global Config

Default: Disabled

no lldp transmit

Use this command to set local data transmission to default. Use all in Global Config.

no lldp transmit [all]

Mode: Interface Config, Global Config

lldp receive

Use this command to enable LLDP receiving on an interface or range of interfaces. Use all in Global Config.

lldp receive [all]

Mode: Interface Config, Global Config

Default: Disabled

no lldp receive

Use this command to return LLDP receiving mode to default. Use all in Global Config.

no lldp receive [all]

Mode: Interface Config, Global Config

lldp timers

Use this command to set timing parameters for data transmission ports with LLDP enabled. interval-seconds sets the length to wait between transmitting LLDPDUs (range: 5-32768 sec). hold-value is the multiplier on the transmit interval for setting TTL in local data LLDPDUs (range 2-10).

lldp timers [interval interval-seconds] [hold hold-value]

Mode: Global Config

Default: Interval - 30 sec; Hold: 4

no lldp timers

Use this command to set LLDP timing settings to default.

no lldp timers [interval] [hold]

Mode: Global Config

lldp transmit-tlv

Use this command to set which type length values (TLVs) are transmitted in the LLDPDUs. sys-cap (only option currently implemented) allows transmitting system capabilities.

lldp transmit-tlv [sys-cap]

Mode: Global Config

Default: No TLVs included

no lldp transmit-tlv

Use this command to remove a TLV from LLDPDUs. Not including parameters removes all optional TLVs.

no lldp transmit-tlv [sys-cap]

Mode: Global Config

lldp transmit-mgmt

Use this command to include local system management address information in LLDPDUs.

lldp transmit-mgmt

Mode: Global Config

no lldp transmit-mgmt

Use this command to exclude local system management address information in LLDPDUs.

no lldp transmit-mgmt

Mode: Global Config

lldp set-port-description

Use this command to enable auto-setting port description on interfaces. with LLDP-to-LLDP neighbor's name or number of LLDP neighbors.

lldp set-port-description

Mode: Global Config

no lldp set-port-description

Use this command to disable auto-setting port description on interfaces. with LLDP-to-LLDP neighbor's name or number of LLDP neighbors.

no lldp set-port-description

Mode: Global Config

show lldp

Use this command to display LLDP configuration.

show lldp

Mode: Privileged Exec

show lldp interface

Use this command to show a summary of LLDP configuration for a specific interface or all interfaces.

show lldp interface {slot/port | all}

Mode: Privileged Exec

show lldp statistics

Use this command to display LLDP traffic and remote table statistics.

show lldp statistics {slot/port | all}

Mode: Privileged Exec

show lldp remote-device

Use this command to display summary information about remove devices transmitting LLDP data.

show lldp remote-device {slot/port | all}

Mode: Privileged Exec

show lldp remote-device detail

Use this command to display summary information about remove devices transmitting LLDP data in detail.

show lldp remote-device detail slot/port

Mode: Privileged Exec

show lldp local-device

Use this command to display information about advertised LLDP local data.

show lldp local-device {slot/port | all}

Mode: Privileged Exec

show lldp local-device detail

Use this command to display information about advertised LLDP local data in detail.

show lldp local-device detail slot/port

Mode: Privileged Exec

Denial of Service Commands

dos-control all

Use this command to enable Denial of Service protection checks.

dos-control all

Mode: Global Config, Interface Config

Default: Disabled

no dos-control all

Use this command to disable Denial of Service protection checks.

no dos-control all

Mode: Global Config, Interface Config

dos-control sipdip

Use this command to enable Denial of Service protection for Source IP address = Destination IP address (SIP = DIP). Ingressed packets where SIP = DIP will be dropped.

dos-control sipdip

Mode: Global Config, Interface Config

Default: Disabled

no dos-control sipdip

Use this command to disable SIP = DIP DoS protection.

no dos-control sipdip

Mode: Global Config, Interface Config

dos-control firstfrag

Use this command to enable Denial of Service protection for Minimum TCP Header Size. Ingressed packets where TCP Header Size is smaller than the configured value will be dropped. If you enable dos-control firstfrag but do not provide a value, the system sets Minimum TCP Header Size to 20.

dos-control firstfrag [0-255]

Mode: Global Config, Interface Config

Default: Disabled / 20

no dos-control firstfrag

Use this command to disable Minimum TCP Header Size DoS protection.

no dos-control firstfrag

Mode: Global Config, Interface Config

dos-control tcpfrag

Use this command to enable Denial of Service protection for TCP Fragment. Ingressed packets having IP Fragment Offset equal to 1 will be dropped.

dos-control tcpfrag

Mode: Global Config, Interface Config

Default: Disabled

no dos-control tcpfrag

Use this command to disable TCP Fragment Denial of Service protection.

no dos-control tcpfrag

Mode: Global Config, Interface Config

dos-control tcpflag

Use this command to enable Denial of Service protection for TCP Flag. Ingressed packets having TCP Flag SYN set and a source port <1024, or having TCP Control Flags set to 0 and TCP Sequence number set to 0, or having TCP Flags FIN, URG, and PSH set and TCP Sequence Number set to 0, or having TCP Flags SYN and FIN both set, will be dropped.

dos-control tcpflag

Mode: Global Config, Interface Config

Default: Disabled

no dos-control tcpflag

Use this command to disable TCP Flag Denial of Service protection.

no dos-control tcpflag

Mode: Global Config, Interface Config

dos-control l4port

Use this command to enable Denial of Service protections for L4 Port. Ingressed packets having Source TCP / UDP port number equal to Destination TCP / UDP port number will be dropped.

dos-control l4port

Mode: Global Config, Interface Config

Default: Disabled

no dos-control l4port

Use this command to disable L4 Port Denial of Service protection.

no dos-control l4port

Mode: Global Config, Interface Config

dos-control smacdmac

Use this command to enable Denial of Service protections for Source MAC address = Destination MAC address (SMAC = DMAC). Ingressed packets having SMAC = DMAC will be dropped.

dos-control smacdmac

Mode: Global Config, Interface Config

Default: Disabled

no dos-control smacdmac

Use this command to disable SMAC = DMAC Denial of Service protection.

no dos-control smacdmac

Mode: Global Config, Interface Config

dos-control tcpflagseq

Use this command to enable Denial of Service protections for TCP Flag and Sequence. Ingressed packets having having TCP Flag SYN set and source port <1024, or TCP Control Flags set to 0 and TCP Sequence Number set to 0, or TCP Flags FIN, URG, and PSH set and TCP Sequence Number set to 0, or TCP Flags SYN and FIN both set will be dropped.

dos-control tcpflagseq

Mode: Global Config, Interface Config

Default: Disabled

no dos-control tcpflagseq

Use this command to disable TCP Flag and Sequence Denial of Service protection.

no dos-control tcpflagseq

Mode: Global Config, Interface Config

dos-control tcpoffset

Use this command to enable Denial of Service protections for TCP Offset. Ingressed packets having TCP Header Offset equal to 1 will be dropped.

dos-control tcpoffset

Mode: Global Config, Interface Config

Default: Disabled

no dos-control tcpoffset

Use this command to disable TCP Offset Denial of Service protection.

no dos-control tcpoffset

Mode: Global Config, Interface Config

dos-control tcpsynfin

Use this command to enable Denial of Service protections for TCP SYN and FYN. Ingressed packed having TCP flags SYN and FIN set will be dropped.

dos-control tcpsynfin

Mode: Global Config, Interface Config

Default: Disabled

no dos-control tcpsynfin

Use this command to disable TCP SYN and FYN Denial of Service protection.

no dos-control tcpsynfin

Mode: Global Config, Interface Config

dos-control tcpfinurgpsh

Use this command to enable Denial of Service protections for TCP FIN URG and PSH and SEQ = 0. Ingressed packets having TCP, FIN, URG, and PSH all set but TCP sequence number 0 will be dropped.

dos-control tcpfinurgpsh

Mode: Global Config, Interface Config

Default: Disabled

no dos-control tcpfinurgpsh

Use this command to disable TCP FIN URG and PSH and SEQ = 0 Denial of Service protection.

no dos-control tcpfinurgpsh

Mode: Global Config, Interface Config

dos-control icmpv4

Use this command to enable Denial of Service protections for Maximum ICMPv4 Packet Size. Ingressed ICMPc4 Echo Request (ping) packets having a size greater than the configured value will be dropped.

dos-control icmpv4 [0-16376]

Mode: Global Config, Interface Config

Default: Disabled / 512

no dos-control icmpv4

Use this command to disable Maximum ICMPv4 Packet Size Denial of Service protection.

no dos-control icmpv4

Mode: Global Config, Interface Config

dos-control icmpfrag

Use this command to enable Denial of Service protections for ICMP Fragmenting. Ingressed packets with fragmented ICMP packets will be dropped.

dos-control icmpfrag

Mode: Global Config, Interface Config

Default: Disabled

no dos-control icmpfrag

Use this command to disable ICMP Fragmentation Denial of Service protection.

no dos-control icmpfrag

Mode: Global Config, Interface Config

show dos-control

Use this command to show configuration information for Denial of Service protections.

show dos-control slot/port

Mode: Privileged Exec

MAC Database Commands

bridge aging-time

Use this command to change the forwarding database aging time in seconds.

bridge aging-time 10-1000000

Mode: Global Config

Default: 300

no bridge aging-time

Use this command to reset the forwarding database aging time to the default.

no bridge aging-time

Mode: Global Config

show mac-address-table multicast

Use this command to show information for the multicast forwarding database.

show mac-address-table multicast

Mode: Privileged Exec

Routing Commands

IP Routing Commands

Note: These commands can only be used for the out-of-band management interface (interface 1/1). Other ports should be managed as part of VXLAN networks. See this article for details on assigning IP addresses in a VXLAN setting using an attached DHCP server.

ip address

Use this command to set an IP address on an interface or a range of interfaces. This can also be used to configure a secondary IP address.

Note that this command only works for the RJ45 management interface and does not impact IP settings for any VXLAN networks.

ip address ipaddr {subnetmask | /masklen} [secondary]

Mode: Interface Config

no ip address

Use this command to delete an ID address from an interface. To remove all IP addresses, use the command without any parameters.

Note that this command only works for the RJ45 management interface and does not impact IP settings for any VXLAN networks.

no ip address ipaddr [{subnetmask | /masklen [secondary]}]

Mode: Interface Config

ip address dhcp

Use this command to enable DHCPv4 client on an interface. Use the client-id parameter to send DHCP client messages with the client identifier option.

Note that this command only works for the RJ45 management interface and does not impact IP settings for any VXLAN networks.

ip address dhcp [client-id]

Mode: Interface Config

Default: Disabled

no ip address dhcp

Use this command to disable DHCPv4 client on an interface. Use the client-id parameter to remove the client-id option and also disable DHCP.

Note that this command only works for the RJ45 management interface and does not impact IP settings for any VXLAN networks.

no ip address dhcp [client-id]

Mode: Interface Config

ip default-gateway

Use this command to manually set a default gateway for the switch. Only one can be configured.

Note that this command only works for the RJ45 management interface and does not impact IP settings for any VXLAN networks.

ip default-gateway ipaddr

Mode: Global Config

no ip default-gateway

Use this command to remove the default gateway address from configuration.

Note that this command only works for the RJ45 management interface and does not impact IP settings for any VXLAN networks.

no ip default-gateway ipaddr

Mode: Global Config

release dhcp

Use this command to release the leased DHCP IP address from an interface.

Note that this command only works for the RJ45 management interface and does not impact IP settings for any VXLAN networks.

release dhcp slot/port

Mode: Privileged Exec

renew dhcp

Use this command to renew the leased DHCP IP address from an interface.

Note that this command only works for the RJ45 management interface and does not impact IP settings for any VXLAN networks.

renew dhcp slot/port

Mode: Privileged Exec

ip mtu

Use this command to set the IP MTU (IP header and payload, excluding any extra bytes for L2 headers).

Note that this command only works for the RJ45 management interface and does not impact IP settings for any VXLAN networks.

ip mtu 68-9198

Mode: Interface Config

Default: 1500 bytes

no ip mtu

Use this command to reset IP MTU to the default.

Note that this command only works for the RJ45 management interface and does not impact IP settings for any VXLAN networks.

no ip mtu

Mode: Interface Config

show ip interface

This command displays all pertinent information about the IP interface The parameter slot/port corresponds to a physical routing interface or VLAN routing interface. The keyword vlan is used to specify the VLAN ID of the routing VLAN directly instead of in slot/port format.

show ip interface {slot/port | vlan 1-4093}

Mode: Privileged Exec

Quality of Service Commands

Class of Service Commands

traffic-shape

Use this command to specify the maximum transmission bandwidth limit for the switch for for each interface. max-bw is the egress bandwidth control rate (kbps); max-burst is the maximum burst (in bytes).

traffic-shape max-bw [max-burst]

Mode: Global Config, Interface Config

Default: max-bw: 0; max-burst: 0

no traffic-shape

Use this command to restore traffic shaping to default.

traffic-shape max-bw [max-burst]

Mode: Global Config, Interface Config

show interfaces cos-queue

Use this command to show cos-queue configuration.

show interfaces cos-queue slot/port

Mode: Privileged Exec

VXLAN Commands

VXLAN L2 Overlay Commands

vxlan

Use this command to create a VXLAN interface for a given VXLAN Network Identifier (VNI). Valid VNI range is 1 - 16,777,215. Using this command will also take you into VXLAN Config mode.

vxlan 1-16777215

Mode: Global Config

no vxlan

This command removes a VXLAN interface. Valid VNI range is 1 - 16,777,215.

vxlan-udp-port

Use this command to set the port number for VXLAN encapsulation.

vxlan-udp-port portnum

Mode: Global Config

Default: 4782

no vxlan-udp-port

Use this command to set the port number for VXLAN encapsulation to default.

no vxlan-udp-port

Mode: Global Config

Use this command to set the source IP address for this VTEP. ipv4_addr is a valid IPv4 address and subnet mask in /XX format.

ip ipv4_addr

Mode: VXLAN Config

no ip

Use this command to remove the source IP address for this VTEP.

no ip

Mode: VXLAN Config

remote-ip

Use this command to add a peer VTEP on which other nodes may be found in the current VNI, accessed using the L3 underlay. The address parameter is a valid IP address, containing four decimal bytes ranging from 0 to 255. The IP address 0.0.0.0 is invalid.

remote-ip address

Mode: VXLAN Config

no remote-ip

Use this command to remove a peer VTEP on which other nodes may be found in the current VNI.

no remote-ip

Mode: VXLAN Config

source-interface

Use this command to set a source interface on which VXLAN encapsulates packets for the given VNI. The slot/port parameter is a valid interface in slot/port format.

source-interface slot/port

Mode: VXLAN Config

no source-interface

Use this command to remove the source interface from the VXLAN tunnel configuration for the given VNI.

no source-interface

Mode: VXLAN Config

mac

Use this command to set a specific source MAC address for the given VNI. The macaddr parameter is a valid MAC address.

mac macaddr

Mode: VXLAN Config

no mac

Use this command to reset the mac address on the given VNI to the default.

no mac

Mode: VXLAN Config

neighbor

Use this command to set a neighbor (e.g., a Spine switch in a traditional Leaf / Spine configuration) to pass traffic to immediately for routing for the given VNI. The macaddr parameter is a valid MAC address.

neighbor macaddr

Mode: VXLAN Config

no neighbor

Use this command to remove a neighbor for the given VNI. The macaddr parameter is a valid MAC address.

no neighbor macaddr

Mode: VXLAN Config

vlan

Use this command to bind the given VNI to a VLAN. The vid parameter is a valid VLAN.

vlan vid

Mode: VXLAN Config

no vlan

Use this command to unbind the given VNI from a given VLAN. The vid parameter is a valid VLAN.

no vlan vid

Mode: VXLAN Config

show vxlan

Use this command to show information about all VXLANs.

show vxlan

Mode: VXLAN Config