Enterasys SecureStack C3 Stackable Switches
Configuration Guide
Firmware Version 6.03.xx.xxxx
P/N 9034313-07
Notice
Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.
The hardware, firmware, or software described in this document is subject to change without notice.
IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.
Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810
© 2009 Enterasys Networks, Inc. All rights reserved.
Part Number: 9034313-07 June 2009
ENTERASYS, ENTERASYS NETWORKS, ENTERASYS SECURE NETWORKS, SECURESTACK, ENTERASYS SECURESTACK, ENTERASYS NETSIGHT, WEBVIEW, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc. in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.
All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.
Documentation URL: http://www.enterasys.com/support/manuals
Version: Information in this guide refers to SecureStack C3 firmware version 6.03.xx.xxxx
or higher.
Enterasys Networks, Inc. Firmware License Agreement
BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT,
CAREFULLY READ THIS LICENSE AGREEMENT.
This document is an agreement ("Agreement") between the end user ("You") and Enterasys Networks, Inc., on behalf of itself and its Affiliates (as hereinafter defined) ("Enterasys") that sets forth Your rights and obligations with respect to the Enterasys software program/firmware (including any accompanying documentation, hardware or media) ("Program") in the package and prevails over any additional, conflicting or inconsistent terms and conditions appearing on any purchase order or other document submitted by You. "Affiliate" means any person, partnership, corporation, limited liability company, other form of enterprise that directly or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with the party specified. This Agreement constitutes the entire understanding between the parties, with respect to the subject matter of this Agreement. The Program may be contained in firmware, chips or other media.
BY INSTALLING OR OTHERWISE USING THE PROGRAM, YOU REPRESENT THAT YOU ARE AUTHORIZED TO ACCEPT THESE TERMS ON BEHALF OF THE END USER (IF THE END USER IS AN ENTITY ON WHOSE BEHALF YOU ARE AUTHORIZED TO ACT, "YOU" AND "YOUR" SHALL BE DEEMED TO REFER TO SUCH ENTITY) AND THAT YOU AGREE THAT YOU ARE BOUND BY THE TERMS OF THIS AGREEMENT, WHICH INCLUDES, AMONG OTHER PROVISIONS, THE LICENSE, THE DISCLAIMER OF WARRANTY AND THE LIMITATION OF LIABILITY. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT OR ARE NOT AUTHORIZED TO ENTER INTO THIS AGREEMENT, ENTERASYS IS UNWILLING TO LICENSE THE PROGRAM TO YOU AND YOU AGREE TO RETURN THE UNOPENED PRODUCT TO ENTERASYS OR YOUR DEALER, IF ANY, WITHIN TEN (10) DAYS FOLLOWING THE DATE OF RECEIPT FOR A FULL REFUND.
IF YOU HAVE ANY QUESTIONS ABOUT THIS AGREEMENT, CONTACT ENTERASYS NETWORKS, LEGAL DEPARTMENT AT (978) 684-1000.
You and Enterasys agree as follows:
1. LICENSE. You have the non-exclusive and non-transferable right to use only the one (1) copy of the Program provided in this package subject to the terms and conditions of this Agreement.
2. RESTRICTIONS. Except as otherwise authorized in writing by Enterasys, You may not, nor may You permit any third party to:
(a) Reverse engineer, decompile, disassemble or modify the Program, in whole or in part, including for reasons of error correction or interoperability, except to the extent expressly permitted by applicable law and to the extent the parties shall not be permitted by that applicable law, such rights are expressly excluded. Information necessary to achieve interoperability or correct errors is available from Enterasys upon request and upon payment of Enterasys' applicable fee.
(b) Incorporate the Program in whole or in part, in any other product or create derivative works based on the Program, in whole or in part.
(c) Publish, disclose, copy, reproduce or transmit the Program, in whole or in part.
(d) Assign, sell, license, sublicense, rent, lease, encumber by way of security interest, pledge or otherwise transfer the Program, in whole or in part.
(e) Remove any copyright, trademark, proprietary rights, disclaimer or warning notice included on or embedded in any part of the Program.
3. APPLICABLE LAW. This Agreement shall be interpreted and governed under the laws and in the state and federal courts of the Commonwealth of Massachusetts without regard to its conflicts of laws provisions. You accept the personal jurisdiction and venue of the Commonwealth of Massachusetts courts. None of the 1980 United Nations Convention on the Limitation Period in the International Sale of Goods, and the Uniform Computer Information Transactions Act shall apply to this Agreement.
4. EXPORT RESTRICTIONS. You understand that Enterasys and its Affiliates are subject to regulation by agencies of the U.S. Government, including the U.S. Department of Commerce, which prohibit export or diversion of certain technical products to certain countries, unless a license to export the product is obtained from the U.S. Government or an exception from obtaining such license may be relied upon by the exporting party.
If the Program is exported from the United States pursuant to the License Exception CIV under the U.S. Export Administration Regulations, You agree that You are a civil end user of the Program and agree that You will use the Program for civil end uses only and not for military purposes.
If the Program is exported from the United States pursuant to the License Exception TSR under the U.S. Export Administration Regulations, in addition to the restriction on transfer set forth in Section 1 or 2 of this Agreement, You agree not to (i) reexport or release the Program, the source code for the Program or technology to a national of a country in Country Groups D:1 or E:2 (Albania, Armenia, Azerbaijan, Belarus, Cambodia, Cuba, Georgia, Iraq, Kazakhstan, Laos, Libya, Macau, Moldova, Mongolia, North Korea, the People's Republic of China, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, Vietnam, or such other countries as may be designated by the United States Government), (ii) export to Country Groups D:1 or E:2 (as defined herein) the direct product of the Program or the technology, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List, or (iii) if the direct product of the technology is a complete plant or any major component of a plant, export to Country Groups D:1 or E:2 the direct product of the plant or a major component thereof, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List or is subject to State Department controls under the U.S. Munitions List.
5. UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The enclosed Program (i) was developed solely at private expense; (ii) contains "restricted computer software" submitted with restricted rights in accordance with section 52.227-19(a) through (d) of the Commercial Computer Software-Restricted Rights Clause and its successors, and (iii) in all respects is proprietary data belonging to Enterasys and/or its suppliers. For Department of Defense units, the Program is considered commercial computer software in accordance with DFARS section 227.7202-3 and its successors, and use, duplication, or disclosure by the U.S. Government is subject to restrictions set forth herein.
6. DISCLAIMER OF WARRANTY. EXCEPT FOR THOSE WARRANTIES EXPRESSLY PROVIDED TO YOU IN WRITING BY ENTERASYS, ENTERASYS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT WITH RESPECT TO THE PROGRAM. IF IMPLIED WARRANTIES MAY NOT BE DISCLAIMED BY APPLICABLE LAW, THEN ANY IMPLIED WARRANTIES ARE LIMITED IN DURATION TO THIRTY (30) DAYS AFTER DELIVERY OF THE PROGRAM TO YOU.
7. LIMITATION OF LIABILITY. IN NO EVENT SHALL ENTERASYS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS, PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR RELIANCE DAMAGES, OR OTHER LOSS) ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM, EVEN IF ENTERASYS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS FOREGOING LIMITATION SHALL APPLY REGARDLESS OF THE CAUSE OF ACTION UNDER WHICH DAMAGES ARE SOUGHT.
THE CUMULATIVE LIABILITY OF ENTERASYS TO YOU FOR ALL CLAIMS RELATING TO THE PROGRAM, IN CONTRACT, TORT OR OTHERWISE, SHALL NOT EXCEED THE TOTAL AMOUNT OF FEES PAID TO ENTERASYS BY YOU FOR THE RIGHTS GRANTED HEREIN.
8. AUDIT RIGHTS. You hereby acknowledge that the intellectual property rights associated with the Program are of critical value to Enterasys, and, accordingly, You hereby agree to maintain complete books, records and accounts showing (i) license fees due and paid, and (ii) the use, copying and deployment of the Program. You also grant to Enterasys and its authorized representatives, upon reasonable notice, the right to audit and examine during Your normal business hours, Your books, records, accounts and hardware devices upon which the Program may be deployed to verify compliance with this Agreement, including the verification of the license fees due and paid Enterasys and the use, copying and deployment of the Program. Enterasys' right of examination shall be exercised reasonably, in good faith and in a manner calculated to not unreasonably interfere with Your business. In the event such audit discovers non-compliance with this Agreement, including copies of the Program made, used or deployed in breach of this Agreement, You shall promptly pay to Enterasys the appropriate license fees. Enterasys reserves the right, to be exercised in its sole discretion and without prior notice, to terminate this license, effective immediately, for failure to comply with this Agreement. Upon any such termination, You shall immediately cease all use of the Program and shall return to Enterasys the Program and all copies of the Program.
9. OWNERSHIP. This is a license agreement and not an agreement for sale. You acknowledge and agree that the Program constitutes trade secrets and/or copyrighted material of Enterasys and/or its suppliers. You agree to implement reasonable security measures to protect such trade secrets and copyrighted material. All right, title and interest in and to the Program shall remain with Enterasys and/or its suppliers. All rights not specifically granted to You shall be reserved to Enterasys.
10. ENFORCEMENT. You acknowledge and agree that any breach of Sections 2, 4, or 9 of this Agreement by You may cause Enterasys irreparable damage for which recovery of money damages would be inadequate, and that Enterasys may be entitled to seek timely injunctive relief to protect Enterasys' rights under this Agreement in addition to any and all remedies available at law.
11. ASSIGNMENT. You may not assign, transfer or sublicense this Agreement or any of Your rights or obligations under this Agreement, except that You may assign this Agreement to any person or entity which acquires substantially all of Your stock assets. Enterasys may assign this Agreement in its sole discretion. This Agreement shall be binding upon and inure to the benefit of the parties, their legal representatives, permitted transferees, successors and assigns as permitted by this Agreement. Any attempted assignment, transfer or sublicense in violation of the terms of this Agreement shall be void and a breach of this Agreement.
12. WAIVER. A waiver by Enterasys of a breach of any of the terms and conditions of this Agreement must be in writing and will not be construed as a waiver of any subsequent breach of such term or condition. Enterasys' failure to enforce a term upon Your breach of such term shall not be construed as a waiver of Your breach or prevent enforcement on any other occasion.
13. SEVERABILITY. In the event any provision of this Agreement is found to be invalid, illegal or unenforceable, the validity, legality and enforceability of any of the remaining provisions shall not in any way be affected or impaired thereby, and that provision shall be reformed, construed and enforced to the maximum extent permissible. Any such invalidity, illegality, or unenforceability in any jurisdiction shall not invalidate or render illegal or unenforceable such provision in any other jurisdiction.
14. TERMINATION. Enterasys may terminate this Agreement immediately upon Your breach of any of the terms and conditions of this Agreement. Upon any such termination, You shall immediately cease all use of the Program and shall return to Enterasys the Program and all copies of the Program.
Contents
About This Guide
  Using This Guide
  Structure of This Guide
  Related Documents
  Conventions Used in This Guide
  Getting Help
Chapter 1: Introduction
  SecureStack C3 CLI Overview
  Switch Management Methods
  Factory Default Settings
  Using the Command Line Interface
    Starting a CLI Session
    Logging In
    Navigating the Command Line Interface
Chapter 2: Configuring Switches in a Stack
  About SecureStack C3 Switch Operation in a Stack
  Installing a New Stackable System of Up to Eight Units
  Installing Previously-Configured Systems in a Stack
  Adding a New Unit to an Existing Stack
  Creating a Virtual Switch Configuration
  Considerations About Using Clear Config in a Stack
  Issues Related to Mixed Type Stacks
    Feature Support
    Configuration
  Stacking Configuration and Management Commands
    Purpose
    Commands
      show switch
      show switch switchtype
      show switch stack-ports
      set switch
      set switch copy-fw
      set switch description
      set switch movemanagement
      set switch member
      clear switch member
Chapter 3: Basic Configuration
  Quick Start Setup Commands
  Setting User Accounts and Passwords
    Purpose
    Commands
      show system login
      set system login
      clear system login
      set password
      set system password length
      set system password aging
      set system password history
      show system lockout
      set system lockout
  Setting Basic Switch Properties
    Purpose
    Commands
      show ip address
      set ip address
      clear ip address
      show ip protocol
      set ip protocol
      show system
      show system hardware
      show system utilization
      set system utilization
      clear system utilization
      show system enhancedbuffermode
      set system enhancedbuffermode
      set system temperature
      clear system temperature
      show time
      set time
      show summertime
      set summertime
      set summertime date
      set summertime recurring
      clear summertime
      set prompt
      show banner motd
      set banner motd
      clear banner motd
      show version
      set system name
      set system location
      set system contact
      set width
      set length
      show logout
      set logout
      show console
      set console baud
  Downloading a Firmware Image
    Downloading from a TFTP Server
    Downloading via the Serial Port
    Reverting to a Previous Image
  Reviewing and Selecting a Boot Firmware Image
    Purpose
    Commands
      show boot system
      set boot system
  Starting and Configuring Telnet
    Purpose
    Commands
      show telnet
      set telnet
      telnet
  Managing Switch Configuration and Files
    Configuration Persistence Mode
    Purpose
    Commands
      show snmp persistmode
      set snmp persistmode
      save config
      dir
      show file
      show config
      configure
      copy
      delete
      show tftp settings
      set tftp timeout
      clear tftp timeout
      set tftp retry
      clear tftp retry
  Clearing and Closing the CLI
    Purpose
    Commands
      cls (clear screen)
      exit
  Resetting the Switch
    Purpose
    Commands
      reset
      clear config
  Using and Configuring WebView
    Purpose
    Commands
      show webview
      set webview
      show ssl
      set ssl
  Gathering Technical Support Information
    Purpose
    Command
      show support
  Configuring Hostprotect
    Purpose
    Commands
      show system hostprotect
      set system hostprotect
      clear system hostprotect
Chapter 4: Activating Licensed Features
License Key Field Descriptions ...................................................................................................................... 4-1
Licensing Procedure in a Stack Environment ................................................................................................. 4-1
Adding a New Member to a Licensed Stack ............................................................................................ 4-2
Clearing, Showing, and Applying Licenses .................................................................................................... 4-2
Commands ............................................................................................................................................... 4-2
set license...........................................................................................................................................4-3
show license.......................................................................................................................................4-4
clear license........................................................................................................................................4-4
Chapter 5: Configuring System Power and PoE
Commands ..................................................................................................................................................... 5-1
show inlinepower................................................................................................................................5-1
set inlinepower threshold....................................................................................................................5-2
set inlinepower trap............................................................................................................................5-3
set inlinepower detectionmode...........................................................................................................5-3
show port inlinepower.........................................................................................................................5-4
set port inlinepower ............................................................................................................................5-5
Chapter 6: Discovery Protocol Configuration
Configuring CDP ............................................................................................................................................. 6-1
Purpose .................................................................................................................................................... 6-1
Commands ............................................................................................................................................... 6-1
show cdp............................................................................................................................................6-2
set cdp state.......................................................................................................................................6-3
set cdp auth........................................................................................................................................6-4
set cdp interval ...................................................................................................................................6-4
set cdp hold-time................................................................................................................................6-5
clear cdp.............................................................................................................................................6-5
show neighbors ..................................................................................................................................6-6
Configuring Cisco Discovery Protocol ............................................................................................................ 6-7
Purpose .................................................................................................................................................... 6-7
Commands ............................................................................................................................................... 6-7
show ciscodp......................................................................................................................................6-7
show ciscodp port info........................................................................................................................6-8
set ciscodp status...............................................................................................................................6-9
set ciscodp timer.................................................................................................................................6-9
set ciscodp holdtime.........................................................................................................................6-10
set ciscodp port ................................................................................................................................6-10
clear ciscodp.....................................................................................................................................6-12
Configuring Link Layer Discovery Protocol and LLDP-MED ........................................................................ 6-13
Overview ................................................................................................................................................ 6-13
Purpose .................................................................................................................................................. 6-13
Commands ............................................................................................................................................. 6-14
Configuration Tasks ............................................................................................................................... 6-14
show lldp...........................................................................................................................................6-15
show lldp port status.........................................................................................................................6-16
show lldp port trap............................................................................................................................6-16
show lldp port tx-tlv...........................................................................................................................6-17
show lldp port location-info...............................................................................................................6-17
show lldp port local-info....................................................................................................................6-18
show lldp port remote-info................................................................................................................6-21
show lldp port network-policy...........................................................................................................6-22
set lldp tx-interval..............................................................................................................................6-23
set lldp hold-multiplier.......................................................................................................................6-24
set lldp trap-interval ..........................................................................................................................6-24
set lldp med-fast-repeat....................................................................................................................6-25
set lldp port status ............................................................................................................................6-26
set lldp port trap................................................................................................................................6-26
set lldp port med-trap........................................................................................................................6-27
set lldp port location-info...................................................................................................................6-27
set lldp port tx-tlv..............................................................................................................................6-28
set lldp port network-policy...............................................................................................................6-30
clear lldp...........................................................................................................................................6-31
clear lldp port status .........................................................................................................................6-32
clear lldp port trap.............................................................................................................................6-32
clear lldp port med-trap.....................................................................................................................6-33
clear lldp port location-info................................................................................................................6-33
clear lldp port network-policy............................................................................................................6-34
clear lldp port tx-tlv...........................................................................................................................6-35
Chapter 7: Port Configuration
Port Configuration Summary .......................................................................................................................... 7-1
Port String Syntax Used in the CLI .......................................................................................................... 7-1
Reviewing Port Status .................................................................................................................................... 7-2
Purpose .................................................................................................................................................... 7-2
Commands ............................................................................................................................................... 7-2
show port............................................................................................................................................7-3
show port status .................................................................................................................................7-3
show port counters .............................................................................................................................7-4
clear port counters..............................................................................................................................7-6
show port cablestatus.........................................................................................................................7-6
Disabling / Enabling and Naming Ports .......................................................................................................... 7-7
Purpose .................................................................................................................................................... 7-7
Commands ............................................................................................................................................... 7-7
set port disable...................................................................................................................................7-8
set port enable....................................................................................................................................7-8
show port alias....................................................................................................................................7-9
set port alias .......................................................................................................................................7-9
Setting Speed and Duplex Mode .................................................................................................................. 7-11
Purpose .................................................................................................................................................. 7-11
Commands ............................................................................................................................................. 7-11
show port speed...............................................................................................................................7-11
set port speed...................................................................................................................................7-12
show port duplex..............................................................................................................................7-12
set port duplex..................................................................................................................................7-13
Enabling / Disabling Jumbo Frame Support ................................................................................................. 7-14
Purpose .................................................................................................................................................. 7-14
Commands ............................................................................................................................................. 7-14
show port jumbo...............................................................................................................................7-14
set port jumbo...................................................................................................................................7-15
clear port jumbo................................................................................................................................7-15
Setting Auto-Negotiation and Advertised Ability ........................................................................................... 7-16
Purpose .................................................................................................................................................. 7-16
Commands ............................................................................................................................................. 7-16
show port negotiation.......................................................................................................................7-16
set port negotiation...........................................................................................................................7-17
show port advertise ..........................................................................................................................7-17
set port advertise..............................................................................................................................7-18
clear port advertise...........................................................................................................................7-19
show port mdix.................................................................................................................................7-20
set port mdix.....................................................................................................................................7-20
Setting Flow Control ..................................................................................................................................... 7-22
Purpose .................................................................................................................................................. 7-22
Commands ............................................................................................................................................. 7-22
show flowcontrol ...............................................................................................................................7-22
set flowcontrol...................................................................................................................................7-22
Setting Port Link Traps and Link Flap Detection .......................................................................................... 7-24
Purpose .................................................................................................................................................. 7-24
Commands ............................................................................................................................................. 7-24
show port trap...................................................................................................................................7-24
set port trap......................................................................................................................................7-25
show linkflap.....................................................................................................................................7-25
set linkflap globalstate......................................................................................................................7-28
set linkflap portstate..........................................................................................................................7-28
set linkflap interval ............................................................................................................................7-29
set linkflap action..............................................................................................................................7-29
clear linkflap action...........................................................................................................................7-30
set linkflap threshold.........................................................................................................................7-30
set linkflap downtime........................................................................................................................7-31
clear linkflap down............................................................................................................................7-31
clear linkflap......................................................................................................................................7-32
Configuring Broadcast Suppression ............................................................................................................. 7-33
Purpose .................................................................................................................................................. 7-33
Commands ............................................................................................................................................. 7-33
show port broadcast.........................................................................................................................7-33
set port broadcast.............................................................................................................................7-34
clear port broadcast..........................................................................................................................7-34
Port Mirroring ................................................................................................................................................ 7-36
Mirroring Features .................................................................................................................................. 7-36
Remote Port Mirroring ............................................................................................................................ 7-36
Configuring SMON MIB Port Mirroring ................................................................................................... 7-37
Purpose .................................................................................................................................................. 7-38
Commands ............................................................................................................................................. 7-38
show port mirroring...........................................................................................................................7-38
set port mirroring..............................................................................................................................7-39
clear port mirroring...........................................................................................................................7-40
set mirror vlan...................................................................................................................................7-40
clear mirror vlan................................................................................................................................7-41
Link Aggregation Control Protocol (LACP) ................................................................................................... 7-42
LACP Operation ..................................................................................................................................... 7-42
LACP Terminology ................................................................................................................................. 7-43
SecureStack C3 Usage Considerations ................................................................................................. 7-43
Commands ............................................................................................................................................. 7-44
show lacp..........................................................................................................................................7-45
set lacp.............................................................................................................................................7-46
set lacp asyspri.................................................................................................................................7-47
set lacp aadminkey...........................................................................................................................7-47
clear lacp..........................................................................................................................................7-48
set lacp static....................................................................................................................................7-48
clear lacp static.................................................................................................................................7-49
set lacp singleportlag........................................................................................................................7-50
clear lacp singleportlag.....................................................................................................................7-50
show port lacp..................................................................................................................................7-51
set port lacp......................................................................................................................................7-52
clear port lacp...................................................................................................................................7-54
Configuring Protected Ports ......................................................................................................................... 7-56
Protected Port Operation ....................................................................................................................... 7-56
Commands ............................................................................................................................................. 7-56
set port protected..............................................................................................................................7-56
show port protected..........................................................................................................................7-57
clear port protected...........................................................................................................................7-57
set port protected name....................................................................................................................7-58
show port protected name................................................................................................................7-58
clear port protected name.................................................................................................................7-59
Chapter 8: SNMP Configuration
SNMP Configuration Summary ...................................................................................................................... 8-1
SNMPv1 and SNMPv2c ........................................................................................................................... 8-2
SNMPv3 ................................................................................................................................................... 8-2
About SNMP Security Models and Levels ............................................................................................... 8-2
Using SNMP Contexts to Access Specific MIBs ...................................................................................... 8-3
Configuration Considerations ................................................................................................................... 8-3
Reviewing SNMP Statistics ............................................................................................................................ 8-3
Purpose .................................................................................................................................................... 8-3
Commands ............................................................................................................................................... 8-4
show snmp engineid...........................................................................................................................8-4
show snmp counters...........................................................................................................................8-5
Configuring SNMP Users, Groups, and Communities .................................................................................... 8-8
Purpose .................................................................................................................................................... 8-8
Commands ............................................................................................................................................... 8-8
show snmp user .................................................................................................................................8-8
set snmp user.....................................................................................................................................8-9
clear snmp user................................................................................................................................8-11
show snmp group.............................................................................................................................8-11
set snmp group.................................................................................................................................8-12
clear snmp group..............................................................................................................................8-13
show snmp community.....................................................................................................................8-13
set snmp community.........................................................................................................................8-14
clear snmp community......................................................................................................................8-15
Configuring SNMP Access Rights ................................................................................................................ 8-15
Purpose .................................................................................................................................................. 8-15
Commands ............................................................................................................................................. 8-16
show snmp access ...........................................................................................................................8-16
set snmp access...............................................................................................................................8-18
clear snmp access............................................................................................................................8-19
Configuring SNMP MIB Views ...................................................................................................................... 8-19
Purpose .................................................................................................................................................. 8-19
Commands ............................................................................................................................................. 8-19
show snmp view...............................................................................................................................8-20
show snmp context...........................................................................................................................8-21
set snmp view...................................................................................................................................8-21
clear snmp view................................................................................................................................8-22
Configuring SNMP Target Parameters ......................................................................................................... 8-23
Purpose .................................................................................................................................................. 8-23
Commands ............................................................................................................................................. 8-23
show snmp targetparams .................................................................................................................8-23
set snmp targetparams.....................................................................................................................8-24
clear snmp targetparams..................................................................................................................8-25
Configuring SNMP Target Addresses .......................................................................................................... 8-26
Purpose .................................................................................................................................................. 8-26
Commands ............................................................................................................................................. 8-26
show snmp targetaddr......................................................................................................................8-26
set snmp targetaddr..........................................................................................................................8-27
clear snmp targetaddr.......................................................................................................................8-28
Configuring SNMP Notification Parameters ................................................................................................. 8-29
About SNMP Notify Filters ..................................................................................................................... 8-29
Purpose .................................................................................................................................................. 8-29
Commands ............................................................................................................................................. 8-29
show newaddrtrap............................................................................................................................8-30
set newaddrtrap................................................................................................................................8-30
show snmp notify..............................................................................................................................8-31
set snmp notify.................................................................................................................................8-32
clear snmp notify..............................................................................................................................8-33
show snmp notifyfilter.......................................................................................................................8-33
set snmp notifyfilter...........................................................................................................................8-34
clear snmp notifyfilter........................................................................................................................8-35
show snmp notifyprofile....................................................................................................................8-36
set snmp notifyprofile........................................................................................................................8-36
clear snmp notifyprofile.....................................................................................................................8-37
Creating a Basic SNMP Trap Configuration ................................................................................................. 8-37
Example ................................................................................................................................................. 8-38
Configuring the SNMP Management Interface ............................................................................................. 8-39
Purpose .................................................................................................................................................. 8-39
Commands ............................................................................................................................................. 8-39
show snmp interface.........................................................................................................................8-39
set snmp interface............................................................................................................................8-40
clear snmp interface.........................................................................................................................8-41
Chapter 9: Spanning Tree Configuration
Spanning Tree Configuration Summary ......................................................................................................... 9-1
Overview: Single, Rapid, and Multiple Spanning Tree Protocols ............................................................. 9-1
Spanning Tree Features .......................................................................................................................... 9-2
Loop Protect ............................................................................................................................................. 9-2
Configuring Spanning Tree Bridge Parameters .............................................................................................. 9-3
Purpose .................................................................................................................................................... 9-3
Commands ............................................................................................................................................... 9-4
show spantree stats............................................................................................................................9-5
set spantree........................................................................................................................................9-7
show spantree version........................................................................................................................9-7
set spantree version...........................................................................................................................9-8
clear spantree version........................................................................................................................9-9
show spantree bpdu-forwarding.........................................................................................................9-9
set spantree bpdu-forwarding...........................................................................................................9-10
show spantree bridgeprioritymode ...................................................................................................9-10
set spantree bridgeprioritymode.......................................................................................................9-11
clear spantree bridgeprioritymode....................................................................................................9-11
show spantree mstilist......................................................................................................................9-12
set spantree msti ..............................................................................................................................9-12
clear spantree msti ...........................................................................................................................9-13
show spantree mstmap ....................................................................................................................9-13
set spantree mstmap........................................................................................................................9-14
clear spantree mstmap.....................................................................................................................9-14
show spantree vlanlist......................................................................................................................9-15
show spantree mstcfgid....................................................................................................................9-15
set spantree mstcfgid.......................................................................................................................9-16
clear spantree mstcfgid....................................................................................................................9-16
set spantree priority..........................................................................................................................9-17
clear spantree priority.......................................................................................................................9-17
set spantree hello.............................................................................................................................9-18
clear spantree hello..........................................................................................................................9-18
set spantree maxage........................................................................................................................9-19
clear spantree maxage.....................................................................................................................9-20
set spantree fwddelay.......................................................................................................................9-20
clear spantree fwddelay....................................................................................................................9-21
show spantree backuproot ...............................................................................................................9-21
set spantree backuproot...................................................................................................................9-22
clear spantree backuproot................................................................................................................9-22
show spantree tctrapsuppress..........................................................................................................9-23
set spantree tctrapsuppress .............................................................................................................9-23
clear spantree tctrapsuppress ..........................................................................................................9-24
set spantree protomigration..............................................................................................................9-24
show spantree spanguard................................................................................................................9-25
set spantree spanguard....................................................................................................................9-25
clear spantree spanguard.................................................................................................................9-26
show spantree spanguardtimeout ....................................................................................................9-27
set spantree spanguardtimeout........................................................................................................9-27
clear spantree spanguardtimeout.....................................................................................................9-28
show spantree spanguardlock..........................................................................................................9-28
clear / set spantree spanguardlock...................................................................................................9-29
show spantree spanguardtrapenable...............................................................................................9-29
set spantree spanguardtrapenable...................................................................................................9-30
clear spantree spanguardtrapenable................................................................................................9-30
show spantree legacypathcost.........................................................................................................9-31
set spantree legacypathcost.............................................................................................................9-31
clear spantree legacypathcost..........................................................................................................9-32
show spantree autoedge..................................................................................................................9-32
set spantree autoedge......................................................................................................................9-32
clear spantree autoedge...................................................................................................................9-33
Configuring Spanning Tree Port Parameters ............................................................................................... 9-34
Purpose .................................................................................................................................................. 9-34
Commands ............................................................................................................................................. 9-34
set spantree portadmin.....................................................................................................................9-34
clear spantree portadmin..................................................................................................................9-35
show spantree portadmin.................................................................................................................9-35
show spantree portpri .......................................................................................................................9-36
set spantree portpri...........................................................................................................................9-36
clear spantree portpri........................................................................................................................9-37
show spantree adminpathcost..........................................................................................................9-38
set spantree adminpathcost .............................................................................................................9-38
clear spantree adminpathcost ..........................................................................................................9-39
show spantree adminedge ...............................................................................................................9-39
set spantree adminedge...................................................................................................................9-40
clear spantree adminedge................................................................................................................9-40
show spantree operedge..................................................................................................................9-41
Configuring Spanning Tree Loop Protect Parameters .................................................................................. 9-42
Purpose .................................................................................................................................................. 9-42
Commands ............................................................................................................................................. 9-42
set spantree lp..................................................................................................................................9-43
show spantree lp..............................................................................................................................9-43
clear spantree lp...............................................................................................................................9-44
show spantree lplock........................................................................................................................9-44
clear spantree lplock.........................................................................................................................9-45
set spantree lpcapablepartner..........................................................................................................9-46
show spantree lpcapablepartner ......................................................................................................9-46
clear spantree lpcapablepartner.......................................................................................................9-47
set spantree lpthreshold...................................................................................................................9-47
show spantree lpthreshold................................................................................................................9-48
clear spantree lpthreshold................................................................................................................9-48
set spantree lpwindow......................................................................................................................9-49
show spantree lpwindow..................................................................................................................9-49
clear spantree lpwindow...................................................................................................................9-50
set spantree lptrapenable.................................................................................................................9-50
show spantree lptrapenable .............................................................................................................9-51
clear spantree lptrapenable..............................................................................................................9-51
set spantree disputedbpduthreshold................................................................................................9-52
show spantree disputedbpduthreshold.............................................................................................9-53
clear spantree disputedbpduthreshold.............................................................................................9-53
show spantree nonforwardingreason ...............................................................................................9-54
Chapter 10: 802.1Q VLAN Configuration
VLAN Configuration Summary ..................................................................................................................... 10-1
Port String Syntax Used in the CLI ........................................................................................................ 10-1
Creating a Secure Management VLAN .................................................................................................. 10-2
Viewing VLANs ............................................................................................................................................. 10-3
Purpose .................................................................................................................................................. 10-3
Command ............................................................................................................................................... 10-3
show vlan..........................................................................................................................................10-3
Creating and Naming Static VLANs ............................................................................................................. 10-5
Purpose .................................................................................................................................................. 10-5
Commands ............................................................................................................................................. 10-5
set vlan.............................................................................................................................................10-5
set vlan name...................................................................................................................................10-6
clear vlan..........................................................................................................................................10-6
clear vlan name................................................................................................................................10-7
Assigning Port VLAN IDs (PVIDs) and Ingress Filtering .............................................................................. 10-8
Purpose .................................................................................................................................................. 10-8
Commands ............................................................................................................................................. 10-8
show port vlan..................................................................................................................................10-8
set port vlan......................................................................................................................................10-9
clear port vlan...................................................................................................................................10-9
show port ingress filter....................................................................................................................10-10
set port ingress filter .......................................................................................................................10-11
show port discard...........................................................................................................................10-11
set port discard...............................................................................................................................10-12
Configuring the VLAN Egress List .............................................................................................................. 10-13
Purpose ................................................................................................................................................ 10-13
Commands ........................................................................................................................................... 10-13
show port egress ............................................................................................................................10-13
set vlan forbidden...........................................................................................................................10-14
set vlan egress ...............................................................................................................................10-15
clear vlan egress ............................................................................................................................10-15
show vlan dynamicegress ..............................................................................................................10-16
set vlan dynamicegress..................................................................................................................10-17
Setting the Host VLAN ................................................................................................................................ 10-18
Purpose ................................................................................................................................................ 10-18
Commands ........................................................................................................................................... 10-18
show host vlan................................................................................................................................10-18
set host vlan...................................................................................................................................10-18
clear host vlan................................................................................................................................10-19
Enabling/Disabling GVRP (GARP VLAN Registration Protocol) ................................................................ 10-20
About GARP VLAN Registration Protocol (GVRP) .............................................................................. 10-20
Purpose ................................................................................................................................................ 10-21
Commands ........................................................................................................................................... 10-21
show gvrp.......................................................................................................................................10-22
show garp timer..............................................................................................................................10-22
set gvrp...........................................................................................................................................10-23
clear gvrp........................................................................................................................................10-24
set garp timer..................................................................................................................................10-24
clear garp timer...............................................................................................................................10-25
Chapter 11: Policy Classification Configuration
Policy Classification Configuration Summary ............................................................................................... 11-1
Configuring Policy Profiles ............................................................................................................................ 11-2
Purpose .................................................................................................................................................. 11-2
Commands ............................................................................................................................................. 11-2
show policy profile............................................................................................................................11-2
set policy profile................................................................................................................................11-4
clear policy profile.............................................................................................................................11-5
Configuring Classification Rules ................................................................................................................... 11-6
Purpose .................................................................................................................................................. 11-6
Commands ............................................................................................................................................. 11-6
show policy rule................................................................................................................................11-6
show policy capability.......................................................................................................................11-8
set policy rule..................................................................................................................................11-10
clear policy rule...............................................................................................................................11-13
clear policy all-rules........................................................................................................................11-14
Assigning Ports to Policy Profiles ............................................................................................................... 11-15
Purpose ................................................................................................................................................ 11-15
Commands ........................................................................................................................................... 11-15
set policy port .................................................................................................................................11-15
clear policy port ..............................................................................................................................11-16
Configuring Policy Class of Service (CoS) ................................................................................................. 11-17
About Policy-Based CoS Configurations .............................................................................................. 11-17
About CoS-Based Flood Control .......................................................................................................... 11-19
Commands ........................................................................................................................................... 11-20
set cos state ...................................................................................................................................11-20
show cos state................................................................................................................................11-21
clear cos state ................................................................................................................................11-21
set cos settings...............................................................................................................................11-22
clear cos settings............................................................................................................................11-23
show cos settings ...........................................................................................................................11-23
set cos port-config..........................................................................................................................11-24
show cos port-config.......................................................................................................................11-25
clear cos port-config.......................................................................................................................11-26
set cos port-resource irl ..................................................................................................................11-27
set cos port-resource flood-ctrl .......................................................................................................11-28
show cos port-resource..................................................................................................................11-29
clear cos port-resource irl ...............................................................................................................11-30
clear cos port-resource flood-ctrl ....................................................................................................11-31
set cos reference............................................................................................................................11-31
show cos reference ........................................................................................................................11-32
clear cos reference.........................................................................................................................11-33
show cos unit..................................................................................................................................11-34
clear cos all-entries.........................................................................................................................11-35
show cos port-type .........................................................................................................................11-35
Chapter 12: Port Priority Configuration
Port Priority Configuration Summary ............................................................................................................ 12-1
Configuring Port Priority ............................................................................................................................... 12-2
Purpose .................................................................................................................................................. 12-2
Commands ............................................................................................................................................. 12-2
show port priority..............................................................................................................................12-2
set port priority..................................................................................................................................12-3
clear port priority...............................................................................................................................12-3
Configuring Priority to Transmit Queue Mapping ......................................................................................... 12-4
Purpose .................................................................................................................................................. 12-4
Commands ............................................................................................................................................. 12-4
show port priority-queue...................................................................................................................12-4
set port priority-queue.......................................................................................................................12-5
clear port priority-queue....................................................................................................................12-6
Configuring Quality of Service (QoS) ........................................................................................................... 12-7
Purpose .................................................................................................................................................. 12-7
Commands ............................................................................................................................................. 12-7
show port txq....................................................................................................................................12-7
set port txq........................................................................................................................................12-8
clear port txq.....................................................................................................................................12-9
Chapter 13: IGMP Configuration
IGMP Overview ............................................................................................................................................ 13-1
About IP Multicast Group Management ................................................................................................. 13-1
About Multicasting .................................................................................................................................. 13-2
Configuring IGMP at Layer 2 ........................................................................................................................ 13-2
Purpose .................................................................................................................................................. 13-2
Commands ............................................................................................................................................. 13-2
show igmpsnooping..........................................................................................................................13-3
set igmpsnooping adminmode..........................................................................................................13-3
set igmpsnooping interfacemode......................................................................................................13-4
set igmpsnooping groupmembershipinterval....................................................................................13-4
set igmpsnooping maxresponse.......................................................................................................13-5
set igmpsnooping mcrtrexpiretime....................................................................................................13-6
set igmpsnooping add-static.............................................................................................................13-6
set igmpsnooping remove-static.......................................................................................................13-7
show igmpsnooping static ................................................................................................................13-8
show igmpsnooping mfdb.................................................................................................................13-8
clear igmpsnooping..........................................................................................................................13-9
Configuring IGMP on Routing Interfaces .................................................................................................... 13-10
Purpose ................................................................................................................................................ 13-10
Commands ........................................................................................................................................... 13-10
ip igmp............................................................................................................................................13-10
ip igmp enable................................................................................................................................13-11
ip igmp version ...............................................................................................................................13-11
show ip igmp interface....................................................................................................................13-12
show ip igmp groups.......................................................................................................................13-13
ip igmp query-interval .....................................................................................................................13-13
ip igmp query-max-response-time..................................................................................................13-14
ip igmp startup-query-interval .........................................................................................................13-14
ip igmp startup-query-count............................................................................................................13-15
ip igmp last-member-query-interval ................................................................................................13-15
ip igmp last-member-query-count...................................................................................................13-16
ip igmp robustness .........................................................................................................................13-16
Chapter 14: Logging and Network Management
Configuring System Logging ........................................................................................................................ 14-1
Purpose .................................................................................................................................................. 14-1
Commands ............................................................................................................................................. 14-1
show logging server..........................................................................................................................14-2
set logging server .............................................................................................................................14-3
clear logging server ..........................................................................................................................14-4
show logging default.........................................................................................................................14-4
set logging default ............................................................................................................................14-5
clear logging default .........................................................................................................................14-6
show logging application..................................................................................................................14-6
set logging application......................................................................................................................14-7
clear logging application...................................................................................................................14-9
show logging local ............................................................................................................................14-9
set logging local..............................................................................................................................14-10
clear logging local...........................................................................................................................14-10
show logging buffer ........................................................................................................................14-11
show logging interface....................................................................................................................14-11
set logging interface .......................................................................................................................14-12
clear logging interface ....................................................................................................................14-13
Monitoring Network Events and Status ...................................................................................................... 14-14
Purpose ................................................................................................................................................ 14-14
Commands ........................................................................................................................................... 14-14
history.............................................................................................................................................14-14
show history....................................................................................................................................14-15
set history.......................................................................................................................................14-15
ping.................................................................................................................................................14-16
show users .....................................................................................................................................14-16
disconnect ......................................................................................................................................14-17
show netstat ...................................................................................................................................14-17
Managing Switch Network Addresses and Routes ..................................................................................... 14-19
Purpose ................................................................................................................................................ 14-19
Commands ........................................................................................................................................... 14-19
show arp.........................................................................................................................................14-19
set arp.............................................................................................................................................14-20
clear arp..........................................................................................................................................14-21
traceroute .......................................................................................................................................14-21
show mac .......................................................................................................................................14-22
show mac agetime..........................................................................................................................14-23
set mac agetime.............................................................................................................................14-24
clear mac agetime..........................................................................................................................14-24
set mac algorithm...........................................................................................................................14-25
show mac algorithm........................................................................................................................14-25
clear mac algorithm........................................................................................................................14-26
set mac multicast............................................................................................................................14-26
clear mac address ..........................................................................................................................14-27
show mac unreserved-flood...........................................................................................................14-28
set mac unreserved-flood...............................................................................................................14-28
Configuring Simple Network Time Protocol (SNTP) ................................................................................... 14-29
Purpose ................................................................................................................................................ 14-29
Commands ........................................................................................................................................... 14-29
show sntp.......................................................................................................................................14-29
set sntp client..................................................................................................................................14-31
clear sntp client...............................................................................................................................14-31
set sntp server................................................................................................................................14-32
clear sntp server.............................................................................................................................14-32
set sntp poll-interval........................................................................................................................14-33
clear sntp poll-interval.....................................................................................................................14-33
set sntp poll-retry............................................................................................................................14-34
clear sntp poll-retry.........................................................................................................................14-34
set sntp poll-timeout .......................................................................................................................14-35
clear sntp poll-timeout ....................................................................................................................14-35
set timezone...................................................................................................................................14-36
show sntp interface.........................................................................................................................14-37
set sntp interface............................................................................................................................14-37
clear sntp interface.........................................................................................................................14-38
Configuring Node Aliases ........................................................................................................................... 14-40
Purpose ................................................................................................................................................ 14-40
Commands ........................................................................................................................................... 14-40
show nodealias config....................................................................................................................14-40
set nodealias ..................................................................................................................................14-41
clear nodealias config.....................................................................................................................14-42
Chapter 15: RMON Configuration
RMON Monitoring Group Functions ............................................................................................................. 15-1
Design Considerations ................................................................................................................................. 15-2
Statistics Group Commands ......................................................................................................................... 15-3
Purpose .................................................................................................................................................. 15-3
Commands ............................................................................................................................................. 15-3
show rmon stats ...............................................................................................................................15-4
set rmon stats...................................................................................................................................15-4
clear rmon stats................................................................................................................................15-5
History Group Commands ............................................................................................................................ 15-6
Purpose .................................................................................................................................................. 15-6
Commands ............................................................................................................................................. 15-6
show rmon history............................................................................................................................15-6
set rmon history................................................................................................................................15-7
clear rmon history.............................................................................................................................15-7
Alarm Group Commands .............................................................................................................................. 15-9
Purpose .................................................................................................................................................. 15-9
Commands ............................................................................................................................................. 15-9
show rmon alarm..............................................................................................................................15-9
set rmon alarm properties...............................................................................................................15-10
set rmon alarm status.....................................................................................................................15-11
clear rmon alarm.............................................................................................................................15-12
Event Group Commands ............................................................................................................................ 15-13
Purpose ................................................................................................................................................ 15-13
Commands ........................................................................................................................................... 15-13
show rmon event............................................................................................................................15-13
set rmon event properties...............................................................................................................15-14
set rmon event status .....................................................................................................................15-15
clear rmon event.............................................................................................................................15-15
Filter Group Commands ............................................................................................................................. 15-17
Commands ........................................................................................................................................... 15-17
show rmon channel ........................................................................................................................15-17
set rmon channel ............................................................................................................................15-18
clear rmon channel .........................................................................................................................15-19
show rmon filter ..............................................................................................................................15-19
set rmon filter..................................................................................................................................15-20
clear rmon filter...............................................................................................................................15-21
Packet Capture Commands ....................................................................................................................... 15-22
Purpose ................................................................................................................................................ 15-22
Commands ........................................................................................................................................... 15-22
show rmon capture.........................................................................................................................15-22
set rmon capture.............................................................................................................................15-23
clear rmon capture..........................................................................................................................15-24
Chapter 16: DHCP Server Configuration
DHCP Overview ........................................................................................................................................... 16-1
DHCP Relay Agent ................................................................................................................................ 16-1
DHCP Server ......................................................................................................................................... 16-1
Configuring a DHCP Server ................................................................................................................... 16-2
Configuring General DHCP Server Parameters ........................................................................................... 16-3
Purpose .................................................................................................................................................. 16-3
Commands ............................................................................................................................................. 16-3
set dhcp............................................................................................................................................16-4
set dhcp bootp..................................................................................................................................16-4
set dhcp conflict logging...................................................................................................................16-5
show dhcp conflict............................................................................................................................16-5
clear dhcp conflict.............................................................................................................................16-6
set dhcp exclude...............................................................................................................................16-7
clear dhcp exclude............................................................................................................................16-7
set dhcp ping....................................................................................................................................16-8
clear dhcp ping.................................................................................................................................16-8
show dhcp binding............................................................................................................................16-9
clear dhcp binding............................................................................................................................16-9
show dhcp server statistics.............................................................................................................16-10
clear dhcp server statistics .............................................................................................................16-10
Configuring IP Address Pools ..................................................................................................................... 16-12
Manual Pool Configuration Considerations .......................................................................................... 16-12
Purpose ................................................................................................................................................ 16-12
Commands ........................................................................................................................................... 16-12
set dhcp pool ..................................................................................................................................16-13
clear dhcp pool ...............................................................................................................................16-14
set dhcp pool network.....................................................................................................................16-14
clear dhcp pool network..................................................................................................................16-15
set dhcp pool hardware-address ....................................................................................................16-15
clear dhcp pool hardware-address .................................................................................................16-16
set dhcp pool host ..........................................................................................................................16-16
clear dhcp pool host .......................................................................................................................16-17
set dhcp pool client-identifier..........................................................................................................16-17
clear dhcp pool client-identifier.......................................................................................................16-18
set dhcp pool client-name...............................................................................................................16-19
clear dhcp pool client-name............................................................................................................16-19
set dhcp pool bootfile......................................................................................................................16-20
clear dhcp pool bootfile...................................................................................................................16-20
set dhcp pool next-server ...............................................................................................................16-21
clear dhcp pool next-server ............................................................................................................16-21
set dhcp pool lease.........................................................................................................................16-22
clear dhcp pool lease......................................................................................................................16-22
set dhcp pool default-router............................................................................................................16-23
clear dhcp pool default-router.........................................................................................................16-23
set dhcp pool dns-server ................................................................................................................16-24
clear dhcp pool dns-server .............................................................................................................16-24
set dhcp pool domain-name...........................................................................................................16-25
clear dhcp pool domain-name........................................................................................................16-25
set dhcp pool netbios-name-server ................................................................................................16-26
clear dhcp pool netbios-name-server .............................................................................................16-26
set dhcp pool netbios-node-type ....................................................................................................16-27
clear dhcp pool netbios-node-type .................................................................................................16-27
set dhcp pool option.......................................................................................................................16-28
clear dhcp pool option....................................................................................................................16-29
show dhcp pool configuration.........................................................................................................16-29
Chapter 17: DHCP Snooping and Dynamic ARP Inspection
DHCP Snooping Overview ........................................................................................................................... 17-1
DHCP Message Processing ................................................................................................................... 17-1
Building and Maintaining the Database .................................................................................................. 17-2
Rate Limiting .......................................................................................................................................... 17-3
Basic Configuration ................................................................................................................................ 17-3
DHCP Snooping Commands ........................................................................................................................ 17-4
set dhcpsnooping.............................................................................................................................17-4
set dhcpsnooping vlan......................................................................................................................17-5
set dhcpsnooping database write-delay...........................................................................................17-5
set dhcpsnooping trust .....................................................................................................................17-6
set dhcpsnooping binding.................................................................................................................17-7
set dhcpsnooping verify....................................................................................................................17-7
set dhcpsnooping log-invalid............................................................................................................17-8
set dhcpsnooping limit......................................................................................................................17-9
show dhcpsnooping........................................................................................................................17-10
show dhcpsnooping database........................................................................................................17-11
show dhcpsnooping port.................................................................................................................17-11
show dhcpsnooping binding...........................................................................................................17-12
show dhcpsnooping statistics.........................................................................................................17-13
clear dhcpsnooping binding............................................................................................................17-14
clear dhcpsnooping statistics..........................................................................................................17-14
clear dhcpsnooping database.........................................................................................................17-14
clear dhcpsnooping limit.................................................................................................................17-15
Dynamic ARP Inspection Overview ............................................................................................................ 17-15
Functional Description .......................................................................................................................... 17-16
Basic Configuration .............................................................................................................................. 17-18
Example Configuration ......................................................................................................................... 17-19
Dynamic ARP Inspection Commands ........................................................................................................ 17-20
set arpinspection vlan.....................................................................................................................17-20
set arpinspection trust ....................................................................................................................17-21
set arpinspection validate...............................................................................................................17-22
set arpinspection limit.....................................................................................................................17-23
set arpinspection filter.....................................................................................................................17-24
show arpinspection access-list.......................................................................................................17-24
show arpinspection ports................................................................................................................17-25
show arpinspection vlan.................................................................................................................17-26
show arpinspection statistics..........................................................................................................17-26
clear arpinspection validate............................................................................................................17-27
clear arpinspection vlan..................................................................................................................17-28
clear arpinspection filter..................................................................................................................17-29
clear arpinspection limit..................................................................................................................17-30
clear arpinspection statistics...........................................................................................................17-31
Chapter 18: Preparing for Router Mode
Pre-Routing Configuration Tasks ................................................................................................................. 18-1
Example ................................................................................................................................................. 18-2
Enabling Router Configuration Modes .......................................................................................................... 18-2
Chapter 19: IP Configuration
Configuring Routing Interface Settings ......................................................................................................... 19-1
Purpose .................................................................................................................................................. 19-1
Commands ............................................................................................................................................. 19-1
show interface ..................................................................................................................................19-2
interface............................................................................................................................................19-3
show ip interface...............................................................................................................................19-4
ip address.........................................................................................................................................19-5
show running-config.........................................................................................................................19-6
no shutdown.....................................................................................................................................19-6
no ip routing......................................................................................................................................19-7
Configuring Tunnel Interfaces ...................................................................................................................... 19-8
Purpose .................................................................................................................................................. 19-8
Commands ............................................................................................................................................. 19-8
interface tunnel .................................................................................................................................19-8
tunnel source....................................................................................................................................19-9
tunnel destination...........................................................................................................................19-10
tunnel mode....................................................................................................................................19-10
show interface tunnel......................................................................................................................19-11
Reviewing and Configuring the ARP Table ................................................................................................ 19-12
Purpose ................................................................................................................................................ 19-12
Commands ........................................................................................................................................... 19-12
show ip arp.....................................................................................................................................19-12
arp..................................................................................................................................................19-13
ip proxy-arp.....................................................................................................................................19-14
arp timeout......................................................................................................................................19-15
clear arp-cache...............................................................................................................................19-15
Configuring Broadcast Settings .................................................................................................................. 19-16
Purpose ................................................................................................................................................ 19-16
Commands ........................................................................................................................................... 19-16
ip directed-broadcast......................................................................................................................19-16
ip forward-protocol..........................................................................................................................19-17
ip helper-address............................................................................................................................19-18
Reviewing IP Traffic and Configuring Routes ............................................................................................. 19-19
Purpose ................................................................................................................................................ 19-19
Commands ........................................................................................................................................... 19-19
show ip route..................................................................................................................................19-19
ip route............................................................................................................................................19-21
ping.................................................................................................................................................19-21
traceroute .......................................................................................................................................19-22
Configuring ICMP Redirects ....................................................................................................................... 19-23
Purpose ................................................................................................................................................ 19-23
Commands ........................................................................................................................................... 19-23
ip icmp redirect enable ...................................................................................................................19-23
show ip icmp redirect......................................................................................................................19-24
Chapter 20: IPv4 Routing Protocol Configuration
Activating Advanced Routing Features ........................................................................................................ 20-1
Configuring RIP ............................................................................................................................................ 20-2
Purpose .................................................................................................................................................. 20-2
RIP Configuration Task List and Commands ......................................................................................... 20-2
router rip...........................................................................................................................................20-2
ip rip enable......................................................................................................................................20-3
distance............................................................................................................................................20-3
ip rip send version............................................................................................................................20-4
ip rip receive version.........................................................................................................................20-5
ip rip authentication-key....................................................................................................................20-5
ip rip message-digest-key.................................................................................................................20-6
no auto-summary..............................................................................................................................20-7
split-horizon poison...........................................................................................................................20-7
passive-interface ..............................................................................................................................20-8
receive-interface...............................................................................................................................20-9
redistribute........................................................................................................................................20-9
Configuring OSPF ...................................................................................................................................... 20-11
Purpose ................................................................................................................................................ 20-11
OSPF Configuration Task List and Commands ................................................................................... 20-11
router id..........................................................................................................................................20-12
router ospf ......................................................................................................................................20-13
1583compatibility............................................................................................................................20-13
ip ospf enable.................................................................................................................................20-14
ip ospf areaid..................................................................................................................................20-14
ip ospf cost .....................................................................................................................................20-15
ip ospf priority.................................................................................................................................20-15
timers spf........................................................................................................................................20-16
ip ospf retransmit-interval ...............................................................................................................20-17
ip ospf transmit-delay.....................................................................................................................20-17
ip ospf hello-interval........................................................................................................................20-18
ip ospf dead-interval .......................................................................................................................20-18
ip ospf authentication-key...............................................................................................................20-19
ip ospf message digest key md5....................................................................................................20-20
distance ospf ..................................................................................................................................20-20
area range......................................................................................................................................20-21
area stub.........................................................................................................................................20-22
area default cost.............................................................................................................................20-23
area nssa........................................................................................................................................20-23
area virtual-link...............................................................................................................................20-24
redistribute......................................................................................................................................20-25
show ip ospf....................................................................................................................................20-26
show ip ospf database....................................................................................................................20-27
show ip ospf interface.....................................................................................................................20-28
show ip ospf neighbor.....................................................................................................................20-30
show ip ospf virtual-links.................................................................................................................20-31
clear ip ospf process.......................................................................................................................20-31
Configuring DVMRP ................................................................................................................................... 20-33
Purpose ................................................................................................................................................ 20-33
Commands ........................................................................................................................................... 20-33
Enabling DVMRP on an Interface ........................................................................................................ 20-33
ip dvmrp..........................................................................................................................................20-34
ip dvmrp enable..............................................................................................................................20-34
ip dvmrp metric...............................................................................................................................20-35
show ip dvmrp................................................................................................................................20-35
Configuring IRDP ........................................................................................................................................ 20-37
Purpose ................................................................................................................................................ 20-37
Commands ........................................................................................................................................... 20-37
ip irdp enable..................................................................................................................................20-37
ip irdp maxadvertinterval ................................................................................................................20-38
ip irdp minadvertinterval .................................................................................................................20-38
ip irdp holdtime...............................................................................................................................20-39
ip irdp preference............................................................................................................................20-39
ip irdp broadcast.............................................................................................................................20-40
show ip irdp....................................................................................................................................20-40
Configuring VRRP ...................................................................................................................................... 20-42
Purpose ................................................................................................................................................ 20-42
Commands ........................................................................................................................................... 20-42
router vrrp.......................................................................................................................................20-42
create..............................................................................................................................................20-43
address...........................................................................................................................................20-44
priority.............................................................................................................................................20-45
advertise-interval ............................................................................................................................20-45
preempt ..........................................................................................................................................20-46
enable.............................................................................................................................................20-47
ip vrrp authentication-key ...............................................................................................................20-48
show ip vrrp....................................................................................................................................20-48
Configuring PIM-SM ................................................................................................................................... 20-49
Design Considerations ......................................................................................................................... 20-49
Purpose ................................................................................................................................................ 20-49
Commands ........................................................................................................................................... 20-49
ip pimsm.........................................................................................................................................20-50
ip pimsm staticrp.............................................................................................................................20-50
ip pimsm enable .............................................................................................................................20-51
ip pimsm query-interval ..................................................................................................................20-52
show ip pimsm................................................................................................................................20-52
show ip pimsm componenttable.....................................................................................................20-53
show ip pimsm interface.................................................................................................................20-54
show ip pimsm neighbor.................................................................................................................20-55
show ip pimsm rp............................................................................................................................20-56
show ip pimsm rphash....................................................................................................................20-57
show ip pimsm staticrp...................................................................................................................20-58
show ip mroute...............................................................................................................................20-59
Chapter 21: IPv6 Management
Purpose .................................................................................................................................................. 21-1
Commands ............................................................................................................................................. 21-1
show ipv6 status...............................................................................................................................21-1
set ipv6.............................................................................................................................................21-2
set ipv6 address ...............................................................................................................................21-3
show ipv6 address............................................................................................................................21-4
clear ipv6 address ............................................................................................................................21-4
set ipv6 gateway...............................................................................................................................21-5
clear ipv6 gateway............................................................................................................................21-6
show ipv6 neighbors.........................................................................................................................21-6
show ipv6 netstat..............................................................................................................................21-7
ping ipv6...........................................................................................................................................21-8
traceroute ipv6..................................................................................................................................21-9
Chapter 22: IPv6 Configuration
Overview ....................................................................................................................................................... 22-1
Default Conditions .................................................................................................................................. 22-2
General Configuration Commands ............................................................................................................... 22-3
ipv6 forwarding.................................................................................................................................22-3
ipv6 hop-limit ....................................................................................................................................22-3
ipv6 route..........................................................................................................................................22-4
ipv6 route distance ...........................................................................................................................22-5
ipv6 unicast-routing..........................................................................................................................22-6
ping ipv6...........................................................................................................................................22-6
ping ipv6 interface ............................................................................................................................22-7
traceroute ipv6..................................................................................................................................22-8
Interface Configuration Commands ............................................................................................................ 22-10
ipv6 address ...................................................................................................................................22-10
ipv6 enable.....................................................................................................................................22-11
ipv6 mtu..........................................................................................................................................22-12
Neighbor Cache and Neighbor Discovery Commands ............................................................................... 22-14
clear ipv6 neighbors .......................................................................................................................22-14
ipv6 nd dad attempts ......................................................................................................................22-15
ipv6 nd ns-interval ..........................................................................................................................22-15
ipv6 nd reachable-time...................................................................................................................22-16
ipv6 nd other-config-flag.................................................................................................................22-17
ipv6 nd ra-interval ...........................................................................................................................22-18
ipv6 nd ra-lifetime...........................................................................................................................22-18
ipv6 nd suppress-ra........................................................................................................................22-19
ipv6 nd prefix..................................................................................................................................22-19
Query Commands ...................................................................................................................................... 22-22
show ipv6........................................................................................................................................22-22
show ipv6 interface.........................................................................................................................22-22
show ipv6 neighbors.......................................................................................................................22-24
show ipv6 route ..............................................................................................................................22-25
show ipv6 route preferences ..........................................................................................................22-27
show ipv6 route summary...............................................................................................................22-28
show ipv6 traffic..............................................................................................................................22-29
clear ipv6 statistics .........................................................................................................................22-34
Chapter 23: IPv6 Proxy Routing
Overview ....................................................................................................................................................... 23-1
Limitations .............................................................................................................................................. 23-2
Preparing a Mixed Stack for IPv6 Proxy Routing ......................................................................................... 23-2
Commands ................................................................................................................................................... 23-3
ipv6 proxy-routing.............................................................................................................................23-3
show ipv6 proxy-routing....................................................................................................................23-3
Chapter 24: DHCPv6 Configuration
Overview ....................................................................................................................................................... 24-1
Default Conditions .................................................................................................................................. 24-2
Global Configuration Commands ................................................................................................................. 24-2
Purpose .................................................................................................................................................. 24-2
Commands ............................................................................................................................................. 24-2
ipv6 dhcp enable ..............................................................................................................................24-2
ipv6 dhcp relay-agent-info-opt..........................................................................................................24-3
ipv6 dhcp relay-agent-info-remote-id-subopt....................................................................................24-4
ipv6 dhcp pool ..................................................................................................................................24-4
Address Pool Configuration Commands ...................................................................................................... 24-6
Purpose .................................................................................................................................................. 24-6
Commands ............................................................................................................................................. 24-6
domain-name....................................................................................................................................24-6
dns-server.........................................................................................................................................24-7
prefix-delegation...............................................................................................................................24-7
exit....................................................................................................................................................24-8
Interface Configuration Commands ............................................................................................................ 24-10
Purpose ................................................................................................................................................ 24-10
Commands ........................................................................................................................................... 24-10
ipv6 dhcp server .............................................................................................................................24-10
ipv6 dhcp relay...............................................................................................................................24-11
DHCPv6 Show Commands ........................................................................................................................ 24-13
Purpose ................................................................................................................................................ 24-13
Commands ........................................................................................................................................... 24-13
show ipv6 dhcp...............................................................................................................................24-13
show ipv6 dhcp interface................................................................................................................24-14
show ipv6 dhcp statistics................................................................................................................24-16
clear ipv6 dhcp statistics.................................................................................................................24-17
show ipv6 dhcp pool .......................................................................................................................24-18
show ipv6 dhcp binding..................................................................................................................24-18
Chapter 25: OSPFv3 Configuration
Overview ....................................................................................................................................................... 25-1
Default Conditions .................................................................................................................................. 25-2
Global OSPFv3 Configuration Commands ................................................................................................... 25-3
Purpose .................................................................................................................................................. 25-3
Command ............................................................................................................................................... 25-3
ipv6 router id.....................................................................................................................................25-3
ipv6 router ospf.................................................................................................................................25-4
default-information originate.............................................................................................................25-4
default-metric....................................................................................................................................25-5
distance ospf ....................................................................................................................................25-5
exit-overflow-interval.........................................................................................................................25-6
external-lsdb-limit .............................................................................................................................25-7
maximum-paths................................................................................................................................25-8
redistribute........................................................................................................................................25-8
Area Configuration Commands .................................................................................................................. 25-10
Purpose ................................................................................................................................................ 25-10
Commands ........................................................................................................................................... 25-10
area default-cost.............................................................................................................................25-10
area nssa........................................................................................................................................25-11
area nssa default-info-originate......................................................................................................25-12
area nssa no-redistribute................................................................................................................25-12
area nssa no-summary...................................................................................................................25-13
area nssa translator role.................................................................................................................25-14
area nssa translator-stab-intv.........................................................................................................25-14
area range......................................................................................................................................25-15
area stub.........................................................................................................................................25-16
area stub no-summary....................................................................................................................25-17
area virtual-link...............................................................................................................................25-17
area virtual-link dead-interval .........................................................................................................25-18
area virtual-link hello-interval..........................................................................................................25-19
area virtual-link retransmit-interval .................................................................................................25-19
area virtual-link transmit-delay........................................................................................................25-20
Interface Configuration Commands ............................................................................................................ 25-21
Purpose ................................................................................................................................................ 25-21
Commands ........................................................................................................................................... 25-21
ipv6 ospf enable .............................................................................................................................25-21
ipv6 ospf areaid..............................................................................................................................25-22
ipv6 ospf cost..................................................................................................................................25-22
ipv6 ospf dead-interval ...................................................................................................................25-23
ipv6 ospf hello-interval....................................................................................................................25-24
ipv6 ospf mtu-ignore.......................................................................................................................25-24
ipv6 ospf network............................................................................................................................25-25
ipv6 ospf priority.............................................................................................................................25-26
ipv6 ospf retransmit-interval ...........................................................................................................25-26
ipv6 ospf transmit-delay..................................................................................................................25-27
OSPFv3 Show Commands ......................................................................................................................... 25-29
Purpose ................................................................................................................................................ 25-29
Commands ........................................................................................................................................... 25-29
show ipv6 ospf................................................................................................................................25-29
show ipv6 ospf area........................................................................................................................25-31
show ipv6 ospf abr..........................................................................................................................25-32
show ipv6 ospf asbr........................................................................................................................25-33
show ipv6 ospf database................................................................................................................25-34
show ipv6 ospf interface.................................................................................................................25-38
show ipv6 ospf interface stats ........................................................................................................25-40
show ipv6 ospf neighbor.................................................................................................................25-42
show ipv6 ospf range......................................................................................................................25-44
show ipv6 ospf stub table...............................................................................................................25-45
show ipv6 ospf virtual-link...............................................................................................................25-46
Chapter 26: Authentication and Authorization Configuration
Overview of Authentication and Authorization Methods ............................................................................... 26-1
RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment ...................................................... 26-3
Setting the Authentication Login Method ...................................................................................................... 26-4
Purpose .................................................................................................................................................. 26-4
Commands ............................................................................................................................................. 26-4
show authentication login.................................................................................................................26-4
set authentication login.....................................................................................................................26-4
clear authentication login..................................................................................................................26-5
Configuring RADIUS ..................................................................................................................................... 26-6
Purpose .................................................................................................................................................. 26-6
Commands ............................................................................................................................................. 26-6
show radius ......................................................................................................................................26-6
set radius..........................................................................................................................................26-7
clear radius.......................................................................................................................................26-9
show radius accounting..................................................................................................................26-10
set radius accounting......................................................................................................................26-10
clear radius accounting...................................................................................................................26-11
show radius interface......................................................................................................................26-12
set radius interface.........................................................................................................................26-12
clear radius interface......................................................................................................................26-13
Configuring 802.1X Authentication ............................................................................................................. 26-15
Purpose ................................................................................................................................................ 26-15
Commands ........................................................................................................................................... 26-15
show dot1x.....................................................................................................................................26-15
show dot1x auth-config...................................................................................................................26-17
set dot1x.........................................................................................................................................26-18
set dot1x auth-config......................................................................................................................26-19
clear dot1x auth-config...................................................................................................................26-20
show eapol .....................................................................................................................................26-21
set eapol .........................................................................................................................................26-23
clear eapol ......................................................................................................................................26-23
Configuring MAC Authentication ................................................................................................................ 26-25
Purpose ................................................................................................................................................ 26-25
Commands ........................................................................................................................................... 26-25
show macauthentication.................................................................................................................26-25
show macauthentication session....................................................................................................26-27
set macauthentication.....................................................................................................................26-28
set macauthentication password....................................................................................................26-28
clear macauthentication password.................................................................................................26-29
set macauthentication port .............................................................................................................26-29
set macauthentication portinitialize.................................................................................................26-30
set macauthentication portquietperiod............................................................................................26-30
clear macauthentication portquietperiod.........................................................................................26-31
set macauthentication macinitialize................................................................................................26-31
set macauthentication reauthentication..........................................................................................26-32
set macauthentication portreauthenticate.......................................................................................26-32
set macauthentication macreauthenticate......................................................................................26-33
set macauthentication reauthperiod...............................................................................................26-33
clear macauthentication reauthperiod............................................................................................26-34
set macauthentication significant-bits.............................................................................................26-35
clear macauthentication significant-bits..........................................................................................26-35
Configuring Multiple Authentication Methods ............................................................................................. 26-37
About Multiple Authentication Types .................................................................................................... 26-37
About Multi-User Authentication ........................................................................................................... 26-37
Commands ........................................................................................................................................... 26-37
show multiauth................................................................................................................................26-38
set multiauth mode.........................................................................................................................26-39
clear multiauth mode......................................................................................................................26-39
set multiauth precedence ...............................................................................................................26-40
clear multiauth precedence ............................................................................................................26-40
show multiauth port ........................................................................................................................26-41
set multiauth port............................................................................................................................26-41
clear multiauth port.........................................................................................................................26-42
show multiauth station....................................................................................................................26-43
show multiauth session ..................................................................................................................26-43
show multiauth idle-timeout............................................................................................................26-44
set multiauth idle-timeout................................................................................................................26-45
clear multiauth idle-timeout.............................................................................................................26-46
show multiauth session-timeout .....................................................................................................26-46
set multiauth session-timeout.........................................................................................................26-47
clear multiauth session-timeout......................................................................................................26-48
Configuring User + IP Phone Authentication .............................................................................................. 26-48
Configuring VLAN Authorization (RFC 3580) ............................................................................................. 26-49
Purpose ................................................................................................................................................ 26-49
Commands ........................................................................................................................................... 26-49
set vlanauthorization.......................................................................................................................26-50
set vlanauthorization egress...........................................................................................................26-50
clear vlanauthorization....................................................................................................................26-51
show vlanauthorization...................................................................................................................26-51
Configuring Policy Maptable Response ...................................................................................................... 26-52
Operational Description
Commands
show policy maptable
set policy maptable
clear policy maptable
Configuring MAC Locking
Purpose
Commands
show maclock
show maclock stations
set maclock enable
set maclock disable
set maclock
clear maclock
set maclock static
clear maclock static
set maclock firstarrival
clear maclock firstarrival
set maclock agefirstarrival
clear maclock agefirstarrival
set maclock move
set maclock trap
Configuring Port Web Authentication (PWA)
About PWA
Purpose
Commands
show pwa
set pwa
show pwa banner
set pwa banner
clear pwa banner
set pwa displaylogo
set pwa ipaddress
set pwa protocol
set pwa guestname
clear pwa guestname
set pwa guestpassword
set pwa gueststatus
set pwa initialize
set pwa quietperiod
set pwa maxrequest
set pwa portcontrol
show pwa session
set pwa enhancedmode
Configuring Secure Shell (SSH)
Purpose
Commands
show ssh status
set ssh
set ssh hostkey
Configuring Access Lists
Purpose
Commands
show access-lists
access-list (standard)
access-list (extended)
ip access-group
Chapter 27: TACACS+ Configuration
show tacacs
set tacacs
show tacacs server
set tacacs server
clear tacacs server
show tacacs session
set tacacs session
clear tacacs session
show tacacs command
set tacacs command
show tacacs singleconnect
set tacacs singleconnect
show tacacs interface
set tacacs interface
clear tacacs interface
Chapter 28: sFlow Configuration
Overview
Using sFlow in Your Network
Definitions
sFlow Agent Functionality
Sampling Mechanisms
Example Configuration
Commands
show sflow receivers
set sflow receiver owner
set sflow receiver ip
set sflow receiver maxdatagram
set sflow receiver port
clear sflow receiver
set sflow port poller
show sflow pollers
clear sflow port poller
set sflow port sampler
show sflow samplers
clear sflow port sampler
set sflow interface
show sflow interface
clear sflow interface
show sflow agent
Appendix A: Policy and Authentication Capacities
Policy Capacities
Authentication Capacities
Index
Figures
1-1 SecureStack C3 Startup Screen
1-2 Sample CLI Defaults Description
1-3 Performing a Keyword Lookup
1-4 Performing a Partial Keyword Lookup
1-5 Scrolling Screen Output
1-6 Abbreviating a Command
10-1 Example of VLAN Propagation via GVRP
Tables
1-1 Default Settings for Basic Switch Operation
1-2 Default Settings for Router Operation
1-3 Basic Line Editing Commands
3-1 Required CLI Setup Commands
3-2 Optional CLI Setup Commands
3-3 show system lockout Output Details
3-4 show system Output Details
3-5 show version Output Details
5-1 show inlinepower Output Details
6-1 show cdp Output Details
6-2 show ciscodp Output Details
6-3 show ciscodp port info Output Details
6-4 show lldp port local-info Output Details
6-5 show lldp port remote-info Output Display
7-1 show port status Output Details
7-2 show port counters Output Details
7-3 show port cablestatus Output Details
7-4 show linkflap parameters Output Details
7-5 show linkflap metrics Output Details
7-6 LACP Terms and Definitions
7-7 show lacp Output Details
8-1 SNMP Security Levels
8-2 show snmp engineid Output Details
8-3 show snmp counters Output Details
8-4 show snmp user Output Details
8-5 show snmp group Output Details
8-6 show snmp access Output Details
8-7 show snmp view Output Details
8-8 show snmp targetparams Output Details
8-9 show snmp targetaddr Output Details
8-10 show snmp notify Output Details
8-11 Basic SNMP Trap Configuration
9-1 show spantree Output Details
10-1 Command Set for Creating a Secure Management VLAN
10-2 show vlan Output Details
10-3 show gvrp configuration Output Details
11-1 show policy profile Output Details
11-2 show policy rule Output Details
11-3 Valid Values for Policy Classification Rules
14-1 show logging server Output Details
14-2 show logging application Output Details
14-3 Mnemonic Values for Logging Applications
14-4 show netstat Output Details
14-5 show arp Output Details
14-6 show mac Output Details
14-7 show sntp Output Details
14-8 show nodealias config Output Details
15-1 RMON Monitoring Group Functions and Commands
15-2 show rmon alarm Output Details
15-3 show rmon event Output Details
18-1 Enabling the Switch for Routing
18-2 Router CLI Configuration Modes
19-1 show ip interface Output Details
19-2 show ip arp Output Details
20-1 RIP Configuration Task List and Commands
20-2 OSPF Configuration Task List and Commands
20-3 show ip ospf database Output Details
20-4 show ip ospf interface Output Details
20-5 show ip ospf neighbor Output Details
20-6 show ip ospf virtual links Output Details
20-7 show ip pimsm Output Details
20-8 show ip pimsm componenettable Output Details
20-9 show ip pimsm interface vlan Output Details
20-10 show ip pimsm interface stats Output Details
20-11 show ip pimsm neighbor Output Details
20-12 show ip pimsm rp Output Details
20-13 show ip pimsm staticrp Output Details
22-1 show ipv6 neighbor Output Details
22-2 show ipv6 route Output Details
22-3 show ipv6 route preferences Output Details
22-4 show ipv6 summary Output Details
22-5 show ipv6 traffic Output Details
24-1 Output of show ipv6 dhcp interface Command
24-2 Output of show ipv6 dhcp statistics Command
25-1 show ipv6 ospf Output Details
25-2 show ipv6 ospf area Output Details
25-3 show ipv6 ospf abr Output Details
25-4 show ipv6 ospf asbr Output Details
25-5 show ipv6 ospf database Output Details
25-6 show ipv6 ospf database database-summary Output Details
25-7 show ipv6 ospf interface Command Output Details
25-8 show ipv6 ospf interface stats Output Details
25-9 show ipv6 ospf neighbor Output Details
25-10 show ipv6 ospf neighbor routerid Output Details
25-11 show ipv6 ospf range Output Details
25-12 show ipv6 ospf stub table Output Details
25-13 show ipv6 ospf virtual-link Output Details
26-1 show radius Output Details
26-2 show eapol Output Details
26-3 show macauthentication Output Details
26-4 show macauthentication session Output Details
26-5 show vlanauthorization Output Details
26-6 show maclock Output Details
26-7 show maclock stations Output Details
26-8 show pwa Output Details
27-1 show tacacs Output Details
28-1 sFlow Definitions
28-2 show sflow receivers Output Descriptions
A-1 Policy Capacities
A-2 Authentication Capacities
About This Guide
Welcome to the Enterasys SecureStack C3 Configuration Guide. This manual explains how to
access the device's Command Line Interface (CLI) and how to use it to configure SecureStack C3
switch devices.
Using This Guide
A general working knowledge of basic network operations and an understanding of CLI
management applications is helpful before configuring the SecureStack device.
This manual describes how to do the following:
Access the SecureStack CLI.
Use CLI commands to perform network management and device configuration operations.
Establish and manage Virtual Local Area Networks (VLANs).
Establish and manage static and dynamically assigned policy classifications.
Establish and manage priority classification.
Configure IP routing and routing protocols, including RIP versions 1 and 2, OSPF, DVMRP, IRDP, and VRRP.
Configure IPv6 routing, including OSPFv3.
Configure security protocols, including 802.1X and RADIUS, SSHv2, PWA, MAC locking, and MAC authentication.
Configure access control lists (ACLs).
Structure of This Guide
The guide is organized as follows:
Chapter 1, Introduction, provides an overview of the tasks that can be accomplished using the
CLI interface, an overview of local management requirements, an overview of the device's factory
default settings, and information about using the Command Line Interface (CLI).
Chapter 2, Configuring Switches in a Stack, provides information about how to configure and
manage stacked switches.
Chapter 3, Basic Configuration, describes how to set basic system properties, how to download a
firmware image, how to configure WebView and Telnet, how to manage configuration files, how
to set the login password, and how to exit the CLI.
Chapter 4, Activating Licensed Features, describes the commands used to enable advanced
routing and IPv6 routing licensed features.
Important Notice
Depending on the firmware version used in your C3 device, some features described in this
document may not be supported. Refer to the Release Notes shipped with your device to
determine which features are supported.
Chapter 5, Configuring System Power and PoE, describes the commands used to review and set
system power and PoE parameters on devices that offer Power over Ethernet.
Chapter 6, Discovery Protocol Configuration, describes how to configure discovery protocols
supported by the device.
Chapter 7, Port Configuration, describes how to review and configure console port settings, and
how to enable or disable switch ports and configure switch port settings, including port speed,
duplex mode, auto-negotiation, flow control, port mirroring, link aggregation and broadcast
suppression.
Chapter 8, SNMP Configuration, describes how to configure SNMP users and user groups, access
rights, target addresses, and notification parameters.
Chapter 9, Spanning Tree Configuration, describes how to review and set Spanning Tree bridge
parameters for the device, including bridge priority, hello time, maximum aging time and forward
delay; and how to review and set Spanning Tree port parameters, including port priority and path
costs. Configuring the SpanGuard and Loop Protect functions is also described.
Chapter 10, 802.1Q VLAN Configuration, describes how to create static VLANs, select the mode
of operation for each port, establish VLAN forwarding (egress) lists, route frames according to
VLAN ID, display the current ports and port types associated with a VLAN and protocol, create a
secure management VLAN, and configure ports on the device as GVRP-aware ports.
Chapter 11, Policy Classification Configuration, describes how to create, change or remove user
roles or profiles based on business-specific use of network services; how to permit or deny access
to specific services by creating and assigning classification rules which map user profiles to frame
filtering policies; how to classify frames to a VLAN or Class of Service (CoS); and how to assign or
unassign ports to policy profiles so that only ports activated for a profile will be allowed to
transmit frames accordingly.
Chapter 12, Port Priority Configuration, describes how to set the transmit priority of each port
and configure a rate limit for a given port and list of priorities.
Chapter 13, IGMP Configuration, describes how to configure Internet Group Management
Protocol (IGMP) settings for multicast filtering.
Chapter 14, Logging and Network Management, describes how to configure Syslog, how to
manage general switch settings, how to monitor network events and status, and how to configure
SNTP and node aliases.
Chapter 15, RMON Configuration, describes how to use RMON (Remote Network Monitoring),
which provides comprehensive network fault diagnosis, planning, and performance tuning
information and allows for interoperability between SNMP management stations and monitoring
agents.
Chapter 16, DHCP Server Configuration, describes how to review and configure DHCP server
parameters, how to review and configure DHCP address pools, and how to display DHCP server
information.
Chapter 17, DHCP Snooping and Dynamic ARP Inspection, describes two security features:
DHCP snooping, which monitors DHCP messages between a DHCP client and DHCP server to
filter harmful DHCP messages and to build a database of authorized address bindings, and
Dynamic ARP inspection, which uses the bindings database created by the DHCP snooping
feature to reject invalid and malicious ARP packets.
Chapter 18, Preparing for Router Mode, provides information about router modes.
Chapter 19, IP Configuration, describes how to enable IP routing for router mode operation, how
to configure IP interface settings, how to review and configure the routing ARP table, how to
review and configure routing broadcasts, how to configure PIM, and how to configure IP routes.
Chapter 20, IPv4 Routing Protocol Configuration, describes how to configure IPv4 routing and routing protocols, including RIP, OSPF, DVMRP, IRDP, and VRRP.
Chapter 21, IPv6 Management, describes the commands used to configure IPv6 at the switch level.
Chapter 22, IPv6 Configuration, describes the commands used to configure IPv6 at the routing level.
Chapter 23, IPv6 Proxy Routing, describes how to enable IPv6 proxy routing and how to configure a mixed C2/C3 stack for IPv6 proxy routing.
Chapter 24, DHCPv6 Configuration, describes the commands used to configure the Dynamic Host Configuration Protocol for IPv6.
Chapter 25, OSPFv3 Configuration, describes the commands used to configure the Open Shortest Path First routing protocol for IPv6.
Chapter 26, Authentication and Authorization Configuration, describes how to configure 802.1X authentication using EAPOL, how to configure RADIUS server, Secure Shell server, MAC authentication, MAC locking, Port Web Authentication, and IP access control lists (ACLs).
Chapter 27, TACACS+ Configuration, provides information about the commands used to configure and monitor TACACS+ (Terminal Access Controller Access Control System Plus).
Chapter 28, sFlow Configuration, provides information about the commands used to configure and monitor the sFlow system.
Appendix A, Policy and Authentication Capacities, lists the policy and authentication capacities of the SecureStack C3 as of the date this document was published.
Related Documents
The following Enterasys Networks documents may help you to set up, control, and manage the SecureStack device:
• Enterasys Firmware Feature Guides
• SecureStack C3 Installation Guide(s)
• SecureStack Redundant Power System Installation Guide
The documents listed above can be obtained from the World Wide Web in Adobe Acrobat Portable Document Format (PDF) at the following web site:
http://www.enterasys.com/support/manuals/
Conventions Used in This Guide
The following conventions are used in the text of this document:
Convention                Description
Bold font                 Indicates mandatory keywords, parameters or keyboard keys.
italic font               Indicates complete document titles.
Courier font              Used for examples of information displayed on the screen.
Courier font in italics   Indicates a user-supplied value, either required or optional.
[ ]                       Square brackets indicate an optional value.
{ }                       Braces indicate required values. One or more values may be required.
|                         A vertical bar indicates a choice in values.
[x | y | z]               Square brackets with a vertical bar indicate a choice of a value.
{x | y | z}               Braces with a vertical bar indicate a choice of a required value.
[x {y | z}]               A combination of square brackets with braces and vertical bars indicates a
                          required choice of an optional value.
The following icons are used in this guide:
Note: Calls the reader's attention to any item of information that may be of special importance.
Router: Calls the reader's attention to router-specific commands and information.
Caution: Contains information essential to avoid damage to the equipment.
Getting Help
For additional support related to this switch or document, contact Enterasys Networks using one of the following methods:
World Wide Web    http://www.enterasys.com/support
Phone             1-800-872-8440 (toll-free in U.S. and Canada)
                  or 1-978-684-1000
                  For the Enterasys Networks Support toll-free number in your country:
                  http://www.enterasys.com/support/contact/
Internet mail     support@enterasys.com
                  To expedite your message, type [C-SERIES] in the subject line.
To send comments or suggestions concerning this document to the Technical Publications Department:
techpubs@enterasys.com
Make sure to include the document Part Number in the email message.
Before calling Enterasys Networks, have the following information ready:
• Your Enterasys Networks service contract number
• A description of the failure
• A description of any action(s) already taken to resolve the problem (for example, changing mode switches or rebooting the unit)
• The serial and revision numbers of all involved Enterasys Networks products in the network
• A description of your network environment (for example, layout, cable type)
• Network load and frame size at the time of trouble (if known)
• The switch history (for example, have you returned the switch before, is this a recurring problem?)
• Any previous Return Material Authorization (RMA) numbers
1
Introduction
This chapter provides an overview of the SecureStack C3's unique features and functionality, an overview of the tasks that may be accomplished using the CLI interface, an overview of ways to manage the switch, factory default settings, and information about how to use the Command Line Interface to configure the switch.
For information about...
• SecureStack C3 CLI Overview
• Switch Management Methods
• Factory Default Settings
• Using the Command Line Interface
SecureStack C3 CLI Overview
The Enterasys Networks SecureStack C3 CLI interface allows you to perform a variety of network management tasks, including the following:
• Use CLI commands to perform network management and switch configuration operations.
• Download a new firmware image.
• Assign IP address and subnet mask.
• Select a default gateway.
• Establish and manage Virtual Local Area Networks (VLANs).
• Establish and manage policy profiles and classifications.
• Establish and manage priority classification.
• Configure IPv4 routing and routing protocols.
• Configure IPv6 routing and routing protocols, including OSPFv3.
• Configure security protocols, including 802.1X and RADIUS, SSHv2, PWA, MAC locking, and MAC authentication.
• Configure access control lists (ACLs).
Switch Management Methods
The SecureStack C3 switch can be managed using the following methods:
• Locally using a VT type terminal connected to the console port.
• Remotely using a VT type terminal connected through a modem.
• Remotely using an SNMP management station.
• In-band through a Telnet connection.
• In-band using the Enterasys NetSight management application.
• Remotely using WebView, Enterasys Networks' embedded web server application.
The Installation Guide for your SecureStack C3 device provides setup instructions for connecting a terminal or modem to the switch.
Factory Default Settings
The following tables list factory default settings available on the SecureStack C3 switch.
Table 1-1 Default Settings for Basic Switch Operation
Feature                                         Default Setting
Switch Mode Defaults
CDP discovery protocol                          Auto enabled on all ports.
CDP authentication code                         Set to 00-00-00-00-00-00-00-00
CDP hold time                                   Set to 180 seconds.
CDP interval                                    Transmit frequency of CDP messages set to 60 seconds.
Cisco discovery protocol                        Auto enabled on all ports.
Cisco DP hold time                              Set to 180 seconds.
Cisco DP interval timer                         Set to 60 seconds.
Community name                                  Public.
Console (serial) port required settings         Baud rate: 9600
                                                Data bits: 8
                                                Flow control: disabled
                                                Stop bits: 1
                                                Parity: none
DHCP server                                     Disabled.
EAPOL                                           Disabled.
EAPOL authentication mode                       When enabled, set to auto for all ports.
GARP timer                                      Join timer set to 20 centiseconds; leave timer set to 60 centiseconds;
                                                leaveall timer set to 1000 centiseconds.
GVRP                                            Globally enabled.
History buffer size                             20 lines.
IEEE 802.1 authentication                       Disabled.
IGMP snooping                                   Disabled. When enabled, query interval is set to 260 seconds and
                                                response time is set to 10 seconds.
IP mask and gateway                             Subnet mask set to 0.0.0.0; default gateway set to 0.0.0.0.
IP routes                                       No static routes configured.
Jumbo frame support                             Enabled on all ports.
Link aggregation control protocol (LACP)        Enabled.
Link aggregation admin key                      Set to 32768 for all ports.
Link aggregation flow regeneration              Disabled.
Link aggregation system priority                Set to 32768 for all ports.
Link aggregation outport algorithm              Set to DIP-SIP.
Lockout                                         Set to disable Read-Write and Read-Only users, and to lockout the default
                                                admin (Super User) account for 15 minutes, after 3 failed login attempts.
Logging                                         Syslog port set to UDP port number 514. Logging severity level set to 6
                                                (significant conditions) for all applications.
MAC aging time                                  Set to 300 seconds.
MAC locking                                     Disabled (globally and on all ports).
Passwords                                       Set to an empty string for all default user accounts. User must press
                                                ENTER at the password prompt to access CLI.
Password aging                                  Disabled.
Password history                                No passwords are checked for duplication.
Policy classification                           Classification rules are automatically enabled when created.
Port auto-negotiation                           Enabled on all ports.
Port advertised ability                         Maximum ability advertised on all ports.
Port broadcast suppression                      Enabled and set to limit broadcast packets to 14,881 per second on all
                                                switch ports.
Port duplex mode                                Set to half duplex, except for 100BASE-FX and 1000BASE-X, which is set
                                                to full duplex.
Port enable/disable                             Enabled.
Port priority                                   Set to 0.
Port speed                                      Set to 10 Mbps, except for 1000BASE-X, which is set to 1000 Mbps, and
                                                100BASE-FX, which is set to 100 Mbps.
Port trap                                       All ports are enabled to send link traps.
Power over Ethernet port admin state            Administrative state is on (auto).
Priority classification                         Classification rules are automatically enabled when created.
RADIUS client                                   Disabled.
RADIUS last resort action                       When the client is enabled, set to Challenge.
RADIUS retries                                  When the client is enabled, set to 3.
RADIUS timeout                                  When the client is enabled, set to 20 seconds.
Rate limiting                                   Disabled (globally and on all ports).
SNMP                                            Enabled.
SNTP                                            Disabled.
Spanning Tree                                   Globally enabled and enabled on all ports.
Spanning Tree edge port administrative status   Edge port administrative status begins with the value set to false
                                                initially after the device is powered up. If a Spanning Tree BPDU is not
                                                received on the port within a few seconds, the status setting changes
                                                to true.
Spanning Tree edge port delay                   Enabled.
Spanning Tree forward delay                     Set to 15 seconds.
Spanning Tree hello interval                    Set to 2 seconds.
Spanning Tree ID (SID)                          Set to 0.
Spanning Tree maximum aging time                Set to 20 seconds.
Spanning Tree port priority                     All ports with bridge priority are set to 128 (medium priority).
Spanning Tree priority                          Bridge priority is set to 32768.
Spanning Tree topology change trap suppression  Enabled.
Spanning Tree version                           Set to mstp (Multiple Spanning Tree Protocol).
SSH                                             Disabled.
System baud rate                                Set to 9600 baud.
System contact                                  Set to empty string.
System location                                 Set to empty string.
System name                                     Set to empty string.
Terminal                                        CLI display set to 80 columns and 24 rows.
Timeout                                         Set to 5 minutes.
User names                                      Login accounts set to ro for Read-Only access; rw for Read-Write access;
                                                and admin for Super User access.
VLAN dynamic egress                             Disabled on all VLANs.
VLAN ID                                         All ports use a VLAN identifier of 1.
Host VLAN                                       Default host VLAN is 1.
Not all of the following routing features are available on all platforms. Check the Release Notes for your specific platforms for details.
Table 1-2 Default Settings for Router Operation
Feature                             Default Setting
Access groups (IP security)         None configured.
Access lists (IP security)          None configured.
Area authentication (OSPF)          Disabled.
Area default cost (OSPF)            Set to 1.
Area NSSA (OSPF)                    None configured.
Area range (OSPF)                   None configured.
ARP table                           No permanent entries configured.
ARP timeout                         Set to 14,400 seconds.
Authentication key (RIP and OSPF)   None configured.
Authentication mode (RIP and OSPF)  None configured.
Dead interval (OSPF)                Set to 40 seconds.
Disable triggered updates (RIP)     Triggered updates allowed.
Distribute list (RIP)               No filters applied.
DVMRP                               Disabled. Metric set to 1.
Hello interval (OSPF)               Set to 10 seconds for broadcast and point-to-point networks. Set to
                                    30 seconds for non-broadcast and point-to-multipoint networks.
ICMP                                Enabled for echo-reply and mask-reply modes.
IP-directed broadcasts              Disabled.
IP forward-protocol                 Enabled with no port specified.
IP interfaces                       Disabled with no IP addresses specified.
IRDP                                Disabled on all interfaces. When enabled, maximum advertisement interval
                                    is set to 600 seconds, minimum advertisement interval is set to
                                    450 seconds, holdtime is set to 1800 seconds, and address preference
                                    is set to 0.
MD5 authentication (OSPF)           Disabled with no password set.
MTU size                            Set to 1500 bytes on all interfaces.
OSPF                                Disabled.
OSPF cost                           Set to 10 for all interfaces.
OSPF network                        None configured.
OSPF priority                       Set to 1.
Passive interfaces (RIP)            None configured.
Proxy ARP                           Enabled on all interfaces.
Receive interfaces (RIP)            Enabled on all interfaces.
Retransmit delay (OSPF)             Set to 1 second.
Retransmit interval (OSPF)          Set to 5 seconds.
RIP receive version                 Set to accept both version 1 and version 2.
RIP send version                    Set to version 1.
RIP offset                          No value applied.
SNMP                                Enabled.
Split horizon                       Enabled for RIP packets without poison reverse.
Stub area (OSPF)                    None configured.
Telnet                              Enabled.
Telnet port (IP)                    Set to port number 23.
Timers (OSPF)                       SPF delay set to 5 seconds. SPF holdtime set to 10 seconds.
Transmit delay (OSPF)               Set to 1 second.
VRRP                                Disabled.
Using the Command Line Interface
Starting a CLI Session
Connecting Using the Console Port
Connect a terminal to the local console port as described in your SecureStack C3 Installation Guide. The startup screen, Figure 1-1, will display on the terminal. You can now start the Command Line Interface (CLI) by
• using a default user account, as described in "Using a Default User Account" on page 1-7, or
• using an administratively-assigned user account as described in "Using an Administratively Configured User Account" on page 1-7.
Figure 1-1 SecureStack C3 Startup Screen
User name: admin
Password:
Enterasys SecureStack C3
Command Line Interface
Enterasys Networks, Inc.
50 Minuteman Rd.
Andover, MA 01810-1008 U.S.A.
Phone: +1 978 684 1000
E-mail: support@enterasys.com
WWW: http://www.enterasys.com
(c) Copyright Enterasys Networks, Inc. 2008
Chassis Serial Number: 041800249041
Chassis Firmware Revision: 6.03.xx.xxxx
C3(su)->
Connecting Using Telnet
Once the SecureStack C3 device has a valid IP address, you can establish a Telnet session from any TCP/IP based node on the network. For information about setting the switch's IP address, refer to "set ip address" on page 3-11.
To establish a Telnet session:
1. Telnet to the switch's IP address.
2. Enter login (user name) and password information in one of the following ways:
   • If the switch's default login and password settings have not been changed, follow the steps listed in "Using a Default User Account" on page 1-7, or
   • Enter an administratively-configured user name and password.
The notice of authorization and the prompt display as shown in Figure 1-1.
For information about configuring Telnet settings, refer to "Starting and Configuring Telnet" on page 3-37.
Refer to the instructions included with the Telnet application for information about establishing a Telnet session.
Logging In
By default, the SecureStack C3 switch is configured with three user login accounts: ro for Read-Only access, rw for Read-Write access, and admin for super-user access to all modifiable parameters. The default password is set to a blank string. For information on changing these default settings, refer to "Setting User Accounts and Passwords" on page 3-2.
Using a Default User Account
If this is the first time you are logging in to the SecureStack C3 switch, or if the default user accounts have not been administratively changed, proceed as follows:
1. At the login prompt, enter one of the following default user names:
   • ro for Read-Only access.
   • rw for Read-Write access.
   • admin for Super User access.
2. Press ENTER. The Password prompt displays.
3. Leave this string blank and press ENTER. The switch information and prompt display as shown in Figure 1-1.
Using an Administratively Configured User Account
If the switch's default user account settings have been changed, proceed as follows:
1. At the login prompt, enter your administratively-assigned user name and press ENTER.
2. At the Password prompt, enter your password and press ENTER.
The notice of authorization and the prompt display as shown in Figure 1-1.
Note: Users with Read-Write (rw) and Read-Only access can use the set password command
(page 3-5) to change their own passwords. Administrators with Super User (su) access can use
the set system login command (page 3-4) to create and change user accounts, and the set
password command to change any local account password.
Navigating the Command Line Interface
Getting Help with CLI Syntax
The SecureStack C3 switch allows you to display usage and syntax information for individual commands by typing help or ? after the command.
CLI Command Defaults Descriptions
Each command description in this guide includes a section entitled "Defaults" which contains different information from the factory default settings on the switch described in Table 1-1. The section defines CLI behavior if the user enters a command without typing optional parameters (indicated by square brackets [ ]). For commands without optional parameters, the defaults section lists "None". For commands with optional parameters, this section describes how the CLI responds if the user opts to enter only the keywords of the command syntax. Figure 1-2 provides an example.
Figure 1-2 Sample CLI Defaults Description
Syntax
show port status [port-string]
Defaults
If port-string is not specified, status information for all ports will be displayed.
CLI Command Modes
Each command description in this guide includes a section entitled "Mode" which states whether the command is executable in Admin (Super User), Read-Write, or Read-Only mode. Users with Read-Only access will only be permitted to view Read-Only (show) commands. Users with Read-Write access will be able to modify all modifiable parameters in set and show commands, as well as view Read-Only commands. Administrators or Super Users will be allowed all Read-Write and Read-Only privileges, and will be able to modify local user accounts. The SecureStack C3 switch indicates which mode a user is logged in as by displaying one of the following prompts:
• Admin: C3(su)->
• Read-Write: C3(rw)->
• Read-Only: C3(ro)->
Performing Keyword Lookups
Entering a space and a question mark (?) after a keyword will display all commands beginning with the keyword. Figure 1-3 shows how to perform a keyword lookup for the show snmp command. In this case, four additional keywords are used by the show snmp command. Entering a space and a question mark (?) after any of these parameters (such as show snmp community) will display additional parameters nested within the syntax.
Figure 1-3 Performing a Keyword Lookup
C3(su)->show snmp ?
community      SNMP v1/v2c community name configuration
notify         SNMP notify configuration
targetaddr     SNMP target address configuration
targetparams   SNMP target parameters configuration
Entering a question mark (?) without a space after a partial keyword will display a list of commands that begin with the partial keyword. Figure 1-4 shows how to use this function for all commands beginning with co:
Figure 1-4 Performing a Partial Keyword Lookup
C3(rw)->co?
configure  copy
C3(su)->co
Note: At the end of the lookup display, the system will repeat the command you entered without the ?.
Displaying Scrolling Screens
If the CLI screen length has been set using the set length command as described on page 3-29, CLI output requiring more than one screen will display --More-- to indicate continuing screens. To display additional screen output:
• Press any key other than ENTER to advance the output one screen at a time.
• Press ENTER to advance the output one line at a time.
The example in Figure 1-5 shows how the show mac command indicates that output continues on more than one screen.
Figure 1-5 Scrolling Screen Output
C3(su)->show mac
MAC Address        FID   Port      Type
-----------------  ----  --------  ----------
00-00-1d-67-68-69  1     host      Management
00-00-02-00-00-00  1     ge.1.2    Learned
00-00-02-00-00-01  1     ge.1.3    Learned
00-00-02-00-00-02  1     ge.1.4    Learned
00-00-02-00-00-03  1     ge.1.5    Learned
00-00-02-00-00-04  1     ge.1.6    Learned
00-00-02-00-00-05  1     ge.1.7    Learned
00-00-02-00-00-06  1     ge.1.8    Learned
00-00-02-00-00-07  1     ge.1.9    Learned
00-00-02-00-00-08  1     ge.1.10   Learned
--More--
Abbreviating and Completing Commands
The SecureStack C3 switch allows you to abbreviate CLI commands and keywords down to the number of characters that will allow for a unique abbreviation. Figure 1-6 shows how to abbreviate the show netstat command to sh net.
Figure 1-6 Abbreviating a Command
C3(su)->sh net
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
----- ------ ------ ----------------------- ----------------------- -----------
TCP   0      0      10.21.73.13.23          134.141.190.94.51246    ESTABLISHED
TCP   0      275    10.21.73.13.23          134.141.192.119.4724    ESTABLISHED
TCP   0      0      *.80                    *.*                     LISTEN
TCP   0      0      *.23                    *.*                     LISTEN
UDP   0      0      10.21.73.13.1030        134.141.89.113.514
UDP   0      0      *.161                   *.*
UDP   0      0      *.1025                  *.*
UDP   0      0      *.123                   *.*
Basic Line Editing Commands
The CLI supports EMACs-like line editing commands. Table 1-3 lists some commonly used commands.
Table 1-3 Basic Line Editing Commands
Key Sequence      Command
Ctrl+A            Move cursor to beginning of line.
Ctrl+B            Move cursor back one character.
Ctrl+D            Delete a character.
Ctrl+E            Move cursor to end of line.
Ctrl+F            Move cursor forward one character.
Ctrl+H            Delete character to left of cursor.
Ctrl+I or TAB     Complete word.
Ctrl+K            Delete all characters after cursor.
Ctrl+N            Scroll to next command in command history (use the CLI history command to
                  display the history).
Ctrl+P            Scroll to previous command in command history.
Ctrl+Q            Resume the CLI process.
Ctrl+S            Pause the CLI process (for scrolling).
Ctrl+T            Transpose characters.
Ctrl+U or Ctrl+X  Delete all characters before cursor.
Ctrl+W            Delete word to the left of cursor.
Ctrl+Y            Restore the most recently deleted item.
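The show netstat output in Figure 1-6 also shows which management services the switch is answering on: with the factory defaults in Tables 1-1 and 1-2, Telnet and SNMP are enabled and SSH is disabled. The following Python code is an added example, not part of the Enterasys guide; it parses that output format and reports cleartext management listeners and live sessions. The sample text is constructed from Figure 1-6, and mapping ports 80 and 161 to WebView and SNMP is an assumption based on the well-known port numbers.

```python
"""Flag cleartext management services in SecureStack C3 'show netstat' output."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample text, modelled on the Figure 1-6 output in this guide.
SAMPLE_NETSTAT = """\
C3(su)->sh net
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
----- ------ ------ ----------------------- ----------------------- -----------
TCP   0      0      10.21.73.13.23          134.141.190.94.51246    ESTABLISHED
TCP   0      275    10.21.73.13.23          134.141.192.119.4724    ESTABLISHED
TCP   0      0      *.80                    *.*                     LISTEN
TCP   0      0      *.23                    *.*                     LISTEN
UDP   0      0      10.21.73.13.1030        134.141.89.113.514
UDP   0      0      *.161                   *.*
UDP   0      0      *.1025                  *.*
UDP   0      0      *.123                   *.*
"""

# Assumption: services are identified by well-known port number. Telnet on 23
# is stated in Table 1-2; 80 (WebView over HTTP) and 161 (SNMP) are inferred.
CLEARTEXT_MGMT = {
    ("TCP", 23): ("Telnet", "enabled by default; SSH is disabled by default"),
    ("TCP", 80): ("WebView (HTTP)", "embedded web server"),
    ("UDP", 161): ("SNMP", "default community name is Public"),
}

# Proto, two queue counters, local endpoint, foreign endpoint, optional state.
ROW = re.compile(r"^(TCP|UDP)\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")


class Socket(NamedTuple):
    proto: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: Optional[int]
    state: str


class Finding(NamedTuple):
    service: str
    kind: str    # "listener" or "session"
    detail: str
    peer: str    # "addr:port" for a session, "" for a listener


def split_endpoint(text: str) -> Tuple[str, Optional[int]]:
    """Split 'addr.port': the port is the LAST dot-separated field, '*' means any."""
    addr, _, port = text.rpartition(".")
    return addr, (int(port) if port.isdigit() else None)


def parse_netstat(output: str) -> List[Socket]:
    """Return one Socket per TCP/UDP row; prompt, banner and header lines are skipped."""
    sockets = []
    for line in output.splitlines():
        match = ROW.match(line.strip())
        if not match:
            continue
        proto, local, remote, state = match.groups()
        local_addr, local_port = split_endpoint(local)
        remote_addr, remote_port = split_endpoint(remote)
        if local_port is None:
            continue
        sockets.append(Socket(proto, local_addr, local_port,
                              remote_addr, remote_port, state or ""))
    return sockets


def audit(sockets: List[Socket]) -> List[Finding]:
    """Report cleartext management listeners and established sessions."""
    findings = []
    for sock in sockets:
        entry = CLEARTEXT_MGMT.get((sock.proto, sock.local_port))
        if entry is None:
            continue
        service, detail = entry
        if sock.state == "ESTABLISHED":
            peer = f"{sock.remote_addr}:{sock.remote_port}"
            findings.append(Finding(service, "session", detail, peer))
        else:
            findings.append(Finding(service, "listener", detail, ""))
    return findings


if __name__ == "__main__":
    for f in audit(parse_netstat(SAMPLE_NETSTAT)):
        where = f"from {f.peer}" if f.peer else "on the switch"
        print(f"{f.service:15} {f.kind:9} {where}  ({f.detail})")
```

Run against the sample, it reports the two established Telnet sessions with their remote peers and the Telnet, WebView and SNMP listeners; the syslog, SNTP and ephemeral UDP sockets are ignored.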
2
Configuring Switches in a Stack
This chapter provides information about configuring SecureStack C3 switches in a stack.
For information about...
• About SecureStack C3 Switch Operation in a Stack
• Installing a New Stackable System of Up to Eight Units
• Installing Previously-Configured Systems in a Stack
• Adding a New Unit to an Existing Stack
• Creating a Virtual Switch Configuration
• Considerations About Using Clear Config in a Stack
• Issues Related to Mixed Type Stacks
• Stacking Configuration and Management Commands
About SecureStack C3 Switch Operation in a Stack
The SecureStack C3 products are stackable switches that can be adapted and scaled to help meet your network needs. These switches provide a management platform and uplink to a network backbone for a stacked group of up to eight SecureStack C3 switches.
Once installed in a stack, the switches behave and perform as a single switch product. As such, you can start with a single unit and add more units as your network expands. You can also mix different products in the family in a single stack to provide a desired combination of port types and functions to match the requirements of individual applications. In all cases, a stack of units performs as one large product, and is managed as a single network entity.
Note: You can mix SecureStack C2 and C3 switches in a single stack, although only the lowest common denominator of functionality will be supported in a mixed stack. Refer to "Issues Related to Mixed Type Stacks" on page 2-5 for information about configuring a mixed stack.
When switches are installed and connected as described in the SecureStack C3 Installation Guides, the following occurs during initialization:
• The switch that will manage the stack is automatically established. This is known as the manager switch.
• All other switches are established as members in the stack.
• The hierarchy of the switches that will assume the function of backup manager is also determined in case the current manager malfunctions, is powered down, or is disconnected from the stack.
• The console port on the manager switch remains active for out-of-band (local) switch management, but the console port on each member switch is deactivated. This enables you to set the IP address and system password using a single console port. Now each switch can be configured locally using only the manager's console port, or in-band using a remote device and the CLI set of commands described in this section.
Once a stack is created (more than one switch is interconnected), the following procedure occurs:
1. By default, unit IDs are arbitrarily assigned on a first-come, first-served basis.
2. Unit IDs are saved against each module. Then, every time a board is power-cycled, it will initialize with the same unit ID. This is important for port-specific information (for example: ge.4.12 is the 12th Gigabit Ethernet port on Unit # 4).
3. The management election process uses the following precedence to assign a management switch:
   a. Previously assigned / elected management unit
   b. Management assigned priority (values 1-15)
   c. Hardware preference level
   d. Highest MAC Address
Use the following recommended procedures when installing a new stackable system or adding a new unit to an existing stack.
Important: The following procedures assume that all units have a clean configuration from manufacturing. When adding a new unit to an already running stack, it is also assumed that the new unit is using the same firmware image version as other units in the stack.
Installing a New Stackable System of Up to Eight Units
Use the following procedure for installing a new stack of up to eight units out of the box.
1. Before applying power, make all physical connections with the stack cables as described in the SecureStack C3 Installation Guides.
2. Once all of the stack cables have been connected, individually power on each unit from top to bottom.
   Notes: Ensure that each switch is fully operational before applying power to the next switch. Since unit IDs are assigned on a first-come, first-served basis, this will ensure that unit IDs are ordered sequentially.
   Once unit IDs are assigned, they are persistent and will be retained during a power cycle to any or all of the units.
3. (Optional) If desired, change the management unit using the set switch movemanagement command as described in "set switch movemanagement" on page 2-11.
4. Once the desired master unit has been selected, reset the system using the reset command (page 3-50).
5. After the stack has been configured, you can use the show switch unit command (page 2-6) to physically identify each unit. When you enter the command with a unit number, the MGR LED of the specified switch will blink for 10 seconds. The normal state of this LED is off for member units and steady green for the manager unit.
Installing Previously-Configured Systems in a Stack
If member units in a stack have been previous members of a different stack, you may need to configure the renumbering of the stack as follows:
1. Stack the units in the method desired, and connect the stack cables.
2. Power up only the unit you wish to be manager.
3. Once the management unit is powered up, log into the CLI, and use the show switch command as described in "show switch" on page 2-6 to display stacking information.
4. Clear any switches which are listed as "unassigned" using the clear switch member command as described in "clear switch member" on page 2-12.
5. Power up the member of the stack you wish to become unit 2. Once the second unit is fully powered, the COM session of the CLI will state that a new CPU was added.
6. Use the show switch command to redisplay stacking information.
   a. If the new member displays as unit 2, you can proceed to repeat this step with the next unit.
   b. If the new member displays a different unit number, you must:
      (1) Renumber the stack using the set switch renumber command as described in "set switch" on page 2-9, then
      (2) Clear the original unit number using the clear switch member command.
7. Repeat Step 6 until all members have been renumbered in the order you desire.
8. After the stack has been reconfigured, you can use the show switch unit command ("show switch" on page 2-6) to physically confirm the identity of each unit. When you enter the command with a unit number, the MGR LED of the specified switch will blink for 10 seconds. The normal state of this LED is off for member units and steady green for the manager unit.
Adding a New Unit to an Existing Stack
Use the following procedure for installing a new unit to an existing stack configuration. This procedure assumes that the new unit being added has a clean configuration from manufacturing and is running the same firmware image version as other units in the stack.
1. Ensure that power is off on the new unit being installed.
2. Use one of the following methods to complete stack cable connections:
   • If the running stack uses a daisy chain topology, make the stack cable connections from the bottom of the stack to the new unit (that is, STACK DOWN port from the bottom unit of the running stack to the STACK UP port on the new unit).
   • If the running stack uses a ring stack topology, break the ring and make the stack cable connections to the new unit to close the ring.
3. Apply power to the new unit.
Creating a Virtual Switch Configuration
You can create a configuration for a SecureStack C3 switch before adding the actual physical device to a stack. This preconfiguration feature includes configuring protocols on the ports of the "virtual switch."
To create a virtual switch configuration in a stack environment:
1. Display the types of switches supported in the stack, using the show switch switchtype command (page 2-7).
2. Using the output of the show switch switchtype command, determine the switch index (SID) of the model of switch being configured.
3. Add the virtual switch to the stack using the set switch member command (page 2-11). Use the SID of the switch model, determined in the previous step, and the unit ID that you want to assign to this switch member.
4. Proceed to configure the ports of the virtual switch as you would do for physically present devices.
The following example adds a C3G124-24 model to a stack as unit 2 of the stack. The first port on that virtual switch is then associated with VLAN 555.
C3(su)->show switch switchtype
                          Mgmt   Code
SID   Switch Model ID     Pref   Version
---   ---------------     ----   --------
1     C2G124-24           1      0xa08245
2     C2K122-24           1      0xa08245
3     C2G124-48           1      0xa08245
4     C2G124-48P          1      0xa08245
5     C2H124-48           1      0xa08245
6     C2H124-48P          1      0xa08245
7     C2G134-24P          1      0xa08245
8     C2G170-24           1      0xa08245
9     C3G124-24P          1      0xa08245
10    C3G124-48P          1      0xa08245
11    C3G124-48           1      0xa08245
12    C3G124-24           1      0xa08245
13    C3K172-24           1      0xa08245
15    C3K122-24           1      0xa08245
17    C3K122-24P          1      0xa08245
C3(su)->set switch member 2 12
C3(su)->show switch
        Management    Preconfig    Plugged-in   Switch        Code
Switch  Status        Model ID     Model ID     Status        Version
------  ------------  -----------  -----------  ------------  ------------
1       Mgmt Switch   C3G124-48    C3G124-48    OK            6.03.xx.xxxx
2       Unassigned    C3G124-24                 Not Present   00.00.00
C3(su)->set vlan create 555
C3(su)->clear vlan egress 1 ge.2.1
C3(su)->set port vlan ge.2.1 555 untagged
C3(su)->show port vlan ge.2.1
ge.2.1 is set to 555
Note: If you preconfigure a virtual switch and then add a physical switch of a different type to the stack as that unit number, any configured functionality that cannot be supported on the physical switch will cause a configuration mismatch status for that device and the ports of the new device will join detached. You must clear the mismatch before the new device will properly join the stack.
Considerations About Using Clear Config in a Stack
When using the clear config command (page 3-51) to clear configuration parameters in a stack, it is important to remember the following:
• Use clear config to clear config parameters without clearing stack unit IDs. This command WILL NOT clear stack parameters or the IP address and avoids the process of renumbering the stack.
• Use clear config all when it is necessary to clear all config parameters, including stack unit IDs and switch priority values. This command will not clear the IP address nor will it remove an applied advanced feature license.
• Use clear ip address to remove the IP address of the stack.
• Use clear license to remove an applied license from a switch.
Configuration parameters and stacking information can also be cleared on the master unit only by selecting the "restore configuration to factory defaults" option from the boot menu on switch startup. This selection will leave stacking priorities on all other units.
Issues Related to Mixed Type Stacks
Feature Support
Because the SecureStack C2 and C3 switches have different hardware architectures, the
functionality supported by the two switch types is different. When the two types of switches are
mixed in a stack, the functionality supported will be the lowest common denominator of features
supported on all platforms. Refer to the firmware Release Notes for information about supported
features.
Configuration
Common Firmware Version
Mixed stacking is supported by SecureStack C2 firmware version 5.02.xx.xxxx only. You can install
the C2 firmware first, with the C3 switch in standalone mode, or you can add the C3 switch to the
stack and then copy the C2 firmware to the C3 switch using the set switch copy-fw command
(page 2-10). After copying the C2 firmware to the C3 switch, you must reset the stack.
Switch Manager
It is recommended that a SecureStack C3 switch be made the manager of a mixed stack. Use the set
switch movemanagement command (page 2-11) to change the manager unit.
Stacking Configuration and Management Commands
Purpose
To review, individually configure and manage switches in a SecureStack C3 stack.
Commands
For information about...      Refer to page...
show switch                   2-6
show switch switchtype        2-7
show switch stack-ports       2-8
set switch                    2-9
set switch copy-fw            2-10
set switch description        2-10
set switch movemanagement     2-11
set switch member             2-11
clear switch member           2-12
show switch
Use this command to display information about one or more units in the stack.
Syntax
show switch [status] [unit]
Parameters
status    (Optional) Displays power and administrative status information for one
          or more units in the stack.
unit      (Optional) Specifies the unit(s) for which information will display.
Defaults
If not specified, status and other configuration information about all units will be displayed.
Mode
Switch command, read-only.
Usage
After a stack has been configured, you can use this command to physically confirm the identity of
each unit. When you enter the command with a unit number, the MGR LED of the specified
switch will blink for 10 seconds. The normal state of this LED is off for member units and steady
green for the manager unit.
Examples
This example shows how to display information about all switch units in the stack:
C3(rw)->show switch
        Management    Preconfig   Plugged-in  Switch  Code
Switch  Status        Model ID    Model ID    Status  Version
------  ------------  ----------  ----------  ------  -------------
1       Mgmt Switch   C3G124-24   C3G124-24   OK      06.03.xx.xxxx
2       Stack Member  C3G124-24   C3G124-24   OK      06.03.xx.xxxx
3       Stack Member  C3G124-24   C3G124-24   OK      06.03.xx.xxxx
4       Stack Member  C3G124-24   C3G124-24   OK      06.03.xx.xxxx
5       Stack Member  C3G124-24   C3G124-24   OK      06.03.xx.xxxx
6       Stack Member  C3G124-24   C3G124-24   OK      06.03.xx.xxxx
7       Stack Member  C3G124-24   C3G124-24   OK      06.03.xx.xxxx
8       Stack Member  C3G124-24   C3G124-24   OK      06.03.xx.xxxx
This example shows how to display information about switch unit 1 in the stack:
C3(ro)->show switch 1
Switch                            1
Management Status                 Management Switch
Hardware Management Preference    Unassigned
Admin Management Preference       Unassigned
Switch Type                       C3G124-24
Preconfigured Model Identifier    C3G124-24
Plugged-in Model Identifier       C3G124-24
Switch Status                     OK
Switch Description                Enterasys Networks, Inc. C3 -- Model
                                  C3G124-24
Detected Code Version             06.03.xx.xxxx
Detected Code in Flash            03.01.20
Detected Code in Back Image       02.01.37
Up Time                           0 days 6 hrs 37 mins 54 secs
This example shows how to display status information for switch unit 1 in the stack:
C3(ro)->show switch status 1
Switch                            1
Switch Status                     Full
Admin State
Power State
Inserted Switch:
  Model Identifier                C3G124-24
  Description                     Enterasys Networks, Inc. C3 -- Model
                                  C3G124-24
Configured Switch:
  Model Identifier                C3G124-24
  Description                     Enterasys Networks, Inc. C3 -- Model
                                  C3G124-24
show switch switchtype
Use this command to display information about supported switch types in the stack.
Syntax
show switch switchtype [switchindex]
Parameters
switchindex    (Optional) Specifies the switch index (SID) of the switch type to display.
Defaults
None.
Mode
Switch command, read-only.
Examples
This example shows how to display switch type information about all switches in the stack:
C3(ro)->show switch switchtype
                         Mgmt  Code
SID  Switch Model ID     Pref  Version
---  ------------------  ----  ---------
1    C2G124-24           1     0xa08245
2    C2K122-24           1     0xa08245
3    C2G124-48           1     0xa08245
4    C2G124-48P          1     0xa08245
5    C2H124-48           1     0xa08245
6    C2H124-48P          1     0xa08245
7    C2G134-24P          1     0xa08245
8    C2G170-24           1     0xa08245
9    C3G124-24P          1     0xa08245
10   C3G124-48P          1     0xa08245
11   C3G124-48           1     0xa08245
12   C3G124-24           1     0xa08245
13   C3K172-24           1     0xa08245
15   C3K122-24           1     0xa08245
17   C3K122-24P          1     0xa08245
This example shows how to display switch type information about SID 1:
C3(ro)->show switch switchtype 1
Switch Type                       0x56950200
Model Identifier                  C2G124-24
Switch Description                Enterasys Networks, Inc. C2 --
                                  Model C2G124-24
Management Preference             1
Expected Code Version             0xa08245
Supported Cards:
  Slot                            0
  Card Index (CID)                1
  Model Identifier                C2G124-24
show switch stack-ports
Use this command to display various data flow and error counters on stack ports.
Syntax
show switch stack-ports [unit]
Parameters
unit    (Optional) Specifies the switch unit ID, an integer ranging from 1 to 8.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display data and error information on stack ports:
C3(ro)->show switch stack-ports
                  ------------TX------------   ------------RX------------
                  Data    Error                Data    Error
        Stacking  Rate    Rate        Total    Rate    Rate        Total
Switch  Port      (Mb/s)  (Errors/s)  Errors   (Mb/s)  (Errors/s)  Errors
------  --------  ------  ----------  ------   ------  ----------  ------
1       Up        0       0           0        0       0           0
        Down      0       0           0        0       0           0
set switch
Use this command to assign a switch ID, to set a switch's priority for becoming the management
switch if the previous management switch fails, or to change the switch unit ID for a switch in the
stack.
Syntax
set switch {unit [priority value | renumber newunit]}
Parameters
unit                Specifies a unit number for the switch. Value can range from 1 to 8.
priority value      Specifies a priority value for the unit. Valid values are 1 to 15 with higher
                    values assigning higher priority.
renumber newunit    Specifies a new number for the unit.
                    Note: This number must be a previously unassigned unit ID number.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example shows how to assign priority 3 to switch 5:
C3(su)->set switch 5 priority 3
This example shows how to renumber switch 5 to switch 7:
C3(su)->set switch 5 renumber 7
set switch copy-fw
Use this command to replicate the code image file from the management switch to other
switch(es) in the stack.
Syntax
set switch copy-fw [destination-system unit]
Parameters
destination-system unit    (Optional) Specifies the unit number of unit on which to copy the
                           management image file.
Defaults
If destination-system is not specified, the management image file will be replicated to all switches
in the stack.
Mode
Switch command, read-write.
Example
This example shows how to replicate the management image file to all switches in the stack:
C3(su)->set switch copy-fw
Are you sure you want to copy firmware? (y/n) y
Code transfer completed successfully.
set switch description
Use this command to assign a name to a switch in the stack.
Syntax
set switch description unit description
Parameters
unit           Specifies a unit number for the switch.
description    Specifies a text description for the unit.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to assign the name "FirstUnit" to switch unit 1 in the stack:
C3(su)->set switch description 1 FirstUnit
set switch movemanagement
Use this command to move management switch functionality from one switch to another.
Syntax
set switch movemanagement fromunit tounit
Parameters
fromunit    Specifies the unit number of the current management switch.
tounit      Specifies the unit number of the newly designated management switch.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to move management functionality from switch 1 to switch 2:
C3(su)->set switch movemanagement 1 2
Moving stack management will unconfigure entire stack including all interfaces.
Are you sure you want to move stack management? (y/n) y
set switch member
Use this command to add a virtual member to a stack. This allows you to preconfigure a switch
before the physical device is actually added to the stack.
Syntax
set switch member unit switch-id
Parameters
unit         Specifies a unit number for the switch.
switch-id    Specifies a switch ID (SID) for the switch. SIDs can be displayed with the
             show switch switchtype command.
Defaults
None.
Mode
Switch command, read-write.
Usage
Refer to "Creating a Virtual Switch Configuration" on page 2-3 for more information about how to
add a virtual switch to a stack.
Example
This example shows how to specify a switch as unit 1 with a switch ID of 1:
C3(su)->set switch member 1 1
clear switch member
Use this command to remove a member entry from the stack.
Syntax
clear switch member unit
Parameters
unit    Specifies the unit number of the switch.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to remove the switch 5 entry from the stack:
C3(su)->clear switch member 5
3
Basic Configuration
At startup, the SecureStack C3 switch is configured with many defaults and standard features.
This chapter describes how to customize basic system settings to adapt to your work environment.
For information about...                          Refer to page...
Quick Start Setup Commands                        3-1
Setting User Accounts and Passwords               3-2
Setting Basic Switch Properties                   3-9
Downloading a Firmware Image                      3-32
Reviewing and Selecting a Boot Firmware Image     3-35
Starting and Configuring Telnet                   3-37
Managing Switch Configuration and Files           3-39
Clearing and Closing the CLI                      3-49
Resetting the Switch                              3-50
Using and Configuring WebView                     3-52
Gathering Technical Support Information           3-55
Configuring Hostprotect                           3-56
Quick Start Setup Commands
The tables in this section provide a quick reference for the CLI commands needed to begin basic
C3 switch operation. Table 3-1 lists tasks and their associated CLI commands required for setting
up the switch with the latest firmware. Table 3-2 lists optional CLI commands that will help you
perform additional basic configuration on the switch. Refer to the pages listed for more
information about each command.
Table 3-1 Required CLI Setup Commands
Step  Task                                 CLI commands                               Refer to page...
1     Set a new password.                  set password [username]                    3-5
2     Set the switch IP address.           set ip address ip-address [mask ip-mask]   3-11
                                           [gateway ip-gateway]
3     Download, activate, and verify new   copy tftp://tftp_server_ip_address/        3-45
      firmware on the switch using TFTP    filename system:image
      copy.                                set boot system filename                   3-36
                                           show version                               3-26
Table 3-2 Optional CLI Setup Commands
Task                                 CLI commands                                       Refer to page...
Save the active configuration.       save config                                        3-41
Enable or disable SSH.               set ssh enable | disable                           26-77
Enable or disable Telnet.            set telnet {enable | disable} [inbound |           3-37
                                     outbound | all]
Enable or disable HTTP               set webview {enable | disable}                     3-53
management (WebView).
Enable or disable SNMP port link     set port trap port-string {enable | disable}       7-25
traps.
Set the per port broadcast limit     set port broadcast port-string threshold-value     7-34
Configure a VLAN.                    set vlan create vlan-id                            10-5
                                     set port vlan port-string vlan-id modify-egress    10-9
Set a Syslog server IP and           set logging server index ip-addr ip-addr           10-9
severity                             severity severity state enable
Configure and enable a RADIUS        set radius server index ip-addr                    26-7
server.                              port [secret-value] {realm {management-access |
                                     any | network-access}
                                     set radius enable                                  26-7
Setting User Accounts and Passwords
Purpose
To change the switch's default user login and password settings, and to add new user accounts
and passwords.
Commands
For information about...       Refer to page...
show system login              3-3
set system login               3-4
clear system login             3-4
set password                   3-5
set system password length     3-6
set system password aging      3-6
set system password history    3-7
show system lockout            3-7
set system lockout             3-8
show system login
Use this command to display user login account information.
Syntax
show system login
Parameters
None.
Defaults
None.
Mode
Switch command, super user.
Example
This example shows how to display login account information. In this case, switch defaults have
not been changed:
C3(su)->show system login
Password history size: 0
Password aging       : disabled

Username     Access       State

admin        super-user   enabled
ro           read-only    enabled
rw           read-write   enabled
Table 3-1 provides an explanation of the command output.
Table 3-1 show system login Output Details
Output Field             What It Displays...
Password history size    Number of previously used user login passwords that will be checked for
                         duplication when the set password command is executed. Configured with set
                         system password history (page 3-7).
Password aging           Number of days user passwords will remain valid before aging out. Configured
                         with set system password aging (page 3-6).
Username                 Login user names.
Access                   Access assigned to this user account: super-user, read-write or read-only.
State                    Whether this user account is enabled or disabled.
set system login
Use this command to create a new user login account, or to disable or enable an existing account.
The SecureStack C3 switch supports up to 16 user accounts, including the admin account, which
cannot be deleted.
Syntax
set system login username {super-user | read-write | read-only} {enable | disable}
Parameters
username            Specifies a login name for a new or existing user. This string can be a
                    maximum of 80 characters, although a maximum of 16 characters is
                    recommended for proper viewing in the show system login display.
super-user |        Specifies the access privileges for this user.
read-write |
read-only
enable | disable    Enables or disables the user account.
Defaults
None.
Mode
Switch command, super user.
Usage
Login accounts, including the admin user account, can be locked out after multiple failed attempts
to log in to the system. Refer to "show system lockout" on page 3-7 and "set system lockout" on
page 3-8 for more information about lockout parameters.
If the admin user account has been locked out, you must wait until the configured lockout time
period has expired or you can power cycle the switch to reboot it, which will re-enable the admin
user account.
Example
This example shows how to enable a new user account with the login name "netops" with super
user access privileges:
C3(su)->set system login netops super-user enable
clear system login
Use this command to remove a local login user account.
Syntax
clear system login username
Parameters
username    Specifies the login name of the account to be cleared.
            Note: The default admin (su) account cannot be deleted.
Defaults
None.
Mode
Switch command, super user.
Example
This example shows how to remove the "netops" user account:
C3(su)->clear system login netops
set password
Use this command to change system default passwords or to set a new login password on the CLI.
Syntax
set password [username]
Parameters
username    (Only available to users with super-user access.) Specifies a system default
            or a user-configured login account name. By default, the SecureStack C3
            switch provides the following account names:
            ro for Read-Only access.
            rw for Read-Write access.
            admin for Super User access. (This access level allows Read-Write access
            to all modifiable parameters, including user accounts.)
Defaults
None.
Mode
Switch command, read-write.
Switch command, super-user.
Usage
Read-Write users can change their own passwords.
Super Users (Admin) can change any password on the system.
If you forget the password for the admin user account, you can reset the password to the default
password value by pressing the password reset button on the switch.
Examples
This example shows how a super-user would change the Read-Write password from the system
default (blank string):
C3(su)->set password rw
Please enter new password: ********
Please re-enter new password: ********
Password changed.
C3(su)->
This example shows how a user with Read-Write access would change his password:
C3(su)->set password
Please enter old password: ********
Please enter new password: ********
Please re-enter new password: ********
Password changed.
C3(su)->
set system password length
Use this command to set the minimum user login password length.
Syntax
set system password length characters
Parameters
characters    Specifies the minimum number of characters for a user account password.
              Valid values are 0 to 40.
Defaults
None.
Mode
Switch command, super user.
Example
This example shows how to set the minimum system password length to 8 characters:
C3(su)->set system password length 8
set system password aging
Use this command to set the number of days user passwords will remain valid before aging out, or
to disable user account password aging.
Syntax
set system password aging {days | disable}
Parameters
days       Specifies the number of days user passwords will remain valid before
           aging out. Valid values are 1 to 365.
disable    Disables password aging.
Defaults
None.
Mode
Switch command, super user.
Example
This example shows how to set the system password age time to 45 days:
C3(su)->set system password aging 45
set system password history
Use this command to set the number of previously used user login passwords that will be checked
for password duplication. This prevents duplicate passwords from being entered into the system
with the set password command.
Syntax
set system password history size
Parameters
size    Specifies the number of passwords checked for duplication. Valid values
        are 0 to 10.
Defaults
None.
Mode
Switch command, super user.
Example
This example shows how to configure the system to check the last 10 passwords for duplication:
C3(su)->set system password history 10
show system lockout
Use this command to display settings for locking out users after failed attempts to log in to the
system.
Syntax
show system lockout
Parameters
None.
Defaults
None.
Mode
Switch command, super user.
Example
This example shows how to display user lockout settings. In this case, switch defaults have not
been changed:
C3(su)->show system lockout
Lockout attempts: 3
Lockout time: 15 minutes.
Table 3-3 provides an explanation of the command output. These settings are configured with the
set system lockout command ("set system lockout" on page 3-8).
Table 3-3 show system lockout Output Details
Output Field        What It Displays...
Lockout attempts    Number of failed login attempts allowed before a read-write or read-only user's
                    account will be disabled.
Lockout time        Number of minutes the default admin user account will be locked out after the
                    maximum login attempts.
set system lockout
Use this command to set the number of failed login attempts before locking out (disabling) a
read-write or read-only user account, and the number of minutes to lock out the default admin
super user account after maximum login attempts.
Syntax
set system lockout {[attempts attempts] [time time]}
Parameters
attempts attempts    Specifies the number of failed login attempts allowed before a read-write
                     or read-only user's account will be disabled. Valid values are 1 to 10.
time time            Specifies the number of minutes the default admin user account will be
                     locked out after the maximum login attempts. Valid values are 0 to 60.
Defaults
None.
Mode
Switch command, super user.
Usage
Once a user account is locked out, it can only be re-enabled by a super user with the set system
login command (page 3-4).
If the default admin super user account has been locked out, you can wait until the lockout time
has expired or you can reset the switch in order to re-enable the admin account.
Example
This example shows how to set login attempts to 5 and lockout time to 30 minutes:
C3(su)->set system lockout attempts 5 time 30
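The following Python script is an added example, not part of the Enterasys guide. It parses captured show system login and show system lockout output and reports account-policy settings that are still at the factory defaults shown above. The function names and the two thresholds (max_attempts, min_lockout_minutes) are assumptions of this example, not values from the guide.

```python
import re

# Constructed sample input: the factory-default output shown in the guide's
# "show system login" and "show system lockout" examples.
SAMPLE_LOGIN = """\
Password history size: 0
Password aging       : disabled

Username     Access       State

admin        super-user   enabled
ro           read-only    enabled
rw           read-write   enabled
"""

SAMPLE_LOCKOUT = """\
Lockout attempts: 3
Lockout time: 15 minutes.
"""

ACCESS_LEVELS = ("super-user", "read-write", "read-only")
# Shared accounts the guide lists as provided by default (besides admin).
SHARED_DEFAULT_ACCOUNTS = ("ro", "rw")


def parse_login(text):
    """Parse 'show system login' output into (settings, accounts)."""
    settings, accounts = {}, []
    for line in text.splitlines():
        match = re.match(r"\s*Password (history size|aging)\s*:\s*(\S+)", line)
        if match:
            settings[match.group(1)] = match.group(2)
            continue
        fields = line.split()
        # Account rows have exactly three columns: name, access level, state.
        if len(fields) == 3 and fields[1] in ACCESS_LEVELS:
            accounts.append({"user": fields[0], "access": fields[1],
                             "enabled": fields[2] == "enabled"})
    return settings, accounts


def parse_lockout(text):
    """Parse 'show system lockout' output into (attempts, minutes)."""
    attempts = re.search(r"Lockout attempts:\s*(\d+)", text)
    minutes = re.search(r"Lockout time:\s*(\d+)", text)
    if not attempts or not minutes:
        raise ValueError("input is not 'show system lockout' output")
    return int(attempts.group(1)), int(minutes.group(1))


def audit(login_text, lockout_text, max_attempts=5, min_lockout_minutes=15):
    """Return a list of findings. The two thresholds are assumptions of this
    example (a local policy), not values recommended by the guide."""
    settings, accounts = parse_login(login_text)
    if "history size" not in settings or "aging" not in settings:
        raise ValueError("input is not 'show system login' output")
    findings = []
    if settings["history size"] == "0":
        findings.append("password history size is 0: reuse is never checked "
                        "(set system password history)")
    if settings["aging"] == "disabled":
        findings.append("password aging is disabled (set system password aging)")
    for account in accounts:
        if account["enabled"] and account["user"] in SHARED_DEFAULT_ACCOUNTS:
            findings.append(f"default account '{account['user']}' is enabled: "
                            "confirm its default password was replaced (set password)")
    attempts, minutes = parse_lockout(lockout_text)
    if attempts > max_attempts:
        findings.append(f"lockout attempts is {attempts}, above the policy "
                        f"maximum of {max_attempts} (set system lockout)")
    if minutes < min_lockout_minutes:
        findings.append(f"admin lockout time is {minutes} minutes, below the policy "
                        f"minimum of {min_lockout_minutes} (set system lockout)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGIN, SAMPLE_LOCKOUT):
        print("FINDING:", finding)
```

Run against the factory-default output, the script reports the unset password history, the disabled aging and the two enabled shared accounts; the default lockout values pass the example thresholds.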
Setting Basic Switch Properties
Purpose
To display and set the system IP address and other basic system (switch) properties.
Commands
For information about...           Refer to page...
show ip address                    3-10
set ip address                     3-11
clear ip address                   3-11
show ip protocol                   3-12
set ip protocol                    3-12
show system                        3-13
show system hardware               3-14
show system utilization            3-15
set system utilization             3-16
clear system utilization           3-17
show system enhancedbuffermode     3-17
set system enhancedbuffermode      3-18
set system temperature             3-18
clear system temperature           3-19
show time                          3-20
set time                           3-20
show summertime                    3-21
set summertime                     3-22
set summertime date                3-22
set summertime recurring           3-23
clear summertime                   3-24
set prompt                         3-24
show banner motd                   3-25
set banner motd                    3-25
clear banner motd                  3-26
show version                       3-26
set system name                    3-27
set system location                3-28
set system contact                 3-28
set width                          3-29
set length                         3-29
show logout                        3-30
set logout                         3-30
show console                       3-31
set console baud                   3-31
show ip address
Use this command to display the system IP address and subnet mask.
Syntax
show ip address
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the system IP address and subnet mask:
C3(su)->show ip address
Name              Address           Mask
----------------  ----------------  ----------------
host              10.42.13.20       255.255.0.0
set ip address
Use this command to set the system IP address, subnet mask and default gateway.
Note: The C3 does not support the ability for a user to configure the host's gateway to be a local
routed interface IP. The host's gateway must exist on a different device in the network if one is
configured.
Syntax
set ip address ip-address [mask ip-mask] [gateway ip-gateway]
Parameters
ip-address            Sets the IP address for the system. For SecureStack C3 systems, this is the
                      IP address of the management switch as described in "About SecureStack
                      C3 Switch Operation in a Stack" on page 2-1.
mask ip-mask          (Optional) Sets the system's subnet mask.
gateway ip-gateway    (Optional) Sets the system's default gateway (next-hop device).
Defaults
If not specified, ip-mask will be set to the natural mask of the ip-address and ip-gateway will be set to
the ip-address.
Mode
Switch command, read-write.
Usage
Parameters must be entered in the order shown (host IP, then mask, then gateway) for the
command to be accepted.
Example
This example shows how to set the system IP address to 10.1.10.1 with a mask of 255.255.128.0:
C3(su)->set ip address 10.1.10.1 mask 255.255.128.0
clear ip address
Use this command to clear the system IP address.
Syntax
clear ip address
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the system IP address:
C3(rw)->clear ip address
show ip protocol
Use this command to display the method used to acquire a network IP address for switch
management.
Syntax
show ip protocol
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the method used to acquire a network IP address:
C3(su)->show ip protocol
System IP address acquisition method: dhcp
set ip protocol
Use this command to specify the protocol used to acquire a network IP address for switch
management.
Syntax
set ip protocol {bootp | dhcp | none}
Parameters
bootp    Selects BOOTP as the protocol to use to acquire the system IP address.
dhcp     Selects DHCP as the protocol to use to acquire the system IP address.
none     No protocol will be used to acquire the system IP address.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the method used to acquire a network IP address to DHCP.
C3(su)->set ip protocol dhcp
show system
Use this command to display system information, including contact information, power and fan
tray status and uptime.
Syntax
show system
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display system information:
C3(su)->show system
System contact:
System location:
System name:
Switch 1
--------
PS1-Status    PS2-Status
----------    ----------
Ok            Not Installed and/or Not Operating
Fan1-Status   Fan2-Status
-----------   -----------
Ok            Ok
Temp-Alarm
-----------
off
Thermal Threshold: 58%
Temp alarm max threshold: 100%
Temp alarm trap: disabled
Temp alarm syslog: disabled
Uptime d,h:m:s   Logout
--------------   -------
0,20:36:49       0 min
The following table provides an explanation of the command output.
Table 3-4 show system Output Details
Output               What It Displays...
System contact       Contact person for the system. Default of a blank string can be changed with the
                     set system contact command ("set system contact" on page 3-28).
System location      Where the system is located. Default of a blank string can be changed with the
                     set system location command ("set system location" on page 3-28).
System name          Name identifying the system. Default of a blank string can be changed with the
                     set system name command ("set system name" on page 3-27).
Switch x             Indicates the switch position in the stack. When multiple switches are in a stack,
                     information for each switch is displayed.
PS1-Status           Operational status for the primary power supply.
PS2-Status           Operational status for the secondary power supply, if installed.
Fanx-Status          Operational status of the fan(s).
Temp-Alarm           Indicates status of temperature alarm: on, off. The status will show NA (not
                     available) on switches that do not support this functionality.
Thermal Threshold    Percentage of thermal threshold reached. The status will show NA (not available)
                     on switches that do not support this functionality.
Temp alarm max       The temperature alarm threshold expressed as a percentage of the maximum
threshold            rated. The default value is 100%.
Temp alarm trap      Indicates whether the sending of temperature alarm traps is enabled or disabled.
                     The default is disabled.
Temp alarm syslog    Indicates whether temperature alarm syslog messages are enabled or disabled.
                     The default is disabled.
Uptime d,h:m:s       System uptime.
Logout               Time an idle console or Telnet CLI session will remain connected before timing
                     out. Default of 5 minutes can be changed with the set logout command ("set
                     logout" on page 3-30).
show system hardware
Use this command to display the system's hardware configuration.
Syntax
show system hardware
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the system's hardware configuration. Please note that the
information you see displayed may differ from this example.
C3(su)->show system hardware
SLOT 1 HARDWARE INFORMATION
---------------------------
Model:
Serial Number:       777777777777
Vendor ID:           0xbc00
Base MAC Address:    00:11:88:B1:76:C0
Hardware Version:    BCM56514 REV 1
FirmWare Version:    01.00.00.0052
Boot Code Version:   01.00.42
show system utilization
Use this command to display detailed information about the processor running on the switch, or
the overall memory usage of the Flash and SDRAM storage devices on the unit, or the processes
running on the switch. Only the memory usage in the master unit of a stack is shown.
Syntax
show system utilization {cpu | storage | process}
Parameters
cpu        Display information about the processor running on the switch.
storage    Display information about the overall memory usage on the switch.
process    Display information about the processes running on the switch.
Defaults
None.
Mode
Switch command, read-only.
Examples
This example shows how to display the system's CPU utilization:
C3(ro)->show system utilization cpu
CPU Utilization Threshold Traps enable: Threshold = 80.0%
Total CPU Utilization:
Switch  CPU  5 sec  1 min  5 min
------  ---  -----  -----  -----
1       1    50%    49%    49%
This example shows how to display the system's overall memory usage:
C3(ro)->show system utilization storage
Storage Utilization:
Type   Description            Size(Kb)  Available (Kb)
-----  ---------------------  --------  --------------
RAM    RAM device             262144    97173
Flash  Images, Config, Other  31095     8094
This example shows how to display information about the processes running on the system. Only
partial output is shown.
C3(ro)->show system utilization process
Switch: 1 CPU: 1
TID      Name                    5Sec    1Min    5Min
-------  ----------------------  ------  ------  ------
c157930  ipMapForwardingTask     3.60%   3.02%   3.48%
cc70000  RMONTask                0.00%   0.00%   0.00%
ccb0b60  SNMPTask                34.80%  34.06%  31.78%
d4847a0  tEmWeb                  0.00%   0.03%   0.01%
d4ca360  hapiRxTask              3.20%   4.80%   5.00%
dec8600  lvl7TaskUtilMonitorTas  0.40%   0.40%   0.40%
eb74120  bcmRX                   2.00%   2.91%   4.48%
eb7fbc8  bcmLINK.0               0.40%   0.22%   0.32%
f00c9a0  bcmTX                   0.00%   0.33%   0.53%
f027648  bcmCNTR.0               0.00%   0.00%   0.03%
f034858  bcmL2X.0                0.00%   0.02%   0.04%
set system utilization
Use this command to set the threshold for sending CPU utilization notification messages.
Syntax
set system utilization threshold threshold
Parameters
threshold threshold    Specifies a threshold value in 1/10 of a percent. Valid range is 1 to 1000.
                       A value of 0 disables utilization notification messages.
Defaults
The default threshold value is 80%.
Mode
Switch command, read-write.
Usage
This command sets the percentage of system CPU utilization that will cause a trap notification to
be sent. After the threshold has been exceeded, additional notifications will be sent once a minute
until the utilization has dropped back below the threshold.
Example
This example sets the CPU utilization threshold to 75%.
C3(rw)->set system utilization threshold 750
clear system utilization
Use this command to reset the CPU utilization threshold to the default of 80%.
Syntax
clear system utilization
Parameters
None.
Defaults
The default threshold value is 80%.
Mode
Switch command, read-write.
Example
This example resets the CPU utilization threshold to the default.
C3(rw)->show system utilization cpu
CPU Utilization Threshold Traps enable: Threshold = 75.0%
Total CPU Utilization:
Switch  CPU  5 sec  1 min  5 min
------  ---  -----  -----  -----
1       1    10%    10%    10%
C3(rw)->clear system utilization
C3(rw)->show system utilization cpu
CPU Utilization Threshold Traps enable: Threshold = 80.0%
Total CPU Utilization:
Switch  CPU  5 sec  1 min  5 min
------  ---  -----  -----  -----
1       1    14%    11%    10%
show system enhancedbuffermode
Use this command to display the status of enhanced buffer mode, which optimizes buffer
distribution into a single CoS queue operation for standalone switches or non-stacked switches.
Syntax
show system enhancedbuffermode
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to display enhanced buffer mode status:
C3(su)->show system enhancedbuffermode enable
Optimized system buffer distribution Disable
set system enhancedbuffermode
Use this command to enable or disable enhanced buffer mode, which optimizes buffer
distribution into a single CoS queue operation for standalone switches or non-stacked switches.
Executing this command will reset the switch, so the system prompts you to confirm whether you
want to proceed.
Syntax
set system enhancedbuffermode {enable | disable}
Parameters
enable | disable    Enables or disables enhanced buffer mode.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable enhanced buffer mode:
C3(su)->set system enhancedbuffermode enable
Changes in the enhanced buffer mode will require resetting this unit.
Are you sure you want to continue? (y/n)
set system temperature
Use this command to set the system high temperature threshold limit and the high temperature
alert parameters, on the platforms that support this feature.
Syntax
set system temperature {[syslog enable | disable] [trap enable | disable]
[overtemp-threshold value]}
Parameters
syslog enable | disable     Enables or disables logging high temperature alerts to the system log
                            when the system transitions into an alarm state.
trap enable | disable       Enables or disables sending high temperature alerts by means of SNMP
                            traps when the system transitions into an alarm state.
overtemp-threshold value    Sets the thermal threshold as a percentage of the maximum rated for the
                            specific platform. Value can range from 0 to 100%.
Defaults
Syslog alerts are disabled by default.
Trap alerts are disabled by default.
Overtemp threshold is 100% by default.
Mode
Switch command, read-write.
Usage
On the platforms that support this feature, temperature sensors are located in several different
locations within the device. Threshold calibrations have been calculated separately for each
platform. The thermal overtemp threshold is the high-water mark that, when reached, triggers an
alert to warn the system administrator that the device is operating at high temperatures.
When a high temperature alert condition occurs, the CPU LED on the front panel of the switch
will flash red. In addition, if enabled, a syslog message will be logged and/or an SNMP trap will
be sent.
The values set with this command can be viewed with the show system command.
Example
The following example enables sending SNMP traps and sets the overtemp threshold to 60%.
C3(su)->set system temperature trap enable overtemp-threshold 60
clear system temperature
Use this command to reset system high temperature parameters to their default values, on the
platforms that support this feature.
Syntax
clear system temperature
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command resets all the high temperature parameters to their default values:
• Syslog alerts are disabled by default.
• Trap alerts are disabled by default.
• Overtemp threshold is 100% by default.
Example
This example resets all high temperature parameters to their defaults.
C3(su)->clear system temperature
show time
Use this command to display the current time of day in the system clock.
Syntax
show time
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the current time. The output shows the day of the week,
month, day, and the time of day in hours, minutes, and seconds and the year:
C3(su)->show time
THU SEP 05 09:21:57 2002
set time
Use this command to change the time of day on the system clock.
Syntax
set time [mm/dd/yyyy] [hh:mm:ss]
Parameters
[mm/dd/yyyy] [hh:mm:ss]    Sets the time in:
                           • month, day, year and/or
                           • 24-hour format
                           At least one set of time parameters must be entered.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the system clock to 7:50 a.m:
C3(su)->set time 7:50:00
show summertime
Use this command to display daylight savings time settings.
Syntax
show summertime
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display daylight savings time settings:
C3(su)->show summertime
Summertime is disabled and set to ''
Start : SUN APR 04 02:00:00 2004
End : SUN OCT 31 02:00:00 2004
Offset: 60 minutes (1 hours 0 minutes)
Recurring: yes, starting at 2:00 of the first Sunday of April and ending at 2:00
of the last Sunday of October
set summertime
Use this command to enable or disable the daylight savings time function.
Syntax
set summertime {enable | disable} [zone]
Parameters
enable | disable    Enables or disables the daylight savings time function.
zone                (Optional) Applies a name to the daylight savings time settings.
Defaults
If a zone name is not specified, none will be applied.
Mode
Switch command, read-only.
Example
This example shows how to enable daylight savings time function:
C3(su)->set summertime enable
set summertime date
Use this command to configure specific dates to start and stop daylight savings time. These
settings will be non-recurring and will have to be reset annually.
Syntax
set summertime date start_month start_date start_year start_hr_min end_month
end_date end_year end_hr_min [offset_minutes]
Parameters
start_month       Specifies the month of the year to start daylight savings time.
start_date        Specifies the day of the month to start daylight savings time.
start_year        Specifies the year to start daylight savings time.
start_hr_min      Specifies the time of day to start daylight savings time. Format is hh:mm.
end_month         Specifies the month of the year to end daylight savings time.
end_date          Specifies the day of the month to end daylight savings time.
end_year          Specifies the year to end daylight savings time.
end_hr_min        Specifies the time of day to end daylight savings time. Format is hh:mm.
offset_minutes    (Optional) Specifies the amount of time in minutes to offset daylight
                  savings time from the non-daylight savings time system setting. Valid
                  values are 1-1440.
Defaults
If an offset is not specified, none will be applied.
Mode
Switch command, read-write.
Example
This example shows how to set a daylight savings time start date of April 4, 2004 at 2 a.m. and an
ending date of October 31, 2004 at 2 a.m. with an offset time of one hour:
C3(su)->set summertime date April 4 2004 02:00 October 31 2004 02:00 60
set summertime recurring
Use this command to configure recurring daylight savings time settings. These settings will start
and stop daylight savings time at the specified day of the month and hour each year and will not
have to be reset annually.
Syntax
set summertime recurring start_week start_day start_month start_hr_min end_week
end_day end_month end_hr_min [offset_minutes]
Parameters
start_week        Specifies the week of the month to restart daylight savings time. Valid
                  values are: first, second, third, fourth, and last.
start_day         Specifies the day of the week to restart daylight savings time.
start_hr_min      Specifies the time of day to restart daylight savings time. Format is
                  hh:mm.
end_week          Specifies the week of the month to end daylight savings time.
end_day           Specifies the day of the week to end daylight savings time.
end_hr_min        Specifies the time of day to end daylight savings time. Format is hh:mm.
offset_minutes    (Optional) Specifies the amount of time in minutes to offset daylight
                  savings time from the non-daylight savings time system setting. Valid
                  values are 1-1440.
Defaults
If an offset is not specified, none will be applied.
Mode
Switch command, read-write.
Example
This example shows how to set daylight savings time to recur starting on the first Sunday of April at
2 a.m. and ending the last Sunday of October at 2 a.m. with an offset time of one hour:
C3(su)->set summertime recurring first Sunday April 02:00 last Sunday October 02:00 60
clear summertime
Use this command to clear the daylight savings time configuration.
Syntax
clear summertime
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the daylight savings time configuration:
C3(su)->clear summertime
set prompt
Use this command to modify the command prompt.
Syntax
set prompt prompt_string
Parameters
prompt_string    Specifies a text string for the command prompt.
                 Note: A prompt string containing a space in the text must be enclosed
                 in quotes as shown in the example below.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the command prompt to Switch 1:
C3(su)->set prompt "Switch 1"
Switch 1(su)->
show banner motd
Use this command to show the banner message of the day that will display at session login.
Syntax
show banner motd
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the banner message of the day:
C3(rw)->show banner motd
This system belongs to XYZ Corporation.
Use of this system is strictly limited to authorized personnel.
set banner motd
Use this command to set the banner message of the day displayed at session login.
Syntax
set banner motd message
Parameters
message    Specifies a message of the day. This is a text string that needs to be in
           double quotes if any spaces are used. Use a \n for a new line and \t for a
           tab (eight spaces).
Note: Banner message text must be enclosed in beginning and ending double quotation marks.
The message itself cannot contain any additional double quotation marks.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the message of the day banner to read: "This system belongs to
XYZ Corporation. Use of this system is strictly limited to authorized personnel."
C3(rw)->set banner motd "\tThis system belongs to XYZ Corporation.\nUse of this system is strictly limited to authorized personnel."
clear banner motd
Use this command to clear the banner message of the day displayed at session login to a blank
string.
Syntax
clear banner motd
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the message of the day banner to a blank string:
C3(rw)->clear banner motd
show version
Use this command to display hardware and firmware information. Refer to "Downloading a
Firmware Image" on page 3-32 for instructions on how to download a firmware image.
Syntax
show version
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display version information. Please note that you may see different
information displayed, depending on the type of hardware.
C3(su)->show version
Copyright (c) 2007 by Enterasys Networks, Inc.
Model         Serial #        Versions
--------------------------------------------------
C3G124-48P    001188021035    Hw: BCM5665 REV 17
                              Bp: 01.00.29
                              Fw: 6.03.xx.xxxx
                              BuFw: 03.01.13
                              PoE: 500_3
Table 3-5 provides an explanation of the command output.
Table 3-5 show version Output Details
Output Field    What It Displays...
Model           Switch's model number.
Serial #        Serial number of the switch.
Versions        • Hw: Hardware version number.
                • Bp: BootPROM version.
                • Fw: Current firmware version number.
                • BuFw: Backup firmware version number.
                • PoE: Power over Ethernet driver version. (Displays only for PoE switches.)
set system name
Use this command to configure a name for the system.
Syntax
set system name [string]
Parameters
string    (Optional) Specifies a text string that identifies the system.
          Note: A name string containing a space in the text must be enclosed in
          quotes as shown in the example below.
Defaults
If string is not specified, the system name will be cleared.
Mode
Switch command, read-write.
Example
This example shows how to set the system name to Information Systems:
C3(su)->set system name "Information Systems"
set system location
Use this command to identify the location of the system.
Syntax
set system location [string]
Parameters
string    (Optional) Specifies a text string that indicates where the system is
          located.
          Note: A location string containing a space in the text must be
          enclosed in quotes as shown in the example below.
Defaults
If string is not specified, the location name will be cleared.
Mode
Switch command, read-write.
Example
This example shows how to set the system location string:
C3(su)->set system location "Bldg N32-04 Closet 9"
set system contact
Use this command to identify a contact person for the system.
Syntax
set system contact [string]
Parameters
string    (Optional) Specifies a text string that contains the name of the person to
          contact for system administration.
          Note: A contact string containing a space in the text must be enclosed
          in quotes as shown in the example below.
Defaults
If string is not specified, the contact name will be cleared.
Mode
Switch command, read-write.
Example
This example shows how to set the system contact string:
C3(su)->set system contact "Joe Smith"
set width
Use this command to set the number of columns for the terminal connected to the switch's console
port.
Syntax
set width screenwidth [default]
Parameters
screenwidth    Sets the number of terminal columns. Valid values are 50 to 150.
default        (Optional) Makes this setting persistent for all future sessions (written to
               NVRAM).
Defaults
None.
Mode
Switch command, read-write.
Usage
The number of rows of CLI output displayed is set using the set length command as described in
"set length" on page 3-29.
Example
This example shows how to set the terminal columns to 50:
C3(su)->set width 50
set length
Use this command to set the number of lines the CLI will display. This command is persistent
(written to NVRAM).
Syntax
set length screenlength
Parameters
screenlength    Sets the number of lines in the CLI display. Valid values are 0, which
                disables the scrolling screen feature described in "Displaying Scrolling
                Screens" on page 1-9, and from 5 to 512.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the terminal length to 50:
C3(su)->set length 50
show logout
Use this command to display the time (in seconds) an idle console or Telnet CLI session will
remain connected before timing out.
Syntax
show logout
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the CLI logout setting:
C3(su)->show logout
Logout currently set to: 10 minutes.
set logout
Use this command to set the time (in minutes) an idle console or Telnet CLI session will remain
connected before timing out.
Syntax
set logout timeout
Parameters
timeout    Sets the number of minutes the system will remain idle before timing out.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the system timeout to 10 minutes:
C3(su)->set logout 10
show console
Use this command to display console settings.
Syntax
show console [baud] [bits] [flowcontrol] [parity] [stopbits]
Parameters
baud           (Optional) Displays the input/output baud rate.
bits           (Optional) Displays the number of bits per character.
flowcontrol    (Optional) Displays the type of flow control.
parity         (Optional) Displays the type of parity.
stopbits       (Optional) Displays the number of stop bits.
Defaults
If no parameters are specified, all settings will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display all console settings:
C3(su)->show console
Baud    Flow       Bits    StopBits    Parity
---------------------------------------------
9600    Disable    8       1           none
set console baud
Use this command to set the console port baud rate.
Syntax
set console baud rate
Parameters
rate    Sets the console baud rate. Valid values are: 300, 600, 1200, 2400, 4800, 5760,
        9600, 14400, 19200, 38400, and 115200.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the console port baud rate to 19200:
C3(su)->set console baud 19200
Downloading a Firmware Image
You can upgrade the operational firmware in the SecureStack C3 switch without physically
opening the switch or being in the same location. There are two ways to download firmware to the
switch:
• Via TFTP download. This procedure uses a TFTP server connected to the network and
  downloads the firmware using the TFTP protocol. For details on how to perform a TFTP
  download using the copy command, refer to "copy" on page 3-45. For information on setting
  TFTP timeout and retry parameters, refer to "set tftp timeout" on page 3-47 and "set tftp
  retry" on page 3-48.
• Via the serial (console) port. This procedure is an out-of-band operation that copies the
  firmware through the serial port to the switch. It should be used in cases when you cannot
  connect the switch to perform the in-band copy download procedure via TFTP. Serial console
  download has been successfully tested with the following applications:
  - HyperTerminal Copyright 1999
  - TeraTerm Pro Version 2.3
Any other terminal applications may work but are not explicitly supported.
The C3 switch allows you to download and store dual images. The backup image can be
downloaded and selected as the startup image by using the commands described in this section.
Downloading from a TFTP Server
To perform a TFTP download, proceed as follows:
1. If you have not already done so, set the switch's IP address using the set ip address command
   as detailed in "set ip address" on page 3-11.
2. Download a new image file using the copy command as detailed in "copy" on page 3-45.
Downloading via the Serial Port
To download switch firmware via the serial (console) port, proceed as follows:
1. With the console port connected, power up the switch. The following message displays:
Version 01.00.29 05-09-2005
Computing MD5 Checksum of operational code...
Select an option. If no selection in 2 seconds then
operational code will start.
1 - Start operational code.
2 - Start Boot Menu.
Select (1, 2):2
Password: *************
2. Before the boot up completes, type 2 to select "Start Boot Menu". Use "administrator" for
   the Password.
Note: The Boot Menu password "administrator" can be changed using boot menu option 11.
Boot Menu Version 01.00.29 05-09-2005
Options available
1 - Start operational code
2 - Change baud rate
3 - Retrieve event log using XMODEM (64KB).
4 - Load new operational code using XMODEM
5 - Display operational code vital product data
6 - Run Flash Diagnostics
7 - Update Boot Code
8 - Delete operational code
9 - Reset the system
10 - Restore Configuration to factory defaults (delete config files)
11 - Set new Boot Code password
[Boot Menu] 2
3. Type 2. The following baud rate selection screen displays:
1 - 1200
2 - 2400
3 - 4800
4 - 9600
5 - 19200
6 - 38400
7 - 57600
8 - 115200
0 - no change
4. Type 8 to set the switch baud rate to 115200. The following message displays:
Setting baud rate to 115200, you must change your terminal baud rate.
5. Set the terminal baud rate to 115200 and press ENTER.
6. From the boot menu options screen, type 4 to load new operational code using XMODEM.
   When the XMODEM transfer is complete, the following message and header information will
   display:
[Boot Menu] 4
Ready to receive the file with XMODEM/CRC....
Ready to RECEIVE File xcode.bin in binary mode
Send several Control-X characters to cCKCKCKCKCKCKCK
XMODEM transfer complete, checking CRC....
Verified operational code CRC.
The following Enterasys Header is in the image:
MD5 Checksum....................fe967970996c4c8c43a10cd1cd7be99a
Boot File Identifier............0x0517
Header Version..................0x0100
Image Type......................0x82
Image Offset....................0x004d
Image length....................0x006053b3
Ident Strings Length............0x0028
Ident Strings...................
C2G124-24
C2G124-48
C2H124-48
C2K124_24
Image Version Length............0x7
Image Version Bytes.............0x30 0x2e 0x35 0x2e 0x30 0x2e 0x34 (0.5.0.4)
7. From the boot menu options screen, type 2 to display the baud rate selection screen again.
8. Type 4 to set the switch baud rate to 9600. The following message displays:
Setting baud rate to 9600, you must change your terminal baud rate.
9. Set the terminal baud rate to 9600 and press ENTER.
10. From the boot menu options screen, type 1 to start the new operational code. The following
    message displays:
Operational Code Date: Tue Jun 29 08:34:05 2004
Uncompressing.....
Reverting to a Previous Image
In the event that you need to downgrade to a previous version of code, you can do so by
completing the following steps as described in this chapter.
Caution: Before reverting to a previous image, always back up your configuration by saving it to a
file (show config outfile on page 3-43). You can then copy the file to a remote location (copy on
page 3-45).
Note: You will not be able to perform these steps remotely unless you have remote console support.
1. Save your running configuration with the save config command.
2. Make a copy of the current configuration with the show config outfile configs/filename
   command. Use the dir command to confirm that the file was created.
3. If desired, copy the file to a remote TFTP server with the copy command:
   copy tftp://configs/filename server_ipaddr/pathandfilename
4. Load your previous version of code on the device, as described in "Downloading a Firmware
   Image" (page 3-32).
5. Set this older version of code to be the boot code with the set boot system command (page
   3-36). When the system asks if you want to reset the device, specify no (n).
6. Reload the saved configuration onto the device with the configure command, described on
   page 3-44.
7. Reboot the system using the reset command (page 3-50).
Caution: If you do not follow the steps above, you may lose remote connectivity to the switch.
Reviewing and Selecting a Boot Firmware Image
Purpose
To display and set the image file the switch loads at startup. The C3 switch allows you to
download and store a backup image, which can be selected as the startup image by using the
commands described in this section.
Commands
For information about...    Refer to page...
show boot system            3-35
set boot system             3-36
show boot system
Use this command to display the firmware image the switch loads at startup.
Syntax
show boot system
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the switch's boot firmware image:
C3(su)->show boot system
Current system image to boot: bootfile
set boot system
Use this command to set the firmware image the switch loads at startup.
Syntax
set boot system filename
Parameters
filename    Specifies the name of the firmware image file.
Note: If you are changing the firmware image to a version earlier than the current version, refer to
Reverting to a Previous Image on page 3-34 for the correct steps to follow.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command allows you to set the firmware image to be loaded at startup. You can choose to
reset the system to use the new firmware image immediately, or you can choose to only specify the
new image to be loaded the next time the switch is rebooted.
You can use the dir command to display the "Active" image and the "Boot" image, which will be
the image loaded at the next system reboot.
Example
This example shows how to set the boot firmware image file to be used at the next reboot of the
system, by answering "n" to the prompt. The dir command is then executed to display the Active
and Boot images.
C3(su)->set boot system c3_06.03.03.0007
This command can optionally reset the system to boot the new image.
Do you want to reset now (y/n) [n]?n
C3(su)->dir
Images:
==================================================================
Filename:      c3_06.03.00.0026 (Active)
Version:       06.03.00.0026
Size:          9405440 (bytes)
Date:          Fri Jul 18 12:48:35 2008
CheckSum:      f1626ccf10d8f48cd6c3e79ab602342a
Compatibility: <platform specific>
Filename:      c3_06.03.03.0007 (Boot)
Version:       06.03.03.0007
Size:          8290304 (bytes)
Date:          Fri May 9 11:35:27 2008
CheckSum:      9f820d79239f10890442f8ff1f2bc914
Compatibility: <platform specific>
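The dir output in the set boot system example lists, for each stored image, its role (Active or Boot), version and CheckSum, which is enough to check what the switch will load at the next reboot against a recorded inventory. The Python below is an added example, not part of the Enterasys guide: the BASELINE values, the function names and the handling of an image tagged both Active and Boot are assumptions, and the CheckSum is compared as an opaque 32-hex-digit string.

```python
import re
from typing import Dict, List

# "dir" output from the set boot system example on this page, spacing restored.
DIR_OUTPUT = """\
Images:
==================================================================
Filename:      c3_06.03.00.0026 (Active)
Version:       06.03.00.0026
Size:          9405440 (bytes)
Date:          Fri Jul 18 12:48:35 2008
CheckSum:      f1626ccf10d8f48cd6c3e79ab602342a
Compatibility: <platform specific>

Filename:      c3_06.03.03.0007 (Boot)
Version:       06.03.03.0007
Size:          8290304 (bytes)
Date:          Fri May  9 11:35:27 2008
CheckSum:      9f820d79239f10890442f8ff1f2bc914
Compatibility: <platform specific>
"""

# Constructed baseline (hypothetical inventory): CheckSum values recorded
# when each approved image was first obtained from a trusted source.
BASELINE = {"c3_06.03.00.0026": "f1626ccf10d8f48cd6c3e79ab602342a"}

_FIELD = re.compile(r"^\s*(Filename|Version|Size|Date|CheckSum|Compatibility):\s*(.*)$")


def parse_images(text: str) -> List[dict]:
    """Parse the Images section of dir output into one dict per image."""
    images: List[dict] = []
    in_images = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Images:":
            in_images = True
            continue
        if stripped.startswith("Files:"):
            break  # configuration and log files follow; they are not images
        m = _FIELD.match(line) if in_images else None
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Filename":
            # Role tags follow the file name; one image may carry both (assumption).
            images.append({"filename": value.split()[0],
                           "roles": set(re.findall(r"\((Active|Boot)\)", value))})
        elif images:
            if key == "Size":
                images[-1]["size"] = int(value.split()[0])
            elif key == "CheckSum":
                images[-1]["checksum"] = value.lower()
            else:
                images[-1][key.lower()] = value
    return images


def version_key(version: str) -> tuple:
    """Turn '06.03.03.0007' into (6, 3, 3, 7) so versions can be ordered."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def audit_images(text: str, baseline: Dict[str, str]) -> List[str]:
    """Return findings for unknown or altered images and pending boot changes."""
    findings: List[str] = []
    images = parse_images(text)
    for img in images:
        name, got = img["filename"], img.get("checksum", "")
        expected = baseline.get(name)
        if not re.fullmatch(r"[0-9a-f]{32}", got):
            findings.append(f"{name}: missing or malformed CheckSum")
        elif expected is None:
            findings.append(f"{name}: image is not in the approved baseline")
        elif expected.lower() != got:
            findings.append(f"{name}: CheckSum {got} does not match baseline")
    active = next((i for i in images if "Active" in i["roles"]), None)
    boot = next((i for i in images if "Boot" in i["roles"]), None)
    if active and boot and active["filename"] != boot["filename"]:
        findings.append(f"next reboot loads {boot['filename']} "
                        f"instead of running image {active['filename']}")
        if version_key(boot.get("version", "")) < version_key(active.get("version", "")):
            findings.append("boot image is older than the active image: "
                            "follow Reverting to a Previous Image")
    return findings


if __name__ == "__main__":
    for finding in audit_images(DIR_OUTPUT, BASELINE):
        print(finding)
```

A matching CheckSum only shows that the stored image is the one recorded in the baseline; it is a comparison of checksums, not a signature verification.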
Starting and Configuring Telnet
Purpose
To enable or disable Telnet, and to start a Telnet session to a remote host. The SecureStack C3
switch allows a total of four inbound and/or outbound Telnet sessions to run simultaneously.
Commands
For information about...    Refer to page...
show telnet                 3-37
set telnet                  3-37
telnet                      3-38
show telnet
Use this command to display the status of Telnet on the switch.
Syntax
show telnet
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display Telnet status:
C3(su)->show telnet
Telnet inbound is currently: ENABLED
Telnet outbound is currently: ENABLED
set telnet
Use this command to enable or disable Telnet on the switch.
Syntax
set telnet {enable | disable} [inbound | outbound | all]
Parameters
enable | disable            Enables or disables Telnet services.
inbound | outbound | all    (Optional) Specifies inbound service (the ability to Telnet to this switch),
                            outbound service (the ability to Telnet to other devices), or all (both
                            inbound and outbound).
Defaults
If not specified, both inbound and outbound Telnet service will be enabled.
Mode
Switch command, read-write.
Example
This example shows how to disable inbound and outbound Telnet services:
C3(su)->set telnet disable all
Disconnect all telnet sessions and disable now (y/n)? [n]: y
All telnet sessions have been terminated, telnet is now disabled.
telnet
Use this command to start a Telnet connection to a remote host. The SecureStack C3 switch allows
a total of four inbound and/or outbound Telnet sessions to run simultaneously.
Syntax
telnet host [port]
Parameters
host    Specifies the name or IP address of the remote host.
port    (Optional) Specifies the server port number.
Defaults
If not specified, the default port number 23 will be used.
Mode
Switch command, read-write.
Example
This example shows how to start a Telnet session to a host at 10.21.42.13:
C3(su)->telnet 10.21.42.13
Managing Switch Configuration and Files
Configuration Persistence Mode
The default state of configuration persistence mode is auto, which means that when CLI
configuration commands are entered, or when a configuration file stored on the switch is
executed, the configuration is saved to NVRAM automatically at the following intervals:
• On a standalone unit, the configuration is checked every two minutes and saved if there has
  been a change.
• On a stack, the configuration is saved across the stack every 30 minutes if there has been a
  change.
If you want to save a running configuration to NVRAM more often than the automatic intervals,
execute the save config command and wait for the system prompt to return. After the prompt
returns, the configuration will be persistent.
You can change the persistence mode from auto to manual with the set snmp persistmode
command. If the persistence mode is set to manual, configuration commands will not be
automatically written to NVRAM. Although the configuration commands will actively modify the
running configuration, they will not persist across a reset unless the save config command has
been executed.
Note: When your device is configured for manual SNMP persistence mode, and you attempt to
change the boot system image, the device will not prompt you to save changes or warn you that
changes will be lost.
Purpose
To set and view the persistence mode for CLI configuration commands, manually save the
running configuration, view, manage, and execute configuration files and image files, and set and
view TFTP parameters.
Commands
For information about...    Refer to page...
show snmp persistmode       3-40
set snmp persistmode        3-40
save config                 3-41
dir                         3-41
show file                   3-42
show config                 3-43
configure                   3-44
copy                        3-45
delete                      3-46
show tftp settings          3-46
set tftp timeout            3-47
clear tftp timeout          3-47
set tftp retry              3-48
clear tftp retry            3-48
show snmp persistmode
Use this command to display the configuration persistence mode setting.
Syntax
show snmp persistmode
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
By default, the mode is set to auto save, which automatically saves configuration changes at
specific intervals. If the mode is set to manual, configuration commands are never automatically
saved. In order to make configuration changes persistent when the mode is manual, the save
config command must be issued as described in "Configuration Persistence Mode" on page 3-39.
Example
This example shows how to display the configuration persistence mode setting. In this case,
persistence mode is set to manual, which means configuration changes are not being
automatically saved.
C3(su)->show snmp persistmode
persistmode is manual
set snmp persistmode
Use this command to set the configuration persistence mode, which determines whether
user-defined configuration changes are saved automatically, or require issuing the save config
command. See "Configuration Persistence Mode" on page 3-39 for more information.
Syntax
set snmp persistmode {auto | manual}
Parameters
auto      Sets the configuration persistence mode to automatic. This is the default
          state.
manual    Sets the configuration persistence mode to manual. In order to make
          configuration changes persistent, the save config command must be
          issued as described in "save config" on page 3-41. This mode is useful for
          reverting back to old configurations.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the configuration persistence mode to manual:
C3(su)->set snmp persistmode manual
save config
Use this command to save the running configuration. If applicable, this command will save the
configuration to all switch members in a stack.
Syntax
save config
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to save the running configuration:
C3(su)->save config
dir
Use this command to list configuration and image files stored in the file system.
Syntax
dir [filename]
Parameters
filename    (Optional) Specifies the file name or directory to list.
Defaults
If filename is not specified, all files in the system will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to list all the configuration and image files in the system. The display
indicates which image file is the Active file and which image file is the Boot file that will be used
the next time the system reboots.
C3(su)->dir
Images:
==================================================================
Filename:      c3-series_06.03.00.0029 (Active)
Version:       06.03.00.0029
Size:          9411584 (bytes)
Date:          Fri Aug 1 06:55:23 2008
CheckSum:      6126a7aadfdf05150afb6eca51982302
Compatibility: <platform specific>
Filename:      c3-series_06.03.00.0030 (Boot)
Version:       06.03.00.0030
Size:          9411584 (bytes)
Date:          Fri Aug 8 08:44:04 2008
CheckSum:      627938b785fa7fdb8eed74672af1edcc
Compatibility: <platform specific>
Files:                           Size
================================ ========
configs:
base_may                         22629
base_apr                         22629
base_july                        20581
base_june                        20581
logs:
current.log                      2065
show file
Use this command to display the contents of a file.
Syntax
show file filename
Parameters
filename    Specifies the name of the file to display.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display a text file named "myconfig" in the configs/ directory. Note
that only a portion of the file is shown in this example.
C3(rw)->show file configs/myconfig
...
17 : #snmp
18 :
19 : set snmp access ro security-model v1 exact read All notify All nonvolatile
20 :
21 : set snmp access ro security-model v2c exact read All notify All nonvolatile
22 :
23 : set snmp access public security-model v1 exact read All write All notify All
nonvolatile
24 :
25 : set snmp access public security-model v2c exact read All write All notify All
nonvolatile
26 :
27 : set snmp access public security-model usm exact read All write All notify All
nonvolatile
28 :
29 : set snmp community :xxxxxxxxxxx:
30 :
31 : set snmp group ro user ro security-model v1
32 :
33 : set snmp group public user public security-model v1
34 :
35 : set snmp group ro user ro security-model v2c
36 :
37 : set snmp group public user public security-model v2c
38 :
39 : set snmp group public user public security-model usm
40 :
41 : set snmp user public authentication md5 :xxxxxxxxx: encryption des privacy
:xxxxxxxxxx:
42 :
43 : set snmp view viewname All subtree 1
44 :
45 : !
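The #snmp section shown in the show file example grants write access through the v1 and v2c security models, whose community strings are carried in cleartext. The Python below is an added example, not part of the Enterasys guide, that reviews a saved configuration file for those entries; the severity labels and function names are assumptions, and only keywords that appear in the excerpt above are interpreted.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Excerpt of the "show file configs/myconfig" output above, including the
# wrapped lines that the switch prints without a line-number prefix.
SAMPLE = """\
17 : #snmp
18 :
19 : set snmp access ro security-model v1 exact read All notify All nonvolatile
20 :
21 : set snmp access ro security-model v2c exact read All notify All nonvolatile
22 :
23 : set snmp access public security-model v1 exact read All write All notify All
nonvolatile
24 :
25 : set snmp access public security-model v2c exact read All write All notify All
nonvolatile
26 :
27 : set snmp access public security-model usm exact read All write All notify All
nonvolatile
28 :
29 : set snmp community :xxxxxxxxxxx:
41 : set snmp user public authentication md5 :xxxxxxxxx: encryption des privacy
:xxxxxxxxxx:
43 : set snmp view viewname All subtree 1
45 : !
"""


class Finding(NamedTuple):
    line: int       # line number as printed by show file
    severity: str   # "high", "medium" or "low" (labels chosen for this example)
    message: str


_PREFIX = re.compile(r"^\s*(\d+)\s*:\s?(.*)$")


def logical_lines(text: str) -> List[Tuple[int, str]]:
    """Strip the 'NN :' prefixes and re-join wrapped continuation lines."""
    merged: List[list] = []
    for raw in text.splitlines():
        m = _PREFIX.match(raw)
        if m:
            merged.append([int(m.group(1)), m.group(2).strip()])
        elif merged and raw.strip() and raw.strip() != "...":
            merged[-1][1] = f"{merged[-1][1]} {raw.strip()}".strip()
    # Drop blank lines, facility markers (#snmp) and separators (!).
    return [(n, c) for n, c in merged if c and not c.startswith(("#", "!"))]


def _kw(tokens: List[str], key: str) -> Optional[str]:
    """Return the token that follows key, or None when key is absent."""
    if key in tokens:
        i = tokens.index(key)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def audit_snmp(text: str) -> List[Finding]:
    """Flag community-based (v1/v2c) access entries and legacy USM algorithms."""
    findings: List[Finding] = []
    for no, cmd in logical_lines(text):
        t = cmd.split()
        if t[:3] == ["set", "snmp", "access"] and len(t) > 4:
            group, rest = t[3], t[4:]
            model, write = _kw(rest, "security-model"), _kw(rest, "write")
            if model in ("v1", "v2c") and write:
                findings.append(Finding(no, "high",
                    f"group {group!r}: SNMP{model} write access to view {write!r}; "
                    "the community string crosses the network in cleartext"))
            elif model in ("v1", "v2c"):
                findings.append(Finding(no, "medium",
                    f"group {group!r}: SNMP{model} read access protected only "
                    "by a cleartext community string"))
        elif t[:3] == ["set", "snmp", "user"] and len(t) > 3:
            rest = t[4:]
            pairs = (("authentication", _kw(rest, "authentication")),
                     ("encryption", _kw(rest, "encryption")))
            weak = [f"{k} {v}" for k, v in pairs if v in ("md5", "des")]
            if weak:
                findings.append(Finding(no, "low",
                    f"user {t[3]!r}: legacy USM algorithms ({', '.join(weak)})"))
    return findings


if __name__ == "__main__":
    for f in audit_snmp(SAMPLE):
        print(f"line {f.line:>3} [{f.severity}] {f.message}")
```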
show config
Use this command to display the system configuration or write the configuration to a file.
Syntax
show config [all | facility] [outfile {configs/filename}]
Parameters
all                 (Optional) Displays default and non-default configuration settings.
facility            (Optional) Specifies the exact name of one facility for which to show
                    configuration. For example, enter "router" to show only router
                    configuration.
outfile             (Optional) Specifies that the current configuration will be written to a text
                    file in the configs/ directory.
configs/filename    Specifies a filename in the configs/ directory to display.
Defaults
By default, show config will display all non-default configuration information for all facilities.
Mode
Switch command, read-only.
Usage
The separate facilities that can be displayed by this command are identified in the display of the
current configuration by a # preceding the facility name. For example, "#port" indicates the facility
name "port".
Examples
This example shows how to write the current configuration to a file named save_config2:
C3(rw)->show config all outfile configs/save_config2
This example shows how to display configuration for the facility "port".
C3(rw)->show config port
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
begin
!
#***** NON-DEFAULT CONFIGURATION *****
!
!
#port
set port jumbo disable ge.1.1
!
end
configure
Use this command to execute a previously downloaded configuration file stored on the switch.
Syntax
configure filename [append]
Parameters
Defaults
If append is not specified, the current running configuration will be replaced with the contents of
the configuration file, which will require an automated reset of the chassis.
Mode
Switch command, read-write.
Example
This example shows how to execute the "Jan1_2004.cfg" configuration file:
C3(su)->configure configs/Jan1_2004.cfg
copy
Use this command to upload or download an image or a CLI configuration file.
Syntax
copy source {destination | system:image}
Parameters
Defaults
None.
Mode
Switch command, read-write.
Usage
SFTP and SCP can only be used to transfer configuration files or the logs/current.log file. You
cannot use SFTP or SCP to download images (system:image).
filename Specifiesthepathandfilenameoftheconfigurationfiletoexecute.
append (Optional)Appendstheconfigurationfilecontentstothecurrent
configuration.Thisisequivalenttotypingthecontentsoftheconfigfile
directlyintotheCLIandcanbeused,forexample,tomakeincremental
adjustmentstothecurrentconfiguration.
source Specifieslocationandnameofthesourcefiletocopy.Optionsarealocalfile
pathintheconfigsorlogsdirectory,ortheURLofaTFTP,SecureFTP(SFTP),
orSecureCopy(SCP)server.
destination Specifieslocationandnameofthedestinationwherethefilewillbecopied.
Optionsarealocalfilepathintheconfigsdirectory,ortheURLofaTFTP,
SFTP,orSCPserver.
system:image Therequireddestinationofanimagefile.
Note: Only TFTP can be used to download an image file.
delete
3-46 Basic Configuration
Examples
ThisexampleshowshowtodownloadanimageviaTFTP:
C3( su) - >copy t f t p: / / 10. 1. 192. 34/ ver si on01000 syst em: i mage
Thisexampleshowshowtodownloadaconfigurationfiletotheconfigsdirectory:
C3( su) - >copy t f t p: / / 10. 1. 192. 1/ J an1_2004. cf g conf i gs/ J an1_2004. cf g
ThisexampleshowshowtouploadaconfigurationfilefromtheconfigsdirectoryusingSFTP.
C3( su) - >copy conf i gs/ J an1_2009. cf g sf t p: / / user : passwd@10. 1. 192. 1/ J an1_2009. cf g
delete
Use this command to remove an image or a CLI configuration file from the switch.
Syntax
delete filename
Parameters
filename  Specifies the local path name to the file. Valid directories are /images and /configs.
Defaults
None.
Mode
Switch command, read-write.
Usage
Use the dir command (page 3-41) to display current image and configuration file names.
Example
This example shows how to delete the Jan1_2004.cfg configuration file:
C3(su)->delete configs/Jan1_2004.cfg
show tftp settings
Use this command to display TFTP settings used by the switch during data transfers using TFTP.
Syntax
show tftp settings
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
The TFTP timeout value can be set with the set tftp timeout command. The TFTP retry value can be set with the set tftp retry command.
Example
This example shows the output of this command.
C3(ro)->show tftp settings
TFTP packet timeout (seconds): 2
TFTP max retry: 5
set tftp timeout
Use this command to configure how long TFTP will wait for a reply of either an acknowledgement packet or a data packet during a data transfer.
Syntax
set tftp timeout seconds
Parameters
seconds  Specifies the number of seconds to wait for a reply. The valid range is from 1 to 30 seconds. Default value is 2 seconds.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the timeout period to 4 seconds.
C3(rw)->set tftp timeout 4
clear tftp timeout
Use this command to reset the TFTP timeout value to the default value of 2 seconds.
Syntax
clear tftp timeout
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the timeout value to the default of 2 seconds.
C3(rw)->clear tftp timeout
set tftp retry
Use this command to configure how many times TFTP will resend a packet, either an acknowledgement packet or a data packet.
Syntax
set tftp retry retry
Parameters
retry  Specifies the number of times a packet will be resent. The valid range is from 1 to 1000. Default value is 5 retries.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the retry count to 3.
C3(rw)->set tftp retry 3
clear tftp retry
Use this command to reset the TFTP retry value to the default value of 5 retries.
Syntax
clear tftp retry
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the retry value to the default of 5 retries.
C3(rw)->clear tftp retry
Clearing and Closing the CLI
Purpose
To clear the CLI screen or to close your CLI session.
Commands
For information about...    Refer to page...
cls                         3-49
exit                        3-50
cls (clear screen)
Use this command to clear the screen for the current CLI session.
Syntax
cls
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to clear the CLI screen:
C3(su)->cls
exit
Use either of these commands to leave a CLI session.
Syntax
exit
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
By default, switch timeout occurs after 15 minutes of user inactivity, automatically closing your CLI session. Use the set logout command (page 3-30) to change this default.
Example
This example shows how to exit a CLI session:
C3(su)->exit
Resetting the Switch
Purpose
To reset one or more switches, and to clear the user-defined configuration parameters.
Commands
For information about...    Refer to page...
reset                       3-50
clear config                3-51
reset
Use this command to reset the switch without losing any user-defined configuration settings.
Syntax
reset [unit]
Parameters
unit  (Optional) Specifies a unit to be reset.
Defaults
If no unit ID is specified, the entire system will be reset.
Mode
Switch command, read-write.
Usage
A SecureStack C3 switch can also be reset with the RESET button located on its front panel. For information on how to do this, refer to the SecureStack C3 Installation Guide shipped with your switch.
Examples
This example shows how to reset the system:
C3(su)->reset
Are you sure you want to reload the stack? (y/n) y
Saving Configuration to stacking members
Reloading all switches.
This example shows how to reset unit 1:
C3(su)->reset 1
Are you sure you want to reload the switch? (y/n) y
Reloading switch 1.
This switch is manager of the stack.
STACK: detach 3 units
clear config
Use this command to clear the user-defined configuration parameters.
Syntax
clear config [all]
Parameters
all  (Optional) Clears user-defined configuration parameters (and stack unit numbers and priorities, if applicable).
Defaults
If all is not specified, stacking configuration parameters will not be cleared.
Mode
Switch command, read-write.
Usage
When using the clear config command to clear configuration parameters in a stack, it is important to remember the following:
• Use clear config to clear configuration parameters without clearing stack unit IDs. This command WILL NOT clear stack parameters and avoids the process of renumbering the stack.
• Use clear config all when it is necessary to clear all configuration parameters, including stack unit IDs (if applicable) and switch priority values.
• Use the clear ip address command to clear the IP address.
Configuration parameters and stacking information can also be cleared on the master unit only by selecting option 10 (restore configuration to factory defaults) from the boot menu on switch startup. This selection will leave stacking priorities on all other units, if applicable.
Example
This example shows how to clear configuration parameters (including stacking parameters, if applicable):
C3(su)->clear config all
Using and Configuring WebView
Purpose
By default, WebView (The Enterasys Networks embedded web server for switch configuration and management tasks) is enabled on TCP port number 80 on the SecureStack C3 switch. You can verify WebView status, and enable or disable WebView using the commands described in this section. WebView can also be securely used over SSL port 443, if SSL is enabled on the switch. By default, SSL is disabled.
To use WebView, type the IP address of the switch in your browser. To use WebView over SSL, type in https:// then the IP address of the switch. For example, https://172.16.2.10.
Commands
For information about...    Refer to page...
show webview                3-52
set webview                 3-53
show ssl                    3-53
set ssl                     3-54
show webview
Use this command to display WebView status.
Syntax
show webview
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display WebView status:
C3(rw)->show webview
WebView is Enabled.
set webview
Use this command to enable or disable WebView on the switch.
Syntax
set webview {enable | disable}
Parameters
enable | disable  Enable or disable WebView on the switch.
Defaults
None.
Mode
Switch command, read-write.
Usage
It is good practice for security reasons to disable HTTP access on the switch when finished configuring with WebView, and then to only enable WebView on the switch when changes need to be made.
Example
This example shows how to disable WebView on the switch:
C3(rw)->set webview disable
show ssl
Use this command to display SSL status.
Syntax
show ssl
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display SSL status:
C3(rw)->show ssl
SSL status: Enabled
set ssl
Use this command to enable or disable the use of WebView over SSL port 443. By default, SSL is disabled on the switch. This command can also be used to reinitialize the hostkey that is used for encryption.
Syntax
set ssl {enabled | disabled | reinitialize | hostkey reinitialize}
Parameters
enabled | disabled    Enables or disables the ability to use WebView over SSL.
reinitialize          Stops and then restarts the SSL process.
hostkey reinitialize  Stops SSL, regenerates new keys, and then restarts SSL.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable SSL:
C3(rw)->set ssl enabled
Gathering Technical Support Information
Purpose
To gather common technical support information.
Command
For information about...    Refer to page...
show support                3-55
show support
Use this command to display switch information for troubleshooting.
Syntax
show support
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
This command initiates a number of show commands to easily gather basic information from an installed device. To use this command, set your console to capture the output to a file first, before executing the command, since the output is extensive.
Output from the following commands is gathered by this command:
• show version
• show logging buffer
• show port status
• show system utilization process
• show system utilization storage
• show config
Example
There is no display example because the output of this command is quite lengthy.
Configuring Hostprotect
Purpose
This feature enables rate limiting of host-bound traffic on SecureStack C3 switches, to assist in the prevention of Denial of Service issues. When enabled, the hostprotect functionality applies a 64 kbps meter to control plane traffic, such as BPDUs or LACP packets, destined for the host processor.
Commands
For information about...    Refer to page...
show system hostprotect     3-56
set system hostprotect      3-56
clear system hostprotect    3-57
show system hostprotect
Use this command to display the status of the hostprotect feature.
Syntax
show system hostprotect
Parameters
None.
Defaults
Hostprotect is enabled by default.
Mode
Switch command, read-only.
Example
This example shows the output of this command.
C3(rw)->show system hostprotect
hostprotect Enable
set system hostprotect
Use this command to enable or disable hostprotect on the switch.
Syntax
set system hostprotect {enable | disable}
Parameters
enable   Enables hostprotect mode.
disable  Disables hostprotect mode.
Defaults
This feature is disabled by default.
Mode
Switch command, read-write.
Usage
Hostprotect uses hardware resources that are also used for priority queues (see Configuring Priority to Transmit Queue Mapping on page 124), so if hostprotect is enabled, priority queues are limited.
• At boot time, if more than two priority queue mappings are defined, in addition to the default mapping, hostprotect will be disabled.
• At run time, if hostprotect is enabled, and you attempt to define more than two priority queue mappings (with the set port priority-queue command), the set will fail and a warning message will be displayed.
• At run time, if more than two priority queue mappings exist, and you attempt to enable hostprotect with this command, the set will fail and a warning message will be displayed.
Changing the hostprotect status requires a reset of the switch or stack of switches.
Example
This example disables hostprotect.
C3(rw)->set system hostprotect disable
Changes in the hostprotect mode will require resetting this stack.
Are you sure you want to continue? (y/n) y
clear system hostprotect
Use this command to return the hostprotect status to the default of enabled.
Syntax
clear system hostprotect
Parameters
None.
Defaults
The default state is enabled.
Mode
Switch command, read-write.
Usage
Changing the hostprotect status requires a reset of the switch or stack of switches. If more than two priority queue mappings exist and you execute this command to reset the hostprotect status to enabled, the command will not complete and you will get a warning message.
Example
This example attempts to return the hostprotect status to the default, but the command cannot complete because more than two priority queue mappings exist.
C3(rw)->clear system hostprotect
Changes in the hostprotect mode will require resetting this stack.
Are you sure you want to continue? (y/n) y
Error: Could not set system hostprotect to default
4
Activating Licensed Features
In order to enable the C3 advanced features, such as Advanced Routing, you must purchase and activate a license key. If you have purchased a license, you can proceed to activate your license as described in this section. If you wish to obtain a permanent or evaluation license, use the Enterasys Customer Portal or contact the Enterasys Networks Sales Department.
Note: All members of a stack must be licensed in order to support licensed features in a stack environment. If the master unit in a stack has an activated license, all member units also must have an activated license in order to operate. If the master unit in a stack does not have an activated license, then the licensed functionality will not be available to member units, even if they have licenses installed.
License Key Field Descriptions
When Enterasys supplies a license, it will be sent to you as a character string similar to the following:
INCREMENT advrouter 2006.0127 27-jan-2011 0123456789AB 0123456789AB
The contents of the six fields, from the left, indicate:
• Type: the type of license. For the SecureStack C3, the value in this field is always INCREMENT.
• Feature: description of the feature being licensed. For example, advrouter as shown in the character string above.
• Date-based version (DBV): a date-related string. For the SecureStack C3, the value in this field is not significant.
• Expiration type: indicates whether the license is a permanent or an evaluation license. If the license is an evaluation license, this field will contain the expiration date of the license. If the license is a permanent license, this field will contain the word permanent.
• Key: the license key.
• Host ID: the serial number of the switch to which this license applies.
When activating licenses on SecureStack devices, we recommend that you copy and paste the license character string, rather than entering the text manually.
Licensing Procedure in a Stack Environment
The licenses for all members of an operating stack can be activated during a single CLI session, by following these steps:
1. Obtain valid licenses for all members of the stack from the Enterasys Customer Portal.
2. Optionally, note the serial numbers of the switches in the stack. You can use the show system hardware command (page 3-14) to display the switch serial numbers.
Note: Since license keys are applied to the correct stack member switch automatically, based on the switch serial number that is part of the license string, you should know the serial numbers of the switches in order to enable the licenses of the member switches first, before the master unit.
3. Enable the licenses on the stack members first, before enabling the master unit, using the set license command (page 4-3). For example:
C3(rw)->set license INCREMENT advrouter 2006.0127 27-jan-2011 0123456789AB 0123456789AB
4. Enable the license on the switch master unit last, using the set license command.
Adding a New Member to a Licensed Stack
When a SecureStack C3 switch without a license is added to a stack that has licensing enabled, the ports on the new switch will not pass traffic until a license has been applied to the new switch. To add a new member to a licensed stack:
1. Obtain a license for the new switch from the Enterasys Customer Portal.
2. Add the new unit to the stack, following the procedure in Adding a New Unit to an Existing Stack on page 2-3.
3. Use the set license command to install and activate the new switch's license. The new switch will then join the stack and its ports will be attached.
Alternatively, you can install and activate the new switch's license first, before adding the switch to the stack.
Clearing, Showing, and Applying Licenses
Licenses can be displayed, applied, and cleared only with the license commands described in this chapter. General configuration commands such as show config or clear config do not apply to licenses.
Every license is associated with a specific hardware platform, based on the serial number of the hardware platform. If you need to move a license from one hardware platform to another, you must contact Enterasys Customer Support to arrange for rehosting of the license.
Commands
For information about...    Refer to page...
set license                 4-3
show license                4-4
clear license               4-4
set license
Use this command to activate the SecureStack C3 licensed features.
Syntax
set license type feature DBV expiration key hostid
Parameters
type        Specifies the type of license. For the SecureStack C3, the value in this field is always INCREMENT.
feature     The name of the feature being licensed.
DBV         A date-related string generated as part of the license.
expiration  Indicates whether the license is a permanent or an evaluation license. If the license is an evaluation license, this field will contain the expiration date of the license. If the license is a permanent license, this field will contain the word permanent.
key         The license key.
hostid      The serial number of the switch to which this license applies.
Defaults
None.
Mode
Switch command, read-write.
Usage
If multiple switches are used in a stack, an individual license is required for each stack member. Refer to Licensing Procedure in a Stack Environment on page 4-1 for more information.
When activating licenses with this command, Enterasys Networks recommends that you copy and paste the entire license character string, rather than enter the text manually. If you enter the character string manually, ensure that you exactly match the capitalization of the character string sent to you.
Every license is associated with a specific hardware platform, based on the serial number of the hardware platform. If you need to move a license from one hardware platform to another, you must contact Enterasys Customer Support to arrange for rehosting of the license.
Example
This example shows how to activate a permanent license key on the switch with serial number 075103099041. In this example, the switch is a standalone unit so its unit number is 1.
C3(rw)->set license INCREMENT advrouter 2008.0212 permanent DF6A8558E5AB 075103099041
Validating license on unit 1
License successfully validated and set on unit 1
C3(rw)->
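The six-field license format and the members-first, master-last order described in this chapter can be checked before anything is pasted into the CLI. This Python sketch is an added example, not Enterasys code: it validates each string without altering its case, matches host IDs to the stack's serial numbers, and emits the set license commands in order. The stack layout, the choice to emit nothing while any unit lacks a usable license, and treating an evaluation license as valid through its printed date are assumptions of the example.

```python
from datetime import date

FIELDS = ("type", "feature", "dbv", "expiration", "key", "hostid")
MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

# License strings as printed in this chapter's examples; which serial is the
# stack master is constructed for the demonstration.
LICENSES = [
    "INCREMENT advrouter 2008.0212 permanent DF6A8558E5AB 075103099041",
    "INCREMENT advrouter 2006.0728 permanent 31173CAC6495 045100039001",
]
STACK = ["075103099041", "045100039001"]
MASTER = "075103099041"


def parse_license(text):
    """Split a license string into its six fields, leaving case untouched."""
    parts = text.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected 6 fields, got {len(parts)}")
    lic = dict(zip(FIELDS, parts))
    if lic["type"] != "INCREMENT":
        raise ValueError(f"type must be INCREMENT, got {lic['type']!r}")
    lic["text"] = " ".join(parts)
    return lic


def expiry(lic):
    """Return None for a permanent license, else the evaluation end date."""
    if lic["expiration"] == "permanent":
        return None
    try:
        day, month, year = lic["expiration"].split("-")
        return date(int(year), MONTHS[month.lower()], int(day))
    except (ValueError, KeyError):
        raise ValueError(f"bad expiration field {lic['expiration']!r}") from None


def activation_plan(license_texts, stack_serials, master_serial, today):
    """Return (commands, problems); commands is empty if anything is wrong."""
    usable, problems = {}, []
    if master_serial not in stack_serials:
        problems.append(f"master {master_serial} is not a stack unit")
    for text in license_texts:
        try:
            lic = parse_license(text)
            end = expiry(lic)
        except ValueError as err:
            problems.append(f"{text!r}: {err}")
            continue
        if lic["hostid"] not in stack_serials:
            problems.append(f"host ID {lic['hostid']} matches no stack unit")
        elif end is not None and end < today:  # assumption: valid through end date
            problems.append(f"license for {lic['hostid']} expired {end}")
        else:
            usable[lic["hostid"]] = lic
    problems += [f"no usable license for unit {s}"
                 for s in stack_serials if s not in usable]
    if problems:
        return [], problems
    # Members first, master last, as the stack procedure requires.
    order = [s for s in stack_serials if s != master_serial] + [master_serial]
    return [f"set license {usable[s]['text']}" for s in order], []


if __name__ == "__main__":
    commands, problems = activation_plan(LICENSES, STACK, MASTER, date(2009, 6, 1))
    for line in commands or problems:
        print(line)
```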
show license
Use this command to display license key information for switches with activated licenses.
Syntax
show license [unit number]
Parameters
unit number  (Optional) Specifies the switch for which to display license information. Refer to Chapter 2, Configuring Switches in a Stack, for more information about stack unit IDs, or numbers.
Defaults
If no unit number is specified, license key information for all switches in the stack is displayed.
Mode
Switch command, read-only.
Usage
Licenses can be displayed, applied, and cleared only with the license commands described in this chapter. General configuration commands such as show config or clear config do not affect licenses.
Example
This example shows how to display license key information for switch unit 1 in the stack.
C3(ro)->show license unit 1
unit 1
key: INCREMENT advrouter 2006.0728 permanent 31173CAC6495 045100039001
status: Active
clear license
Use this command to clear the license key settings.
Syntax
clear license featureId feature
Parameters
featureId feature  The name of the feature being cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the advrouter licensed feature:
C3(rw)->clear license featureId advrouter
5
Configuring System Power and PoE
Important Notice
The commands in this section apply only to PoE-equipped devices. Consult the Installation Guide for your product to determine if it is PoE-equipped.
The commands in this chapter allow you to review and set system power and PoE (Power over Ethernet) parameters, including the power available to the system, the usage threshold for each module, whether or not SNMP trap messages will be sent when power status changes, and per-port PoE settings.
Commands
For information about...         Refer to page...
show inlinepower                 5-1
set inlinepower threshold        5-2
set inlinepower trap             5-3
set inlinepower detectionmode    5-3
show port inlinepower            5-4
set port inlinepower             5-5
show inlinepower
Use this command to display system power properties.
Syntax
show inlinepower
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display system power properties:
C3(su)->show inlinepower
Detection Mode : auto
Unit  Status  Power(W)  Consumption(W)  Usage(%)  Threshold(%)  Trap
----  ------  --------  --------------  --------  ------------  ----
1     auto    375       0.00            0.00      80            enable
Table 5-1 provides an explanation of the command output.
Table 5-1 show inlinepower Output Details
Output           What It Displays...
Detection Mode   Displays the PD detection mode used by the switch. The detection mode can be configured with the command set inlinepower detectionmode (page 5-3).
Unit             Number of PoE-capable module.
Status           Whether the PoE administrative state is off (disabled) or auto (on). This state is not configurable.
Power (W)        Unit's available power wattage.
Consumption (W)  Unit's power wattage consumed.
Usage (%)        Unit's percentage of total system PoE power usage.
Threshold (%)    Unit's allotted percentage of total PoE power available in the system. The threshold can be configured with the command set inlinepower threshold (page 5-2).
Trap             Whether PoE trap messaging is enabled or disabled on this unit. Trap messaging can be configured with the command set inlinepower trap (page 5-3).
set inlinepower threshold
Use this command to set the power usage threshold on a specified unit or module.
Syntax
set inlinepower threshold usage-threshold module-number
Parameters
usage-threshold  Specifies a power threshold as a percentage of available system power. Valid values are 11 to 100.
module-number    Specifies the module or unit on which to set the power threshold.
Defaults
None.
Mode
Switch command, read-write.
Usage
The threshold is expressed as a percentage of the available PoE power. When this threshold is reached, a trap will be sent if traps are enabled with the set inlinepower trap command.
Example
This example shows how to set the power threshold to 90 on module/unit 1:
C3(su)->set inlinepower threshold 90 1
set inlinepower trap
Use this command to enable or disable the sending of an SNMP trap message for a unit or module whenever the status of its ports changes, or whenever the unit's power usage threshold is crossed.
Syntax
set inlinepower trap {disable | enable} module-number
Parameters
disable | enable  Disables or enables inline power trap messaging.
module-number     Specifies the module or unit on which to disable or enable trap messaging.
Defaults
Sending of traps is disabled by default.
Mode
Switch command, read-write.
Usage
The module's or unit's power usage threshold must be set using the set inlinepower threshold command as described on page 5-2.
Example
This example shows how to enable inline power trap messaging on module 1:
C3(su)->set inlinepower trap enable 1
set inlinepower detectionmode
Use this command to specify the method the switch will use to detect PDs (powered devices) connected to its ports.
Syntax
set inlinepower detectionmode {auto | ieee}
Parameters
auto  Specifies that the switch will use the standard 802.3af detection method first. If that fails, then the switch will use the legacy (pre-802.3af standard) capacitance method of detection.
ieee  Specifies that the switch will only use the standard 802.3af detection method.
Defaults
Default detection mode is auto.
Mode
Switch command, read-write.
Usage
This command is used to specify how the switch should detect PDs connected to its ports. The PoE hardware in the switches can use the IEEE standard 802.3af (resistor-based) method or a proprietary method using capacitor detection.
If auto is configured, the switch will first use the IEEE resistor-based detection method, and if that fails, the switch will use the capacitor-based detection method. If ieee is configured, only the IEEE resistor-based detection method will be used.
Example
This example sets the switch's PD detection mode to IEEE standard 802.3af only.
C3(su)->set inlinepower detectionmode ieee
show port inlinepower
Use this command to display all ports supporting PoE.
Syntax
show port inlinepower [port-string]
Parameters
port-string  (Optional) Displays information for specific PoE port(s).
Defaults
If not specified, information for all PoE ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display PoE information for port ge.2.1. In this case, the port's administrative state, PoE priority and class have not been changed from default values:
C3(su)->show port inlinepower ge.2.1
Port    Type      Admin  Oper       Priority  Class  Power(W)
----    ----      -----  ----       --------  -----  --------
ge.2.1  wireless  auto   searching  low       0      15.4
set port inlinepower
Use this command to configure PoE parameters on one or more ports.
Syntax
set port inlinepower port-string {[admin {off | auto}] [priority {critical | high | low}] [type type]}
Parameters
port-string                     Specifies the port(s) on which to configure PoE.
admin off | auto                Sets the PoE administrative state to off (disabled) or auto (on).
priority critical | high | low  Sets the port(s) priority for the PoE allocation algorithm to critical (highest), high or low.
type type                       Specifies a string describing the type of device connected to a port.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable PoE on port ge.3.1 with critical priority:
C3(su)->set port inlinepower ge.3.1 admin auto priority critical
6
Discovery Protocol Configuration
This chapter describes how to configure discovery protocols. For more extensive configuration information, refer to the Configuring Neighbor Discovery feature guide on the Enterasys Networks web site: http://www.enterasys.com/support/manuals
For information about...                                    Refer to page...
Configuring CDP                                             6-1
Configuring Cisco Discovery Protocol                        6-7
Configuring Link Layer Discovery Protocol and LLDP-MED      6-13
Configuring CDP
Purpose
To review and configure the Enterasys CDP discovery protocol. This protocol is used to discover network topology. When enabled, this protocol allows Enterasys devices to send periodic PDUs about themselves to neighboring devices.
Commands
The commands used to review and configure the CDP discovery protocol are listed below.
For information about...    Refer to page...
show cdp                    6-2
set cdp state               6-3
set cdp auth                6-4
set cdp interval            6-4
set cdp hold-time           6-5
clear cdp                   6-5
show neighbors              6-6
show cdp
Use this command to display the status of the CDP discovery protocol and message interval on one or more ports.
Syntax
show cdp [port-string]
Parameters
port-string  (Optional) Displays CDP status for a specific port. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 7-1.
Defaults
If port-string is not specified, all CDP information will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display CDP information for ports ge.1.1 through ge.1.9:
C3(su)->show cdp ge.1.1-9
CDP Global Status :auto-enable
CDP Version Supported :30 hex
CDP Hold Time :180
CDP Authentication Code :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 hex
CDP Transmit Frequency :60
Port Status
-----------------
ge.1.1 auto-enable
ge.1.2 auto-enable
ge.1.3 auto-enable
ge.1.4 auto-enable
ge.1.5 auto-enable
ge.1.6 auto-enable
ge.1.7 auto-enable
ge.1.8 auto-enable
ge.1.9 auto-enable
Table 6-1 provides an explanation of the command output.
Table 6-1 show cdp Output Details
Output Field             What It Displays...
CDP Global Status        Whether CDP is globally auto-enabled, enabled or disabled. The default state of auto-enabled can be reset with the set cdp state command. For details, refer to set cdp state on page 6-3.
CDP Versions Supported   CDP version number(s) supported by the switch.
CDP Hold Time            Minimum time interval (in seconds) at which CDP configuration messages can be set. The default of 180 seconds can be reset with the set cdp hold-time command. For details, refer to set cdp hold-time on page 6-5.
CDP Authentication Code  Authentication code for CDP discovery protocol. The default of 00-00-00-00-00-00-00-00 can be reset using the set cdp auth command. For details, refer to set cdp auth on page 6-4.
CDP Transmit Frequency   Frequency (in seconds) at which CDP messages can be transmitted. The default of 60 seconds can be reset with the set cdp interval command. For details, refer to set cdp interval on page 6-4.
Port                     Port designation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 7-1.
Status                   Whether CDP is enabled, disabled or auto-enabled on the port.
set cdp state
Use this command to enable or disable the CDP discovery protocol on one or more ports.
Syntax
set cdp state {auto | disable | enable} [port-string]
Parameters
auto | disable | enable  Auto-enables, disables or enables the CDP protocol on the specified port(s). In auto-enable mode, which is the default mode for all ports, a port automatically becomes CDP-enabled upon receiving its first CDP message.
port-string              (Optional) Enables or disables CDP on specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 7-1.
Defaults
If port-string is not specified, the CDP state will be globally set.
Mode
Switch command, read-write.
Examples
This example shows how to globally enable CDP:
C3(su)->set cdp state enable
This example shows how to enable the CDP for port ge.1.2:
C3(su)->set cdp state enable ge.1.2
This example shows how to disable the CDP for port ge.1.2:
C3(su)->set cdp state disable ge.1.2
set cdp auth
6-4 Discovery Protocol Configuration
set cdp auth
UsethiscommandtosetaglobalCDPauthenticationcode.
Syntax
set cdp auth auth-code
Parameters
Defaults
None.
Mode
Switch command, read-write.
Usage
The authentication code value determines a switch's CDP domain. If two or more switches have
the same CDP authentication code, they will be entered into each other's CDP neighbor tables. If
they have different authentication codes, they are in different domains and will not be entered
into each other's CDP neighbor tables.
A switch with the default authentication code (16 null characters) will recognize all switches, no
matter what their authentication code, and enter them into its CDP neighbor table.
Example
This example shows how to set the CDP authentication code to 1,2,3,4,5,6,7,8:
C3(su)->set cdp auth 1,2,3,4,5,6,7,8
set cdp interval
Use this command to set the message interval frequency (in seconds) of the CDP discovery
protocol.
Syntax
set cdp interval frequency
Parameters
Defaults
None.
Mode
Switch command, read-write.
auth-code   Specifies an authentication code for the CDP protocol. This can be up to 16
            hexadecimal values separated by commas.
frequency   Specifies the transmit frequency of CDP messages in seconds. Valid values
            are from 5 to 900 seconds.
Example
This example shows how to set the CDP interval frequency to 15 seconds:
C3(su)->set cdp interval 15
set cdp hold-time
Use this command to set the hold time value for CDP discovery protocol configuration messages.
Syntax
set cdp hold-time hold-time
Parameters
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set CDP hold time to 60 seconds:
C3(su)->set cdp hold-time 60
clear cdp
Use this command to reset CDP discovery protocol settings to defaults.
Syntax
clear cdp {[state] [port-state port-string] [interval] [hold-time] [auth-code]}
Parameters
Defaults
At least one optional parameter must be entered.
hold-time                Specifies the hold time value for CDP messages in seconds. Valid values are
                         from 15 to 600.
state                    (Optional) Resets the global CDP state to auto-enabled.
port-state port-string   (Optional) Resets the port state on specific port(s) to auto-enabled.
interval                 (Optional) Resets the message frequency interval to 60 seconds.
hold-time                (Optional) Resets the hold time value to 180 seconds.
auth-code                (Optional) Resets the authentication code to 16 bytes of 00
                         (00-00-00-00-00-00-00-00).
Mode
Switch command, read-write.
Example
This example shows how to reset the CDP state to auto-enabled:
C3(su)->clear cdp state
show neighbors
This command displays Neighbor Discovery information for either the CDP or Cisco DP
protocols.
Syntax
show neighbors [port-string]
Parameters
Defaults
If no port is specified, all Neighbor Discovery information is displayed.
Mode
Switch command, read-only.
Usage
This command displays information discovered by both the CDP and the Cisco DP protocols.
Example
This example displays Neighbor Discovery information for all ports.
C3(su)->show neighbors
Port      Device ID           Port ID         Type      Network Address
------------------------------------------------------------------------------
ge.1.1    00036b8b1587        12.227.1.176    ciscodp   12.227.1.176
ge.1.6    0001f496126f        140.2.3.1       ciscodp   140.2.3.1
ge.1.6    00-01-f4-00-72-fe   140.2.4.102     cdp       140.2.4.102
ge.1.6    00-01-f4-00-70-8a   140.2.4.104     cdp       140.2.4.104
ge.1.6    00-01-f4-c5-f7-20   140.2.4.101     cdp       140.2.4.101
ge.1.6    00-01-f4-89-4f-ae   140.2.4.105     cdp       140.2.4.105
ge.1.6    00-01-f4-5f-1f-c0   140.2.1.11      cdp       140.2.1.11
ge.1.19   0001f400732e        165.32.100.10   ciscodp   165.32.100.10
port-string   (Optional) Specifies the port or ports for which to display Neighbor
              Discovery information.
Configuring Cisco Discovery Protocol
Purpose
To review and configure the Cisco discovery protocol. Discovery protocols are used to discover
network topology. When enabled, they allow Cisco devices to send periodic PDUs about
themselves to neighboring devices. Specifically, this feature enables recognizing PDUs from Cisco
phones. A table of information about detected phones is kept by the switch and can be queried by
the network administrator.
Commands
The commands used to review and configure the Cisco discovery protocol are listed below. Refer
also to show neighbors on page 6-6.
show ciscodp
Use this command to display global Cisco discovery protocol information.
Syntax
show ciscodp
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display global Cisco DP information.
C3(su)->show ciscodp
CiscoDP        : Enabled
Timer          : 5
Holdtime (TTl) : 180
For information about... Refer to page...
show ciscodp 6-7
show ciscodp port info 6-8
set ciscodp status 6-9
set ciscodp timer 6-9
set ciscodp holdtime 6-10
set ciscodp port 6-10
clear ciscodp 6-12
Device ID      : 001188554A60
Last Change    : WED NOV 08 13:19:56 2006
Table 6-2 provides an explanation of the command output.
show ciscodp port info
Use this command to display summary information about the Cisco discovery protocol on one or
more ports.
Syntax
show ciscodp port info [port-string]
Parameters
Defaults
If port-string is not specified, Cisco DP information for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display Cisco DP information for Gigabit Ethernet port 1 in slot 1.
C3(su)->show ciscodp port info ge.1.1
port     state    vvid   trusted  cos
----------------------------------------------
ge.1.1   enable   none   yes      0
Table 6-3 provides an explanation of the command output.
Table 6-2 show ciscodp Output Details
Output Field What It Displays...
CiscoDP Whether Cisco DP is globally enabled or disabled. Auto indicates that Cisco DP will
be globally enabled only if Cisco DP PDUs are received.
Default setting of auto-enabled can be reset with the set ciscodp status command.
Timer The number of seconds between Cisco discovery protocol PDU transmissions. The
default of 60 seconds can be reset with the set ciscodp timer command.
Holdtime Number of seconds neighboring devices will hold PDU transmissions from the
sending device. Default value of 180 can be changed with the set ciscodp holdtime
command.
Device ID The MAC address of the switch.
Last Change The time that the last Cisco DP neighbor was discovered.
port-string   (Optional) Displays Cisco DP information for a specific port. For a detailed
              description of possible port-string values, refer to Port String Syntax Used
              in the CLI on page 7-1.
set ciscodp status
Use this command to enable or disable the Cisco discovery protocol globally on the switch.
Syntax
set ciscodp state {auto | disable | enable}
Parameters
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to globally enable Cisco DP:
C3(su)->set ciscodp state enable
set ciscodp timer
Use this command to set the number of seconds between Cisco discovery protocol PDU
transmissions.
Syntax
set ciscodp timer seconds
Table 6-3 show ciscodp port info Output Details
Output Field What It Displays...
Port Port designation. For a detailed description of possible port-string values, refer to
Port String Syntax Used in the CLI on page 7-1.
State Whether Cisco DP is enabled, disabled or auto-enabled on the port. Default state of
enabled can be changed using the set ciscodp port command.
vvid Whether a voice VLAN ID has been set on this port. Default of none can be changed
using the set ciscodp port command.
trusted The trust mode of the port. Default of trusted can be changed using the set ciscodp
port command.
cos The Class of Service priority value for untrusted traffic. The default of 0 can be
changed using the set ciscodp port command.
auto      Globally enable only if Cisco DP PDUs are received.
disable   Globally disable Cisco discovery protocol.
enable    Globally enable Cisco discovery protocol.
Parameters
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the Cisco DP timer to 120 seconds.
C3(su)->set ciscodp timer 120
set ciscodp holdtime
Use this command to set the time to live (TTL) for Cisco discovery protocol PDUs. This is the
amount of time, in seconds, neighboring devices will hold PDU transmissions from the sending
device.
Syntax
set ciscodp holdtime hold-time
Parameters
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set Cisco DP hold time to 180 seconds:
C3(su)->set ciscodp hold-time 180
set ciscodp port
Use this command to set the status, voice VLAN, extended trust mode, and CoS priority for
untrusted traffic for the Cisco Discovery Protocol on one or more ports.
Syntax
set ciscodp port {[status {disable | enable}] [vvid {vlan-id | none | dot1p |
untagged}] [trusted {yes | no}] [cos value]} port-string
seconds     Specifies the number of seconds between Cisco DP PDU transmissions.
            Valid values are from 5 to 254 seconds.
hold-time   Specifies the time to live for Cisco DP PDUs. Valid values are from 10 to 255
            seconds.
Parameters
Defaults
Status: enabled
Voice VLAN: none
Trust mode: trusted
CoS value: 0
Mode
Switch mode, read-write.
Usage
The following points describe how the Cisco DP extended trust settings work on the switch.
- A Cisco DP port trust status of trusted or untrusted is only meaningful when a Cisco IP phone
  is connected to a switch port and a PC or other device is connected to the back of the Cisco IP
  phone.
- A Cisco DP port state of trusted or untrusted only affects tagged traffic transmitted by the
  device connected to the Cisco IP phone. Untagged traffic transmitted by the device connected
  to the Cisco IP phone is unaffected by this setting.
- If the switch port is configured to a Cisco DP trust state of trusted (with the trusted yes
  parameter of this command), this setting is communicated to the Cisco IP phone instructing it
  to allow the device connected to it to transmit traffic containing any CoS or Layer 2 802.1p
  marking.
status        Sets the Cisco DP port operational status.
  disable     Does not transmit or process Cisco DP PDUs.
  enable      Transmits and processes Cisco DP PDUs.
vvid          Sets the port voice VLAN for Cisco DP PDU transmission.
  vlan-id     Specifies the VLAN ID, range 1-4093.
  none        No voice VLAN will be used in Cisco DP PDUs. This is the default.
  dot1p       Instructs attached phone to send 802.1p tagged frames.
  untagged    Instructs attached phone to send untagged frames.
trusted       Sets the extended trust mode on the port.
  yes         Instructs attached phone to allow the device connected to it to transmit
              traffic containing any CoS or Layer 2 802.1p marking. This is the default
              value.
  no          Instructs attached phone to overwrite the 802.1p tag of traffic
              transmitted by the device connected to it to 0, by default, or to the value
              configured with the cos parameter.
cos value     Instructs attached phone to overwrite the 802.1p tag of traffic
              transmitted by the device connected to it with the specified value, when
              the trust mode of the port is set to untrusted. Value can range from 0 to
              7, with 0 indicating the lowest priority.
port-string   Specifies the port(s) on which status will be set.
- If the switch port is configured to a Cisco DP trust state of untrusted (trusted no), this setting
  is communicated to the Cisco IP phone instructing it to overwrite the 802.1p tag of traffic
  transmitted by the device connected to it to 0, by default, or to the value specified by the cos
  parameter of this command.
- There is a one-to-one correlation between the value set with the cos parameter and the 802.1p
  value assigned to ingressed traffic by the Cisco IP phone. A value of 0 equates to an 802.1p
  priority of 0. Therefore, a value of 7 is given the highest priority.
Examples
This example shows how to set the Cisco DP port voice VLAN ID to 3 on port ge.1.6 and enable
the port operational state.
C3(rw)->set ciscodp port status enable vvid 3 ge.1.6
This example shows how to set the Cisco DP extended trust mode to untrusted on port ge.1.5 and
set the CoS priority to 1.
C3(rw)->set ciscodp port trusted no cos 1 ge.1.5
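The extended trust rules in the usage notes above, modelled as an added example (not part of the Enterasys guide): it parses text laid out like show ciscodp port info output, lists ports still passing downstream markings through, and computes the 802.1p value a frame ends up with. The sample table, the ge.1.7 row and all function names are constructed for illustration.

```python
import re

# Constructed sample laid out like "show ciscodp port info" output.
SAMPLE = """\
port     state    vvid   trusted  cos
----------------------------------------------
ge.1.1   enable   none   yes      0
ge.1.5   enable   none   no       1
ge.1.6   enable   3      yes      0
ge.1.7   disable  none   yes      0
"""

ROW = re.compile(
    r"^(?P<port>[a-z]+\.\d+\.\d+)\s+(?P<state>\S+)\s+(?P<vvid>\S+)"
    r"\s+(?P<trusted>yes|no)\s+(?P<cos>[0-7])$"
)


def parse_port_info(text):
    """Turn the table rows into dicts; header and separator lines are skipped."""
    ports = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            row = match.groupdict()
            row["trusted"] = row["trusted"] == "yes"
            row["cos"] = int(row["cos"])
            ports.append(row)
    return ports


def priority_after_phone(port, tagged, pcp):
    """802.1p value leaving the phone for a frame sent by the device behind it.

    Follows the usage notes: untagged frames are unaffected (None is returned),
    a trusted port lets any marking through, and an untrusted port has the
    phone overwrite the tag with the configured cos value (0 by default).
    Assumes the port is sending Cisco DP PDUs and the phone honours them.
    """
    if not tagged:
        return None
    if not 0 <= pcp <= 7:
        raise ValueError("802.1p priority must be 0-7")
    return pcp if port["trusted"] else port["cos"]


def pass_through_ports(ports):
    """Ports where Cisco DP is not disabled and downstream markings are trusted."""
    return [p["port"] for p in ports if p["state"] != "disable" and p["trusted"]]


if __name__ == "__main__":
    table = parse_port_info(SAMPLE)
    print("extended trust still on:", ", ".join(pass_through_ports(table)))
    for p in table:
        print(p["port"], "tagged pcp 7 ->", priority_after_phone(p, True, 7))
```

Because trusted yes is the port default, every port that has never been configured shows up in the pass-through list.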
clear ciscodp
Use this command to clear the Cisco discovery protocol back to the default values.
Syntax
clear ciscodp [status | timer | holdtime | {port {status | vvid | trust | cos}
[port-string]}]
Parameters
Defaults
If no parameters are entered, all Cisco DP parameters are reset to the defaults globally and for all
ports.
Mode
Switch mode, read-write.
Note: The Cisco Discovery Protocol must be globally enabled using the set ciscodp status
command before operational status can be set on individual ports.
status        Clears global Cisco DP enable status to default of auto.
timer         Clears the time between Cisco DP PDU transmissions to default of 60
              seconds.
holdtime      Clears the time-to-live for Cisco DP PDU data to default of 180 seconds.
port          Clears the Cisco DP port configuration.
  status      Clears the individual port operational status to the default of enabled.
  vvid        Clears the individual port voice VLAN for Cisco DP PDU transmission
              to 0.
  trust       Clears the trust mode configuration of the port to trusted.
  cos         Clears the CoS priority for untrusted traffic of the port to 0.
port-string   (Optional) Specifies the port(s) on which status will be set.
Examples
This example shows how to clear all the Cisco DP parameters back to the default settings.
C3(rw)->clear ciscodp
This example shows how to clear the Cisco DP status on port ge.1.5.
C3(rw)->clear ciscodp port status ge.1.5
Configuring Link Layer Discovery Protocol and LLDP-MED
Overview
The Link Layer Discovery Protocol (LLDP) provides an industry-standard, vendor-neutral way to
allow network devices to advertise their identities and capabilities on a local area network, and to
discover that information about their neighbors.
LLDP-MED is an enhancement to LLDP that provides the following benefits:
- Auto-discovery of LAN policies, such as VLAN id, 802.1p priority, and DiffServ codepoint
  settings, leading to plug-and-play networking
- Device location and topology discovery, allowing creation of location databases and, in the
  case of VoIP, provision of E911 services
- Extended and automated power management of Power over Ethernet endpoints
- Inventory management, allowing network administrators to track their network devices and
  to determine their characteristics, such as manufacturer, software and hardware versions, and
  serial or asset numbers
The information sent by an LLDP-enabled device is extracted and tabulated by its peers. The
communication can be done when information changes or on a periodic basis. The information
tabulated is aged to ensure that it is kept up to date. Ports can be configured to send this
information, receive this information, or both send and receive.
Either LLDP or LLDP-MED, but not both, can be used on an interface between two devices. A
switch port uses LLDP-MED when it detects that an LLDP-MED-capable device is connected to it.
LLDP information is contained within a Link Layer Discovery Protocol Data Unit (LLDPDU) sent
in a single 802.3 Ethernet frame. The information fields in LLDPDU are a sequence of short,
variable-length information elements known as TLVs (type, length, and value fields) where:
- Type identifies what kind of information is being sent
- Length indicates the length of the information string in octets
- Value is the actual information that needs to be sent
The LLDP standard specifies that certain TLVs are mandatory in transmitted LLDPDUs, while
others are optional. You can configure on a port-specific basis which optional LLDP and
LLDP-MED TLVs should be sent in LLDPDUs.
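The TLV layout described above, as an added example (not part of the Enterasys guide): a parser that splits an LLDPDU into TLVs using the IEEE 802.1AB header (7-bit type, 9-bit length), rejects truncated or out-of-order input, and checks the mandatory Chassis ID, Port ID and TTL TLVs. The sample LLDPDU is constructed from values shown in this chapter's command output; function names are illustrative.

```python
import struct

# TLV type numbers defined by IEEE 802.1AB.
END, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3
NAMES = {4: "Port Desc", 5: "Sys Name", 6: "Sys Desc", 7: "Sys Cap",
         8: "Mgmt Addr", 127: "Org Specific"}


class LLDPError(ValueError):
    """Raised when an LLDPDU is malformed."""


def encode_tlv(tlv_type, value):
    """Build one TLV: a 16-bit header (7-bit type, 9-bit length), then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise LLDPError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def split_tlvs(payload):
    """Return [(type, value), ...], refusing to read past the end of the buffer."""
    tlvs, offset = [], 0
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise LLDPError("truncated TLV header at offset %d" % offset)
        (header,) = struct.unpack_from("!H", payload, offset)
        tlv_type, length = header >> 9, header & 0x01FF
        offset += 2
        if length > len(payload) - offset:
            raise LLDPError("TLV type %d claims %d octets, %d remain"
                            % (tlv_type, length, len(payload) - offset))
        tlvs.append((tlv_type, payload[offset:offset + length]))
        offset += length
        if tlv_type == END:
            break  # anything after End of LLDPDU is padding
    return tlvs


def parse_lldpdu(payload):
    """Validate the mandatory TLVs and return a summary dict."""
    tlvs = split_tlvs(payload)
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise LLDPError("LLDPDU must start with Chassis ID, Port ID, TTL")
    if any(t in (CHASSIS_ID, PORT_ID, TTL) for t, _ in tlvs[3:]):
        raise LLDPError("mandatory TLV repeated")
    (_, chassis), (_, port), (_, ttl) = tlvs[:3]
    # Chassis ID and Port ID carry a one-octet subtype plus 1..255 octets of ID.
    if not 2 <= len(chassis) <= 256 or not 2 <= len(port) <= 256:
        raise LLDPError("bad Chassis ID or Port ID length")
    if len(ttl) != 2:
        raise LLDPError("TTL value must be exactly 2 octets")
    return {
        "chassis_subtype": chassis[0],
        "chassis_id": chassis[1:],
        "port_subtype": port[0],
        "port_id": port[1:],
        "ttl": struct.unpack("!H", ttl)[0],
        "optional": [NAMES.get(t, "type %d" % t) for t, _ in tlvs[3:] if t != END],
    }


def sample_lldpdu():
    """Constructed LLDPDU built from values in this chapter's example output."""
    chassis = bytes([4]) + bytes.fromhex("00E0639374A5")   # subtype 4: MAC address
    port = bytes([5]) + b"ge.4.1"                          # subtype 5: interface name
    return b"".join([
        encode_tlv(CHASSIS_ID, chassis),
        encode_tlv(PORT_ID, port),
        encode_tlv(TTL, struct.pack("!H", 120)),           # tx-interval 30 x hold-multiplier 4
        encode_tlv(5, b"LLDP PoE test Chassis"),
        encode_tlv(END, b""),
    ])


if __name__ == "__main__":
    print(parse_lldpdu(sample_lldpdu()))
```

The length check in split_tlvs is the part that matters when the input is an untrusted frame: the 9-bit length field is taken from the wire and must never be allowed to index past the received buffer.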
Purpose
To review and configure LLDP and LLDP-MED.
Commands
The commands used to review and configure LLDP and LLDP-MED are listed below.
Configuration Tasks
The commands included in this implementation allow you to perform the following configuration
tasks:
For information about... Refer to page...
show lldp 6-15
show lldp port status 6-16
show lldp port trap 6-16
show lldp port tx-tlv 6-17
show lldp port location-info 6-17
show lldp port local-info 6-18
show lldp port remote-info 6-21
show lldp port network-policy 6-22
set lldp tx-interval 6-23
set lldp hold-multiplier 6-24
set lldp trap-interval 6-24
set lldp med-fast-repeat 6-25
set lldp port status 6-26
set lldp port trap 6-26
set lldp port med-trap 6-27
set lldp port location-info 6-27
set lldp port tx-tlv 6-28
set lldp port network-policy 6-30
clear lldp 6-31
clear lldp port status 6-32
clear lldp port trap 6-32
clear lldp port med-trap 6-33
clear lldp port location-info 6-33
clear lldp port network-policy 6-34
clear lldp port tx-tlv 6-35
show lldp
Use this command to display LLDP configuration information.
Syntax
show lldp
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display LLDP configuration information.
C3(ro)->show lldp
Message Tx Interval        : 30
Message Tx Hold Multiplier : 4
Notification Tx Interval   : 5
MED Fast Start Count       : 3
Tx-Enabled Ports           : ge.1.1-60; ge.2.1-24; ge.3.1-30; ge.4.1-12;
Rx-Enabled Ports           : ge.1.1-60; ge.2.1-24; ge.3.1-30; ge.4.1-12;
Trap-Enabled Ports         : ge.1.1-60; ge.2.1-24; ge.3.1-30; ge.4.1-12;
MED Trap-Enabled Ports     : ge.1.1-60; ge.2.1-24; ge.3.1-30; ge.4.1-12;
Step  Task                                                 Command(s)
1.    Configure global system LLDP parameters              set lldp tx-interval
                                                           set lldp hold-multiplier
                                                           set lldp trap-interval
                                                           set lldp med-fast-repeat
                                                           clear lldp
2.    Enable/disable specific ports to:
      - Transmit and process received LLDPDUs              set/clear lldp port status
      - Send LLDP traps                                    set/clear lldp port trap
      - Send LLDP-MED traps                                set/clear lldp port med-trap
3.    Configure an ECS ELIN value for specific ports       set/clear lldp port location-info
4.    Configure Network Policy TLVs for specific ports     set/clear lldp port network-policy
5.    Configure which optional TLVs should be sent by      set/clear lldp tx-tlv
      specific ports. For example, if you configured an
      ECS ELIN and/or Network Policy TLVs, you must
      enable those optional TLVs to be transmitted on
      the specific ports.
show lldp port status
Use this command to display the LLDP status of one or more ports. The command lists the ports
that are enabled to send and receive LLDP PDUs. Ports are enabled or disabled with the set lldp
port status command.
Syntax
show lldp port status [port-string]
Parameters
Defaults
If port-string is not specified, LLDP status information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display LLDP port status information for all ports.
C3(ro)->show lldp port status
Tx-Enabled Ports : ge.1.1-60; ge.2.1-24; ge.3.1-30; ge.4.1-12
Rx-Enabled Ports : ge.1.1-60; ge.2.1-24; ge.3.1-30; ge.4.1-12
show lldp port trap
Use this command to display the ports that are enabled to send an LLDP notification when a
remote system change has been detected or an LLDP-MED notification when a change in the
topology has been sensed. Ports are enabled to send LLDP notifications with the set lldp port trap
command and to send LLDP-MED notifications with the set lldp port med-trap command.
Syntax
show lldp port trap [port-string]
Parameters
Defaults
If port-string is not specified, LLDP port trap information will be displayed for all ports.
Mode
Switch command, read-only.
port-string   (Optional) Displays LLDP status for one or a range of ports.
port-string   (Optional) Displays the port or range of ports that have been enabled
              to send LLDP and/or LLDP-MED notifications.
Example
This example shows how to display LLDP port trap information for all ports.
C3(ro)->show lldp port trap
Trap-Enabled Ports     :
MED Trap-Enabled Ports :
show lldp port tx-tlv
Use this command to display information about which optional TLVs have been configured to be
transmitted on ports. Ports are configured to send optional TLVs with the set lldp port tx-tlv
command.
Syntax
show lldp port tx-tlv [port-string]
Parameters
Defaults
If port-string is not specified, TLV configuration information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display transmit TLV information for three ports.
C3(ro)->show lldp port tx-tlv ge.1.1-3
* Means TLV is supported and enabled on this port
o Means TLV is supported on this port
  Means TLV is not supported on this port
Column Pro Id uses letter notation for enable: s-stp, l-lacp, g-gvrp
Ports Port Sys Sys Sys Mgmt Vlan Pro MAC PoE Link Max MED MED MED MED
Desc Name Desc Cap Addr Id Id PHY Aggr Frame Cap Pol Loc PoE
------------------------------------------------------------
ge.1.1 * * * * * * slg * * * * *
ge.1.2 * * * * * * slg * * *
ge.1.3 * * * * * * slg * * * * *
show lldp port location-info
Use this command to display configured location information for one or more ports. Ports are
configured with a location value using the set lldp port location-info command.
Syntax
show lldp port location-info [port-string]
port-string   (Optional) Displays information about TLV configuration for one or a
              range of ports.
Parameters
Defaults
If port-string is not specified, port location configuration information will be displayed for all
ports.
Mode
Switch command, read-only.
Example
This example shows how to display port location information for three ports.
C3(ro)->show lldp port location-info ge.1.1-3
Ports    Type   Location
----------------------------------------------
ge.1.1   ELIN   1234567890
ge.1.2   ELIN   1234567890
ge.1.3   ELIN   1234567890
show lldp port local-info
Use this command to display the local system information stored for one or more ports. You can
use this information to detect misconfigurations or incompatibilities between the local port and
the attached endpoint device (remote port).
Syntax
show lldp port local-info [port-string]
Parameters
Defaults
If port-string is not specified, local system information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display the local system information stored for port ge.4.1. Table 6-4
describes the output fields of this command.
C3(rw)->show lldp port local-info ge.4.1
Local Port : ge.4.1    Local Port Id: ge.4.1
--------------------
Port Desc                     : ... 1000BASE-TX RJ45 Gigabit Ethernet Frontpanel Port
port-string   (Optional) Displays port location information for one or a range of
              ports.
port-string   (Optional) Displays local system information for one or a range of
              ports.
Mgmt Addr                     : 10.21.64.100
Chassis ID                    : 00-E0-63-93-74-A5
Sys Name                      : LLDP PoE test Chassis
Sys Desc                      : Enterasys Networks, Inc.
Sys Cap Supported/Enabled     : bridge, router/bridge
Auto-Neg Supported/Enabled    : yes/yes
Auto-Neg Advertised           : 10BASE-T, 10BASE-TFD,
                                100BASE-TX, 100BASE-TXFD,
                                1000BASE-TFD,
                                Bpause
Operational Speed/Duplex/Type : 100 full tx
Max Frame Size (bytes)        : 1522
Vlan Id                       : 1
LAG Supported/Enabled/Id      : no/no/0
Protocol Id                   : Spanning Tree v-3 (IEEE802.1s)
                                LACP v-1
                                GVRP
Network Policy
(app/tag/vlanId/cos/dscp)     : voice/tagged/10/3/5
                                voice signaling/tagged/10/3/5
                                guest voice/tagged/10/3/5
                                guest voice signaling/tagged/10/3/5
                                softphone voice/tagged/10/3/5
                                video conferencing/tagged/10/3/5
                                streaming video/tagged/10/3/5
                                video signaling/tagged/10/3/5
ECS ELIN                      : 1234567890123456789012345
PoE Device                    : PSE device
PoE Power Source              : primary
PoE MDI Supported/Enabled     : yes/yes
PoE Pair Controllable/Used    : false/spare
PoE Power Class               : 2
PoE Power Limit (mW)          : 15400
PoE Power Priority            : high
Table 6-4 describes the information displayed by the show lldp port local-info command.
Table 6-4 show lldp port local-info Output Details
Output Field What it Displays...
Local Port Identifies the port for which local system information is displayed.
Local Port Id Mandatory basic LLDP TLV that identifies the port transmitting the
LLDPDU. Value is ifName object defined in RFC 2863.
Port Desc Optional basic LLDP TLV. Value is ifDescr object defined in RFC 2863.
Mgmt Addr Optional basic LLDP TLV. IPv4 address of host interface.
Chassis ID Mandatory basic LLDP TLV that identifies the chassis transmitting the
LLDPDU. Value is MAC address of chassis.
Sys Name Optional basic LLDP TLV. Value is the administratively assigned name for
the system.
Sys Desc Optional basic LLDP TLV. Value is sysDescr object defined in RFC 3418.
Sys Cap Supported/Enabled Optional basic LLDP TLV. System capabilities, value can be bridge and/or
router.
Auto-Neg Supported/Enabled IEEE 802.3 Extensions MAC-PHY Configuration/Status TLV. Auto-
negotiation supported and enabled settings should be the same on the
two systems attached to the same link.
Auto-Neg Advertised IEEE 802.3 Extensions MAC-PHY Configuration/Status TLV. Lists the
configured advertised values on the port.
Operational Speed/Duplex/Type IEEE 802.3 Extensions MAC-PHY Configuration/Status TLV. Lists the
operational MAU type, duplex, and speed of the port. If the received TLV
indicates that auto-negotiation is supported but not enabled, these values
will be used by the port.
Max Frame Size (bytes) IEEE 802.3 Extensions Maximum Frame Size TLV. Value indicates
maximum frame size capability of the device's MAC and PHY. In normal
mode, max frame size is 1522 bytes. In jumbo mode, max frame size is
10239 bytes.
Vlan Id IEEE 802.1 Extensions Port VLAN ID TLV. Value is port VLAN ID (pvid).
LAG Supported/Enabled/Id IEEE 802.3 Extensions Link Aggregation TLV. Values indicate whether the
link associated with this port can be aggregated, whether it is currently
aggregated, and if aggregated, the aggregated port identifier.
Protocol Id IEEE 802.1 Extensions Protocol Identity TLV. Values can include
Spanning tree, LACP, and GARP protocols and versions. Only those
protocols enabled on the port are displayed.
Network Policy (app/tag/vlanId/cos/dscp) LLDP-MED Extensions Network Policy TLV. For all
applications enabled on the port to be transmitted in a TLV, displays the application name,
VLAN type (tagged or untagged), VLAN Id, and both the Layer 2 and
Layer 3 priorities associated with the application.
ECS ELIN LLDP-MED Extensions Location Identification TLV. Emergency Call
Services (ECS) Emergency Location Identification Number (ELIN) is
currently the only type supported. Value is the ELIN configured on this
port.
PoE Device LLDP-MED Extensions Extended Power via MDI TLV. Displayed only
when a port has PoE capabilities. Value is the Power Type of the device.
On a switch port, the value is Power Sourcing Entity (PSE).
PoE Power Source LLDP-MED Extensions Extended Power via MDI TLV. Displayed only
when a port has PoE capabilities. Value can be primary or backup,
indicating whether the PSE is using its primary or backup power source.
PoE MDI Supported/Enabled IEEE 802.3 Extensions Power via MDI TLV. Displayed only when a port
has PoE capabilities. Indicates whether sending the Power via MDI TLV is
supported/enabled. Value can be yes or no.
PoE Pair Controllable/Used IEEE 802.3 Extensions Power via MDI TLV. Displayed only when a port
has PoE capabilities. Indicates whether pair selection can be controlled on
the given port (refer to RFC 3621). Value for Controllable can be true or
false. Value of Used can be signal (signal pairs only are in use) or spare
(spare pairs only are in use).
PoE Power Class IEEE 802.3 Extensions Power via MDI TLV. Displayed only when a port
has PoE capabilities. Indicates the power class supplied by the port. Value
can range from 0 to 4.
show lldp port remote-info
Use this command to display the remote system information stored for a remote device connected
to a local port. You can use this information to detect misconfigurations or incompatibilities
between the local port and the attached endpoint device (remote port).
Syntax
show lldp port remote-info [port-string]
Parameters
Defaults
If port-string is not specified, remote system information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display the remote system information stored for port ge.3.1. The
remote system information was received from an IP phone, which is an LLDP-MED-enabled
device. Table 6-5 describes the output fields that are unique to the remote system information
displayed for a MED-enabled device.
C3(ro)->show lldp port remote-info ge.3.1
Local Port : ge.3.1    Remote Port Id : 00-09-6e-0e-14-3d
---------------------
Mgmt Addr                     : 0.0.0.0
Chassis ID                    : 0.0.0.0
Device Type                   : Communication Device Endpoint (class III)
Sys Name                      : AVE0E143D
Sys Cap Supported/Enabled     : bridge, telephone/bridge
Auto-Neg Supported/Enabled    : yes/yes
Auto-Neg Advertised           : 10BASE-T, 10BASE-TFD
                              : 100BASE-TX, 100BASE-TXFD
                              : pause, Spause
Operational Speed/Duplex/Type : 100/full/TX
Network Policy
(app/tag/vlanId/cos/dscp)     : voice/untagged/0/6/46
Table 6-4 show lldp port local-info Output Details (Continued)
Output Field           What it Displays...
PoE Power Limit (mW)   LLDP-MED Extensions Extended Power via MDI TLV. Displayed only
                       when a port has PoE capabilities. Indicates the total power the port is
                       capable of sourcing over a maximum length cable, based on its current
                       configuration, in milli-Watts.
PoE Power Priority     LLDP-MED Extensions Extended Power via MDI TLV. Displayed only
                       when a port has PoE capabilities. Indicates the power priority configured
                       on the port. Value can be critical, high, or low.
port-string   (Optional) Displays remote system information for one or a range of
              ports.
Hardware Revision             : 4610D01A
Firmware Revision             : b10d01b2_7.bin
Software Revision             : a10d01b2_7.bin
Serial Number                 : 05GM42004348
Manufacturer                  : Avaya
Model Number                  : 4610
Note that the information fields displayed by the show lldp port remote-info command will vary,
depending on the type of remote device that is connected to the port.
Table 6-5 describes the output fields that are unique to the remote system information database.
Refer to Table 6-4 on page 6-19 for descriptions of the information fields that are common to both the
local and the remote system information databases.
show lldp port network-policy
Use this command to display LLDP port network policy configuration information. Network
policy information is configured using the set lldp port network-policy command.
Syntax
show lldp port network-policy {all | voice | voice-signaling | guest-voice |
guest-voice-signaling | softphone-voice | video-conferencing | streaming-video |
video-signaling} [port-string]
Parameters
Table 6-5 show lldp port remote-info Output Display
Output Field What it Displays...
Remote Port Id Displays whatever port Id information received in the LLDPDU from the remote
device. In this case, the port Id is MAC address of remote device.
Device Type Mandatory LLDP-MED Capabilities TLV. Displayed only when the port is
connected to an LLDP-MED-capable endpoint device.
Hardware Revision LLDP-MED Extensions Inventory Management TLV component.
Firmware Revision LLDP-MED Extensions Inventory Management TLV component.
Software Revision LLDP-MED Extensions Inventory Management TLV component.
Serial Number LLDP-MED Extensions Inventory Management TLV component.
Manufacturer LLDP-MED Extensions Inventory Management TLV component.
Model Number LLDP-MED Extensions Inventory Management TLV component.
Asset ID LLDP-MED Extensions Inventory Management TLV component. In the above
example, no asset ID was received from the remote device so the field is not
displayed.
all                     Displays information about all network policy applications.
voice                   Displays information about only the voice application type.
voice-signaling         Displays information about only the voice signaling application
                        type.
guest-voice             Displays information about only the guest voice application type.
guest-voice-signaling   Displays information about only the guest voice signaling
                        application type.
Defaults
If port-string is not specified, only non-default values will be displayed for all ports that have
non-default values configured.
If a port-string is specified, then all values, default and non-default, are displayed for the specified
ports.
Mode
Switch command, read-only.
Example
This example shows how to display all LLDP network policy information for ge.1.1.
C3(ro)->show lldp port network-policy all ge.1.1
Ports    Application             State     Tag        Vlan-Id   Cos   Dscp
---------------------------------------------------------------------------
ge.1.1   voice                   enabled   untagged   1         0     0
         voice signaling         enabled   untagged   1         0     0
         guest voice             enabled   untagged   1         0     0
         guest voice signaling   enabled   untagged   1         0     0
         softphone voice         enabled   untagged   1         0     0
         video conferencing      enabled   untagged   1         0     0
         streaming video         enabled   untagged   1         0     0
         video signaling         enabled   untagged   1         0     0
set lldp tx-interval
Usethiscommandtosetthetime,inseconds,betweensuccessiveLLDPframetransmissions
initiatedbychangesintheLLDPlocalsysteminformation.
Syntax
set lldp tx-interval frequency
Parameters
softphonevoice Displaysinformationaboutonlythesoftphonevoiceapplication
type.
videoconferencing Displaysinformationaboutonlythevideoconferencing
applicationtype.
streamingvideo Displaysinformationaboutonlythestreamingvideoapplication
type.
videosignaling Displaysinformationaboutonlythevideosignalingapplication
type.
portstring (Optional)DisplaysinformationaboutLLDPnetworkpolicyfor
oneorarangeofports.
frequency SpecifiesthenumberofsecondsbetweentransmissionsofLLDP
frames.Valuecanrangefrom5to32,768seconds.Thedefaultis30
seconds.
set lldp hold-multiplier
6-24 Discovery Protocol Configuration
Defaults
None.
Mode
Switchcommand,readwrite.
Example
Thisexamplesetsthetransmitintervalto20seconds.
C3( r w) - >set l l dp t x- i nt er val 20
set lldp hold-multiplier
Use this command to set the time-to-live value used in LLDP frames sent by this device. The time-to-live for LLDPDU data is calculated by multiplying the transmit interval by the hold multiplier value.
Syntax
set lldp hold-multiplier multiplier-val
Parameters
multiplier-val    Specifies the multiplier to apply to the transmit interval to determine the time-to-live value. Value can range from 2 to 10. Default value is 4.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the transmit interval to 20 seconds and the hold multiplier to 5, which will configure a time-to-live of 100 to be used in the TTL field in the LLDPDU header.
C3(rw)->set lldp tx-interval 20
C3(rw)->set lldp hold-multiplier 5

set lldp trap-interval
Use this command to set the minimum interval between LLDP notifications sent by this device. LLDP notifications are sent when a remote system change has been detected.
Syntax
set lldp trap-interval frequency
Parameters
frequency    Specifies the minimum time between LLDP trap transmissions, in seconds. The value can range from 5 to 3600 seconds. The default value is 5 seconds.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the minimum interval between LLDP traps to 10 seconds.
C3(rw)->set lldp trap-interval 10

set lldp med-fast-repeat
Network connectivity devices transmit only LLDP TLVs in LLDPDUs until they detect that an LLDP-MED endpoint device has connected to a port. At that point, the network connectivity device starts sending LLDP-MED TLVs at a fast start rate on that port. Use this command to set the number of successive LLDPDUs (with LLDP-MED TLVs) to be sent for one complete fast start interval.
Syntax
set lldp med-fast-repeat count
Parameters
count    Specifies the number of fast start LLDPDUs to be sent when an LLDP-MED endpoint device is detected. Value can range from 1 to 10. Default is 3.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the number of fast start LLDPDUs to be sent to 4.
C3(rw)->set lldp med-fast-repeat 4
set lldp port status
Use this command to enable or disable transmitting and processing received LLDPDUs on a port or range of ports.
Syntax
set lldp port status {tx-enable | rx-enable | both | disable} port-string
Parameters
tx-enable      Enables transmitting LLDPDUs on the specified ports.
rx-enable      Enables receiving and processing LLDPDUs from remote systems on the specified ports.
both           Enables both transmitting and processing received LLDPDUs on the specified ports.
disable        Disables both transmitting and processing received LLDPDUs on the specified ports.
port-string    Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Example
This example enables both transmitting LLDPDUs and receiving and processing LLDPDUs from remote systems on ports ge.1.1 through ge.1.6.
C3(rw)->set lldp port status both ge.1.1-6

set lldp port trap
Use this command to enable or disable sending LLDP notifications (traps) when a remote system change is detected.
Syntax
set lldp port trap {enable | disable} port-string
Parameters
enable         Enable transmitting LLDP traps on the specified ports.
disable        Disable transmitting LLDP traps on the specified ports.
port-string    Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Example
This example enables transmitting LLDP traps on ports ge.1.1 through ge.1.6.
C3(rw)->set lldp port trap enable ge.1.1-6
set lldp port med-trap
Use this command to enable or disable sending an LLDP-MED notification when a change in the topology has been sensed on the port (that is, a remote endpoint device has been attached or removed from the port).
Syntax
set lldp port med-trap {enable | disable} port-string
Parameters
enable         Enables transmitting LLDP-MED traps on the specified ports.
disable        Disables transmitting LLDP-MED traps on the specified ports.
port-string    Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Example
This example enables transmitting LLDP-MED traps on ports ge.1.1 through ge.1.6.
C3(rw)->set lldp port med-trap enable ge.1.1-6

set lldp port location-info
Use this command to configure LLDP-MED location information on a port or range of ports. Currently, only Emergency Call Services (ECS) Emergency Location Identification Number (ELIN) is supported.
Syntax
set lldp port location-info elin elin-string port-string
Parameters
elin           Specifies that the ECS ELIN data format is to be used.
elin-string    Specifies the location identifier. Value can be from 10 to 25 numerical characters.
port-string    Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Example
After you configure a location information value, you must also configure the port to send the Location Information TLV with the set lldp port tx-tlv command. This example configures the ELIN identifier 5551234567 on ports ge.1.1 through ge.1.6 and then configures the ports to send the Location Information TLV.
C3(rw)->set lldp port location-info elin 5551234567 ge.1.1-6
C3(rw)->set lldp port tx-tlv med-loc ge.1.1-6
set lldp port tx-tlv
Use this command to select the optional LLDP and LLDP-MED TLVs to be transmitted in LLDPDUs by the specified port or ports. Use the show lldp port local-info command to display the values of these TLVs for the port.
Syntax
set lldp port tx-tlv {[all] | [port-desc] [sys-name] [sys-desc] [sys-cap] [mgmt-addr] [vlan-id] [stp] [lacp] [gvrp] [mac-phy] [poe] [link-aggr] [max-frame] [med-cap] [med-pol] [med-loc] [med-poe]} port-string
Parameters
all            Adds all optional TLVs to transmitted LLDPDUs.
port-desc      Port Description optional basic LLDP TLV. Value sent is ifDescr object defined in RFC 2863.
sys-name       System Name optional basic LLDP TLV. Value sent is the administratively assigned name for the system.
sys-desc       System Description optional basic LLDP TLV. Value sent is sysDescr object defined in RFC 3418.
sys-cap        System Capabilities optional basic LLDP TLV. For a network connectivity device, value sent can be bridge and/or router.
mgmt-addr      Management Address optional basic LLDP TLV. Value sent is IPv4 address of host interface.
vlan-id        Port VLAN ID IEEE 802.1 Extensions TLV. Value sent is port VLAN ID (PVID).
stp            Spanning Tree information defined by Protocol Identity IEEE 802.1 Extensions TLV. If STP is enabled on the port, value sent includes version of protocol being used.
lacp           LACP information defined by Protocol Identity IEEE 802.1 Extensions TLV. If LACP is enabled on the port, value sent includes version of protocol being used.
gvrp           GVRP information defined by Protocol Identity IEEE 802.1 Extensions TLV. If LACP is enabled on the port, value sent includes version of protocol being used.
mac-phy        MAC-PHY Configuration/Status IEEE 802.3 Extensions TLV. Value sent includes the operational MAU type, duplex, and speed of the port.
poe            Power via MDI IEEE 802.3 Extensions TLV. Values sent include whether pair selection can be controlled on port, and the power class supplied by the port. Only valid for PoE-enabled ports.
link-aggr      Link Aggregation IEEE 802.3 Extensions TLV. Values sent indicate whether the link associated with this port can be aggregated, whether it is currently aggregated, and if aggregated, the aggregated port identifier.
max-frame      Maximum Frame Size IEEE 802.3 Extensions TLV. Value sent indicates maximum frame size of the port's MAC and PHY.
med-cap        LLDP-MED Capabilities TLV. Value sent indicates the capabilities (whether the device supports location information, network policy, extended power via MDI) and Device Type (network connectivity device) of the sending device.
med-pol        LLDP-MED Network Policy TLV. Values sent include application name, VLAN type (tagged or untagged), VLAN ID, and both Layer 2 and Layer 3 priorities associated with application, for all applications enabled on the port. See the set lldp port network-policy command for more information.
med-loc        LLDP-MED Location Identification TLV. Value sent is the ECS ELIN value configured on the port. See the set lldp port location-info command for more information.
med-poe        LLDP-MED Extended Power via MDI TLV. Values sent include the Power Limit (total power the port is capable of sourcing over a maximum length cable) and the power priority configured on the port. Only valid for PoE-enabled ports.
port-string    Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Example
This example configures the management address, MED capability, MED network policy, and MED location identification TLVs to be sent in LLDPDUs by port ge.1.1.
C3(rw)->set lldp port tx-tlv mgmt-addr med-cap med-pol med-loc ge.1.1
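
The med-pol entry above lists what the LLDP-MED Network Policy TLV carries: application, tagged or untagged, VLAN ID, and the Layer 2 and Layer 3 priorities. As an added example (not from the Enterasys guide or firmware), this Python code packs and unpacks that TLV using the ANSI/TIA-1057 field layout, so a TLV captured on an endpoint-facing port can be compared with the policy that was meant to be configured. The function names and the sample TLV bytes are constructed for illustration.

```python
import struct

ORG_SPECIFIC_TLV = 127               # LLDP TLV type for organizationally specific TLVs
TIA_OUI = bytes.fromhex("0012bb")    # OUI carried by LLDP-MED TLVs
SUBTYPE_NETWORK_POLICY = 2           # LLDP-MED subtype for Network Policy

# Application type codes (ANSI/TIA-1057), keyed by this guide's CLI keywords.
APP_TYPES = {
    "voice": 1, "voice-signaling": 2, "guest-voice": 3,
    "guest-voice-signaling": 4, "softphone-voice": 5,
    "video-conferencing": 6, "streaming-video": 7, "video-signaling": 8,
}
APP_NAMES = {code: name for name, code in APP_TYPES.items()}


def encode_network_policy(app, tagged, vid, cos=0, dscp=0):
    """Build one Network Policy TLV. vid is 1-4093 or "dot1p" (priority tagged)."""
    if app not in APP_TYPES:
        raise ValueError(f"unknown application {app!r}")
    vlan = 0 if vid == "dot1p" else int(vid)   # VLAN ID 0 means priority-tagged
    if vid != "dot1p" and not 1 <= vlan <= 4093:
        raise ValueError("vlan-id must be 1-4093 or dot1p")
    if not 0 <= cos <= 7 or not 0 <= dscp <= 63:
        raise ValueError("cos must be 0-7 and dscp 0-63")
    # 24-bit policy word: U(1) T(1) X(1) VLAN ID(12) L2 priority(3) DSCP(6)
    word = (int(bool(tagged)) << 22) | (vlan << 9) | (cos << 6) | dscp
    body = (TIA_OUI + bytes([SUBTYPE_NETWORK_POLICY, APP_TYPES[app]])
            + word.to_bytes(3, "big"))
    # TLV header: 7-bit type followed by 9-bit length of the body
    return struct.pack("!H", (ORG_SPECIFIC_TLV << 9) | len(body)) + body


def decode_network_policy(tlv):
    """Parse one TLV; raises ValueError if it is not a Network Policy TLV."""
    if len(tlv) < 2:
        raise ValueError("truncated TLV header")
    (header,) = struct.unpack("!H", tlv[:2])
    tlv_type, length = header >> 9, header & 0x1FF
    body = tlv[2:2 + length]
    if tlv_type != ORG_SPECIFIC_TLV or length != 8 or len(body) != 8:
        raise ValueError("not an 8-byte organizationally specific TLV")
    if body[:3] != TIA_OUI or body[3] != SUBTYPE_NETWORK_POLICY:
        raise ValueError("not an LLDP-MED Network Policy TLV")
    word = int.from_bytes(body[5:8], "big")
    tagged = bool((word >> 22) & 1)
    vlan = (word >> 9) & 0xFFF
    return {
        "app": APP_NAMES.get(body[4], f"reserved-{body[4]}"),
        "unknown_policy": bool((word >> 23) & 1),
        "tagged": tagged,
        # The guide notes that VLAN ID and CoS are ignored when untagged.
        "vid": None if not tagged else ("dot1p" if vlan == 0 else vlan),
        "cos": ((word >> 6) & 0x7) if tagged else None,
        "dscp": word & 0x3F,
    }


def policy_mismatches(expected, tlv):
    """Names of fields where the advertised TLV differs from the intended policy."""
    seen = decode_network_policy(tlv)
    return [field for field, value in expected.items() if seen.get(field) != value]


# Constructed sample: the TLV a voice policy that is tagged with dot1p would
# produce, assuming cos and dscp are left at 0.
SAMPLE_TLV = bytes.fromhex("fe080012bb0201400000")

if __name__ == "__main__":
    intended = {"app": "voice", "tagged": True, "vid": "dot1p", "cos": 0, "dscp": 0}
    print(decode_network_policy(SAMPLE_TLV))
    print("mismatches:", policy_mismatches(intended, SAMPLE_TLV))
```
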
set lldp port network-policy
Use this command to configure LLDP network policies for a set of applications on a port or range of ports. The policies configured with this command are sent in LLDPDUs as LLDP-MED Network Policy TLVs. Multiple Network Policy TLVs can be sent in a single LLDPDU.
Syntax
set lldp port network-policy {all | voice | voice-signaling | guest-voice | guest-voice-signaling | softphone-voice | video-conferencing | streaming-video | video-signaling} [state {enable | disable}] [tag {tagged | untagged}] [vid {vlan-id | dot1p}] [cos cos-value] [dscp dscp-value] port-string
Parameters
all                      Configures all applications.
voice                    Configures the voice application.
voice-signaling          Configures the voice signaling application. This application will not be advertised if the voice application is configured with the same parameters.
guest-voice              Configures the guest voice application.
guest-voice-signaling    Configures the guest voice signaling application. This application will not be advertised if the guest-voice application is configured with the same parameters.
softphone-voice          Configures the softphone voice application.
video-conferencing       Configures the video conferencing application.
streaming-video          Configures the streaming video application.
video-signaling          Configures the video signaling application. This application will not be advertised if the video-conferencing application is configured with the same parameters.
state enable | disable   (Optional) Enables or disables advertising the application information being configured.
tag tagged | untagged    (Optional) Indicates whether the application being configured is using a tagged or untagged VLAN. If untagged, both the VLAN ID and the CoS priority fields are ignored and only the DSCP value has relevance.
vid vlan-id | dot1p      (Optional) VLAN identifier for the port. The value of vlan-id can range from 1 to 4093. Use dot1p if the device is using priority tagged frames, meaning that only the IEEE 802.1D priority level is significant and the default PVID of the ingress port is used.
cos cos-value            (Optional) Specifies the Layer 2 priority to be used for the application being configured. The value can range from 0 to 7. A value of 0 represents use of the default priority as defined in IEEE 802.1D.
dscp dscp-value          (Optional) Specifies the DSCP value to be used to provide Diffserv node behavior for the application being configured. The value can range from 0 to 63. A value of 0 represents use of the default DSCP value as defined in RFC 2475.
port-string              Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Usage
This feature allows administrators to quickly provision LLDP endpoints via the switch. LLDP clients will use these LLDP network policy parameters for traffic originating from the endpoint.
As described in the ANSI/TIA Standards document 1057, the Network Policy TLV is intended for use with applications that have specific real-time network policy requirements, such as interactive voice and/or video services, and should be implemented only on direct links between network connectivity devices and endpoint devices. Refer to the ANSI/TIA Standards document 1057 for descriptions of the application types.
After you configure Network Policy TLVs, you must also configure the port to send the Network Policy TLV with the set lldp port tx-tlv command.
Example
This example configures the voice application TLV on port ge.2.1 and then configures the port to send the Network Policy TLV.
C3(rw)->set lldp port network-policy voice state enable tag tagged vid dot1p ge.2.1
C3(rw)->set lldp port tx-tlv med-pol ge.2.1

clear lldp
Use this command to return LLDP parameters to their default values.
Syntax
clear lldp {all | tx-interval | hold-multiplier | trap-interval | med-fast-repeat}
Parameters
all                Returns all LLDP configuration parameters to their default values, including port LLDP configuration parameters.
tx-interval        Returns the number of seconds between transmissions of LLDP frames to the default of 30 seconds.
hold-multiplier    Returns the multiplier to apply to the transmit interval to determine the time-to-live value to the default value of 4.
trap-interval      Returns the minimum time between LLDP trap transmissions to the default value of 5 seconds.
med-fast-repeat    Returns the number of fast start LLDPDUs to be sent when an LLDP-MED endpoint device is detected to the default of 3.
Defaults
None.
Mode
Switch command, read-write.
Example
This example returns the transmit interval to the default value of 30 seconds.
C3(rw)->clear lldp tx-interval
clear lldp port status
Use this command to return the port status to the default value of both (both transmitting and processing received LLDPDUs are enabled).
Syntax
clear lldp port status port-string
Parameters
port-string    Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Example
This example returns port ge.1.1 to the default state of enabled for both transmitting and processing received LLDPDUs.
C3(rw)->clear lldp port status ge.1.1

clear lldp port trap
Use this command to return the port LLDP trap setting to the default value of disabled.
Syntax
clear lldp port trap port-string
Parameters
port-string    Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Example
This example returns port ge.1.1 to the default LLDP trap state of disabled.
C3(rw)->clear lldp port trap ge.1.1

clear lldp port med-trap
Use this command to return the port LLDP-MED trap setting to the default value of disabled.
Syntax
clear lldp port med-trap port-string
Parameters
port-string    Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Example
This example returns port ge.1.1 to the default LLDP-MED trap state of disabled.
C3(rw)->clear lldp port med-trap ge.1.1

clear lldp port location-info
Use this command to return the port ECS ELIN location setting to the default value of null.
Syntax
clear lldp port location-info elin port-string
Parameters
elin           Specifies that the ECS ELIN location information value should be cleared.
port-string    Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Example
This example returns the location information ELIN value on port ge.1.1 to the default value of null.
C3(rw)->clear lldp port location-info elin ge.1.1
clear lldp port network-policy
Use this command to return LLDP network policy for a set of applications on a port or range of ports to default values.
Syntax
clear lldp port network-policy {all | voice | voice-signaling | guest-voice | guest-voice-signaling | softphone-voice | video-conferencing | streaming-video | video-signaling} {[state] [tag] [vid] [cos] [dscp]} port-string
Parameters
all                      Applies command to all applications.
voice                    Applies command to the voice application.
voice-signaling          Applies command to the voice signaling application.
guest-voice              Applies command to the guest voice application.
guest-voice-signaling    Applies command to the guest voice signaling application.
softphone-voice          Applies command to the softphone voice application.
video-conferencing       Applies command to the video conferencing application.
streaming-video          Applies command to the streaming video application.
video-signaling          Applies command to the video signaling application.
state                    (Optional) Clears the state of advertising the application information being configured to disabled.
tag                      (Optional) Clears the tag value of the application being configured to untagged.
vid                      (Optional) Clears the VLAN identifier for the port to the default value of 1.
cos                      (Optional) Clears the Layer 2 priority to be used for the application being configured to the default value of 0. (A value of 0 represents use of the default priority as defined in IEEE 802.1D.)
dscp                     (Optional) Clears the DSCP value to be used to provide Diffserv node behavior for the application being configured to the default value of 0. (A value of 0 represents use of the default DSCP value as defined in RFC 2475.)
port-string              Specifies the port or range of ports to be affected.
Defaults
At least one application (or all) and one policy parameter must be specified.
Mode
Switch command, read-write.
Example
This example returns all network policy values for all applications on port ge.1.1 to their default values.
C3(rw)->clear lldp port network-policy all state tag vid cos dscp ge.1.1
clear lldp port tx-tlv
Use this command to clear the optional LLDP and LLDP-MED TLVs to be transmitted in LLDPDUs by the specified port or ports to the default value of disabled.
Syntax
clear lldp port tx-tlv {[all] | [port-desc] [sys-name] [sys-desc] [sys-cap] [mgmt-addr] [vlan-id] [stp] [lacp] [gvrp] [mac-phy] [poe] [link-aggr] [max-frame] [med-cap] [med-pol] [med-loc] [med-poe]} port-string
Parameters
all            Disables all optional TLVs from being transmitted in LLDPDUs.
port-desc      Disables the Port Description optional basic LLDP TLV from being transmitted in LLDPDUs.
sys-name       Disables the System Name optional basic LLDP TLV from being transmitted in LLDPDUs.
sys-desc       Disables the System Description optional basic LLDP TLV from being transmitted in LLDPDUs.
sys-cap        Disables the System Capabilities optional basic LLDP TLV from being transmitted in LLDPDUs.
mgmt-addr      Disables the Management Address optional basic LLDP TLV from being transmitted in LLDPDUs.
vlan-id        Disables the Port VLAN ID IEEE 802.1 Extensions TLV from being transmitted in LLDPDUs.
stp            Disables the Spanning Tree information defined by Protocol Identity IEEE 802.1 Extensions TLV from being transmitted in LLDPDUs.
lacp           Disables the LACP information defined by Protocol Identity IEEE 802.1 Extensions TLV from being transmitted in LLDPDUs.
gvrp           Disables the GVRP information defined by Protocol Identity IEEE 802.1 Extensions TLV from being transmitted in LLDPDUs.
mac-phy        Disables the MAC-PHY Configuration/Status IEEE 802.3 Extensions TLV from being transmitted in LLDPDUs.
poe            Disables the Power via MDI IEEE 802.3 Extensions TLV from being transmitted in LLDPDUs. Only valid for PoE-enabled ports.
link-aggr      Disables the Link Aggregation IEEE 802.3 Extensions TLV from being transmitted in LLDPDUs.
max-frame      Disables the Maximum Frame Size IEEE 802.3 Extensions TLV from being transmitted in LLDPDUs.
med-cap        Disables the LLDP-MED Capabilities TLV from being transmitted in LLDPDUs.
med-pol        Disables the LLDP-MED Network Policy TLV from being transmitted in LLDPDUs.
med-loc        Disables the LLDP-MED Location Identification TLV from being transmitted in LLDPDUs.
med-poe        Disables the LLDP-MED Extended Power via MDI TLV from being transmitted in LLDPDUs. Only valid for PoE-enabled ports.
port-string    Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Example
This example disables the management address, MED capability, MED network policy, and MED location identification TLVs from being sent in LLDPDUs by port ge.1.1.
C3(rw)->clear lldp port tx-tlv mgmt-addr med-cap med-pol med-loc ge.1.1
7
Port Configuration
This chapter describes the Port Configuration set of commands and how to use them.
For information about...                             Refer to page...
Port Configuration Summary                           7-1
Reviewing Port Status                                7-2
Disabling / Enabling and Naming Ports                7-7
Setting Speed and Duplex Mode                        7-11
Enabling / Disabling Jumbo Frame Support             7-14
Setting Auto-Negotiation and Advertised Ability      7-16
Setting Flow Control                                 7-22
Setting Port Link Traps and Link Flap Detection      7-24
Configuring Broadcast Suppression                    7-33
Port Mirroring                                       7-36
Link Aggregation Control Protocol (LACP)             7-42
Configuring Protected Ports                          7-56

Port Configuration Summary
Port String Syntax Used in the CLI
Commands requiring a port-string parameter use the following syntax to designate port type, slot location, and port number:
port type.unit_or_slot number.port number
Where port type can be:
fe for 100 Mbps Ethernet
ge for 1 Gbps Ethernet
tg for 10 Gbps Ethernet
host for the host port
vlan for vlan interfaces
lag for IEEE 802.3 link aggregation ports
Where unit_or_slot number can be:
1 - 8 for switch units in a stack
Where port number depends on the device. The highest valid port number is dependent on the number of ports in the device and the port type.
Port Slot/Unit Parameters Used in the CLI
The "unit" parameter is often used interchangeably with "module" in the standalone switch CLI to indicate a module slot location.
Examples
This example shows the port-string syntax for specifying the 1-Gigabit Ethernet port 14 in slot unit 3.
ge.3.14
This example shows the port-string syntax for specifying all 1-Gigabit Ethernet ports in slot unit 3 in the system.
ge.3.*
This example shows the port-string syntax for specifying all ports (of any interface type) in the system.
*.*.*
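
The port-string forms shown above (a single port, the * wildcard, and the n-m port ranges used in this guide's command examples, such as ge.1.1-6) can be expanded against a port inventory to check which ports a command will touch and which it leaves out. This is an added Python example, not part of the Enterasys CLI. The function names and the inventory are constructed, and forms not shown on this page (for example comma-separated lists) are rejected.

```python
import re

# Port types listed under "Port String Syntax Used in the CLI".
PORT_TYPES = ("fe", "ge", "tg", "host", "vlan", "lag")


def parse_port_string(port_string):
    """Split 'type.unit.port' into (type, unit, (low, high)).

    A '*' field is returned as None, meaning "any". Ranges are accepted
    only in the port number field, as in the guide's ge.1.1-6 examples.
    """
    fields = port_string.split(".")
    if len(fields) != 3:
        raise ValueError(f"expected type.unit.port, got {port_string!r}")
    ptype, unit, port = fields
    if ptype != "*" and ptype not in PORT_TYPES:
        raise ValueError(f"unknown port type {ptype!r}")
    if unit != "*" and not re.fullmatch(r"[0-9]+", unit):
        raise ValueError(f"bad unit or slot number {unit!r}")
    if port == "*":
        port_range = None
    else:
        m = re.fullmatch(r"([0-9]+)(?:-([0-9]+))?", port)
        if not m:
            raise ValueError(f"bad port number {port!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if low > high:
            raise ValueError(f"descending range in {port_string!r}")
        port_range = (low, high)
    return (None if ptype == "*" else ptype,
            None if unit == "*" else int(unit),
            port_range)


def matches(port_string, port):
    """True if the concrete port name (e.g. 'ge.1.4') is selected by port_string."""
    want_type, want_unit, want_range = parse_port_string(port_string)
    ptype, unit, number = parse_port_string(port)
    if ptype is None or unit is None or number is None or number[0] != number[1]:
        raise ValueError(f"{port!r} is not a single port")
    return ((want_type is None or want_type == ptype)
            and (want_unit is None or want_unit == unit)
            and (want_range is None or want_range[0] <= number[0] <= want_range[1]))


def expand(port_string, inventory):
    """Ports from the inventory that port_string selects, in inventory order."""
    return [p for p in inventory if matches(port_string, p)]


def uncovered(port_strings, inventory):
    """Ports in the inventory that none of the given port-strings select."""
    return [p for p in inventory
            if not any(matches(s, p) for s in port_strings)]


# Constructed inventory for illustration only.
INVENTORY = [f"ge.1.{n}" for n in range(1, 7)] + ["ge.3.1", "ge.3.14", "fe.3.1"]

if __name__ == "__main__":
    print(expand("ge.3.*", INVENTORY))
    # Which ports would a pair of commands using these port-strings miss?
    print(uncovered(["ge.1.1-6", "fe.3.*"], INVENTORY))
```
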
Note: You can use a wildcard (*) to indicate all of an item. For example, fe.3.* would represent all 100Mbps Ethernet (fe) ports in slot 3, and ge.3.* would represent all 1-Gigabit Ethernet (ge) ports in slot 3.

Reviewing Port Status
Purpose
To display operating status, duplex mode, speed, port type, and statistical information about traffic received and transmitted through one or all switch ports on the device.
Commands
For information about...    Refer to page...
show port                   7-3
show port status            7-3
show port counters          7-4
clear port counters         7-6
show port cablestatus       7-6
show port
Use this command to display whether or not one or more ports are enabled for switching.
Syntax
show port [port-string]
Parameters
port-string    (Optional) Displays operational status for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, operational status information for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display operational status information for ge.3.14:
C3(su)->show port ge.3.14
Port ge.3.14 enabled

show port status
Use this command to display operating and admin status, speed, duplex mode and port type for one or more ports on the device.
Syntax
show port status [port-string]
Parameters
port-string    (Optional) Displays status for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, status information for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display status information for ge.3.14:
C3(su)->show port status ge.3.14

Port       Alias          Oper     Admin    Speed   Duplex  Type
           (truncated)    Status   Status
--------------------------------------------------------------------
ge.3.14                   up       up       N/A     N/A     BaseT RJ45
Table 7-1 provides an explanation of the command output.
Table 7-1 show port status Output Details
Output Field         What It Displays...
Port                 Port designation. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Alias (truncated)    Alias configured for the port. For details on using the set port alias command, refer to "set port alias" on page 7-9.
Oper Status          Operating status (up or down).
Admin Status         Whether the specified port is enabled (up) or disabled (down). For details on using the set port disable command to change the default port status of enabled, refer to "set port disable" on page 7-8. For details on using the set port enable command to re-enable ports, refer to "set port enable" on page 7-8.
Speed                Operational speed in Mbps or Kbps of the specified port. For details on using the set port speed command to change defaults, refer to "set port speed" on page 7-12.
Duplex               Duplex mode (half or full) of the specified port. For details on using the set port duplex command to change defaults, refer to "Setting Auto-Negotiation and Advertised Ability" on page 7-16.
Type                 Physical port and interface type.

show port counters
Use this command to display port counter statistics detailing traffic through the device and through all MIB2 network devices.
Syntax
show port counters [port-string] [switch | mib2]
Parameters
port-string      (Optional) Displays counter statistics for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
switch | mib2    (Optional) Displays switch or MIB2 statistics. Switch statistics detail performance of the SecureStack C3 device. MIB2 interface statistics detail performance of all network devices.
Defaults
If port-string is not specified, counter statistics will be displayed for all ports.
If mib2 or switch are not specified, all counter statistics will be displayed for the specified port(s).
Mode
Switch command, read-only.
Examples
This example shows how to display all counter statistics, including MIB2 network traffic and traffic through the device for ge.3.1:
C3(su)->show port counters ge.3.1
Port: ge.3.1 MIB2 Interface: 1
No counter discontinuity time
-----------------------------------------------------------------
MIB2 Interface Counters
-----------------------
In Octets                0
In Unicast Pkts          0
In Multicast Pkts        0
In Broadcast Pkts        0
In Discards              0
In Errors                0
Out Octets               0
Out Unicasts Pkts        0
Out Multicast Pkts       0
Out Broadcast Pkts       0
Out Errors               0
802.1Q Switch Counters
----------------------
Frames Received          0
Frames Transmitted       0
This example shows how to display all ge.3.1 port counter statistics related to traffic through the device.
C3(su)->show port counters ge.3.1 switch
Port: ge.3.1 Bridge Port: 2

802.1Q Switch Counters
-----------------------
Frames Received          0
Frames Transmitted       0
Table 7-2 provides an explanation of the command output.
Table 7-2 show port counters Output Details
Output Field               What It Displays...
Port                       Port designation. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
MIB2 Interface             MIB2 interface designation.
Bridge Port                IEEE 802.1D bridge port designation.
MIB2 Interface Counters    MIB2 network traffic counts.
802.1Q Switch Counters     Counts of frames received, transmitted, and filtered.
clear port counters
Use this command to clear port counter statistics for a port or range of ports.
Syntax
clear port counters [port-string]
Parameters
port-string    (Optional) Specifies the port or range of ports to clear port counter statistics.
Defaults
If no port-string is specified, port counters are cleared for all ports.
Mode
Switch command, read-write.
Example
This example clears the port counters for ge.3.1.
C3(rw)->clear port counters ge.3.1

show port cablestatus
Use this command to troubleshoot and locate faults in copper cable connections on a per-port basis. This command is only available on switch platforms that provide 1 Gigabit Ethernet RJ45 ports.
Syntax
show port cablestatus [port-string]
Parameters
port-string    (Optional) Specifies the port or ports to show status for.
Defaults
If no port is specified, information about all ports will be displayed.
Mode
Switch command, read-only.
Usage
For 1 Gigabit Ethernet RJ45 ports only, this command will display the status of the port's cable connection (described in Table 7-3 below), and the approximate length of the cable attached to the port. If your switch platform does not support 1 GE RJ45 ports, this command will not be available.
If no cable is attached to the port, the status will be "Open" and no length will be shown. If the port is not a 1 GE RJ45 port, the command will return a status of "Not Supported".
Since running the cable diagnostics may momentarily interrupt packet flow, a warning message is displayed and you are prompted to continue.
Example
This example shows the cable status for 1 GE port ge.1.31.
C3(su)->show port cablestatus ge.1.31
Warning: port(s) will be offline momentarily.
Do you want to continue (y/n) [n]?y
Port       Status    Length
---------  --------  -------
ge.1.31    Normal    3(m)-5(m)
Table 7-3 provides an explanation of the command output.
Table 7-3 show port cablestatus Output Details
Output Field    What it displays...
Port            Lists the port designation.
Status          Indicates the status of the port. The value is one of the following:
                Normal = normal
                Open = no cable attached to port
                Short = detection of an inter-pair short
                Fail = unknown error or crosstalk
                Detach = indicates ports on stack units that are no longer present, but were previously connected
                Not Supported = ports other than 1GE RJ45 ports
Length          Indicates the approximate length of the cable attached to the port.

Disabling / Enabling and Naming Ports
Purpose
To disable and re-enable one or more ports, and to assign an alias to a port. By default, all ports are enabled at device startup. You may want to disable ports for security or to troubleshoot network issues. Ports may also be assigned an alias for convenience.
Commands
For information about...    Refer to page...
set port disable            7-8
set port enable             7-8
show port alias             7-9
set port alias              7-9
set port disable
Use this command to administratively disable one or more ports. When this command is executed, in addition to disabling the physical Ethernet link, the port will no longer learn entries in the forwarding database.
Syntax
set port disable port-string
Parameters
port-string    Specifies the port(s) to disable. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable ge.1.1:
C3(su)->set port disable ge.1.1

set port enable
Use this command to administratively enable one or more ports.
Syntax
set port enable port-string
Parameters
port-string    Specifies the port(s) to enable. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable ge.1.3:
C3(su)->set port enable ge.1.3
show port alias
Use this command to display the alias name for one or more ports.
Syntax
show port alias [port-string]
Parameters
port-string    (Optional) Displays alias name(s) for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, aliases for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display alias information for ports 1-3 on slot 3:
C3(rw)->show port alias ge.3.1-3
Port ge.3.1 user
Port ge.3.2 user
Port ge.3.3 Admin

set port alias
Use this command to assign an alias name to a port.
Syntax
set port alias port-string [name]
Parameters
port-string    Specifies the port to which an alias will be assigned. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
name           (Optional) Assigns an alias name to the port. If the alias name contains spaces, the text string must be surrounded by double quotes. Maximum length is 60 characters.
Defaults
If name is not specified, the alias assigned to the port will be cleared.
Mode
Switch command, read-write.
Examples
This example shows how to assign the alias "Admin" to ge.3.3:
C3(rw)->set port alias ge.3.3 Admin
This example shows how to clear the alias for ge.3.3:
C3(rw)->set port alias ge.3.3
Setting Speed and Duplex Mode
Purpose
To review and set the operational speed in Mbps and the default duplex mode: Half, for half duplex, or Full, for full duplex for one or more ports.
Note: These settings only take effect on ports that have auto-negotiation disabled.
Commands
For information about...    Refer to page...
show port speed             7-11
set port speed              7-12
show port duplex            7-12
set port duplex             7-16

show port speed
Use this command to display the default speed setting on one or more ports.
Syntax
show port speed [port-string]
Parameters
port-string    (Optional) Displays default speed setting(s) for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, default speed settings for all ports will display.
Mode
Switch command, read-only.
Example
This example shows how to display the default speed setting for 1-Gigabit Ethernet port 14 in slot 3:
C3(su)->show port speed ge.3.14
default speed is 10 on port ge.3.14.
set port speed
Use this command to set the default speed of one or more ports. This setting only takes effect on
ports that have auto-negotiation disabled.
Syntax
set port speed port-string {10 | 100 | 1000}
Parameters
port-string      Specifies the port(s) for which a speed value will be set. For a
                 detailed description of possible port-string values, refer to "Port
                 String Syntax Used in the CLI" on page 7-1.
10 | 100 | 1000  Specifies the port speed. Valid values are: 10 Mbps, 100 Mbps, or
                 1000 Mbps.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set ge.3.3 to a port speed of 10 Mbps:
C3(su)->set port speed ge.3.3 10
show port duplex
Use this command to display the default duplex setting (half or full) for one or more ports.
Syntax
show port duplex [port-string]
Parameters
port-string      (Optional) Displays default duplex setting(s) for specific port(s).
                 For a detailed description of possible port-string values, refer to
                 "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, default duplex settings for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the default duplex setting for Ethernet port 14 in slot 3:
C3(su)->show port duplex ge.3.14
default duplex mode is full on port ge.3.14.
set port duplex
Use this command to set the default duplex type for one or more ports. This command will only
take effect on ports that have auto-negotiation disabled.
Syntax
set port duplex port-string {full | half}
Parameters
port-string      Specifies the port(s) for which duplex type will be set. For a detailed
                 description of possible port-string values, refer to "Port String Syntax
                 Used in the CLI" on page 7-1.
full | half      Sets the port(s) to full-duplex or half-duplex operation.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set ge.1.17 to full duplex:
C3(su)->set port duplex ge.1.17 full
Enabling / Disabling Jumbo Frame Support
Purpose
To review, enable, and disable jumbo frame support on one or more ports. This allows Gigabit
Ethernet ports to transmit frames up to 10 KB in size.
Commands
For information about...    Refer to page...
show port jumbo             7-14
set port jumbo              7-15
clear port jumbo            7-15
show port jumbo
Use this command to display the status of jumbo frame support and maximum transmission units
(MTU) on one or more ports.
Syntax
show port jumbo [port-string]
Parameters
port-string      (Optional) Displays the status of jumbo frame support for specific
                 port(s). For a detailed description of possible port-string values, refer to
                 "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, jumbo frame support status for all ports will display.
Mode
Switch command, read-only.
Example
This example shows how to display the status of jumbo frame support for ge.1.1:
C3(su)->show port jumbo ge.1.1
Port Number    Jumbo Status    Max Frame Size
----------------------------------------------
ge.1.1         Enable          9216
set port jumbo
Use this command to enable or disable jumbo frame support on one or more ports.
Syntax
set port jumbo {enable | disable} [port-string]
Parameters
enable | disable Enables or disables jumbo frame support.
port-string      (Optional) Specifies the port(s) on which to disable or enable jumbo
                 frame support. For a detailed description of possible port-string values,
                 refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, jumbo frame support will be enabled or disabled on all ports.
Mode
Switch command, read-write.
Example
This example shows how to enable jumbo frame support for Gigabit Ethernet port 14 in unit/slot
3:
C3(su)->set port jumbo enable ge.3.14
clear port jumbo
Use this command to reset jumbo frame support status to enabled on one or more ports.
Syntax
clear port jumbo [port-string]
Parameters
port-string      (Optional) Specifies the port(s) on which to reset jumbo frame
                 support status to enabled. For a detailed description of possible
                 port-string values, refer to "Port String Syntax Used in the CLI" on
                 page 7-1.
Defaults
If port-string is not specified, jumbo frame support status will be reset on all ports.
Mode
Switch command, read-write.
Example
This example shows how to reset jumbo frame support status for Gigabit Ethernet port 14 in slot 3:
C3(su)->clear port jumbo ge.3.14
Setting Auto-Negotiation and Advertised Ability
Purpose
To review, disable or enable auto-negotiation, and to configure port advertisement for speed and
duplex.
During auto-negotiation, the port tells the device at the other end of the segment what its
capabilities and mode of operation are. If auto-negotiation is disabled, the port reverts to the
values specified by default speed, default duplex, and the port flow control commands.
In normal operation, with all capabilities enabled, advertised ability enables a port to advertise
that it has the ability to operate in any mode. The user may choose to configure a port so that only
a portion of its capabilities are advertised and the others are disabled.
Note: Advertised ability can be activated only on ports that have auto-negotiation enabled.
Commands
For information about...    Refer to page...
show port negotiation       7-16
set port negotiation        7-17
show port advertise         7-17
set port advertise          7-18
clear port advertise        7-19
show port mdix              7-20
set port mdix               7-20
show port negotiation
Use this command to display the status of auto-negotiation for one or more ports.
Syntax
show port negotiation [port-string]
Parameters
port-string      (Optional) Displays auto-negotiation status for specific port(s). For a
                 detailed description of possible port-string values, refer to "Port String
                 Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, auto-negotiation status for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display auto-negotiation status for 1-Gigabit Ethernet port 14 in slot 3:
C3(su)->show port negotiation ge.3.14
auto-negotiation is enabled on port ge.3.14.
set port negotiation
Use this command to enable or disable auto-negotiation on one or more ports.
Syntax
set port negotiation port-string {enable | disable}
Parameters
port-string      Specifies the port(s) for which to enable or disable auto-negotiation. For a
                 detailed description of possible port-string values, refer to "Port String
                 Syntax Used in the CLI" on page 7-1.
enable | disable Enables or disables auto-negotiation.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable auto-negotiation on 1-Gigabit Ethernet port 3 in slot 14:
C3(su)->set port negotiation ge.3.14 disable
show port advertise
Use this command to display port capability and advertisement as far as speed and duplex for
auto-negotiation.
Syntax
show port advertise [port-string]
Parameters
port-string      (Optional) Displays advertised ability for specific port(s). For a
                 detailed description of possible port-string values, refer to "Port String
                 Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, advertisement for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display advertisement status for Gigabit ports 13 and 14:
C3(su)->show port advertise ge.1.13-14
ge.1.13         capability   advertised   remote
-------------------------------------------------
10BASE-T        yes          yes          yes
10BASE-TFD      yes          yes          yes
100BASE-TX      yes          yes          yes
100BASE-TXFD    yes          yes          yes
1000BASE-T      no           no           no
1000BASE-TFD    yes          yes          yes
pause           yes          yes          no
ge.1.14         capability   advertised   remote
-------------------------------------------------
10BASE-T        yes          yes          yes
10BASE-TFD      yes          yes          yes
100BASE-TX      yes          yes          yes
100BASE-TXFD    yes          yes          yes
1000BASE-T      no           no           no
1000BASE-TFD    yes          yes          yes
pause           yes          yes          no
set port advertise
Use this command to configure what a port will advertise for speed/duplex capabilities in
auto-negotiation.
Syntax
set port advertise {port-string} {10t | 10tfd | 100tx | 100txfd | 1000t | 1000tfd | pause}
Parameters
port-string      Select the ports for which to configure advertisements. For a detailed
                 description of possible port-string values, refer to "Port String Syntax
                 Used in the CLI" on page 7-1.
10t              Advertise 10BASE-T half duplex mode.
10tfd            Advertise 10BASE-T full duplex mode.
100tx            Advertise 100BASE-TX half duplex mode.
100txfd          Advertise 100BASE-TX full duplex mode.
1000t            Advertise 1000BASE-T half duplex mode.
1000tfd          Advertise 1000BASE-T full duplex mode.
pause            Advertise PAUSE for full-duplex links.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to configure port 1 to advertise 1000BASE-T full duplex:
C3(su)->set port advertise ge.1.1 1000tfd
clear port advertise
Use this command to configure a port to not advertise a specific speed/duplex capability when
auto-negotiating with another port.
Syntax
clear port advertise {port-string} {10t | 10tfd | 100tx | 100txfd | 1000t | 1000tfd | pause}
Parameters
port-string      Clear advertisements for specific port(s). For a detailed description of
                 possible port-string values, refer to "Port String Syntax Used in the
                 CLI" on page 7-1.
10t              Do not advertise 10BASE-T half duplex mode.
10tfd            Do not advertise 10BASE-T full duplex mode.
100tx            Do not advertise 100BASE-TX half duplex mode.
100txfd          Do not advertise 100BASE-TX full duplex mode.
1000t            Do not advertise 1000BASE-T half duplex mode.
1000tfd          Do not advertise 1000BASE-T full duplex mode.
pause            Do not advertise PAUSE for full-duplex links.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to configure port 1 to not advertise 10 MB capability for
auto-negotiation:
C3(su)->clear port advertise ge.1.1 10t 10tfd
show port mdix
Use this command to display the status of cable connection type configuration mode for one or
more ports. Switch ports can automatically detect and configure the required cable type, either
straight-through (MDI) or cross-over (MDIX), or the ports can be configured to only allow one
type of cable type, either MDI or MDIX.
Syntax
show port mdix {all | auto | forced-auto | mdi | mdix} [port-string]
Parameters
all              Display information about all ports.
auto             Display information about the ports configured to automatically
                 determine the required MDI/MDIX mode.
forced-auto      Display information about the ports forced automatically to determine
                 the required MDI/MDIX mode.
mdi              Display information about the ports configured with MDI only mode.
mdix             Display information about the ports configured with MDIX only mode.
port-string      (Optional) Display the selected MDI/MDIX mode only for the port or
                 ports specified.
Defaults
If port-string is not specified, information is displayed for all ports.
Mode
Switch command, read-only.
Example
This example displays information about ports configured for MDIX only mode.
C3(su)->show port mdix mdix
Port Number    MDIX Mode
-------------------------------
ge.1.27        MDIX
ge.1.28        MDIX
set port mdix
Use this command to configure cable connection type configuration mode for one or more ports.
Syntax
set port mdix {auto | forced-auto | mdi | mdix} [port-string]
Parameters
auto             Configure ports to automatically determine the required MDI/MDIX
                 mode. This is the default condition.
forced-auto      Force ports to automatically determine the required MDI/MDIX mode.
mdi              Configure ports to use MDI mode only.
mdix             Configure ports to use MDIX mode only.
port-string      (Optional) Specify the port or ports to configure.
Defaults
If port-string is not entered, all ports on the switch are configured.
Mode
Switch command, read-write.
Usage
By default, Enterasys Networks switch devices are configured to automatically detect the cable
type connection, straight-through (MDI) or cross-over (MDIX), required by the cable connected to
the port. You can configure ports to only use MDI or MDIX connections with this command.
This command only configures Ethernet ports, and cannot be used to configure combo ports on
the switch.
Example
This example configures ports ge.1.1 and ge.1.2 to use MDIX mode.
C3(su)->set port mdix mdix ge.1.1-2
Setting Flow Control
Purpose
To review, enable or disable port flow control. Flow control is used to manage the transmission
between two devices as specified by IEEE 802.3x to prevent receiving ports from being
overwhelmed by frames from transmitting devices.
Commands
For information about...    Refer to page...
show flowcontrol            7-22
set flowcontrol             7-22
show flowcontrol
Use this command to display the flow control state.
Syntax
show flowcontrol
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the port flow control state:
C3(su)->show flowcontrol
Flow control status: enabled
set flowcontrol
Use this command to enable or disable flow control.
Syntax
set flowcontrol {enable | disable}
Parameters
enable | disable Enables or disables flow control settings.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable flow control:
C3(su)->set flowcontrol enable
Setting Port Link Traps and Link Flap Detection
Purpose
To disable or re-enable link traps, display link trap status, and to configure the link flapping
detection function. By default, all ports are enabled to send SNMP trap messages indicating
changes to their link status (up or down).
The link flap function detects when a link is going up and down rapidly (also called link
flapping) on a physical port, and takes the required actions (disable port, and eventually send
notification trap) to stop such a condition. If left unresolved, the link flapping condition can be
detrimental to network stability because it can trigger Spanning Tree and routing table
recalculation.
Commands
For information about...    Refer to page...
show port trap              7-24
set port trap               7-25
show linkflap               7-25
set linkflap globalstate    7-28
set linkflap portstate      7-28
set linkflap interval       7-29
set linkflap action         7-29
clear linkflap action       7-30
set linkflap threshold      7-30
set linkflap downtime       7-31
clear linkflap down         7-31
clear linkflap              7-32
show port trap
Use this command to display whether the port is enabled for generating an SNMP trap message if
its link state changes.
Syntax
show port trap [port-string]
Parameters
port-string      (Optional) Displays link trap status for specific port(s). For a detailed
                 description of possible port-string values, refer to "Port String Syntax Used
                 in the CLI" on page 7-1.
Defaults
If port-string is not specified, the trap status for all ports will be displayed.
Mode
Switch command, read-write.
Example
This example shows how to display link trap status for ge.3.1 through 4:
C3(su)->show port trap ge.3.1-4
Link traps enabled on port ge.3.1.
Link traps enabled on port ge.3.2.
Link traps enabled on port ge.3.3.
Link traps enabled on port ge.3.4.
set port trap
Use this command to enable or disable ports for sending SNMP trap messages when their link
status changes.
Syntax
set port trap port-string {enable | disable}
Parameters
port-string      Specifies the port(s) for which to enable or disable port traps. For a
                 detailed description of possible port-string values, refer to "Port String
                 Syntax Used in the CLI" on page 7-1.
enable | disable Enables or disables sending trap messages when link status changes.
Defaults
Sending traps when link status changes is enabled by default.
Mode
Switch command, read-write.
Example
The following example disables sending trap on ge.3.1.
C3(su)->set port trap ge.3.1 disable
show linkflap
Use this command to display link flap detection state and configuration information.
Syntax
show linkflap {globalstate | portstate | parameters | metrics | portsupported |
actsupported | maximum | downports | action | operstatus | threshold | interval
| downtime | currentcount | totalcount | timelapsed | violations [port-string]}
Parameters
globalstate      Displays the global enable state of link flap detection.
portstate        Displays the port enable state of link flap detection.
parameters       Displays the current value of settable link flap detection parameters.
metrics          Displays link flap detection metrics.
portsupported    Displays ports which can support the link flap detection function.
actsupported     Displays link flap detection actions supported by system hardware.
maximum          Displays the maximum allowed link downs per 10 seconds supported
                 by system hardware.
downports        Displays ports disabled by link flap detection due to a violation.
action           Displays link flap actions taken on violating port(s).
operstatus       Displays whether link flap has deactivated port(s).
threshold        Displays the number of allowed link down transitions before action is
                 taken.
interval         Displays the time period for counting link down transitions.
downtime         Displays how long violating port(s) are deactivated.
currentcount     Displays how many link down transitions are in the current interval.
totalcount       Displays how many link down transitions have occurred since the last
                 reset.
timelapsed       Displays the time period since the last link down event or reset.
violations       Displays the number of link flap violations since the last reset.
port-string      (Optional) Displays information for specific port(s).
Defaults
If not specified, information about all link flap detection settings will be displayed.
If port-string is not specified, information for all ports will be displayed.
Mode
Switch mode, read-only.
Usage
The link flap default conditions are shown in the following table.
Linkflap Parameter                                      Default Condition
Linkflap global state                                   Disabled
Linkflap port state                                     Disabled
Linkflap action                                         None
Linkflap interval                                       5
Linkflap maximum allowed link downs per 10 seconds      20
Linkflap threshold                                      10
(number of allowed link down transitions before
action is taken)
Examples
This example shows how to display the global status of the link flap detection function:
C3(rw)->show linkflap globalstate
Linkflap feature globally disabled
This example shows how to display ports disabled by link flap detection due to a violation:
C3(rw)->show linkflap downports
Ports currently held DOWN for Linkflap violations:
None.
This example shows how to display the link flap parameters table:
C3(rw)->show linkflap parameters
Linkflap Port Settable Parameter Table (X means error occurred)
Port      LF Status  Actions  Threshold  Interval  Downtime
------------------------------------------------------
ge.1.1    disabled   .......  10         5         300
ge.1.2    enabled    D..S..T  3          5         300
ge.1.3    disabled   ...S..T  10         5         300
Table 7-4 provides an explanation of the show linkflap parameters command output.
Table 7-4 show linkflap parameters Output Details
Output Field     What it displays...
Port             Port designation.
LF Status        Link flap enabled state.
Actions          Actions to be taken if the port violates allowed link flap behavior.
                 D = disabled, S = Syslog entry will be generated, T = SNMP trap
                 will be generated.
Threshold        Number of link down transitions necessary to trigger the link flap
                 action.
Interval         Time interval (in seconds) for accumulating link down transitions.
Downtime         Interval (in seconds) port(s) will be held down after a link flap
                 violation.
This example shows how to display the link flap metrics table:
C3(rw)->show linkflap metrics
Port      LinkStatus    CurrentCount  TotalCount  TimeElapsed  Violations
-----------------------------------------------------------------
ge.1.1    operational   0             0           241437       0
ge.1.2    disabled      4             15          147          5
ge.1.3    operational   3             3           241402       0
Table 7-5 provides an explanation of the show linkflap metrics command output.
Table 7-5 show linkflap metrics Output Details
Output Field     What it displays...
Port             Port designation.
LinkStatus       Link status according to the link flap function.
CurrentCount     Link down count accruing toward the link flap threshold.
TotalCount       Number of link downs since system start.
TimeElapsed      Time (in seconds) since the last link down event.
Violations       Number of link flap violations on listed ports since system start.
set linkflap globalstate
Use this command to globally enable or disable the link flap detection function.
Syntax
set linkflap globalstate {disable | enable}
Parameters
disable | enable Globally disables or enables the link flap detection function.
Defaults
By default, the function is disabled globally and on all ports.
Mode
Switch mode, read-write.
Usage
By default, the function is disabled globally and on all ports. If disabled globally after per-port
settings have been configured using the linkflap commands, per-port settings will be retained.
Example
This example shows how to globally enable the link flap detection function.
C3(rw)->set linkflap globalstate enable
set linkflap portstate
Use this command to enable or disable link flap monitoring on one or more ports.
Syntax
set linkflap portstate {disable | enable} [port-string]
Parameters
disable | enable Disables or enables the link flap detection function.
port-string      (Optional) Specifies the port or ports on which to disable or enable
                 monitoring.
Defaults
If port-string is not specified, all ports are enabled or disabled.
Mode
Switch command, read-write.
Example
This example shows how to enable link flap monitoring on all ports.
C3(rw)->set linkflap portstate enable
set linkflap interval
Use this command to set the time interval (in seconds) for accumulating link down transitions.
Syntax
set linkflap interval port-string interval-value
Parameters
port-string      Specifies the port(s) on which to set the link flap interval.
interval-value   Specifies an interval in seconds. A value of 0 will set the interval to
                 forever.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the link flap interval on port ge.1.4 to 1000 seconds.
C3(rw)->set linkflap interval ge.1.4 1000
set linkflap action
Use this command to set reactions to a link flap violation.
Syntax
set linkflap action port-string {disableInterface | gensyslogentry | gentrap | all}
Parameters
port-string      Specifies the port(s) on which to set the link flap action.
disableInterface Sets the reaction as disabling the interface.
gensyslogentry   Sets the reaction as generating a syslog entry.
gentrap          Sets the reaction as generating an SNMP trap.
all              Sets the reaction as all of the above.
Defaults
None.
Mode
Switch mode, read-write.
Example
This example shows how to set the link flap violation action on port ge.1.4 to generating a Syslog
entry.
C3(rw)->set linkflap action ge.1.4 gensyslogentry
clear linkflap action
Use this command to clear reactions to a link flap violation.
Syntax
clear linkflap action [port-string] {disableInterface | gensyslogentry | gentrap | all}
Parameters
port-string      (Optional) Specifies the port(s) on which to clear the link flap action.
disableInterface Clears the reaction as disabling the interface.
gensyslogentry   Clears the reaction as generating a syslog entry.
gentrap          Clears the reaction as generating an SNMP trap.
all              Clears the reaction as all of the above.
Defaults
If port-string is not specified, actions will be cleared on all ports.
Mode
Switch mode, read-write.
Example
This example shows how to clear the link flap violation action of generating a Syslog entry on
port ge.1.4.
C3(rw)->clear linkflap action ge.1.4 gensyslogentry
set linkflap threshold
Use this command to set the link flap action trigger count.
Syntax
set linkflap threshold port-string threshold-value
Parameters
port-string      Specifies the port(s) on which to set the link flap action trigger count.
threshold-value  Specifies the number of link down transitions necessary to trigger the
                 link flap action. A minimum of 1 must be configured.
Defaults
None.
Mode
Switch mode, read-write.
Example
This example shows how to set the link flap threshold on port ge.1.4 to 5.
C3(rw)->set linkflap threshold ge.1.4 5
set linkflap downtime
Use this command to set the time interval (in seconds) one or more ports will be held down after a
link flap violation.
Syntax
set linkflap downtime port-string downtime-value
Parameters
port-string      Specifies the port(s) on which to set the link flap downtime.
downtime-value   Specifies a downtime in seconds. A value of 0 will set the downtime to
                 forever.
Defaults
None.
Mode
Switch mode, read-write.
Example
This example shows how to set the link flap downtime on port ge.1.4 to 5000 seconds.
C3(rw)->set linkflap downtime ge.1.4 5000
clear linkflap down
Use this command to toggle link flap disabled ports to operational.
Syntax
clear linkflap down [port-string]
Parameters
port-string      (Optional) Specifies the ports to make operational.
Defaults
If port-string is not specified, all ports disabled by a link flap violation will be made operational.
Mode
Switch mode, read-write.
Example
This example shows how to make disabled port ge.1.4 operational.
C3(rw)->clear linkflap down ge.1.4
clear linkflap
Use this command to clear all link flap options and/or statistics on one or more ports.
Syntax
clear linkflap {all | stats [port-string] | parameter port-string {threshold |
interval | downtime | all}}
Parameters
all | stats      Clears all options and statistics, or clears only statistics.
parameter        Clears link flap parameters.
threshold | interval | downtime | all
                 Clears link flap threshold, interval, downtime or all parameters.
port-string      (Optional unless parameter is specified) Specifies the port(s) on which
                 to clear settings.
Defaults
If port-string is not specified, settings and/or statistics will be cleared on all ports.
Mode
Switch mode, read-write.
Example
This example shows how to clear all link flap options on port ge.1.4.
C3(rw)->clear linkflap all ge.1.4
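The following Python check is an added example, not part of the Enterasys guide. It parses captured output of show linkflap parameters, decodes the Actions letters per Table 7-4, and lists settings that would leave link flapping undetected or unreported; the sample text, the extra ge.1.4 row, and the placement of the X error flag in the Actions column are assumptions.

```python
import re

# Constructed sample, laid out like the "show linkflap parameters" table in this guide.
# ge.1.4 is an added row: disableInterface only, held down forever (downtime 0).
SAMPLE_PARAMETERS = """\
Linkflap Port Settable Parameter Table (X means error occurred)
Port      LF Status  Actions  Threshold  Interval  Downtime
------------------------------------------------------
ge.1.1    disabled   .......  10         5         300
ge.1.2    enabled    D..S..T  3          5         300
ge.1.3    disabled   ...S..T  10         5         300
ge.1.4    enabled    D......  5          1000      0
"""
SAMPLE_GLOBALSTATE = "Linkflap feature globally disabled"

# Letters from Table 7-4: D = disable interface, S = Syslog entry, T = SNMP trap.
ACTION_LETTERS = {"D": "disableInterface", "S": "gensyslogentry", "T": "gentrap"}

# Assumption: the X error marker, when present, shows up in the Actions column.
ROW = re.compile(
    r"^(?P<port>[a-z]+\.\d+\.\d+)\s+(?P<status>enabled|disabled)\s+"
    r"(?P<actions>[DSTX.]+)\s+(?P<threshold>\d+)\s+(?P<interval>\d+)\s+(?P<downtime>\d+)$"
)


def parse_parameters(text):
    """Return one dict per port row; title, header, rule and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        for key in ("threshold", "interval", "downtime"):
            row[key] = int(row[key])
        row["enabled"] = row.pop("status") == "enabled"
        flags = row.pop("actions")
        row["actions"] = {name for letter, name in ACTION_LETTERS.items() if letter in flags}
        row["error"] = "X" in flags
        rows.append(row)
    return rows


def audit(rows, globalstate_line):
    """Return (scope, finding) tuples for settings that leave flapping unhandled or unreported."""
    findings = []
    if "globally disabled" in globalstate_line.lower():
        findings.append(("global", "detection globally disabled; per-port settings are retained only"))
    for r in rows:
        port = r["port"]
        if r["error"]:
            findings.append((port, "X flag: the switch reported an error for this row"))
        if not r["enabled"]:
            findings.append((port, "link flap monitoring disabled on port"))
            continue
        if not r["actions"]:
            findings.append((port, "monitoring enabled but no action configured"))
        elif not r["actions"] & {"gensyslogentry", "gentrap"}:
            findings.append((port, "violations are neither logged nor trapped"))
        if "disableInterface" in r["actions"] and r["downtime"] == 0:
            findings.append((port, "downtime 0: port stays down until 'clear linkflap down'"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(parse_parameters(SAMPLE_PARAMETERS), SAMPLE_GLOBALSTATE):
        print(f"{scope:8} {finding}")
```

Feed it the text of a real capture of show linkflap globalstate and show linkflap parameters in place of the constructed samples.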
Configuring Broadcast Suppression
Purpose
To review and set the broadcast suppression threshold for one or more ports. This feature limits
the number of received broadcast frames the switch will accept per port. Broadcast suppression
thresholds apply only to broadcast traffic; multicast traffic is not affected. By default, a broadcast
suppression threshold of 14881 packets per second (pps) will be used, regardless of actual port
speed. Broadcast suppression protects against broadcast storms and ARP sweeps.
Note: Class of Service functionality can also be used to control broadcast, unknown unicast, and/or
multicast flooding. This feature prevents configured ports from being disrupted by a traffic storm by
rate-limiting specific types of packets through those ports. Refer to "About CoS-Based Flood
Control" on page 10-20 for more information.
Commands
For information about...    Refer to page...
show port broadcast         7-33
set port broadcast          7-34
clear port broadcast        7-34
show port broadcast
Use this command to display port broadcast suppression thresholds.
Syntax
show port broadcast [port-string]
Parameters
port-string      (Optional) Select the ports for which to show broadcast suppression
                 thresholds. For a detailed description of possible port-string values, refer
                 to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, broadcast status of all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the broadcast suppression thresholds for ports 1 through 4:
C3(su)->show port broadcast ge.1.1-4
Port       Total BC     Threshold
           Packets      (pkts/s)
----------------------------------------
ge.1.1     0            50
ge.1.2     0            50
ge.1.3     0            40
ge.1.4     0            14881
set port broadcast
Use this command to set the broadcast suppression threshold, in packets per second, on one or
more ports. This sets a threshold on the broadcast traffic that is received and switched out to other
ports.
Syntax
set port broadcast port-string threshold-val
Parameters
port-string      Select the ports for which to configure broadcast suppression thresholds.
                 For a detailed description of possible port-string values, refer to "Port
                 String Syntax Used in the CLI" on page 7-1.
threshold-val    Sets the packets per second threshold on broadcast traffic. Maximum
                 value is
                 148810 for Fast Ethernet ports
                 1488100 for 1-Gigabit ports
                 14881000 for 10-Gigabit ports
Defaults
None.
Mode
Switch command, read-write.
Usage
Per port broadcast suppression is hardset to be globally enabled on the C3. If you would like to
disable broadcast suppression, you can get the same result by setting the threshold limit for each
port to the maximum number of packets which can be received per second as listed in the
parameters section, above. The default broadcast suppression threshold for all ports is set to
14881.
Example
This example configures ports 1 through 5 with a broadcast limit of 50 pps:
C3(su)->set port broadcast ge.1.1-5 50
clear port broadcast
Use this command to clear the broadcast threshold limit to the default value of 14881 for the
selected port.
Syntax
clear port broadcast port-string threshold
Parameters
port-string      Select the ports for which to clear broadcast suppression thresholds. For a
                 detailed description of possible port-string values, refer to "Port String
                 Syntax Used in the CLI" on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears the broadcast threshold limit to 14881 pps for ports 1 through 5:
C3(su)->clear port broadcast ge.1.1-5 threshold
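The following Python check is an added example, not part of the Enterasys guide. It parses captured show port broadcast output and marks each port as custom, default, or effectively unsuppressed (threshold at the per-speed maximum listed for threshold-val), and reports the threshold as a percentage of that maximum. The fe/ge/tg port-string prefixes for Fast Ethernet, 1-Gigabit and 10-Gigabit ports and the two extra sample rows are assumptions.

```python
import re

# Maximum thresholds listed for set port broadcast; at these values suppression
# is effectively off, as the Usage text for that command explains.
# Assumption: port-string prefixes fe / ge / tg identify the port speed class.
MAX_PPS = {"fe": 148810, "ge": 1488100, "tg": 14881000}
DEFAULT_PPS = 14881

# Constructed sample in the layout of the "show port broadcast" output in this guide.
# ge.1.5 and fe.2.1 are added rows for illustration.
SAMPLE = """\
Port       Total BC     Threshold
           Packets      (pkts/s)
----------------------------------------
ge.1.1     0            50
ge.1.4     0            14881
ge.1.5     912334       1488100
fe.2.1     17           148810
"""

ROW = re.compile(r"^([a-z]+)\.(\d+)\.(\d+)\s+(\d+)\s+(\d+)$")


def parse_broadcast(text):
    """Return one dict per port row; header and rule lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            kind, slot, port, total, threshold = m.groups()
            rows.append({
                "port": f"{kind}.{slot}.{port}",
                "kind": kind,
                "total": int(total),
                "threshold": int(threshold),
            })
    return rows


def classify(row):
    """Return (state, percent_of_max) for one parsed row."""
    limit = MAX_PPS.get(row["kind"])
    if limit is None:
        return ("unknown-port-type", None)
    pct = round(100.0 * row["threshold"] / limit, 2)
    if row["threshold"] >= limit:
        return ("suppression-off", pct)   # same result as disabling the feature
    if row["threshold"] == DEFAULT_PPS:
        return ("default", pct)
    return ("custom", pct)


def audit(text):
    """Map each port in the captured output to its (state, percent_of_max)."""
    return {r["port"]: classify(r) for r in parse_broadcast(text)}


if __name__ == "__main__":
    for port, (state, pct) in audit(SAMPLE).items():
        print(f"{port:8} {state:16} {pct}% of maximum receivable rate")
```

On a 1-Gigabit port the default of 14881 pps works out to 1% of the listed maximum, which is why ports left at the default still pass a noticeable volume of broadcast frames.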
Port Mirroring
The SecureStack C3 device allows you to mirror (or redirect) the traffic being switched on a port
for the purposes of network traffic analysis and connection assurance. When port mirroring is
enabled, one port becomes a monitor port for another port within the device.
Caution: Port mirroring configuration should be performed only by personnel who are
knowledgeable about the effects of port mirroring and its impact on network operation.
Note: An Enterasys Networks Feature Guide document containing an in-depth discussion of port
mirroring configuration is located on the Enterasys Networks web site:
http://www.enterasys.com/support/manuals/
Mirroring Features
The SecureStack C3 device supports the following mirroring features:
• Mirroring can be configured in a many-to-one configuration so that one target (destination)
  port can monitor traffic on up to 8 source ports. Only one mirror destination port can be
  configured per stack, if applicable.
• Both transmit and receive traffic will be mirrored.
• A destination port will only act as a mirroring port when the session is operationally active.
• When a port mirror is created, the mirror destination port is removed from the egress list of
  VLAN 1 after a reboot.
• MAC addresses will be learned for packets tagged with the mirror VLAN ID. This will
  prevent the ability to snoop traffic across multiple hops.
Remote Port Mirroring
Remote port mirroring is an extension to port mirroring which facilitates simultaneous mirroring
of multiple source ports on multiple switches across a network to one or more remote destination
ports.
Remote port mirroring involves configuration of the following port mirroring related parameters:
1. Configuration of normal port mirroring source ports and one destination port on all switches,
   as described above.
2. Configuration of a mirror VLAN, which is a unique VLAN on which mirrored packets
   traverse across the network. The mirror VLAN has to be configured on ALL switches across
   the network along which mirrored traffic traverses, from the switch where the source ports
   reside to the switch where the mirrored packets are sniffed and/or captured.
You must ensure that switches involved are properly configured to facilitate correct remote port
mirroring operation. The following points in particular need to be observed:
• On the source switch, the correct destination port must be chosen to ensure that there is an
  egress path from that port to the desired remote destination(s).
• All ports on the path from the source port to the remote destination must be members of the
  mirror VLAN.
• On switches on the path from the source port to the remote destination, egress tagging has to
  be enabled on potential egress ports for the mirror VLAN.
Caution: Traffic mirrored to a VLAN may contain control traffic. This may be interpreted by the
downstream neighbor as legal control frames. It is recommended that you disable any protocols
(such as Spanning Tree) on inter-switch connections that might be affected.
With the introduction of remote port mirroring:
• Configured mirror destination ports will NOT lose their switching or routing properties as
  they do on SecureStack A2, B2, or C2 products.
• On switches where the mirror VLAN has been configured, any traffic on that VLAN will be
  flooded on the VLAN. It will never be unicast, even if the source address of the traffic has been
  learned on the switch.
Configuring SMON MIB Port Mirroring
Overview
SMON port mirroring support allows you to redirect traffic on ports remotely using SMON MIBs.
This is useful for troubleshooting or problem solving when network management through the
console port, telnet, or SSH is not feasible.
Procedures
Perform the following steps to configure and monitor port mirroring using SMON MIB objects.
Note: In order to configure a port mirroring relationship, both source and destination interfaces must
be enabled and operational (up).
To create and enable a port mirroring instance:
1. Open a MIB browser, such as Netsight MIB Tools.
2. In the MIB directory tree, navigate to the portCopyEntry folder and expand it.
3. Select the portCopyStatus MIB.
4. Enter a desired source and target port in the Instance field using the format source.target.
   For example, 3.2 would create a relationship where source port ge.1.3 would be mirrored to
   target port ge.1.2.
5. Enter MIB option 4 (createAndGo) and perform an SNMP Set operation.
6. (Optional) Use the CLI to verify the port mirroring instance has been created and enabled as
   shown in the following example:
C3(su)->show port mirroring
Port Mirroring
==============
Source Port = ge.1.3
Target Port = ge.1.2
Frames Mirrored = Rx and Tx
Port Mirroring status enabled
To create a port mirroring instance without automatically enabling it:
1. Complete steps 1-4 above.
2. Enter MIB option 5 (createAndWait) and perform an SNMP Set operation.
3. (Optional) Use the CLI to verify the port mirroring instance has been created and set to disabled
   mode as shown in the following example:
C3(su)->show port mirroring
Port Mirroring
==============
Source Port = ge.1.3
Target Port = ge.1.2
Frames Mirrored = Rx and Tx
Port Mirroring status disabled
4. When you are ready to enable this instance, enter MIB option 1 (active) and perform an SNMP
   Set operation.
5. (Optional) Use the CLI to verify the port mirroring instance has been enabled.
To delete a port mirroring instance:
1. Select a previously created port mirroring instance in your MIB browser.
2. Enter MIB option 6 (destroy) and perform an SNMP Set operation.
3. (Optional) Use the CLI to verify the port mirroring instance has been deleted as shown in the
   following example:
C3(su)->show port mirroring
No Port Mirrors configured.
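Because the instances above are created with an SNMP Set rather than at the CLI, comparing show port mirroring output against the mirrors you have approved catches instances nobody typed at the console, including ones left disabled by createAndWait. The following Python check is an added example, not part of the Enterasys guide; the sample outputs are constructed in the format shown in this chapter, and the function names and the approved-pair set are assumptions.

```python
import re

# Constructed samples in the format of the `show port mirroring` output in this chapter.
SAMPLE_ENABLED = """\
Port Mirroring
==============
Source Port = ge.1.3
Target Port = ge.1.2
Frames Mirrored = Rx and Tx
Port Mirroring status enabled
Mirror Vlan = 2
"""
SAMPLE_DISABLED = SAMPLE_ENABLED.replace("status enabled", "status disabled")
SAMPLE_NONE = "No Port Mirrors configured.\n"

_FIELD = re.compile(
    r"^\s*(Source Port|Target Port|Frames Mirrored|Mirror Vlan)\s*=\s*(.+?)\s*$")
_STATUS = re.compile(r"^\s*Port Mirroring status\s+(enabled|disabled)\.?\s*$")


def parse_port_mirroring(text):
    """Return (sessions, mirror_vlan) parsed from `show port mirroring` output.

    Assumption: a new mirror entry starts at every "Source Port" line; the
    guide itself only shows output with a single entry.
    """
    sessions, mirror_vlan, current = [], None, None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            key, value = m.groups()
            if key == "Source Port":
                current = {"source": value, "target": None,
                           "frames": None, "enabled": None}
                sessions.append(current)
            elif key == "Mirror Vlan":
                mirror_vlan = int(value)
            elif current is not None:
                current["target" if key == "Target Port" else "frames"] = value
            continue
        m = _STATUS.match(line)
        if m and current is not None:
            current["enabled"] = (m.group(1) == "enabled")
    return sessions, mirror_vlan


def audit_mirrors(text, approved, approved_vlan=None):
    """List mirrors and mirror VLANs that are not in the approved configuration.

    approved is a set of (source, target) port-string pairs. Disabled entries
    are reported too, since they can be activated later with one SNMP Set.
    """
    sessions, mirror_vlan = parse_port_mirroring(text)
    labels = {True: "enabled", False: "disabled", None: "status unknown"}
    findings = []
    for s in sessions:
        if (s["source"], s["target"]) not in approved:
            findings.append("unapproved mirror %s -> %s (%s)"
                            % (s["source"], s["target"], labels[s["enabled"]]))
    if mirror_vlan is not None and mirror_vlan != approved_vlan:
        findings.append("unapproved mirror VLAN %d" % mirror_vlan)
    return findings


if __name__ == "__main__":
    for finding in audit_mirrors(SAMPLE_DISABLED, approved=set()):
        print(finding)
```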
Purpose
To review and configure port mirroring on the device.
Commands
For information about...      Refer to page...
show port mirroring           7-38
set port mirroring            7-39
clear port mirroring          7-40
set mirror vlan               7-40
clear mirror vlan             7-41
show port mirroring
Use this command to display the source and target ports for mirroring, and whether mirroring is
currently enabled or disabled for those ports.
Syntax
show port mirroring
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display port mirroring information. In this case, ge.1.4 is configured
as a source port and ge.1.11 is a target and mirroring has been enabled between these ports:
C3(su)->show port mirroring
Port Mirroring
==============
Source Port = ge.1.4
Target Port = ge.1.11
Frames Mirrored = Rx and Tx
Port Mirroring status enabled.
set port mirroring
Use this command to create a new mirroring relationship or to enable or disable an existing
mirroring relationship between two ports.
Syntax
set port mirroring {create | disable | enable} source destination
Parameters
create | disable |   Creates, disables or enables mirroring settings on the specified ports. By
enable               default, port mirrors are enabled automatically when created.
source               Specifies the source port designation. This is the port on which the traffic
                     will be monitored. For a detailed description of possible port-string values,
                     refer to "Port String Syntax Used in the CLI" on page 7-1.
destination          Specifies the target port designation. This is the port that will duplicate or
                     "mirror" all the traffic on the monitored port. Only one destination port
                     can be configured per stack, if applicable.
                     For a detailed description of possible port-string values, refer to "Port
                     String Syntax Used in the CLI" on page 7-1.
Defaults
Port mirrors are automatically enabled when created on this platform.
Mode
Switch command, read-write.
Usage
Note that LAG ports and their underlying physical ports, as described in "Link Aggregation
Control Protocol (LACP)" on page 7-42, cannot be mirrored.
Notes:
• When a port mirror is created, the mirror destination port is removed from VLAN 1's egress
  list after a reboot.
• MAC addresses will be learned for packets tagged with the mirror VLAN ID. This will prevent the
  ability to snoop traffic across multiple hops.
Example
This example shows how to create and enable port mirroring with ge.1.4 as the source port, and
ge.1.11 as the target port:
C3(su)->set port mirroring create ge.1.4 ge.1.11
clear port mirroring
Use this command to clear a port mirroring relationship.
Syntax
clear port mirroring source destination
Parameters
source               Specifies the source port of the mirroring configuration to be cleared. For
                     a detailed description of possible port-string values, refer to "Port String
                     Syntax Used in the CLI" on page 7-1.
destination          Specifies the target port of the mirroring configuration to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear a port mirroring relationship between source port ge.1.4 and
target port ge.1.11:
C3(su)->clear port mirroring ge.1.4 ge.1.11
set mirror vlan
Assigns a VLAN to be reserved for mirroring traffic. If a mirrored VLAN is created, all mirrored
traffic will egress VLAN tagged. All traffic on the mirror VLAN will be flooded.
Syntax
set mirror vlan vlan-id
Parameters
vlan-id              Specifies the VLAN to be used for remote port mirroring. The ID can
                     range from 2 to 4093.
Defaults
None.
Mode
Switch command, read-write.
Usage
Refer to "Remote Port Mirroring" on page 7-36 for information about configuring mirror VLANs.
Use the show port mirroring command to display the VLANs configured for remote port
mirroring.
Example
The following example assigns a VLAN for mirroring traffic and then shows the configured port
mirroring with the show port mirroring command.
C3(su)->set mirror vlan 2
C3(su)->show port mirroring
Port Mirroring
==============
Source Port = ge.1.1
Target Port = ge.1.10
Frames Mirrored = Rx and Tx
Port Mirroring status enabled
Mirror Vlan = 2
clear mirror vlan
Use this command to clear the VLAN to be reserved for mirroring traffic.
Syntax
clear mirror vlan vlan-id
Parameters
vlan-id              Specifies the VLAN to be cleared. The ID can range from 2 to 4093.
Defaults
None.
Mode
Switch command, read-write.
Example
The following example clears VLAN 2 from being used for remote port mirroring.
C3(su)->clear mirror vlan 2
Link Aggregation Control Protocol (LACP)
Using multiple links simultaneously to increase bandwidth is a desirable switch feature, which
can be accomplished if both sides agree on a set of ports that are being used as a Link Aggregation
Group (LAG). Once a LAG is formed from selected ports, problems with looping can be avoided
since the Spanning Tree can treat this LAG as a single port.
Enabled by default, the Link Aggregation Control Protocol (LACP) logically groups interfaces
together to create a greater bandwidth uplink, or link aggregation, according to the IEEE 802.3ad
standard. This standard allows the switch to determine which ports are in LAGs and configure
them dynamically. Since the protocol is based on the IEEE 802.3ad specification, any switch from
any vendor that supports this standard can aggregate links automatically.
802.3ad LACP aggregations can also be run to end-users (that is, a server) or to a router.
Caution: Link aggregation configuration should only be performed by personnel who are
knowledgeable about Spanning Tree and Link Aggregation, and fully understand the ramifications
of modifications beyond device defaults. Otherwise, the proper operation of the network could be
at risk.
Note: Earlier (proprietary) implementations of port aggregation referred to groups of aggregated
ports as "trunks".
LACP Operation
For each aggregatable port in the device, LACP:
• Maintains configuration information (reflecting the inherent properties of the individual links
  as well as those established by management) to control aggregation.
• Exchanges configuration information with other devices to allocate the link to a Link
  Aggregation Group (LAG).
• Attaches the port to the aggregator used by the LAG, and detaches the port from the
  aggregator when it is no longer used by the LAG.
• Uses information from the partner device's link aggregation control entity to decide whether
  to aggregate ports.
Note: A given link is allocated to, at most, one Link Aggregation Group (LAG) at a time. The
allocation mechanism attempts to maximize aggregation, subject to management controls.
The operation of LACP involves the following activities:
• Checking that candidate links can actually be aggregated.
• Controlling the addition of a link to a LAG, and the creation of the group if necessary.
• Monitoring the status of aggregated links to ensure that the aggregation is still valid.
• Removing a link from a LAG if its membership is no longer valid, and removing the group if it
  no longer has any member links.
In order to allow LACP to determine whether a set of links connect to the same device, and to
determine whether those links are compatible from the point of view of aggregation, it is
necessary to be able to establish:
• A globally unique identifier for each device that participates in link aggregation.
• A means of identifying the set of capabilities associated with each port and with each
  aggregator, as understood by a given device.
• A means of identifying a LAG and its associated aggregator.
LACP Terminology
Table 7-6 defines key terminology used in LACP configuration.
Table 7-6 LACP Terms and Definitions
Term                 Definition
Aggregator           Virtual port that controls link aggregation for underlying physical ports. Each
                     SecureStack C3 module provides 6 aggregator ports, which are designated in
                     the CLI as lag.0.1 through lag.0.6.
LAG                  Link Aggregation Group. Once underlying physical ports (for example, fe.x.x)
                     are associated with an aggregator port, the resulting aggregation will be
                     represented as one LAG with a lag.x.x port designation.
                     SecureStack C3 LAGs can have up to 8 associated physical ports.
LACPDU               Link Aggregation Control Protocol Data Unit. The protocol exchanges
                     aggregation state/mode information by way of a port's actor and partner
                     operational states. LACPDUs sent by the first party (the actor) convey to the
                     second party (the actor's protocol partner) what the actor knows, both about
                     its own state and that of its partner.
Actor and Partner    An actor is the local device sending LACPDUs. Its protocol partner is the
                     device on the other end of the link aggregation. Each maintains current status
                     of the other via LACPDUs containing information about their ports' LACP
                     status and operational state.
Admin Key            Value assigned to aggregator ports and physical ports that are candidates for
                     joining a LAG. The LACP implementation on SecureStack C3 devices will use
                     this value to form an oper key and will determine which underlying physical
                     ports are capable of aggregating by comparing oper keys. Aggregator ports
                     allow only underlying ports with oper keys matching theirs to join their LAG.
                     On SecureStack C3 devices, the default admin key value is 32768.
System Priority      Value used to build a LAG ID, which determines aggregation precedence. If
                     there are two partner devices competing for the same aggregator, LACP
                     compares the LAG IDs for each grouping of ports. The LAG with the lower
                     LAG ID is given precedence and will be allowed to use the aggregator.
                     Note: Only one LACP system priority can be set on a
                     SecureStack C3 device, using either the set lacp asyspri
                     command (page 7-47), or the set port lacp command
                     (page 7-52).
SecureStack C3 Usage Considerations
In normal usage (and typical implementations) there is no need to modify any of the default
LACP parameters on the switch. The default values will result in the maximum number of
aggregations possible. If the switch is placed in a configuration with its peers not running the
protocol, no dynamic link aggregations will be formed and the switch will function normally (that
is, will block redundant paths). For information about building static aggregations, refer to set
lacp static (page 7-48).
Each SecureStack C3 module provides six virtual link aggregator ports, which are designated in
the CLI as lag.0.1 through lag.0.6. Each LAG can have up to eight associated physical ports. Once
underlying physical ports (for example, fe.x.x, or ge.x.x) are associated with an aggregator port,
the resulting aggregation will be represented as one LAG with a lag.0.x port designation. LACP
determines which underlying physical ports are capable of aggregating by comparing operational
keys. Aggregator ports allow only underlying ports with keys matching theirs to join their LAG.
LACP uses a system priority value to build a LAG ID, which determines aggregation precedence.
If there are two partner devices competing for the same aggregator, LACP compares the LAG IDs
for each grouping of ports. The LAG with the lower LAG ID is given precedence and will be
allowed to use the aggregator.
There are a few cases in which ports will not aggregate:
• An underlying physical port is attached to another port on this same switch (loopback).
• There is no available aggregator for two or more ports with the same LAG ID. This can
  happen if there are simply no available aggregators, or if none of the aggregators have a
  matching admin key and system priority.
• 802.1x authentication is enabled using the set eapol command (page 16-18) and ports that
  would otherwise aggregate are not 802.1X authorized.
The LACP implementation on the SecureStack C3 device will allow up to eight physical ports into
a LAG. The device with the lowest LAG ID determines which underlying physical ports are
allowed into a LAG based on the ports' LAG port priority. Ports with the lowest LAG port priority
values are allowed into the LAG and all other speed groupings go into a standby state.
Multi-port LAGs will continue to operate as long as there is at least one active port in the LAG.
Therefore, there is no need to create backup single port LAGs or to specifically assign the LAG and
all its physical ports to the egress list of the LAG's VLAN.
Typically, two or more ports are required to form a LAG. However, you can enable the creation of
single port LAGs as described in "set lacp singleportlag" on page 7-50. If a single port LAG goes
down and the switch stays up, the switch will reconfigure the LAG to the same LAG number if the
port comes back up.
Note: The path cost of a LAG port will be displayed as zero when it is not an active link.
Note: To aggregate, underlying physical ports must be running in full duplex mode and must be of
the same operating speed.
Commands
For information about...      Refer to page...
show lacp                     7-45
set lacp                      7-46
set lacp asyspri              7-47
set lacp aadminkey            7-47
clear lacp                    7-48
set lacp static               7-48
clear lacp static             7-49
set lacp singleportlag        7-50
clear lacp singleportlag      7-49
show port lacp                7-51
set port lacp                 7-52
clear port lacp               7-54
show lacp
Use this command to display information about one or more aggregator ports.
Syntax
show lacp [port-string]
Parameters
port-string          (Optional) Displays LACP information for specific LAG port(s). Valid
                     port designations are lag.0.1-6.
Defaults
If port-string is not specified, link aggregation information for all LAGs will be displayed.
Mode
Switch command, read-only.
Usage
Each SecureStack C3 module provides 6 virtual link aggregator ports, which are designated in the
CLI as lag.0.1 through lag.0.6. Once underlying physical ports (that is, ge.x.x) are associated with
an aggregator port, the resulting aggregation will be represented as one Link Aggregation Group
(LAG) with a lag.x.x port designation.
Example
This example shows how to display lacp information for lag.0.1. The following table describes the
output fields.
C3(su)->show lacp lag.0.1
Global Link Aggregation state: enabled
Single Port LAGs: disabled
Aggregator: lag.0.1
                     Actor                Partner
System Identifier:   00:01:F4:5F:1E:20    00:11:88:11:74:F9
System Priority:     32768                32768
Admin Key:           32768
Oper Key:            32768                0
Attached Ports:      ge.1.1
                     ge.1.3
Table 7-7 provides an explanation of the command output.
Table 7-7 show lacp Output Details
Output Field         What It Displays...
Global Link          Shows if LACP is enabled or disabled on the switch.
Aggregation state
Single Port LAGs     Displays if the single port LAG feature has been enabled on the switch. See "set lacp
                     singleportlag" on page 7-50 for more about single port LAG.
Aggregator           LAG port designation. Each SecureStack C3 module provides 6 virtual link
                     aggregator ports, which are designated in the CLI as lag.0.1 through lag.0.6. Once
                     underlying physical ports (for example, fe.x.x) are associated with an aggregator
                     port, the resulting Link Aggregation Group (LAG) is represented with a lag.x.x port
                     designation.
Actor                Local device participating in LACP negotiation.
Partner              Remote device participating in LACP negotiation.
System Identifier    MAC addresses for actor and partner.
System Priority      System priority value which determines aggregation precedence. Only one LACP
                     system priority can be set on a SecureStack C3 device, using either the set lacp
                     asyspri command (page 7-47), or the set port lacp command (page 7-52).
Admin Key            Port's assigned key. SecureStack C3 devices provide a default admin key value of
                     32768 for all LAG ports (lag.0.1 through lag.0.6).
Oper Key             Port's operational key, derived from the admin key. Only underlying physical ports
                     with oper keys matching the aggregator's will be allowed to aggregate.
Attached Ports       Underlying physical ports associated with this aggregator.
set lacp
Use this command to disable or enable the Link Aggregation Control Protocol (LACP) on the
device.
Syntax
set lacp {disable | enable}
Parameters
disable | enable     Disables or enables LACP.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable LACP:
C3(su)->set lacp disable
set lacp asyspri
Use this command to set the LACP system priority.
Syntax
set lacp asyspri value
Parameters
asyspri              Sets the system priority to be used in creating a LAG (Link Aggregation
                     Group) ID. Valid values are 0 to 65535.
value                Specifies a system priority value. Valid values are 0 to 65535, with
                     precedence given to lower values.
Defaults
None.
Mode
Switch command, read-write.
Usage
LACP uses this value to determine aggregation precedence. If there are two partner devices
competing for the same aggregator, LACP compares the LAG IDs for each grouping of ports. The
LAG with the lower LAG ID is given precedence and will be allowed to use the aggregator.
Example
This example shows how to set the LACP system priority to 1000:
C3(su)->set lacp asyspri 1000
set lacp aadminkey
Use this command to set the administratively assigned key for one or more aggregator ports.
Syntax
set lacp aadminkey port-string value
Parameters
port-string          Specifies the LAG port(s) on which to assign an admin key.
value                Specifies an admin key value to set. Valid values are 0 to 65535. The
                     default admin key value is 32768.
Defaults
None.
Mode
Switch command, read-write.
Usage
LACP will use this value to form an oper key. Only underlying physical ports with oper keys
matching those of their aggregators will be allowed to aggregate. The default admin key value for
all LAG ports is 32768.
Example
This example shows how to set the LACP admin key to 2000 for LAG port 6:
C3(su)->set lacp aadminkey lag.0.6 2000
clear lacp
Use this command to clear LACP system priority or admin key settings.
Syntax
clear lacp {[asyspri] [aadminkey port-string]}
Parameters
asyspri                  Clears system priority.
aadminkey port-string    Resets admin keys for one or more ports to the default value of 32768.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the actor admin key for LAG port 6:
C3(su)->clear lacp aadminkey lag.0.6
set lacp static
Use this command to disable or enable static link aggregation, or to assign one or more underlying
physical ports to a Link Aggregation Group (LAG).
Syntax
set lacp static {disable | enable} | lagportstring [key] port-string
Parameters
disable | enable     Disables or enables static link aggregation.
lagportstring        Specifies the LAG aggregator port to which new ports will be assigned.
key                  (Optional) Specifies the new member port and LAG port aggregator
                     admin key value. Only ports with matching keys are allowed to
                     aggregate. Valid values are 0 - 65535.
                     Note: This key value must be unique. If ports other than the desired
                     underlying physical ports share the same admin key value, aggregation
                     will fail or undesired aggregations will form.
port-string          Specifies the member port(s) to add to the LAG. For a detailed description
                     of possible port-string values, refer to "Port String Syntax Used in the CLI"
                     on page 7-1.
Defaults
If not specified, a key will be assigned according to the specified aggregator. For example a key of 4
would be assigned to lag.0.4.
Mode
Switch command, read-write.
Example
This example shows how to add port ge.1.6 to the LAG of aggregator port 6:
C3(su)->set lacp static lag.0.6 ge.1.6
clear lacp static
Use this command to remove specific ports from a Link Aggregation Group.
Syntax
clear lacp static lagportstring port-string
Parameters
lagportstring        Specifies the LAG aggregator port from which ports will be removed.
port-string          Specifies the port(s) to remove from the LAG. For a detailed description of
                     possible port-string values, refer to "Port String Syntax Used in the CLI"
                     on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to remove ge.1.6 from the LAG of aggregator port 6:
C3(su)->clear lacp static lag.0.6 ge.1.6
set lacp singleportlag
Use this command to enable or disable the formation of single port LAGs.
Syntax
set lacp singleportlag {enable | disable}
Parameters
disable | enable     Enables or disables the formation of single port LAGs.
Defaults
None.
Mode
Switch command, read-write.
Usage
When single port LAGs are enabled, Link Aggregation Groups can be formed when only one
port is receiving protocol transmissions from a partner. When this setting is disabled, two or more
ports are required to form a LAG.
This setting has no effect on existing LAGs created with multiple member ports. It also does not
prevent previously formed LAGs from coming up after they have gone down, as long as any
previous LAG member ports come up connected to the same switch as before the LAG went
down.
Example
This example enables the formation of single port LAGs:
C3(su)->set lacp singleportlag enable
clear lacp singleportlag
Use this command to reset the single port LAG function back to the default state of disabled.
Syntax
clear lacp singleportlag
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the single port LAG function back to disabled:
C3(su)->clear lacp singleportlag
show port lacp
Use this command to display link aggregation information for one or more underlying physical
ports.
Syntax
show port lacp port port-string {[status {detail | summary}] | [counters]}
Parameters
port port-string     Displays LACP information for specific port(s). For a detailed description
                     of possible port-string values, refer to "Port String Syntax Used in the CLI"
                     on page 7-1.
status detail |      Displays LACP status in detailed or summary information.
summary
counters             Displays LACP counter information.
Defaults
None.
Mode
Switch command, read-only.
Usage
State definitions, such as ActorAdminState and Partner AdminState, are indicated with letter
abbreviations. If the show port lacp command displays one or more of the following letters, it
means the state is true for the associated actor or partner ports:
E = Expired
F = Defaulted
D = Distributing (tx enabled)
C = Collecting (rx enabled)
S = Synchronized (actor and partner agree)
G = Aggregation allowed
S/l = Short/Long LACP timeout
A/p = Active/Passive LACP
For more information about these states, refer to set port lacp (page 7-52) and the IEEE 802.3-2002
specification.
Examples
This example shows how to display detailed LACP status information for port ge.1.12:
C3(su)->show port lacp port ge.1.12 status detail
Port Instance: ge.1.12
ActorPort: 1411                     PartnerAdminPort: 1411
ActorSystemPriority: 32768          PartnerOperPort: 1411
ActorPortPriority: 32768            PartnerAdminSystemPriority: 32768
ActorAdminKey: 32768                PartnerOperSystemPriority: 32768
ActorOperKey: 32768                 PartnerAdminPortPriority: 32768
ActorAdminState: -----GlA           PartnerOperPortPriority: 32768
ActorOperState: -F----lA            PartnerAdminKey: 1411
ActorSystemID: 00-e0-63-9d-b5-87    PartnerOperKey: 1411
SelectedAggID: none                 PartnerAdminState: --DCSGlp
AttachedAggID: none                 PartnerOperState: --DC-Glp
MuxState: Detached                  PartnerAdminSystemID: 00-00-00-00-00-00
DebugRxState: portDisabled          PartnerOperSystemID: 00-00-00-00-00-00
This example shows how to display summarized LACP status information for port ge.1.12:
C3(su)->show port lacp port ge.1.12 status summary
Port      Aggr   Actor System                    Partner System
                 Pri:   System ID:   Key:        Pri:   System ID:   Key:
ge.1.12   none   [(32768,00e0639db587,32768),(32768,000000000000, 1411)]
This example shows how to display LACP counters for port ge.1.12:
C3(su)->show port lacp port ge.1.12 counters
Port Instance: ge.1.12
LACPDUsRx: 11067
LACPDUsTx: 0
IllegalRx: 0
UnknownRx: 0
MarkerPDUsRx: 0
MarkerPDUsTx: 0
MarkerResponsePDUsRx: 0
MarkerResponsePDUsTx: 374
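The eight-character state strings in the detailed output above can be decoded with the letter legend from the Usage section. The following Python decoder is an added example, not part of the Enterasys guide; it assumes the letters are positional in the order E F D C S G, timeout, activity (inferred from the four state strings in the example output), maps them to the IEEE 802.3ad state octet, and uses function names of its own.

```python
# Letters for bits 7..2 of the IEEE 802.3ad actor/partner state octet, in the
# order the CLI prints them (assumption: the display is positional).
_BIT_FLAGS = [
    ("E", "expired"),       # bit 7
    ("F", "defaulted"),     # bit 6
    ("D", "distributing"),  # bit 5
    ("C", "collecting"),    # bit 4
    ("S", "synchronized"),  # bit 3
    ("G", "aggregation"),   # bit 2
]


def decode_lacp_state(text):
    """Decode a state string such as '--DCSGlp' into (flags, state_octet)."""
    text = text.strip()
    if len(text) != 8:
        raise ValueError("expected 8 characters, got %r" % text)
    flags, octet = {}, 0
    for pos, (letter, name) in enumerate(_BIT_FLAGS):
        if text[pos] not in (letter, "-"):
            raise ValueError("unexpected %r at position %d" % (text[pos], pos))
        flags[name] = text[pos] == letter
        if flags[name]:
            octet |= 1 << (7 - pos)
    if text[6] not in ("S", "l") or text[7] not in ("A", "p"):
        raise ValueError("bad timeout/activity letters in %r" % text)
    flags["timeout"] = "short" if text[6] == "S" else "long"    # bit 1
    flags["activity"] = "active" if text[7] == "A" else "passive"  # bit 0
    if text[6] == "S":
        octet |= 0x02
    if text[7] == "A":
        octet |= 0x01
    return flags, octet


def diagnose(oper_state):
    """Return the reasons an operational state is not passing LAG traffic."""
    flags, _ = decode_lacp_state(oper_state)
    reasons = []
    if flags["expired"]:
        reasons.append("expired: partner information has timed out")
    if flags["defaulted"]:
        reasons.append("defaulted: using configured partner defaults, "
                       "not values from a received LACPDU")
    if not flags["aggregation"]:
        reasons.append("aggregation not allowed on this port")
    if not flags["synchronized"]:
        reasons.append("not synchronized with partner")
    if not (flags["collecting"] and flags["distributing"]):
        reasons.append("not collecting/distributing traffic")
    return reasons


if __name__ == "__main__":
    # State strings copied from the ge.1.12 example output above.
    for label, state in [("ActorOperState", "-F----lA"),
                         ("PartnerAdminState", "--DCSGlp")]:
        flags, octet = decode_lacp_state(state)
        print(label, state, hex(octet), diagnose(state))
```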
set port lacp
Use this command to set link aggregation parameters for one or more ports. These settings will
determine the specified underlying physical ports' ability to join a LAG, and their administrative
state once aggregated.
Syntax
set port lacp port port-string {[aadminkey aadminkey] [aadminstate {lacpactive |
lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire}]
[aportpri aportpri] [asyspri asyspri] [enable | disable] [padminkey padminkey]
[padminport padminport] [padminportpri padminportpri] [padminstate {lacpactive |
lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire}]
[padminsysid padminsysid] [padminsyspri padminsyspri]}
Parameters
port port-string     Specifies the physical port(s) on which to configure LACP. For a detailed
                     description of possible port-string values, refer to "Port String Syntax Used
                     in the CLI" on page 7-1.
aadminkey            Sets the port's actor admin key. LACP will use this value to form an oper
aadminkey            key and will determine which underlying physical ports are capable of
                     aggregating by comparing oper keys. Aggregator ports allow only
                     underlying ports with oper keys matching theirs to join their LAG. Valid
                     values are 1 - 65535. The default key value is 32768.
aadminstate          Sets the port's actor LACP administrative state to allow for:
lacpactive |         lacpactive - Transmitting LACP PDUs.
lacptimeout |        lacptimeout - Transmitting LACP PDUs every 1 sec. vs 30 sec. (default).
lacpagg | lacpsync   lacpagg - Aggregation on this port.
| lacpcollect |      lacpsync - Transition to synchronization state.
lacpdist | lacpdef | lacpcollect - Transition to collection state.
lacpexpire           lacpdist - Transition to distribution state.
                     lacpdef - Transition to defaulted state.
                     lacpexpire - Transition to expired state.
aportpri aportpri    Sets the port's actor port priority. Valid values are 0 - 65535, with lower
                     values designating higher priority.
asyspri asyspri      Sets the port's actor system priority. The LACP implementation on the
                     SecureStack C3 device uses this value to determine aggregation
                     precedence when there are two devices competing for the same
                     aggregator. Valid values are 0 - 65535, with higher precedence given to
                     lower values.
                     Note: Only one LACP system priority can be set on a SecureStack
                     C3 device, using either this command, or the set lacp asyspri
                     command ("set lacp asyspri" on page 7-47).
enable               (Optional) Enables LACPDU processing on this port.
disable              (Optional) Disables LACPDU processing on this port.
padminkey            Sets a default value to use as the port's partner admin key. Only ports with
padminkey            matching admin keys are allowed to aggregate. Valid values are 1 - 65535.
padminport           Sets a default value to use as the port's partner admin value. Valid values
padminport           are 1 - 65535.
padminportpri        Sets a default value to use as the port's partner port priority. Valid values
padminportpri        are 0 - 65535, with lower values given higher priority.
padminstate          Sets a port's partner LACP administrative state. See aadminstate for valid
lacpactive |         options.
lacptimeout |
lacpagg | lacpsync
| lacpcollect |
lacpdist | lacpdef |
lacpexpire
padminsysid          Sets a default value to use as the port's partner system ID. This is a MAC
padminsysid          address.
padminsyspri         Sets a default value to use as the port's partner priority. Valid values are 0 -
padminsyspri         65535, with lower values given higher priority.
Defaults
At least one parameter must be entered per port-string.
If enable or disable are not specified, port(s) will be enabled with the LACP parameters entered.
Mode
Switch command, read-write.
Usage
LACP commands and parameters beginning with an "a" (such as aadminkey) set actor values.
Corresponding commands and parameters beginning with a "p" (such as padminkey) set
corresponding partner values. Actor refers to the local device participating in LACP negotiation,
while partner refers to its remote device partner at the other end of the negotiation. Actors and
partners maintain current status of the other via LACPDUs containing information about their
ports' LACP status and operational state.
Example
This example shows how to set the actor admin key to 3555 for port ge.3.16:
C3(su)->set port lacp port ge.3.16 aadminkey 3555
clear port lacp
Use this command to clear link aggregation settings for one or more ports.
Syntax
clear port lacp port port-string {[aadminkey] [aportpri] [asyspri] [aadminstate
{lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef
| lacpexpire | all}] [padminsyspri] [padminsysid] [padminkey] [padminportpri]
[padminport] [padminstate {lacpactive | lacptimeout | lacpagg | lacpsync |
lacpcollect | lacpdist | lacpdef | lacpexpire | all}]}
Parameters
port port-string     Specifies the physical port(s) on which LACP settings will be cleared. For
                     a detailed description of possible port-string values, refer to "Port String
                     Syntax Used in the CLI" on page 7-1.
aadminkey            Clears a port's actor admin key.
aportpri             Clears a port's actor port priority.
asyspri              Clears the port's actor system priority.
aadminstate          Clears a port's specific actor admin state, or all actor admin state(s). For
lacpactive |         descriptions of specific states, refer to the set port lacp command ("set
lacptimeout |        port lacp" on page 7-52).
lacpagg | lacpsync
| lacpcollect |
lacpdist | lacpdef |
lacpexpire | all
padminsyspri         Clears the port's default partner priority value.
padminsysid          Clears the port's default partner system ID.
padminkey            Clears the port's default partner admin key.
padminportpri        Clears the port's default partner port priority.
padminport           Deletes a partner port from the LACP configuration.
padminstate          Clears the port's specific partner admin state, or all partner admin state(s).
lacpactive |
lacptimeout |
lacpagg | lacpsync
| lacpcollect |
lacpdist | lacpdef |
lacpexpire | all
Defaults
None.
Mode
Switch command, read-write.
Usage
If you set a port to LACP passive using the command clear port lacp port <port-string>
aadminstate lacpactive, the command clear port lacp port <port-string> aadminstate lacptimeout
will also be added to the configuration. If you unset the first command, it will remove the second
command automatically from the configuration file.
Example
This example shows how to clear all link aggregation parameters for port ge.3.16:
C3(su)->clear port lacp port ge.3.16
Configuring Protected Ports
The Protected Port feature is used to prevent ports from forwarding traffic to each other, even
when they are on the same VLAN. Ports may be designated as either protected or unprotected.
Ports are unprotected by default. Multiple groups of protected ports are supported.
Protected Port Operation
Ports that are configured to be protected cannot forward traffic to other protected ports in the
same group, regardless of having the same VLAN membership. However, protected ports can
forward traffic to ports which are unprotected (not listed in any group). Protected ports can also
forward traffic to protected ports in a different group, if they are in the same VLAN. Unprotected
ports can forward traffic to both protected and unprotected ports. A port may belong to only one
group of protected ports.
This feature only applies to ports within a switch or a stack. It does not apply across multiple
switches in a network.
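The forwarding rules above mean that two ports are isolated from each other only when both are protected and in the same group. The following Python check is an added example, not part of the Enterasys guide: it parses constructed output in the format of the show port protected example in this chapter and lists the port pairs that a given isolation requirement expects to be separated but that can still forward to each other. The function names and the must_isolate set are assumptions, and all ports are assumed to share a VLAN on one switch or stack.

```python
import re
from itertools import combinations

# Constructed sample in the format of the `show port protected` output.
SAMPLE = """\
Group id      Port
----------------------
1             ge.1.1
1             ge.1.2
2             ge.1.3
"""


def parse_protected(text):
    """Map port-string -> protected group id (0-2) from the CLI table."""
    groups = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([0-2])\s+([a-z]+\.\d+\.\d+)\s*$", line)
        if m:
            groups[m.group(2)] = int(m.group(1))
    return groups


def can_forward(src, dst, groups):
    """Apply the Protected Port Operation rules to one pair of ports.

    Ports missing from `groups` are unprotected. Traffic is blocked only
    between two protected ports that belong to the same group.
    """
    g_src, g_dst = groups.get(src), groups.get(dst)
    return g_src is None or g_dst is None or g_src != g_dst


def isolation_gaps(groups, must_isolate):
    """Return (port_a, port_b, reason) for pairs that can still forward."""
    gaps = []
    for a, b in combinations(sorted(must_isolate), 2):
        if not can_forward(a, b, groups):
            continue
        unprotected = [p for p in (a, b) if p not in groups]
        if unprotected:
            reason = "unprotected: " + ", ".join(unprotected)
        else:
            reason = "different protected groups (%d and %d)" % (groups[a], groups[b])
        gaps.append((a, b, reason))
    return gaps


if __name__ == "__main__":
    groups = parse_protected(SAMPLE)
    for gap in isolation_gaps(groups, {"ge.1.1", "ge.1.2", "ge.1.3", "ge.1.4"}):
        print(gap)
```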

Commands
For information about...      Refer to page...
set port protected            7-56
show port protected           7-57
clear port protected          7-57
set port protected name       7-58
show port protected name      7-58
clear port protected name     7-59

set port protected
Use this command to specify a port to be protected and assign the port to a group of protected ports. A port can be assigned to only one group.
Syntax
set port protected port-string group-id
Parameters
port-string    Specifies the port or ports to be protected.
group-id       Specifies the id of the group to which the ports should be assigned. Id can range from 0 to 2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to assign ports ge.1.1 through ge.1.3 to protected port group 1:
C3(rw)->set port protected ge.1.1-3 1

show port protected
Use this command to display information about the ports configured for protected mode.
Syntax
show port protected [port-string] | [group-id]
Parameters
port-string    (Optional) Specifies the port or ports for which to display information.
group-id       (Optional) Specifies the id of the group for which to display information. Id can range from 0 to 2.
Defaults
If no parameters are entered, information about all protected ports is displayed.
Mode
Read-only.
Example
This example shows how to display information about all protected ports:
C3(ro)->show port protected
Group id    Port
----------------------
1           ge.1.1
1           ge.1.2
1           ge.1.3

clear port protected
Use this command to remove a port or group from protected mode.
Syntax
clear port protected [port-string] | [group-id]
Parameters
port-string    (Optional) Specifies the port or ports to remove from protected mode.
group-id       (Optional) Specifies the id of the group to remove from protected mode. Id can range from 0 to 2.
Defaults
If no parameters are entered, all protected ports and groups are cleared.
Mode
Switch command, read-write.
Example
This example shows how to clear protected ports ge.1.1 through ge.1.3:
C3(rw)->clear port protected ge.1.1-3
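
The following is an added example, not part of the Enterasys guide. It applies the rules from Protected Port Operation to "show port protected" output to list port pairs that were meant to be isolated but can still exchange traffic, for instance because they sit in different groups. The second group in the sample, the VLAN map and the function names are assumptions made for illustration, and all ports are assumed to be in one switch or stack.

```python
import re
from itertools import combinations

# Constructed sample in the "show port protected" layout shown above,
# extended with a second group (ge.1.4) for illustration.
SAMPLE_OUTPUT = """\
Group id    Port
----------------------
1           ge.1.1
1           ge.1.2
1           ge.1.3
2           ge.1.4
"""

# Assumed VLAN membership (port -> set of VLAN ids). On a real switch this
# comes from the VLAN configuration, which this section does not show.
SAMPLE_VLANS = {p: {10} for p in
                ("ge.1.1", "ge.1.2", "ge.1.3", "ge.1.4", "ge.1.5")}


def parse_protected(text):
    """Return {port: group_id} from 'show port protected' output."""
    groups = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+([a-z]+\.\d+\.\d+)\s*$", line)
        if m:  # header and separator lines do not match
            groups[m.group(2)] = int(m.group(1))
    return groups


def can_forward(a, b, groups, vlans):
    """Apply the Protected Port Operation rules to one pair of ports."""
    if a == b or not (vlans.get(a, set()) & vlans.get(b, set())):
        return False   # same port, or no VLAN in common
    ga, gb = groups.get(a), groups.get(b)
    if ga is None or gb is None:
        return True    # at least one side is unprotected
    return ga != gb    # blocked only between ports of the same group


def isolation_gaps(must_isolate, groups, vlans):
    """Pairs that should be isolated from each other but are not."""
    return [(a, b) for a, b in combinations(sorted(must_isolate), 2)
            if can_forward(a, b, groups, vlans)]


if __name__ == "__main__":
    groups = parse_protected(SAMPLE_OUTPUT)
    wanted = ["ge.1.1", "ge.1.2", "ge.1.4", "ge.1.5"]
    for a, b in isolation_gaps(wanted, groups, SAMPLE_VLANS):
        print(f"{a} <-> {b}: not isolated")
```

In the sample, ge.1.4 is protected but in group 2, and ge.1.5 is unprotected, so both remain reachable from the group 1 ports.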

set port protected name
Use this command to assign a name to a protected port group id.
Syntax
set port protected name group-id name
Parameters
group-id    Specifies the id of this group. Id can range from 0 to 2.
name        Specifies a name for the group. The name can be up to 32 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to assign the name "group1" to protected port group 1:
C3(rw)->set port protected name 1 group1

show port protected name
Use this command to display the name for the group ids specified.
Syntax
show port protected name group-id
Parameters
group-id    Specifies the id of the group to display. Id can range from 0 to 2.
Defaults
None.
Mode
Read-only.
Example
This example shows how to show the name of protected port group 1:
C3(ro)->show port protected name 1
Group ID    Group Name
-----------------------------
1           group1

clear port protected name
Use this command to clear the name of a protected group.
Syntax
clear port protected name group-id
Parameters
group-id    Specifies the id of the group for which to clear the name. Id can range from 0 to 2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the name of protected port group 1:
C3(rw)->clear port protected name 1
8
SNMP Configuration
This chapter describes the Simple Network Management Protocol (SNMP) set of commands and how to use them.
For information about...                           Refer to page...
SNMP Configuration Summary                         8-1
Reviewing SNMP Statistics                          8-3
Configuring SNMP Users, Groups, and Communities    8-8
Configuring SNMP Access Rights                     8-15
Configuring SNMP MIB Views                         8-19
Configuring SNMP Target Parameters                 8-23
Configuring SNMP Target Addresses                  8-26
Configuring SNMP Notification Parameters           8-29
Creating a Basic SNMP Trap Configuration           8-37
Configuring the SNMP Management Interface          8-39

SNMP Configuration Summary
SNMP is an application-layer protocol that facilitates the exchange of management information between network devices. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.
SecureStack C3 devices support three versions of SNMP:
- Version 1 (SNMPv1): This is the initial implementation of SNMP. Refer to RFC 1157 for a full description of functionality.
- Version 2 (SNMPv2c): The second release of SNMP, described in RFC 1907, has additions and enhancements to data types, counter size, and protocol operations.
- Version 3 (SNMPv3): This is the most recent version of SNMP, and includes significant enhancements to administration and security. SNMPv3 is fully described in RFC 2571, RFC 2572, RFC 2573, RFC 2574, and RFC 2575.
Note: An Enterasys Networks Feature Guide document containing an in-depth discussion of SNMP configuration is located on the Enterasys Networks web site: http://www.enterasys.com/support/manuals/

SNMPv1 and SNMPv2c
The components of SNMPv1 and SNMPv2c network management fall into three categories:
- Managed devices (such as a switch).
- SNMP agents and MIBs, including SNMP traps, community strings, and Remote Monitoring (RMON) MIBs, which run on managed devices.
- SNMP network management applications, such as the Enterasys NetSight application, which communicate with agents to get statistics and alerts from the managed devices.

SNMPv3
SNMPv3 is an interoperable standards-based protocol that provides secure access to devices by authenticating and encrypting frames over the network. The advanced security features provided in SNMPv3 are as follows:
- Message integrity: Collects data securely without being tampered with or corrupted.
- Authentication: Determines the message is from a valid source.
- Encryption: Scrambles the contents of a frame to prevent it from being seen by an unauthorized source.
Unlike SNMPv1 and SNMPv2c, in SNMPv3 the concepts of SNMP agents and SNMP managers no longer apply. These concepts have been combined into an SNMP entity. An SNMP entity consists of an SNMP engine and SNMP applications. An SNMP engine consists of the following four components:
- Dispatcher: This component sends and receives messages.
- Message processing subsystem: This component accepts outgoing PDUs from the dispatcher and prepares them for transmission by wrapping them in a message header and returning them to the dispatcher. The message processing subsystem also accepts incoming messages from the dispatcher, processes each message header, and returns the enclosed PDU to the dispatcher.
- Security subsystem: This component authenticates and encrypts messages.
- Access control subsystem: This component determines which users and which operations are allowed access to managed objects.

About SNMP Security Models and Levels
An SNMP security model is an authentication strategy that is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model. The three levels of SNMP security are: No authentication required (NoAuthNoPriv); authentication required (AuthNoPriv); and privacy (authPriv). A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP frame. Table 8-1 identifies the levels of SNMP security available on SecureStack C3 devices and authentication required within each model.

Table 8-1 SNMP Security Levels
Model  Security Level  Authentication    Encryption  How It Works
v1     NoAuthNoPriv    Community string  None        Uses a community string match for authentication.
v2c    NoAuthNoPriv    Community string  None        Uses a community string match for authentication.
v3     NoAuthNoPriv    User name         None        Uses a user name match for authentication.
v3     AuthNoPriv      MD5 or SHA        None        Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.
v3     authPriv        MD5 or SHA        DES         Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides DES 56-bit encryption in addition to authentication based on the CBC-DES (DES-56) standard.

Using SNMP Contexts to Access Specific MIBs
By default, when operating from the switch CLI, SecureStack C3 devices allow access to all SNMP MIBs or contexts. A context is a collection of MIB objects, often associated with a particular physical or logical device.
If no optional context parameters are configured for v1 and v2 community names and v3 user groups, these groups are able to access all SNMP MIB objects when in switch mode.
Specifying a context parameter when setting up an SNMP user group would permit or restrict the group's switch management access to the MIB(s) specified by the context (MIB object ID) value.
All SNMP contexts known to the device can be displayed using the show snmp context command as described in "show snmp context" on page 8-21.
Example
This example permits the "powergroup" to manage all MIBs via SNMPv3:
C3(su)->set snmp access powergroup security-model usm

Configuration Considerations
Commands for configuring SNMP on the SecureStack C3 device are independent during the SNMP setup process. For instance, target parameters can be specified when setting up optional notification filters even though these parameters have not yet been created with the set snmp targetparams command.

Reviewing SNMP Statistics
Purpose
To review SNMP statistics.
Commands
For information about...    Refer to page...
show snmp engineid          8-4
show snmp counters          8-5

show snmp engineid
Use this command to display the SNMP local engine ID. This is the SNMPv3 engine's administratively unique identifier.
Syntax
show snmp engineid
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP engine properties:
C3(su)->show snmp engineid
EngineId: 80:00:15:f8:03:00:e0:63:9d:b5:87
Engine Boots = 12
Engine Time = 162181
Max Msg Size = 2048
Table 8-2 provides an explanation of the command output.

Table 8-2 show snmp engineid Output Details
Output Field    What It Displays...
EngineId        String identifying the SNMP agent on the device.
Engine Boots    Number of times the SNMP engine has been started or reinitialized.
Engine Time     Time in seconds since last reboot.
Max Msg Size    Maximum accepted length, in bytes, of SNMP frame.

show snmp counters
Use this command to display SNMP traffic counter values.
Syntax
show snmp counters
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP counter values:
C3(su)->show snmp counters
--- mib2 SNMP group counters:
snmpInPkts = 396601
snmpOutPkts = 396601
snmpInBadVersions = 0
snmpInBadCommunityNames = 0
snmpInBadCommunityUses = 0
snmpInASNParseErrs = 0
snmpInTooBigs = 0
snmpInNoSuchNames = 0
snmpInBadValues = 0
snmpInReadOnlys = 0
snmpInGenErrs = 0
snmpInTotalReqVars = 403661
snmpInTotalSetVars = 534
snmpInGetRequests = 290
snmpInGetNexts = 396279
snmpInSetRequests = 32
snmpInGetResponses = 0
snmpInTraps = 0
snmpOutTooBigs = 0
snmpOutNoSuchNames = 11
snmpOutBadValues = 0
snmpOutGenErrs = 0
snmpOutGetRequests = 0
snmpOutGetNexts = 0
snmpOutSetRequests = 0
snmpOutGetResponses = 396601
snmpOutTraps = 0
snmpSilentDrops = 0
snmpProxyDrops = 0

--- USM Stats counters:
usmStatsUnsupportedSecLevels = 0
usmStatsNotInTimeWindows = 0
usmStatsUnknownUserNames = 0
usmStatsUnknownEngineIDs = 0
usmStatsWrongDigests = 0
usmStatsDecryptionErrors = 0
Table 8-3 provides an explanation of the command output.

Table 8-3 show snmp counters Output Details
Output Field                  What It Displays...
snmpInPkts                    Number of messages delivered to the SNMP entity from the transport service.
snmpOutPkts                   Number of SNMP messages passed from the SNMP protocol entity to the transport service.
snmpInBadVersions             Number of SNMP messages delivered to the SNMP entity for an unsupported SNMP version.
snmpInBadCommunityNames       Number of SNMP messages delivered to the SNMP entity that used an SNMP community name not known to the entity.
snmpInBadCommunityUses        Number of SNMP messages delivered to the SNMP entity that represented an SNMP operation not allowed by the SNMP community named in the message.
snmpInASNParseErrs            Number of ASN.1 (Abstract Syntax Notation) or BER (Basic Encoding Rules) errors encountered by the SNMP entity when decoding received SNMP messages.
snmpInTooBigs                 Number of SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as "tooBig".
snmpInNoSuchNames             Number of SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as "noSuchName".
snmpInBadValues               Number of SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as "badValue".
snmpInReadOnlys               Number of valid SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as "readOnly".
snmpInGenErrs                 Number of SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as "genErr".
snmpInTotalReqVars            Number of MIB objects retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP Get-Request and Get-Next PDUs.
snmpInTotalSetVars            Number of MIB objects altered successfully by the SNMP protocol entity as the result of receiving valid SNMP Set-Request PDUs.
snmpInGetRequests             Number of SNMP Get-Request PDUs accepted and processed by the SNMP protocol entity.
snmpInGetNexts                Number of SNMP Get-Next PDUs accepted and processed by the SNMP protocol entity.
snmpInSetRequests             Number of SNMP Set-Request PDUs accepted and processed by the SNMP protocol entity.
snmpInGetResponses            Number of SNMP Get-Response PDUs accepted and processed by the SNMP protocol entity.
snmpInTraps                   Number of SNMP Trap PDUs accepted and processed by the SNMP protocol entity.
snmpOutTooBigs                Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status field as "tooBig".
snmpOutNoSuchNames            Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status as "noSuchName".
snmpOutBadValues              Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status field as "badValue".
snmpOutGenErrs                Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status field as "genErr".
snmpOutGetRequests            Number of SNMP Get-Request PDUs generated by the SNMP protocol entity.
snmpOutGetNexts               Number of SNMP Get-Next PDUs generated by the SNMP protocol entity.
snmpOutSetRequests            Number of SNMP Set-Request PDUs generated by the SNMP protocol entity.
snmpOutGetResponses           Number of SNMP Get-Response PDUs generated by the SNMP protocol entity.
snmpOutTraps                  Number of SNMP Trap PDUs generated by the SNMP protocol entity.
snmpSilentDrops               Number of SNMP Get, Set, or Inform request error messages that were dropped because the reply was larger than the requestor's maximum message size.
snmpProxyDrops                Number of SNMP Get, Set, or Inform request error messages that were dropped because the reply was larger than the proxy target's maximum message size.
usmStatsUnsupportedSecLevels  Number of packets received by the SNMP engine that were dropped because they requested a security level that was unknown to the SNMP engine or otherwise unavailable.
usmStatsNotInTimeWindows      Number of packets received by the SNMP engine that were dropped because they appeared outside of the authoritative SNMP engine's window.
usmStatsUnknownUserNames      Number of packets received by the SNMP engine that were dropped because they referenced a user that was not known to the SNMP engine.
usmStatsUnknownEngineIDs      Number of packets received by the SNMP engine that were dropped because they referenced an snmpEngineID that was not known to the SNMP engine.
usmStatsWrongDigests          Number of packets received by the SNMP engine that were dropped because they did not contain the expected digest value.
usmStatsDecryptionErrors      Number of packets received by the SNMP engine that were dropped because they could not be decrypted.
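
The following is an added example, not part of the Enterasys guide. It compares two captures of "show snmp engineid" plus "show snmp counters" output and reports which rejection counters from Table 8-3 rose between polls, which is how repeated bad community names or failed SNMPv3 authentication show up on the device. The snapshots are constructed, and the threshold, the Counter32 wrap and the reset of counters when Engine Boots changes are assumptions.

```python
import re

# Counters from Table 8-3 that rise when a request is rejected for
# version, community, user, digest, time-window or decoding reasons.
WATCHED = (
    "snmpInBadVersions",
    "snmpInBadCommunityNames",
    "snmpInBadCommunityUses",
    "snmpInASNParseErrs",
    "usmStatsUnsupportedSecLevels",
    "usmStatsNotInTimeWindows",
    "usmStatsUnknownUserNames",
    "usmStatsUnknownEngineIDs",
    "usmStatsWrongDigests",
    "usmStatsDecryptionErrors",
)
COUNTER32_MODULUS = 2 ** 32  # assumption: values wrap like SNMP Counter32

# Constructed snapshots: engineid output followed by counters output.
SNAPSHOT_PREV = """\
Engine Boots = 12
--- mib2 SNMP group counters:
snmpInBadCommunityNames = 0
snmpInBadCommunityUses = 0
--- USM Stats counters:
usmStatsNotInTimeWindows = 4294967290
usmStatsUnknownUserNames = 0
usmStatsWrongDigests = 0
"""
SNAPSHOT_CURR = """\
Engine Boots = 12
--- mib2 SNMP group counters:
snmpInBadCommunityNames = 214
snmpInBadCommunityUses = 0
--- USM Stats counters:
usmStatsNotInTimeWindows = 4
usmStatsUnknownUserNames = 3
usmStatsWrongDigests = 57
"""


def parse_counters(text):
    """Return {field: value} for every 'name = number' line."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z0-9 ]*?)\s*=\s*(\d+)\s*$", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def rejected_deltas(prev, curr):
    """Increase of each WATCHED counter between two parsed snapshots."""
    # Assumption: counters restart from zero when the engine restarts.
    restarted = curr.get("Engine Boots", 0) != prev.get("Engine Boots", 0)
    deltas = {}
    for name in WATCHED:
        old, new = prev.get(name, 0), curr.get(name, 0)
        if restarted:
            delta = new
        elif new < old:
            delta = new + COUNTER32_MODULUS - old  # counter wrapped
        else:
            delta = new - old
        if delta:
            deltas[name] = delta
    return deltas


def alerts(prev_text, curr_text, threshold=5):
    """Names of watched counters that rose by at least `threshold`."""
    deltas = rejected_deltas(parse_counters(prev_text),
                             parse_counters(curr_text))
    return sorted(name for name, n in deltas.items() if n >= threshold)


if __name__ == "__main__":
    for name in alerts(SNAPSHOT_PREV, SNAPSHOT_CURR):
        print("rejections rising:", name)
```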

Configuring SNMP Users, Groups, and Communities
Purpose
To review and configure SNMP users, groups, and v1 and v2 communities. These are defined as follows:
- User: A person registered in SNMPv3 to access SNMP management.
- Group: A collection of users who share the same SNMP access privileges.
- Community: A name used to authenticate SNMPv1 and v2 users.
Commands
For information about...    Refer to page...
show snmp user              8-8
set snmp user               8-9
clear snmp user             8-11
show snmp group             8-11
set snmp group              8-12
clear snmp group            8-13
show snmp community         8-13
set snmp community          8-14
clear snmp community        8-15

show snmp user
Use this command to display information about SNMP users. These are people registered to access SNMP management.
Syntax
show snmp user [list] | [user] | [remote remote] [volatile | nonvolatile | read-only]
Parameters
list                                  (Optional) Displays a list of registered SNMP user names.
user                                  (Optional) Displays information about a specific user.
remote remote                         (Optional) Displays information about users on a specific remote SNMP engine.
volatile | nonvolatile | read-only    (Optional) Displays user information for a specified storage type.
Defaults
If list is not specified, detailed SNMP information will be displayed.
If user is not specified, information about all SNMP users will be displayed.
If remote is not specified, user information about the local SNMP engine will be displayed.
If not specified, user information for all storage types will be displayed.
Mode
Switch command, read-only.
Examples
This example shows how to display an SNMP user list:
C3(su)->show snmp user list
--- SNMP user information ---
--- List of registered users:
Guest
admin1
admin2
netops
This example shows how to display information for the SNMP "guest" user:
(su)->show snmp user guest
--- SNMP user information ---
EngineId: 00:00:00:63:00:00:00:a1:00:00:00:00
Username = Guest
Auth protocol = usmNoAuthProtocol
Privacy protocol = usmNoPrivProtocol
Storage type = nonVolatile
Row status = active
Table 8-4 provides an explanation of the command output.

Table 8-4 show snmp user Output Details
Output Field        What It Displays...
EngineId            SNMP local engine identifier.
Username            SNMPv1 or v2 community name or SNMPv3 user name.
Auth protocol       Type of authentication protocol applied to this user.
Privacy protocol    Type of encryption protocol applied to this user.
Storage type        Whether entry is stored in volatile, nonvolatile or read-only memory.
Row status          Status of this entry: active, notInService, or notReady.

set snmp user
Use this command to create a new SNMPv3 user.
Syntax
set snmp user user [remote remoteid] [encryption {des | aes}] [privacy privpassword] [authentication {md5 | sha}] [authpassword] [volatile | nonvolatile]
Parameters
user                        Specifies a name for the SNMPv3 user.
remote remoteid             (Optional) Registers the user on a specific remote SNMP engine.
encryption des | aes        (Optional) Specifies the encryption type for this user. AES refers to the Advanced Encryption Standard using a 128 bit key size.
privacy privpassword        (Optional) Specifies an encryption password. Minimum of 8 characters. Required if encryption is specified.
authentication md5 | sha    (Optional) Specifies the authentication type required for this user as MD5 or SHA.
authpassword                (Optional) Specifies a password for this user when authentication is required. Minimum of 8 characters.
volatile | nonvolatile      (Optional) Specifies a storage type for this user entry.
Defaults
If remote is not specified, the user will be registered for the local SNMP engine.
If encryption is not specified, no encryption will be applied.
If authentication is not specified, no authentication will be applied.
If storage type is not specified, nonvolatile will be applied.
Mode
Switch command, read-write.
Usage
Although all the parameters except for the user name are optional, if you are entering any of the optional parameters, it is recommended that you enter them in the order shown in the syntax statement.
Examples
This example shows how to create a new SNMP user named "netops". By default, this user will be registered on the local SNMP engine without authentication and encryption. Entries related to this user will be stored in permanent (nonvolatile) memory:
C3(su)->set snmp user netops
This example creates a new SNMP user named "admin" with DES encryption and MD5 authentication required. The encryption password is "admintest1" and the authentication password is "admintest2". By default, this user will be registered on the local SNMP engine and entries related to this user will be stored in permanent (nonvolatile) memory.
C3(su)->set snmp user admin encryption des privacy admintest1 authentication md5 admintest2

clear snmp user
Use this command to remove a user from the SNMPv3 security-model list.
Syntax
clear snmp user user [remote remote]
Parameters
user             Specifies an SNMPv3 user to remove.
remote remote    (Optional) Removes the user from a specific remote SNMP engine.
Defaults
If remote is not specified, the user will be removed from the local SNMP engine.
Mode
Switch command, read-write.
Example
This example shows how to remove the SNMP user named "bill":
C3(su)->clear snmp user bill

show snmp group
Use this command to display an SNMP group configuration. An SNMP group is a collection of SNMPv3 users who share the same access privileges.
Syntax
show snmp group [groupname groupname] [user user] [security-model {v1 | v2c | usm}] [volatile | nonvolatile | read-only]
Parameters
groupname groupname                   (Optional) Displays information for a specific SNMP group.
user user                             (Optional) Displays information about users within the specified group.
security-model v1 | v2c | usm         (Optional) Displays information about groups assigned to a specific security SNMP model.
volatile | nonvolatile | read-only    (Optional) Displays SNMP group information for a specified storage type.
Defaults
If groupname is not specified, information about all SNMP groups will be displayed.
If user is not specified, information about all SNMP users will be displayed.
If security-model is not specified, user information about all SNMP versions will be displayed.
If not specified, information for all storage types will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP group information:
C3(su)->show snmp group
--- SNMP group information ---
Security model = SNMPv1
Security/user name = public
Group name = Anyone
Storage type = nonVolatile
Row status = active

Security model = SNMPv1
Security/user name = public.router1
Group name = Anyone
Storage type = nonVolatile
Row status = active
Table 8-5 provides an explanation of the command output.

Table 8-5 show snmp group Output Details
Output Field          What It Displays...
Security model        SNMP version associated with this group.
Security/user name    User belonging to the SNMP group.
Group name            Name of SNMP group.
Storage type          Whether entry is stored in volatile, nonvolatile or read-only memory.
Row status            Status of this entry: active, notInService, or notReady.

set snmp group
Use this command to create an SNMP group. This associates SNMPv3 users to a group that shares common access privileges.
Syntax
set snmp group groupname user user security-model {v1 | v2c | usm} [volatile | nonvolatile]
Parameters
groupname                        Specifies an SNMP group name to create.
user user                        Specifies an SNMPv3 user name to assign to the group.
security-model v1 | v2c | usm    Specifies an SNMP security model to assign to the group.
volatile | nonvolatile           (Optional) Specifies a storage type for SNMP entries associated with the group.
Defaults
If storage type is not specified, nonvolatile storage will be applied.
Mode
Switch command, read-write.
Example
This example shows how to create an SNMP group called "anyone", assign a user named "public" and assign SNMPv3 security to the group:
C3(su)->set snmp group anyone user public security-model usm

clear snmp group
Use this command to clear SNMP group settings globally or for a specific SNMP group and user.
Syntax
clear snmp group groupname user [security-model {v1 | v2c | usm}]
Parameters
groupname                        Specifies the SNMP group to be cleared.
user                             Specifies the SNMP user to be cleared.
security-model v1 | v2c | usm    (Optional) Clears the settings associated with a specific security model.
Defaults
If not specified, settings related to all security models will be cleared.
Mode
Switch command, read-write.
Example
This example shows how to clear all settings assigned to the "public" user within the SNMP group "anyone":
C3(su)->clear snmp group anyone public

show snmp community
Use this command to display SNMP community names and status. In SNMPv1 and v2, community names act as passwords to remote management.
Syntax
show snmp community [name]
Parameters
name    (Optional) Displays SNMP information for a specific community name.
Defaults
If name is not specified, information will be displayed for all SNMP communities.
Mode
Switch command, read-only.
Example
This example shows how to display information about the SNMP "public" community name. For a description of this output, refer to "set snmp community" (page 8-14).
C3(su)->show snmp community public

--- Configured community strings ---

Name = *********
Security name = public
Context =
Transport tag =
Storage type = nonVolatile
Status = active

set snmp community
Use this command to configure an SNMP community group.
Syntax
set snmp community community [securityname securityname] [context context] [transport transport] [volatile | nonvolatile]
Parameters
community                    Specifies a community group name.
securityname securityname    (Optional) Specifies an SNMP security name to associate with this community.
context context              (Optional) Specifies a subset of management information this community will be allowed to access. Valid values are full or partial context names. To review all contexts configured for the device, use the show snmp context command as described in "show snmp context" on page 8-21.
transport transport          (Optional) Specifies the set of transport endpoints from which an SNMP request with this community name will be accepted. Makes a link to a target address table.
volatile | nonvolatile       (Optional) Specifies the storage type for these entries.
Defaults
If securityname is not specified, the community name will be used.
If context is not specified, the default (NULL) context is applied.
If transport tag is not specified, none will be applied.
If storage type is not specified, nonvolatile will be applied.
Mode
Switch command, read-write.
Usage
When you configure a community name, if you don't specify a context with the context parameter, the default (NULL) context is applied. If you want to change a configured context back to the default (NULL) context, enter a hyphen as the value of the context parameter, as shown in the Examples below.
Examples
This example shows how to set an SNMP community name called "vip".
C3(su)->set snmp community vip
This example shows how to set the context for SNMP community "vip" to the default NULL context.
C3(su)->set snmp community vip context -

clear snmp community
Use this command to delete an SNMP community name.
Syntax
clear snmp community name
Parameters
name    Specifies the SNMP community name to clear.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete the community name "vip".
C3(su)->clear snmp community vip

Configuring SNMP Access Rights
Purpose
To review and configure SNMP access rights, assigning viewing privileges and security levels to SNMP user groups.
Commands
For information about...    Refer to page...
show snmp access            8-16
set snmp access             8-18
clear snmp access           8-19

show snmp access
Use this command to display access rights and security levels configured for one or more SNMP groups.
Syntax
show snmp access [groupname] [security-model {v1 | v2c | usm}] [noauthentication | authentication | privacy] [context context] [volatile | nonvolatile | read-only]
Parameters
groupname                                     (Optional) Displays access information for a specific SNMPv3 group.
security-model v1 | v2c | usm                 (Optional) Displays access information for SNMP security model version 1, 2c or 3 (usm).
noauthentication | authentication | privacy   (Optional) Displays access information for a specific security level.
context context                               (Optional) Displays access information for a specific context. For a description of how to specify SNMP contexts, refer to "Using SNMP Contexts to Access Specific MIBs" on page 8-3.
volatile | nonvolatile | read-only            (Optional) Displays access entries for a specific storage type.
Defaults
If groupname is not specified, access information for all SNMP groups will be displayed.
If security-model is not specified, access information for all SNMP versions will be displayed.
If noauthentication, authentication or privacy are not specified, access information for all security levels will be displayed.
If context is not specified, all contexts will be displayed.
If volatile, nonvolatile or read-only are not specified, all entries of all storage types will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP access information:
C3(su)->show snmp access
Group = SystemAdmin
Security model = USM
Security level = noAuthNoPriv
Read View = All
Write View =
Notify View = All
Context match = exact match
Storage type = nonVolatile
Row status = active
Group = NightOperator
Security model = USM
Security level = noAuthNoPriv
Read View = All
Write View =
Notify View = All
Context match = exact match
Storage type = nonVolatile
Row status = active
Table 8-6 provides an explanation of the command output.

Table 8-6 show snmp access Output Details
Output Field      What It Displays...
Group             SNMP group name.
Security model    Security model applied to this group. Valid types are: SNMPv1, SNMPv2c, and SNMPv3 (User based - USM).
Security level    Security level applied to this group. Valid levels are: noAuthNoPrivacy (no authentication required); AuthNoPrivacy (authentication required); authPriv (privacy -- most secure level).
Read View         Name of the view that allows this group to view SNMP MIB objects.
Write View        Name of the view that allows this group to configure the contents of the SNMP agent.
Notify View       Name of the view that allows this group to send an SNMP trap message.
Context match     Whether or not SNMP context match must be exact (full context name match) or a partial match with a given prefix.
Storage type      Whether access entries for this group are stored in volatile, nonvolatile or read-only memory.
Row status        Status of this entry: active, notInService, or notReady.
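
The following is an added example, not part of the Enterasys guide. It parses "show snmp access" output in the layout shown above and flags access entries that use a community-based model, sit below a chosen minimum security level from Table 8-1, or grant a write view without privacy. The NetOps and Legacy entries in the sample are constructed, and the finding labels and the default minimum of authPriv are assumptions.

```python
# Security levels from Table 8-1, weakest first.
LEVEL_RANK = {"noauthnopriv": 0, "authnopriv": 1, "authpriv": 2}

# First entry is from the example above; the other two are constructed.
SAMPLE_OUTPUT = """\
Group = SystemAdmin
Security model = USM
Security level = noAuthNoPriv
Read View = All
Write View =
Notify View = All
Context match = exact match
Storage type = nonVolatile
Row status = active
Group = NetOps
Security model = USM
Security level = authPriv
Read View = All
Write View = All
Notify View = All
Context match = exact match
Storage type = nonVolatile
Row status = active
Group = Legacy
Security model = SNMPv2c
Security level = noAuthNoPriv
Read View = All
Write View = All
Notify View = All
Context match = exact match
Storage type = nonVolatile
Row status = active
"""


def parse_access(text):
    """Split the output into one dict per entry; a 'Group' line starts one."""
    entries = []
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "group":
            entries.append({})
        if entries:
            entries[-1][key] = value
    return entries


def normalize_level(level):
    """Treat 'noAuthNoPriv' and 'noAuthNoPrivacy' spellings alike."""
    return level.lower().replace("privacy", "priv")


def audit(entries, minimum="authPriv"):
    """Return (group, finding) pairs for entries weaker than `minimum`."""
    floor = LEVEL_RANK[normalize_level(minimum)]
    findings = []
    for entry in entries:
        group = entry.get("group", "")
        model = entry.get("security model", "").upper()
        rank = LEVEL_RANK.get(normalize_level(entry.get("security level", "")))
        if model not in ("USM", "SNMPV3"):
            # v1/v2c: community string only, no encryption (Table 8-1)
            findings.append((group, "community-model"))
        if rank is None:
            findings.append((group, "unknown-level"))
        elif rank < floor:
            findings.append((group, "below-minimum"))
        if entry.get("write view") and (rank is None or rank < LEVEL_RANK["authpriv"]):
            findings.append((group, "write-without-privacy"))
    return findings


if __name__ == "__main__":
    for group, finding in audit(parse_access(SAMPLE_OUTPUT)):
        print(f"{group}: {finding}")
```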

set snmp access
Use this command to set an SNMP access configuration.
Syntax
set snmp access groupname security-model {v1 | v2c | usm} [noauthentication | authentication | privacy] [context context] [exact | prefix] [read read] [write write] [notify notify] [volatile | nonvolatile]
Parameters
groupname                                     Specifies a name for an SNMPv3 group.
security-model v1 | v2c | usm                 Specifies SNMP version 1, 2c or 3 (usm).
noauthentication | authentication | privacy   (Optional) Applies SNMP security level as no authentication, authentication (without privacy) or privacy. Privacy specifies that messages sent on behalf of the user are protected from disclosure.
context context exact | prefix                (Optional) Sets the context for this access configuration and specifies that the match must be exact (matching the whole context string) or a prefix match only. Context is a subset of management information this SNMP group will be allowed to access. Valid values are full or partial context names. To review all contexts configured for the device, use the show snmp context command as described in "show snmp context" on page 8-21.
read read                                     (Optional) Specifies a read access view.
write write                                   (Optional) Specifies a write access view.
notify notify                                 (Optional) Specifies a notify access view.
volatile | nonvolatile | read-only            (Optional) Stores associated SNMP entries as temporary or permanent, or read-only.
Defaults
If security level is not specified, no authentication will be applied.
If context is not specified, access will be enabled for the default context. If context is specified without a context match, exact match will be applied.
If read view is not specified, none will be applied.
If write view is not specified, none will be applied.
If notify view is not specified, none will be applied.
If storage type is not specified, entries will be stored as permanent and will be held through device reboot.
Mode
Switch command, read-write.
Example
This example permits the "powergroup" to manage all MIBs via SNMPv3:
C3(su)->set snmp access powergroup security-model usm

clear snmp access
Use this command to clear the SNMP access entry of a specific group, including its set SNMP security-model, and level of security.
Syntax
clear snmp access groupname security-model {v1 | v2c | usm} [noauthentication | authentication | privacy] [context context]
Parameters
groupname                                     Specifies the name of the SNMP group for which to clear access.
security-model v1 | v2c | usm                 Specifies the security model to be cleared for the SNMP access group.
noauthentication | authentication | privacy   (Optional) Clears a specific security level for the SNMP access group.
context context                               (Optional) Clears a specific context for the SNMP access group. Enter // to clear the default context.
Defaults
If security level is not specified, all levels will be cleared.
If context is not specified, none will be applied.
Mode
Switch command, read-write.
Example
This example shows how to clear SNMP version 3 access for the "mis-group" via the authentication protocol:
C3(su)->clear snmp access mis-group security-model usm authentication

Configuring SNMP MIB Views
Purpose
To review and configure SNMP MIB views. SNMP views map SNMP objects to access rights.
Commands
For information about...    Refer to page...
show snmp view              8-20
show snmp context           8-21
set snmp view               8-21
clear snmp view             8-22
show snmp view
Use this command to display the MIB configuration for SNMPv3 view-based access (VACM).
Syntax
show snmp view [viewname] [subtree oid-or-mibobject] [volatile | nonvolatile | read-only]
Parameters
viewname                              (Optional) Displays information for a specific MIB view.
subtree oid-or-mibobject              (Optional) Displays information for a specific MIB subtree when viewname is specified.
volatile | nonvolatile | read-only    (Optional) Displays entries for a specific storage type.
Defaults
If no parameters are specified, all SNMP MIB view configuration information will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP MIB view configuration information:
C3(su)->show snmp view

--- SNMP MIB View information ---
View Name       = All
Subtree OID     = 1
Subtree mask    =
View Type       = included
Storage type    = nonVolatile
Row status      = active

View Name       = All
Subtree OID     = 0.0
Subtree mask    =
View Type       = included
Storage type    = nonVolatile
Row status      = active

View Name       = Network
Subtree OID     = 1.3.6.1.2.1
Subtree mask    =
View Type       = included
Storage type    = nonVolatile
Row status      = active
Table 8-7 provides an explanation of the command output. For details on using the set snmp view
command to assign variables, refer to "set snmp view" on page 8-21.
Table 8-7 show snmp view Output Details
Output Field    What It Displays...
View Name       Name assigned to a MIB view.
Subtree OID     Name identifying a MIB subtree.
Subtree mask    Bitmask applied to a MIB subtree.
View Type       Whether or not subtree use must be included or excluded for this view.
Storage type    Whether storage is in nonVolatile or Volatile memory.
Row status      Status of this entry: active, notInService, or notReady.
show snmp context
Use this command to display the context list configuration for SNMP's view-based access control.
Syntax
show snmp context
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
An SNMP context is a collection of management information that can be accessed by an SNMP
agent or entity. The default context allows all SNMP agents to access all management information
(MIBs). When created using the set snmp access command ("set snmp access" on page 8-18), other
contexts can be applied to limit access to a subset of management information.
Example
This example shows how to display a list of all SNMP contexts known to the device:
C3(su)->show snmp context

--- Configured contexts:
default context (all mibs)
set snmp view
Use this command to set a MIB configuration for SNMPv3 view-based access (VACM).
Syntax
set snmp view viewname viewname subtree subtree [mask mask] [included | excluded] [volatile | nonvolatile]
Parameters
viewname viewname         Specifies a name for a MIB view.
subtree subtree           Specifies a MIB subtree name.
mask mask                 (Optional) Specifies a bitmask for a subtree.
included | excluded       (Optional) Specifies subtree use (default) or no subtree use.
volatile | nonvolatile    (Optional) Specifies the use of temporary or permanent (default) storage.
Defaults
If not specified, mask will be set to 255.255.255.255.
If not specified, subtree use will be included.
If storage type is not specified, nonvolatile (permanent) will be applied.
Mode
Switch command, read-write.
Example
This example shows how to set an SNMP MIB view to "public" with a subtree name of 1.3.6.1
included:
C3(su)->set snmp view viewname public subtree 1.3.6.1 included
clear snmp view
Use this command to delete an SNMPv3 MIB view.
Syntax
clear snmp view viewname subtree
Parameters
viewname    Specifies the MIB view name to be deleted.
subtree     Specifies the subtree name of the MIB view to be deleted.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete SNMP MIB view "public":
C3(su)->clear snmp view public 1.3.6.1
Configuring SNMP Target Parameters
Purpose
To review and configure SNMP target parameters. This controls where and under what
circumstances SNMP notifications will be sent. A target parameter entry can be bound to a target
IP address allowed to receive SNMP notification messages with the set snmp targetaddr
command ("set snmp targetaddr" on page 8-27).
Commands
For information about...    Refer to page...
show snmp targetparams      8-23
set snmp targetparams       8-24
clear snmp targetparams     8-25
show snmp targetparams
Use this command to display SNMP parameters used to generate a message to a target.
Syntax
show snmp targetparams [targetParams] [volatile | nonvolatile | read-only]
Parameters
targetParams                          (Optional) Displays entries for a specific target parameter.
volatile | nonvolatile | read-only    (Optional) Displays target parameter entries for a specific storage type.
Defaults
If targetParams is not specified, entries associated with all target parameters will be displayed.
If not specified, entries of all storage types will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP target parameters information:
C3(su)->show snmp targetparams
--- SNMP TargetParams information ---
Target Parameter Name = v1ExampleParams
Security Name         = public
Message Proc. Model   = SNMPv1
Security Level        = noAuthNoPriv
Storage type          = nonVolatile
Row status            = active

Target Parameter Name = v2cExampleParams
Security Name         = public
Message Proc. Model   = SNMPv2c
Security Level        = noAuthNoPriv
Storage type          = nonVolatile
Row status            = active

Target Parameter Name = v3ExampleParams
Security Name         = CharlieDChief
Message Proc. Model   = USM
Security Level        = authNoPriv
Storage type          = nonVolatile
Row status            = active
Table 8-8 provides an explanation of the command output.
Table 8-8 show snmp targetparams Output Details
Output Field             What It Displays...
Target Parameter Name    Unique identifier for the parameter in the SNMP target parameters table. Maximum length is 32 bytes.
Security Name            Security string definition.
Message Proc. Model      SNMP version.
Security Level           Type of security level (auth: security level is set to use authentication protocol, noauth: security level is not set to use authentication protocol, or privacy).
Storage type             Whether entry is stored in volatile, nonvolatile or read-only memory.
Row status               Status of this entry: active, notInService, or notReady.
set snmp targetparams
Use this command to set SNMP target parameters, a named set of security/authorization criteria
used to generate a message to a target.
Syntax
set snmp targetparams paramsname user user security-model {v1 | v2c | usm} message-processing {v1 | v2c | v3} [noauthentication | authentication | privacy] [volatile | nonvolatile]
Parameters
paramsname                                     Specifies a name identifying parameters used to generate SNMP messages to a particular target.
user user                                      Specifies an SNMPv1 or v2 community name or an SNMPv3 user name. Maximum length is 32 bytes.
security-model v1 | v2c | usm                  Specifies the SNMP security model applied to this target parameter as version 1, 2c or 3 (usm).
message-processing v1 | v2c | v3               Specifies the SNMP message processing model applied to this target parameter as version 1, 2c or 3.
noauthentication | authentication | privacy    (Optional) Specifies the SNMP security level applied to this target parameter as no authentication, authentication (without privacy) or privacy. Privacy specifies that messages sent on behalf of the user are protected from disclosure.
volatile | nonvolatile                         (Optional) Specifies the storage type applied to this target parameter.
Defaults
None.
If not specified, security level will be set to noauthentication.
If not specified, storage type will be set to nonvolatile.
Mode
Switch command, read-write.
Example
This example shows how to set SNMP target parameters named "v1ExampleParams" for a user
named "fred" using version 3 security model and message processing, and authentication:
C3(su)->set snmp targetparams v1ExampleParams user fred security-model usm message-processing v3 authentication
clear snmp targetparams
Use this command to clear the SNMP target parameter configuration.
Syntax
clear snmp targetparams targetParams
Parameters
targetParams    Specifies the name of the parameter in the SNMP target parameters table to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear SNMP target parameters named "v1ExampleParams":
C3(su)->clear snmp targetparams v1ExampleParams
Configuring SNMP Target Addresses
Purpose
To review and configure SNMP target addresses which will receive SNMP notification messages.
An address configuration can be linked to optional SNMP transmit, or target, parameters (such as
timeout, retry count, and UDP port) set with the set snmp targetparams command (page 8-24).
Commands
For information about...    Refer to page...
show snmp targetaddr        8-26
set snmp targetaddr         8-27
clear snmp targetaddr       8-28
show snmp targetaddr
Use this command to display SNMP target address information.
Syntax
show snmp targetaddr [targetAddr] [volatile | nonvolatile | read-only]
Parameters
targetAddr                            (Optional) Displays information for a specific target address name.
volatile | nonvolatile | read-only    (Optional) When target address is specified, displays target address information for a specific storage type.
Defaults
If targetAddr is not specified, entries for all target address names will be displayed.
If not specified, entries of all storage types will be displayed for a target address.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP target address information:
C3(su)->show snmp targetaddr
Target Address Name = labmachine
Tag List            = v2cTrap
IP Address          = 10.2.3.116
UDP Port#           = 162
Target Mask         = 255.255.255.255
Timeout             = 1500
Retry count         = 4
Parameters          = v2cParams
Storage type        = nonVolatile
Row status          = active
Table 8-9 provides an explanation of the command output.
Table 8-9 show snmp targetaddr Output Details
Output Field           What It Displays...
Target Address Name    Unique identifier in the snmpTargetAddressTable.
Tag List               Tags a location to the target address as a place to send notifications.
IP Address             Target IP address.
UDP Port#              Number of the UDP port of the target host to use.
Target Mask            Target IP address mask.
Timeout                Timeout setting for the target address.
Retry count            Retry setting for the target address.
Parameters             Entry in the snmpTargetParamsTable.
Storage type           Whether entry is stored in volatile, nonvolatile or read-only memory.
Row status             Status of this entry: active, notInService, or notReady.
set snmp targetaddr
Use this command to configure an SNMP target address. The target address is a unique identifier
and a specific IP address that will receive SNMP notification messages and determine which
community strings will be accepted. This address configuration can be linked to optional SNMP
transmit parameters (such as timeout, retry count, and UDP port).
Syntax
set snmp targetaddr targetaddr ipaddr param param [udpport udpport] [mask mask] [timeout timeout] [retries retries] [taglist taglist] [volatile | nonvolatile]
Parameters
targetaddr                Specifies a unique identifier to index the snmpTargetAddrTable. Maximum length is 32 bytes.
ipaddr                    Specifies the IP address of the target.
param param               Specifies an entry in the SNMP target parameters table, which is used when generating a message to the target. Maximum length is 32 bytes.
udpport udpport           (Optional) Specifies which UDP port of the target host to use.
mask mask                 (Optional) Specifies the IP mask of the target.
timeout timeout           (Optional) Specifies the maximum round-trip time allowed to communicate to this target address. This value is in .01 seconds and the default is 1500 (15 seconds).
retries retries           (Optional) Specifies the number of message retries allowed if a response is not received. Default is 3.
taglist taglist           (Optional) Specifies a list of SNMP notify tag values. This tags a location to the target address as a place to send notifications. List must be enclosed in quotes and tag values must be separated by a space (for example, "tag1 tag2").
volatile | nonvolatile    (Optional) Specifies temporary (default), or permanent storage for SNMP entries.
Defaults
If not specified, udpport will be set to 162.
If not specified, mask will be set to 255.255.255.255.
If not specified, timeout will be set to 1500.
If not specified, number of retries will be set to 3.
If taglist is not specified, none will be set.
If not specified, storage type will be nonvolatile.
Mode
Switch command, read-write.
Example
This example shows how to configure a trap notification called "TrapSink". This trap notification
will be sent to the workstation 192.168.190.80 (which is target address "tr"). It will use security
and authorization criteria contained in a target parameters entry called "v2cExampleParams". For
more information on configuring a basic SNMP trap, refer to "Creating a Basic SNMP Trap
Configuration" on page 8-37:
C3(su)->set snmp targetaddr tr 192.168.190.80 param v2cExampleParams taglist TrapSink
clear snmp targetaddr
Use this command to delete an SNMP target address entry.
Syntax
clear snmp targetaddr targetAddr
Parameters
targetAddr    Specifies the target address entry to delete.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear SNMP target address entry "tr":
C3(su)->clear snmp targetaddr tr
Configuring SNMP Notification Parameters
About SNMP Notify Filters
Profiles indicating which targets should not receive SNMP notification messages are kept in the
NotifyFilter table. If this table is empty, meaning that no filtering is associated with any SNMP
target, then no filtering will take place. "Traps" or "informs" notifications will be sent to all
destinations in the SNMP targetAddrTable that have tags matching those found in the
NotifyTable.
When the NotifyFilter table contains profile entries, the SNMP agent will find any filter profile
name that corresponds to the target parameter name contained in an outgoing notification
message. It will then apply the appropriate subtree-specific filter when generating notification
messages.
Purpose
To configure SNMP notification parameters and optional filters. Notifications are entities which
handle the generation of SNMP v1 and v2 "traps" or SNMP v3 "informs" messages to select
management targets. Optional notification filters identify which targets should not receive
notifications. For a sample SNMP trap configuration showing how SNMP notification parameters
are associated with security and authorization criteria (target parameters) and mapped to a
management target address, refer to "Creating a Basic SNMP Trap Configuration" on page 8-37.
Commands
For information about...    Refer to page...
show newaddrtrap            8-30
set newaddrtrap             8-30
show snmp notify            8-31
set snmp notify             8-32
clear snmp notify           8-33
show snmp notifyfilter      8-33
set snmp notifyfilter       8-34
clear snmp notifyfilter     8-35
show snmp notifyprofile     8-36
set snmp notifyprofile      8-36
clear snmp notifyprofile    8-37
show newaddrtrap
Use this command to display the global and port-specific status of the SNMP new MAC addresses
trap function.
Syntax
show newaddrtrap [port-string]
Parameters
port-string    (Optional) Displays the status of the new MAC addresses trap function on specific ports.
Defaults
If port-string is not specified, the status of the new MAC addresses trap function will be displayed
for all ports.
Mode
Switch command, read-only.
Usage
By default, this function is disabled globally and per port.
Example
This example displays the New Address Trap state for Gigabit Ethernet ports 1 through 5 in
unit/slot 1.
C3(ro)->show newaddrtrap ge.1.1-5
New Address Traps Globally disabled
Port      Enable State
---------------------
ge.1.1    disabled
ge.1.2    disabled
ge.1.3    disabled
ge.1.4    disabled
ge.1.5    disabled
set newaddrtrap
Use this command to enable or disable SNMP trap messaging, globally or on one or more ports,
when new source MAC addresses are detected.
Syntax
set newaddrtrap [port-string] {enable | disable}
Parameters
port-string         (Optional) Enable or disable the new MAC addresses trap function on specific ports.
enable | disable    Enable or disable the new MAC addresses trap function. If entered without the port-string parameter, enables or disables the function globally. When entered with the port-string parameter, enables or disables the function on specific ports.
Defaults
If port-string is not specified, the trap function is set globally.
Mode
Switch mode, read-write.
Usage
This command enables and disables sending SNMP trap messages when a new source MAC
address is detected by a port. If the port is a CDP port, however, traps for new source MAC
addresses will not be sent.
The default mode is disabled globally and per port.
Example
This example enables the trap function globally and then on Gigabit Ethernet ports 1 through 5 in
unit/slot 1.
C3(rw)->set newaddrtrap enable
C3(rw)->set newaddrtrap ge.1.1-5 enable
show snmp notify
Use this command to display the SNMP notify configuration, which determines the management
targets that will receive SNMP notifications.
Syntax
show snmp notify [notify] [volatile | nonvolatile | read-only]
Parameters
notify                                (Optional) Displays notify entries for a specific notify name.
volatile | nonvolatile | read-only    (Optional) Displays notify entries for a specific storage type.
Defaults
If a notify name is not specified, all entries will be displayed.
If volatile, nonvolatile, or read-only are not specified, all storage type entries will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the SNMP notify information:
C3(su)->show snmp notify

--- SNMP notifyTable information ---
Notify name     = 1
Notify Tag      = Console
Notify Type     = trap
Storage type    = nonVolatile
Row status      = active

Notify name     = 2
Notify Tag      = TrapSink
Notify Type     = trap
Storage type    = nonVolatile
Row status      = active
Table 8-10 provides an explanation of the command output.
Table 8-10 show snmp notify Output Details
Output Field    What It Displays...
Notify name     A unique identifier used to index the SNMP notify table.
Notify Tag      Name of the entry in the SNMP notify table.
Notify Type     Type of notification: SNMPv1 or v2 trap or SNMPv3 InformRequest message.
Storage type    Whether access entry is stored in volatile, nonvolatile, or read-only memory.
Row status      Status of this entry: active, notInService, or notReady.
set snmp notify
Use this command to set the SNMP notify configuration. This creates an entry in the SNMP notify
table, which is used to select management targets who should receive notification messages. This
command's tag parameter can be used to bind each entry to a target address using the set snmp
targetaddr command ("set snmp targetaddr" on page 8-27).
Syntax
set snmp notify notify tag tag [trap | inform] [volatile | nonvolatile]
Parameters
notify                    Specifies an SNMP notify name.
tag tag                   Specifies an SNMP notify tag. This binds the notify name to the SNMP target address table.
trap | inform             (Optional) Specifies SNMPv1 or v2 Trap messages (default) or SNMPv3 InformRequest messages.
volatile | nonvolatile    (Optional) Specifies temporary (default), or permanent storage for SNMP entries.
Defaults
If not specified, message type will be set to trap.
If not specified, storage type will be set to nonvolatile.
Mode
Switch command, read-write.
Example
This example shows how to set an SNMP notify configuration with a notify name of "hello" and a
notify tag of "world". Notifications will be sent as trap messages and storage type will
automatically default to permanent:
C3(su)->set snmp notify hello tag world trap
clear snmp notify
Use this command to clear an SNMP notify configuration.
Syntax
clear snmp notify notify
Parameters
notify    Specifies an SNMP notify name to clear.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the SNMP notify configuration for "hello":
C3(su)->clear snmp notify hello
show snmp notifyfilter
Use this command to display SNMP notify filter information, identifying which profiles will not
receive SNMP notifications.
Syntax
show snmp notifyfilter [profile] [subtree oid-or-mibobject] [volatile | nonvolatile | read-only]
Parameters
profile                               (Optional) Displays a specific notify filter.
subtree oid-or-mibobject              (Optional) Displays a notify filter within a specific subtree.
volatile | nonvolatile | read-only    (Optional) Displays notify filter entries of a specific storage type.
Defaults
If no parameters are specified, all notify filter information will be displayed.
Mode
Switch command, read-only.
Usage
See "About SNMP Notify Filters" on page 8-29 for more information about notify filters.
Example
This example shows how to display SNMP notify filter information. In this case, the notify profile
"pilot1" in subtree 1.3.6 will not receive SNMP notification messages:
C3(su)->show snmp notifyfilter
--- SNMP notifyFilter information ---
Profile         = pilot1
Subtree         = 1.3.6
Filter type     = included
Storage type    = nonVolatile
Row status      = active
set snmp notifyfilter
Use this command to create an SNMP notify filter configuration. This identifies which
management targets should NOT receive notification messages, which is useful for fine-tuning the
amount of SNMP traffic generated.
Syntax
set snmp notifyfilter profile subtree oid-or-mibobject [mask mask] [included | excluded] [volatile | nonvolatile]
Parameters
profile                     Specifies an SNMP filter notify name.
subtree oid-or-mibobject    Specifies a MIB subtree ID target for the filter.
mask mask                   (Optional) Applies a subtree mask.
included | excluded         (Optional) Specifies that subtree is included or excluded.
volatile | nonvolatile      (Optional) Specifies a storage type.
Defaults
If not specified, mask is not set.
If not specified, subtree will be included.
If storage type is not specified, nonvolatile (permanent) will be applied.
Mode
Switch command, read-write.
Usage
See "About SNMP Notify Filters" on page 8-29 for more information about notify filters.
Example
This example shows how to create an SNMP notify filter called "pilot1" with a MIB subtree ID of
1.3.6:
C3(su)->set snmp notifyfilter pilot1 subtree 1.3.6
clear snmp notifyfilter
Use this command to delete an SNMP notify filter configuration.
Syntax
clear snmp notifyfilter profile subtree oid-or-mibobject
Parameters
profile                     Specifies an SNMP filter notify name to delete.
subtree oid-or-mibobject    Specifies a MIB subtree ID containing the filter to be deleted.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete the SNMP notify filter "pilot1":
C3(su)->clear snmp notifyfilter pilot1 subtree 1.3.6
show snmp notifyprofile
Use this command to display SNMP notify profile information. This associates target parameters
to an SNMP notify filter to determine who should not receive SNMP notifications.
Syntax
show snmp notifyprofile [profile] [targetparam targetparam] [volatile | nonvolatile | read-only]
Parameters
profile                               (Optional) Displays a specific notify profile.
targetparam targetparam               (Optional) Displays entries for a specific target parameter.
volatile | nonvolatile | read-only    (Optional) Displays notify filter entries of a specific storage type.
Defaults
If no parameters are specified, all notify profile information will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP notify information for the profile named "area51":
C3(su)->show snmp notifyprofile area51
--- SNMP notifyProfile information ---
Notify Profile  = area51
TargetParam     = v3ExampleParams
Storage type    = nonVolatile
Row status      = active
set snmp notifyprofile
Use this command to create an SNMP notify filter profile configuration. This associates a
notification filter, created with the set snmp notifyfilter command ("set snmp notifyfilter" on
page 8-34), to a set of SNMP target parameters to determine which management targets should
not receive SNMP notifications.
Syntax
set snmp notifyprofile profile targetparam targetparam [volatile | nonvolatile]
Parameters
profile                    Specifies an SNMP filter notify name.
targetparam targetparam    Specifies an associated entry in the SNMP Target Params Table.
volatile | nonvolatile     (Optional) Specifies a storage type.
Defaults
If storage type is not specified, nonvolatile (permanent) will be applied.
Mode
Switch command, read-write.
Example
This example shows how to create an SNMP notify profile named "area51" and associate a target
parameters entry.
C3(su)->set snmp notifyprofile area51 targetparam v3ExampleParams
clear snmp notifyprofile
Use this command to delete an SNMP notify profile configuration.
Syntax
clear snmp notifyprofile profile targetparam targetparam
Parameters
profile                    Specifies an SNMP filter notify name to delete.
targetparam targetparam    Specifies an associated entry in the snmpTargetParamsTable.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete SNMP notify profile "area51":
C3(su)->clear snmp notifyprofile area51 targetparam v3ExampleParams
Creating a Basic SNMP Trap Configuration
Traps are notification messages sent by an SNMPv1 or v2 agent to a network management station,
a console, or a terminal to indicate the occurrence of a significant event, such as when a port or
device goes up or down, when there are authentication failures, and when power supply errors
occur. The following configuration example shows how to use CLI commands to associate SNMP
notification parameters with security and authorization criteria (target parameters), and map the
parameters to a management target address.
Note: This example illustrates how to configure an SNMPv2 trap notification. Creating an
SNMPv1 or v3 Trap, or an SNMPv3 Inform notification would require using the same commands
with different parameters, where appropriate. Always ensure that v1/v2 communities or v3 users
used for generating traps or informs are pre-configured with enough privileges to access
corresponding MIBs.
Complete an SNMPv2 trap configuration on a SecureStack C3 device as follows:
1. Create a community name that will act as an SNMP user password.
2. Create an SNMP target parameters entry to associate security and authorization criteria to the
users in the community created in Step 1.
3. Verify if any applicable SNMP notification entries exist, or create a new one. You will use this
entry to send SNMP notification messages to the appropriate management targets created in
Step 2.
4. Create a target address entry to bind a management IP address to:
- The notification entry and tag name created in Step 3 and
- The target parameters entry created in Step 2.
Table 8-11 shows the commands used to complete an SNMPv2 trap configuration on a
SecureStack C3 device.
Table 8-11 Basic SNMP Trap Configuration
To do this...                                               Use these commands...
Create a community name.                                    set snmp community
Create an SNMP target parameters entry.                     set snmp targetparams
Verify if any applicable SNMP notification entries exist.   show snmp notify
Create a new notification entry.                            set snmp notify
Create a target address entry.                              set snmp targetaddr
Example
This example shows how to:
- Create an SNMP community called mgmt.
- Configure a trap notification called TrapSink.
This trap notification will be sent with the community name mgmt to the workstation
192.168.190.80 (which is target address tr). It will use security and authorization criteria contained
in a target parameters entry called v2cExampleParams.
C3(su)->set snmp community mgmt
C3(su)->set snmp targetparams v2cExampleParams user mgmt security-model v2c message-processing v2c
C3(su)->set snmp notify entry1 tag TrapSink
C3(su)->set snmp targetaddr tr 192.168.190.80 param v2cExampleParams taglist TrapSink
How SNMP Will Use This Configuration
In order to send a trap/notification requested by a MIB code, the SNMP agent requires the
equivalent of a trap "door", a "key" to unlock the door, and a "procedure" for crossing the
doorstep. To determine if all these elements are in place, the SNMP agent proceeds as follows:
1. Determines if the "keys" for trap "doors" do exist. In the example configuration above, the
key that SNMP is looking for is the notification entry created with the set snmp notify
command which, in this case, is a key labeled entry1.
2. Searches for the doors matching such a key. For example, the parameters set for the entry1 key
show that it opens only the door TrapSink.
3. Verifies that the specified door TrapSink is, in fact, available. In this case it was built using the
set snmp targetaddr command. This command also specifies that this door leads to the
management station 192.168.190.80, and the "procedure" (targetparams) to cross the doorstep
is called v2cExampleParams.
4. Verifies that the v2cExampleParams description of how to step through the door is, in fact,
there. The agent checks targetparams entries and determines this description was made with
the set snmp targetparams command, which tells exactly which SNMP protocol to use and
what community name to provide. In this case, the community name is mgmt.
5. Verifies that the mgmt community name is available. In this case, it has been configured using
the set snmp community command.
6. Sends the trap notification message.
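The lookup sequence above can be checked offline against a saved configuration before relying on traps for alerting. The following Python sketch is an added example, not Enterasys code: it parses set snmp lines, follows the notify, targetaddr, targetparams and community steps in the order listed, and reports broken links and unauthenticated notification paths. The function names, finding codes, and the entry2 and lab lines in the sample are assumptions constructed for illustration.

```python
import shlex

# Constructed sample: the four commands from the guide's trap example, followed by
# two constructed entries (entry2, lab) that break the chain on purpose.
SAMPLE_CONFIG = """
set snmp community mgmt
set snmp targetparams v2cExampleParams user mgmt security-model v2c message-processing v2c
set snmp notify entry1 tag TrapSink
set snmp targetaddr tr 192.168.190.80 param v2cExampleParams taglist TrapSink
set snmp notify entry2 tag Console
set snmp targetaddr lab 10.2.3.116 param v2cParams taglist "TrapSink Audit"
"""

# Bare keywords in the command syntax; every other option is a keyword/value pair.
FLAGS = {"noauthentication", "authentication", "privacy",
         "volatile", "nonvolatile", "trap", "inform"}


def _options(tokens):
    """Split the tokens after the positional arguments into pairs and bare flags."""
    opts, flags, i = {}, set(), 0
    while i < len(tokens):
        if tokens[i] in FLAGS:
            flags.add(tokens[i])
            i += 1
        elif i + 1 < len(tokens):
            opts[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"keyword without a value: {tokens[i]}")
    return opts, flags


def parse_config(text):
    """Collect community, targetparams, notify and targetaddr entries from CLI lines."""
    cfg = {"community": set(), "targetparams": {}, "notify": {}, "targetaddr": {}}
    for line in text.splitlines():
        tok = shlex.split(line)          # shlex keeps a quoted taglist as one token
        if len(tok) < 4 or tok[:2] != ["set", "snmp"] or tok[2] not in cfg:
            continue
        table, name = tok[2], tok[3]
        if table == "community":
            cfg[table].add(name)
        elif table == "targetparams":
            opts, flags = _options(tok[4:])
            # Guide default: security level is noauthentication when omitted.
            level = next((f for f in ("privacy", "authentication") if f in flags),
                         "noauthentication")
            cfg[table][name] = {"user": opts["user"],
                                "model": opts["security-model"], "level": level}
        elif table == "notify":
            opts, flags = _options(tok[4:])
            cfg[table][name] = {"tag": opts["tag"],
                                "type": "inform" if "inform" in flags else "trap"}
        elif len(tok) >= 5:              # targetaddr: name, IP address, then options
            opts, _ = _options(tok[5:])
            cfg[table][name] = {"ip": tok[4], "param": opts["param"],
                                "udpport": int(opts.get("udpport", 162)),  # guide default
                                "tags": opts.get("taglist", "").split()}
    return cfg


def resolve_traps(cfg):
    """Follow the agent's steps; return (deliveries, findings)."""
    deliveries, findings = [], []
    for nname, notify in cfg["notify"].items():                 # step 1: the key
        doors = [(a, t) for a, t in cfg["targetaddr"].items()
                 if notify["tag"] in t["tags"]]                 # steps 2-3: the doors
        if not doors:
            findings.append(("unused-tag", f"{nname} -> {notify['tag']}"))
        for aname, addr in doors:
            params = cfg["targetparams"].get(addr["param"])     # step 4: the procedure
            if params is None:
                findings.append(("missing-targetparams", f"{aname} -> {addr['param']}"))
                continue
            # Step 5: only v1/v2c names are checked; USM users are outside this sketch.
            if params["model"] in ("v1", "v2c") and params["user"] not in cfg["community"]:
                findings.append(("missing-community", f"{addr['param']} -> {params['user']}"))
                continue
            deliveries.append((nname, addr["ip"], addr["udpport"],
                               params["model"], params["level"]))   # step 6: sent
            # v1/v2c carry only a community string; USM at noauthentication is
            # likewise unauthenticated.
            if params["model"] != "usm" or params["level"] == "noauthentication":
                findings.append(("no-auth", f"{aname} via {addr['param']}"))
    return deliveries, findings


if __name__ == "__main__":
    sent, problems = resolve_traps(parse_config(SAMPLE_CONFIG))
    for row in sent:
        print("delivers:", row)
    for code, detail in problems:
        print(f"{code}: {detail}")
```

Each command must be on a single line in the input; commands that the guide wraps across two lines need to be joined before parsing.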
Configuring the SNMP Management Interface
Purpose
To configure the source IP address used by the SNMP agent when generating SNMP traps.
Commands
For information about...    Refer to page...
show snmp interface         8-39
set snmp interface          8-40
clear snmp interface        8-41
show snmp interface
Use this command to display the interface used for the source IP address of the SNMP agent when
generating SNMP traps.
Syntax
show snmp interface
Parameters
None.
Defaults
None.
Mode
Switch mode, read-only.
Example
This example displays the output of this command. In this case, the IP address assigned to
loopback interface 1 will be used as the source IP address of the SNMP agent.
C3(rw)->show snmp interface
loopback 1 192.168.10.1
set snmp interface
Use this command to specify the interface used for the source IP address of the SNMP agent when
generating SNMP traps.
Syntax
set snmp interface {loopback loop-ID | vlan vlan-ID}
Parameters
loopback loop-ID    Specifies the loopback interface to be used. The value of loop-ID can range from 0 to 7.
vlan vlan-ID        Specifies the VLAN interface to be used. The value of vlan-ID can range from 1 to 4093.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command allows you to configure the source IP address used by the SNMP agent when
generating SNMP traps. Any of the management interfaces, including VLAN routing interfaces,
can be configured as the source IP address used in packets generated by the SNMP agent.
An interface must have an IP address assigned to it before it can be set by this command.
If no interface is specified, then the IP address of the Host interface will be used.
If a non-loopback interface is configured with this command, application packet egress is
restricted to that interface if the server can be reached from that interface. Otherwise, the packets
are transmitted over the first available route. Packets from the application server are received on
the configured interface.
If a loopback interface is configured, and there are multiple paths to the application server, the
outgoing interface (gateway) is determined based on the best route lookup. Packets from the
application server are then received on the sending interface. If route redundancy is required,
therefore, a loopback interface should be configured.
Example
This example configures an IP address on VLAN interface 100 and then sets that interface as the
SNMP agent source IP address.
C3(rw)->router(Config-if(Vlan 100))#ip address 192.168.10.1 255.255.255.0
C3(rw)->router(Config-if(Vlan 100))#exit
C3(rw)->router(Config)#exit
C3(rw)->router#exit
C3(rw)->router>exit
C3(rw)->set snmp interface vlan 100
C3(rw)->show snmp interface
vlan 100 192.168.10.1
clear snmp interface
Use this command to clear the interface used for the source IP address of the SNMP agent back to
the default of the Host interface.
Syntax
clear snmp interface
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This command returns the interface used for the source IP address of the SNMP agent back to the
default of the Host interface.
C3(rw)->show snmp interface
vlan 100 192.168.10.1
C3(rw)->clear snmp interface
C3(rw)->
9
Spanning Tree Configuration
This chapter describes the Spanning Tree Configuration set of commands and how to use them.
For information about...                             Refer to page...
Spanning Tree Configuration Summary                  9-1
Configuring Spanning Tree Bridge Parameters          9-3
Configuring Spanning Tree Port Parameters            9-34
Configuring Spanning Tree Loop Protect Parameters    9-42
Caution: Spanning Tree configuration should be performed only by personnel who are very
knowledgeable about Spanning Trees and the configuration of the Spanning Tree Algorithm.
Otherwise, the proper operation of the network could be at risk.
Note: An Enterasys Networks Feature Guide document containing an in-depth discussion of
Spanning Tree configuration is located on the Enterasys Networks web site:
http://www.enterasys.com/support/manuals/
Spanning Tree Configuration Summary
Overview: Single, Rapid, and Multiple Spanning Tree Protocols
The IEEE 802.1D Spanning Tree Protocol (STP) resolves the problems of physical loops in a
network by establishing one primary path between any two devices in a network. Any duplicate
paths are barred from use and become standby or blocked paths until the original path fails, at
which point they can be brought into service.
RSTP
The IEEE 802.1w Rapid Spanning Tree Protocol (RSTP), an evolution of 802.1D, can achieve much
faster convergence than legacy STP in a properly configured network. RSTP significantly reduces
the time to reconfigure the network's active topology when physical topology or configuration
parameter changes occur. It selects one switch as the root of a Spanning Tree-connected active
topology and assigns port roles to individual ports on the switch, depending on whether that port
is part of the active topology.
RSTP provides rapid connectivity following the failure of a switch, switch port, or a LAN. A new
root port and the designated port on the other side of the bridge transition to forwarding through
an explicit handshake between them. By default, user ports are configured to rapidly transition to
forwarding in RSTP.
MSTP
The IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) builds upon 802.1D and RSTP by
optimizing utilization of redundant links between switches in a network. When redundant links
exist between a pair of switches running single STP, one link is forwarding while the others are
blocking for all traffic flowing between the two switches. The blocking links are effectively used
only if the forwarding link goes down. MSTP assigns each VLAN present on the network to a
particular Spanning Tree instance, allowing each switch port to be in a distinct state for each such
instance: blocking for one Spanning Tree while forwarding for another. Thus, traffic associated
with one set of VLANs can traverse a particular inter-switch link, while traffic associated with
another set of VLANs can be blocked on that link. If VLANs are assigned to Spanning Trees
wisely, no inter-switch link will be completely idle, maximizing network utilization.
For details on creating Spanning Tree instances, refer to "set spantree msti" on page 9-12.
For details on mapping Spanning Tree instances to VLANs, refer to "set spantree mstmap" on
page 9-14.
Spanning Tree Features
The SecureStack C3 device meets the requirements of the Spanning Tree Protocols by performing
the following functions:
• Creating a single Spanning Tree from any arrangement of switching or bridging elements.
• Compensating automatically for the failure, removal, or addition of any device in an active
  data path.
• Achieving port changes in short time intervals, which establishes a stable active topology
  quickly with minimal network disturbance.
• Using a minimum amount of communications bandwidth to accomplish the operation of the
  Spanning Tree Protocol.
• Reconfiguring the active topology in a manner that is transparent to stations transmitting and
  receiving data packets.
• Managing the topology in a consistent and reproducible manner through the use of Spanning
  Tree Protocol parameters.
Note: MSTP and RSTP are fully compatible and interoperable with each other and with legacy
STP 802.1D.
Note: The term "bridge" is used as an equivalent to the term "switch" or "device" in this document.
Loop Protect
The Loop Protect feature prevents or short circuits loop formation in a network with redundant
paths by requiring ports to receive type 2 BPDUs (RSTP/MSTP) on point-to-point inter-switch
links (ISLs) before their states are allowed to become forwarding. Further, if a BPDU timeout
occurs on a port, its state becomes listening until a BPDU is received.
Both upstream and downstream facing ports are protected. When a root or alternate port loses its
path to the root bridge due to a message age expiration it takes on the role of designated port. It
will not forward traffic until a BPDU is received. When a port is intended to be the designated port
in an ISL it constantly proposes and will not forward until a BPDU is received, and will revert to
listening if it fails to get a response. This protects against misconfiguration and protocol failure by
the connected bridge.
The Disputed BPDU mechanism protects against looping in situations where there is one-way
communication. A disputed BPDU is one in which the flags field indicates a designated role and
learning and the priority vector is worse than that already held by the port. If a disputed BPDU is
received, the port is forced to the listening state. When an inferior designated BPDU with the
learning bit set is received on a designated port, its state is set to discarding to prevent loop
formation. Note that the Dispute mechanism is always active regardless of the configuration
setting of Loop Protection.
Loop Protect operates as a per-port, per-MST instance feature. It should be set on inter-switch
links. It is comprised of several related functions:
• Control of port forwarding state based on reception of agreement BPDUs
• Control of port forwarding state based on reception of disputed BPDUs
• Communicating port non-forwarding status through traps and syslog messages
• Disabling a port based on frequency of failure events
Port forwarding state in the designated port is gated by a timer that is set upon BPDU reception. It
is analogous to the rcvdInfoWhile timer the port uses when receiving root information in the
root/alternate/backup role.
There are two operational modes for Loop Protect on a port. If the port is connected to a device
known to implement Loop Protect, it uses full functional mode. Otherwise the port operates in
limited functional mode.
Connection to a Loop Protect switch guarantees that the alternate agreement mechanism is
implemented. This means the designated port can rely on receiving a response to its proposal
regardless of the role of the connected port, which has two important implications. First, the
designated port connected to a non-root port may transition to forwarding. Second, there is no
ambiguity when a timeout happens; a Loop Protect event has occurred.
In full functional mode, when a type 2 BPDU is received and the port is designated and
point-to-point, the timer is set to 3 times helloTime. In limited functional mode there is the additional
requirement that the flags field indicate a root role. If the port is a boundary port the MSTIs for
that port follow the CIST, that is, the MSTI port timers are set according to the CIST port timer. If
the port is internal to the region then the MSTI port timers are set independently using the
particular MSTI message.
Message age expiration and the expiration of the Loop Protect timer are both Loop Protect events.
A notice level syslog message is produced for each such event. Traps may be configured to report
these events as well. A syslog message and trap may be configured for disputed BPDUs.
It is also configurable to force the locking of a SID/port for the occurrence of one or more events.
When the configured number of events happen within a given window of time, the port is forced
into blocking and held there until it is manually unlocked via management.
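The Loop Protect timer and event-window behaviour described above, as an added Python model for one designated point-to-point port (not Enterasys code). It simplifies the port to forward as soon as a qualifying BPDU arrives, and the names event_threshold and event_window are hypothetical stand-ins for the configured event count and time window.

```python
from collections import deque


class LoopProtectPort:
    """One designated, point-to-point inter-switch port for one MST instance."""

    def __init__(self, hello_time, full_mode, event_threshold, event_window):
        self.hello_time = hello_time            # seconds
        self.full_mode = full_mode              # True: partner known to run Loop Protect
        self.event_threshold = event_threshold  # hypothetical name: events that force a lock
        self.event_window = event_window        # hypothetical name: window in seconds
        self.state = "listening"                # no forwarding before a BPDU is received
        self.expires_at = None                  # Loop Protect timer deadline
        self.events = deque()                   # times of recent Loop Protect events
        self.locked = False

    def poll(self, now):
        """Advance the clock; an expired timer is a Loop Protect event."""
        if self.locked or self.expires_at is None or now < self.expires_at:
            return self.state
        self._event(self.expires_at)
        self.expires_at = None
        return self.state

    def _event(self, when):
        self.state = "listening"
        self.events.append(when)
        # Forget events that fell out of the counting window.
        while self.events and when - self.events[0] > self.event_window:
            self.events.popleft()
        if len(self.events) >= self.event_threshold:
            self.locked = True
            self.state = "blocking"

    def receive_bpdu(self, now, bpdu_type, flags_role):
        """bpdu_type 2 is an RSTP/MSTP BPDU; flags_role is the sender's port role."""
        self.poll(now)
        if self.locked or bpdu_type != 2:
            return self.state
        # Limited functional mode additionally requires a root role in the flags.
        if not self.full_mode and flags_role != "root":
            return self.state
        self.expires_at = now + 3 * self.hello_time
        self.state = "forwarding"
        return self.state

    def unlock(self):
        """Manual unlock through management."""
        self.locked = False
        self.events.clear()
        self.expires_at = None
        self.state = "listening"
```

A locked port ignores further BPDUs in this model until unlock() is called, matching the "held there until it is manually unlocked" behaviour.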
Configuring Spanning Tree Bridge Parameters
Purpose
To display and set Spanning Tree bridge parameters, including device priorities, hello time,
maximum wait time, forward delay, path cost, and topology change trap suppression.
Commands
For information about...                 Refer to page...
show spantree stats                      9-5
set spantree                             9-7
show spantree version                    9-7
set spantree version                     9-8
clear spantree version                   9-9
show spantree bpdu-forwarding            9-9
set spantree bpdu-forwarding             9-10
show spantree bridgeprioritymode         9-10
set spantree bridgeprioritymode          9-11
clear spantree bridgeprioritymode        9-11
show spantree mstilist                   9-12
set spantree msti                        9-12
clear spantree msti                      9-13
show spantree mstmap                     9-13
set spantree mstmap                      9-14
clear spantree mstmap                    9-14
show spantree vlanlist                   9-15
show spantree mstcfgid                   9-15
set spantree mstcfgid                    9-16
clear spantree mstcfgid                  9-16
set spantree priority                    9-17
clear spantree priority                  9-17
set spantree hello                       9-18
clear spantree hello                     9-18
set spantree maxage                      9-19
clear spantree maxage                    9-20
set spantree fwddelay                    9-20
clear spantree fwddelay                  9-21
show spantree backuproot                 9-21
set spantree backuproot                  9-22
clear spantree backuproot                9-22
show spantree tctrapsuppress             9-23
set spantree tctrapsuppress              9-23
clear spantree tctrapsuppress            9-24
set spantree protomigration              9-24
show spantree spanguard                  9-25
set spantree spanguard                   9-25
clear spantree spanguard                 9-26
show spantree spanguardtimeout           9-27
set spantree spanguardtimeout            9-27
clear spantree spanguardtimeout          9-28
show spantree spanguardlock              9-28
clear/set spantree spanguardlock         9-29
show spantree spanguardtrapenable        9-29
set spantree spanguardtrapenable         9-30
clear spantree spanguardtrapenable       9-30
show spantree legacypathcost             9-31
set spantree legacypathcost              9-31
clear spantree legacypathcost            9-32
show spantree autoedge                   9-32
set spantree autoedge                    9-32
clear spantree autoedge                  9-33
show spantree stats
Use this command to display Spanning Tree information for one or more ports.
Syntax
show spantree stats [port port-string] [sid sid] [active]
Parameters
port port-string    (Optional) Displays information for the specified port(s). For a detailed
                    description of possible port-string values, refer to "Port String Syntax Used
                    in the CLI" on page 7-1.
sid sid             (Optional) Displays information for a specific Spanning Tree identifier. If
                    not specified, SID 0 is assumed.
active              (Optional) Displays information for ports that have received STP BPDUs
                    since boot.
Defaults
If port-string is not specified, Spanning Tree information for all ports will be displayed.
If sid is not specified, information for Spanning Tree 0 will be displayed.
If active is not specified, information for all ports will be displayed regardless of whether or not
they have received BPDUs.
Mode
Switch command, read-only.
Example
This example shows how to display the device's Spanning Tree configuration:
C3(su)->show spantree stats

Spanning tree status - enabled
Spanning tree instance - 0
Designated Root MacAddr - 00-e0-63-9d-c1-c8
Designated Root Priority - 0
Designated Root Cost - 10000
Designated Root Port - lag.0.1
Root Max Age - 20 sec
Root Hello Time - 2 sec
Root Forward Delay - 15 sec
Bridge ID MAC Address - 00-01-f4-da-5e-3d
Bridge ID Priority - 32768
Bridge Max Age - 20 sec
Bridge Hello Time - 2 sec
Bridge Forward Delay - 15 sec
Topology Change Count - 7
Time Since Top Change - 00 days 03:19:15
Max Hops - 20
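As an added example (not part of the original guide), the Python sketch below parses the output format shown above and checks it against values an operator knows in advance. The expected root MAC, the baseline topology change count, the recent_window threshold and all function names are assumptions for illustration; the timer check is the IEEE 802.1D relationship 2 x (Forward Delay - 1) >= Max Age >= 2 x (Hello Time + 1).

```python
import re

# Constructed sample: the example output printed in this guide, as captured text.
SAMPLE_STATS = """\
Spanning tree status - enabled
Spanning tree instance - 0
Designated Root MacAddr - 00-e0-63-9d-c1-c8
Designated Root Priority - 0
Designated Root Cost - 10000
Designated Root Port - lag.0.1
Root Max Age - 20 sec
Root Hello Time - 2 sec
Root Forward Delay - 15 sec
Bridge ID MAC Address - 00-01-f4-da-5e-3d
Bridge ID Priority - 32768
Bridge Max Age - 20 sec
Bridge Hello Time - 2 sec
Bridge Forward Delay - 15 sec
Topology Change Count - 7
Time Since Top Change - 00 days 03:19:15
Max Hops - 20
"""


def parse_stats(text):
    """Return {field name: value} from the 'Name - value' lines."""
    fields = {}
    for line in text.splitlines():
        # Split on the first " - " only: MAC addresses contain bare hyphens.
        name, sep, value = line.partition(" - ")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def seconds(value):
    """'20 sec' -> 20"""
    return int(value.split()[0])


def since_change_seconds(value):
    """'00 days 03:19:15' -> seconds elapsed since the last topology change."""
    m = re.fullmatch(r"(\d+) days (\d+):(\d+):(\d+)", value)
    if not m:
        raise ValueError(f"unrecognised time format: {value!r}")
    days, hours, minutes, secs = map(int, m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + secs


def audit(fields, expected_root_mac, baseline_tc_count, recent_window=600):
    """Return a list of finding codes; an empty list means nothing to review."""
    findings = []
    if fields["Spanning tree status"] != "enabled":
        findings.append("stp-disabled")
    # The root should be the bridge the network design intends, not whichever
    # device happens to advertise the best priority.
    if fields["Designated Root MacAddr"].lower() != expected_root_mac.lower():
        findings.append("unexpected-root")
    max_age = seconds(fields["Bridge Max Age"])
    hello = seconds(fields["Bridge Hello Time"])
    fwd = seconds(fields["Bridge Forward Delay"])
    if not (2 * (fwd - 1) >= max_age >= 2 * (hello + 1)):
        findings.append("timer-relationship")
    if int(fields["Topology Change Count"]) > baseline_tc_count:
        findings.append("topology-changed")
    if since_change_seconds(fields["Time Since Top Change"]) < recent_window:
        findings.append("recent-topology-change")
    return findings


if __name__ == "__main__":
    print(audit(parse_stats(SAMPLE_STATS), "00-e0-63-9d-c1-c8", baseline_tc_count=7))
```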
Table 9-1 shows a detailed explanation of command output.
Table 9-1 show spantree Output Details
Output                      What It Displays...
Spanning tree instance      Spanning Tree ID.
Spanning tree status        Whether Spanning Tree is enabled or disabled.
Designated Root MacAddr     MAC address of the designated Spanning Tree root bridge.
Designated Root Port        Port through which the root bridge can be reached.
Designated Root Priority    Priority of the designated root bridge.
Designated Root Cost        Total path cost to reach the root.
Root Max Age                Amount of time (in seconds) a BPDU packet should be considered valid.
Root Hello Time             Interval (in seconds) at which the root device sends BPDU (Bridge Protocol
                            Data Unit) packets.
Root Forward Delay          Amount of time (in seconds) the root device spends in listening or learning
                            mode.
Bridge ID MAC Address       Unique bridge MAC address, recognized by all bridges in the network.
Bridge ID Priority          Bridge priority, which is a default value, or is assigned using the set
                            spantree priority command. For details, refer to "set spantree priority" on
                            page 9-17.
Bridge Max Age              Maximum time (in seconds) the bridge can wait without receiving a
                            configuration message (bridge "hello") before attempting to reconfigure.
                            This is a default value, or is assigned using the set spantree maxage
                            command. For details, refer to "set spantree maxage" on page 9-19.
Bridge Hello Time           Amount of time (in seconds) the bridge sends BPDUs. This is a default
                            value, or is assigned using the set spantree hello command. For details,
                            refer to "set spantree hello" on page 9-18.
Bridge Forward Delay        Amount of time (in seconds) the bridge spends in listening or learning
                            mode. This is a default value, or is assigned using the set spantree
                            fwddelay command. For details, refer to "set spantree fwddelay" on
                            page 9-20.
Topology Change Count       Number of times topology has changed on the bridge.
Time Since Top Change       Amount of time (in days, hours, minutes and seconds) since the last
                            topology change.
Max Hops                    Maximum number of hops information for a particular Spanning Tree
                            instance may traverse (via relay of BPDUs within the applicable MST
                            region) before being discarded.
set spantree
Use this command to globally enable or disable the Spanning Tree protocol on the switch.
Syntax
set spantree {disable | enable}
Parameters
disable | enable    Globally disables or enables Spanning Tree.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable Spanning Tree on the device:
C3(su)->set spantree disable
show spantree version
Use this command to display the current version of the Spanning Tree protocol running on the
device.
Syntax
show spantree version
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display Spanning Tree version information for the device:
C3(su)->show spantree version
Force Version is mstp
set spantree version
Use this command to set the version of the Spanning Tree protocol to MSTP (Multiple Spanning
Tree Protocol), RSTP (Rapid Spanning Tree Protocol) or to STP 802.1D-compatible.
Syntax
set spantree version {mstp | stpcompatible | rstp}
Parameters
mstp             Sets the version to STP 802.1s-compatible.
stpcompatible    Sets the version to STP 802.1D-compatible.
rstp             Sets the version to 802.1w-compatible.
Defaults
None.
Mode
Switch command, read-write.
Usage
In most networks, Spanning Tree version should not be changed from its default setting of mstp
(Multiple Spanning Tree Protocol) mode. MSTP mode is fully compatible and interoperable with
legacy STP 802.1D and Rapid Spanning Tree (RSTP) bridges. Setting the version to stpcompatible
mode will cause the bridge to transmit only 802.1D BPDUs, and will prevent non-edge ports from
rapidly transitioning to forwarding state.
Example
This example shows how to globally change the Spanning Tree version from the default of MSTP
to RSTP:
C3(su)->set spantree version rstp
clear spantree version
Use this command to reset the Spanning Tree version to MSTP mode.
Syntax
clear spantree version
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the Spanning Tree version:
C3(su)->clear spantree version
show spantree bpdu-forwarding
Use this command to display the Spanning Tree BPDU forwarding mode.
Syntax
show spantree bpdu-forwarding
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the Spanning Tree BPDU forwarding mode:
C3(su)->show spantree bpdu-forwarding
BPDU forwarding is disabled.
set spantree bpdu-forwarding
Use this command to enable or disable Spanning Tree BPDU forwarding. By default BPDU
forwarding is disabled.
Syntax
set spantree bpdu-forwarding {disable | enable}
Parameters
disable | enable    Disables or enables BPDU forwarding.
Defaults
By default BPDU forwarding is disabled.
Mode
Switch command, read-write.
Usage
The Spanning Tree protocol must be disabled (set spantree disable) for this feature to take effect.
Example
This example shows how to enable BPDU forwarding:
C3(rw)->set spantree bpdu-forwarding enable
show spantree bridgeprioritymode
Use this command to display the Spanning Tree bridge priority mode setting.
Syntax
show spantree bridgeprioritymode
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the Spanning Tree bridge priority mode setting:
C3(rw)->show spantree bridgeprioritymode
Bridge Priority Mode is set to IEEE802.1t mode.
set spantree bridgeprioritymode
Use this command to set the Spanning Tree bridge priority mode to 802.1D (legacy) or 802.1t.
Syntax
set spantree bridgeprioritymode {8021d | 8021t}
Parameters
8021d    Sets the bridge priority mode to use 802.1D (legacy) values, which are 0-65535.
8021t    Sets the bridge priority mode to use 802.1t values, which are 0 to 61440, in
         increments of 4096. Values will automatically be rounded up or down,
         depending on the 802.1t value to which the entered value is closest.
         This is the default bridge priority mode.
Defaults
None.
Mode
Switch command, read-write.
Usage
The mode affects the range of priority values used to determine which device is selected as the
Spanning Tree root as described in set spantree priority ("set spantree priority" on page 9-17). The
default for the switch is to use 802.1t bridge priority mode.
Example
This example shows how to set the bridge priority mode to 802.1D:
C3(rw)->set spantree bridgeprioritymode 8021d
clear spantree bridgeprioritymode
Use this command to reset the Spanning Tree bridge priority mode to the default setting of 802.1t.
Syntax
clear spantree bridgeprioritymode
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the bridge priority mode to 802.1t:
C3(rw)->clear spantree bridgeprioritymode
show spantree mstilist
Use this command to display a list of Multiple Spanning Tree (MST) instances configured on the
device.
Syntax
show spantree mstilist
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display a list of MST instances. In this case, SID 2 has been configured:
C3(su)->show spantree mstilist
Configured Multiple Spanning Tree instances:
2
set spantree msti
Use this command to create or delete a Multiple Spanning Tree instance.
Syntax
set spantree msti sid sid {create | delete}
Parameters
sid sid            Sets the Multiple Spanning Tree ID. Valid values are 1-4094.
                   SecureStack C3 devices will support up to 4 MST instances.
create | delete    Creates or deletes an MST instance.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to create an MST instance 2:
C3(su)->set spantree msti sid 2 create
clear spantree msti
Use this command to delete one or more Multiple Spanning Tree instances.
Syntax
clear spantree msti [sid sid]
Parameters
sid sid    (Optional) Deletes a specific multiple Spanning Tree ID.
Defaults
If sid is not specified, all MST instances will be cleared.
Mode
Switch command, read-write.
Example
This example shows how to delete all MST instances:
C3(su)->clear spantree msti
show spantree mstmap
Use this command to display the mapping of a filtering database ID (FID) to a Spanning Tree.
Since VLANs are mapped to FIDs, this shows to which SID a VLAN is mapped.
Syntax
show spantree mstmap [fid fid]
Parameters
fid fid    (Optional) Displays information for specific FIDs.
Defaults
If fid is not specified, information for all assigned FIDs will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display SID to FID mapping information for FID 1. In this case, no
new mappings have been configured:
C3(su)->show spantree mstmap fid 1
FID:    SID:
1       0
set spantree mstmap
Use this command to map one or more filtering database IDs (FIDs) to a SID. Since VLANs are
mapped to FIDs, this essentially maps one or more VLAN IDs to a Spanning Tree (SID).
Note: Since any MST maps that are associated with GVRP-generated VLANs will be removed from
the configuration if GVRP communication is lost, it is recommended that you only create MST maps
on statically-created VLANs.
Syntax
set spantree mstmap fid [sid sid]
Parameters
fid        Specifies one or more FIDs to assign to the MST. Valid values are 1-4093,
           and must correspond to a VLAN ID created using the set vlan command.
sid sid    (Optional) Specifies a Multiple Spanning Tree ID. Valid values are 1-4094,
           and must correspond to a SID created using the set msti command.
Defaults
If sid is not specified, FID(s) will be mapped to Spanning Tree 0.
Mode
Switch command, read-write.
Example
This example shows how to map FID 3 to SID 2:
C3(su)->set spantree mstmap 3 sid 2
clear spantree mstmap
Use this command to map a FID back to SID 0.
Syntax
clear spantree mstmap fid
Parameters
fid    Specifies one or more FIDs to reset to 0.
Defaults
If fid is not specified, all SID to FID mappings will be reset.
Mode
Switch command, read-write.
Example
This example shows how to map FID 2 back to SID 0:
C3(su)->clear spantree mstmap 2
show spantree vlanlist
Use this command to display the Spanning Tree ID(s) assigned to one or more VLANs.
Syntax
show spantree vlanlist [vlan-list]
Parameters
vlan-list    (Optional) Displays SIDs assigned to specific VLAN(s).
Defaults
If not specified, SID assignment will be displayed for all VLANs.
Mode
Switch command, read-only.
Example
This example shows how to display the SIDs mapped to VLAN 1. In this case, SIDs 2, 16 and 42
are mapped to VLAN 1. For this information to display, the SID instance must be created using the
set spantree msti command as described in "set spantree msti" on page 9-12, and the FIDs must
be mapped to SID 1 using the set spantree mstmap command as described in "set spantree
mstmap" on page 9-14:
C3(su)->show spantree vlanlist 1
The following SIDS are assigned to VLAN 1: 2 16 42
show spantree mstcfgid
Use this command to display the MST configuration identifier elements, including format selector,
configuration name, revision level, and configuration digest.
Syntax
show spantree mstcfgid
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the MST configuration identifier elements. In this case, the
default revision level of 0, and the default configuration name (a string representing the bridge
MAC address) have not been changed. For information on using the set spantree mstcfgid
command to change these settings, refer to "set spantree mstcfgid" on page 9-16:
C3(su)->show spantree mstcfgid
MST Configuration Identifier:
Format Selector: 0
Configuration Name: 00:01:f4:89:51:94
Revision Level: 0
Configuration Digest: ac:36:17:7f:50:28:3c:d4:b8:38:21:d8:ab:26:de:62
set spantree mstcfgid
Use this command to set the MST configuration name and/or revision level.
Syntax
set spantree mstcfgid {cfgname name | rev level}
Parameters
cfgname name    Specifies an MST configuration name.
rev level       Specifies an MST revision level. Valid values are 0-65535.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the MST configuration name to "mstconfig":
C3(su)->set spantree mstcfgid cfgname mstconfig
clear spantree mstcfgid
Use this command to reset the MST revision level to a default value of 0, and the configuration
name to a default string representing the bridge MAC address.
Syntax
clear spantree mstcfgid
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the MST configuration identifier elements to default values:
C3(su)->clear spantree mstcfgid
set spantree priority
Use this command to set the device's Spanning Tree priority.
Syntax
set spantree priority priority [sid]
Parameters
priority    Specifies the priority of the bridge. Valid values are from 0 to 61440 (in
            increments of 4096), with 0 indicating highest priority and 61440
            lowest priority.
sid         (Optional) Sets the priority on a specific Spanning Tree. Valid values
            are 0-4094. If not specified, SID 0 is assumed.
Defaults
If sid is not specified, priority will be set on Spanning Tree 0.
Mode
Switch command, read-write.
Usage
The device with the highest priority (lowest numerical value) becomes the Spanning Tree root
device. If all devices have the same priority, the device with the lowest MAC address will then
become the root device. Depending on the bridge priority mode (set with the set spantree
bridgeprioritymode command described in "set spantree bridgeprioritymode" on page 9-11),
some priority values may be rounded up or down.
Example
This example shows how to set the bridge priority to 4096 on SID 1:
C3(su)->set spantree priority 4096 1
clear spantree priority
Use this command to reset the Spanning Tree priority to the default value of 32768.
Syntax
clear spantree priority [sid]
Parameters
sid    (Optional) Resets the priority on a specific Spanning Tree. Valid values
       are 0-4094. If not specified, SID 0 is assumed.
Defaults
If sid is not specified, priority will be reset on Spanning Tree 0.
Mode
Switch command, read-write.
Example
This example shows how to reset the bridge priority on SID 1:
C3(su)->clear spantree priority 1
set spantree hello
Use this command to set the device's Spanning Tree hello time. This is the time interval (in
seconds) at which the device will transmit BPDUs indicating it is active.
Syntax
set spantree hello interval
Parameters
interval    Specifies the number of seconds the system waits before broadcasting a
            bridge hello message (a multicast message indicating that the system is
            active). Valid values are 1-10.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to globally set the Spanning Tree hello time to 10 seconds:
C3(su)->set spantree hello 10
clear spantree hello
Use this command to reset the Spanning Tree hello time to the default value of 2 seconds.
Syntax
clear spantree hello
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to globally reset the Spanning Tree hello time:
C3(su)->clear spantree hello
set spantree maxage
Use this command to set the bridge maximum aging time.
Syntax
set spantree maxage agingtime
Parameters
agingtime    Specifies the maximum number of seconds that the system retains the
             information received from other bridges through STP. Valid values are 6-40.
Defaults
None.
Mode
Switch command, read-write.
Usage
The bridge maximum aging time is the maximum time (in seconds) a device can wait without
receiving a configuration message (bridge "hello") before attempting to reconfigure. All device
ports (except for designated ports) should receive configuration messages at regular intervals.
Any port that ages out STP information provided in the last configuration message becomes the
designated port for the attached LAN. If it is a root port, a new root port is selected from among
the device ports attached to the network.
Example
This example shows how to set the maximum aging time to 25 seconds:
C3(su)->set spantree maxage 25
clear spantree maxage
Use this command to reset the maximum aging time for a Spanning Tree to the default value of 20
seconds.
Syntax
clear spantree maxage
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to globally reset the maximum aging time:
C3(su)->clear spantree maxage
set spantree fwddelay
Use this command to set the Spanning Tree forward delay.
Syntax
set spantree fwddelay delay
Parameters
delay    Specifies the number of seconds for the bridge forward delay. Valid values
         are 4-30.
Defaults
None.
Mode
Switch command, read-write.
Usage
The forward delay is the maximum time (in seconds) the root device will wait before changing
states (i.e., listening to learning to forwarding). This delay is required because every device must
receive information about topology changes before it starts to forward frames. In addition, each
port needs time to listen for conflicting information that would make it return to a blocking state;
otherwise, temporary data loops might result.
Example
This example shows how to globally set the bridge forward delay to 16 seconds:
C3(su)->set spantree fwddelay 16
clear spantree fwddelay
Use this command to reset the Spanning Tree forward delay to the default setting of 15 seconds.
Syntax
clear spantree fwddelay
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to globally reset the bridge forward delay:
C3(su)->clear spantree fwddelay
show spantree backuproot
Use this command to display the backup root status for an MST instance.
Syntax
show spantree backuproot [sid]
Parameters
sid    (Optional) Display backup root status for a specific Spanning Tree
       identifier. Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If a SID is not specified, then status will be shown for Spanning Tree instance 0.
Mode
Switch command, read-only.
Example
This example shows how to display the status of the backup root function on SID 0:
C3(rw)->show spantree backuproot
Backup root is set to disable on sid 0
set spantree backuproot
Use this command to enable or disable the Spanning Tree backup root function on the switch.
Syntax
set spantree backuproot sid {disable | enable}
Parameters
sid                 Specifies the Spanning Tree instance on which to enable or disable the
                    backup root function. Valid values are 0-4094.
disable | enable    Enables or disables the backup root function.
Defaults
None.
Mode
Switch command, read-write.
Usage
The Spanning Tree backup root function is disabled by default on the SecureStack C3. When this
feature is enabled and the switch is directly connected to the root bridge, stale Spanning Tree
information is prevented from circulating if the root bridge is lost. If the root bridge is lost, the
backup root will dynamically lower its bridge priority so that it will be selected as the new root
over the lost root bridge.
Example
This example shows how to enable the backup root function on SID 2:
C3(rw)->set spantree backuproot 2 enable
clear spantree backuproot
Use this command to reset the Spanning Tree backup root function to the default state of disabled.
Syntax
clear spantree backuproot sid
Parameters
sid    Specifies the Spanning Tree on which to clear the backup root
       function. Valid values are 0-4094.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the backup root function to disabled on SID 2:
C3(rw)->clear spantree backuproot 2
show spantree tctrapsuppress
Use this command to display the status of topology change trap suppression on Rapid Spanning
Tree edge ports.
Syntax
show spantree tctrapsuppress
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the status of topology change trap suppression:
C3(rw)->show spantree tctrapsuppress
Topology change Trap Suppression is set to enabled
set spantree tctrapsuppress
Use this command to disable or enable topology change trap suppression on Rapid Spanning Tree
edge ports.
Syntax
set spantree tctrapsuppress {disable | enable}
Parameters
disable | enable    Disables or enables topology change trap suppression.
Defaults
None.
Mode
Switch command, read-write.
Usage
By default, RSTP non-edge (bridge) ports that transition to forwarding or blocking cause the
switch to issue a topology change trap. When topology change trap suppression is enabled, which
is the device default, edge ports (such as end station PCs) are prevented from sending topology
change traps. This is because there is usually no need for network management to monitor edge
port STP transition states, such as when PCs are powered on. When topology change trap
suppression is disabled, all ports, including edge and bridge ports, will transmit topology change
traps.
Example
This example shows how to allow Rapid Spanning Tree edge ports to transmit topology change
traps:
C3(rw)->set spantree tctrapsuppress disable
clear spantree tctrapsuppress
Use this command to clear the status of topology change trap suppression on Rapid Spanning Tree
edge ports to the default state of enabled (edge port topology changes do not generate traps).
Syntax
clear spantree tctrapsuppress
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear topology change trap suppression setting:
C3(rw)->clear spantree tctrapsuppress
set spantree protomigration
Use this command to reset the protocol state migration machine for one or more Spanning Tree
ports. When operating in RSTP mode, this forces a port to transmit MSTP BPDUs.
Syntax
set spantree protomigration <port-string>
Parameters
port-string    Reset the protocol state migration machine for specific port(s). For a
               detailed description of possible port-string values, refer to "Port String
               Syntax Used in the CLI" on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the protocol state migration machine on port 20:
C3(su)->set spantree protomigration ge.1.20
show spantree spanguard
Use this command to display the status of the Spanning Tree SpanGuard function.
Syntax
show spantree spanguard
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the SpanGuard function status:
C3(su)->show spantree spanguard
Spanguard is disabled
set spantree spanguard
Use this command to enable or disable the Spanning Tree SpanGuard function.
Syntax
set spantree spanguard {enable | disable}
Parameters
enable | disable    Enables or disables the SpanGuard function.
Defaults
None.
Mode
Switch command, read-write.
Usage
SpanGuard is designed to disable, or lock out, an edge port when an unexpected BPDU is received. The port can be configured to be re-enabled after a set time period, or only after manual intervention.
A port can be defined as an edge (user) port using the set spantree adminedge command, described in "set spantree adminedge" on page 9-40. A port designated as an edge port is expected to be connected to a workstation or other end-user type of device, and not to another switch in the network. When SpanGuard is enabled, if a non-loopback BPDU is received on an edge port, the Spanning Tree state of that port will be changed to "blocking" and will no longer forward traffic. The port will remain disabled until the amount of time defined by set spantree spanguardtimeout ("set spantree spanguardtimeout" on page 9-27) has passed since the last seen BPDU, the port is manually unlocked (set or clear spantree spanguardlock, "clear / set spantree spanguardlock" on page 9-29), the configuration of the port is changed so it is no longer an edge port, or the SpanGuard function is disabled.
SpanGuard is enabled and disabled only on a global basis (across the stack, if applicable). By default, SpanGuard is disabled and SpanGuard traps are enabled.
Example
This example shows how to enable the SpanGuard function:
C3(rw)->set spantree spanguard enable
clear spantree spanguard
Use this command to reset the status of the Spanning Tree SpanGuard function to disabled.
Syntax
clear spantree spanguard
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the status of the SpanGuard function to disabled:
C3(rw)->clear spantree spanguard
show spantree spanguardtimeout
Use this command to display the Spanning Tree SpanGuard timeout setting.
Syntax
show spantree spanguardtimeout
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the SpanGuard timeout setting:
C3(su)->show spantree spanguardtimeout
Spanguard timeout: 300
set spantree spanguardtimeout
Use this command to set the amount of time (in seconds) an edge port will remain locked by the SpanGuard function.
Syntax
set spantree spanguardtimeout timeout
Parameters
timeout    Specifies a timeout value in seconds. Valid values are 0 to 65535. A value of 0 will keep the port locked until manually unlocked. The default value is 300 seconds.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the SpanGuard timeout to 600 seconds:
C3(su)->set spantree spanguardtimeout 600
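The SpanGuard lock and unlock conditions described above, modeled as an added Python example (not Enterasys code). The class and function names are hypothetical; the defaults, the timeout measured from the last seen BPDU, and the unlock conditions come from the SpanGuard Usage text and the timeout parameter.

```python
from dataclasses import dataclass, field


@dataclass
class EdgePort:
    name: str
    admin_edge: bool = True     # set spantree adminedge <port-string> true
    locked: bool = False
    last_bpdu: float = 0.0      # time of the last BPDU seen, in seconds


@dataclass
class SpanGuard:
    enabled: bool = False       # guide: SpanGuard is disabled by default
    timeout: int = 300          # guide: default 300 s, 0 = manual unlock only
    traps_enabled: bool = True  # guide: SpanGuard traps are enabled by default
    traps: list = field(default_factory=list)

    def is_locked(self, port, now):
        """Apply the unlock conditions from the Usage text, then report state."""
        if port.locked:
            expired = self.timeout > 0 and now - port.last_bpdu >= self.timeout
            if not self.enabled or not port.admin_edge or expired:
                port.locked = False
        return port.locked

    def receive_bpdu(self, port, now, loopback=False):
        """Lock an edge port that receives a non-loopback BPDU."""
        self.is_locked(port, now)          # release an expired lock first
        if not self.enabled or not port.admin_edge or loopback:
            return
        port.last_bpdu = now               # each BPDU restarts the timeout
        if not port.locked:
            port.locked = True
            if self.traps_enabled:
                self.traps.append((now, port.name))

    def manual_unlock(self, port):
        """Models clear / set spantree spanguardlock <port-string>."""
        port.locked = False


def lock_timeline(timeout, bpdu_times, probe_times):
    """Return [(t, locked)] at each probe time for one edge port."""
    guard = SpanGuard(enabled=True, timeout=timeout)
    port = EdgePort("ge.1.16")
    events = sorted([(t, "bpdu") for t in bpdu_times] +
                    [(t, "probe") for t in probe_times])
    result = []
    for t, kind in events:
        if kind == "bpdu":
            guard.receive_bpdu(port, t)
        else:
            result.append((t, guard.is_locked(port, t)))
    return result


if __name__ == "__main__":
    # Constructed scenario: BPDUs at t=0 and t=200 with the default timeout.
    print(lock_timeline(300, [0, 200], [100, 400, 499, 500]))
    # With timeout 0 the port stays locked until it is manually unlocked.
    print(lock_timeline(0, [0], [100000]))
```

Because the timeout runs from the last seen BPDU, a device that keeps sending BPDUs into an edge port keeps that port locked for as long as it keeps sending.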
clear spantree spanguardtimeout
Use this command to reset the Spanning Tree SpanGuard timeout to the default value of 300 seconds.
Syntax
clear spantree spanguardtimeout
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the SpanGuard timeout to 300 seconds:
C3(rw)->clear spantree spanguardtimeout
show spantree spanguardlock
Use this command to display the SpanGuard lock status of one or more ports.
Syntax
show spantree spanguardlock [port-string]
Parameters
port-string    (Optional) Specifies the port(s) for which to show SpanGuard lock status. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If no port-string is specified, the SpanGuard lock status for all ports is displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the SpanGuard lock status for ge.1.1:
C3(su)->show spantree spanguardlock ge.1.1
Port ge.1.1 is Unlocked
clear / set spantree spanguardlock
Use either of these commands to unlock one or more ports locked by the Spanning Tree SpanGuard function. When SpanGuard is enabled, it locks ports that receive BPDUs when those ports have been defined as edge (user) ports (as described in "set spantree adminedge" on page 9-40).
Syntax
clear spantree spanguardlock port-string
set spantree spanguardlock port-string
Parameters
port-string    Specifies port(s) to unlock. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to unlock port ge.1.16:
C3(rw)->clear spantree spanguardlock ge.1.16
show spantree spanguardtrapenable
Use this command to display the state of the Spanning Tree SpanGuard trap function.
Syntax
show spantree spanguardtrapenable
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the state of the SpanGuard trap function:
C3(ro)->show spantree spanguardtrapenable
Spanguard SNMP traps are enabled
set spantree spanguardtrapenable
Use this command to enable or disable the sending of an SNMP trap message when SpanGuard has locked a port.
Syntax
set spantree spanguardtrapenable {disable | enable}
Parameters
disable | enable    Disables or enables sending SpanGuard traps. By default, sending traps is enabled.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable the SpanGuard trap function:
C3(su)->set spantree spanguardtrapenable disable
clear spantree spanguardtrapenable
Use this command to reset the Spanning Tree SpanGuard trap function back to the default state of enabled.
Syntax
clear spantree spanguardtrapenable
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the SpanGuard trap function to enabled:
C3(rw)->clear spantree spanguardtrapenable
show spantree legacypathcost
Use this command to display the default Spanning Tree path cost setting.
Syntax
show spantree legacypathcost
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the default Spanning Tree path cost setting.
C3(su)->show spantree legacypathcost
Legacy Path Cost is disabled.
set spantree legacypathcost
Use this command to enable or disable legacy (802.1D) path cost values.
Syntax
set spantree legacypathcost {disable | enable}
Parameters
disable    Use 802.1t-2001 values to calculate path cost.
enable     Use 802.1d-1998 values to calculate path cost.
Defaults
None.
Mode
Switch command, read-write.
Usage
By default, legacy path cost is disabled. Enabling the device to calculate legacy path costs affects the range of valid values that can be entered in the set spantree adminpathcost command.
Example
This example shows how to set the default path cost values to 802.1D.
C3(rw)->set spantree legacypathcost enable
clear spantree legacypathcost
Use this command to set the Spanning Tree default value for legacy path cost to 802.1t values.
Syntax
clear spantree legacypathcost
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears the legacy path cost to 802.1t values.
C3(rw)->clear spantree legacypathcost
show spantree autoedge
Use this command to display the status of automatic edge port detection.
Syntax
show spantree autoedge
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the status of the automatic edge port detection function:
C3(rw)->show spantree autoedge
autoEdge is currently enabled.
set spantree autoedge
Use this command to enable or disable the automatic edge port detection function.
Syntax
set spantree autoedge {disable | enable}
Parameters
disable | enable    Disables or enables automatic edge port detection.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable automatic edge port detection:
C3(rw)->set spantree autoedge disable
clear spantree autoedge
Use this command to reset automatic edge port detection to the default state of enabled.
Syntax
clear spantree autoedge
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset automatic edge port detection to enabled:
C3(rw)->clear spantree autoedge
Configuring Spanning Tree Port Parameters
Purpose
To display and set Spanning Tree port parameters.
Commands
For information about...          Refer to page...
set spantree portadmin            9-34
clear spantree portadmin          9-35
show spantree portadmin           9-35
show spantree portpri             9-36
set spantree portpri              9-36
clear spantree portpri            9-37
show spantree adminpathcost       9-38
set spantree adminpathcost        9-38
clear spantree adminpathcost      9-39
show spantree adminedge           9-39
set spantree adminedge            9-39
clear spantree adminedge          9-40
show spantree operedge            9-41
set spantree portadmin
Use this command to disable or enable the Spanning Tree algorithm on one or more ports.
Syntax
set spantree portadmin port-string {disable | enable}
Parameters
port-string         Specifies the port(s) for which to enable or disable Spanning Tree. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
disable | enable    Disables or enables Spanning Tree.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable Spanning Tree on ge.1.5:
C3(rw)->set spantree portadmin ge.1.5 disable
clear spantree portadmin
Use this command to reset the default Spanning Tree admin status to enable on one or more ports.
Syntax
clear spantree portadmin port-string
Parameters
port-string    Resets the default admin status on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the default Spanning Tree admin state to enable on ge.1.12:
C3(rw)->clear spantree portadmin ge.1.12
show spantree portadmin
Use this command to display the status of the Spanning Tree algorithm on one or more ports.
Syntax
show spantree portadmin [port port-string]
Parameters
port port-string    (Optional) Displays status for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, status will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display port admin status for ge.1.1:
C3(ro)->show spantree portadmin port ge.1.1
Port ge.1.1 has portadmin set to enabled
show spantree portpri
Use this command to show the Spanning Tree priority for one or more ports. Port priority is a component of the port ID, which is one element used in determining Spanning Tree port roles.
Syntax
show spantree portpri [port port-string] [sid sid]
Parameters
port port-string    (Optional) Specifies the port(s) for which to display Spanning Tree priority. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
sid sid             (Optional) Displays port priority for a specific Spanning Tree identifier. Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If port-string is not specified, port priority will be displayed for all Spanning Tree ports.
If sid is not specified, port priority will be displayed for Spanning Tree 0.
Mode
Switch command, read-only.
Example
This example shows how to display the port priority for ge.2.7:
C3(su)->show spantree portpri port ge.2.7
Port ge.2.7 has a Port Priority of 128 on SID 0
set spantree portpri
Use this command to set a port's Spanning Tree priority.
Syntax
set spantree portpri port-string priority [sid sid]
Parameters
port-string    Specifies the port(s) for which to set Spanning Tree port priority. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
priority       Specifies a number that represents the priority of a link in a Spanning Tree bridge. Valid values are from 0 to 240 (in increments of 16) with 0 indicating high priority.
sid sid        (Optional) Sets port priority for a specific Spanning Tree identifier. Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If sid is not specified, port priority will be set for Spanning Tree 0.
Mode
Switch command, read-write.
Example
This example shows how to set the priority of ge.1.3 to 240 on SID 1:
C3(su)->set spantree portpri ge.1.3 240 sid 1
clear spantree portpri
Use this command to reset the bridge priority of a Spanning Tree port to a default value of 128.
Syntax
clear spantree portpri port-string [sid sid]
Parameters
port-string    Specifies the port(s) for which to set Spanning Tree port priority. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
sid sid        (Optional) Resets the port priority for a specific Spanning Tree identifier. Valid values are 0-4094. If not specified, SID 0 will be assumed.
Defaults
If sid is not specified, port priority will be set for Spanning Tree 0.
Mode
Switch command, read-write.
Example
This example shows how to reset the priority of ge.1.3 to 128 on SID 1:
C3(su)->clear spantree portpri ge.1.3 sid 1
show spantree adminpathcost
Use this command to display the admin path cost for a port on one or more Spanning Trees.
Syntax
show spantree adminpathcost [port port-string] [sid sid]
Parameters
port port-string    (Optional) Displays the admin path cost value for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
sid sid             (Optional) Displays the admin path cost for a specific Spanning Tree identifier. Valid values are 0-4094. If not specified, SID 0 will be assumed.
Defaults
If port-string is not specified, admin path cost for all Spanning Tree ports will be displayed.
If sid is not specified, admin path cost for Spanning Tree 0 will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the admin path cost for ge.3.4 on SID 1:
C3(su)->show spantree adminpathcost port ge.3.4 sid 1
Port ge.3.4 has a Port Admin Path Cost of 0 on SID 1
set spantree adminpathcost
Use this command to set the administrative path cost on a port and one or more Spanning Trees.
Syntax
set spantree adminpathcost port-string cost [sid sid]
Parameters
port-string    Specifies the port(s) on which to set an admin path cost. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
cost           Specifies the port path cost. Valid values are 0-200000000.
sid sid        (Optional) Sets the admin path cost for a specific Spanning Tree identifier. Valid values are 0-4094. If not specified, SID 0 will be assumed.
Defaults
If sid is not specified, admin path cost will be set for Spanning Tree 0.
Mode
Switch command, read-write.
Example
This example shows how to set the admin path cost to 200 for ge.3.2 on SID 1:
C3(su)->set spantree adminpathcost ge.3.2 200 sid 1
clear spantree adminpathcost
Use this command to reset the Spanning Tree default value for port admin path cost to 0.
Syntax
clear spantree adminpathcost port-string [sid sid]
Parameters
port-string    Specifies the port(s) for which to reset admin path cost. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
sid sid        (Optional) Resets the admin path cost for specific Spanning Tree(s). Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If sid is not specified, admin path cost will be reset for Spanning Tree 0.
Mode
Switch command, read-write.
Example
This example shows how to reset the admin path cost to 0 for ge.3.2 on SID 1:
C3(su)->clear spantree adminpathcost ge.3.2 sid 1
show spantree adminedge
Use this command to display the edge port administrative status for a port.
Syntax
show spantree adminedge [port port-string]
Parameters
port-string    (Optional) Displays edge port administrative status for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, edge port administrative status will be displayed for all Spanning Tree ports.
Mode
Switch command, read-only.
Example
This example shows how to display the edge port status for ge.3.2:
C3(su)->show spantree adminedge port ge.3.2
Port ge.3.2 has a Port Admin Edge of Edge-Port
set spantree adminedge
Use this command to set the edge port administrative status on a Spanning Tree port.
Syntax
set spantree adminedge port-string {true | false}
Parameters
port-string     Specifies the edge port. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
true | false    Enables (true) or disables (false) the specified port as a Spanning Tree edge port.
Defaults
None.
Mode
Switch command, read-write.
Usage
The default behavior of the edge port administrative status begins with the value set to false initially after the device is powered up. If a Spanning Tree BPDU is not received on the port within a few seconds, the status setting changes to true.
Example
This example shows how to set ge.1.11 as an edge port:
C3(su)->set spantree adminedge ge.1.11 true
clear spantree adminedge
Use this command to reset a Spanning Tree port to non-edge status.
Syntax
clear spantree adminedge port-string
Parameters
port-string    Specifies port(s) on which to reset edge port status. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset ge.1.11 as a non-edge port:
C3(su)->clear spantree adminedge ge.1.11
show spantree operedge
Use this command to display the Spanning Tree edge port operating status for a port.
Syntax
show spantree operedge [port port-string]
Parameters
port port-string    Displays edge port operating status for specific port(s).
Defaults
If port-string is not specified, edge port operating status will be displayed for all Spanning Tree ports.
Mode
Switch command, read-only.
Example
This example shows how to display the edge port status for ge.2.7:
C3(rw)->show spantree operedge port ge.2.7
Port ge.2.7 has a Port Oper Edge of Edge-Port
Configuring Spanning Tree Loop Protect Parameters
Purpose
To display and set Spanning Tree Loop Protect parameters, including the global parameters of Loop Protect threshold, window, enabling traps, and disputed BPDU threshold, as well as per-port and port/SID parameters. See "Loop Protect" on page 9-2 for more information about the Loop Protect feature.
Commands
For information about...                  Refer to page...
set spantree lp                           9-43
show spantree lp                          9-43
clear spantree lp                         9-44
show spantree lplock                      9-44
clear spantree lplock                     9-45
set spantree lpcapablepartner             9-46
show spantree lpcapablepartner            9-46
clear spantree lpcapablepartner           9-47
set spantree lpthreshold                  9-47
show spantree lpthreshold                 9-48
clear spantree lpthreshold                9-48
set spantree lpwindow                     9-49
show spantree lpwindow                    9-49
clear spantree lpwindow                   9-50
set spantree lptrapenable                 9-50
show spantree lptrapenable                9-51
clear spantree lptrapenable               9-51
set spantree disputedbpduthreshold        9-52
show spantree disputedbpduthreshold       9-53
clear spantree disputedbpduthreshold      9-53
show spantree nonforwardingreason         9-54
set spantree lp
Use this command to enable or disable the Loop Protect feature per port and optionally, per SID. The Loop Protect feature is disabled by default. See "Loop Protect" on page 9-2 for more information.
Syntax
set spantree lp port-string {enable | disable} [sid sid]
Parameters
port-string         Specifies port(s) on which to enable or disable the Loop Protect feature.
enable | disable    Enables or disables the feature on the specified port.
sid sid             (Optional) Enables or disables the feature for specific Spanning Tree(s). Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If no SID is specified, SID 0 is assumed.
Mode
Switch command, read-write.
Usage
Loop Protect takes precedence over per-port STP enable/disable (portAdmin). Normally portAdmin disabled would cause a port to go immediately to forwarding. If Loop Protect is enabled, that port should go to listening and remain there.
Note: The Loop Protect enable/disable settings for an MSTI port should match those for the CIST port.
Example
This example shows how to enable Loop Protect on ge.2.3:
C3(su)->set spantree lp ge.1.11 enable
show spantree lp
Use this command to display the Loop Protect status per port and/or per SID.
Syntax
show spantree lp [port port-string] [sid sid]
Parameters
port-string    (Optional) Specifies port(s) for which to display the Loop Protect feature status.
sid sid        (Optional) Specifies the specific Spanning Tree(s) for which to display the Loop Protect feature status. Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If no port-string is specified, status is displayed for all ports.
If no SID is specified, SID 0 is assumed.
Mode
Switch command, read-only.
Example
This example shows how to display Loop Protect status on ge.2.3:
C3(su)->show spantree lp port ge.2.3
LoopProtect is disabled on port ge.2.3 , SI
clear spantree lp
Use this command to return the Loop Protect status per port and optionally, per SID, to its default state of disabled.
Syntax
clear spantree lp port-string [sid sid]
Parameters
port-string    Specifies port(s) for which to clear the Loop Protect feature status.
sid sid        (Optional) Specifies the specific Spanning Tree(s) for which to clear the Loop Protect feature status. Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If no SID is specified, SID 0 is assumed.
Mode
Switch command, read-write.
Example
This example shows how to return the Loop Protect state on ge.2.3 to disabled:
C3(rw)->clear spantree lp port ge.2.3
show spantree lplock
Use this command to display the Loop Protect lock status per port and/or per SID. A port can become locked if a configured number of Loop Protect events occur during the configured window of time. See the set spantree lpthreshold and set spantree lpwindow commands. Once a port is forced into blocking (locked), it remains locked until manually unlocked with the clear spantree lplock command.
Syntax
show spantree lplock [port port-string] [sid sid]
Parameters
port-string    (Optional) Specifies port(s) for which to display the Loop Protect lock status.
sid sid        (Optional) Specifies the specific Spanning Tree(s) for which to display the Loop Protect lock status. Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If no port-string is specified, status is displayed for all ports.
If no SID is specified, SID 0 is assumed.
Mode
Switch command, read-only.
Example
This example shows how to display Loop Protect lock status on ge.1.1:
C3(rw)->show spantree lplock port ge.1.1
The LoopProtect lock status for port ge.1.1 , SID 0 is UNLOCKED
clear spantree lplock
Use this command to manually unlock a blocked port and optionally, per SID. The default state is unlocked.
Syntax
clear spantree lplock port-string [sid sid]
Parameters
port-string    Specifies port(s) for which to clear the Loop Protect lock.
sid sid        (Optional) Specifies the specific Spanning Tree(s) for which to clear the Loop Protect lock. Valid values are 0-4094. If not specified, SID 0 is assumed.
Defaults
If no SID is specified, SID 0 is assumed.
Mode
Switch command, read-only.
Example
This example shows how to clear Loop Protect lock from ge.1.1:
C3(rw)->show spantree lplock port ge.1.1
The LoopProtect lock status for port ge.1.1 , SID 0 is LOCKED
C3(rw)->clear spantree lplock ge.1.1
C3(rw)->show spantree lplock port ge.1.1
The LoopProtect lock status for port ge.1.1 , SID 0 is UNLOCKED
set spantree lpcapablepartner
Use this command to specify per port whether the link partner is Loop Protect capable. See "Loop Protect" on page 9-2 for more information.
Syntax
set spantree lpcapablepartner port-string {true | false}
Parameters
port-string     Specifies port(s) for which to configure a Loop Protect capable link partner.
true | false    Specifies whether the link partner is capable (true) or not (false).
Defaults
None.
Mode
Switch command, read-write.
Usage
The default value for Loop Protect capable partner is false. If the port is configured with a Loop Protect capable partner (true), then the full functionality of the Loop Protect feature is used. If the value is false, then there is some ambiguity as to whether an Active Partner timeout is due to a loop protection event or is a normal situation due to the fact that the partner port does not transmit Alternate Agreement BPDUs. Therefore, a conservative approach is taken in that designated ports will not be allowed to forward unless receiving agreements from a port with root role.
This type of timeout will not be considered a loop protection event. Loop protection is maintained by keeping the port from forwarding but since this is not considered a loop event it will not be factored into locking the port.
Example
This example shows how to set the Loop Protect capable partner to true for ge.1.1:
C3(rw)->set spantree lpcapablepartner ge.1.1 true
show spantree lpcapablepartner
Use this command to display the Loop Protect capability of a link partner for one or more ports.
Syntax
show spantree lpcapablepartner [port port-string]
Parameters
port-string    (Optional) Specifies port(s) for which to display Loop Protect capability for its link partner.
Defaults
If no port-string is specified, Loop Protect capability for link partners is displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display the Loop Protect partner capability for ge.1.1:
C3(rw)->show spantree lpcapablepartner port ge.1.1
Link partner of port ge.1.1 is not LoopProtect-capable
clear spantree lpcapablepartner
Use this command to reset the Loop Protect capability of port link partners to the default state of false.
Syntax
clear spantree lpcapablepartner port-string
Parameters
port-string    Specifies port(s) for which to clear their link partners' Loop Protect capability (reset to false).
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the Loop Protect partner capability for ge.1.1:
C3(rw)->clear spantree lpcapablepartner ge.1.1
set spantree lpthreshold
Use this command to set the Loop Protect event threshold.
Syntax
set spantree lpthreshold value
Parameters
value    Specifies the number of events that must occur during the event window in order to lock a port/SID. The default value is 3 events. A threshold of 0 specifies that ports will never be locked.
Defaults
None. The default event threshold is 3.
Mode
Switch command, read-write.
Usage
The Loop Protect event threshold is a global integer variable that provides protection in the case of intermittent failures. The default value is 3. If the event counter reaches the threshold within a given period (the event window), then the port, for the given SID, becomes locked (that is, held indefinitely in the blocking state). If the threshold is 0, the ports are never locked.
Example
This example shows how to set the Loop Protect threshold value to 4:
C3(rw)->set spantree lpthreshold 4
show spantree lpthreshold
Use this command to display the current value of the Loop Protect event threshold.
Syntax
show spantree lpthreshold
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the current Loop Protect threshold value:
C3(rw)->show spantree lpthreshold
The Loop Protect event threshold value is 4
clear spantree lpthreshold
Use this command to return the Loop Protect event threshold to its default value of 3.
Syntax
clear spantree lpthreshold
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the Loop Protect event threshold to the default of 3:
C3(rw)->clear spantree lpthreshold
set spantree lpwindow
Use this command to set the Loop Protect event window value in seconds.
Syntax
set spantree lpwindow value
Parameters
value    Specifies the number of seconds that comprise the period during which Loop Protect events are counted. The default event window is 180 seconds.
Defaults
None.
Mode
Switch command, read-write.
Usage
The Loop Protect Window is a timer value, in seconds, that defines a period during which Loop Protect events are counted. The default value is 180 seconds. If the timer is set to 0, the event counter is not reset until the Loop Protect event threshold is reached. If the threshold is reached, that constitutes a loop protection event.
Example
This example shows how to set the Loop Protect event window to 120 seconds:
C3(rw)->set spantree lpwindow 120
show spantree lpwindow
Use this command to display the current Loop Protect event window value.
Syntax
show spantree lpwindow
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the current Loop Protect window value:
C3(rw)->show spantree lpwindow
The Loop Protect event window is set to 120 seconds
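How the Loop Protect event threshold and event window interact to lock a port/SID, as an added Python example (not Enterasys code). The class and function names are hypothetical, and the code assumes the window timer starts at the first counted event and that the counter resets when the window runs out; the guide does not spell out the timer mechanics.

```python
class LoopProtectCounter:
    """Per-port/SID event counter driven by the global threshold and window."""

    def __init__(self, threshold=3, window=180):
        self.threshold = threshold   # guide default: 3 events, 0 = never lock
        self.window = window         # guide default: 180 s, 0 = never reset
        self.count = 0
        self.window_start = None
        self.locked = False

    def record_event(self, now):
        """Count one Loop Protect event at time `now`; return the lock state."""
        if self.locked:
            return True
        # Assumption: the window starts at the first counted event and the
        # counter is reset once that window has run out.
        if (self.window > 0 and self.window_start is not None
                and now - self.window_start >= self.window):
            self.count = 0
            self.window_start = None
        if self.window_start is None:
            self.window_start = now
        self.count += 1
        if self.threshold > 0 and self.count >= self.threshold:
            self.locked = True       # held in blocking until manually cleared
        return self.locked

    def clear_lock(self):
        """Models clear spantree lplock, the only exit from the locked state."""
        self.locked = False
        self.count = 0
        self.window_start = None


def locks_after(event_times, threshold=3, window=180):
    """Return the time at which the port/SID locks, or None if it never does."""
    counter = LoopProtectCounter(threshold, window)
    for t in event_times:
        if counter.record_event(t):
            return t
    return None


if __name__ == "__main__":
    # Constructed event times, in seconds.
    print(locks_after([0, 60, 120]))               # three events inside 180 s
    print(locks_after([0, 100, 200]))              # third event misses the window
    print(locks_after([0, 1000, 5000], window=0))  # window 0: count never resets
    print(locks_after([0, 60, 120], threshold=0))  # threshold 0: never locks
```

With a window of 0, widely spaced intermittent events still accumulate toward a lock, so a port can lock long after the first event.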
clear spantree lpwindow
Use this command to reset the Loop Protect event window to the default value of 180 seconds.
Syntax
clear spantree lpwindow
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the Loop Protect event window to the default of 180 seconds:
C3(rw)->clear spantree lpwindow
set spantree lptrapenable
Use this command to enable or disable Loop Protect event notification.
Syntax
set spantree lptrapenable {enable | disable}
Parameters
enable | disable    Enables or disables the sending of Loop Protect traps. Default is disabled.
Defaults
None.
Mode
Switch command, read-write.
Usage
Loop Protect traps are sent when a Loop Protect event occurs, that is, when a port goes to listening due to not receiving BPDUs. The trap indicates port, SID and loop protection status.
Example
This example shows how to enable sending of Loop Protect traps:
C3(rw)->set spantree lptrapenable enable
show spantree lptrapenable
Use this command to display the current status of Loop Protect event notification.
Syntax
show spantree lptrapenable
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the current Loop Protect event notification status:
C3(rw)->show spantree lptrapenable
The Loop Protect event notification status is enable
clear spantree lptrapenable
Use this command to return the Loop Protect event notification state to its default state of disabled.
Syntax
clear spantree lptrapenable
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the Loop Protect event notification state to the default of disabled.
C3(rw)->clear spantree lptrapenable
set spantree disputedbpduthreshold
Use this command to set the disputed BPDU threshold, which is the number of disputed BPDUs that must be received on a given port/SID until a disputed BPDU trap is sent.
Syntax
set spantree disputedbpduthreshold value
Parameters
value    Specifies the number of disputed BPDUs that must be received on a given port/SID to cause a disputed BPDU trap to be sent. A threshold of 0 indicates that traps should not be sent. The default value is 0.
Defaults
None.
Mode
Switch command, read-write.
Usage
A disputed BPDU is one in which the flags field indicates a designated role and learning, and the priority vector is worse than that already held by the port. If a disputed BPDU is received the port is forced to the listening state. Refer to the 802.1Q-2005 standard, IEEE Standard for Local and Metropolitan Area Networks - Virtual Bridged Local Area Networks, for a full description of the dispute mechanism, which prevents looping in cases of one-way communication.
The disputed BPDU threshold is an integer variable that represents the number of disputed BPDUs that must be received on a given port/SID until a disputed BPDU trap is sent and a syslog message is issued. For example, if the threshold is 10, then a trap is issued when 10, 20, 30, and so on, disputed BPDUs have been received.
If the value is 0, traps are not sent. The trap indicates port, SID and total Disputed BPDU count. The default is 0.
Example
This example shows how to set the disputed BPDU threshold value to 5:
C3(rw)->set spantree disputedbpduthreshold 5
show spantree disputedbpduthreshold
Use this command to display the current value of the disputed BPDU threshold.
Syntax
show spantree disputedbpduthreshold
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the current disputed BPDU threshold:
C3(rw)->show spantree disputedbpduthreshold
The disputed BPDU threshold value is 0
clear spantree disputedbpduthreshold
Use this command to return the disputed BPDU threshold to its default value of 0, meaning that disputed BPDU traps should not be sent.
Syntax
clear spantree disputedbpduthreshold
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the disputed BPDU threshold to the default of 0:
C3(rw)->clear spantree disputedbpduthreshold
show spantree nonforwardingreason
Use this command to display the reason for placing a port in a non-forwarding state due to an exceptional condition.
Syntax
show spantree nonforwardingreason port-string [sid sid]
Parameters
port-string    Specifies port(s) for which to display the non-forwarding reason.
sid sid        (Optional) Specifies the specific Spanning Tree(s) for which to display the non-forwarding reason. Valid values are 0 - 4094. If not specified, SID 0 is assumed.
Defaults
If no port-string is specified, non-forwarding reason is displayed for all ports.
If no SID is specified, SID 0 is assumed.
Mode
Switch command, read-only.
Usage
Exceptional conditions causing a port to be placed in listening or blocking state include a Loop Protect event, receipt of disputed BPDUs, and loopback detection.
Example
This example shows how to display the non-forwarding reason on ge.1.1:
C3(rw)->show spantree nonforwardingreason port ge.1.1
The non-forwarding reason for port ge.1.1 on SID 0 is None
10
802.1Q VLAN Configuration
This chapter describes the SecureStack C3 system's capabilities to implement 802.1Q virtual LANs (VLANs).
Note: An Enterasys Networks Feature Guide document containing an in-depth discussion of VLAN configuration is located on the Enterasys Networks web site: http://www.enterasys.com/support/manuals/
For information about...                                       Refer to page...
VLAN Configuration Summary                                     10-1
Viewing VLANs                                                  10-3
Creating and Naming Static VLANs                               10-5
Assigning Port VLAN IDs (PVIDs) and Ingress Filtering          10-8
Configuring the VLAN Egress List                               10-13
Setting the Host VLAN                                          10-18
Enabling/Disabling GVRP (GARP VLAN Registration Protocol)      10-20
VLAN Configuration Summary
Virtual LANs allow the network administrator to partition network traffic into logical groups and control the flow of that traffic through the network. Once the traffic and, in effect, the users creating the traffic, are assigned to a VLAN, then broadcast and multicast traffic is contained within the VLAN and users can be allowed or denied access to any of the network's resources.
Also, some or all of the ports on the device can be configured as GVRP ports, which enable frames received with a particular VLAN ID and protocol to be transmitted on a limited number of ports. This keeps the traffic associated with a particular VLAN and protocol isolated from the other parts of the network.
Note: The device can support up to 1024 802.1Q VLANs. The allowable range for VLAN IDs is 1 to 4093. As a default, all ports on the device are assigned to VLAN ID 1, untagged.
Port String Syntax Used in the CLI
For information on how to designate VLANs and port numbers in the CLI syntax, refer to "Port String Syntax Used in the CLI" on page 7-1.
Creating a Secure Management VLAN
By default at startup, there is one VLAN configured on the SecureStack C3 device. It is VLAN ID 1, the DEFAULT VLAN. The default community name, which determines remote access for SNMP management, is set to "public" with read-write access.
If the SecureStack C3 device is to be configured for multiple VLANs, it may be desirable to configure a management-only VLAN. This allows a station connected to the management VLAN to manage the device. It also makes management secure by preventing configuration via ports assigned to other VLANs.
To create a secure management VLAN, you must:
Step  Task                                                                         Refer to page...
1.    Create a new VLAN.                                                           10-5
2.    Set the PVID for the desired switch port to the VLAN created in Step 1.      10-9
3.    Add the desired switch port to the egress list for the VLAN created in       10-15
      Step 1.
4.    Assign host status to the VLAN.                                              10-18
5.    Set a private community name and access policy.                              8-14
The commands used to create a secure management VLAN are listed in Table 10-1. This example assumes the management station is attached to ge.1.1 and wants untagged frames.
The process described here would be repeated on every device that is connected in the network to ensure that each device has a secure management VLAN.
Table 10-1 Command Set for Creating a Secure Management VLAN
To do this...                                       Use these commands...
Create a new VLAN and confirm settings.             set vlan create 2 ("set vlan" on page 10-5)
                                                    (Optional) show vlan 2 ("show vlan" on page 10-3)
Set the PVID to the new VLAN.                       set port vlan ge.1.1 2 ("set port vlan" on page 10-9)
Add the port to the new VLAN's egress list.         set vlan egress 2 ge.1.1 untagged ("set vlan egress" on page 10-15)
Remove the port from the default VLAN's             clear vlan egress 1 ge.1.1 ("clear vlan egress" on page 10-15)
egress list.
Assign host status to the VLAN.                     set host vlan 2 ("set host vlan" on page 10-18)
Set a private community name and access             set snmp community private ("set snmp community" on page 8-14)
policy and confirm settings.                        (Optional) show snmp community ("show snmp community" on page 8-13)
Viewing VLANs
Purpose
To display a list of VLANs currently configured on the device, to determine how one or more VLANs were created, the ports allowed and disallowed to transmit traffic belonging to VLAN(s), and if those ports will transmit the traffic with a VLAN tag included.
Command
For information about...    Refer to page...
show vlan                   10-3
show vlan
Use this command to display all information related to one or more VLANs.
Syntax
show vlan [static] [vlan-list] [portinfo [vlan vlan-list | vlan-name] [port port-string]]
Parameters
static                         (Optional) Displays information related to static VLANs. Static VLANs are manually created using the set vlan command ("set vlan" on page 10-5), SNMP MIBs, or the WebView management application. The default VLAN, VLAN 1, is always statically configured and can't be deleted. Only ports that use a specified VLAN as their default VLAN (PVID) will be displayed.
vlan-list                      (Optional) Displays information for a specific VLAN or range of VLANs.
portinfo                       (Optional) Displays VLAN attributes related to one or more ports.
vlan vlan-list | vlan-name     (Optional) Displays port information for one or more VLANs.
port port-string               (Optional) Displays port information for one or more ports.
Defaults
If no options are specified, all information related to static and dynamic VLANs will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display information for VLAN 1. In this case, VLAN 1 is named "DEFAULT VLAN". Ports allowed to transmit frames belonging to VLAN 1 are listed as egress ports. Ports that won't include a VLAN tag in their transmitted frames are listed as untagged ports. There are no forbidden ports (prevented from transmitting frames) on VLAN 1:
C3(su)->show vlan 1
VLAN: 1 NAME: DEFAULT VLAN
VLAN Type: Default
Egress Ports
ge.1.1-10, ge.2.1-4, ge.3.1-7,
Forbidden Egress Ports
None.
Untagged Ports
ge.1.1-10, ge.2.1-4, ge.3.1-7,
Table 10-2 provides an explanation of the command output.
Table 10-2 show vlan Output Details
Output Field              What It Displays...
VLAN                      VLAN ID.
NAME                      Name assigned to the VLAN.
Status                    Whether it is enabled or disabled.
VLAN Type                 Whether it is permanent (static) or dynamic.
Egress Ports              Ports configured to transmit frames for this VLAN.
Forbidden Egress Ports    Ports prevented from transmitting frames for this VLAN.
Untagged Ports            Ports configured to transmit untagged frames for this VLAN.
Creating and Naming Static VLANs
Purpose
To create a new static VLAN, or to enable or disable existing VLAN(s).
Commands
For information about...    Refer to page...
set vlan                    10-5
set vlan name               10-6
clear vlan                  10-6
clear vlan name             10-7
set vlan
Use this command to create a new static IEEE 802.1Q VLAN, or to enable or disable an existing VLAN.
Syntax
set vlan {create | enable | disable} vlan-list
Parameters
create | enable | disable    Creates, enables or disables VLAN(s).
vlan-list                    Specifies one or more VLAN IDs to be created, enabled or disabled.
Defaults
None.
Mode
Switch command, read-write.
Usage
Once a VLAN is created, you can assign it a name using the set vlan name command described in "set vlan name" on page 10-6.
Each VLAN ID must be unique. If a duplicate VLAN ID is entered, the device assumes that the Administrator intends to modify the existing VLAN.
Enter the VLAN ID using a unique number between 1 and 4093. The VLAN IDs of 0 and 4094 and higher may not be used for user-defined VLANs.
Examples
This example shows how to create VLAN 3:
C3(su)->set vlan create 3
set vlan name
Use this command to set or change the ASCII name for a new or existing VLAN.
Syntax
set vlan name vlan-list vlan-name
Parameters
vlan-list    Specifies the VLAN ID of the VLAN(s) to be named.
vlan-name    Specifies the string used as the name of the VLAN (1 to 32 characters).
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the name for VLAN 7 to green:
C3(su)->set vlan name 7 green
clear vlan
Use this command to remove a static VLAN from the list of VLANs recognized by the device.
Syntax
clear vlan vlan-list
Parameters
vlan-list    Specifies the VLAN ID of the VLAN(s) to be removed.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to remove a static VLAN 9 from the device's VLAN list:
C3(su)->clear vlan 9
clear vlan name
Use this command to remove the name of a VLAN from the VLAN list.
Syntax
clear vlan name vlan-list
Parameters
vlan-list    Specifies the VLAN ID of the VLAN(s) for which the name will be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the name for VLAN 9:
C3(su)->clear vlan name 9
Assigning Port VLAN IDs (PVIDs) and Ingress Filtering
Purpose
To assign default VLAN IDs to untagged frames on one or more ports, to configure VLAN ingress filtering and constraints, and to set the frame discard mode.
Commands
For information about...    Refer to page...
show port vlan              10-8
set port vlan               10-9
clear port vlan             10-9
show port ingress filter    10-10
set port ingress filter     10-11
show port discard           10-11
set port discard            10-12
show port vlan
Use this command to display port VLAN identifier (PVID) information. PVID determines the VLAN to which all untagged frames received on one or more ports will be classified.
Syntax
show port vlan [port-string]
Parameters
port-string    (Optional) Displays PVID information for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, port VLAN information for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display PVIDs assigned to ge.2.1 through 6. In this case, untagged frames received on these ports will be classified to VLAN 1:
C3(su)->show port vlan ge.2.1-6
ge.2.1 is set to 1
ge.2.2 is set to 1
ge.2.3 is set to 1
ge.2.4 is set to 1
ge.2.5 is set to 1
ge.2.6 is set to 1
set port vlan
Use this command to configure the PVID (port VLAN identifier) for one or more ports.
Syntax
set port vlan port-string pvid [modify-egress | no-modify-egress]
Parameters
port-string         Specifies the port(s) for which to configure a VLAN identifier. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
pvid                Specifies the VLAN ID of the VLAN to which port(s) will be added.
modify-egress       (Optional) Adds port(s) to VLAN's untagged egress list and removes them from other untagged egress lists.
no-modify-egress    (Optional) Does not prompt for or make egress list changes.
Defaults
None.
Mode
Switch command, read-write.
Usage
The PVID is used to classify untagged frames as they ingress into a given port.
Example
This example shows how to add ge.1.10 to the port VLAN list of VLAN 4 (PVID 4).
C3(su)->set vlan create 4
C3(su)->set port vlan ge.1.10 4 modify-egress
clear port vlan
Use this command to reset a port's 802.1Q port VLAN ID (PVID) to the host VLAN ID 1.
Note: The following command will reset the specified port's egress status to tagged. To set the specified ports back to the default egress status of untagged, you must issue the set port vlan command as described on page 10-9.
Syntax
clear port vlan port-string
Parameters
port-string    Specifies the port(s) to be reset to the host VLAN ID 1. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset ports ge.1.3 through 11 to a VLAN ID of 1 (Host VLAN):
C3(su)->clear port vlan ge.1.3-11
show port ingress filter
Use this command to show all ports that are enabled for port ingress filtering, which limits incoming VLAN ID frames according to a port VLAN egress list. If the VLAN ID specified in the received frame is not on the port's VLAN egress list, then that frame is dropped and not forwarded.
Syntax
show port ingress-filter [port-string]
Parameters
port-string    (Optional) Specifies the port(s) for which to display ingress filtering status. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, ingress filtering status for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the port ingress filter status for ports 10 through 15 in slot 1. In this case, the ports are disabled for ingress filtering:
C3(su)->show port ingress-filter ge.1.10-15
Port      State
-----------------
ge.1.10   disabled
ge.1.11   disabled
ge.1.12   disabled
ge.1.13   disabled
ge.1.14   disabled
ge.1.15   disabled
set port ingress filter
Use this command to discard all frames received with a VLAN ID that don't match the port's VLAN egress list.
Syntax
set port ingress-filter port-string {disable | enable}
Parameters
port-string         Specifies the port(s) on which to enable or disable ingress filtering. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
disable | enable    Disables or enables ingress filtering.
Defaults
None.
Mode
Switch command, read-write.
Usage
When ingress filtering is enabled on a port, the VLAN IDs of incoming frames are compared to the port's egress list. If the received VLAN ID does not match a VLAN ID on the port's egress list, then the frame is dropped.
Ingress filtering is implemented according to the IEEE 802.1Q standard.
Example
This example shows how to enable port ingress filtering on ge.1.3:
C3(su)->set port ingress-filter ge.1.3 enable
show port discard
Use this command to display the frame discard mode for one or more ports. Ports can be set to discard frames based on whether or not the frame contains a VLAN tag. They can also be set to discard both tagged and untagged frames, or neither.
Syntax
show port discard [port-string]
Parameters
port-string    (Optional) Displays the frame discard mode for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, frame discard mode will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display the frame discard mode for ge.2.7. In this case, the port has been set to discard all tagged frames:
C3(su)->show port discard ge.2.7
Port      Discard Mode
-------------------------
ge.2.7    tagged
set port discard
Use this command to set the frame discard mode on one or more ports.
Syntax
set port discard port-string {tagged | untagged | both | none}
Parameters
port-string                         Specifies the port(s) for which to set frame discard mode. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
tagged | untagged | both | none     Tagged - Discard all incoming (received) tagged packets on the defined port(s).
                                    Untagged - Discard all incoming untagged packets.
                                    Both - All traffic will be discarded (tagged and untagged).
                                    None - No packets will be discarded.
Defaults
None.
Mode
Switch command, read-write.
Usage
The options are to discard all incoming tagged frames, all incoming untagged frames, neither (essentially allow all traffic), or both (essentially discarding all traffic).
A common practice is to discard all tagged packets on user ports. Typically an Administrator does not want the end users defining what VLAN they use for communication.
Example
This example shows how to discard all tagged frames received on port ge.3.3:
C3(su)->set port discard ge.3.3 tagged
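The following added example (not part of the original guide) audits captured "show port ingress-filter" and "show port discard" output against the common practice described above. The sample output is constructed in the layout of this guide's examples, and the list of user ports and the issue names are assumptions supplied by the auditor.

```python
import re

# Constructed sample output, laid out like the examples in this guide.
INGRESS_FILTER_OUTPUT = """\
Port      State
-----------------
ge.1.10   disabled
ge.1.11   enabled
ge.1.12   enabled
"""

DISCARD_OUTPUT = """\
Port      Discard Mode
-------------------------
ge.1.10   none
ge.1.11   tagged
ge.1.12   untagged
"""

# A data row is "<port-string> <value>"; header and separator lines do not match.
PORT_ROW = re.compile(r"^([a-z]+\.\d+\.\d+)\s+(\S+)$")

# Remediation uses only the commands documented in this section.
FIXES = {
    "ingress-filter-disabled": "set port ingress-filter {port} enable",
    "tagged-accepted": "set port discard {port} tagged",
}


def parse_port_table(text, allowed):
    """Return {port: value} from a two-column 'show port ...' table."""
    rows = {}
    for line in text.splitlines():
        match = PORT_ROW.match(line.strip())
        if match is None:
            continue  # header, separator or blank line
        port, value = match.groups()
        if value not in allowed:
            raise ValueError(f"unexpected value {value!r} for {port}")
        rows[port] = value
    return rows


def audit_user_ports(user_ports, ingress_text, discard_text):
    """Return (port, issue) pairs for user ports that deviate from the practice."""
    ingress = parse_port_table(ingress_text, {"enabled", "disabled"})
    discard = parse_port_table(discard_text, {"tagged", "untagged", "both", "none"})
    findings = []
    for port in user_ports:
        if port not in ingress or port not in discard:
            # Never report a port as compliant when no output was captured for it.
            findings.append((port, "no-data"))
            continue
        if ingress[port] != "enabled":
            findings.append((port, "ingress-filter-disabled"))
        if discard[port] not in ("tagged", "both"):
            # Modes "none" and "untagged" both let tagged frames in.
            findings.append((port, "tagged-accepted"))
    return findings


def remediation(findings):
    """Map findings to the CLI commands that correct them."""
    return [FIXES[issue].format(port=port)
            for port, issue in findings if issue in FIXES]


if __name__ == "__main__":
    ports = ["ge.1.10", "ge.1.11", "ge.1.12", "ge.1.13"]
    found = audit_user_ports(ports, INGRESS_FILTER_OUTPUT, DISCARD_OUTPUT)
    for port, issue in found:
        print(f"{port}: {issue}")
    for command in remediation(found):
        print(command)
```

Ports reported as "no-data" need their output captured again before they can be judged either way.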
Configuring the VLAN Egress List
Purpose
To assign or remove ports on the egress list of a particular VLAN. This determines which ports on the switch will be eligible to transmit frames for a particular VLAN. For example, ports 1, 5, 7, 8 could be allowed to transmit frames belonging to VLAN 20 and ports 7, 8, 9, 10 could be allowed to transmit frames tagged with VLAN 30 (a port can belong to multiple VLAN Egress lists). Note that the Port Egress list for ports 7 and 8 would contain both VLAN 20 and 30.
The port egress type for all ports can be set to tagged, forbidden, or untagged. In general, VLANs have no egress (except for VLAN 1) until they are configured by static administration, or through dynamic mechanisms such as GVRP.
Setting a port to forbidden prevents it from participating in the specified VLAN and ensures that any dynamic requests (either through GVRP or dynamic egress) for the port to join the VLAN will be ignored. Setting a port to untagged allows it to transmit frames without a tag header. This setting is usually used to configure a port connected to an end user device. Frames sent between VLAN aware switches are typically tagged.
The default VLAN defaults its egress to untagged for all ports.
Commands
For information about...    Refer to page...
show port egress            10-13
set vlan forbidden          10-14
set vlan egress             10-15
clear vlan egress           10-15
show vlan dynamicegress     10-16
set vlan dynamicegress      10-17
show port egress
Use this command to display the VLAN membership for one or more ports.
Syntax
show port egress [port-string]
Parameters
port-string    (Optional) Displays VLAN membership for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, VLAN membership will be displayed for all ports.
Mode
Switch command, read-write.
Example
This example shows you how to show VLAN egress information for ge.1.1 through 3. In this case, all three ports are allowed to transmit VLAN 1 frames as tagged and VLAN 10 frames as untagged. Both are static VLANs:
C3(su)->show port egress ge.1.1-3
Port      Vlan    Egress      Registration
Number    Id      Status      Status
-------------------------------------------------------
ge.1.1    1       tagged      static
ge.1.1    10      untagged    static
ge.1.2    1       tagged      static
ge.1.2    10      untagged    static
ge.1.3    1       tagged      static
ge.1.3    10      untagged    static
set vlan forbidden
Use this command to prevent one or more ports from participating in a VLAN. This setting instructs the device to ignore dynamic requests (either through GVRP or dynamic egress) for the port to join the VLAN.
Syntax
set vlan forbidden vlan-id port-string
Parameters
vlan-id        Specifies the VLAN for which to set forbidden port(s).
port-string    Specifies the port(s) to set as forbidden for the specified vlan-id.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows you how to set ge.1.3 to forbidden for VLAN 6:
C3(su)->set vlan forbidden 6 ge.1.3
set vlan egress
Use this command to add ports to the VLAN egress list for the device, or to prevent one or more ports from participating in a VLAN. This determines which ports will transmit frames for a particular VLAN.
Syntax
set vlan egress vlan-list port-string [untagged | forbidden | tagged]
Parameters
vlan-list                        Specifies the VLAN where a port(s) will be added to the egress list.
port-string                      Specifies one or more ports to add to the VLAN egress list of the specified vlan-list. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
untagged | forbidden | tagged    (Optional) Adds the specified ports as:
                                 untagged - Causes the port(s) to transmit frames without an IEEE 802.1Q header tag.
                                 forbidden - Instructs the device to ignore dynamic requests (either through GVRP or dynamic egress) from the port(s) to join the VLAN and disallows egress on that port.
                                 tagged - Causes the port(s) to transmit 802.1Q tagged frames.
Defaults
If untagged, forbidden or tagged is not specified, the port will be added to the VLAN egress list as tagged.
Mode
Switch command, read-write.
Examples
This example shows how to add ge.1.5 through 10 to the egress list of VLAN 7. This means that these ports will transmit VLAN 7 frames as tagged:
C3(su)->set vlan egress 7 ge.1.5-10 tagged
This example shows how to forbid ports 13 through 15 in slot 1 from joining VLAN 7 and disallow egress on those ports:
C3(su)->set vlan egress 7 ge.1.13-15 forbidden
This example shows how to allow port 2 in slot 1 to transmit VLAN 7 frames as untagged:
C3(su)->set vlan egress 7 ge.1.2 untagged
clear vlan egress
Use this command to remove ports from a VLAN's egress list.
Note: The following command will reset the specified port's egress status to tagged. To set the specified ports back to the default egress status of untagged, you must issue the set vlan egress command as described on page 10-15.
Syntax
clear vlan egress vlan-list port-string [forbidden]
Parameters
vlan-list      Specifies the number of the VLAN from which a port(s) will be removed from the egress list.
port-string    Specifies one or more ports to be removed from the VLAN egress list of the specified vlan-list. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
forbidden      (Optional) Clears the forbidden setting from the specified port(s) and resets the port(s) as able to egress frames if so configured by either static or dynamic means.
Defaults
If forbidden is not specified, tagged and untagged settings will be cleared.
Mode
Switch command, read-write.
Examples
This example shows how to remove ge.3.14 from the egress list of VLAN 9:
C3(su)->clear vlan egress 9 ge.3.14
This example shows how to remove all Ethernet ports in slot 2 from the egress list of VLAN 4:
C3(su)->clear vlan egress 4 ge.2.*
show vlan dynamicegress
Use this command to display the status of dynamic egress (enabled or disabled) for one or more VLANs.
Syntax
show vlan dynamicegress [vlan-list]
Parameters
vlan-list    (Optional) Displays dynamic egress status for specific VLAN(s).
Defaults
If vlan-list is not specified, the dynamic egress status for all VLANs will be displayed.
Mode
Switch command, read-write.
Example
This example shows how to display the dynamic egress status for VLANs 50-55:
C3(rw)->show vlan dynamicegress 50-55
VLAN 50 is disabled
VLAN 51 is disabled
VLAN 52 is disabled
VLAN 53 is enabled
VLAN 54 is enabled
VLAN 55 is enabled
set vlan dynamicegress
Use this command to administratively set the dynamic egress status for one or more VLANs.
Syntax
set vlan dynamicegress vlan-list {enable | disable}
Parameters
vlan-list           Specifies the VLANs by ID to enable or disable dynamic egress.
enable | disable    Enables or disables dynamic egress.
Defaults
None.
Mode
Switch command, read-write.
Usage
If dynamic egress is enabled for a particular VLAN, when a port receives a frame tagged with that VLAN's ID, the switch will add the receiving port to that VLAN's egress list. Dynamic egress is disabled on the SecureStack C3 by default.
For example, assume you have 20 AppleTalk users on your network who are mobile users (that is, use different ports every day), but you want to keep the AppleTalk traffic isolated in its own VLAN. You can create an AppleTalk VLAN with a VLAN ID of 55 with a classification rule that all AppleTalk traffic gets tagged with VLAN ID 55. Then, you enable dynamic egress for VLAN 55. Now, when an AppleTalk user plugs into port ge.3.5 and sends an AppleTalk packet, the switch will tag the packet to VLAN 55 and also add port ge.3.5 to VLAN 55's egress list, which allows the AppleTalk user to receive AppleTalk traffic.
Example
This example shows how to enable dynamic egress on VLAN 55:
C3(rw)->set vlan dynamicegress 55 enable
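The following added example (not part of the original guide, and not the switch's actual implementation) models how the settings described in this chapter combine when a frame arrives on a port: frame discard mode, PVID classification, dynamic egress with the forbidden setting, and ingress filtering. The order of the checks is an assumption, as is applying the ingress filter to tagged frames only; the class names, port names and VLAN numbers are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    pvid: int = 1                 # set port vlan
    discard: str = "none"         # set port discard: tagged|untagged|both|none
    ingress_filter: bool = False  # set port ingress-filter


@dataclass
class Switch:
    ports: dict                                        # port-string -> Port
    egress: dict = field(default_factory=dict)         # vlan -> {port: registration}
    forbidden: dict = field(default_factory=dict)      # vlan -> set of ports
    dynamic_egress: set = field(default_factory=set)   # VLANs with dynamic egress on

    def receive(self, port_name, tag=None):
        """Return (verdict, vlan) for a frame; tag is its 802.1Q VLAN ID or None."""
        port = self.ports[port_name]
        tagged = tag is not None

        # 1. Frame discard mode looks only at whether a tag is present.
        if port.discard == "both":
            return ("drop:discard-mode", None)
        if port.discard == ("tagged" if tagged else "untagged"):
            return ("drop:discard-mode", None)

        # 2. Untagged frames are classified to the port's PVID.
        vlan = tag if tagged else port.pvid

        # 3. Dynamic egress: a tagged frame for an enabled VLAN adds the
        #    receiving port to that VLAN's egress list, unless the port is
        #    forbidden. Assumption: this step runs before the ingress filter.
        if tagged and vlan in self.dynamic_egress:
            if port_name not in self.forbidden.get(vlan, set()):
                self.egress.setdefault(vlan, {}).setdefault(port_name, "dynamic")

        # 4. Ingress filter: the VLAN ID in the frame must be on the port's
        #    egress list (applied to tagged frames, following the wording above).
        if tagged and port.ingress_filter:
            if port_name not in self.egress.get(vlan, {}):
                return ("drop:ingress-filter", vlan)
        return ("accept", vlan)


def demo_switch():
    """Constructed setup: three user ports in VLAN 10, dynamic egress on VLAN 55."""
    ports = {
        "ge.1.1": Port(pvid=10, discard="tagged", ingress_filter=True),
        "ge.1.2": Port(pvid=10, discard="none", ingress_filter=True),
        "ge.1.3": Port(pvid=10, discard="none", ingress_filter=True),
    }
    egress = {
        10: {"ge.1.1": "static", "ge.1.2": "static", "ge.1.3": "static"},
        55: {},
    }
    return Switch(ports=ports, egress=egress,
                  forbidden={55: {"ge.1.3"}}, dynamic_egress={55})


if __name__ == "__main__":
    sw = demo_switch()
    for name, tag in [("ge.1.1", None), ("ge.1.1", 55), ("ge.1.2", 20),
                      ("ge.1.2", 55), ("ge.1.3", 55)]:
        print(name, tag, sw.receive(name, tag))
    print("VLAN 55 egress list:", sw.egress[55])
```

In this model a port joins VLAN 55 by sending one tagged frame unless its discard mode is tagged or it is set to forbidden for that VLAN, which is why both settings matter on user ports when dynamic egress is enabled.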
Setting the Host VLAN
Purpose
To configure a host VLAN that only select devices are allowed to access. This secures the host port for management-only tasks.
Note: The host port is the management entity of the device. Refer to "Creating a Secure Management VLAN" on page 10-2 for more information.
Commands
For information about...    Refer to page...
show host vlan              10-18
set host vlan               10-18
clear host vlan             10-19
show host vlan
Use this command to display the current host VLAN.
Syntax
show host vlan
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the host VLAN:
C3(su)->show host vlan
Host vlan is 7.
set host vlan
Use this command to assign host status to a VLAN.
Note: Before you can designate a VLAN as the host VLAN, you must create a VLAN using the set of commands described in "Creating and Naming Static VLANs" on page 10-5.
Syntax
set host vlan vlan-id
Parameters
vlan-id    Specifies the number of the VLAN to set as the host VLAN.
Defaults
None.
Mode
Switch command, read-write.
Usage
The host VLAN should be a secure VLAN where only designated users are allowed access. For example, a host VLAN could be specifically created for device management. This would allow a management station connected to the management VLAN to manage all ports on the device and make management secure by preventing management via ports assigned to other VLANs.
Example
This example shows how to set VLAN 7 as the host VLAN:
C3(su)->set host vlan 7
clear host vlan
Use this command to reset the host VLAN to the default setting of 1.
Syntax
clear host vlan
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the host VLAN to the default setting:
C3(su)->clear host vlan
Enabling/Disabling GVRP (GARP VLAN Registration Protocol)
About GARP VLAN Registration Protocol (GVRP)
The following sections describe the device operation when its ports are operating under the Generic Attribute Registration Protocol (GARP) application - GARP VLAN Registration Protocol (GVRP).
Overview
The purpose of GVRP is to dynamically create VLANs across a switched network. When a VLAN is declared, the information is transmitted out GVRP configured ports on the device in a GARP formatted frame using the GVRP multicast MAC address. A switch that receives this frame examines the frame and extracts the VLAN IDs. GVRP then creates the VLANs and adds the receiving port to its tagged member list for the extracted VLAN ID(s). The information is then transmitted out the other GVRP configured ports of the device. Figure 10-1 shows an example of how VLAN blue from end station A would be propagated across a switch network.
How It Works
In Figure 10-1 on page 10-21, Switch 4, port 1 is registered as being a member of VLAN Blue and then declares this fact out all its ports (2 and 3) to Switch 1 and Switch 2. These two devices register this in the port egress lists of the ports (Switch 1, port 1 and Switch 2, port 1) that received the frames with the information. Switch 2, which is connected to Switch 3 and Switch 5 declares the same information to those two devices and the port egress list of each port is updated with the new information, accordingly.
Configuring a VLAN on an 802.1Q switch creates a static VLAN entry. The entry will always remain registered and will not time out. However, dynamic entries will time out and their registrations will be removed from the member list if the end station A is removed. This ensures that, if switches are disconnected or if end stations are removed, the registered information remains accurate.
The end result is that the port egress list of a port is updated with information about VLANs that reside on that port, even if the actual station on the VLAN is several hops away.
Figure 10-1 Example of VLAN Propagation via GVRP
[Figure: End Station A and Switches 1 through 5. Legend: R = Port registered as a member of VLAN Blue; D = Port declaring VLAN Blue.]
Purpose
To dynamically create VLANs across a switched network. The GVRP command set is used to display GVRP configuration information, the current global GVRP state setting, individual port settings (enable or disable) and timer settings. By default, GVRP is enabled globally on the device, but disabled on all ports.
Commands
For information about...    Refer to page...
show gvrp                   10-22
show garp timer             10-22
set gvrp                    10-23
clear gvrp                  10-24
set garp timer              10-24
clear garp timer            10-25
show gvrp
Use this command to display GVRP configuration information.
Syntax
show gvrp [port-string]
Parameters
port-string    (Optional) Displays GVRP configuration information for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, GVRP configuration information will be displayed for all ports and the device.
Mode
Switch command, read-only.
Example
This example shows how to display GVRP status for the device and for ge.2.1:
C3(su)->show gvrp ge.2.1
Global GVRP status is enabled.
Port Number    GVRP status
----------------------
ge.2.1         disabled
show garp timer
Use this command to display GARP timer values for one or more ports.
Syntax
show garp timer [port-string]
Parameters
port-string    (Optional) Displays GARP timer information for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, GARP timer information will be displayed for all ports.
Mode
Switch command, read-only.
Note: For a functional description of the terms join, leave, and leaveall timers, refer to the standard IEEE 802.1Q documentation, which is not supplied with this device.
Example
This example shows how to display GARP timer information on ports 1 through 10 in slot 1:
C3(su)->show garp timer ge.1.1-10
Port based GARP Configuration: (Timer units are centiseconds)
Port Number    Join    Leave    Leaveall
-----------------------------------------
ge.1.1         20      60       1000
ge.1.2         20      60       1000
ge.1.3         20      60       1000
ge.1.4         20      60       1000
ge.1.5         20      60       1000
ge.1.6         20      60       1000
ge.1.7         20      60       1000
ge.1.8         20      60       1000
ge.1.9         20      60       1000
ge.1.10        20      60       1000
Table 10-3 provides an explanation of the command output. For details on using the set gvrp command to enable or disable GVRP, refer to "set gvrp" on page 10-23. For details on using the set garp timer command to change default timer values, refer to "set garp timer" on page 10-24.
Table 10-3 show gvrp configuration Output Details
Output Field    What It Displays...
Port Number     Port designation. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Join            Join timer setting.
Leave           Leave timer setting.
Leaveall        Leaveall timer setting.
set gvrp
Use this command to enable or disable GVRP globally on the device or on one or more ports.
Syntax
set gvrp {enable | disable} [port-string]
Parameters
disable | enable    Disables or enables GVRP on the device.
port-string         (Optional) Disables or enables GVRP on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, GVRP will be disabled or enabled for all ports.
Mode
Switch command, read-write.
Examples
This example shows how to enable GVRP globally on the device:
C3(su)->set gvrp enable
This example shows how to disable GVRP globally on the device:
C3(su)->set gvrp disable
This example shows how to enable GVRP on ge.1.3:
C3(su)->set gvrp enable ge.1.3
clear gvrp
Use this command to clear GVRP status globally or on one or more ports.
Syntax
clear gvrp [port-string]
Parameters
port-string    (Optional) Clears GVRP status on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, GVRP status will be cleared for all ports.
Mode
Switch command, read-write.
Example
This example shows how to clear GVRP status globally on the device:
C3(su)->clear gvrp
set garp timer
Use this command to adjust the values of the join, leave, and leaveall timers.
Syntax
set garp timer {[join timer-value] [leave timer-value] [leaveall timer-value]} port-string
Parameters
join timer-value        Sets the GARP join timer in centiseconds (Refer to 802.1Q standard.)
leave timer-value       Sets the GARP leave timer in centiseconds (Refer to 802.1Q standard.)
leaveall timer-value    Sets the GARP leaveall timer in centiseconds (Refer to 802.1Q standard.)
port-string             Specifies the port(s) on which to configure GARP timer settings. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Usage
The setting of these timers is critical and should only be changed by personnel familiar with the 802.1Q standards documentation, which is not supplied with this device.
Examples
This example shows how to set the GARP join timer value to 100 centiseconds for all ports:
C3(su)->set garp timer join 100 *.*.*
This example shows how to set the leave timer value to 300 centiseconds for all ports:
C3(su)->set garp timer leave 300 *.*.*
This example shows how to set the leaveall timer value to 20000 centiseconds for all ports:
C3(su)->set garp timer leaveall 20000 *.*.*
clear garp timer
Use this command to reset GARP timers back to default values.
Syntax
clear garp timer {[join] [leave] [leaveall]} port-string
Parameters
join           (Optional) Resets the join timer to 20 centiseconds.
leave          (Optional) Resets the leave timer to 60 centiseconds.
leaveall       (Optional) Resets the leaveall timer to 1000 centiseconds.
port-string    Specifies the port or ports on which to reset the GARP timer(s).
Defaults
At least one optional parameter must be entered.
Mode
Switch command, read-write.
Example
The example shows how to reset the GARP leave timer to 60 centiseconds.
C3(su)->clear garp timer leave ge.1.1
11
Policy Classification Configuration
This chapter describes the Policy Classification set of commands and how to use them.
Policy Classification Configuration Summary
SecureStack C3 devices support policy profile-based provisioning of network resources by
allowing IT administrators to:
• Create, change or remove policy profiles based on business-specific use of network services.
• Permit or deny access to specific services by creating and assigning classification rules which
  map user profiles to protocol-based frame filtering policies configured for a particular VLAN
  or Class of Service (CoS).
• Assign or unassign ports to policy profiles so that only ports activated for a profile will be
  allowed to transmit frames accordingly.
For information about... Refer to page...
Policy Classification Configuration Summary 11-1
Configuring Policy Profiles 11-2
Configuring Classification Rules 11-6
Assigning Ports to Policy Profiles 11-15
Configuring Policy Class of Service (CoS) 11-17
Note: An Enterasys Networks Feature Guide document containing an in-depth discussion of Policy
configuration is located on the Enterasys Networks web site:
http://www.enterasys.com/support/manuals/
Note: It is recommended that you use Enterasys Networks NMS Policy Manager as an alternative
to CLI for configuring policy classification on the SecureStack C3 devices.
Configuring Policy Profiles
Purpose
To review, create, change and remove user profiles that relate to business-driven policies for
managing network resources.
Note: B3, C3, and G3 devices support profile-based CoS traffic rate limiting only. Policy rules
specifying CoS will only rate limit on D2, C2 and B2 devices, including when C2 and B2 devices are
configured on mixed stacks containing B3 and C3 devices.
Commands
For information about... Refer to page...
show policy profile 11-2
set policy profile 11-4
clear policy profile 11-5
show policy profile
Use this command to display policy profile information.
Syntax
show policy profile {all | profile-index [consecutive-pids] [-verbose]}
Parameters
all | profile-index   Displays policy information for all profile indexes or a specific profile index.
consecutive-pids   (Optional) Displays information for specified consecutive profile indexes.
-verbose   (Optional) Displays detailed information.
Defaults
If optional parameters are not specified, summary information will be displayed for the specified
index or all indices.
Mode
Switch command, read-only.
Example
This example shows how to display policy information for profile 11:
C3(su)->show policy profile 11
Profile Index         : 11
Profile Name          : MacAuth1
Row Status            : active
Port VID Status       : Enable
Port VID Override     : 11
CoS                   : 0
CoS Status            : Disable
Egress Vlans          : none
Forbidden Vlans       : none
Untagged Vlans        : none
Rule Precedence       : 1-31
                      : MACSource(1), MACDest(2), Unknown(3),
                      : Unknown(4), Unknown(5), Unknown(6),
                      : Unknown(7), Unknown(8), Unknown(9),
                      : Unknown(10), Unknown(11), IPSource(12),
                      : IPDest(13), IPFrag(14), UDPSrcPort(15),
                      : UDPDestPort(16), TCPSrcPort(17), TCPDestPort(18),
                      : ICMPType(19), Unknown(20), IPTOS(21),
                      : IPProto(22), Unknown(23), Unknown(24),
                      : Ether(25), Unknown(26), VLANTag(27),
                      : Unknown(28), Unknown(29), Unknown(30),
                      : port(31)
Admin Profile Usage   : none
Oper Profile Usage    : none
Dynamic Profile Usage : none
Table 11-1 provides an explanation of the command output.
Table 11-1 show policy profile Output Details
Output Field What It Displays...
Profile Index Number of the profile.
Profile Name User-supplied name assigned to this policy profile.
Row Status Whether or not the policy profile is enabled (active) or disabled.
Port VID Status Whether or not PVID override is enabled or disabled for this profile. If all
classification rules associated with this profile are missed, then this parameter, if
specified, determines default behavior.
Port VID Override The PVID assigned to packets, if PVID override is enabled.
CoS CoS priority value to assign to packets, if CoS override is enabled.
CoS Status Whether or not Class of Service override is enabled or disabled for this profile. If all
classification rules associated with this profile are missed, then this parameter, if
specified, determines default behavior.
Egress VLANs VLAN(s) that ports to which the policy profile is assigned can use for tagged egress.
Forbidden VLANs VLAN(s) forbidden to ports to which the policy profile is assigned.
Untagged VLANs VLAN(s) that ports to which the policy profile is assigned can use for untagged
egress.
Rule Precedence Displays the precedence of types of rules.
Admin Profile Usage Ports administratively assigned to use this policy profile.
Oper Profile Usage Ports currently assigned to use this policy profile.
Dynamic Profile Usage Port dynamically assigned to use this policy profile.
set policy profile
Use this command to create a policy profile entry.
Syntax
set policy profile profile-index [name name] [pvid-status {enable | disable}]
[pvid pvid] [cos-status {enable | disable}] [cos cos] [egress-vlans egress-vlans]
[forbidden-vlans forbidden-vlans] [untagged-vlans untagged-vlans]
[precedence precedence-list] [append] [clear]
Parameters
profile-index   Specifies an index number for the policy profile. Valid values are 1 - 255.
name name   (Optional) Specifies a name for the policy profile. This is a string from 1 to
    64 characters.
pvid-status enable | disable   (Optional) Enables or disables PVID override for this profile. If all
    classification rules associated with this profile are missed, then this
    parameter, if specified, determines default behavior.
pvid pvid   (Optional) Specifies the PVID to assign to packets, if PVID override is enabled and
    invoked as default behavior.
cos-status enable | disable   (Optional) Enables or disables Class of Service override for this profile. If all
    classification rules associated with this profile are missed, then this
    parameter, if specified, determines default behavior.
    Note: A maximum of 99 rules can be supported per policy profile for policy
    profiles that have cos-status enabled.
cos cos   (Optional) Specifies a CoS value to assign to packets, if CoS override is
    enabled and invoked as default behavior. Valid values are 0 to 7.
egress-vlans egress-vlans   (Optional) Specifies that the port to which this policy profile is applied
    should be added to the egress list of the VLANs defined by egress-vlans.
    Packets will be formatted as tagged.
forbidden-vlans forbidden-vlans   (Optional) Specifies that the port to which this policy profile is applied
    should be added as forbidden to the egress list of the VLANs defined by
    forbidden-vlans. Packets from this port will not be allowed to participate in
    the listed VLANs.
untagged-vlans untagged-vlans   (Optional) Specifies that the port to which this policy profile is applied
    should be added to the egress list of the VLANs defined by untagged-vlans.
    Packets will be formatted as untagged.
append   (Optional) Appends this policy profile setting to settings previously
    specified for this policy profile by the egress-vlans, forbidden-vlans, or
    untagged-vlans parameters.
    If append is not used, previous VLAN settings are replaced.
clear   (Optional) Appends this policy profile setting from settings previously
    specified for this policy profile by the egress-vlans, forbidden-vlans, or
    untagged-vlans parameters.
precedence precedence-list   (Optional) Assigns a rule precedence to this profile. Lower values will be
    given higher precedence. For a list of values, refer to the show policy
    profile command output.
Defaults
If optional parameters are not specified, none will be applied.
Mode
Switch command, read-write.
Example
This example shows how to create a policy profile 1 named netadmin with PVID override
enabled for PVID 10, and Class of Service override enabled for CoS 5. This profile can use VLAN
10 for untagged egress:
C3(su)->set policy profile 1 name netadmin pvid-status enable pvid 10 cos-status
enable cos 5 untagged-vlans 10
clear policy profile
Use this command to delete a policy profile entry.
Syntax
clear policy profile profile-index
Parameters
profile-index   Specifies the index number of the profile entry to be deleted. Valid values
    are 1 to 255.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete policy profile 8:
C3(su)->clear policy profile 8
Configuring Classification Rules
Purpose
To review, create, assign, and unassign classification rules to policy profiles. This maps user
profiles to protocol-based frame filtering policies.
Note: B3, C3, and G3 devices support profile-based CoS traffic rate limiting only. Policy rules
specifying CoS will only rate limit on D2, C2 and B2 devices, including when C2 and B2 devices are
configured on mixed stacks containing B3 and C3 devices.
Commands
For information about... Refer to page...
show policy rule 11-6
show policy capability 11-8
set policy rule 11-10
clear policy rule 11-13
clear policy all-rules 11-14
show policy rule
Use this command to display policy classification rule information.
Syntax
show policy rule [all | admin-profile | profile-index] [ether | ipproto |
ipdestsocket | ipsourcesocket | iptos | macdest | macsource | tcpdestport |
tcpsourceport | udpdestport | udpsourceport] [data] [mask mask] [port-string port-string]
[rule-status {active | not-in-service | not-ready}] [storage-type {non-volatile | volatile}]
[vlan vlan] | [drop | forward] [dynamic-pid dynamic-pid]
[cos cos] [admin-pid admin-pid] [-verbose] [usage-list] [display-if-used]
Parameters
all | admin-profile | profile-index   Displays policy classification rules for all profiles, the admin-profile, or for
    a specific profile-index number. Valid values are 1 - 1023.
ether   Displays Ethernet type II rules.
ipproto   Displays IP protocol field in IP packet rules.
ipdestsocket   Displays IP destination address rules.
ipsourcesocket   Displays IP source address rules.
iptos   Displays Type of Service rules.
macdest   Displays MAC destination address rules.
macsource   Displays MAC source address rules.
tcpdestport   Displays TCP destination port rules.
tcpsourceport   Displays TCP source port rules.
udpdestport   Displays UDP destination port rules.
udpsourceport   Displays UDP source port rules.
data   Displays rules for a predefined classifier. This value is dependent on the
    classification type entered. Refer to Table 11-3 for valid values for each
    classification type.
mask mask   (Optional) Displays rules for a specific data mask. Refer to Table 11-3 for
    valid values for each classification type and data value.
port-string port-string   (Optional) Displays rules related to a specific ingress port.
rule-status active | not-in-service | not-ready   (Optional) Displays rules related to a specific rules status.
storage-type non-volatile | volatile   (Optional) Displays rules configured for either non-volatile or volatile
    storage.
vlan vlan   (Optional) Displays rules for a specific VLAN ID.
drop | forward   Displays rules based on whether matching packets will be dropped or
    forwarded.
dynamic-pid dynamic-pid   Displays rules associated with a specific dynamic policy ID.
cos cos   (Optional) Displays rules for a Class of Service value. (Not supported on
    B3, C3, G3 devices.)
admin-pid admin-pid   Displays rules associated with a specific administrative policy ID [1..1023].
-verbose   (Optional) Displays detailed information.
usage-list   (Optional) If selected, each rule's usage-list shall be checked and shall
    display only those ports which have applied this rule.
display-if-used   (Optional) Displays rule(s) only if they are applied to at least one port.
Defaults
If -verbose is not specified, summary information will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display policy classification information for Ethernet type 2 rules:
C3(su)->show policy rule ether
|PID  |Rule Type |Rule Data      |Mk|PortStr |RS|ST|VLAN|CoS |U|
|02   |Ether     |2048 (0x0800)  |16|All     | A|NV|fwrd|    |?|
|02   |Ether     |2049 (0x0801)  |16|All     | A|NV|drop|    |?|
|02   |Ether     |2989 (0x0bad)  |16|All     | A|NV|drop|    |?|
|02   |Ether     |33079 (0x8137) |16|All     | A|NV|drop|    |?|
This example shows how to display policy classification information for administrative rule 1:
C3(su)->show policy rule admin-pid 1
|Admin|Rule Type |Rule Data      |Mk|PortStr |RS|ST|dPID|aPID|U|
|admin|Port      |ge.1.1         |16|ge.1.1  | A|NV|    |   1|?|
|admin|Port      |ge.1.2         |16|ge.1.2  | A|NV|    |   1|?|
|admin|Port      |ge.1.3         |16|ge.1.3  | A|NV|    |   1|?|
|admin|Port      |ge.1.4         |16|ge.1.4  | A|NV|    |   1|?|
|admin|Port      |ge.1.5         |16|ge.1.5  | A|NV|    |   1|?|
|admin|Port      |ge.1.6         |16|ge.1.6  | A|NV|    |   1|?|
|admin|Port      |ge.1.7         |16|ge.1.7  | A|NV|    |   1|?|
|admin|Port      |ge.1.8         |16|ge.1.8  | A|NV|    |   1|?|
|admin|Port      |ge.1.9         |16|ge.1.9  | A|NV|    |   1|?|
|admin|Port      |ge.1.10        |16|ge.1.10 | A|NV|    |   1|?|
|admin|Port      |ge.1.11        |16|ge.1.11 | A|NV|    |   1|?|
|admin|Port      |ge.1.12        |16|ge.1.12 | A|NV|    |   1|?|
Table 11-2 provides an explanation of the command output.
show policy capability
Use this command to display detailed policy classification capabilities supported by your
SecureStack C3 device.
Syntax
show policy capability
Parameters
None.
Defaults
None.
Table 11-2 show policy rule Output Details
Output Field What It Displays...
PID Profile index number. Assigned to this classification rule with the set policy profile
command (set policy profile on page 11-4).
Rule Type Type of classification rule. Refer to Table 11-3 for valid types.
Rule Data Rule data value. Refer to Table 11-3 for valid values for each classification type.
Mk Rule data mask. Refer to Table 11-3 for valid values for each classification data
value.
PortStr Ingress port(s) to which this rule applies.
RS Whether or not the status of this rule is active (A), not in service or not ready.
ST Whether or not this rule's storage type is non-volatile (NV) or volatile (V).
VLAN VLAN ID to which this rule applies and whether or not matching packets will be
dropped or forwarded.
CoS If applicable, Class of Service value to which this rule applies.
U Whether or not this rule has been used.
dPID Whether or not this is a dynamic profile ID.
aPID Whether or not this is an administrative profile ID.
Mode
Switch command, read-only.
Usage
Use this command to display detailed policy classification capabilities supported by your
SecureStack C3 device. The output of this command shows a table listing classifiable traffic
attributes and the type of actions, by rule type, that can be executed relative to each attribute.
Above the table is a list of all the actions possible on this device.
The left-most column of the table lists all possible classifiable traffic attributes. The next two
columns from the left indicate how policy profiles may be assigned, either administratively or
dynamically. The next four columns from the left indicate the actions that may be performed. The
last three columns indicate auditing options.
An x in an action column for a traffic attribute row indicates that your system has the capability to
perform that action for traffic classified by that attribute.
Example
This example shows how to display the device's policy classification capabilities. Refer to set
policy rule on page 11-10 for a description of the parameters displayed:
C3(su)->show policy capability
The following supports related to policy are supported in this device:
VLAN Forwarding        Priority       Permit
Deny                   Precedence Reordering         Rules Table
Longest Prefix Rules
================================================================
|                          | D |   |   |   |   | F |   |   | D |
|                          | Y |   |   |   |   | O | S |   | I |
|                          | N | A |   |   |   | R | Y |   | S |
|                          | A | D | V |   | D | W | S | T | A |
|                          | M | M | L | C | R | A | L | R | B |
|                          | I | I | A | O | O | R | O | A | L |
| SUPPORTED RULE TYPES     | C | N | N | S | P | D | G | P | E |
================================================================
| MAC source address       |   |   |   | X | X | X |   |   |   |
| MAC destination address  |   |   |   | X | X | X |   |   |   |
| IPX source address       |   |   |   |   |   |   |   |   |   |
| IPX destination address  |   |   |   |   |   |   |   |   |   |
| IPX source socket        |   |   |   |   |   |   |   |   |   |
| IPX destination socket   |   |   |   |   |   |   |   |   |   |
| IPX transmission control |   |   |   |   |   |   |   |   |   |
| IPX type field           |   |   |   |   |   |   |   |   |   |
| IPv6 source address      |   |   |   |   |   |   |   |   |   |
| IPv6 destination address |   |   |   |   |   |   |   |   |   |
| IPv6 flow label          |   |   |   |   |   |   |   |   |   |
| IP source address        |   |   |   | X | X | X |   |   |   |
| IP destination address   |   |   |   | X | X | X |   |   |   |
| IP fragmentation         |   |   |   |   |   |   |   |   |   |
| UDP port source          |   |   |   | X | X | X |   |   |   |
| UDP port destination     |   |   |   | X | X | X |   |   |   |
| TCP port source          |   |   |   | X | X | X |   |   |   |
| TCP port destination     |   |   |   | X | X | X |   |   |   |
| ICMP packet type         |   |   |   |   |   |   |   |   |   |
| TTL                      |   |   |   |   |   |   |   |   |   |
| IP type of service       |   |   |   | X | X | X |   |   |   |
| IP proto                 |   |   |   | X | X | X |   |   |   |
| Ether II packet type     |   |   | X | X | X | X |   |   |   |
| LLC DSAP/SSAP/CTRL       |   |   |   |   |   |   |   |   |   |
| VLAN tag                 |   |   |   |   |   |   |   |   |   |
| Replace tci              |   |   |   |   |   |   |   |   |   |
| Port string              | X | X | X | X | X | X |   |   |   |
================================================================
set policy rule
Use this command to assign incoming untagged frames to a specific policy profile and to VLAN or
Class-of-Service classification rules.
Note: Refer to Appendix A, Policy and Authentication Capacities for information about limits on
certain rule types for this platform.
Syntax
This command has two forms of syntax: one to create an admin rule, and the other to create a
traffic classification rule and attach it to a policy profile.
set policy rule admin-profile {vlantag data [mask mask] admin-pid profile-index}
[port-string port-string]
set policy rule profile-index {ether | ipproto | ipdestsocket | ipsourcesocket |
iptos | macdest | macsource | tcpdestport | tcpsourceport | udpdestport |
udpsourceport} data [mask mask] {[vlan vlan] [cos cos] | [drop | forward]}
Parameters
The following parameters apply to creating an admin rule. See the Usage section below for more
information about admin rules.
admin-profile   Specifies that this is an admin rule.
vlantag data   Classifies based on VLAN tag specified by data. Value of data can range
    from 1 to 4094 or 0xFFF.
mask mask   (Optional) Specifies the number of significant bits to match, dependent
    on the data value entered. Value of mask can range from 1 to 12.
    Refer to Table 11-3 for valid values for each classification type and data
    value.
admin-pid profile-index   Associates this admin rule with a policy profile, identified by its index
    number. Policy profiles are configured with the set policy profile
    command as described in set policy profile on page 11-4.
    Valid profile-index values are 1 - 255.
port-string port-string   (Optional) Assigns this rule with the specified policy profile on specific
    ingress port(s). Rule would not be used until policy is assigned to the
    specified port(s) using the set policy port command as described in set
    policy port on page 11-15.
The following parameters apply to creating a traffic classification rule.
Note: Classification rules are automatically enabled when created.
profile-index   Specifies a policy profile number to which this rule will be assigned.
    Policy profiles are configured with the set policy profile command as
    described in set policy profile on page 11-4. Valid profile-index values
    are 1 - 255.
ether   Specifies that the rule should apply to traffic with the specified type field
    in Ethernet II packet.
ipproto   Specifies that the rule should apply to traffic with the specified Protocol
    field in IP packet.
ipdestsocket   Specifies that the rule should apply to traffic with the specified
    destination IP address with optional post-fixed port.
ipsourcesocket   Specifies that the rule should apply to traffic with the specified source IP
    address, with optional post-fixed port.
iptos   Specifies that the rule should apply to traffic with the specified Type of
    Service field in IP packet.
macdest   Specifies that the rule should apply to traffic with the specified MAC
    destination address.
macsource   Specifies that the rule should apply to traffic with the specified MAC
    source address.
tcpdestport   Specifies that the rule should apply to traffic with the specified TCP
    destination port.
tcpsourceport   Specifies that the rule should apply to traffic with the specified TCP
    source port.
udpdestport   Specifies that the rule should apply to traffic with the specified UDP
    destination port.
udpsourceport   Specifies that the rule should apply to traffic with the specified UDP
    source port.
data   Specifies the code for the specified traffic classifier (listed above). This
    value is dependent on the classification type entered. Refer to Table 11-3
    for valid values for each classification type.
mask mask   (Optional) Specifies the number of significant bits to match, dependent on
    the data value entered. Refer to Table 11-3 for valid values for each
    classification type and data value.
vlan vlan   Specifies the action of the rule is to classify to a VLAN ID.
cos cos   Specifies the action of the rule is to classify to a Class-of-Service ID. Valid
    values are 0 - 4095. A value of -1 indicates that no CoS forwarding
    behavior modification is desired. (Not supported on B3, C3, and G3.)
drop | forward   Specifies that packets within this classification will be dropped or
    forwarded.
Defaults
None.
Mode
Switch command, read-write.
Usage
An admin rule can be used to map incoming tagged frames to a policy role (profile). There can be
only one admin rule configured per system (stack). Typically, this rule is used to implement the
User + IP phone legacy feature. Refer to Configuring User + IP Phone Authentication on
page 26-48 for more information. You would configure a policy profile/role for IP phones (for
example, assigning the traffic to a voice VLAN), then associate that policy profile with the
admin rule, and associate the admin rule with the desired ports. Users authenticating over the
same port will typically use a dynamically assigned policy role.
A policy classification rule has two main parts: Traffic Description and Actions. The Traffic
Description identifies the type of traffic to which the rule will pertain. Actions specify whether
that traffic will be assigned class of service, assigned to a VLAN, or both.
Table 11-3 provides the set policy rule data values that can be entered for a particular parameter,
and the mask bits that can be entered for each classifier associated with that parameter.
Examples
This example shows how to use Table 11-3 to assign a rule to policy profile 3 that will filter
Ethernet II Type 1526 frames to VLAN 7:
C3(su)->set policy rule 3 ether 1526 vlan 7
This example shows how to use Table 11-3 to assign a rule to policy profile 5 that will forward
UDP packets from source port 45:
C3(su)->set policy rule 5 udpportsource 45 forward
Table 11-3 Valid Values for Policy Classification Rules
Classification Rule Parameter      data value                              mask bits
ether                              Type field in Ethernet II packet:       Not applicable.
                                   1536 - 65535 or 0x600 - 0xFFFF
ipproto                            Protocol field in IP packet:            Not applicable.
                                   0 - 255 or 0 - 0xFF
Destination or Source IP Address:  IP Address in dotted decimal            1 - 48
ipdestsocket                       format: 000.000.000.000 and
ipsourcesocket                     (Optional) post-fixed port: 0 - 65535
iptos                              Type of Service field in IP packet:     Not applicable.
                                   0 - 252 or 0 - 0xFC
Destination or Source MAC:         MAC Address: 00-00-00-00-00-00          1 - 48
macdest
macsource
Destination or Source TCP port:    TCP Port Number:                        1 - 16
tcpdestport                        0 - 65535 or 0 - 0xFFFF
tcpsourceport
Destination or Source UDP port:    UDP Port Number:                        1 - 16
udpsourceport                      0 - 65535 or 0 - 0xFFFF
udpdestport
vlantag                            VLAN tag: 1 - 4094                      Not applicable.
This example shows how to use Table 11-3 to assign a rule to policy profile 1 that will drop IP
source traffic from IP address 1.2.3.4. If mask 32 is not specified as shown, a default mask of 48 bits
(IP address + port) would be applied:
C3(su)->set policy rule 1 ipsourcesocket 1.2.3.4 mask 32 drop
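The data and mask limits of Table 11-3, and the effect of the mask on a socket rule, as an added example (not Enterasys code and not taken from the firmware). It assumes the post-fixed port is written as address:port, that a rule entered without a port carries port 0, and that mask counts leading bits of the 48-bit address + port value; check_rule, is_valid and socket_rule_matches are hypothetical names.

```python
import ipaddress

PORT = ((0, 65535), (1, 16))
# Classifier -> (numeric data range or data kind, allowed mask bits).
# Values transcribed from Table 11-3; None means "Not applicable".
TABLE_11_3 = {
    "ether": ((1536, 65535), None),
    "ipproto": ((0, 255), None),
    "iptos": ((0, 252), None),
    "ipdestsocket": ("socket", (1, 48)),
    "ipsourcesocket": ("socket", (1, 48)),
    "macdest": ("mac", (1, 48)),
    "macsource": ("mac", (1, 48)),
    "tcpdestport": PORT,
    "tcpsourceport": PORT,
    "udpdestport": PORT,
    "udpsourceport": PORT,
}
SOCKET_DEFAULT_MASK = 48  # default stated on the page: IP address + port


def socket_key(ip, port):
    """Pack an IPv4 address and port into one 48-bit value (address in the high bits)."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} outside 0 - 65535")
    return (int(ipaddress.IPv4Address(ip)) << 16) | port


def parse_socket(data):
    """Parse 'a.b.c.d' or 'a.b.c.d:port' (assumed notation) into a 48-bit key."""
    host, _, port = data.partition(":")
    # Assumption: a rule entered without a port carries port 0 in the low 16 bits.
    return socket_key(host, int(port) if port else 0)


def parse_mac(data):
    """Parse a MAC address written as 00-00-00-00-00-00 into a 48-bit integer."""
    octets = data.split("-")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"bad MAC address {data!r}")
    return int("".join(octets), 16)


def check_rule(classifier, data, mask=None):
    """Validate data and mask against Table 11-3; return (value, effective mask)."""
    if classifier not in TABLE_11_3:
        raise ValueError(f"unknown classifier {classifier!r}")
    kind, mask_range = TABLE_11_3[classifier]
    if kind == "socket":
        value = parse_socket(data)
    elif kind == "mac":
        value = parse_mac(data)
    else:
        low, high = kind
        value = int(str(data), 0)  # decimal or 0x-prefixed hex
        if not low <= value <= high:
            raise ValueError(f"{classifier} data {value} outside {low} - {high}")
    if mask is None:
        return value, SOCKET_DEFAULT_MASK if kind == "socket" else None
    if mask_range is None:
        raise ValueError(f"mask is not applicable to {classifier}")
    if not mask_range[0] <= mask <= mask_range[1]:
        raise ValueError(f"{classifier} mask {mask} outside {mask_range[0]} - {mask_range[1]}")
    return value, mask


def is_valid(classifier, data, mask=None):
    """True if check_rule accepts the arguments."""
    try:
        check_rule(classifier, data, mask)
        return True
    except ValueError:
        return False


def socket_rule_matches(rule_data, mask, ip, port):
    """True if a packet's address and port match the rule in its leading mask bits."""
    rule_key, bits = check_rule("ipsourcesocket", rule_data, mask)
    shift = 48 - bits
    return rule_key >> shift == socket_key(ip, port) >> shift


if __name__ == "__main__":
    # Constructed packets: same source address, different source ports.
    for mask in (32, None):
        hits = [p for p in (0, 80, 51515) if socket_rule_matches("1.2.3.4", mask, "1.2.3.4", p)]
        print(f"mask {mask or 'default 48'}: matches source ports {hits}")
    for args in (("ether", "0x0800"), ("ether", "1526"), ("udpsourceport", "45")):
        print(args, "valid" if is_valid(*args) else "outside Table 11-3")
```

Under these assumptions a socket rule for 1.2.3.4 entered without mask 32 matches only source port 0, which is why the example above sets the mask explicitly. Checked against Table 11-3, the Ethernet II type 1526 used in the examples falls below the table's stated minimum of 1536 (0x600).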
clear policy rule
Use this command to delete policy classification rule entries.
Syntax
This command has two forms of syntax: one to clear an admin rule (for policy ID 0), and the other
to clear a classification rule.
clear policy rule admin-profile {vlantag data [mask mask]}
clear policy rule profile-index {all-pid-entries | {ether | ipproto | ipdestsocket
| ipsourcesocket | iptos | macdest | macsource | tcpdestport | tcpsourceport |
udpdestport | udpsourceport}}
Parameters
The following parameters apply to deleting an admin rule.
admin-profile   Specifies that the rule to be deleted is an admin rule for policy ID 0.
vlantag data   Deletes the rule based on VLAN tag specified by data. Value of data can
    range from 1 to 4094 or 0xFFF.
mask mask   (Optional) Specifies the number of significant bits to match, dependent
    on the data value entered. Value of mask can range from 1 to 12.
    Refer to Table 11-3 for valid values for each classification type and data
    value.
The following parameters apply to deleting a classification rule.
profile-index   Specifies a policy profile for which to delete classification rules. Valid
    profile-index values are 1 - 255.
all-pid-entries   Deletes all entries associated with the specified policy profile.
ether   Deletes associated Ethernet II classification rule.
ipproto   Deletes associated IP protocol classification rule.
ipdestsocket   Deletes associated IP destination classification rule.
ipsourcesocket   Deletes associated IP source classification rule.
iptos   Deletes associated IP Type of Service classification rule.
macdest   Deletes associated MAC destination address classification rule.
macsource   Deletes associated MAC source address classification rule.
tcpdestport   Deletes associated TCP destination port classification rule.
tcpsourceport   Deletes associated TCP source port classification rule.
udpdestport   Deletes associated UDP destination port classification rule.
udpsourceport   Deletes associated UDP source port classification rule.
Defaults
When applicable, data and mask must be specified for individual rules to be cleared.
Mode
Switch command, read-write.
Examples
This example shows how to delete Ethernet II Type 1526 classification rule entries associated with
policy profile 1 from all ports.
C3(su)->clear policy rule 1 ether 1526
This example shows how to remove a rule from policy profile 5 that will forward UDP frames
from source port 45.
C3(su)->clear policy rule 5 udpportsource 45 forward
clear policy all-rules
Use this command to remove all policy classification rules.
Syntax
clear policy all-rules
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to remove all administrative and policy index rules:
C3(su)->clear policy all-rules
Assigning Ports to Policy Profiles
Purpose
To assign and unassign ports to policy profiles.
Note: Refer to Appendix A, Policy and Authentication Capacities for information about policy
limits for this platform.
Commands
For information about... Refer to page...
set policy port 11-15
clear policy port 11-16
set policy port
Use this command to assign ports to a policy profile.
Syntax
set policy port port-string profile-index
Parameters
port-string   Specifies the port(s) to add to the policy profile. For a detailed description
    of possible port-string values, refer to Port String Syntax Used in the CLI
    on page 7-1.
profile-index   Specifies the ID of the policy profile (role) to which the port(s) will be
    added. This value must match the profile-index value assigned using the
    set policy profile command (set policy profile on page 11-4) in order
    for a policy profile to be active on the specified port.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to allow Gigabit Ethernet ports 5 through 15 in slot 1 to transmit frames
according to policy profile 1:
C3(su)->set policy port ge.1.5-15 1
clear policy port
Use this command to remove a policy profile from one or more ports.
Syntax
clear policy port port-string profile-index
Parameters
port-string   Specifies the port(s) from which to remove the policy profile. For a
    detailed description of possible port-string values, refer to Port String
    Syntax Used in the CLI on page 7-1.
profile-index   Specifies the ID of the policy profile (role) to which the port(s) will be
    added. This value must match the profile-index value assigned using the
    set policy profile command (set policy profile on page 11-4) in order
    for a policy profile to be active on the specified port.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to remove policy profile 10 from port 21 in slot 1:
C3(rw)->clear policy port ge.1.21 10
Configuring Policy Class of Service (CoS)
TheSecureStackC3supportsClassofService(CoS),whichallowsyoutoassignmissioncritical
datatoahigherprioritythroughthedevicebydelayinglesscriticaltrafficduringperiodsof
congestion.Thehigherprioritytrafficgoingthroughthedeviceisservicedfirst(beforelower
prioritytraffic).TheClassofServicecapabilityofthedeviceisimplementedbyapriority
queueingmechanism.ClassofServiceisbasedontheIEEE802.1D(802.1p)standardspecification,
andallowsyoutodefineeightpriorities(07,with7grantedhighestpriority)andupto8transmit
queues(07)foreachport.
Bydefault,policybasedCoSisdisabledonthedevice,anddefaultoruserassignedportbased
802.1D(802.1p)settingsareusedtodeterminetrafficprioritization.WhenpolicybasedCoSis
enabled,thedefaultanduserassignedpolicybasedsettingswilloverrideportbasedsettings
describedinChapter 12.
ClassofServicefunctionalitycanalsobeusedtocontrolbroadcast,unknownunicast,and/or
multicastflooding.Thisfeaturepreventsconfiguredportsfrombeingdisruptedbyatrafficstorm
byratelimitingspecifictypesofpacketsthroughthoseports.RefertoAboutCoSBasedFlood
Controlonpage 1119formoreinformation.
About Policy-Based CoS Configurations
Once enabled using the set cos state command, you can add to the policy-based CoS function by
defining new port groupings, and assigning inbound rate limiters. The process for user-defined
CoS configuration involves the following steps and associated commands listed in Procedure 11-1.
An example follows the procedure.
Note: It is recommended that you use Enterasys Networks NMS Policy Manager as an alternative
to CLI for configuring policy-based CoS on the switches.
Procedure 11-1 User-Defined CoS Configuration
Step  Task                                             Command(s)
1.    Enable CoS                                       set cos state enable
2.    Create CoS IRL port groups                       set cos port-config irl
3.    Define physical rate limiters for groups         set cos port-resource irl
4.    Create virtual reference for the IRL resource    set cos reference
      (physical reference) for each port group
5.    Add IRL reference to CoS settings table          set cos settings
Example
This example creates different inbound rate limiters for two port groups and then assigns them to
traffic with a CoS setting of 0.
1. Configure two port groups, one for user ports and one for uplink ports and assign ports to the
groups. Port group 1.0 will represent user ports, group 2.0 will represent uplink ports.
C3(su)->set cos port-config irl 1.0 name Users ports ge.1.1-46
C3(su)->set cos port-config irl 2.0 name Uplink ports ge.1.47-48
C3(su)->show cos port-config
Inbound Rate Limiting Port Configuration Entries
----------------------------------------------------------------------
Port Group Name : Default
Port Group      : 0
Port Type       : 0
Assigned Ports  : none
----------------------------------------------------------------------
Port Group Name : Users
Port Group      : 1
Port Type       : 0
Assigned Ports  : ge.1.1-46
----------------------------------------------------------------------
Port Group Name : Uplink
Port Group      : 2
Port Type       : 0
Assigned Ports  : ge.1.47-48
----------------------------------------------------------------------
2. Configure physical inbound rate limiters for each port group. For the user port group (1.0),
create an IRL (irl-index of 1) for 512 kbps. For the uplink port group (2.0), create an IRL (irl-
index of 1) for 10 megabits per second (10,000 kbps).
C3(su)->set cos port-resource irl 1.0 1 unit kbps rate 512
C3(su)->set cos port-resource irl 2.0 1 unit kbps rate 10000
C3(su)->show cos port-resource irl 1.0 1
Group Index Resource Type Unit  Rate     Rate Limit Type Action
----------------------------------------------------------------
1.0         1        irl  kbps  512      drop            none
C3(su)->show cos port-resource irl 2.0 1
Group Index Resource Type Unit  Rate     Rate Limit Type Action
----------------------------------------------------------------
2.0         1        irl  kbps  10000    drop            none
3. In the CoS IRL reference mapping table for each port group, create a reference for each IRL
resource created in the previous step. We will use reference number 1.
C3(su)->set cos reference irl 1.0 1 rate-limit 1
C3(su)->set cos reference irl 2.0 1 rate-limit 1
C3(su)->show cos reference irl 1.0
Group Index Reference Type Rate Limiter
---------------------------------------
1.0         0         irl  none
1.0         1         irl  1
1.0         2         irl  none
1.0         3         irl  none
...
1.0         97        irl  none
1.0         98        irl  none
1.0         99        irl  none
C3(su)->show cos reference irl 2.0
Group Index Reference Type Rate Limiter
---------------------------------------
2.0         0         irl  none
2.0         1         irl  1
2.0         2         irl  none
2.0         3         irl  none
...
2.0         97        irl  none
2.0         98        irl  none
2.0         99        irl  none
4. In the CoS settings table, configure a CoS setting for CoS index 1, which has a priority of 0. We
enter the IRL reference, created in the previous step.
C3(su)->set cos settings 0 irl-reference 1
C3(su)->show cos settings
CoS Index Priority ToS IRL
-------------------------------
0         0        *   1
1         1        *   *
2         2        *   *
3         3        *   *
4         4        *   *
5         5        *   *
6         6        *   *
7         7        *   *
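The lookup chain configured by Procedure 11-1 (CoS setting, IRL reference, per-group reference table, port resource) can be followed mechanically to find the limit a given port actually receives. The sketch below is an added illustration, not Enterasys code: the dictionaries are constructed from the example above, the function names are hypothetical, and it assumes that a reference shown as "none" means no limiter is applied and that any port not listed in a group belongs to default group 0.0.

```python
import re

# Tables constructed from the Procedure 11-1 example on this page.
EXAMPLE_CFG = {
    # group-type-index -> ports assigned to the group ("" = none)   [set cos port-config irl]
    "port_groups": {"0.0": "", "1.0": "ge.1.1-46", "2.0": "ge.1.47-48"},
    # (group-type-index, irl-index) -> rate in kbps                  [set cos port-resource irl]
    "port_resources": {("1.0", 1): 512, ("2.0", 1): 10000},
    # (group-type-index, reference) -> irl-index                     [set cos reference irl]
    "references": {("1.0", 1): 1, ("2.0", 1): 1},
    # cos-index -> irl-reference                                     [set cos settings]
    "cos_settings": {0: 1},
}

_PORT = re.compile(r"([a-z]+\.\d+)\.(\d+)(?:-(\d+))?")


def expand_ports(port_list):
    """Expand 'ge.1.1-46' or 'ge.1.2;ge.2.2' into a set of individual port names."""
    ports = set()
    for item in filter(None, (p.strip() for p in port_list.split(";"))):
        m = _PORT.fullmatch(item)
        if not m:
            raise ValueError(f"unrecognised port string: {item!r}")
        first = int(m.group(2))
        last = int(m.group(3) or first)
        ports.update(f"{m.group(1)}.{n}" for n in range(first, last + 1))
    return ports


def group_of(cfg, port):
    """Return the port group holding `port`; unlisted ports stay in default group 0.0."""
    for group, port_list in cfg["port_groups"].items():
        if group != "0.0" and port in expand_ports(port_list):
            return group
    return "0.0"


def effective_irl_kbps(cfg, port, cos_index):
    """Follow CoS setting -> reference -> resource; None means no inbound limit applies."""
    reference = cfg["cos_settings"].get(cos_index)
    if reference is None:
        return None                      # this CoS entry carries no IRL reference
    group = group_of(cfg, port)
    irl_index = cfg["references"].get((group, reference))
    if irl_index is None:
        return None                      # reference not bound in this port group
    return cfg["port_resources"].get((group, irl_index))


def chain_gaps(cfg, cos_index):
    """List port groups where the chain for `cos_index` ends without a configured rate."""
    reference = cfg["cos_settings"].get(cos_index)
    if reference is None:
        return [("*", "CoS entry has no irl-reference")]
    gaps = []
    for group in sorted(cfg["port_groups"]):
        irl_index = cfg["references"].get((group, reference))
        if irl_index is None:
            gaps.append((group, f"reference {reference} -> none"))
        elif (group, irl_index) not in cfg["port_resources"]:
            gaps.append((group, f"irl-index {irl_index} has no rate"))
    return gaps


if __name__ == "__main__":
    for port in ("ge.1.5", "ge.1.48", "ge.2.1"):
        print(port, group_of(EXAMPLE_CFG, port), effective_irl_kbps(EXAMPLE_CFG, port, 0))
    print("gaps for CoS 0:", chain_gaps(EXAMPLE_CFG, 0))
```

With the example tables, the only gap reported for CoS 0 is default group 0.0, so any port left in that group (ge.2.1 here, a constructed port name) is not rate limited.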
About CoS-Based Flood Control
CoS-based flood control prevents configured ports from being disrupted by a traffic storm by rate
limiting specific types of packets through those ports. When flood control is enabled on a port,
incoming traffic is monitored over one-second intervals. During an interval, the incoming traffic
rate for each configured traffic type (unicast, broadcast, multicast) is compared with the
configured traffic flood control rate, specified in packets per second.
If, during a one-second interval, the incoming traffic of a configured type reaches the traffic flood
control rate configured on the port, CoS-based flood control drops the traffic until the interval
ends. Packets are then allowed to flow again until the limit is again reached.
The following procedure describes the steps and commands required to configure CoS-based
flood control.
Note: CoS-based flood control does not require a policy license on SecureStack B3 switches or on
standalone D2 switches.
Procedure 11-2
Step  Task                                                 Command(s)
1.    Enable CoS.                                          set cos state enable
2.    Create a CoS flood control port resource, which      set cos port-resource flood-ctrl
      specifies flood control rate limiters that can be
      mapped to specific ports.
3.    Assign the flood control resource to specific        set cos port-config flood-ctrl
      ports.
Example
This example creates a broadcast rate limiter (index 1.0) of 5 packets per second and assigns it to
ports ge.1.2 and ge.2.2.
C3(su)->set cos state enable
C3(su)->set cos port-resource flood-ctrl 1.0 broadcast rate 5
C3(su)->set cos port-config flood-ctrl 1.0 ports ge.1.2;ge.2.2 append
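The one-second interval behavior described above can be modelled to see what a configured rate does and does not guarantee. This is an added simulation, not switch firmware: it assumes intervals are aligned to whole seconds, that exactly "rate" packets of a type are forwarded before dropping starts, and that traffic types without a configured rate are never dropped; the packet traces are constructed, and the limit of 5 pps is the one used in the example.

```python
from collections import defaultdict

LIMITS = {"broadcast": 5}   # packets per second, as in the example on this page

# Constructed traces: (timestamp in milliseconds, traffic type)
STORM = [(i * 10, "broadcast") for i in range(20)]            # 20 frames within 200 ms
BOUNDARY = ([(800 + 40 * i, "broadcast") for i in range(5)]    # 5 frames late in second 0
            + [(1000 + 40 * i, "broadcast") for i in range(5)])  # 5 frames early in second 1


def apply_flood_control(packets, limits):
    """Return (timestamp_ms, type, forwarded) for each packet under per-interval limits."""
    seen = defaultdict(int)          # (interval number, type) -> packets forwarded so far
    verdicts = []
    for ts_ms, kind in packets:
        rate = limits.get(kind)
        if rate is None:             # type not configured for flood control
            verdicts.append((ts_ms, kind, True))
            continue
        key = (ts_ms // 1000, kind)  # counter restarts when a new one-second interval begins
        forwarded = seen[key] < rate
        if forwarded:
            seen[key] += 1
        verdicts.append((ts_ms, kind, forwarded))
    return verdicts


def summarize(verdicts):
    """Map (interval, type) -> (forwarded, dropped)."""
    stats = defaultdict(lambda: [0, 0])
    for ts_ms, kind, forwarded in verdicts:
        stats[(ts_ms // 1000, kind)][0 if forwarded else 1] += 1
    return {key: tuple(counts) for key, counts in stats.items()}


def peak_forwarded(verdicts, kind, window_ms=1000):
    """Largest number of forwarded packets of `kind` inside any sliding window."""
    times = sorted(ts for ts, k, fwd in verdicts if fwd and k == kind)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] >= window_ms:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


if __name__ == "__main__":
    print("storm   :", summarize(apply_flood_control(STORM, LIMITS)))
    boundary = apply_flood_control(BOUNDARY, LIMITS)
    print("boundary:", summarize(boundary))
    print("peak in any 1 s window:", peak_forwarded(boundary, "broadcast"))
```

Under these assumptions a burst that straddles an interval boundary passes up to twice the configured rate within one second, which is worth allowing for when choosing the rate for a port.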
Commands
For information about...                 Refer to page...
set cos state                            11-20
show cos state                           11-21
clear cos state                          11-21
set cos settings                         11-22
clear cos settings                       11-23
show cos settings                        11-23
set cos port-config                      11-24
show cos port-config                     11-25
clear cos port-config                    11-26
set cos port-resource irl                11-27
set cos port-resource flood-ctrl         11-28
show cos port-resource                   11-29
clear cos port-resource irl              11-30
clear cos port-resource flood-ctrl       11-31
set cos reference                        11-31
show cos reference                       11-32
clear cos reference                      11-33
show cos unit                            11-34
clear cos all-entries                    11-35
show cos port-type                       11-35
set cos state
Use this command to enable or disable Class of Service.
Syntax
set cos state {enable | disable}
Parameters
enable | disable     Enables or disables Class of Service on the switch. Default state is
                     disabled.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable Class of Service:
C3(rw)->set cos state enable
show cos state
Use this command to display the Class of Service enable state.
Syntax
show cos state
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to show the Class of Service enable state:
C3(rw)->show cos state
Class-of-Service application is enabled
clear cos state
Use this command to set CoS state back to its default setting of disabled.
Syntax
clear cos state
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the CoS state back to its default setting of disabled:
C3(su)->clear cos state
set cos settings
Use this command to configure a Class of Service entry in the CoS settings table.
Syntax
set cos settings cos-index priority priority [tos-value tos-value] [irl-reference
irl-reference]
Parameters
cos-index                    Specifies a Class of Service entry. Valid values are 0 to 255.
priority priority            Specifies an 802.1d priority value. Valid values are 0 to 7, with 0 being the
                             lowest priority. See Usage section below for more information.
tos-value tos-value          (Optional) Specifies a Type of Service value. Valid values are 0 to 255. See
                             Usage section below for more information.
irl-reference irl-reference  (Optional) Set the inbound rate limiter associated with this entry. Valid
                             values are 0 to 99. See Usage section below for more information.
Defaults
If no optional parameters are specified, none will be applied.
Mode
Switch command, read-write.
Usage
The CoS settings table takes individual class of service features and displays them as belonging to
a CoS entry. Essentially, it is used for CoS feature assignment. Each class of service entry consists
of an index, 802.1p priority, an optional ToS value, and an IRL reference.
CoS Index
Indexes are unique identifiers for each CoS setting. CoS indexes 0 through 7 are created by
default and mapped directly to 802.1p priority for backwards compatibility. These entries
cannot be removed, and 802.1p priority values cannot be changed. When CoS is enabled,
indexes are assigned. Up to 256 CoS indexes or entries can be configured.
Priority
802.1p priority can be applied per CoS index. For each new CoS index created, the user has the
option to assign an 802.1p priority value 0 to 7 for the class of service. CoS indexes 0 through 7
map directly to 802.1p priorities and cannot be changed as they exist for backward
compatibility.
ToS
This value can be set per class of service, but is not required. When a frame is assigned to a
class of service for which this value is configured, the ToS field of the incoming IP packet will
be overwritten to the user-defined value. All but the last two bits of the ToS field are
rewritable. ToS can be set for CoS indexes 0 through 7.
IRL Reference
The CoS IRL reference field is optional, as rate limits are not required. The IRL reference does
not assign an inbound rate limit but points to the CoS IRL Reference Mapping Table. This
reference may be thought of as the virtual rate limiter that will assign the physical rate limiter
defined by the IRL Reference Mapping Table.
Example
This example shows how to create CoS entry 8 with a priority value of 3:
C3(rw)->set cos settings 8 priority 3
clear cos settings
Use this command to clear Class of Service entry settings.
Syntax
clear cos settings cos-list {[all] | [priority] [tos-value] [irl-reference]}
Parameters
cos-list         Specifies a Class of Service entry to clear.
all              Clears all settings associated with this entry.
priority         Clears the priority value associated with this entry.
tos-value        Clears the Type of Service value associated with this entry.
irl-reference    Clear the IRL reference associated with this entry.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the priority for CoS entry 8:
C3(rw)->clear cos settings 8 priority
show cos settings
Use this command to display Class of Service parameters.
Syntax
show cos settings [cos-list]
Parameters
cos-list         (Optional) Specifies a Class of Service entry to display.
Defaults
If not specified, all CoS entries will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to show all CoS settings:
C3(su)->show cos settings
CoS Index Priority ToS IRL flood-ctrl
-------------------------------------------
0         0        48  *   enabled
1         1        *   *   enabled
2         2        *   *   enabled
3         3        *   *   enabled
4         4        *   *   enabled
5         5        *   *   enabled
6         6        *   *   enabled
7         7        *   *   enabled
set cos port-config
Use this command to create a port group for inbound rate limiting or flood control and add or
remove ports from the group.
Syntax
set cos port-config {irl | flood-ctrl} group-type-index [name name] [ports port-
list] [append] | [clear]
Parameters
irl                  Specifies that this is an inbound rate limiting (IRL) port group.
flood-ctrl           Specifies that this is a flood control port group.
group-type-index     Specifies an inbound rate limiting port group/type index. Valid entries are
                     in the form of group#.port-type.
                     Valid values for group# can range from 0 to 7. Valid values for port-type
                     can range from 0 to 1, although only port type 0 is currently supported.
                     For example, port group 3 would be specified as 3.0.
name name            (Optional) User-defined name for the group.
ports port-list      (Optional) Ports assigned to the group. All ports must be of the same port
                     type (Fast Ethernet, Gigabit Ethernet).
append               (Optional) Append (add) the ports to the ports that are already in the
                     group.
clear                (Optional) Clear the given ports from those assigned to the group.
Defaults
None.
Mode
Switch command, read-write.
Usage
CoS port groups are identified by group number and the type of ports in the group, in the form of
group#.port-type. The port group 0.0 exists by default. This default port group cannot be removed
and all physical ports in the system are assigned to it. Up to seven additional port groups (1
through 7) can be configured. Currently, only one port type (type 0) is supported. This port type
supports 100 limiters.
Additional port groups may be created for flexibility. Ports assigned to a new port group must be
mutually exclusive from the other port group entries (ports are automatically removed from the
default port group) and must be comprised of the same port type as defined by the port group.
The creation of additional port groups could be used to combine similar ports by their function for
flexibility. For instance, ports associated to users can be added to a port group called "Users" and
ports associated to uplink ports can be added to a port group called "Uplink". Using these port
groups, a single class of service can assign different rate limits to each port group. "User" ports
can be assigned one rate limit, while "Uplink" ports can be assigned another.
The command show cos port-config displays each port group configured by group and type, with
the group name and associated (assigned) ports. The command show cos port-type displays the
available inbound rate limiting resources for the port type.
Example
This example configures two port groups, one for user ports and one for uplink ports, and assigns
ports to the groups. Port group 1.0 will represent user ports, group 2.0 will represent uplink ports.
C3(su)->set cos port-config irl 1.0 name Users ports ge.1.1-46
C3(su)->set cos port-config irl 2.0 name Uplink ports ge.1.47-48
show cos port-config
Use this command to show CoS port groups and the assigned ports.
Syntax
show cos port-config [irl | flood-ctrl [group-type-index]]
Parameters
irl                  (Optional) Specifies that inbound rate limiting configuration information
                     should be displayed.
flood-ctrl           (Optional) Specifies that flood control rate configuration information
                     should be displayed.
group-type-index     (Optional) Show assigned ports for a specific port group. Valid entries are
                     in the form of group#.port-type.
                     Valid values for group# can range from 0 to 7. Valid values for port-type
                     can range from 0 to 1, although only port type 0 is currently supported.
                     For example, port group 3 would be specified as 3.0.
Defaults
The show cos port-config command by itself will show all Port Groups.
Mode
Switch command, read-only.
Example
This example shows all inbound rate limiting port groups. Note that ports ge.1.1 through ge.1.48
were removed from the default port group 0.0 when they were added to port groups 1.0 and 2.0.
C3(su)->show cos port-config irl
Inbound Rate Limiting Port Configuration Entries
----------------------------------------------------------------------
Port Group Name : Default
Port Group      : 0
Port Type       : 0
Assigned Ports  : none
----------------------------------------------------------------------
Port Group Name : Users
Port Group      : 1
Port Type       : 0
Assigned Ports  : ge.1.1-46
----------------------------------------------------------------------
Port Group Name : Uplink
Port Group      : 2
Port Type       : 0
Assigned Ports  : ge.1.47-48
----------------------------------------------------------------------
clear cos port-config
Use this command to clear CoS port groups or assigned ports.
Syntax
clear cos port-config {irl | flood-ctrl} {all | group-type-index [entry] | [name]
[ports]}
Parameters
irl                  Clear an IRL port group configuration.
flood-ctrl           Clear a flood control port group configuration.
all                  Clear all inbound rate limiting port config non-default entries.
group-type-index     Delete a specific port group or group name, or clear the ports from that
                     group. Valid entries are in the form of group#.port-type.
                     Valid values for group# can range from 0 to 7. Valid values for port-type
                     can range from 0 to 1, although only port type 0 is currently supported.
                     For example, port group 3 would be specified as 3.0.
entry                Delete this non-default inbound rate limiter entry.
name                 Clear the administratively assigned textual description of this port group
                     entry to its default.
ports                Clear the ports assigned to this group to its default.
Defaults
None.
Mode
Switch command, read-write.
Usage
The default port group 0.0 cannot be deleted.
Example
This example deletes all IRL Port Groups except for the Default group 0.0:
C3(su)->clear cos port-config irl all
set cos port-resource irl
Use this command to set the inbound rate limit parameters for a specific IRL resource for a specific
port group.
Syntax
set cos port-resource irl group-type-index irl-index {[unit {kbps}] [rate rate]
[type {drop}]} [syslog enable | disable] [trap enable | disable]
Parameters
group-type-index         Specifies an inbound rate limiting port group/type index. Valid entries are
                         in the form of group#.port-type.
                         Valid values for group# can range from 0 to 7. Valid values for port-type
                         can range from 0 to 1, although only port type 0 is currently supported.
                         For example, port group 3 would be specified as 3.0.
irl-index                Index number of the inbound rate limiter resource associated with this
                         entry. Valid values range from 0 to 99.
unit                     Unit of measure for the inbound rate limiter (only option is Kbps).
kbps                     Kilobits per second.
rate rate                Data rate for this inbound rate limiter. This is the actual rate limit. Valid
                         values range from 512 to 1,000,000 Kbps for a Gigabit port.
type drop                Action for the rate limiter. The only action option is drop the frame if all
                         limiters are exceeded.
syslog enable | disable  Enable or disable reporting a syslog entry if limiters are exceeded.
trap enable | disable    Enable or disable sending a trap if limiters are exceeded.
Defaults
None.
Mode
Switch command, read-write.
Usage
CoS port resources are where actual physical rate limiters are configured. Resources map directly
to the number of rate limiters supported by the port type. (Port type 0 supports 100 IRL resources.)
Resources exist for each port group and are indexed as group#.port-type.irl-index. Port resources
are not initially configured as rate limiting.
Inbound rate limiting, or rate policing, simply drops or clips traffic inbound if a configured rate is
exceeded. CoS inbound rate limiting allows the user to configure rate limits based on kilobits per
second.
The show cos port-resource command displays the resources available for each port group. By
default, no IRL resources are configured. The default Rate Limiting algorithm is drop and cannot
be configured otherwise.
Example
This example sets the inbound rate limit resource index number 1 for port group 2.0 to 10000 Kbps
or 1 MB:
C3(su)->set cos port-resource irl 2.0 1 unit kbps rate 10000 type drop
set cos port-resource flood-ctrl
Use this command to create a CoS-based flood control port resource. This resource specifies flood
control rate limiters that can be mapped to specific ports.
Syntax
set cos port-resource flood-ctrl group-type-index {unicast | multicast | broadcast
| all} rate rate
Parameters
group-type-index     Specifies a port group/type index. Valid entries are in the form of
                     group#.port-type.
                     Valid values for group# can range from 0 to 7. Valid values for port-type
                     can range from 0 to 1, although only port type 0 is currently supported.
                     For example, port group 3 would be specified as 3.0.
unicast              Specifies rate limiting will be applied to unknown unicast traffic.
multicast            Specifies rate limiting will be applied to multicast traffic.
broadcast            Specifies rate limiting will be applied to broadcast traffic.
all                  Specifies rate limiting will be applied to unknown unicast, multicast,
                     and broadcast traffic.
rate rate            Specifies a rate limit in packets per second.
Defaults
None.
Mode
Switch command, read-write.
Usage
CoS port resources are where actual physical rate limiters are configured. This command can be
used to create up to three different flood control limit resources for the port-type index of 0. The
resources are assigned to specific ports with the set cos port-config command.
Example
This example creates a port resource broadcast rate limiter of 5 packets per second for the port
group type index of 1.0 (group # 1 of port-type index 0).
C3(su)->set cos port-resource flood-ctrl 1.0 broadcast rate 5
show cos port-resource
Use this command to display the configured port resources.
Syntax
show cos port-resource [irl [group-type-index [irl-index]]] | [flood-ctrl [group-
type-index]]
Parameters
irl                  (Optional) Specifies that inbound rate limiting port resources should be
                     displayed.
flood-ctrl           (Optional) Specifies that flood control port resources should be displayed.
group-type-index     (Optional) Specifies a port group/type index. Valid entries are in the form
                     of group#.port-type.
                     Valid values for group# can range from 0 to 7. Valid values for port-type
                     can range from 0 to 1, although only port type 0 is currently supported.
                     For example, port group 3 would be specified as 3.0.
irl-index            (Optional) Inbound rate limiter resource index configured for the
                     specified port group. Valid values range from 0 to 99.
Defaults
If irl or flood-ctrl are not specified, all port resources are shown.
If a port group and IRL index are not specified, the IRL configuration for all resources (0-99) for all
configured port groups will be shown.
If a port group is not specified with the flood-ctrl parameter, flood control resources for all
configured port groups will be shown.
Mode
Switch command, read-only.
Examples
This example displays the IRL resource index number 1 configuration for group 2.0.
C3(su)->show cos port-resource irl 2.0 1
'?' after the rate value indicates an invalid rate value
Group Index Resource Type Unit  Rate     Rate Limit Type Action
----------------------------------------------------------------
2.0         1        irl  kbps  10000    drop            none
This example displays the flood control resources configured for group 1.0.
C3(su)->show cos port-resource flood-ctrl 1.0
'?' after the rate value indicates an invalid rate value
Group  Resource  Type        Unit  Rate  Rate Limit  Action
Index                                    type
-----------------------------------------------------------------
1.0    ucast     flood-ctrl  pps   20    drop        none
1.0    mcast     flood-ctrl  pps   10    drop        none
1.0    bcast     flood-ctrl  pps   5     drop        none
clear cos port-resource irl
Use this command to clear inbound rate limit resources to default values.
Syntax
clear cos port-resource irl {all | group-type-index [irl-index [unit] [rate]
[type]]}
Parameters
all                  Clear all IRL resources for all port groups.
group-type-index     Specifies an inbound rate limiting port group/type index. Valid entries are
                     in the form of group#.port-type.
                     Valid values for group# can range from 0 to 7. Valid values for port-type
                     can range from 0 to 1, although only port type 0 is currently supported.
                     For example, port group 3 would be specified as 3.0.
irl-index            (Optional) Inbound rate limiter resource index associated with the
                     specified port group. Valid values range from 0 to 99.
unit                 Clear the unit of measure for the inbound rate limiter.
rate                 Clear the data rate for this inbound rate limiter.
type                 Clear the action for the rate limiter.
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears the data rate to 0 for IRL resource index 1 for group 2.0.
C3(su)->clear cos port-resource irl 2.0 1 rate
clear cos port-resource flood-ctrl
Use this command to clear flood control port resources to default values.
Syntax
clear cos port-resource flood-ctrl {all | group-type-index {unicast | multicast |
broadcast | all [rate]}}
Parameters
all                  Clear all flood control resources for all port groups.
group-type-index     Specifies a port group/type index. Valid entries are in the form of
                     group#.port-type.
                     Valid values for group# can range from 0 to 7. Valid values for port-type
                     can range from 0 to 1, although only port type 0 is currently supported.
                     For example, port group 3 would be specified as 3.0.
unicast              Clear unicast port resources for the specified port group.
multicast            Clear multicast port resources for the specified port group.
broadcast            Clear broadcast port resources for the specified port group.
all                  Clear all flood control port resources for the specified port group.
rate                 (Optional) Clear the data rate limiter of the specified type of port
                     resource to the default (none or disabled).
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears the unicast port resource for port group 1.0 to default values.
C3(su)->clear cos port-resource flood-ctrl 1.0 unicast
set cos reference
Use this command to set the Class of Service inbound rate limiting reference configuration.
Syntax
set cos reference irl group-type-index reference rate-limit irl-index
Parameters
irl                    Specifies that an IRL reference is being configured.
group-type-index       Specifies an inbound rate limiting port group/type index. Valid entries are
                       in the form of group#.port-type.
                       Valid values for group# can range from 0 to 7. Valid values for port-type
                       can range from 0 to 1, although only port type 0 is currently supported.
                       For example, port group 3 would be specified as 3.0.
reference              IRL reference number associated with this entry.
rate-limit irl-index   Rate limiter (IRL resource index) to bind this reference to. Valid values
                       range from 0 to 99.
Defaults
None.
Mode
Switch command, read-write.
Usage
The CoS reference table maps the user-defined IRL references found in the CoS settings table (see
"set cos settings" on page 11-22) to rate limiters created in the port resource table (see "set cos
port-resource irl" on page 11-27). The CoS reference table indexes can be thought of as virtual rate
limiters. The table accounts for the maximum number of rate limiters supported by the device.
The virtual limiters then map to the physical rate limiters. The CoS IRL Reference Table is not
configured by default.
The CoS IRL reference table uses 100 indexes or virtual rate limiters, and maps each virtual limiter
to a physical limiter or resource. An IRL reference table exists for each port group configured, and
is indexed similarly to port resources, as port group#, port-type, reference. IRL references are not
populated with limiters (resources), but can be configured by the user. The IRL reference table can
be displayed using the show cos reference command.
Example
In the CoS IRL reference mapping table for port groups 1.0 and 2.0, create a reference for the IRL
resource number 1 created for each group. The reference number 1 is used.
C3(su)->set cos reference irl 1.0 1 rate-limit 1
C3(su)->set cos reference irl 2.0 1 rate-limit 1
show cos reference
Use this command to show the Class of Service inbound rate limiting reference configuration.
Syntax
show cos reference [irl [group-type-index]]
Parameters
irl                  (Optional) Specifies that inbound rate limiting reference information
                     should be displayed.
group-type-index     (Optional) Specifies an inbound rate limiting port group/type index. Valid
                     entries are in the form of group#.port-type.
                     Valid values for group# can range from 0 to 7. Valid values for port-type
                     can range from 0 to 1, although only port type 0 is currently supported.
                     For example, port group 3 would be specified as 3.0.
Defaults
If irl is not specified, all CoS reference information is displayed.
If a specific port group is not specified, information for all port groups is displayed.
Mode
Switch command, read-only.
Example
This example shows the Class of Service IRL references for port group 1.0. Note that not all of the
100 possible references are displayed in this output example.
C3(su)->show cos reference irl 1.0
Group Index Reference Type Rate Limiter
---------------------------------------
1.0         0         irl  none
1.0         1         irl  1
1.0         2         irl  none
1.0         3         irl  none
...
1.0         97        irl  none
1.0         98        irl  none
1.0         99        irl  none
clear cos reference
Use this command to clear the Class of Service inbound rate limiting reference configuration.
Syntax
clear cos reference irl {all | group-type-index reference}
Parameters
irl                  Specifies that IRL references are being cleared.
all                  Clear all groups indexes and references.
group-type-index     Specifies an inbound rate limiting port group/type index. Valid entries are
                     in the form of group#.port-type.
                     Valid values for group# can range from 0 to 7. Valid values for port-type
                     can range from 0 to 1, although only port type 0 is currently supported.
                     For example, port group 3 would be specified as 3.0.
reference            Clear a specific reference for the specified port group.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the CoS inbound rate limiting reference configuration for all
groups:
C3(su)->clear cos reference irl all
show cos unit
Use this command to show possible CoS unit entries.
Syntax
show cos unit [irl [port-type index] [kbps]] [flood-ctrl [port-type index] [pps]]
Parameters
irl                  (Optional) Display only IRL unit information.
port-type index      (Optional) Display information about the specified port type. (Only
                     port-type index 0 is supported.)
kbps                 (Optional) Display kbps information.
flood-ctrl           (Optional) Display only flood control unit information.
pps                  (Optional) Display pps information.
Defaults
If no parameters are entered, all CoS unit information is displayed.
Mode
Switch command, read-only.
Examples
This example shows possible unit entries for inbound rate limiting:
C3(su)->show cos unit irl
Type:                             Unit:
irl = inbound rate limiting       Kbps = Kilobits per second
Port Type  Type  Unit  Maximum Rate  Minimum Rate  Granularity
--------------------------------------------------------------
0          irl   Kbps  1000000       64            1
This example shows flood control unit information.
C3(su)->show cos unit flood-ctrl
Type:                             Unit:
flood-ctrl = flood control type   pps = packets per second
Port Type  Type        Unit  Maximum Rate  Minimum Rate  Granularity
--------------------------------------------------------------------
0          flood-ctrl  pps   148810        0             1
clear cos all-entries
Use this command to clear all Class of Service entries except entries 0-7.
Syntax
clear cos all-entries
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the CoS configuration for all entries except entries 0-7:
C3(su)->clear cos all-entries
show cos port-type
Use this command to display Class of Service port type configurations.
Syntax
show cos port-type [irl [port-type]] [flood-ctrl [port-type]]
Parameters
irl                  (Optional) Displays inbound rate limiting information.
flood-ctrl           (Optional) Displays flood control information.
port-type            (Optional) Displays information for a specific port type. (Only port type
                     0 is supported.)
Defaults
If no parameters are specified, inbound rate limiting and flood control information for all port
types is displayed.
Mode
Switch command, read-only.
Usage
The C3 implementation provides one default port type (0) for designating available inbound rate
limiting or flood control resources. Port type 0 includes all ports.
The port type 0 IRL description is "C3 100 IRL", which indicates that this port type provides a
maximum of 100 inbound rate limiting resources per port group. The port type 0 flood control
description is "C3 3 flood-ctrl" which indicates that this port type provides a maximum of 3 flood
control resources per port group.
Examples
This example shows inbound rate limiting information for port type 0.
C3(su)->show cos port-type irl 0
Number of resources:              Supported rate types:
irl = inbound rate limiter(s)     Kbps = kilobits per second
       Port type        Number of  Supported  Eligible   Unselected
Index  description      limiters   rate type  ports      ports
---------------------------------------------------------------------
0      C3 100 IRL       100        kbps       ge.1.1-48  ge.1.1-4
This example shows flood control information for port type 0.
C3(su)->show cos port-type flood-ctrl 0
Number of resources:              Supported rate types:
flood-ctrl = flood control type   Pps = Packets per second
       Port type        Number of  Supported  Eligible   Unselected
Index  description      limiters   rate type  ports      ports
---------------------------------------------------------------------
0      C3 3 flood-ctrl  3          pps        ge.1.1-24  ge.1.1-24
12
Port Priority Configuration
This chapter describes the Port Priority set of commands and how to use them. Refer to the
"Configuring QoS" Feature Guide for detailed information about configuring quality of service on
the SecureStack C3. The Enterasys Networks firmware Feature Guides are available at:
http://www.enterasys.com/support/manuals
For information about...                          Refer to page...
Port Priority Configuration Summary               12-1
Configuring Port Priority                         12-2
Configuring Priority to Transmit Queue Mapping    12-4
Configuring Quality of Service (QoS)              12-7
Port Priority Configuration Summary
The SecureStack C3 device supports Class of Service (CoS), which allows you to assign mission-
critical data to higher priority through the device by delaying less critical traffic during periods of
congestion. The higher priority traffic through the device is serviced first before lower priority
traffic. The Class of Service capability of the device is implemented by a priority queueing
mechanism. Class of Service is based on the IEEE 802.1D (802.1p) standard specification, and
allows you to define eight priorities (0 through 7) and assign them to transmit queues for each
port.
A priority 0 through 7 can be set on each port, with 0 being the lowest priority. A port receiving a
frame without priority information in its tag header is assigned a priority according to the default
priority setting on the port. For example, if the priority of a port is set to 4, the frames received
through that port without a priority indicated in their tag header are classified as a priority 4 and
transmitted according to that priority.
Note: When CoS override is enabled using the set policy profile command as described in set
policy profile on page 11-4, CoS-based classification rules will take precedence over priority
settings configured with the set port priority command described in this section.
Configuring Port Priority
Purpose
To view or configure port priority characteristics as follows:
• Display or change the port default Class of Service (CoS) transmit priority (0 through 7) of
  each port for frames that are received (ingress) without priority information in their tag
  header.
• Display the current traffic class mapping-to-priority of each port.
• Set each port to transmit frames according to 802.1D (802.1p) priority set in the frame header.
Commands
For information about...     Refer to page...
show port priority           12-4
set port priority            12-3
clear port priority          12-3
show port priority
Use this command to display the 802.1D priority for one or more ports.
Syntax
show port priority [port-string]
Parameters
port-string      (Optional) Displays priority information for a specific port. For a detailed
                 description of possible port-string values, refer to "Port String Syntax Used
                 in the CLI" on page 7-1.
Defaults
If port-string is not specified, priority for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the port priority for the ge.2.1 through 5.
C3(su)->show port priority ge.2.1-5
ge.2.1 is set to 0
ge.2.2 is set to 0
ge.2.3 is set to 0
ge.2.4 is set to 0
ge.2.5 is set to 0

set port priority
Use this command to set the 802.1D (802.1p) Class of Service transmit priority (0 through 7) on
each port. A port receiving a frame without priority information in its tag header is assigned a
priority according to the priority setting on the port. For example, if the priority of a port is
set to 5, the frames received through that port without a priority indicated in their tag header
are classified as a priority 5.
A frame with priority information in its tag header is transmitted according to that priority.

Syntax
set port priority port-string priority

Parameters
port-string    Specifies the port for which to set priority. For a detailed description of
               possible port-string values, refer to Port String Syntax Used in the CLI on
               page 7-1.
priority       Specifies a value of 0 to 7 to set the CoS priority for the port entered in the
               port-string. Priority value of 0 is the lowest priority.

Defaults
None.

Mode
Switch command, read-write.

Usage
The set port priority command will not change the 802.1p priority tag on tagged traffic with a
default priority tag. The command only has an effect on how untagged traffic will be prioritized
as it passes internally through the device.

Example
This example shows how to set a default priority of 6 on ge.1.3. Frames received by this port
without priority information in their frame header are set to the default setting of 6:
C3(su)->set port priority ge.1.3 6

clear port priority
Use this command to reset the current CoS port priority setting to 0. This will cause all frames
received without a priority value in its header to be set to priority 0.

Syntax
clear port priority port-string

Parameters
port-string    Specifies the port for which to clear priority. For a detailed description of
               possible port-string values, refer to Port String Syntax Used in the CLI on
               page 7-1.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to reset ge.1.11 to the default priority:
C3(rw)->clear port priority ge.1.11

Configuring Priority to Transmit Queue Mapping

Purpose
To perform the following:
• View the current priority to transmit queue mapping of each physical port.
• Configure each port to either transmit frames according to the port priority, set using the set
  port priority command described in set port priority on page 12-3, or according to a priority
  based on a percentage of port transmission capacity, assigned to transmit queues using the set
  port txq command described in set port txq on page 12-8.
• Clear current port priority queue settings for one or more ports.

Commands
For information about...     Refer to page...
show port priority-queue     12-4
set port priority-queue      12-5
clear port priority-queue    12-6

show port priority-queue
Use this command to display the port priority levels (0 through 7, with 0 as the lowest level)
associated with the current transmit queues (0 being the lowest priority) for each selected port.
A frame with a certain port priority is transmitted according to the settings entered using the
set port priority-queue command described in set port priority-queue on page 12-5.

Syntax
show port priority-queue [port-string]

Parameters
port-string    (Optional) Displays the mapping of priorities to transmit queues for one
               or more ports.

Defaults
If port-string is not specified, priority queue information for all ports will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display priority queue information for ge.1.1. In this case, frames
with a priority of 0 are associated with transmit queue 1; frames with 1 or 2 priority, are
associated with transmit queue 0; and so forth:
C3(su)->show port priority-queue ge.1.1
Port     P0 P1 P2 P3 P4 P5 P6 P7
-------- -- -- -- -- -- -- -- --
ge.1.1    1  0  0  2  3  4  5  5

set port priority-queue
Use this command to map 802.1D (802.1p) priorities to transmit queues.

Syntax
set port priority-queue port-string priority queue

Parameters
port-string    Specifies the port(s) for which to set priority-to-queue mappings. For a
               detailed description of possible port-string values, refer to Port String
               Syntax Used in the CLI on page 7-1.
priority       Specifies a value of 0 through 7 (0 is the lowest level) that determines
               what priority frames will be transmitted on the transmit queue entered in
               this command.
queue          Specifies a value of 0 through 5 (0 is the lowest level) that determines the
               queue on which to transmit the frames with the port priority entered in
               this command.

Note: Although there are 8 queues, only queues 0 through 5 may be configured.
Queues 6 and 7 are reserved for management traffic.

Defaults
None.

Mode
Switch command, read-write.

Usage
This command enables you to change the transmit queue (0 to 5, with 0 being the lowest priority
queue) for each port priority of the selected port. You can apply the new settings to one or more
ports.

Example
This example shows how to set priority 5 frames received on ge.2.12 to transmit on queue 0.
C3(su)->set port priority-queue ge.2.12 5 0

clear port priority-queue
Use this command to reset port priority queue settings back to defaults for one or more ports.

Syntax
clear port priority-queue port-string

Parameters
port-string    Specifies the port for which to clear priority-to-queue mappings. For a
               detailed description of possible port-string values, refer to Port String
               Syntax Used in the CLI on page 7-1.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear the priority queue settings on ge.2.12:
C3(su)->clear port priority-queue ge.2.12

Configuring Quality of Service (QoS)
Refer to the Configuring QoS Feature Guide for detailed information about configuring quality
of service on the SecureStack C3. The Enterasys Networks firmware Feature Guides are available
at:
http://www.enterasys.com/support/manuals

Purpose
Eight transmit queues are implemented in the switch hardware for each port. The commands in
this section allow you to set the priority mode and weight for each of the available queues (0
through 7) for each physical port on the switch. Priority mode and weight cannot be configured
on LAGs, only on the physical ports that make up the LAG.

Commands
For information about...    Refer to page...
show port txq               12-7
set port txq                12-8
clear port txq              12-9

show port txq
Use this command to display QoS transmit queue information for one or more physical ports.

Syntax
show port txq [port-string]

Parameters
port-string    (Optional) Specifies port(s) for which to display QoS settings. For a
               detailed description of possible port-string values, refer to Port String
               Syntax Used in the CLI on page 7-1.
               Only physical ports will be displayed. LAG ports have no transmit queue
               information.

Defaults
If the port-string is not specified, the QoS setting of all physical ports will be displayed.

Mode
Switch command, read-only.

Example
This example shows how to display the current algorithm and transmit queue weights configured
on port ge.1.10:
C3(su)->show port txq ge.1.10
Port     Alg Q0  Q1  Q2  Q3  Q4  Q5  Q6  Q7
-------- --- --- --- --- --- --- --- --- ---
ge.1.10  WRR 10  10  15  20  25  20  0   0

set port txq
Use this command to set QoS transmit queue arbitration values for physical ports.

Syntax
set port txq port-string value0 value1 value2 value3 value4 value5 value6 value7

Parameters
port-string        Specifies port(s) on which to set queue arbitration values. For a detailed
                   description of possible port-string values, refer to Port String Syntax Used
                   in the CLI on page 7-1.
                   Only physical ports can be configured with this command. LAG ports
                   cannot be configured.
value0 - value7    Specifies percentage to allocate to a specific transmit queue. The values
                   must total 100 percent.

Defaults
None.

Mode
Switch command, read-write.

Usage
Queues can be set for strict priority (SP) or weighted round-robin (WRR). If set for WRR mode,
weights may be assigned to those queues with this command. Weights are specified in the range of
0 to 100 percent. Weights specified for queues 0 through 7 on any port must total 100 percent.

Examples
This example shows how to change the arbitration values for the eight transmit queues belonging
to ge.1.1:
C3(su)->set port txq ge.1.1 10 10 10 10 10 10 10 30

This example shows how to change the algorithm to strict priority for the eight transmit queues
belonging to ge.1.1:
C3(su)->set port txq ge.1.1 0 0 0 0 0 0 0 100
C3(su)->show port txq ge.1.1
Port     Alg Q0  Q1  Q2  Q3  Q4  Q5  Q6  Q7
-------- --- --- --- --- --- --- --- --- ---
ge.1.1   STR SP  SP  SP  SP  SP  SP  SP  SP

clear port txq
Use this command to clear port transmit queue values back to their default values.

Syntax
clear port txq port-string

Parameters
port-string    Clears transmit queue values on specific port(s) back to their default
               values. For a detailed description of possible port-string values, refer to
               Port String Syntax Used in the CLI on page 7-1.
               Only physical ports can be configured with this command. LAG ports
               cannot be configured.

Defaults
By default, transmit queues are defined as follows:
Queue  Mode  Weight    Queue  Mode  Weight
0      WRR   1         4      WRR   5
1      WRR   2         5      WRR   6
2      WRR   3         6      WRR   7
3      WRR   4         7      WRR   8

Mode
Switch command, read-write.

Example
This example shows how to clear transmit queue values on ge.1.1:
C3(su)->clear port txq ge.1.1
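
The frame-to-queue path and the argument limits described in this chapter, as an added Python example (not Enterasys code): it parses show port priority-queue output, resolves which transmit queue a tagged or untagged frame uses, and checks set port commands against the stated ranges before they are entered on a switch. The function names and the port-string pattern are assumptions made for this example.

```python
import re

# Assumed port-string shape (e.g. ge.1.1 or ge.2.1-5); the full grammar is in the guide.
PORT = r"[a-z]+\.\d+\.\d+(?:-\d+)?"

# Constructed sample input, modelled on the 'show port priority-queue ge.1.1' example.
SAMPLE_OUTPUT = """\
C3(su)->show port priority-queue ge.1.1
Port     P0 P1 P2 P3 P4 P5 P6 P7
-------- -- -- -- -- -- -- -- --
ge.1.1    1  0  0  2  3  4  5  5
"""


def parse_priority_queue(output):
    """Return {port: [queue for priority 0..7]} from 'show port priority-queue' text."""
    row = re.compile(r"\s*(%s)((?:\s+\d+){8})\s*$" % PORT)
    table = {}
    for line in output.splitlines():
        m = row.match(line)
        if m:
            table[m.group(1)] = [int(q) for q in m.group(2).split()]
    return table


def transmit_queue(tag_priority, port_default, queue_map):
    """Queue a frame is sent on; tag_priority is None when the frame carries no priority.

    Frames without priority information take the port default (set port priority);
    frames that carry a priority keep it. CoS override via policy is not modelled.
    """
    priority = port_default if tag_priority is None else tag_priority
    if not 0 <= priority <= 7:
        raise ValueError("priority must be 0 through 7")
    return queue_map[priority]


def lint_command(line):
    """Check one 'set port ...' line against the ranges in this chapter; [] means OK."""
    words = line.split()
    args = words[4:]
    if not args or not all(a.isdigit() for a in args):
        return ["arguments after the port-string must be decimal numbers"]
    values = [int(a) for a in args]
    problems = []
    if words[:3] == ["set", "port", "txq"]:
        if len(values) != 8:
            problems.append("txq takes eight values (value0 - value7)")
        if any(v > 100 for v in values):
            problems.append("each weight must be 0 to 100 percent")
        if sum(values) != 100:
            problems.append("weights total %d, must total 100" % sum(values))
    elif words[:3] == ["set", "port", "priority-queue"]:
        if len(values) != 2:
            problems.append("expected: port-string priority queue")
        else:
            priority, queue = values
            if priority > 7:
                problems.append("priority must be 0 through 7")
            if queue in (6, 7):
                problems.append("queues 6 and 7 are reserved for management traffic")
            elif queue > 5:
                problems.append("queue must be 0 through 5")
    elif words[:3] == ["set", "port", "priority"]:
        if len(values) != 1 or values[0] > 7:
            problems.append("priority must be a single value 0 through 7")
    else:
        problems.append("not a port priority command")
    return problems


if __name__ == "__main__":
    queues = parse_priority_queue(SAMPLE_OUTPUT)["ge.1.1"]
    print("untagged frame, port default 4 -> queue", transmit_queue(None, 4, queues))
    print(lint_command("set port priority-queue ge.2.12 5 6"))
```
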
13
IGMP Configuration
This chapter describes the IGMP Configuration set of commands and how to use them.

For information about...                  Refer to page...
IGMP Overview                             13-1
Configuring IGMP at Layer 2               13-2
Configuring IGMP on Routing Interfaces    13-10

IGMP Overview
About IP Multicast Group Management
The Internet Group Management Protocol (IGMP) runs between hosts and their immediately
neighboring multicast device. The protocol's mechanisms allow a host to inform its local device
that it wants to receive transmissions addressed to a specific multicast group.

A multicast-enabled device can periodically ask its hosts if they want to receive multicast
traffic. If there is more than one device on the LAN performing IP multicasting, one of these
devices is elected querier and assumes the responsibility of querying the LAN for group members.

Based on the group membership information learned from IGMP, a device can determine which (if
any) multicast traffic needs to be forwarded to each of its ports. At Layer 3, multicast devices
use this information, along with a multicast routing protocol, to support IP multicasting across
an IP network.

IGMP provides the final step in an IP multicast packet delivery service, since it is only
concerned with forwarding multicast traffic from the local device to group members on a directly
attached subnetwork or LAN segment.

This device supports IP multicast group management by passively snooping on the IGMP query
and IGMP report packets transferred between IP multicast devices and IP multicast host groups to
learn IP multicast group members.

The purpose of IP multicast group management is to optimize a switched network's performance
so multicast packets will only be forwarded to those ports containing multicast group hosts or
multicast devices instead of flooding to all ports in the subnet (VLAN).

In addition to passively monitoring IGMP query and report messages, the SecureStack C3 can also
actively send L3 IGMP query messages to learn locations of multicast devices and member hosts
in multicast groups within each VLAN.

However, note that IGMP neither alters nor routes any IP multicast packets. Since IGMP is not
concerned with the delivery of IP multicast packets across subnetworks, multicast routing is
needed if IP multicast packets have to be routed across different subnetworks.

About Multicasting
Multicasting is used to support real-time applications such as video conferences or streaming
audio. A multicast server does not have to establish a separate connection with each client. It
merely broadcasts its service to the network, and any hosts that want to receive the multicast
register with their local multicast switch/router. Although this approach reduces the network
overhead required by a multicast server, the broadcast traffic must be carefully pruned at every
multicast switch/router it passes through to ensure that traffic is only passed to the hosts that
subscribed to this service.

The SecureStack C3 switch device uses IGMP (Internet Group Management Protocol) to query for
any attached hosts who want to receive a specific multicast service. The device looks up the IP
Multicast Group used for this service and adds it to the egress list of the Level 3 interface. It
then propagates the service request on to any neighboring multicast switch/router to ensure that
it will continue to receive the multicast service.

Configuring IGMP at Layer 2

Purpose
To configure IGMP snooping from the switch CLI.

Note: An Enterasys Networks Feature Guide document containing an in-depth discussion of
multicast configuration is located on the Enterasys Networks web site:
http://www.enterasys.com/support/manuals/

Commands
For information about...                    Refer to page...
show igmpsnooping                           13-3
set igmpsnooping adminmode                  13-3
set igmpsnooping interfacemode              13-4
set igmpsnooping groupmembershipinterval    13-4
set igmpsnooping maxresponse                13-5
set igmpsnooping mcrtrexpiretime            13-6
set igmpsnooping add-static                 13-6
set igmpsnooping remove-static              13-7
show igmpsnooping static                    13-8
show igmpsnooping mfdb                      13-8
clear igmpsnooping                          13-9

show igmpsnooping
Use this command to display IGMP snooping information.

Syntax
show igmpsnooping

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Usage
Configured information is displayed whether or not IGMP snooping is enabled. Status
information is displayed only when the function is enabled. For information on enabling IGMP on
the system, refer to set igmpsnooping adminmode on page 13-3. For information on enabling
IGMP on one or more ports, refer to set igmpsnooping interfacemode on page 13-4.

Example
This example shows how to display IGMP snooping information:
C3(su)->show igmpsnooping
Admin Mode..................................... Enable
Group Membership Interval...................... 260
Max Response Time.............................. 100
Multicast Router Present Expiration Time....... 0
Interfaces Enabled for IGMP Snooping........... ge.1.1,ge.1.2,ge.1.3
Multicast Control Frame Count.................. 0
Data Frames Forwarded by the CPU............... 0

set igmpsnooping adminmode
Use this command to enable or disable IGMP on the system.

Syntax
set igmpsnooping adminmode {enable | disable}

Parameters
enable | disable    Enables or disables IGMP snooping on the system.

Defaults
None.

Mode
Switch command, read-write.

Usage
In order for IGMP snooping to be enabled on one or all ports, it must be globally enabled on the
device with this command, and then enabled on a port(s) using the set igmpsnooping
interfacemode command as described in set igmpsnooping interfacemode on page 13-4.

Note: IGMP snooping cannot be controlled via WebView.

Example
This example shows how to enable IGMP on the system:
C3(su)->set igmpsnooping adminmode enable

set igmpsnooping interfacemode
Use this command to enable or disable IGMP on one or all ports.

Syntax
set igmpsnooping interfacemode port-string {enable | disable}

Parameters
port-string         Specifies one or more ports on which to enable or disable IGMP.
enable | disable    Enables or disables IGMP.

Defaults
None.

Mode
Switch command, read-write.

Usage
In order for IGMP snooping to be enabled on one or all ports, it must be globally enabled on the
device using the set igmpsnooping adminmode command as described in set igmpsnooping
adminmode on page 13-3, and then enabled on a port(s) using this command.

Example
This example shows how to enable IGMP on port ge.1.10:
C3(su)->set igmpsnooping interfacemode ge.1.10 enable

set igmpsnooping groupmembershipinterval
Use this command to configure the IGMP group membership interval time for the system.

Syntax
set igmpsnooping groupmembershipinterval time

Parameters
time    Specifies the IGMP group membership interval. Valid values are 2 - 3600
        seconds.
        This value works together with the set igmpsnooping maxresponse time
        command to remove ports from an IGMP group and must be greater than
        the max response time value.

Defaults
None.

Mode
Switch command, read-write.

Usage
The IGMP group membership interval time sets the frequency of host-query frame transmissions
and must be greater than the IGMP maximum response time as described in set igmpsnooping
maxresponse on page 13-5.

Example
This example shows how to set the IGMP group membership interval to 250 seconds:
C3(su)->set igmpsnooping groupmembershipinterval 250

set igmpsnooping maxresponse
Use this command to configure the IGMP query maximum response time for the system.

Syntax
set igmpsnooping maxresponse time

Parameters
time    Specifies the IGMP maximum query response time. Valid values are 100 -
        255 seconds. The default value is 100 seconds.
        This value works together with the set igmpsnooping
        groupmembershipinterval command to remove ports from an IGMP group
        and must be lesser than the group membership interval value.

Defaults
None.

Mode
Switch command, read-write.

Usage
This value must be less than the IGMP maximum response time described in set igmpsnooping
groupmembershipinterval on page 13-4.

Example
This example shows how to set the IGMP maximum response time to 100 seconds:
C3(su)->set igmpsnooping maxresponse 100
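
An added Python example (not part of the guide or the firmware) for the rule that the group membership interval must stay greater than the maximum response time: it reads the current timers from show igmpsnooping output, validates a target pair against the documented ranges, and orders the two set commands so the rule holds after each one. It assumes the switch checks the relation on every command; the function names are hypothetical.

```python
import re

# Ranges as given in this guide's parameter descriptions (seconds).
GMI_RANGE = (2, 3600)        # set igmpsnooping groupmembershipinterval
MAXRESP_RANGE = (100, 255)   # set igmpsnooping maxresponse

# Constructed sample input, modelled on the 'show igmpsnooping' example.
SAMPLE_OUTPUT = """\
Admin Mode..................................... Enable
Group Membership Interval...................... 260
Max Response Time.............................. 100
Multicast Router Present Expiration Time....... 0
"""

LABELS = {"Group Membership Interval": "gmi", "Max Response Time": "maxresponse"}


def parse_timers(output):
    """Return {'gmi': int, 'maxresponse': int} from 'show igmpsnooping' text."""
    timers = {}
    for line in output.splitlines():
        m = re.match(r"\s*(.+?)\.{2,}\s*(\d+)\s*$", line)
        if m and m.group(1) in LABELS:
            timers[LABELS[m.group(1)]] = int(m.group(2))
    return timers


def check_timers(gmi, maxresponse):
    """List every documented constraint the pair violates; [] means it is valid."""
    problems = []
    if not GMI_RANGE[0] <= gmi <= GMI_RANGE[1]:
        problems.append("groupmembershipinterval must be %d - %d seconds" % GMI_RANGE)
    if not MAXRESP_RANGE[0] <= maxresponse <= MAXRESP_RANGE[1]:
        problems.append("maxresponse must be %d - %d seconds" % MAXRESP_RANGE)
    if gmi <= maxresponse:
        problems.append("groupmembershipinterval must be greater than maxresponse")
    return problems


def plan_change(current, target):
    """Order the set commands so gmi > maxresponse holds after each step.

    With a valid current and a valid target pair, one of the two orders always
    keeps the intermediate state valid, so no temporary third value is needed.
    """
    problems = check_timers(target["gmi"], target["maxresponse"])
    if problems:
        raise ValueError("; ".join(problems))
    gmi_step = ("gmi",
                "set igmpsnooping groupmembershipinterval %d" % target["gmi"])
    max_step = ("maxresponse",
                "set igmpsnooping maxresponse %d" % target["maxresponse"])
    # Changing the interval first is safe only if the new interval still
    # exceeds the maxresponse value currently configured on the switch.
    if target["gmi"] > current["maxresponse"]:
        order = [gmi_step, max_step]
    else:
        order = [max_step, gmi_step]
    # Skip commands that would not change anything.
    return [cmd for key, cmd in order if target[key] != current[key]]


if __name__ == "__main__":
    now = parse_timers(SAMPLE_OUTPUT)
    for command in plan_change(now, {"gmi": 120, "maxresponse": 110}):
        print(command)
```
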

set igmpsnooping mcrtrexpiretime
Use this command to configure the IGMP multicast router expiration time for the system.

Syntax
set igmpsnooping mcrtrexpiretime time

Parameters
time    Specifies the IGMP multicast router expiration time. Valid values are 0 -
        3600 seconds. A value of 0 will configure the system with an infinite
        expiration time. The default value is 0.

Defaults
None.

Mode
Switch command, read-write.

Usage
This timer is for expiring the switch from the multicast database. If the timer expires, and the
only address left is the multicast switch, then the entry will be removed.

Example
This example shows how to set the IGMP multicast router expiration time to infinity:
C3(su)->set igmpsnooping mcrtrexpiretime 0

set igmpsnooping add-static
This command creates a new static IGMP entry or adds one or more new ports to an existing entry.

Syntax
set igmpsnooping add-static group vlan-list [modify] [port-string]

Parameters
group          Specifies the multicast group IP address for the entry.
vlan-list      Specifies the VLANs on which to configure the entry.
modify         (Optional) Adds the specified port or ports to an existing entry.
port-string    (Optional) Specifies the port or ports to add to the entry.

Defaults
If no ports are specified, all ports are added to the entry.
If modify is not specified, a new entry is created.

Mode
Switch command, read-write.

Usage
Use this command to create and configure static Layer 2 IGMP entries. Currently, up to 100 static
groups can be configured. A total of 256 dynamic and static IGMP groups are supported.

Example
This example creates an IGMP entry for the multicast group with IP address of 233.11.22.33
configured on VLAN 20 configured with the port ge.1.1.
C3(su)->set igmpsnooping add-static 233.11.22.33 20 ge.1.1

set igmpsnooping remove-static
This command deletes a static IGMP entry or removes one or more new ports from an existing
entry.

Syntax
set igmpsnooping remove-static group vlan-list [modify] [port-string]

Parameters
group          Specifies the multicast group IP address of the entry.
vlan-list      Specifies the VLANs on which the entry is configured.
modify         (Optional) Removes the specified port or ports from an existing entry.
port-string    (Optional) Specifies the port or ports to remove from the entry.

Defaults
If no ports are specified, all ports are removed from the entry.

Mode
Switch command, read-write.

Example
This example removes port ge.1.1 from the entry for the multicast group with IP address of
233.11.22.33 configured on VLAN 20.
C3(su)->set igmpsnooping remove-static 233.11.22.33 20 ge.1.1

show igmpsnooping static
This command displays static IGMP ports for one or more VLANs or IGMP groups.

Syntax
show igmpsnooping static vlan-list [group group]

Parameters
vlan-list      Specifies the VLAN for which to display static IGMP ports.
group group    (Optional) Specifies the IGMP group for which to display static IGMP
               ports.

Defaults
If no group is specified, information for all groups is displayed.

Mode
Switch command, read-only.

Example
This example displays the static IGMP ports for VLAN 20.
C3(su)->show igmpsnooping static 20
--------------------------------------------------------------------------------
Vlan Id = 20 Static Multicast Group Address = 233.11.22.33 Type = IGMP
IGMP Port List = ge.1.1

show igmpsnooping mfdb
Use this command to display multicast forwarding database (MFDB) information.

Syntax
show igmpsnooping mfdb [stats]

Parameters
stats    (Optional) Displays MFDB statistics.

Defaults
If stats is not specified, all MFDB table entries will be displayed.

Mode
Switch command, read-only.

Examples
This example shows how to display multicast forwarding database entries:
C3(su)->show igmpsnooping mfdb
MAC Address              Type     Description     Interfaces
-----------------------  -------  --------------  -------------------------
00:14:01:00:5E:02:CD:B0  Dynamic  Network Assist  Fwd: ge.1.1,ge.3.1,ge.4.1
00:32:01:00:5E:37:96:D0  Dynamic  Network Assist  Fwd: ge.4.7
00:32:01:00:5E:7F:FF:FA  Dynamic  Network Assist  Fwd: ge.4.7

This example shows how to display multicast forwarding database statistics:
C3(su)->show igmpsnooping mfdb stats
Max MFDB Table Entries......................... 256
Most MFDB Entries Since Last Reset............. 1
Current Entries................................ 0

clear igmpsnooping
Use this command to clear all IGMP snooping entries.

Syntax
clear igmpsnooping

Parameters
None.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear all IGMP snooping entries:
C3(su)->clear igmpsnooping
Are you sure you want to clear all IGMP snooping entries? (y/n) y
IGMP Snooping Entries Cleared.

Configuring IGMP on Routing Interfaces

Router: The commands covered in this section can be executed only when the device is in router
mode. For details on how to enable router configuration modes, refer to Enabling Router
Configuration Modes on page 18-2.

Purpose
To configure IGMP on routing interfaces.

Commands
For information about...              Refer to page...
ip igmp                               13-10
ip igmp enable                        13-11
ip igmp version                       13-11
show ip igmp interface                13-12
show ip igmp groups                   13-13
ip igmp query-interval                13-13
ip igmp query-max-response-time       13-14
ip igmp startup-query-interval        13-14
ip igmp startup-query-count           13-15
ip igmp last-member-query-interval    13-15
ip igmp last-member-query-count       13-16
ip igmp robustness                    13-16

ip igmp
Use this command to enable the L3 IGMP Querier functionality on the switch. The no form of this
command disables IGMP Querier functionality.

Syntax
ip igmp
no ip igmp

Parameters
None.

Defaults
None.

Mode
Global configuration: C3(su)->router(Config)#

Usage
Enabling IGMP on a routing interface requires both the ip igmp command (page 13-10), which
enables it on the router, and the ip igmp enable command (page 13-11), which enables it on an
interface. Once these commands are executed, the device will start sending and processing IGMP
multicast traffic. IGMP is disabled by default, both globally and on a per-interface basis.

Example
This example shows how to enable IGMP on the router:
C3(su)->router(Config)#ip igmp

ip igmp enable
Use this command to enable IGMP on an interface. The no form of this command disables IGMP
on an interface.

Syntax
ip igmp enable
no ip igmp enable

Parameters
None.

Defaults
None.

Usage
Enabling IGMP on a routing interface requires both the ip igmp command (page 13-10), which
enables it on the router, and the ip igmp enable command (page 13-11), which enables it on an
interface. Once these commands are executed, the device will start sending and processing IGMP
multicast traffic. IGMP is disabled by default, both globally and on a per-interface basis.

Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#

Example
This example shows how to enable IGMP on the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip igmp enable

ip igmp version
Use this command to set the version of IGMP running on the router. The no form of this command
resets IGMP to the default version of 2 (IGMPv2).

Syntax
ip igmp version version
no ip igmp

Parameters
version    Specifies the IGMP version number to run on the router. Valid values are
           1, 2, or 3.

Defaults
None.

Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#

Example
This example shows how to set the IGMP version to version 1 on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip igmp version 1

show ip igmp interface
Use this command to display information about one or more IGMP routing interfaces.

Syntax
show ip igmp interface [vlan vlan-id]

Parameters
vlan vlan-id    (Optional) Displays information for one or more VLANs.

Defaults
If not specified, information will be displayed for all VLANs configured for IGMP routing.

Mode
Any router mode.

Example
This example shows how to display IGMP routing information for VLAN 1:
C3(su)->router#show ip igmp interface vlan 1
Vlan 1 is Admin UP
Vlan 1 is Oper UP
IGMP is configured via the Switch
IGMP ACL currently not supported
Multicast TTL currently defaults to 1
IGMP Version is 2
Query Interval is 125 (secs)
Query Max Response Time is 100 (1/10 of a second)
Robustness is 2
Startup Query Interval is 31 (secs)
Startup Query Count is 2
Last Member Query Interval is 10 (1/10 of a second)
Last Member Query Count is 2

show ip igmp groups
Use this command to display a list of IGMP streams and client connection ports.

Syntax
show ip igmp groups

Parameters
None.

Defaults
None.

Mode
Any router mode.

Example
This example shows how to display information about IGMP groups:
C3(su)->router#show ip igmp groups
REGISTERED MULTICAST GROUP DETAILS
Multicast Version1
IP Address Last Reporter Up Time Expiry Time Host Timer
-----------------------------------------------------------------------
228.1.1.1 12.12.12.2 27

ip igmp query-interval
Use this command to set the IGMP query interval on a routing interface. The no form of this
command resets the IGMP query interval to the default value of 125 seconds.

Syntax
ip igmp query-interval time
no ip igmp query-interval

Parameters
time    Specifies the IGMP query interval. Valid values are from 1 to 3600
        seconds. Default is 125 seconds.

Defaults
None.

Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#

Example
This example shows how to set the IGMP query interval to 1800 seconds on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip igmp query-interval 1800

ip igmp query-max-response-time
Use this command to set the maximum response time interval advertised in IGMPv2 queries. The
no form of this command resets the IGMP maximum response time to the default value of 100
(one tenth of a second).

Syntax
ip igmp query-max-response-time time
no ip igmp query-max-response-time

Parameters
time    Specifies the IGMP maximum response time interval. Valid values are
        from 0 to 255 tenths of a second. The default value is 100 (one tenth of a
        second).

Defaults
None.

Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#

Example
This example shows how to set the IGMP query maximum response time interval to 200 (2 tenths
of a second) on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip igmp query-max-response-time 200

ip igmp startup-query-interval
Use this command to set the interval between general IGMP queries sent on startup. The no form
of this command resets the IGMP startup query interval to the default value of 31 seconds.

Syntax
ip igmp startup-query-interval time
no ip igmp startup-query-interval

Parameters
time    Specifies the IGMP startup query interval. Valid values are from 1 to 300
        seconds. The default value is 31 seconds.

Defaults
None.

Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#

Example
This example shows how to set the IGMP startup query interval to 100 seconds on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip igmp startup-query-interval 100

ip igmp startup-query-count
Use this command to set the number of IGMP queries sent out on startup, separated by the
startup-query-interval as described in ip igmp startup-query-interval (page 13-14). The no form
of this command resets the IGMP startup query count to the default value of 2.

Syntax
ip igmp startup-query-count count
no ip igmp startup-query-count

Parameters
count    Specifies the number of IGMP startup queries. Valid values are from 1 to
         20. The default value is 2.

Defaults
None.

Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#

Example
This example shows how to set the IGMP startup query count to 10 on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip igmp startup-query-count 10

ip igmp last-member-query-interval
Use this command to set the maximum response time being inserted into group-specific queries
sent in response to leave group messages. The no form of this command resets the IGMP last
member query interval to the default value of 1 second.

Syntax
ip igmp last-member-query-interval time
no ip igmp last-member-query-interval

Parameters
time    Specifies the IGMP last member query interval. Valid values are from 0 to
        255 seconds. The default value is 1 second.

Defaults
None.

Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#

Example
This example shows how to set the IGMP last member query interval to 10 seconds on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip igmp last-member-query-interval 10

ip igmp last-member-query-count
Use this command to set the number of group-specific queries sent before assuming there are no
local members. The no form of this command resets the IGMP last member query count to the
default value of 2.

Syntax
ip igmp last-member-query-count count
no ip igmp last-member-query-count

Parameters
count    Specifies the number of IGMP startup queries. Valid values are from 1 to
         20. The default value is 2.

Defaults
None.

Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#

Example
This example shows how to set the IGMP last member query count to 10 on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip igmp last-member-query-count 10

ip igmp robustness
Use this command to configure the robustness tuning for expected packet loss on an IGMP
routing interface. The no form of this command resets the IGMP robustness value to the default
of 2.

Syntax
ip igmp robustness robustness
no ip igmp robustness

Parameters
robustness    Specifies the IGMP robustness value. Valid values are from 1 to 255. The
              default value is 2.

Defaults
None.

Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#

Usage
This value determines how many times IGMP messages will be sent. A higher number will mean
that end stations will be more likely to see the packet. After the robustness value is reached,
IGMP will assume there is no response to queries.

Example
This example shows how to set the IGMP robustness value to 5 on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip igmp robustness 5
ip igmp robustness
13-18 IGMP Configuration
14
Logging and Network Management
This chapter describes switch-related logging and network management commands and how to use them.
Note: The commands in this chapter pertain to network management of the SecureStack C3 device from the switch CLI only. For information on router-related network management tasks, including reviewing router ARP tables and IP traffic, refer to Chapter 19.
Sections in this chapter:
Configuring System Logging
Monitoring Network Events and Status
Managing Switch Network Addresses and Routes
Configuring Simple Network Time Protocol (SNTP)
Configuring Node Aliases

Configuring System Logging
Purpose
To display and configure system logging, including Syslog server settings, Syslog default settings, and the logging buffer.
Note: An Enterasys Networks Feature Guide document containing an in-depth discussion of Syslog configuration is located on the Enterasys Networks web site: http://www.enterasys.com/support/manuals/
Commands
show logging server
set logging server
clear logging server
show logging default
set logging default
clear logging default
show logging application
set logging application
clear logging application
show logging local
set logging local
clear logging local
show logging buffer
show logging interface
set logging interface
clear logging interface

show logging server
Use this command to display the Syslog configuration for a particular server.
Syntax
show logging server [index]
Parameters
index    (Optional) Displays Syslog information pertaining to a specific server table entry. Valid values are 1 - 8.
Defaults
If index is not specified, all Syslog server information will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display Syslog server configuration information:
C3(ro)->show logging server
   IP Address       Facility  Severity    Description  Port  Status
-------------------------------------------------------------------------
 1 132.140.82.111   local4    warning(5)  default      514   enabled
 2 132.140.90.84    local4    warning(5)  default      514   enabled
Table 14-1 provides an explanation of the command output.
Table 14-1 show logging server Output Details
Output Field    What It Displays...
IP Address      Syslog server's IP address. For details on setting this using the set logging server command, refer to "set logging server" on page 14-3.
Facility        Syslog facility that will be encoded in messages sent to this server. Valid values are: local0 to local7.
Severity        Severity level at which the server is logging messages.
Description     Text string description of this facility/server.
Port            UDP port the client uses to send to the server.
Status          Whether or not this Syslog configuration is currently enabled or disabled.

set logging server
Use this command to configure a Syslog server.
Syntax
set logging server index [ip-addr ip-addr] [facility facility] [severity severity] [descr descr] [port port] [state {enable | disable}]
Parameters
index                     Specifies the server table index number for this server. Valid values are 1 - 8.
ip-addr ip-addr           (Optional) Specifies the Syslog message server's IP address.
facility facility         (Optional) Specifies the server's facility name. Valid values are: local0 to local7.
severity severity         (Optional) Specifies the severity level at which the server will log messages. Valid values and corresponding levels are:
                          1 - emergencies (system is unusable)
                          2 - alerts (immediate action required)
                          3 - critical conditions
                          4 - error conditions
                          5 - warning conditions
                          6 - notifications (significant conditions)
                          7 - informational messages
                          8 - debugging messages
descr descr               (Optional) Specifies a textual string description of this facility/server.
port port                 (Optional) Specifies the default UDP port the client uses to send to the server.
state enable | disable    (Optional) Enables or disables this facility/server configuration.
Defaults
If ip-addr is not specified, an entry in the Syslog server table will be created with the specified index number and a message will display indicating that no IP address has been assigned.
If not specified, facility, severity and port will be set to defaults configured with the set logging default command ("set logging default" on page 14-5).
If state is not specified, the server will not be enabled or disabled.
Mode
Switch command, read-write.
Example
This command shows how to enable a Syslog server configuration for index 1, IP address 134.141.89.113, facility local4, severity level 3 on port 514:
C3(su)->set logging server 1 ip-addr 134.141.89.113 facility local4 severity 3 port 514 state enable
clear logging server
Use this command to remove a server from the Syslog server table.
Syntax
clear logging server index
Parameters
index    Specifies the server table index number for the server to be removed. Valid values are 1 - 8.
Defaults
None.
Mode
Switch command, read-write.
Example
This command shows how to remove the Syslog server with index 1 from the server table:
C3(su)->clear logging server 1

show logging default
Use this command to display the Syslog server default values.
Syntax
show logging default
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This command shows how to display the Syslog server default values. For an explanation of the command output, refer back to Table 14-1 on page 14-3.
C3(su)->show logging default
            Facility   Severity     Port
-----------------------------------------
Defaults:   local4     warning(5)   514
set logging default
Use this command to set logging default values.
Syntax
set logging default {[facility facility] [severity severity] [port port]}
Parameters
facility facility    Specifies the default facility name. Valid values are: local0 to local7.
severity severity    Specifies the default logging severity level. Valid values and corresponding levels are:
                     1 - emergencies (system is unusable)
                     2 - alerts (immediate action required)
                     3 - critical conditions
                     4 - error conditions
                     5 - warning conditions
                     6 - notifications (significant conditions)
                     7 - informational messages
                     8 - debugging messages
port port            Specifies the default UDP port the client uses to send to the server.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the Syslog default facility name to local2 and the severity level to 4 (error logging):
C3(su)->set logging default facility local2 severity 4
clear logging default
Use this command to reset logging default values.
Syntax
clear logging default {[facility] [severity] [port]}
Parameters
facility    (Optional) Resets the default facility name to local4.
severity    (Optional) Resets the default logging severity level to 6 (notifications of significant conditions).
port        (Optional) Resets the default UDP port the client uses to send to the server to 514.
Defaults
At least one optional parameter must be entered.
All three optional keywords must be entered to reset all logging values to defaults.
Mode
Switch command, read-write.
Example
This example shows how to reset the Syslog default severity level to 6:
C3(su)->clear logging default severity

show logging application
Use this command to display the severity level of Syslog messages for one or all applications configured for logging on your system.
Syntax
show logging application [mnemonic | all]
Parameters
mnemonic    (Optional) Displays severity level for one application configured for logging. Mnemonics will vary depending on the number and types of applications running on your system. Sample mnemonics and their corresponding applications are listed in Table 14-3 on page 14-8.
            Note: Mnemonic values are case sensitive and must be typed as they appear in Table 14-3.
all         (Optional) Displays severity level for all applications configured for logging.
Defaults
If no parameter is specified, information for all applications will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display system logging information pertaining to the SNMP application.
C3(ro)->show logging application SNMP
      Application    Current Severity Level
---------------------------------------------
 90   SNMP           6
1(emergencies)   2(alerts)     3(critical)
4(errors)        5(warnings)   6(notifications)
7(information)   8(debugging)
Table 14-2 provides an explanation of the command output.
Table 14-2 show logging application Output Details
Output Field              What it displays...
Application               A mnemonic abbreviation of the textual description for applications being logged.
Current Severity Level    Severity level at which the server is logging messages for the listed application. This range (from 1 to 8) and its associated severity list is shown in the CLI output. For a description of these entries, which are set using the set logging application command, refer to "set logging application" on page 14-7.

set logging application
Use this command to set the severity level of log messages for one or all applications.
Syntax
set logging application {[mnemonic | all]} [level level]
Parameters
mnemonic       Specifies a case sensitive mnemonic abbreviation of an application to be logged. This parameter will vary depending on the number and types of applications running on your system. To display a complete list, use the show logging application command as described in "show logging application" on page 14-6. Sample mnemonics and their corresponding applications are listed in Table 14-3 on page 14-8.
               Note: Mnemonic values are case sensitive and must be typed as they appear in Table 14-3.
all            Sets the logging severity level for all applications.
level level    (Optional) Specifies the severity level at which the server will log messages for applications. Valid values and corresponding levels are:
               1 - emergencies (system is unusable)
               2 - alerts (immediate action required)
               3 - critical conditions
               4 - error conditions
               5 - warning conditions
               6 - notifications (significant conditions)
               7 - informational messages
               8 - debugging messages
Table 14-3 Mnemonic Values for Logging Applications
Mnemonic    Application
CLIWEB      Command Line Interface and Webview management
SNMP        Simple Network Management Protocol
STP         Spanning Tree Protocol
Driver      Hardware drivers
System      Non-application items such as general chassis management
Stacking    Stacking management (if applicable)
UPN         User Personalized Networking
Router      Router
Defaults
If level is not specified, none will be applied.
Mode
Switch command, read-write.
Example
This example shows how to set the severity level for SNMP to 4 so that error conditions will be logged for that application.
C3(rw)->set logging application SNMP level 4
clear logging application
Use this command to reset the logging severity level for one or all applications to the default value of 6 (notifications of significant conditions).
Syntax
clear logging application {mnemonic | all}
Parameters
mnemonic    Resets the severity level for a specific application to 6. Valid mnemonic values and their corresponding applications are listed in Table 14-3 on page 14-8.
all         Resets the severity level for all applications to 6.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the logging severity level to 6 for SNMP.
C3(rw)->clear logging application SNMP

show logging local
Use this command to display the state of message logging to the console and a persistent file.
Syntax
show logging local
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the state of message logging. In this case, logging to the console is enabled and logging to a persistent file is disabled.
C3(su)->show logging local
Syslog Console Logging enabled
Syslog File Logging disabled

set logging local
Use this command to configure log messages to the console and a persistent file.
Syntax
set logging local console {enable | disable} file {enable | disable}
Parameters
console enable | disable    Enables or disables logging to the console.
file enable | disable       Enables or disables logging to a persistent file.
Defaults
None.
Mode
Switch command, read-write.
Example
This command shows how to enable logging to the console and disable logging to a persistent file:
C3(su)->set logging local console enable file disable

clear logging local
Use this command to clear the console and persistent store logging for the local session.
Syntax
clear logging local
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear local logging:
C3(su)->clear logging local
show logging buffer
Use this command to display the last 256 messages logged. By default, critical failures and user login and logout timestamps are displayed.
Syntax
show logging buffer
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows a portion of the information displayed with the show logging buffer command:
C3(su)->show logging buffer
<165>Sep 4 07:43:09 10.42.71.13 CLI[5] User:rw logged in from 10.2.1.122 (telnet)
<165>Sep 4 07:43:24 10.42.71.13 CLI[5] User:debug failed login from 10.4.1.100
(telnet)
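The following is an added example, not part of the Enterasys guide: it parses captured show logging buffer text, decodes the leading <PRI> value into a Syslog facility and severity (PRI = facility x 8 + severity, per RFC 3164), rejoins entries that the CLI wrapped onto a second line, and groups failed logins by source address. It assumes entries follow the layout of the two entries shown above; the third sample entry, the function names and the threshold are constructed for illustration, and the severity names are RFC 3164's, which number from 0 rather than the CLI's 1 to 8.

```python
import re
from collections import defaultdict

# RFC 3164 severity names, indexed by the code carried in PRI (0-7).
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "informational", "debug"]

# Assumed layout, taken from the sample entries:
#   <PRI>Mon D HH:MM:SS device APP[n] text
ENTRY_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<time>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<device>\S+)\s+"
    r"(?P<app>[A-Za-z]+)\s*\[(?P<num>\d+)\]\s*"
    r"(?P<text>.*)$"
)
# Login events as worded in the sample entries.
LOGIN_RE = re.compile(
    r"User:\s*(?P<user>\S+)\s+(?P<event>logged in|failed login)"
    r"\s+from\s*(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+\((?P<via>\w+)\))?"
)

# Constructed sample: the two entries from the guide plus one invented entry.
SAMPLE_BUFFER = """\
C3(su)->show logging buffer
<165>Sep 4 07:43:09 10.42.71.13 CLI[5] User:rw logged in from 10.2.1.122 (telnet)
<165>Sep 4 07:43:24 10.42.71.13 CLI[5] User:debug failed login from 10.4.1.100
(telnet)
<165>Sep 4 07:43:31 10.42.71.13 CLI[5] User:admin failed login from 10.4.1.100 (telnet)
"""


def decode_pri(pri):
    """Split a Syslog PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    if 16 <= facility <= 23:
        name = f"local{facility - 16}"      # local0..local7
    else:
        name = f"facility{facility}"
    return name, SEVERITY[severity]


def unwrap(text):
    """Rejoin wrapped entries: a line not starting with '<' continues the previous one."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<") or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse_buffer(text):
    """Return one dict per recognised buffer entry; unrecognised lines are skipped."""
    records = []
    for entry in unwrap(text):
        m = ENTRY_RE.match(entry)
        if not m:
            continue                        # prompt line or unknown layout
        try:
            facility, severity = decode_pri(int(m["pri"]))
        except ValueError:
            continue
        login = LOGIN_RE.search(m["text"])
        records.append({
            "time": m["time"], "device": m["device"], "app": m["app"],
            "facility": facility, "severity": severity, "text": m["text"],
            "login": login.groupdict() if login else None,
        })
    return records


def failed_login_sources(records, threshold=2):
    """Map source address -> user names tried, for sources at or above the threshold."""
    tried = defaultdict(list)
    for rec in records:
        login = rec["login"]
        if login and login["event"] == "failed login":
            tried[login["src"]].append(login["user"])
    return {src: users for src, users in tried.items() if len(users) >= threshold}


if __name__ == "__main__":
    recs = parse_buffer(SAMPLE_BUFFER)
    for r in recs:
        print(r["time"], r["facility"], r["severity"], r["login"])
    print(failed_login_sources(recs))
```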
show logging interface
Use this command to display the interface used for the source IP address of the system logging.
Syntax
show logging interface
Parameters
None.
Defaults
None.
Mode
Switch mode, read-only.
Example
This example displays the output of this command. In this case, the IP address assigned to loopback interface 1 will be used as the source IP address of the system logging.
C3(rw)->show logging interface
loopback 1 192.168.10.1
set logging interface
Use this command to specify the interface used for the source IP address of the system logging.
Syntax
set logging interface {loopback loop-ID | vlan vlan-ID}
Parameters
loopback loop-ID    Specifies the loopback interface to be used. The value of loop-ID can range from 0 to 7.
vlan vlan-ID        Specifies the VLAN interface to be used. The value of vlan-ID can range from 1 to 4093.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command allows you to configure the source IP address used by the system logging application when generating packets for management purposes. Any of the management interfaces, including VLAN routing interfaces, can be configured as the source IP address used in packets generated by the system logging.
An interface must have an IP address assigned to it before it can be set by this command.
If no interface is specified, then the IP address of the Host interface will be used.
If a non-loopback interface is configured with this command, application packet egress is restricted to that interface if the server can be reached from that interface. Otherwise, the packets are transmitted over the first available route. Packets from the application server are received on the configured interface.
If a loopback interface is configured, and there are multiple paths to the application server, the outgoing interface (gateway) is determined based on the best route lookup. Packets from the application server are then received on the sending interface. If route redundancy is required, therefore, a loopback interface should be configured.
Example
This example configures an IP address on VLAN interface 100 and then sets that interface as the system logging source IP address.
C3(rw)->router(Config-if(Vlan 100))#ip address 192.168.10.1 255.255.255.0
C3(rw)->router(Config-if(Vlan 100))#exit
C3(rw)->router(Config)#exit
C3(rw)->router#exit
C3(rw)->router>exit
C3(rw)->set logging interface vlan 100
C3(rw)->show logging interface
vlan 100 192.168.10.1
clear logging interface
Use this command to clear the interface used for the source IP address of the system logging back to the default of the Host interface.
Syntax
clear logging interface
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This command returns the interface used for the source IP address of the system logging back to the default of the Host interface.
C3(rw)->show logging interface
vlan 100 192.168.10.1
C3(rw)->clear logging interface
C3(rw)->
Monitoring Network Events and Status
Purpose
To display switch events and command history, to set the size of the history buffer, and to display and disconnect current user sessions.
Commands
history
show history
set history
ping
show users
disconnect
show netstat

history
Use this command to display the contents of the command history buffer. The command history buffer includes all the switch commands entered up to a maximum of 100, as specified in the set history command ("set history" on page 14-15).
Syntax
history
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the contents of the command history buffer. It shows there are five commands in the buffer:
C3(su)->history
1 hist
2 show gvrp
3 show vlan
4 show igmp
5 show ip address
show history
Use this command to display the size (in lines) of the history buffer.
Syntax
show history
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the size of the history buffer:
C3(su)->show history
History buffer size: 20
set history
Use this command to set the size of the history buffer.
Syntax
set history size [default]
Parameters
size       Specifies the size of the history buffer in lines. Valid values are 1 to 100.
default    (Optional) Makes this setting persistent for all future sessions.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the size of the command history buffer to 30 lines:
C3(su)->set history 30
ping
Use this command to send ICMP echo-request packets to another node on the network from the switch CLI.
Syntax
ping host
Parameters
host    Specifies the IP address of the device to which the ping will be sent.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example shows how to ping IP address 134.141.89.29. In this case, this host is alive:
C3(su)->ping 134.141.89.29
134.141.89.29 is alive
In this example, the host at IP address is not responding:
C3(su)->ping 134.141.89.255
no answer from 134.141.89.255

show users
Use this command to display information about the active console port or Telnet session(s) logged in to the switch.
Syntax
show users
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to use the show users command. In this output, there are two Telnet users logged in with Read-Write access privileges from IP addresses 134.141.192.119 and 134.141.192.18:
C3(su)->show users
  Session   User   Location
---------------------------------------
* telnet    rw     134.141.192.119
  telnet    rw     134.141.192.18
disconnect
Use this command to close an active console port or Telnet session from the switch CLI.
Syntax
disconnect {ip-addr | console}
Parameters
ip-addr    Specifies the IP address of the Telnet session to be disconnected. This address is displayed in the output shown in "show users" on page 12-15.
console    Closes an active console port.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example shows how to close a Telnet session to host 134.141.192.119:
C3(su)->disconnect 134.141.192.119
This example shows how to close the current console session:
C3(su)->disconnect console

show netstat
Use this command to display network layer statistics.
Syntax
show netstat
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
The following example shows the output of this command.
C3(su)->show netstat
Prot  Local Address      Foreign Address        State
-------------------------------------------------------------------------
TCP   127.0.0.1.2222     0.0.0.0.*              LISTEN
TCP   0.0.0.0.80         0.0.0.0.*              LISTEN
TCP   0.0.0.0.23         0.0.0.0.*              LISTEN
TCP   10.1.56.17.23      134.141.99.104.47718   ESTABLISHED
UDP   0.0.0.0.17185      0.0.0.0.*
UDP   127.0.0.1.49152    127.0.0.1.17185
UDP   0.0.0.0.161        0.0.0.0.*
UDP   0.0.0.0.*          0.0.0.0.*
UDP   0.0.0.0.514        0.0.0.0.*
The following table describes the output of this command.
Table 14-4 show netstat Output Details
Output Field       What it displays...
Prot               Type of protocol running on the connection.
Local Address      IP address of the connection's local host.
Foreign Address    IP address of the connection's foreign host.
State              Communications mode of the connection.
Managing Switch Network Addresses and Routes
Purpose
To display or delete switch ARP table entries, and to display MAC address information.
Commands
show arp
set arp
clear arp
traceroute
show mac
show mac agetime
set mac agetime
clear mac agetime
set mac algorithm
show mac algorithm
clear mac algorithm
set mac multicast
clear mac address
show mac unreserved-flood
set mac unreserved-flood

show arp
Use this command to display the switch's ARP table.
Syntax
show arp
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the ARP table:
C3(su)->show arp

LINK LEVEL ARP TABLE
IP Address        Phys Address       Flags   Interface
-----------------------------------------------------
10.20.1.1         00-00-5e-00-01-1   S       host
134.142.21.194    00-00-5e-00-01-1   S       host
134.142.191.192   00-00-5e-00-01-1   S       host
134.142.192.18    00-00-5e-00-01-1   S       host
134.142.192.119   00-00-5e-00-01-1   S       host
-----------------------------------------------------
Table 14-5 provides an explanation of the command output.
Table 14-5 show arp Output Details
Output Field    What It Displays...
IP Address      IP address mapped to MAC address.
Phys Address    MAC address mapped to IP address.
Flags           Route status. Possible values and their definitions include:
                S - manually configured entry (static)
                P - respond to ARP requests for this entry

set arp
Use this command to add mapping entries to the switch's ARP table.
Syntax
set arp ip-address mac-address
Parameters
ip-address     Specifies the IP address to map to the MAC address and add to the ARP table.
mac-address    Specifies the MAC address to map to the IP address and add to the ARP table. The MAC address can be formatted as xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to map IP address 192.168.219.232 to MAC address 00-00-0c-40-0f-bc:
C3(su)->set arp 192.168.219.232 00-00-0c-40-0f-bc
clear arp
Use this command to delete a specific entry or all entries from the switch's ARP table.
Syntax
clear arp {ip-address | all}
Parameters
ip-address | all    Specifies the IP address in the ARP table to be cleared, or clears all ARP entries.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete entry 10.1.10.10 from the ARP table:
C3(su)->clear arp 10.1.10.10

traceroute
Use this command to display a hop-by-hop path through an IP network from the device to a specific destination host. Three UDP or ICMP probes will be transmitted for each hop between the source and the traceroute destination.
Syntax
traceroute [-w waittime] [-f first-ttl] [-m max-ttl] [-p port] [-q nqueries] [-r] [-d] [-n] [-v] host
Parameters
-w waittime     (Optional) Specifies time in seconds to wait for a response to a probe.
-f first-ttl    (Optional) Specifies the time to live (TTL) of the first outgoing probe packet.
-m max-ttl      (Optional) Specifies the maximum time to live (TTL) used in outgoing probe packets.
-p port         (Optional) Specifies the base UDP port number used in probes.
-q nqueries     (Optional) Specifies the number of probe inquiries.
-r              (Optional) Bypasses the normal host routing tables.
-d              (Optional) Sets the debug socket option.
-n              (Optional) Displays hop addresses numerically. (Supported in a future release.)
-v              (Optional) Displays verbose output, including the size and destination of each response.
host            Specifies the host to which the route of an IP packet will be traced.
Defaults
If not specified, waittime will be set to 5 seconds.
If not specified, first-ttl will be set to 1 second.
If not specified, max-ttl will be set to 30 seconds.
If not specified, port will be set to 33434.
If not specified, nqueries will be set to 3.
If -r is not specified, normal host routing tables will be used.
If -d is not specified, the debug socket option will not be used.
If -v is not specified, summary output will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to use traceroute to display a round trip path to host 192.167.252.17. In this case, hop 1 is the SecureStack C3 switch, hop 2 is 14.1.0.45, and hop 3 is back to the host IP address. Round trip times for each of the three UDP probes are displayed next to each hop:
C3(su)->traceroute 192.167.252.17
traceroute to 192.167.252.17 (192.167.252.17), 30 hops max, 40 byte packets
1 matrix.enterasys.com (192.167.201.40) 20.000 ms 20.000 ms 20.000 ms
2 14.1.0.45 (14.1.0.45) 40.000 ms 10.000 ms 20.000 ms
3 192.167.252.17 (192.167.252.17) 50.000 ms 0.000 ms 20.000 ms

show mac
Use this command to display MAC addresses in the switch's filtering database. These are addresses learned on a port through the switching process.
Syntax
show mac [address mac-address] [fid fid] [port port-string] [type {other | learned | self | mgmt}]
Parameters
address mac-address                    (Optional) Displays a specific MAC address (if it is known by the device).
fid fid                                (Optional) Displays MAC addresses for a specific filter database identifier.
port port-string                       (Optional) Displays MAC addresses for specific port(s).
type other | learned | self | mgmt     (Optional) Displays information related to other, learned, self or mgmt (management) address type.
Defaults
If no parameters are specified, all MAC addresses for the device will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display MAC address information for ge.3.1:
C3(su)->show mac port ge.3.1
MAC Address         FID    Port     Type
------------------------------------------
00-09-6B-0F-13-E6   15     ge.3.1   Learned
MAC Address         VLAN   Port   Type    Status   Egress Ports
---------------------------------------------------------------------------
01-01-23-34-45-56   20     any    mcast   perm     ge.3.1
Table 14-6 provides an explanation of the command output.
Table 14-6 show mac Output Details
Output Field    What It Displays...
MAC Address     MAC addresses mapped to the port(s) shown.
FID             Filter database identifier.
Port            Port designation.
Type            Address type. Valid types are:
                Learned
                Self
                Management
                Other (this will include any static MAC locked addresses as described in "Configuring MAC Locking" on page 26-54).
                mcast (multicast)
VLAN            The VLAN ID configured for the multicast MAC address.
Status          The status of the multicast address.
Egress Ports    The ports which have been added to the egress ports list.

show mac agetime
Use this command to display the timeout period for aging learned MAC entries.
Syntax
show mac agetime
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the MAC timeout period:
C3(su)->show mac agetime
Aging time: 300 seconds
set mac agetime
Use this command to set the timeout period for aging learned MAC entries.
Syntax
set mac agetime time
Parameters
time    Specifies the timeout period in seconds for aging learned MAC addresses. Valid values are 10 to 1,000,000 seconds. Default value is 300 seconds.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to set the MAC timeout period:
C3(su)->set mac agetime 250

clear mac agetime
Use this command to reset the timeout period for aging learned MAC entries to the default value of 300 seconds.
Syntax
clear mac agetime
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to reset the MAC timeout period to the default value of 300 seconds.
C3(su)->clear mac agetime
set mac algorithm
Use this command to set the MAC algorithm mode, which determines the hash mechanism used by the device when performing Layer 2 lookups on received frames.
Syntax
set mac algorithm {mac-crc16-lowerbits | mac-crc16-upperbits | mac-crc32-lowerbits | mac-crc32-upperbits}
Parameters
mac-crc16-lowerbits    Select the MAC CRC 16 lower bits algorithm for hashing.
mac-crc16-upperbits    Select the MAC CRC 16 upper bits algorithm for hashing.
mac-crc32-lowerbits    Select the MAC CRC 32 lower bits algorithm for hashing.
mac-crc32-upperbits    Select the MAC CRC 32 upper bits algorithm for hashing.
Defaults
The default MAC algorithm is mac-crc16-upperbits.
Mode
Switch command, read-write.
Usage
Each algorithm is optimized for a different spread of MAC addresses. When changing this mode, the switch will display a warning message and prompt you to restart the device.
The default MAC algorithm is mac-crc16-upperbits.
Example
This example sets the hashing algorithm to mac-crc32-upperbits.
C3(rw)->set mac algorithm mac-crc32-upperbits

show mac algorithm
This command displays the currently selected MAC algorithm mode.
Syntax
show mac algorithm
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows the output of this command.
C3(su)->show mac algorithm
Mac hashing algorithm is mac-crc16-upperbits.

clear mac algorithm
Use this command to return the MAC hashing algorithm to the default value of mac-crc16-upperbits.
Syntax
clear mac algorithm
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example resets the MAC hashing algorithm to the default value.
C3(su)->clear mac algorithm
set mac multicast
Use this command to define on what ports within a VLAN a multicast address can be dynamically learned on, or on what ports a frame with the specified MAC address can be flooded. Also, use this command to append ports to or clear ports from the egress ports list.
Syntax
set mac multicast mac-address vlan-id [port-string] [{append | clear} port-string]
Parameters
mac-address       Specifies the multicast MAC address. The MAC address can be formatted as xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx.
vlan-id           Specifies the VLAN ID containing the ports.
port-string       Specifies the port or range of ports the multicast MAC address can be learned on or flooded to.
append | clear    Appends or clears the port or range of ports from the egress port list.
Defaults
If no port-string is defined, the command will apply to all ports.
Mode
Switch command, read-write.
Example
This example configures multicast MAC address 01-01-22-33-44-55 for VLAN 24.
C3(su)->set mac multicast 01-01-22-33-44-55 24

clear mac address
Use this command to remove a multicast MAC address.
Syntax
clear mac address mac-address [vlan-id]
Parameters
mac-address    Specifies the multicast MAC address to be cleared. The MAC address can be formatted as xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx.
vlan-id        (Optional) Specifies the VLAN ID from which to clear the static multicast MAC address.
Defaults
If no vlan-id is specified, the multicast MAC address is cleared from all VLANs.
Mode
Switch command, read-write.
Example
This example clears multicast MAC address 01-01-22-33-44-55 from VLAN 24.
C3(su)->clear mac multicast 01-01-22-33-44-55 24
show mac unreserved-flood
Use this command to display the state of multicast flood protection.
Syntax
show mac unreserved-flood
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example displays the status of multicast flood protection.
C3(su)->show mac unreserved-flood
mac unreserved flood is disabled.

set mac unreserved-flood
Use this command to enable or disable multicast flood protection. When enabled, this prevents policy profiles requiring a full 10 masks from being loaded.
Syntax
set mac unreserved-flood {disable | enable}
Parameters
disable | enable    Disables or enables multicast flood protection.
Defaults
None.
Mode
Switch command, read-write.
Usage
The following addresses will be forwarded when this function is enabled:
01:80:C2:00:00:11
01:80:C2:00:00:14
01:80:C2:00:00:15
The default state is disabled, and these addresses will not be forwarded.
Example
This example enables multicast flood protection.
C3(su)->set mac unreserved-flood enable
Configuring Simple Network Time Protocol (SNTP)
Purpose
To configure the Simple Network Time Protocol (SNTP), which synchronizes device clocks in a
network.
Note: A management IP (host, routing interface, or loopback) address must be configured for SNTP
to work.
Commands
For information about...      Refer to page...
show sntp                     14-29
set sntp client               14-31
clear sntp client             14-31
set sntp server               14-32
clear sntp server             14-32
set sntp poll-interval        14-33
clear sntp poll-interval      14-33
set sntp poll-retry           14-34
clear sntp poll-retry         14-34
set sntp poll-timeout         14-35
clear sntp poll-timeout       14-35
set timezone                  14-36
show sntp interface           14-37
set sntp interface            14-37
clear sntp interface          14-38
show sntp
Use this command to display SNTP client settings.
Syntax
show sntp
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display SNTP client settings:
C3(su)->show sntp
SNTP Version: 3
Current Time: TUE SEP 09 16:13:33 2003
Timezone: 'EST', offset from UTC is -4 hours and 0 minutes
Client Mode: unicast
Broadcast Count: 0
Poll Interval: 512 seconds
Poll Retry: 1
Poll Timeout: 5 seconds
SNTP Poll Requests: 1175
Last SNTP Update: TUE SEP 09 16:05:24 2003
Last SNTP Request: TUE SEP 09 16:05:24 2003
Last SNTP Status: Success
SNTP-Server        Precedence    Status
-------------------------------------------
10.2.8.6           2             Active
144.111.29.19      1             Active
Table 14-7 provides an explanation of the command output.
Table 14-7 show sntp Output Details
Output Field          What It Displays...
SNTP Version          SNTP version number.
Current Time          Current time on the system clock.
Timezone              Time zone name and amount it is offset from UTC (Universal Time). Set using the
                      set timezone command (set timezone on page 14-36).
Client Mode           Whether SNTP client is operating in unicast or broadcast mode. Set using set sntp
                      client command (set sntp client on page 14-31).
Broadcast Count       Number of SNTP broadcast frames received.
Poll Interval         Interval between SNTP unicast requests. Default of 512 seconds can be reset using
                      the set sntp poll-interval command (set sntp poll-interval on page 14-33).
Poll Retry            Number of poll retries to a unicast SNTP server. Default of 1 can be reset using the
                      set sntp poll-retry command (set sntp poll-retry on page 14-34).
Poll Timeout          Timeout for a response to a unicast SNTP request. Default of 5 seconds can be
                      reset using set sntp poll-timeout command (set sntp poll-timeout on page 14-35).
SNTP Poll Requests    Total number of SNTP poll requests.
Last SNTP Update      Date and time of most recent SNTP update.
Last SNTP Request     Date and time of most recent SNTP request.
Last SNTP Status      Whether or not broadcast reception or unicast transmission and reception was
                      successful.
SNTP-Server           IP address(es) of SNTP server(s).
Precedence            Precedence level of SNTP server in relation to its peers. Highest precedence is 1
                      and lowest is 10. Default of 1 can be reset using the set sntp server command (set
                      sntp server on page 14-32).
Status                Whether or not the SNTP server is active.
set sntp client
Use this command to set the SNTP operation mode.
Syntax
set sntp client {broadcast | unicast | disable}
Parameters
broadcast    Enables SNTP in broadcast client mode.
unicast      Enables SNTP in unicast (point-to-point) client mode. In this mode, the
             client must supply the IP address from which to retrieve the current time.
disable      Disables SNTP.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable SNTP in broadcast mode:
C3(su)->set sntp client broadcast
clear sntp client
Use this command to clear the SNTP client's operational mode.
Syntax
clear sntp client
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the SNTP client's operational mode:
C3(su)->clear sntp client
set sntp server
Use this command to add a server from which the SNTP client will retrieve the current time when
operating in unicast mode. Up to 10 servers can be set as SNTP servers.
Syntax
set sntp server ip-address [precedence]
Parameters
ip-address    Specifies the SNTP server's IP address.
precedence    (Optional) Specifies this SNTP server's precedence in relation to its peers.
              Valid values are 1 (highest) to 10 (lowest).
Defaults
If precedence is not specified, 1 will be applied.
Mode
Switch command, read-write.
Example
This example shows how to set the server at IP address 10.21.1.100 as an SNTP server:
C3(su)->set sntp server 10.21.1.100
clear sntp server
Use this command to remove one or all servers from the SNTP server list.
Syntax
clear sntp server {ip-address | all}
Parameters
ip-address    Specifies the IP address of a server to remove from the SNTP server list.
all           Removes all servers from the SNTP server list.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to remove the server at IP address 10.21.1.100 from the SNTP server list:
C3(su)->clear sntp server 10.21.1.100
set sntp poll-interval
Use this command to set the poll interval between SNTP unicast requests.
Syntax
set sntp poll-interval value
Parameters
value    The poll interval is 2 to the power of value in seconds, where value can range
         from 6 to 10.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the SNTP poll interval to 64 seconds:
C3(su)->set sntp poll-interval 6
clear sntp poll-interval
Use this command to clear the poll interval between unicast SNTP requests.
Syntax
clear sntp poll-interval
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the SNTP poll interval:
C3(su)->clear sntp poll-interval
set sntp poll-retry
Use this command to set the number of poll retries to a unicast SNTP server.
Syntax
set sntp poll-retry retry
Parameters
retry    Specifies the number of retries. Valid values are 0 to 10.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the number of SNTP poll retries to 5:
C3(su)->set sntp poll-retry 5
clear sntp poll-retry
Use this command to clear the number of poll retries to a unicast SNTP server.
Syntax
clear sntp poll-retry
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the number of SNTP poll retries:
C3(su)->clear sntp poll-retry
set sntp poll-timeout
Use this command to set the poll timeout (in seconds) for a response to a unicast SNTP request.
Syntax
set sntp poll-timeout timeout
Parameters
timeout    Specifies the poll timeout in seconds. Valid values are 1 to 30.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the SNTP poll timeout to 10 seconds:
C3(su)->set sntp poll-timeout 10
clear sntp poll-timeout
Use this command to clear the SNTP poll timeout.
Syntax
clear sntp poll-timeout
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the SNTP poll timeout:
C3(su)->clear sntp poll-timeout
set timezone
Use this command to configure the current timezone as an offset from UTC.
Syntax
set timezone name [hours] [minutes]
Parameters
name       The name of the timezone. Typically, this name is a standard
           abbreviation such as EST (Eastern Standard Time) or EDT (Eastern
           Daylight Time).
hours      (Optional) Specifies the offset in hours from UTC. The value can range
           from -13 to 13. The default is 0 hours.
minutes    (Optional) Specifies additional offset in minutes from UTC. The value
           can range from 0 to 59. The default is 0 minutes.
Defaults
If you enter a timezone name without specifying an offset in hours and minutes, the default is an
offset from UTC of 0 hours and 0 minutes.
Mode
Switch command, read-write.
Usage
Typically, this command is used to configure the local timezone offset from UTC (Universal Time)
when SNTP is used to synchronize the time used by devices on the network.
To display the current timezone setting used by SNTP, use the show sntp command. To clear an
existing offset to zero, enter the command without specifying any hours or minutes.
Standard timezone names and offsets can be found at the following URL, among others:
http://www.timeanddate.com/library/abbreviations/timezones/
Example
The following example sets the timezone name to EST and the offset to North American Eastern
Standard Time offset of -5 hours from UTC, then displays the timezone used with SNTP.
C3(su)->set timezone EST -5
C3(su)->show sntp
SNTP Version: 3
Current Time: WED JUL 16 11:35:52 2008
Timezone: 'EST' offset from UTC is -5 hours and 0 minutes
Client Mode: unicast
Broadcast Count: 0
Poll Interval: 6 (64 seconds)
Poll Retry: 1
Poll Timeout: 5 seconds
SNTP Poll Requests: 2681
Last SNTP Update: WED JUL 16 16:35:23 2008
Last SNTP Request: WED JUL 16 16:35:23 2008
Last SNTP Status: Success
SNTP-Server        Precedence    Status
-------------------------------------------
192.255.255.254    2             Active
show sntp interface
Use this command to display the interface used for the source IP address of the SNTP client.
Syntax
show sntp interface
Parameters
None.
Defaults
None.
Mode
Switch mode, read-only.
Example
This example displays the output of this command. In this case, the IP address assigned to
loopback interface 1 will be used as the source IP address of the SNTP client.
C3(rw)->show sntp interface
loopback 1 192.168.10.1
set sntp interface
Use this command to specify the interface used for the source IP address of the SNTP client.
Syntax
set sntp interface {loopback loop-ID | vlan vlan-ID}
Parameters
loopback loop-ID    Specifies the loopback interface to be used. The value of loop-ID can
                    range from 0 to 7.
vlan vlan-ID        Specifies the VLAN interface to be used. The value of vlan-ID can range
                    from 1 to 4093.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command allows you to configure the source IP address used by the SNTP application when
generating packets for management purposes. Any of the management interfaces, including
VLAN routing interfaces, can be configured as the source IP address used in packets generated by
the SNTP client.
An interface must have an IP address assigned to it before it can be set by this command.
If no interface is specified, then the IP address of the Host interface will be used.
If a non-loopback interface is configured with this command, application packet egress is
restricted to that interface if the server can be reached from that interface. Otherwise, the packets
are transmitted over the first available route. Packets from the application server are received on
the configured interface.
If a loopback interface is configured, and there are multiple paths to the application server, the
outgoing interface (gateway) is determined based on the best route lookup. Packets from the
application server are then received on the sending interface. If route redundancy is required,
therefore, a loopback interface should be configured.
Example
This example configures an IP address on VLAN interface 100 and then sets that interface as the
SNTP client source IP address.
C3(rw)->router(Config-if(Vlan 100))#ip address 192.168.10.1 255.255.255.0
C3(rw)->router(Config-if(Vlan 100))#exit
C3(rw)->router(Config)#exit
C3(rw)->router#exit
C3(rw)->router>exit
C3(rw)->set sntp interface vlan 100
C3(rw)->show sntp interface
vlan 100 192.168.10.1
clear sntp interface
Use this command to clear the interface used for the source IP address of the SNTP client back to
the default of the Host interface.
Syntax
clear sntp interface
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This command returns the interface used for the source IP address of the SNTP client back to the
default of the Host interface.
C3(rw)->show sntp interface
vlan 100 192.168.10.1
C3(rw)->clear sntp interface
C3(rw)->
Configuring Node Aliases
The node alias feature enables administrators to determine the MAC address and location of a
given end-station (or node) using the node's Layer 3 alias information (IP address) as a key. With
this method, it is possible to determine that, for instance, IP address 123.145.2.23 is located on
switch 5 port 3.
The passive accumulation of a network's node/alias information is accomplished by "snooping"
on the contents of network traffic as it passes through the switch fabric.
In the C3, node data is automatically accumulated into the ct-alias-mib, and by default this feature
is enabled. The NetSight Console Compass utility and Automated Security Manager (ASM) use
the information in the node/alias MIB table.
It's important to make sure that inter-switch links are not learning node/alias information, as it
would slow down searches by the NetSight Compass and ASM tools and give inaccurate results.
Purpose
To review, disable, and re-enable node (port) alias functionality on the switch.
Commands
For information about...    Refer to page...
show nodealias config       14-40
set nodealias               14-41
clear nodealias config      14-42
show nodealias config
Use this command to display node alias configuration settings on one or more ports.
Syntax
show nodealias config [port-string]
Parameters
port-string    (Optional) Displays node alias configuration settings for specific port(s).
Defaults
If port-string is not specified, node alias configurations will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display node alias configuration settings for ports ge.2.1 through 9:
C3(rw)->show nodealias config ge.2.1-9
Port Number   Max Entries   Used Entries   Status
----------------------------------------
ge.2.1        16            0              Enable
ge.2.2        47            0              Enable
ge.2.3        47            2              Enable
ge.2.4        47            0              Enable
ge.2.5        47            0              Enable
ge.2.6        47            2              Enable
ge.2.7        47            0              Enable
ge.2.8        47            0              Enable
ge.2.9        4000          1              Enable
Table 14-8 provides an explanation of the command output.
Table 14-8 show nodealias config Output Details
Output Field    What It Displays...
Port Number     Port designation.
Max Entries     Maximum number of alias entries configured for this port.
Used Entries    Number of alias entries (out of the maximum amount configured) already used by
                this port.
Status          Whether or not a node alias agent is enabled (default) or disabled on this port.
set nodealias
Use this command to enable or disable a node alias agent on one or more ports, or set the
maximum number of alias entries stored per port.
Syntax
set nodealias {enable | disable | maxentries maxentries} port-string
Parameters
enable | disable         Enables or disables a node alias agent.
maxentries maxentries    Set the maximum number of alias entries stored per port. Valid range
                         is 0 to 4096. The default value is 32.
port-string              Specifies the port(s) on which to enable/disable node alias agent or set
                         a maximum number of stored entries.
Defaults
None.
Mode
Switch command, read-write.
Usage
Upon packet reception, node aliases are dynamically assigned to ports enabled with an alias
agent, which is the default setting on SecureStack C3 devices. Node aliases cannot be statically
created, but can be deleted using the command clear nodealias config (page 14-42).
It's important to make sure that inter-switch links are not learning node/alias information, as it
would slow down searches by the NetSight Compass and ASM tools and give inaccurate results.
Example
This example shows how to disable the node alias agent on ge.1.3:
C3(su)->set nodealias disable ge.1.3
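One way to act on the inter-switch link guidance above, as an added example (not code from this guide or from Enterasys): the Python below parses show nodealias config output, expands an operator-supplied list of inter-switch port-strings, and returns the set nodealias disable commands still needed. The sample output is constructed, "Disable" as a Status value is an assumption (the guide only shows "Enable"), and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the `show nodealias config` output above.
# Assumption: a disabled agent is shown as "Disable".
SAMPLE_OUTPUT = """\
Port Number   Max Entries   Used Entries   Status
----------------------------------------
ge.2.7        47            0              Enable
ge.2.8        47            0              Disable
ge.2.9        4000          1              Enable
"""

ROW = re.compile(r"^\s*([a-z]+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(Enable|Disable)\s*$")
PORT_STRING = re.compile(r"^([a-z]+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_nodealias_config(text):
    """Return {port: (max_entries, used_entries, status)} from the table rows."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and separator lines do not match and are skipped
            table[m.group(1)] = (int(m.group(2)), int(m.group(3)), m.group(4))
    return table


def expand_port_string(port_string):
    """Expand 'ge.2.1-9' or 'ge.2.9' into individual port names.

    Only the type.unit.port[-port] form used on this page is handled.
    """
    m = PORT_STRING.match(port_string)
    if not m:
        raise ValueError("unsupported port-string: %r" % port_string)
    kind, unit, first = m.group(1), m.group(2), int(m.group(3))
    last = int(m.group(4)) if m.group(4) else first
    if last < first:
        raise ValueError("descending range: %r" % port_string)
    return ["%s.%s.%d" % (kind, unit, n) for n in range(first, last + 1)]


def interswitch_findings(text, interswitch_port_strings):
    """Check the operator's inter-switch ports against the parsed table.

    Returns (findings, missing): findings is a list of
    (port, used_entries, command) for inter-switch ports whose alias agent is
    still enabled; missing lists inter-switch ports absent from the output,
    which therefore could not be checked.
    """
    table = parse_nodealias_config(text)
    findings, missing = [], []
    for port_string in interswitch_port_strings:
        for port in expand_port_string(port_string):
            if port not in table:
                missing.append(port)
                continue
            _max_entries, used, status = table[port]
            if status == "Enable":
                findings.append((port, used, "set nodealias disable " + port))
    return findings, missing


if __name__ == "__main__":
    found, unchecked = interswitch_findings(SAMPLE_OUTPUT, ["ge.2.8-10"])
    for port, used, command in found:
        print("%s still learning (%d used entries): %s" % (port, used, command))
    for port in unchecked:
        print("%s not present in output, not checked" % port)
```

A non-zero Used Entries count on an inter-switch port shows that aliases have already been learned there, so the existing entries are worth reviewing as well as disabling the agent.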
clear nodealias config
Use this command to reset node alias state to enabled and clear the maximum entries value.
Syntax
clear nodealias config port-string
Parameters
port-string    Specifies the port(s) on which to reset the node alias configuration.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the node alias configuration on ge.1.3:
C3(su)->clear nodealias config ge.1.3
15
RMON Configuration
This chapter describes the commands used to configure RMON on a SecureStack C3 switch.
For information about...           Refer to page...
RMON Monitoring Group Functions    15-1
Design Considerations              15-2
Statistics Group Commands          15-3
History Group Commands             15-6
Alarm Group Commands               15-9
Event Group Commands               15-13
Filter Group Commands              15-17
Packet Capture Commands            15-22
RMON Monitoring Group Functions
RMON (Remote Network Monitoring) provides comprehensive network fault diagnosis,
planning, and performance tuning information and allows for interoperability between SNMP
management stations and monitoring agents. RMON extends the SNMP MIB capability by
defining additional MIBs that generate a much richer set of data about network usage. These MIB
"groups" each gather specific sets of data to meet common network monitoring requirements.
Table 15-1 lists the RMON monitoring groups supported on SecureStack C3 devices, each group's
function and the elements it monitors, and the associated configuration commands needed.
Table 15-1 RMON Monitoring Group Functions and Commands
RMON Group: Statistics
  What It Does...      Records statistics measured by the RMON probe for each monitored
                       interface on the device.
  What It Monitors...  Packets dropped, packets sent, bytes sent (octets), broadcast and
                       multicast packets, CRC errors, oversized and undersized packets,
                       fragments, jabbers, and counters for packets.
  CLI Command(s)       show rmon stats on page 15-4
                       set rmon stats on page 15-4
                       clear rmon stats on page 15-5
RMON Group: History
  What It Does...      Records periodic statistical samples from a network.
  What It Monitors...  Sample period, number of samples and item(s) sampled.
  CLI Command(s)       show rmon history on page 15-6
                       set rmon history on page 15-7
                       clear rmon history on page 15-7
RMON Group: Alarm
  What It Does...      Periodically gathers statistical samples from variables in the probe
                       and compares them with previously configured thresholds. If the
                       monitored variable crosses a threshold, an event is generated.
  What It Monitors...  Alarm type, interval, starting threshold, stop threshold.
  CLI Command(s)       show rmon alarm on page 15-9
                       set rmon alarm properties on page 15-10
                       set rmon alarm status on page 15-11
                       clear rmon alarm on page 15-12
RMON Group: Event
  What It Does...      Controls the generation and notification of events from the device.
  What It Monitors...  Event type, description, last time event was sent.
  CLI Command(s)       show rmon event on page 15-13
                       set rmon event properties on page 15-14
                       set rmon event status on page 15-15
                       clear rmon event on page 15-15
RMON Group: Filter
  What It Does...      Allows packets to be matched by a filter equation. These matched
                       packets form a data stream or "channel" that may be captured.
  What It Monitors...  Packets matching the filter configuration.
  CLI Command(s)       show rmon channel on page 15-17
                       set rmon channel on page 15-18
                       clear rmon channel on page 15-19
                       show rmon filter on page 15-19
                       set rmon filter on page 15-20
                       clear rmon filter on page 15-21
RMON Group: Packet Capture
  What It Does...      Allows packets to be captured upon a filter match.
  What It Monitors...  Packets matching the filter configuration.
  CLI Command(s)       show rmon capture on page 15-22
                       set rmon capture on page 15-23
                       clear rmon capture on page 15-24
Design Considerations
The C3 supports RMON Packet Capture/Filter Sampling through both the CLI and MIBs, but with
the following constraints:
• RMON Packet Capture/Filter Sampling and Port Mirroring cannot be enabled on the same
  interface concurrently.
• You can capture a total of 100 packets on an interface, no more and no less.
  - The captured frames will be as close to sequential as the hardware will allow.
  - Only one interface can be configured for capturing at a time.
  - Once 100 frames have been captured by the hardware, the application will stop without
    manual intervention.
• As described in the MIB, the filter is only applied after the frame is captured, thus only a
  subset of the frames captured will be available for display.
• There is only one Buffer Control Entry supported.
• Due to the limitations of the hardware, the Buffer Control Entry table will have limits on a few
  of its elements:
  - MaxOctetsRequested can only be set to the value -1 which indicates the application will
    capture as many packets as possible given its restrictions.
  - CaptureSliceSize can only be set to 1518.
  - The FullAction element can only be set to "lock" since the device does not support
    wrapping the capture buffer.
• Due to hardware limitations, the only frame error counted is oversized frames.
• The application does not support Events. Therefore, the following elements of the Channel
  Entry Table are not supported: TurnOnEventIndex, TurnOffEventIndex, EventIndex, and
  EventStatus.
• There is only one Channel Entry available at a time.
  - There are only three Filter Entries available, and a user can associate all three Filter Entries
    with the Channel Entry.
• Configured channel, filter, and buffer information will be saved across resets, but not frames
  within the capture buffer.
Statistics Group Commands
Purpose
To display, configure, and clear RMON statistics.
Note: Due to hardware limitations, the only frame error counted is oversized frames.
Commands
For information about...    Refer to page...
show rmon stats             15-4
set rmon stats              15-4
clear rmon stats            15-5
show rmon stats
Use this command to display RMON statistics measured for one or more ports.
Syntax
show rmon stats [port-string]
Parameters
port-string    (Optional) Displays RMON statistics for specific port(s).
Defaults
If port-string is not specified, RMON stats will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display RMON statistics for Gigabit Ethernet port 1 in switch 1:
C3(su)->show rmon stats ge.1.1
Port: ge.1.1
-------------------------------------
Index = 1
Owner = monitor
Data Source = ifIndex.1
Drop Events    = 0        Packets            = 0
Collisions     = 0        Octets             = 0
Jabbers        = 0        0 - 64 Octets      = 0
Broadcast Pkts = 0        65 - 127 Octets    = 0
Multicast Pkts = 0        128 - 255 Octets   = 0
CRC Errors     = 0        256 - 511 Octets   = 0
Undersize Pkts = 0        512 - 1023 Octets  = 0
Oversize Pkts  = 0        1024 - 1518 Octets = 0
Fragments      = 0
Table 15-2 provides an explanation of the command output.
set rmon stats
Use this command to configure an RMON statistics entry.
Syntax
set rmon stats index port-string [owner]
Parameters
index          Specifies an index for this statistics entry.
port-string    Specifies port(s) to which this entry will be assigned.
owner          (Optional) Assigns an owner for this entry.
Defaults
If owner is not specified, monitor will be applied.
Mode
Switch command, read-write.
Example
This example shows how to configure RMON statistics entry 2 for ge.1.20:
C3(rw)->set rmon stats 2 ge.1.20
clear rmon stats
Use this command to delete one or more RMON statistics entries.
Syntax
clear rmon stats {index-list | to-defaults}
Parameters
index-list     Specifies one or more stats entries to be deleted, causing them to disappear
               from any future RMON queries.
to-defaults    Resets all history entries to default values. This will cause entries to
               reappear in RMON queries.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete RMON statistics entry 2:
C3(rw)->clear rmon stats 2
History Group Commands
Purpose
To display, configure, and clear RMON history properties and statistics.
Commands
For information about...    Refer to page...
show rmon history           15-6
set rmon history            15-7
clear rmon history          15-7
show rmon history
Use this command to display RMON history properties and statistics. The RMON history group
records periodic statistical samples from a network.
Syntax
show rmon history [port-string]
Parameters
port-string    (Optional) Displays RMON history entries for specific port(s).
Defaults
If port-string is not specified, information about all RMON history entries will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display RMON history entries for Gigabit Ethernet port 1 in switch 1.
A control entry displays first, followed by actual entries corresponding to the control entry. In this
case, the default settings for entry owner, sampling interval, and maximum number of entries
(buckets) have not been changed from their default values. For a description of the types of
statistics shown, refer to Table 15-2.
C3(su)->show rmon history ge.1.1
Port: ge.1.1
-------------------------------------
Index 1
Owner = monitor
Status = valid
Data Source = ifIndex.1
Interval = 30
Buckets Requested = 50
Buckets Granted = 10
Sample 2779 Interval Start: 1 days 0 hours 2 minutes 22 seconds
Drop Events      = 0        Undersize Pkts = 0
Octets           = 0        Oversize Pkts  = 0
Packets          = 0        Fragments      = 0
Broadcast Pkts   = 0        Jabbers        = 0
Multicast Pkts   = 0        Collisions     = 0
CRC Align Errors = 0        Utilization(%) = 0
set rmon history
Use this command to configure an RMON history entry.
Syntax
set rmon history index [port-string] [buckets buckets] [interval interval] [owner
owner]
Parameters
index-list           Specifies an index number for this entry.
port-string          (Optional) Assigns this entry to a specific port.
buckets buckets      (Optional) Specifies the maximum number of entries to maintain.
interval interval    (Optional) Specifies the sampling interval in seconds.
owner owner          (Optional) Specifies an owner for this entry.
Defaults
If buckets is not specified, the maximum number of entries maintained will be 50.
If not specified, interval will be set to 30 seconds.
If owner is not specified, monitor will be applied.
Mode
Switch command, read-write.
Example
This example shows how to configure RMON history entry 1 on port ge.2.1 to sample every 20
seconds:
C3(rw)->set rmon history 1 ge.2.1 interval 20
clear rmon history
Use this command to delete one or more RMON history entries or reset one or more entries to
default values. For specific values, refer to set rmon history on page 15-7.
Syntax
clear rmon history {index-list | to-defaults}
Parameters
index-list     Specifies one or more history entries to be deleted, causing them to
               disappear from any future RMON queries.
to-defaults    Resets all history entries to default values. This will cause entries to
               reappear in RMON queries.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete RMON history entry 1:
C3(rw)->clear rmon history 1
Alarm Group Commands
Purpose
To display, configure, and clear RMON alarm entries and properties.
Commands
For information about...     Refer to page...
show rmon alarm              15-9
set rmon alarm properties    15-10
set rmon alarm status        15-11
clear rmon alarm             15-12
show rmon alarm
Use this command to display RMON alarm entries. The RMON alarm group periodically takes
statistical samples from RMON variables and compares them with previously configured
thresholds. If the monitored variable crosses a threshold an RMON event is generated.
Syntax
show rmon alarm [index]
Parameters
index    (Optional) Displays RMON alarm entries for a specific entry index ID.
Defaults
If index is not specified, information about all RMON alarm entries will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display RMON alarm entry 3:
C3(rw)->show rmon alarm 3
Index 3
---------------------
Owner = Manager
Status = valid
Variable = 1.3.6.1.4.1.5624.1.2.29.1.2.1.0
Sample Type        = delta        Startup Alarm       = rising
Interval           = 30           Value               = 0
Rising Threshold   = 1            Falling Threshold   = 0
Rising Event Index = 2            Falling Event Index = 0
Table 15-2 provides an explanation of the command output.
Table 15-2 show rmon alarm Output Details
Output Field           What It Displays...
Index                  Index number for this alarm entry.
Owner                  Text string identifying who configured this entry.
Status                 Whether this event entry is enabled (valid) or disabled.
Variable               MIB object to be monitored.
Sample Type            Whether the monitoring method is an absolute or a delta sampling.
Startup Alarm          Whether alarm generated when this entry is first enabled is rising, falling, or either.
Interval               Interval in seconds at which RMON will conduct sample monitoring.
Rising Threshold       Minimum threshold for causing a rising alarm.
Falling Threshold      Maximum threshold for causing a falling alarm.
Rising Event Index     Index number of the RMON event to be triggered when the rising threshold is
                       crossed.
Falling Event Index    Index number of the RMON event to be triggered when the falling threshold is
                       crossed.
set rmon alarm properties
Use this command to configure an RMON alarm entry, or to create a new alarm entry with an
unused alarm index number.
Syntax
set rmon alarm properties index [interval interval] [object object] [type
{absolute | delta}] [startup {rising | falling | either}] [rthresh rthresh]
[fthresh fthresh] [revent revent] [fevent fevent] [owner owner]
Parameters
index                Specifies an index number for this entry. Maximum number of entries is
                     50. Maximum value is 65535.
interval interval    (Optional) Specifies an interval (in seconds) for RMON to conduct sample
                     monitoring.
object object        (Optional) Specifies a MIB object to be monitored.
                     Note: This parameter is not mandatory for executing the command, but
                     must be specified in order to enable the alarm entry configuration.
type absolute |      (Optional) Specifies the monitoring method as: sampling the absolute
delta                value of the object, or the difference (delta) between object samples.
startup rising |     (Optional) Specifies the type of alarm generated when this event is first
falling | either     enabled as:
                     Rising - Sends alarm when an RMON event reaches a maximum
                     threshold condition, for example, more than 30 collisions
                     per second.
                     Falling - Sends alarm when RMON event falls below a minimum
                     threshold condition, for example when the network is behaving
                     normally again.
                     Either - Sends alarm when either a rising or falling threshold is
                     reached.
rthresh rthresh      (Optional) Specifies a minimum threshold for causing a rising alarm.
fthresh fthresh      Specifies a maximum threshold for causing a falling alarm.
revent revent        Specifies the index number of the RMON event to be triggered when the
                     rising threshold is crossed.
fevent fevent        Specifies the index number of the RMON event to be triggered when the
                     falling threshold is crossed.
owner owner          (Optional) Specifies the name of the entity that configured this alarm
                     entry.
Defaults
interval - 3600 seconds
type - absolute
startup - rising
rthresh - 0
fthresh - 0
revent - 0
fevent - 0
owner - monitor
Mode
Switch command, read-write.
Example
This example shows how to configure a rising RMON alarm. This entry will conduct monitoring
of the delta between samples every 30 seconds:
C3(rw)->set rmon alarm properties 3 interval 30 object
1.3.6.1.4.1.5624.1.2.29.1.2.1.0 type delta rthresh 1 revent 2 owner Manager
set rmon alarm status
Use this command to enable an RMON alarm entry. An alarm is a notification that a statistical
sample of a monitored variable has crossed a configured threshold.
Syntax
set rmon alarm status index enable
Parameters
index     Specifies an index number for this entry. Maximum number of entries is
          50. Maximum value is 65535.
enable    Enables this alarm entry.
Defaults
None.
Mode
Switch command, read-write.
Usage
An RMON alarm entry can be created using this command, configured using the set rmon alarm
properties command (set rmon alarm properties on page 15-10), then enabled using this
command. An RMON alarm entry can be created and configured at the same time by specifying
an unused index with the set rmon alarm properties command.
Example
This example shows how to enable RMON alarm entry 3:
C3(rw)->set rmon alarm status 3 enable
clear rmon alarm
Use this command to delete an RMON alarm entry.
Syntax
clear rmon alarm index
Parameters
index    Specifies the index number of entry to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear RMON alarm entry 1:
C3(rw)->clear rmon alarm 1
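How the type, startup, rthresh and fthresh settings of set rmon alarm properties interact, as an added example (not code from this guide or from Enterasys): the Python below evaluates a series of readings under the RFC 2819 alarm-group rules, including the rule that a rising alarm is not repeated until the falling threshold has been reached, and the reverse. It assumes the switch follows RFC 2819; the class, function names and sample readings are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class RmonAlarm:
    """One alarm entry; field names mirror the CLI keywords on this page."""
    sample_type: str = "absolute"   # type {absolute | delta}
    startup: str = "rising"         # startup {rising | falling | either}
    rthresh: int = 0
    fthresh: int = 0
    revent: int = 0                 # event index 0: no event entry is triggered
    fevent: int = 0

    def __post_init__(self):
        if self.sample_type not in ("absolute", "delta"):
            raise ValueError("type must be absolute or delta")
        if self.startup not in ("rising", "falling", "either"):
            raise ValueError("startup must be rising, falling or either")
        self._last_reading = None   # previous raw reading (delta sampling only)
        self._last_value = None     # previous value compared with the thresholds
        self._rising_armed = True
        self._falling_armed = True

    def sample(self, reading):
        """Feed one reading taken at the alarm interval.

        Returns ("rising" | "falling", event_index) when a threshold crossing
        is reported, otherwise None.
        """
        if self.sample_type == "delta":
            previous, self._last_reading = self._last_reading, reading
            if previous is None:
                return None         # a delta needs two readings
            value = reading - previous
        else:
            value = reading
        first = self._last_value is None
        last, self._last_value = self._last_value, value

        if value >= self.rthresh:
            self._falling_armed = True      # reaching rthresh re-arms falling
            if first:                       # startup alarm decides the first sample
                crossed = self.startup in ("rising", "either")
            else:
                crossed = last < self.rthresh
            if crossed and self._rising_armed:
                self._rising_armed = False
                return ("rising", self.revent)
        elif value <= self.fthresh:
            self._rising_armed = True       # reaching fthresh re-arms rising
            if first:
                crossed = self.startup in ("falling", "either")
            else:
                crossed = last > self.fthresh
            if crossed and self._falling_armed:
                self._falling_armed = False
                return ("falling", self.fevent)
        return None


def evaluate(alarm, readings):
    """Return [(sample_number, direction, event_index), ...] for the readings."""
    crossings = []
    for number, reading in enumerate(readings):
        result = alarm.sample(reading)
        if result:
            crossings.append((number, result[0], result[1]))
    return crossings


# Constructed counter readings for the alarm configured in the example above:
# type delta, rthresh 1, revent 2, everything else at its default.
DELTA_READINGS = [10, 10, 10, 12, 13, 13, 16, 16]
# Constructed absolute readings (for example collisions per interval).
ABSOLUTE_READINGS = [5, 35, 25, 40, 8, 31]

if __name__ == "__main__":
    page_alarm = RmonAlarm(sample_type="delta", rthresh=1, revent=2)
    print(evaluate(page_alarm, DELTA_READINGS))
    hysteresis = RmonAlarm(rthresh=30, fthresh=10, revent=1, fevent=2)
    # The second rise to 40 is suppressed: the value never reached fthresh.
    print(evaluate(hysteresis, ABSOLUTE_READINGS))
```

With fevent left at its default of 0, the falling crossings in the first run are detected but trigger no event entry, so only the rising crossings produce a log entry or trap.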
Event Group Commands
Purpose
To display and clear RMON events, and to configure RMON event properties.
Commands
For information about...     Refer to page...
show rmon event              15-13
set rmon event properties    15-14
set rmon event status        15-15
clear rmon event             15-15
show rmon event
Use this command to display RMON event entry properties.
Syntax
show rmon event [index]
Parameters
index    (Optional) Displays RMON properties and log entries for a specific entry
         index ID.
Defaults
If index is not specified, information about all RMON entries will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display RMON event entry 3:
C3(rw)->show rmon event 3
Index 3
----------------
Owner = Manager
Status = valid
Description = STP Topology change
Type = log-and-trap
Community = public
Last Time Sent = 0 days 0 hours 0 minutes 37 seconds
Table 15-3 provides an explanation of the command output.
Table 15-3 show rmon event Output Details
Output Field      What It Displays...
Index             Index number for this event entry.
Owner             Text string identifying who configured this entry.
Status            Whether this event entry is enabled (valid) or disabled.
Description       Text string description of this event.
Type              Whether the event notification will be a log entry, an SNMP trap, both, or none.
Community         SNMP community name if message type is set to trap.
Last Time Sent    When an event notification matching this entry was sent.
set rmon event properties
Use this command to configure an RMON event entry, or to create a new event entry with an
unused event index number.
Syntax
set rmon event properties index [description description] [type {none | log | trap
| both}] [community community] [owner owner]
Parameters
index                      Specifies an index number for this entry. Maximum number of entries is
                           100. Maximum value is 65535.
description description    (Optional) Specifies a text string description of this event.
type none | log |          (Optional) Specifies the type of RMON event notification as: none, a log
trap | both                table entry, an SNMP trap, or both a log entry and a trap message.
community community        (Optional) Specifies an SNMP community name to use if the message
                           type is set to trap. For details on setting SNMP traps and community
                           names, refer to Creating a Basic SNMP Trap Configuration on
                           page 8-37.
owner owner                (Optional) Specifies the name of the entity that configured this entry.
Defaults
If description is not specified, none will be applied.
If not specified, type none will be applied.
If owner is not specified, monitor will be applied.
Mode
Switch command, read-write.
set rmon event status
SecureStack C3 Configuration Guide 15-15
Example
ThisexampleshowshowtocreateandenableanRMONevententrycalledSTPtopology
changethatwillsendbothalogentryandanSNMPtrapmessagetothepubliccommunity:
C3( r w) - >set r mon event pr oper t i es 2 descr i pt i on " STP t opol ogy change" t ype bot h
communi t y publ i c owner Manager
set rmon event status
Use this command to enable an RMON event entry. An event entry describes the parameters of an RMON event that can be triggered. Events can be fired by RMON alarms and can be configured to create a log entry, generate a trap, or both.
Syntax
set rmon event status index enable
Parameters
index     Specifies an index number for this entry. Maximum number of entries is 100. Maximum value is 65535.
enable    Enables this event entry.
Defaults
None.
Mode
Switch command, read-write.
Usage
An RMON event entry can be created using this command, configured using the set rmon event properties command ("set rmon event properties" on page 15-14), then enabled using this command. An RMON event entry can be created and configured at the same time by specifying an unused index with the set rmon event properties command.
Example
This example shows how to enable RMON event entry 1:
C3(rw)->set rmon event status 1 enable
clear rmon event
Use this command to delete an RMON event entry and any associated log entries.
Syntax
clear rmon event index
Parameters
index     Specifies the index number of the entry to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear RMON event 1:
C3(rw)->clear rmon event 1
Filter Group Commands
The packet capture and filter function is disabled by default. Only one interface can be configured for capturing and filtering at a time.
When packet capture is enabled on an interface, the SecureStack C3 switch will capture 100 frames as close to sequentially as possible. These 100 frames will be placed into a buffer for inspection. If there is data in the buffer when the function is started, the buffer will be overwritten. Once 100 frames have been captured, the capture will stop. Filtering will be performed on the frames captured in the buffer. Therefore, only a subset of the frames captured will be available for display.
Note: Packet capture is sampling only and does not guarantee receipt of back to back packets.
One channel at a time can be supported, with up to three filters. Configured channel, filter, and buffer control information will be saved across resets, but captured frames within the buffer will not be saved.
This function cannot be used concurrently with port mirroring. The system will check to prevent concurrently enabling both functions, and a warning will be generated in the CLI if attempted.
Commands
For information about...      Refer to page...
show rmon channel             15-17
set rmon channel              15-18
clear rmon channel            15-19
show rmon filter              15-19
set rmon filter               15-20
clear rmon filter             15-21
show rmon channel
Use this command to display RMON channel entries for one or more ports.
Syntax
show rmon channel [port-string]
Parameters
port-string     (Optional) Displays RMON channel entries for a specific port(s).
Defaults
If port-string is not specified, information about all channels will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display RMON channel information for ge.2.12:
C3(rw)->show rmon channel ge.2.12
Port ge.2.12 Channel index= 628 EntryStatus= valid
----------------------------------------------------------
Control        off     AcceptType     matched
OnEventIndex   0       OffEventIndex  0
EventIndex     0       Status         ready
Matches        4498
Description    Thu Dec 16 12:57:32 EST 2004
Owner          NetSight smith
set rmon channel
Use this command to configure an RMON channel entry.
Syntax
set rmon channel index port-string [accept {matched | failed}] [control {on | off}] [description description] [owner owner]
Parameters
index                       Specifies an index number for this entry. An entry will automatically be created if an unused index number is chosen. Maximum number of entries is 2. Maximum value is 65535.
port-string                 Specifies the port on which traffic will be monitored.
accept matched | failed     (Optional) Specifies the action of the filters on this channel as:
                            matched - Packets will be accepted on filter matches
                            failed - Packets will be accepted if they fail a match
control on | off            (Optional) Enables or disables control of the flow of data through the channel.
description description     (Optional) Specifies a description for this channel.
owner owner                 (Optional) Specifies the name of the entity that configured this entry.
Defaults
If an action is not specified, packets will be accepted on filter matches.
If not specified, control will be set to off.
If a description is not specified, none will be applied.
If owner is not specified, it will be set to monitor.
Mode
Switch command, read-write.
Example
This example shows how to create an RMON channel entry:
C3(rw)->set rmon channel 54313 ge.2.12 accept failed control on description "capture all"
clear rmon channel
Use this command to clear an RMON channel entry.
Syntax
clear rmon channel index
Parameters
index     Specifies the channel entry to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear RMON channel entry 2:
C3(rw)->clear rmon channel 2
show rmon filter
Use this command to display one or more RMON filter entries.
Syntax
show rmon filter [index index | channel channel]
Parameters
index index | channel channel     (Optional) Displays information about a specific filter entry, or about all filters which belong to a specific channel.
Defaults
If no options are specified, information for all filter entries will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display all RMON filter entries and channel information:
C3(rw)->show rmon filter
Index= 55508 Channel Index= 628 EntryStatus= valid
----------------------------------------------------------
Data Offset      0     PktStatus         0
PktStatusMask    0     PktStatusNotMask  0
Owner            ETS,NAC-D
-----------------------------
Data
ff ff ff ff ff ff
-----------------------------
DataMask
ff ff ff ff ff ff
-----------------------------
DataNotMask
00 00 00 00 00 00
set rmon filter
Use this command to configure an RMON filter entry.
Syntax
set rmon filter index channel-index [offset offset] [status status] [smask smask] [snotmask snotmask] [data data] [dmask dmask] [dnotmask dnotmask] [owner owner]
Parameters
index                 Specifies an index number for this entry. An entry will automatically be created if an unused index number is chosen. Maximum number of entries is 10. Maximum value is 65535.
channel-index         Specifies the channel to which this filter will be applied.
offset offset         (Optional) Specifies an offset from the beginning of the packet to look for matches.
status status         (Optional) Specifies packet status bits that are to be matched.
smask smask           (Optional) Specifies the mask applied to status to indicate which bits are significant.
snotmask snotmask     (Optional) Specifies the inversion mask that indicates which bits should be set or not set.
data data             (Optional) Specifies the data to be matched.
dmask dmask           (Optional) Specifies the mask applied to data to indicate which bits are significant.
dnotmask dnotmask     (Optional) Specifies the inversion mask that indicates which bits should be set or not set.
owner                 (Optional) Specifies the name of the entity that configured this entry.
Defaults
If owner is not specified, it will be set to monitor.
If no other options are specified, none (0) will be applied.
Mode
Switch command, read-write.
Example
This example shows how to create RMON filter 1 and apply it to channel 9:
C3(rw)->set rmon filter 1 9 offset 30 data 0a154305 dmask ffffffff
clear rmon filter
Use this command to clear an RMON filter entry.
Syntax
clear rmon filter {index index | channel channel}
Parameters
index index | channel channel     Clears a specific filter entry, or all entries belonging to a specific channel.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear RMON filter entry 1:
C3(rw)->clear rmon filter index 1
Packet Capture Commands
Note that packet capture filter is sampling only and does not guarantee receipt of back to back packets.
Purpose
To display RMON capture entries, configure, enable, or disable capture entries, and clear capture entries.
Commands
For information about...      Refer to page...
show rmon capture             15-22
set rmon capture              15-23
clear rmon capture            15-24
show rmon capture
Use this command to display RMON capture entries and associated buffer control entries.
Syntax
show rmon capture [index [nodata]]
Parameters
index      (Optional) Displays the specified buffer control entry and all captured packets associated with that entry.
nodata     (Optional) Displays only the buffer control entry specified by index.
Defaults
If no options are specified, all buffer control entries and associated captured packets will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display RMON capture entries and associated buffer entries:
C3(rw)->show rmon capture
Buf.control= 28062 Channel= 38283 EntryStatus= valid
----------------------------------------------------------
FullStatus           avail     FullAction         lock
Captured packets     251       Capture slice      1518
Download size        100       Download offset    0
Max Octet Requested  50000     Max Octet Granted  50000
Start time           1 days 0 hours 51 minutes 15 seconds
Owner                monitor
captureEntry= 1 Buff.control= 28062
--------------------------------------------
Pkt ID       9     Pkt time    1 days 0 hours 51 minutes 15 seconds
Pkt Length   93    Pkt status  0
Data:
00 00 5e 00 01 01 00 01 f4 00 7d ce 08 00 45 00
00 4b b4 b9 00 00 40 11 32 5c 0a 15 43 05 86 8d
bf e5 00 a1 0e 2b 00 37 cf ca 30 2d 02 01 00 04
06 70 75 62 6c 69 63 a2 20 02 02 0c 92 02 01 00
02 01 00 30 14 30 12 06 0d 2b 06 01 02 01 10 07
01 01 0b 81 fd 1c 02 01 01 00 11 0b 00
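The following Python sketch is an added example, not part of the Enterasys guide. It applies the offset/data/dmask/dnotmask test from set rmon filter, the channel accept setting, and the capture-then-filter order described under Filter Group Commands to the frame shown in the show rmon capture output above. It assumes the switch follows the standard RMON filter-group match rule (RFC 2819); the class, function and constant names are hypothetical.

```python
from dataclasses import dataclass

# Frame bytes copied from the "show rmon capture" output above (Pkt ID 9, 93 octets).
CAPTURED_HEX = """
00 00 5e 00 01 01 00 01 f4 00 7d ce 08 00 45 00
00 4b b4 b9 00 00 40 11 32 5c 0a 15 43 05 86 8d
bf e5 00 a1 0e 2b 00 37 cf ca 30 2d 02 01 00 04
06 70 75 62 6c 69 63 a2 20 02 02 0c 92 02 01 00
02 01 00 30 14 30 12 06 0d 2b 06 01 02 01 10 07
01 01 0b 81 fd 1c 02 01 01 00 11 0b 00
"""
FRAME = bytes.fromhex("".join(CAPTURED_HEX.split()))

# Offsets for an untagged Ethernet II / IPv4 frame (an 802.1Q tag adds 4).
IPV4_SRC_OFFSET = 26
IPV4_DST_OFFSET = 30


@dataclass(frozen=True)
class RmonFilter:
    """Data-match fields of one 'set rmon filter' entry (hypothetical container)."""
    offset: int
    data: bytes
    dmask: bytes = b""     # if shorter than data, extended with 1 bits (assumed, per RFC 2819)
    dnotmask: bytes = b""  # if shorter than data, extended with 0 bits (assumed, per RFC 2819)

    @classmethod
    def from_cli(cls, offset, data, dmask="", dnotmask=""):
        """Build a filter from the hex strings as typed on the CLI."""
        return cls(offset, bytes.fromhex(data), bytes.fromhex(dmask), bytes.fromhex(dnotmask))


def data_matches(frame, flt):
    """Return True if the frame passes the filter's data test.

    Bits selected by dmask and clear in dnotmask must equal data. If any
    selected bits are also set in dnotmask, at least one of them must differ.
    A frame too short to cover offset + len(data) fails the test.
    """
    size = len(flt.data)
    window = frame[flt.offset:flt.offset + size]
    if len(window) < size:
        return False
    mask = flt.dmask + b"\xff" * (size - len(flt.dmask))
    notmask = flt.dnotmask + b"\x00" * (size - len(flt.dnotmask))
    inverted_bits_present = False
    inverted_bit_differs = False
    for pkt, want, m, n in zip(window, flt.data, mask, notmask):
        diff = (pkt ^ want) & m
        if diff & ~n & 0xFF:       # a must-equal bit differs
            return False
        if m & n:
            inverted_bits_present = True
        if diff & n:
            inverted_bit_differs = True
    return inverted_bit_differs or not inverted_bits_present


def channel_accepts(frame, filters, accept="matched"):
    """Apply the channel's 'accept {matched | failed}' setting to its filters."""
    if accept not in ("matched", "failed"):
        raise ValueError("accept must be 'matched' or 'failed'")
    hit = any(data_matches(frame, f) for f in filters)
    return hit if accept == "matched" else not hit


def visible_frames(frames, filters, accept="matched", buffer_frames=100):
    """Frames left for display: the first 100 frames are buffered, then filtered."""
    return [f for f in frames[:buffer_frames] if channel_accepts(f, filters, accept)]
```

In the captured frame, offset 26 holds the IPv4 source address 0a154305 and offset 30 the destination, so the guide's example filter (offset 30 data 0a154305 dmask ffffffff) selects frames addressed to that host and does not match this frame, which was sent by it.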
set rmon capture
Use this command to configure an RMON capture entry.
Syntax
set rmon capture index {channel [action {lock}] [slice slice] [loadsize loadsize] [offset offset] [asksize asksize] [owner owner]}
Parameters
index                 Specifies a buffer control entry.
channel               Specifies the channel to which this capture entry will be applied.
action lock           (Optional) Specifies the action of the buffer when it is full as:
                      lock - Packets will cease to be accepted
slice slice           (Optional) Specifies the maximum octets from each packet to be saved in a buffer. Currently, the only value allowed is 1518.
loadsize loadsize     (Optional) Specifies the maximum octets from each packet to be downloaded from the buffer. The default is 100.
offset offset         (Optional) Specifies the first octet from each packet that will be retrieved.
asksize asksize       (Optional) Specifies the requested maximum octets to be saved in this buffer. Currently, the only value accepted is 1, which requests as many octets as possible.
owner                 (Optional) Specifies the name of the entity that configured this entry.
Defaults
If not specified, action defaults to lock.
If not specified, offset defaults to 0.
If not specified, asksize defaults to 1 (which will request as many octets as possible).
If slice is not specified, 1518 will be applied.
If loadsize is not specified, 100 will be applied.
If owner is not specified, it will be set to monitor.
Mode
Switch command, read-write.
Example
This example shows how to create RMON capture entry 1 to listen on channel 628:
C3(rw)->set rmon capture 1 628
clear rmon capture
Use this command to clear an RMON capture entry.
Syntax
clear rmon capture index
Parameters
index     Specifies the capture entry to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear RMON capture entry 1:
C3(rw)->clear rmon capture 1
16
DHCP Server Configuration
This chapter describes the commands to configure the IPv4 DHCP server functionality on a SecureStack C3 switch.
For information about...                       Refer to page...
DHCP Overview                                  16-1
Configuring General DHCP Server Parameters     16-3
Configuring IP Address Pools                   16-12
DHCP Overview
Dynamic Host Configuration Protocol (DHCP) for IPv4 is a network layer protocol that implements automatic or manual assignment of IP addresses and other configuration information to client devices by servers. A DHCP server manages a user-configured pool of IP addresses from which it can make assignments upon client requests. A relay agent passes DHCP messages between clients and servers which are on different physical subnets.
DHCP Relay Agent
The DHCP/BOOTP relay agent function can be configured on all of the SecureStack C3's routing interfaces. The relay agent can forward a DHCP client's request to a DHCP server located on a different network if the address of the server is configured as a helper address on the receiving interface. The relay agent interface must be a VLAN which is configured with an IP address. Refer to the ip helper-address command ("ip helper-address" on page 19-18) for more information.
DHCP Server
DHCP server functionality allows the SecureStack C3 switch to provide basic IP configuration information to a client on the network who requests such information using the DHCP protocol.
DHCP provides the following mechanisms for IP address allocation by a DHCP server:
• Automatic - DHCP server assigns an IP address to a client for a limited period of time (or until the client explicitly relinquishes the address) from a defined pool of IP addresses configured on the server.
• Manual - A client's IP address is assigned by the network administrator, and DHCP is used simply to convey the assigned address to the client. This is managed by means of static address pools configured on the server.
The amount of time that a particular IP address is valid for a system is called a lease. The SecureStack C3 maintains a lease database which contains information about each assigned IP address, the MAC address to which it is assigned, the lease expiration, and whether the address assignment is dynamic (automatic) or static (manual). The DHCP lease database is stored in flash memory.
In addition to assigning IP addresses, the DHCP server can also be configured to assign the following to requesting clients:
• Default router(s)
• DNS server(s) and domain name
• NetBIOS WINS server(s) and node name
• Boot file
• DHCP options as defined by RFC 2132
Configuring a DHCP Server
For DHCP to function on SecureStack C3 systems, the system has to know about the IP network for which the DHCP pool is to be created.
On the C3, there are two ways to configure a DHCP server: one is to associate the DHCP address pool with the switch's host port IP address, and the other is to associate the DHCP address pool with a routed interface.
Since on a C3 system, the host port IP address cannot fall within a configured routed interface on the system, a typical C3 system configured with routing interfaces will not have a host port IP address. Therefore, all DHCP pools would be associated with routed interfaces.
Note: A total of 16 address pools, dynamic and/or static, and a maximum of 256 addresses for the entire switch, can be configured on the SecureStack C3.
The following tasks provide basic DHCP server functionality when the DHCP pool is associated with the system's host IP address. This procedure would typically be used when the C3 system is NOT configured for routing.
1. Configure the system (stack) host port IP address with the set ip address command. Once the system's IP address is configured, the system then knows about the configured subnet. For example:
   set ip address 192.0.0.50 mask 255.255.255.0
2. Enable DHCP server functionality on the system with the set dhcp enable command.
3. Configure an IP address pool for dynamic IP address assignment. The only required steps are to name the pool and define the network number and mask for the pool. Note that the pool has to be in the same subnet and use the same mask as the system host port IP address. For example:
   set dhcp pool auto-pool network 192.0.0.0 255.255.255.0
All DHCP clients served by this switch must be in the same VLAN as the system's host port.
The following tasks provide basic DHCP server functionality when the DHCP pool is associated with a routed interface.
1. Create a VLAN and add ports to the VLAN. Only DHCP clients associated with this VLAN will be served IP addresses from the DHCP address pool associated with this routed interface (VLAN). In this example, VLAN 6 is created and ports ge.1.1 through ge.1.10 are added to VLAN 6:
   set vlan create 6
   set port vlan ge.1.1-10 6
2. Create a routed interface for the VLAN in router configuration mode. In the following example, an IP address is associated with routed interface VLAN 6:
   In router configuration mode:
   interface vlan 6
   no shutdown
   ip address 6.6.1.1 255.255.0.0
3. Enable DHCP server functionality on the system with the set dhcp enable command.
4. Create the DHCP address pool. The only required steps are to name the pool and define the network number and mask for the pool. Note that the pool has to be in the same subnet as the routed interface and use the same mask configured on the routed interface. For example:
   set dhcp pool auto-pool network 6.6.0.0 255.255.0.0
DHCP clients in VLAN 6 will be served IP addresses from this DHCP address pool.
Optional DHCP server tasks include:
• You can limit the scope of addresses assigned to a pool for dynamic address assignment with the set dhcp exclude command. Up to 128 non-overlapping address ranges can be excluded on the SecureStack C3. For example:
   set dhcp exclude 192.0.0.1 192.0.0.10
• Configure static address pools for manual address assignment. The only required steps are to name the pool, configure either the hardware address of the client or the client identifier, and configure the IP address and mask for the manual binding. For example:
   set dhcp pool static-pool hardware-address 0011.2233.4455
   set dhcp pool static-pool host 192.0.0.200 255.255.255.0
• Set other DHCP server parameters such as the number of ping packets to be sent before assigning an IP address, or enabling conflict logging.
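The following Python sketch is an added example, not part of the Enterasys guide. It checks a planned DHCP layout against the constraints stated in the procedures above (pool subnet and mask equal to the host port or routed interface, at most 16 pools, pool names of up to 31 characters, at most 128 non-overlapping exclude ranges, manual bindings inside an interface subnet) and then renders the set dhcp commands using the syntax shown on this page. The function names and the plan format are hypothetical.

```python
import ipaddress

MAX_POOLS = 16       # "A total of 16 address pools, dynamic and/or static"
MAX_EXCLUDES = 128   # "Up to 128 non-overlapping address ranges can be excluded"
MAX_NAME_LEN = 31    # "Pool names may be up to 31 characters in length"


def check_dhcp_plan(interfaces, pools, excludes, hosts=None):
    """Return a list of problems found in a planned DHCP server configuration.

    interfaces: host port / routed interface addresses, e.g. "192.0.0.50/255.255.255.0"
    pools:      {pool name: "network/mask"} for automatic pools
    excludes:   [(low, high or None)] as given to 'set dhcp exclude'
    hosts:      {pool name: "ip/mask"} for manual bindings
    """
    hosts = hosts or {}
    problems = []
    subnets = [ipaddress.ip_interface(i).network for i in interfaces]

    total = len(pools) + len(hosts)
    if total > MAX_POOLS:
        problems.append(f"{total} pools planned, limit is {MAX_POOLS}")
    for name in list(pools) + list(hosts):
        if len(name) > MAX_NAME_LEN:
            problems.append(f"pool {name}: name longer than {MAX_NAME_LEN} characters")

    for name, spec in pools.items():
        try:
            net = ipaddress.ip_network(spec)  # strict: rejects host bits in the network number
        except ValueError as exc:
            problems.append(f"pool {name}: {exc}")
            continue
        if net not in subnets:
            problems.append(f"pool {name}: {net} matches no interface subnet and mask")

    for name, spec in hosts.items():
        addr = ipaddress.ip_interface(spec).ip
        if not any(addr in net for net in subnets):
            problems.append(f"pool {name}: host {addr} is outside every interface subnet")

    if len(excludes) > MAX_EXCLUDES:
        problems.append(f"{len(excludes)} exclude ranges planned, limit is {MAX_EXCLUDES}")
    ranges = []
    for low, high in excludes:
        lo = ipaddress.ip_address(low)
        hi = ipaddress.ip_address(high) if high else lo
        if hi < lo:
            problems.append(f"exclude {low} {high}: high address is below low address")
        else:
            ranges.append((lo, hi))
    covered = None  # highest address excluded so far
    for lo, hi in sorted(ranges):
        if covered is not None and lo <= covered:
            problems.append(f"exclude {lo}-{hi} overlaps an earlier range")
        covered = hi if covered is None else max(covered, hi)
    return problems


def render_commands(pools, excludes):
    """Render the CLI lines for a plan that passed check_dhcp_plan."""
    cmds = ["set dhcp enable"]
    for name, spec in pools.items():
        net = ipaddress.ip_network(spec)
        cmds.append(f"set dhcp pool {name} network {net.network_address} {net.netmask}")
    for low, high in excludes:
        cmds.append(f"set dhcp exclude {low}" + (f" {high}" if high else ""))
    return cmds
```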
Note: The IP address of the system's host port or the routed interface is automatically excluded.
Configuring General DHCP Server Parameters
Purpose
To configure DHCP server parameters, and to display and clear address binding information, server statistics, and conflict information.
Commands
For information about...         Refer to page...
set dhcp                         16-4
set dhcp bootp                   16-4
set dhcp conflict logging        16-5
show dhcp conflict               16-5
clear dhcp conflict              16-6
set dhcp exclude                 16-7
clear dhcp exclude               16-7
set dhcp ping                    16-8
clear dhcp ping                  16-8
show dhcp binding                16-9
clear dhcp binding               16-9
show dhcp server statistics      16-10
clear dhcp server statistics     16-10
set dhcp
Use this command to enable or disable the DHCP server functionality on the SecureStack C3.
Syntax
set dhcp {enable | disable}
Parameters
enable | disable     Enables or disables DHCP server functionality. By default, DHCP server is disabled.
Defaults
None.
Mode
Switch command, read-write.
Example
This example enables DHCP server functionality.
C3(rw)->set dhcp enable
set dhcp bootp
Use this command to enable or disable automatic address allocation for BOOTP clients. By default, address allocation for BOOTP clients is disabled. Refer to RFC 1534, "Interoperation Between DHCP and BOOTP," for more information.
Syntax
set dhcp bootp {enable | disable}
Parameters
enable | disable     Enables or disables address allocation for BOOTP clients.
Defaults
None.
Mode
Switch command, read-write.
Example
This example enables address allocation for BOOTP clients.
C3(rw)->set dhcp bootp enable
set dhcp conflict logging
Use this command to enable conflict logging. By default, conflict logging is enabled. Use the clear dhcp conflict logging command to disable conflict logging.
Syntax
set dhcp conflict logging
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example enables DHCP conflict logging.
C3(rw)->set dhcp conflict logging
show dhcp conflict
Use this command to display conflict information, for one address or all addresses.
Syntax
show dhcp conflict [address]
Parameters
address     (Optional) Specifies the address for which to display conflict information.
Defaults
If no address is specified, conflict information for all addresses is displayed.
Mode
Read-only.
Example
This example displays conflict information for all addresses. Note that ping is the only detection method used.
C3(ro)->show dhcp conflict
IP address     Detection Method     Detection Time
-----------    ----------------     ---------------
192.0.0.2      Ping                 0 days 19h:01m:23s
192.0.0.3      Ping                 0 days 19h:00m:46s
192.0.0.4      Ping                 0 days 19h:01m:25s
192.0.0.12     Ping                 0 days 19h:01m:26s
clear dhcp conflict
Use this command to clear conflict information for one or all addresses, or to disable conflict logging.
Syntax
clear dhcp conflict {logging | ip-address | *}
Parameters
logging        Disables conflict logging.
ip-address     Clears the conflict information for the specified IP address.
*              Clears the conflict information for all IP addresses.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example disables DHCP conflict logging.
C3(rw)->clear dhcp conflict logging
This example clears the conflict information for the IP address 192.0.0.2.
C3(rw)->clear dhcp conflict 192.0.0.2
set dhcp exclude
Use this command to configure the IP addresses that the DHCP server should not assign to DHCP clients. Multiple address ranges can be configured but the ranges cannot overlap. Up to 128 non-overlapping address ranges can be excluded.
Syntax
set dhcp exclude low-ipaddr [high-ipaddr]
Parameters
low-ipaddr      Specifies the first IP address in the address range to be excluded from assignment.
high-ipaddr     (Optional) Specifies the last IP address in the address range to be excluded.
Defaults
None.
Mode
Switch command, read-write.
Example
This example first configures the address pool named "auto1" with 255 addresses for the Class C network 172.20.28.0, with the set dhcp pool network command. Then, the example limits the scope of the addresses that can be assigned by a DHCP server by excluding addresses 172.20.28.80-100, with the set dhcp exclude command.
C3(rw)->set dhcp pool auto1 network 172.20.28.0 24
C3(rw)->set dhcp exclude 172.20.28.80 172.20.28.100
clear dhcp exclude
Use this command to clear the configured IP addresses that the DHCP server should not assign to DHCP clients.
Syntax
clear dhcp exclude low-ipaddr [high-ipaddr]
Parameters
low-ipaddr      Specifies the first IP address in the address range to be cleared.
high-ipaddr     (Optional) Specifies the last IP address in the address range to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears the previously excluded range of IP addresses between 192.168.1.88 through 192.168.1.100.
C3(rw)->clear dhcp exclude 192.168.1.88 192.168.1.100
set dhcp ping
Use this command to configure the number of ping packets the DHCP server sends to an IP address before assigning the address to a requesting client.
Syntax
set dhcp ping packets number
Parameters
packets number     Specifies the number of ping packets to be sent. The value of number can be 0, or range from 2 to 10. Entering 0 disables this function. The default value is 2 packets.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the number of ping packets sent to 3.
C3(rw)->set dhcp ping packets 3
clear dhcp ping
Use this command to reset the number of ping packets sent by the DHCP server back to the default value of 2.
Syntax
clear dhcp ping packets
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example resets the number of ping packets sent back to the default value.
C3(rw)->clear dhcp ping packets
show dhcp binding
Use this command to display binding information for one or all IP addresses.
Syntax
show dhcp binding [ip-address]
Parameters
ip-address     (Optional) Specifies the IP address for which to display binding information.
Defaults
If no IP address is specified, binding information for all addresses is displayed.
Mode
Read-only.
Example
This example displays binding information about all addresses.
C3(rw)->show dhcp binding
IP address     Hardware Address      Lease Expiration     Type
----------     -----------------     ----------------     ---------
192.0.0.6      00:33:44:56:22:39     00:11:02             Automatic
192.0.0.8      00:33:44:56:22:33     00:10:22             Automatic
192.0.0.10     00:33:44:56:22:34     00:09:11             Automatic
192.0.0.11     00:33:44:56:22:35     00:10:05             Automatic
192.0.0.12     00:33:44:56:22:36     00:10:30             Automatic
192.0.0.13     00:33:44:56:22:37     infinite             Manual
192.0.0.14     00:33:44:56:22:38     infinite             Manual
clear dhcp binding
Use this command to clear (delete) one or all DHCP address bindings.
Syntax
clear dhcp binding {ip-addr | *}
Parameters
ip-addr     Specifies the IP address for which to clear/delete the DHCP binding.
*           Deletes all address bindings.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the DHCP address binding for IP address 192.168.1.1.
C3(rw)->clear dhcp binding 192.168.1.1
show dhcp server statistics
Use this command to display DHCP server statistics.
Syntax
show dhcp server statistics
Parameters
None.
Defaults
None.
Mode
Read-only.
Example
This example displays server statistics.
C3(ro)->show dhcp server statistics
Automatic Bindings     36
Expired Bindings       6
Malformed Bindings     0
Messages               Received
----------             ----------
DHCP DISCOVER          382
DHCP REQUEST           3855
DHCP DECLINE           0
DHCP RELEASE           67
DHCP INFORM            1
Messages               Sent
----------             ------
DHCP OFFER             381
DHCP ACK               727
DHCP NACK              2
clear dhcp server statistics
Use this command to clear all DHCP server counters.
Syntax
clear dhcp server statistics
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears all DHCP server counters.
C3(rw)->clear dhcp server statistics
Configuring IP Address Pools
Manual Pool Configuration Considerations
• The subnet of the IP address being issued should be on the same subnet as the ingress interface (that is, the subnet of the host IP address of the switch, or if routing interfaces are configured, the subnet of the routing interface).
• A manual pool can be configured using either the client's hardware address (set dhcp pool hardware-address) or the client's client-identifier (set dhcp pool client-identifier), but using both is not recommended.
• If the incoming DHCP request packet contains a client-identifier, then a manual pool configured with that client-identifier must exist on the switch in order for the request to be processed. The hardware address is not checked.
• A hardware address and type (Ethernet or IEEE 802) configured in a manual pool is checked only when a client-identifier is not also configured for the pool and the incoming DHCP request packet does not include a client-identifier option.
Purpose
To configure and clear DHCP address pool parameters, and to display address pool configuration information.
Note: A total of 16 address pools, dynamic and/or static, can be configured on the SecureStack C3.
Commands
For information about...                Refer to page...
set dhcp pool                           16-13
clear dhcp pool                         16-14
set dhcp pool network                   16-14
clear dhcp pool network                 16-15
set dhcp pool hardware-address          16-15
clear dhcp pool hardware-address        16-16
set dhcp pool host                      16-16
clear dhcp pool host                    16-17
set dhcp pool client-identifier         16-17
clear dhcp pool client-identifier       16-18
set dhcp pool client-name               16-19
clear dhcp pool client-name             16-19
set dhcp pool bootfile                  16-20
clear dhcp pool bootfile                16-20
set dhcp pool next-server               16-21
clear dhcp pool next-server             16-21
set dhcp pool lease                     16-22
clear dhcp pool lease                   16-22
set dhcp pool default-router            16-23
clear dhcp pool default-router          16-23
set dhcp pool dns-server                16-24
clear dhcp pool dns-server              16-24
set dhcp pool domain-name               16-25
clear dhcp pool domain-name             16-25
set dhcp pool netbios-name-server       16-26
clear dhcp pool netbios-name-server     16-26
set dhcp pool netbios-node-type         16-27
clear dhcp pool netbios-node-type       16-27
set dhcp pool option                    16-28
clear dhcp pool option                  16-29
show dhcp pool configuration            16-29
set dhcp pool
Use this command to create and assign a name to a DHCP server pool of addresses. Up to 16 address pools may be configured on a SecureStack C3. Note that entering this command is not required to create an address pool before configuring other address pool parameters.
Syntax
set dhcp pool poolname
Parameters
poolname     Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example creates an address pool named "auto1".
C3(rw)->set dhcp pool auto1
clear dhcp pool
Use this command to delete a DHCP server pool of addresses.
Syntax
clear dhcp pool poolname
Parameters
poolname     Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the address pool named "auto1".
C3(rw)->clear dhcp pool auto1
set dhcp pool network
Use this command to configure the subnet number and mask for an automatic DHCP address pool.
Syntax
set dhcp pool poolname network number {mask | prefix-length}
Parameters
poolname          Specifies the name of the address pool. Pool names may be up to 31 characters in length.
number            Specifies an IP subnet for the address pool.
mask              Specifies the subnet mask in dotted quad notation.
prefix-length     Specifies the subnet mask as an integer.
Defaults
None.
Mode
Switch command, read-write.
Usage
Use this command to configure a set of IP addresses to be assigned by the DHCP server using the specified address pool. In order to limit the scope of the addresses configured with this command, use the set dhcp exclude command on page 16-7.
Examples
This example configures the IP subnet 172.20.28.0 with a prefix length of 24 for the automatic DHCP pool named "auto1". Alternatively, the mask could have been specified as 255.255.255.0.
C3(rw)->set dhcp pool auto1 network 172.20.28.0 24
This example limits the scope of 255 addresses created for the Class C network 172.20.28.0 by the previous example, by excluding addresses 172.20.28.80-100.
C3(rw)->set dhcp exclude 172.20.28.80 172.20.28.100
clear dhcp pool network
UsethiscommandtoremovethenetworknumberandmaskofaDHCPserverpoolofaddresses.
Syntax
clear dhcp pool poolname network
Parameters
Defaults
None.
Mode
Switchcommand,readwrite.
Example
Thisexampledeletesthenetworkandmaskfromtheaddresspoolnamedauto1.
C3( r w) - >cl ear dhcp pool aut o1 net wor k
set dhcp pool hardware-address
UsethiscommandtoconfiguretheMACaddressoftheDHCPclientandcreateanaddresspool
formanualbinding.Youcanuseeitherthiscommandorthesetdhcppoolclientidentifier
commandtocreateamanualbindingpool,butusingbothisnotrecommended.
Syntax
set dhcp pool poolname hardware-address hw-addr [ type]
Parameters
poolname Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31
charactersinlength.
poolname Specifiesthenameoftheaddresspool.Poolnamesmaybeupto31
charactersinlength.
hwaddr SpecifiestheMACaddressoftheclientshardwareplatform.Thisvalue
canbeenteredusingdottedhexadecimalnotationorcolons.
type (Optional)Specifiestheprotocolofthehardwareplatform.Validvalues
are1forEthernetor6forIEEE802.Defaultvalueis1,Ethernet.
Defaults
If no type is specified, Ethernet is assumed.
Mode
Switch command, read-write.
Example
This example specifies 0001.f401.2710 as the Ethernet MAC address for the manual address pool named manual1. Alternatively, the MAC address could have been entered as 00:01:f4:01:27:10.
C3(rw)->set dhcp pool manual1 hardware-address 0001.f401.2710
clear dhcp pool hardware-address
Use this command to remove the hardware address of a DHCP client from a manual binding address pool.
Syntax
clear dhcp pool poolname hardware-address
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the client hardware address from the address pool named manual1.
C3(rw)->clear dhcp pool manual1 hardware-address
set dhcp pool host
Use this command to configure an IP address and network mask for a manual DHCP binding.
Syntax
set dhcp pool poolname host ip-address [mask | prefix-length]
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
ip-address    Specifies the IP address for manual binding.
mask    (Optional) Specifies the subnet mask in dotted quad notation.
prefix-length    (Optional) Specifies the subnet mask as an integer.
Defaults
If a mask or prefix is not specified, the class A, B, or C natural mask will be used.
Mode
Switch command, read-write.
Example
This example shows how to configure the minimum requirements for a manual binding address pool. First, the hardware address of the client's hardware platform is configured, followed by configuration of the address to be assigned to that client manually.
C3(rw)->set dhcp pool manual1 hardware-address 0001.f401.2710
C3(rw)->set dhcp pool manual1 host 15.12.1.99 255.255.248.0
clear dhcp pool host
Use this command to remove the host IP address from a manual binding address pool.
Syntax
clear dhcp pool poolname host
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the host IP address from the address pool named manual1.
C3(rw)->clear dhcp pool manual1 host
set dhcp pool client-identifier
Use this command to configure the client identifier of the DHCP client and create an address pool for manual binding. You can use either this command or the set dhcp pool hardware-address command to create a manual binding pool, but using both is not recommended.
Syntax
set dhcp pool poolname client-identifier id
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
id    Specifies the unique client identifier for this client. The value must be entered in xx:xx:xx:xx:xx:xx format.
Defaults
None.
Mode
Switch command, read-write.
Usage
The client identifier is formed by concatenating the media type and the MAC address. For example, if the client hardware type is Ethernet and the client MAC address is 00:01:22:33:44:55, then the client identifier configured with this command must be 01:00:01:22:33:44:55.
Example
This example shows how to configure the minimum requirements for a manual binding address pool, using a client identifier rather than the hardware address of the client's hardware platform.
C3(rw)->set dhcp pool manual2 client-identifier 01:00:01:22:33:44:55
C3(rw)->set dhcp pool manual2 host 10.12.1.10 255.255.255.0
clear dhcp pool client-identifier
Use this command to remove the unique identifier of a DHCP client from a manual binding address pool.
Syntax
clear dhcp pool poolname client-identifier
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the client identifier from the address pool named manual1.
C3(rw)->clear dhcp pool manual1 client-identifier
set dhcp pool client-name
Use this command to assign a name to a DHCP client when creating an address pool for manual binding.
Syntax
set dhcp pool poolname client-name name
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
name    Specifies the name to be assigned to this client. Client names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example configures the client name appsvr1 to the manual binding pool manual2.
C3(rw)->set dhcp pool manual2 client-identifier 01:22:33:44:55:66
C3(rw)->set dhcp pool manual2 host 10.12.1.10 255.255.255.0
C3(rw)->set dhcp pool manual2 client-name appsvr1
clear dhcp pool client-name
Use this command to delete a DHCP client name from an address pool for manual binding.
Syntax
clear dhcp pool poolname client-name
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the client name from the manual binding pool manual2.
C3(rw)->clear dhcp pool manual2 client-name
set dhcp pool bootfile
Use this command to specify a default boot image for the DHCP clients who will be served by the address pool being configured.
Syntax
set dhcp pool poolname bootfile filename
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
filename    Specifies the boot image file name.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the boot image filename for address pool named auto1.
C3(rw)->set dhcp pool auto1 bootfile image1.img
clear dhcp pool bootfile
Use this command to remove a default boot image from the address pool being configured.
Syntax
clear dhcp pool poolname bootfile
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the boot image filename from address pool named auto1.
C3(rw)->clear dhcp pool auto1 bootfile
set dhcp pool next-server
Use this command to specify the file server from which the default boot image is to be loaded by the client.
Syntax
set dhcp pool poolname next-server ip-address
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
ip-address    Specifies the IP address of the file server the DHCP client should contact to load the default boot image.
Defaults
None.
Mode
Switch command, read-write.
Example
This example specifies the file server from which clients being served by address pool auto1 should download the boot image file image1.img.
C3(rw)->set dhcp pool auto1 bootfile image1.img
C3(rw)->set dhcp pool auto1 next-server 10.1.1.10
clear dhcp pool next-server
Use this command to remove the boot image file server from the address pool being configured.
Syntax
clear dhcp pool poolname next-server
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the file server from address pool auto1.
C3(rw)->clear dhcp pool auto1 next-server
set dhcp pool lease
Use this command to specify the duration of the lease for an IP address assigned by the DHCP server from the address pool being configured.
Syntax
set dhcp pool poolname lease {days [hours [minutes]] | infinite}
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
days    Specifies the number of days an address lease will remain valid. Value can range from 0 to 59.
hours    (Optional) When a days value has been assigned, specifies the number of hours an address lease will remain valid. Value can range from 0 to 1439.
minutes    (Optional) When a days value and an hours value have been assigned, specifies the number of minutes an address lease will remain valid. Value can range from 0 to 86399.
infinite    Specifies that the duration of the lease will be unlimited.
Defaults
If no lease time is specified, a lease duration of 1 day is configured.
Mode
Switch command, read-write.
Example
This example configures a lease duration of 12 hours for the address pool being configured. Note that to configure a lease time less than one day, enter 0 for days, then the number of hours and minutes.
C3(rw)->set dhcp pool auto1 lease 0 12
clear dhcp pool lease
Use this command to restore the default lease time value of one day for the address pool being configured.
Syntax
clear dhcp pool poolname lease
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
Clears the lease time for this address pool to the default value of one day.
Mode
Switch command, read-write.
Example
This example restores the default lease duration of one day for address pool auto1.
C3(rw)->clear dhcp pool auto1 lease
set dhcp pool default-router
Use this command to specify a default router list for the DHCP clients served by the address pool being configured. Up to 8 default routers can be configured.
Syntax
set dhcp pool poolname default-router address [address2 ... address8]
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
address    Specifies the IP address of a default router.
address2 ... address8    (Optional) Specifies, in order of preference, up to 7 additional default router addresses.
Defaults
None.
Mode
Switch command, read-write.
Example
This example assigns a default router at 10.10.10.1 to the address pool named auto1.
C3(rw)->set dhcp pool auto1 default-router 10.10.10.1
clear dhcp pool default-router
Use this command to delete the default routers configured for this address pool.
Syntax
clear dhcp pool poolname default-router
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the default router from the address pool auto1.
C3(rw)->clear dhcp pool auto1 default-router
set dhcp pool dns-server
Use this command to specify one or more DNS servers for the DHCP clients served by the address pool being configured. Up to 8 DNS servers can be configured.
Syntax
set dhcp pool poolname dns-server address [address2 ... address8]
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
address    Specifies the IP address of a DNS server.
address2 ... address8    (Optional) Specifies, in order of preference, up to 7 additional DNS server addresses.
Defaults
None.
Mode
Switch command, read-write.
Example
This example assigns a DNS server at 10.14.10.1 to the address pool auto1.
C3(rw)->set dhcp pool auto1 dns-server 10.14.10.1
clear dhcp pool dns-server
Use this command to remove the DNS server list from the address pool being configured.
Syntax
clear dhcp pool poolname dns-server
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the DNS server list from the address pool auto1.
C3(rw)->clear dhcp pool auto1 dns-server
set dhcp pool domain-name
Use this command to specify a domain name to be assigned to DHCP clients served by the address pool being configured.
Syntax
set dhcp pool poolname domain-name domain
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
domain    Specifies the domain name string. The domain name can be up to 255 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example assigns the mycompany.com domain name to the address pool auto1.
C3(rw)->set dhcp pool auto1 domain-name mycompany.com
clear dhcp pool domain-name
Use this command to remove the domain name from the address pool being configured.
Syntax
clear dhcp pool poolname domain-name
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the domain name from the address pool auto1.
C3(rw)->clear dhcp pool auto1 domain-name
set dhcp pool netbios-name-server
Use this command to assign one or more NetBIOS name servers for the DHCP clients served by the address pool being configured. Up to 8 NetBIOS name servers can be configured.
Syntax
set dhcp pool poolname netbios-name-server address [address2 ... address8]
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
address    Specifies the IP address of a NetBIOS name server.
address2 ... address8    (Optional) Specifies, in order of preference, up to 7 additional NetBIOS name server addresses.
Defaults
None.
Mode
Switch command, read-write.
Example
This example assigns a NetBIOS name server at 10.15.10.1 to the address pool being configured.
C3(rw)->set dhcp pool auto1 netbios-name-server 10.15.10.1
clear dhcp pool netbios-name-server
Use this command to remove the NetBIOS name server list from the address pool being configured.
Syntax
clear dhcp pool poolname netbios-name-server
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the NetBIOS name server list from the address pool auto1.
C3(rw)->clear dhcp pool auto1 netbios-name-server
set dhcp pool netbios-node-type
Use this command to specify a NetBIOS node (server) type for the DHCP clients served by the address pool being configured.
Syntax
set dhcp pool poolname netbios-node-type {b-node | h-node | p-node | m-node}
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
b-node    Specifies the NetBIOS node type to be broadcast (no WINS).
h-node    Specifies the NetBIOS node type to be hybrid (WINS, then broadcast).
p-node    Specifies the NetBIOS node type to be peer (WINS only).
m-node    Specifies the NetBIOS node type to be mixed (broadcast, then WINS).
Defaults
None.
Mode
Switch command, read-write.
Example
This example specifies hybrid as the NetBIOS node type for the address pool auto1.
C3(rw)->set dhcp pool auto1 netbios-node-type h-node
clear dhcp pool netbios-node-type
Use this command to remove the NetBIOS node type from the address pool being configured.
Syntax
clear dhcp pool poolname netbios-node-type
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the NetBIOS node type from the address pool auto1.
C3(rw)->clear dhcp pool auto1 netbios-node-type
set dhcp pool option
Use this command to configure DHCP options, described in RFC 2132.
Syntax
set dhcp pool poolname option code {ascii string | hex string-list | ip address-list}
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
code    Specifies the DHCP option code, as defined in RFC 2132. Value can range from 1 to 254.
ascii string    Specifies the data in ASCII format. An ASCII character string containing a space must be enclosed in quotations.
hex string-list    Specifies the data in HEX format. Up to 8 HEX strings can be entered.
ip address-list    Specifies the data in IP address format. Up to 8 IP addresses can be entered.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example configures DHCP option 19, which specifies whether the client should configure its IP layer for packet forwarding. In this case, IP forwarding is enabled with the 01 value.
C3(rw)->set dhcp pool auto1 option 19 hex 01
This example configures DHCP option 72, which assigns one or more Web servers for DHCP clients. In this case, two Web server addresses are configured.
C3(rw)->set dhcp pool auto1 option 72 ip 168.24.3.252 168.24.3.253
clear dhcp pool option
Use this command to remove a DHCP option from the address pool being configured.
Syntax
clear dhcp pool poolname option code
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
code    Specifies the DHCP option code, as defined in RFC 2132. Value can range from 1 to 254.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes option 19 from address pool auto1.
C3(rw)->clear dhcp pool auto1 option 19
show dhcp pool configuration
Use this command to display configuration information for one or all address pools.
Syntax
show dhcp pool configuration {poolname | all}
Parameters
poolname    Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Read-only.
Example
This example displays configuration information for all address pools.
C3(rw)->show dhcp pool configuration all
Pool: Atg_Pool
Pool Type                Dynamic
Network                  192.0.0.0 255.255.255.0
Lease Time               1 days 0 hrs 0 mins
Default Routers          192.0.0.1
Pool: static1
Pool Type                Manual
Client Name              appsvr1
Client Identifier        01:00:01:f4:01:27:10
Host                     10.1.1.1 255.0.0.0
Lease Time               infinite
Option                   19 hex 01
Pool: static2
Pool Type                Manual
Hardware Address         00:01:f4:01:27:10
Hardware Address Type    ieee802
Host                     192.168.10.1 255.255.255.0
Lease Time               infinite
17
DHCP Snooping and Dynamic ARP Inspection
This chapter describes two security features:
• DHCP snooping, which monitors DHCP messages between a DHCP client and DHCP server to filter harmful DHCP messages and to build a database of authorized address bindings
• Dynamic ARP inspection, which uses the bindings database created by the DHCP snooping feature to reject invalid and malicious ARP packets
This chapter contains the following sections:
• DHCP Snooping Overview
• DHCP Snooping Commands
• Dynamic ARP Inspection Overview
• Dynamic ARP Inspection Commands
DHCP Snooping Overview
DHCP snooping monitors DHCP messages between DHCP clients and DHCP servers to filter harmful DHCP messages and to build a bindings database of {MAC address, IP address, VLAN ID, port} tuples that are considered authorized.
DHCP snooping is disabled globally and on all VLANs by default. Ports are untrusted by default. DHCP snooping must be enabled globally and on specific VLANs. Ports within the VLANs must be configured as trusted or untrusted. DHCP servers must be reached through trusted ports.
DHCP snooping enforces the following security rules:
• DHCP packets from a DHCP server (DHCPOFFER, DHCPACK, DHCPNAK) are dropped if received on an untrusted port.
• DHCPRELEASE and DHCPDECLINE messages are dropped if they are for a MAC address in the snooping database but the binding's interface in the database is different from the interface where the message was received.
• On untrusted interfaces, the switch drops DHCP packets whose source MAC address does not match the client hardware address. This feature is a configurable option.
DHCP Message Processing
The hardware identifies all incoming DHCP packets on ports where DHCP snooping is enabled. On untrusted ports, the hardware traps all incoming DHCP packets to the CPU. On trusted ports, the hardware forwards client messages and copies server messages to the CPU so DHCP snooping can learn the binding.
The DHCP snooping application processes incoming DHCP messages. For DHCPRELEASE and DHCPDECLINE messages, the application compares the receive interface and VLAN with the client's interface and VLAN in the bindings database. If the interfaces do not match, the application logs the event and drops the message. For valid client messages, DHCP snooping compares the source MAC address to the DHCP client hardware address. Where there is a mismatch, DHCP snooping logs and drops the packet. You can disable this feature using the set dhcpsnooping verify mac-address disable command.
DHCP snooping can be configured on switching VLANs and routing VLANs. When a DHCP packet is received on a routing VLAN, the DHCP snooping application applies its filtering rules and updates the bindings database. If a client message passes filtering rules, the message is placed into the software forwarding path, where it may be processed by the DHCP relay agent, the local DHCP server, or forwarded as an IP packet.
DHCP snooping forwards valid DHCP client messages received on non-routing VLANs. The message is forwarded on all trusted interfaces in the VLAN. If a DHCP relay agent or local DHCP server coexist with the DHCP snooping feature, DHCP client messages will be sent to the DHCP relay agent or local DHCP server to process further.
The DHCP snooping application does not forward server messages since they are forwarded in hardware.
Building and Maintaining the Database
The DHCP snooping application uses DHCP messages to build and maintain the bindings database. The bindings database includes only data for clients on untrusted ports. The bindings database includes the following information for each entry:
• Client MAC address
• Client IP address
• Time when client's lease expires
• Client VLAN ID
• Client port
DHCP snooping creates a tentative binding from DHCP DISCOVER and REQUEST messages. Tentative bindings tie a client to a port (the port where the DHCP client message was received). Tentative bindings are completed when DHCP snooping learns the client's IP address from a DHCP ACK message on a trusted port. DHCP snooping removes bindings in response to DECLINE, RELEASE, and NACK messages. The DHCP snooping application ignores the ACK messages sent in reply to the DHCP Inform messages received on trusted ports. You can also enter static bindings into the bindings database.
When a switch learns of new bindings or when it loses bindings, the switch immediately updates the entries in the database.
If the absolute lease time of a snooping database entry expires, then that entry will be removed. Care should be taken to ensure that system time is consistent across the reboots. Otherwise, snooping entries will not expire properly. If a host sends a DHCP RELEASE message while the switch is rebooting, when the switch receives a DHCP DISCOVERY or REQUEST message, the client's binding will go to a tentative binding state.
Note: If the switch has been configured as a DHCP relay agent, to forward client requests to a DHCP server that does not reside on the same broadcast domain as the client, MAC address verification should be disabled in order to allow DHCP RELEASE packets to be processed by the DHCP snooping functionality and client bindings removed from the bindings database.
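The filtering rules and the binding life cycle described above can be followed step by step in a small model. This is an added example, not Enterasys firmware code: the class and field names are hypothetical, the MAC addresses in the demo are constructed, and leaving an existing binding untouched when a new DISCOVER or REQUEST arrives is an assumption the guide does not spell out.

```python
from dataclasses import dataclass

SERVER_KINDS = {"OFFER", "ACK", "NAK"}

@dataclass
class DhcpMsg:
    kind: str          # DISCOVER, REQUEST, RELEASE, DECLINE, OFFER, ACK or NAK
    src_mac: str       # source MAC address of the Ethernet frame
    chaddr: str        # client hardware address carried in the DHCP payload
    vlan: int
    port: str          # port on which the switch received the frame
    yiaddr: str = ""   # address assigned by the server (ACK only)
    lease: int = 0     # lease length in seconds (ACK only)

@dataclass
class Binding:
    mac: str
    vlan: int
    port: str
    ip: str = ""       # empty while the binding is still tentative
    expires: float = 0.0

class Snooper:
    """Software model of the snooping application on one switch."""

    def __init__(self, trusted_ports, verify_mac=True):
        self.trusted = set(trusted_ports)
        self.verify_mac = verify_mac
        self.bindings = {}   # client MAC -> Binding (untrusted ports only)
        self.log = []        # (reason, message) for every dropped packet

    def _drop(self, msg, reason):
        self.log.append((reason, msg))
        return "drop"

    def receive(self, msg, now=0.0):
        """Apply the rules to one DHCP message; return 'forward' or 'drop'."""
        trusted = msg.port in self.trusted
        if msg.kind in SERVER_KINDS:
            # Rule 1: server messages are accepted on trusted ports only.
            if not trusted:
                return self._drop(msg, "server message on untrusted port")
            binding = self.bindings.get(msg.chaddr)
            if msg.kind == "ACK" and binding is not None:
                # The ACK completes the tentative binding. An ACK without a
                # binding (such as the reply to a DHCP Inform) is ignored.
                binding.ip, binding.expires = msg.yiaddr, now + msg.lease
            elif msg.kind == "NAK":
                self.bindings.pop(msg.chaddr, None)
            return "forward"
        if trusted:
            # Bindings are kept only for clients on untrusted ports.
            return "forward"
        binding = self.bindings.get(msg.chaddr)
        # Rule 2: RELEASE/DECLINE must arrive on the interface of the binding.
        if (msg.kind in ("RELEASE", "DECLINE") and binding is not None
                and (binding.port, binding.vlan) != (msg.port, msg.vlan)):
            return self._drop(msg, "RELEASE/DECLINE on wrong interface")
        # Rule 3 (configurable): frame source MAC must equal chaddr.
        if self.verify_mac and msg.src_mac != msg.chaddr:
            return self._drop(msg, "source MAC does not match chaddr")
        if msg.kind in ("DISCOVER", "REQUEST"):
            if binding is None:   # assumption: existing bindings are kept
                self.bindings[msg.chaddr] = Binding(msg.chaddr, msg.vlan, msg.port)
        elif msg.kind in ("RELEASE", "DECLINE"):
            self.bindings.pop(msg.chaddr, None)
        return "forward"

    def expire(self, now):
        """Remove completed bindings whose absolute lease time has passed."""
        for mac in [m for m, b in self.bindings.items() if b.ip and b.expires <= now]:
            del self.bindings[mac]

if __name__ == "__main__":
    client = "00:01:02:33:44:55"                      # constructed address
    sw = Snooper(trusted_ports={"ge.1.3"})
    steps = [
        DhcpMsg("OFFER", "00:aa:bb:cc:dd:ee", client, 10, "ge.1.2"),
        DhcpMsg("DISCOVER", client, client, 10, "ge.1.1"),
        DhcpMsg("ACK", "00:aa:bb:cc:dd:01", client, 10, "ge.1.3", "192.168.10.10", 3600),
        DhcpMsg("RELEASE", client, client, 10, "ge.1.2"),
    ]
    for m in steps:
        print(m.kind, m.port, sw.receive(m), sw.bindings.get(client))
```
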
Rate Limiting
To protect the switch against DHCP attacks when DHCP snooping is enabled, the snooping application enforces a rate limit for DHCP packets received on untrusted interfaces. DHCP snooping monitors the receive rate on each interface separately. If the receive rate exceeds a configurable limit, DHCP snooping brings down the interface. Use the set port enable command to re-enable the interface. Both the rate and the burst interval can be configured.
Basic Configuration
The following configuration procedure does not change the write delay to the snooping database or any of the default rate limiting values. Additional configuration notes follow this procedure.
Procedure 17-1 Basic Configuration for DHCP Snooping
Step    Task    Command(s)
1.    Enable DHCP snooping globally on the switch.    set dhcpsnooping enable
2.    Determine where DHCP clients will be connected and enable DHCP snooping on their VLANs.    set dhcpsnooping vlan vlan-list enable
3.    Determine which ports will be connected to the DHCP server and configure them as trusted ports.    set dhcpsnooping trust port port-string enable
4.    If desired, enable logging of invalid DHCP messages on specific ports.    set dhcpsnooping log-invalid port port-string enable
5.    If desired, add static bindings to the database.    set dhcpsnooping binding mac-address vlan vlan-id ipaddr port port-string
Configuration Notes
DHCP Server
• When the switch is operating in switch mode, then the DHCP server and DHCP clients must be in the same VLAN.
• If the switch is in routing mode (on those platforms that support routing), then the DHCP server can be remotely connected to a routing interface, or running locally.
• If the DHCP server is remotely connected, then the use of an IP helper address is required and MAC address verification should be disabled (set dhcpsnooping verify mac-address disable).
• The DHCP server must use Scopes in order to provide the IP addresses per VLAN.
• DHCP snooping must be enabled on the interfaces where the DHCP clients are connected, and the interfaces must be untrusted DHCP snooping ports.
• The routing interface that is connected to the DHCP server must be enabled for DHCP snooping and must be a trusted DHCP snooping port.
DHCP Snooping Commands
This section describes the following commands:
• set dhcpsnooping
• set dhcpsnooping vlan
• set dhcpsnooping database write-delay
• set dhcpsnooping trust
• set dhcpsnooping binding
• set dhcpsnooping verify
• set dhcpsnooping log-invalid
• set dhcpsnooping limit
• show dhcpsnooping
• show dhcpsnooping database
• show dhcpsnooping port
• show dhcpsnooping binding
• show dhcpsnooping statistics
• clear dhcpsnooping binding
• clear dhcpsnooping statistics
• clear dhcpsnooping database
• clear dhcpsnooping limit
set dhcpsnooping
Use this command to enable or disable DHCP snooping globally.
Syntax
set dhcpsnooping {enable | disable}
Parameters
enable    Enable DHCP snooping globally on the switch.
disable    Disable DHCP snooping globally on the switch.
Defaults
Disabled globally.
Mode
Switch command, read-write.
Usage
By default, DHCP snooping is disabled globally and on all VLANs. You must enable it globally with this command, and then enable it on specific VLANs.
Example
The following example enables DHCP snooping globally.
C3(rw)->set dhcpsnooping enable
set dhcpsnooping vlan
Use this command to enable or disable DHCP snooping on a VLAN or range of VLANs.
Syntax
set dhcpsnooping vlan vlan-range {enable | disable}
Parameters
vlan-range    Specifies the VLAN or range of VLANs on which DHCP snooping is to be enabled or disabled.
enable | disable    Enables or disables DHCP snooping for the specified VLANs.
Defaults
DHCP snooping is disabled by default on all VLANs.
Mode
Switch command, read-write.
Usage
By default, DHCP snooping is disabled globally and on all VLANs. You must enable it globally with the set dhcpsnooping command, and then enable it on specific VLANs with this command.
Example
This example enables DHCP snooping on VLANs 10 through 20.
C3(rw)->set dhcpsnooping vlan 10-20 enable
set dhcpsnooping database write-delay
Use this command to specify the interval between updates to the stored bindings database.
Syntax
set dhcpsnooping database write-delay seconds
Parameters
seconds    Specify the interval in seconds between updates to the stored bindings database. The value can range from 15 to 86400 seconds.
Defaults
Every 5 minutes (300 seconds).
Mode
Switch command, read-write.
Usage
When a switch learns of new bindings or when it loses bindings, the switch updates the entries in the bindings database according to the write delay timer. The switch also updates the entries in the binding file. The frequency at which the file is updated is based on the delay configured with this command, and the updates are batched.
Example
The following example specifies that the stored database should be updated once an hour.
C3(rw)->set dhcpsnooping database write-delay 3600
set dhcpsnooping trust
Use this command to enable or disable a port as a DHCP snooping trusted port.
Syntax
set dhcpsnooping trust port port-string {enable | disable}
Parameters
port port-string    Specifies the port or ports to be enabled or disabled as trusted ports. The ports can be physical ports or LAGs that are members of a VLAN.
enable | disable    Enables or disables the specified ports as trusted ports.
Defaults
By default, ports are untrusted.
Mode
Switch command, read-write.
Usage
In order for DHCP snooping to operate, snooping has to be enabled globally and on specific VLANs, and the ports within the VLANs have to be configured as trusted or untrusted. On trusted ports, DHCP client messages are forwarded directly by the hardware. On untrusted ports, client messages are given to the DHCP snooping application.
The DHCP snooping application builds the bindings database from client messages received on untrusted ports. DHCP snooping creates a tentative binding from DHCP DISCOVER and REQUEST messages. Tentative bindings tie a client to the port on which the message packet was received. Tentative bindings are completed when DHCP snooping learns the client's IP address from a DHCP ACK message on a trusted port.
The ports on the switch through which DHCP servers are reached must be configured as trusted ports so that packets received from those ports will be forwarded to clients. DHCP packets from a DHCP server (DHCPOFFER, DHCPACK, DHCPNAK) are dropped if received on an untrusted port.
Example
This example configures port ge.1.1 as a trusted port.
C3(rw)->set dhcpsnooping trust port ge.1.1 enable
set dhcpsnooping binding
Use this command to add a static DHCP binding to the DHCP snooping database.
Syntax
set dhcpsnooping binding mac-address vlan vlan-id ipaddr port port-string
Parameters
mac-address    Specifies the MAC address of the binding entry.
vlan vlan-id    Specifies the VLAN of the binding entry.
ipaddr    Specifies the IP address of the binding entry.
port port-string    Specifies the port of the binding entry.
Defaults
None.
Mode
Switch command, read-write.
Usage
When enabled globally and on VLANs, DHCP snooping builds its bindings database from DHCP client messages received on untrusted ports. Such entries in the database are dynamic entries which will be removed in response to valid DECLINE, RELEASE, and NACK messages or when the absolute lease time of the entry expires.
You can add static entries to the bindings database with this command.
Example
This example creates a static entry, associating MAC address 00:01:02:33:44:55 with IP address 192.168.10.10 and VLAN 10, port ge.1.1.
C3(rw)->set dhcpsnooping binding 00:01:02:33:44:55 vlan 10 192.168.10.10 port ge.1.1
set dhcpsnooping verify
Use this command to enable or disable DHCP snooping to filter on source MAC address.
Syntax
set dhcpsnooping verify mac-address {enable | disable}
Parameters
enable    Enables verification of the source MAC address in client messages against the client hardware address.
disable    Disables verification of the source MAC address in client messages against the client hardware address.
Defaults
Source MAC address verification is enabled by default.
Mode
Switch command, read-write.
Usage
When this verification is enabled, the DHCP snooping application compares the source MAC address contained in valid client messages with the client's hardware address. If there is a mismatch, DHCP snooping logs the event and drops the packet.
Use the show dhcpsnooping command to display the status (enabled or disabled) of source MAC address verification for each interface in an enabled VLAN. The show dhcpsnooping statistics command shows the actual number of MAC verification errors that occurred on untrusted ports.
Example
This example disables source MAC address verification and logging.
C3(rw)->set dhcpsnooping verify mac-address disable
set dhcpsnooping log-invalid
Use this command to enable or disable logging of invalid DHCP messages on ports.
Syntax
set dhcpsnooping log-invalid port port-string {enable | disable}
Parameters
port port-string    Specifies the port or ports on which to enable or disable logging of invalid packets.
enable | disable    Enables or disables logging on the specified ports.
Defaults
Disabled.
Mode
Switch command, read-write.
Usage
The DHCP snooping application processes incoming DHCP messages. For DHCPRELEASE and DHCPDECLINE messages, the application compares the receive interface and VLAN with the client's interface and VLAN in the bindings database. If the interfaces do not match, the application logs the event if logging has been enabled.
Use the show dhcpsnooping command to display the status (enabled or disabled) of logging invalid packets for each interface in an enabled VLAN. The show dhcpsnooping statistics command shows the actual number of server messages received on untrusted ports.
Example
This example enables logging of invalid DHCP messages on port ge.1.1 and then displays the DHCP configuration settings.
C3(rw)->set dhcpsnooping log-invalid port ge.1.1 enable
C3(su)->show dhcpsnooping
DHCP snooping is Disabled
DHCP snooping source MAC verification is enabled
DHCP snooping is enabled on the following VLANs:
3
Interface    Trusted    Log Invalid Pkts
-----------  ---------  ----------------
ge.1.1       No         Yes
ge.1.2       No         No
ge.1.3       Yes        No
set dhcpsnooping limit
Use this command to configure rate limiting parameters for incoming DHCP packets on a port or
ports.
Syntax
set dhcpsnooping limit port-string {none | rate pps {burst interval secs] }
Parameters
port-string          Specifies the port or ports to which to apply these rate limiting
                     parameters.
none                 Configures no limit on incoming DHCP packets.
rate pps             Specifies a rate limit in packets per second. The value of pps can range
                     from 0 to 100 packets per second.
burst interval secs  Specifies a burst interval in seconds. The value of secs can range from 1
                     to 15 seconds.
Defaults
Rate = 15 packets per second
Burst Interval = 1 second
Mode
Switch command, read-write.
Usage
To protect the switch from DHCP attacks when DHCP snooping is enabled, the snooping
application enforces a rate limit for DHCP packets received on untrusted interfaces. DHCP
snooping monitors the receive rate on each interface separately. If the receive rate exceeds the
configured limit, DHCP snooping brings down the interface. You can re-enable the interface with
the set port enable command. Both the rate and the burst interval can be configured.
You can display the currently configured rate limit parameters with the show dhcpsnooping port
command.
Example
This example configures rate limit parameters on port ge.1.1.
C3(rw)->set dhcpsnooping limit ge.1.1 rate 20 burst interval 2
C3(rw)->show dhcpsnooping port ge.1.1
Interface  Trust State  Rate Limit  Burst Interval
                        (pps)       (seconds)
---------  -----------  ----------  --------------
ge.1.1     No           20          2
show dhcpsnooping
Use this command to display DHCP snooping configuration parameters.
Syntax
show dhcpsnooping
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command displays the status (enabled or disabled) of DHCP snooping globally, lists the
VLANs on which DHCP snooping is enabled, displays whether source MAC address verification
is enabled or disabled, and for ports that are enabled for snooping, displays whether they are
trusted or untrusted and whether logging of invalid packets has been enabled.
Example
This example shows the output of the show dhcpsnooping command.
C3(su)->show dhcpsnooping
DHCP snooping is Enabled
DHCP snooping source MAC verification is enabled
DHCP snooping is enabled on the following VLANs:
3
Interface  Trusted  Log Invalid Pkts
---------  -------  ----------------
ge.1.47    Yes      No
ge.1.48    No       No
lag.0.1    No       No
show dhcpsnooping database
Use this command to display DHCP snooping database configuration parameters.
Syntax
show dhcpsnooping database
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command displays where the database file is stored (locally) and what the write delay value
is.
Example
This example shows the output of the show dhcpsnooping database command.
C3(su)->show dhcpsnooping database
agent url: local
write-delay: 300
show dhcpsnooping port
Use this command to display DHCP snooping configuration parameters for specific ports.
Syntax
show dhcpsnooping port port-string
Parameters
port-string  Specifies the port or ports for which to display configuration
             information.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command displays the trust state and rate limiting parameters configured on the specified
ports.
Example
This example shows the output of the show dhcpsnooping port command.
C3(su)->show dhcpsnooping port ge.1.1
Interface  Trust State  Rate Limit  Burst Interval
                        (pps)       (seconds)
---------  -----------  ----------  --------------
ge.1.1     No           20          2
show dhcpsnooping binding
Use this command to display the contents of the DHCP snooping bindings database.
Syntax
show dhcpsnooping binding [dynamic | static] [port port-string] [vlan vlan-id]
Parameters
dynamic | static  (Optional) Limits the display of bindings in the database by type of
                  entry, either dynamic or static.
port port-string  (Optional) Limits the display of bindings in the database by port.
vlan vlan-id      (Optional) Limits the display of bindings in the database by VLAN id.
Defaults
If no parameters are entered, all bindings in the database are displayed.
Mode
Switch command, read-write.
Usage
This command displays information about the DHCP bindings in the DHCP snooping database.
Example
This example shows the output of the show dhcpsnooping binding command when no
parameters are entered.
C3(su)->show dhcpsnooping binding
Total number of bindings: 2
MAC Address        IP Address     VLAN  Interface  Type     Lease (min)
-----------------  -------------  ----  ---------  -------  -----------
00:02:B3:06:60:80  192.168.10.10  3     ge.1.1     STATIC
00:0F:FE:00:13:04  192.168.20.1   5     ge.1.30    DYNAMIC  1440
show dhcpsnooping statistics
Use this command to display DHCP snooping statistics for untrusted ports.
Syntax
show dhcpsnooping statistics
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Usage
The DHCP snooping application processes incoming DHCP messages on enabled untrusted
interfaces. For DHCPRELEASE and DHCPDECLINE messages, the application compares the
receive interface and VLAN with the client's interface and VLAN in the bindings database. If the
interfaces do not match, the application logs the event (if logging of invalid messages is enabled)
and drops the message. If source MAC verification is enabled, for valid client messages, DHCP
snooping compares the source MAC address to the DHCP client hardware address. Where there is
a mismatch, DHCP snooping logs and drops the packet.
This command displays, for each enabled untrusted interface, the number of source MAC
verification failures and client interface mismatches that occurred since the last time these
statistics were cleared.
Since DHCP servers should not be connected through an untrusted port, the DHCP snooping
application will drop incoming DHCP server messages on untrusted interfaces and increment a
counter that is displayed with this command.
Example
This example shows the output of the show dhcpsnooping statistics command.
C3(su)->show dhcpsnooping statistics
Interface  MAC Verify  Client Ifc  DHCP Server
           Failures    Mismatch    Msgs Rec'd
---------  ----------  ----------  -----------
ge.1.48    0           0           0
lag.0.1    0           0           0
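The three counters described above only become useful for monitoring when they are compared between polls. The following is an added example, not part of the Enterasys guide: it parses captured show dhcpsnooping statistics output and reports which counters grew on which untrusted port. The second capture, the function names and the field names are constructed for illustration.

```python
import re

# One data row of the statistics table: port-string followed by three counters.
ROW = re.compile(r"^([a-z]+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")

# Field names are this example's own labels for the three columns.
FIELDS = ("mac_verify_failures", "client_ifc_mismatch", "dhcp_server_msgs")

MEANING = {
    "mac_verify_failures": "source MAC differs from the DHCP client hardware address",
    "client_ifc_mismatch": "DHCPRELEASE/DHCPDECLINE arrived on a port other than the binding's",
    "dhcp_server_msgs": "DHCP server message received on an untrusted port (dropped)",
}

# Output as shown in the guide's example (all counters zero).
BASELINE = """\
C3(su)->show dhcpsnooping statistics
Interface  MAC Verify  Client Ifc  DHCP Server
           Failures    Mismatch    Msgs Rec'd
---------  ----------  ----------  -----------
ge.1.48    0           0           0
lag.0.1    0           0           0
"""

# Constructed later capture: same ports, counters changed on ge.1.48.
LATER = """\
C3(su)->show dhcpsnooping statistics
Interface  MAC Verify  Client Ifc  DHCP Server
           Failures    Mismatch    Msgs Rec'd
---------  ----------  ----------  -----------
ge.1.48    0           2           7
lag.0.1    0           0           0
"""


def parse_statistics(text):
    """Return {port: {field: count}} from the command output; non-row lines are skipped."""
    stats = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            counts = [int(value) for value in match.groups()[1:]]
            stats[match.group(1)] = dict(zip(FIELDS, counts))
    return stats


def new_events(previous, current):
    """Return (port, field, increase) for every counter that grew between two polls."""
    events = []
    for port in sorted(current):
        before = previous.get(port, {})
        for name in FIELDS:
            delta = current[port][name] - before.get(name, 0)
            if delta < 0:
                # Counters were cleared between polls (clear dhcpsnooping statistics),
                # so everything now on the counter is new.
                delta = current[port][name]
            if delta > 0:
                events.append((port, name, delta))
    return events


if __name__ == "__main__":
    for port, name, delta in new_events(parse_statistics(BASELINE), parse_statistics(LATER)):
        print(f"{port}: +{delta} {name} ({MEANING[name]})")
```

A growing dhcp_server_msgs counter on an access port is the one to act on first, since the guide states that DHCP servers should not be reachable through untrusted ports.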
clear dhcpsnooping binding
Use this command to remove bindings from the DHCP snooping bindings database.
Syntax
clear dhcpsnooping binding [port port-string | mac mac-addr]
Parameters
port port-string  (Optional) Specifies the entry or entries to remove by port identifier.
mac mac-addr      (Optional) Specifies the entry to remove by MAC address.
Defaults
If no parameters are entered, all bindings (static and dynamic) are removed.
Mode
Switch command, read-write.
Example
This example clears the static binding entry that includes port ge.1.2.
C3(su)->clear dhcpsnooping binding port ge.1.2
clear dhcpsnooping statistics
Use this command to clear the DHCP snooping statistics counters.
Syntax
clear dhcpsnooping statistics
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears the DHCP snooping statistics counters for all enabled untrusted ports.
C3(su)->clear dhcpsnooping statistics
clear dhcpsnooping database
Use this command to return the write delay value to its default value of 300 seconds.
Syntax
clear dhcpsnooping database [write-delay]
Parameters
write-delay  (Optional) Specifies that the write delay value should be returned to the
             default value of 300 seconds.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command will set the database write delay value to the default of 300 seconds.
Example
This example sets the database storage location to the default of local.
C3(su)->clear dhcpsnooping database
clear dhcpsnooping limit
Use this command to reset the rate limit values to the defaults of 15 packets per second with a
burst interval of 1 second.
Syntax
clear dhcpsnooping limit port-string
Parameters
port-string  Specifies the port or ports to which this command applies.
Defaults
None.
Mode
Switch command, read-write.
Example
This example resets the rate limit values to their defaults on port ge.1.1.
C3(su)->clear dhcpsnooping limit ge.1.1
Dynamic ARP Inspection Overview
Dynamic ARP inspection (DAI) is a security feature that rejects invalid and malicious ARP
packets. The feature prevents a class of man-in-the-middle attacks where an unfriendly station
intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors.
ARP poisoning is a tactic where an attacker injects false ARP packets into the subnet, normally by
broadcasting ARP responses in which the attacker claims to be someone else. By poisoning the
ARP cache, a malicious user can intercept the traffic intended for other hosts on the network.
The Dynamic ARP Inspection application performs ARP packet validation. When DAI is enabled,
it verifies that the sender MAC address and the source IP address are a valid pair in the DHCP
snooping binding database and drops ARP packets whose sender MAC address and sender IP
address do not match an entry in the database. Additional ARP packet validation can be
configured.
If DHCP snooping is disabled on the ingress VLAN or the receive interface is trusted for DHCP
snooping, ARP packets are dropped.
Functional Description
DAI is enabled on VLANs, effectively enabling DAI on the interfaces (physical ports or LAGs) that
are members of that VLAN. Individual interfaces are configured as trusted or untrusted. The trust
configuration for DAI is independent of the trust configuration for DHCP snooping. A trusted
port is a port the network administrator does not consider to be a security threat. An untrusted
port is one which could potentially be used to launch a network attack.
DAI considers all physical ports and LAGs untrusted by default.
Static Mappings
Static mappings are useful when hosts configure static IP addresses, DHCP snooping cannot be
run, or other switches in the network do not run dynamic ARP inspection. A static mapping
associates an IP address to a MAC address on a VLAN. DAI consults its static mappings before it
consults DHCP snooping; thus, static mappings have precedence over DHCP snooping
bindings.
ARP ACLs are used to define static mappings for DAI. In this implementation, only the subset of
ARP ACL syntax required for DAI is supported. ARP ACLs are completely independent of ACLs
used for QoS. A maximum of 100 ARP ACLs can be configured. Within an ACL, a maximum of 20
rules can be configured.
Optional ARP Packet Validation
If optional ARP packet validation has been configured, DAI verifies that the sender MAC address
equals the source MAC address in the Ethernet header. Additionally, the option to verify that the
target MAC address equals the destination MAC address in the Ethernet header can be
configured. This check only applies to ARP responses, since the target MAC address is
unspecified in ARP requests.
You can also enable IP address checking. When this option is enabled, DAI drops ARP packets
with an invalid IP address. The following IP addresses are considered invalid:
- 0.0.0.0
- 255.255.255.255
- All IP multicast addresses
- All class E addresses (240.0.0.0/4)
- Loopback addresses (in the range 127.0.0.0/8)
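The checks described in this overview can be followed packet by packet in a small model. This is an added example, not Enterasys code: it applies the trusted-port bypass, the three optional validations, the static mappings and then the DHCP snooping bindings, and names each verdict after the matching column of show arpinspection statistics. Assumptions: the optional checks run before the mapping lookup, the ip check is applied to the sender IP, and an ARP ACL miss falls through to the DHCP bindings (the effect of the static flag on a miss is not described in the guide and is not modelled); ports ge.1.5 and ge.1.31 and the 02:... MAC addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

CLASS_E = ipaddress.ip_network("240.0.0.0/4")  # also contains 255.255.255.255


def ip_is_invalid(ip):
    """The guide's list: 0.0.0.0, broadcast, multicast, class E, loopback."""
    addr = ipaddress.IPv4Address(ip)
    return int(addr) == 0 or addr.is_multicast or addr.is_loopback or addr in CLASS_E


@dataclass(frozen=True)
class Arp:
    vlan: int
    port: str
    eth_src: str          # Ethernet header source MAC
    eth_dst: str          # Ethernet header destination MAC
    op: str               # "request" or "reply"
    sender_mac: str       # ARP payload fields
    sender_ip: str
    target_mac: str = "00:00:00:00:00:00"


class Dai:
    def __init__(self, vlans, trusted, validate, acl, bindings):
        self.vlans, self.trusted, self.validate = set(vlans), set(trusted), set(validate)
        # acl: {vlan: {sender_ip: sender_mac}} from ARP ACL permit rules
        self.acl = {v: {ip: mac.lower() for ip, mac in m.items()} for v, m in acl.items()}
        # bindings: (mac, ip, vlan, interface) tuples from DHCP snooping
        self.bindings = {(mac.lower(), ip, vlan, port) for mac, ip, vlan, port in bindings}

    def inspect(self, p):
        """Return (verdict, reason) for one ARP packet."""
        if p.vlan not in self.vlans or p.port in self.trusted:
            return ("forward", "not inspected")      # trusted ports bypass all checks
        sender = p.sender_mac.lower()
        if "src-mac" in self.validate and sender != p.eth_src.lower():
            return ("drop", "Bad Src MAC")
        if ("dst-mac" in self.validate and p.op == "reply"
                and p.target_mac.lower() != p.eth_dst.lower()):
            return ("drop", "Bad Dest MAC")          # responses only
        if "ip" in self.validate and ip_is_invalid(p.sender_ip):
            return ("drop", "Invalid IP")
        if self.acl.get(p.vlan, {}).get(p.sender_ip) == sender:
            return ("forward", "ACL Permits")        # static mappings are consulted first
        if (sender, p.sender_ip, p.vlan, p.port) in self.bindings:
            return ("forward", "DHCP Permits")
        return ("drop", "DHCP Drops")


CLIENT = "00:0f:fe:00:13:04"   # dynamic binding shown by show dhcpsnooping binding
STATIC = "00:01:22:33:44:55"   # permit rule from the staticARP example
BCAST = "ff:ff:ff:ff:ff:ff"

DEMO = Dai(
    vlans={5, 10},
    trusted={"ge.1.1"},
    validate={"src-mac", "dst-mac", "ip"},
    acl={10: {"192.168.1.10": STATIC}},
    bindings=[("00:0F:FE:00:13:04", "192.168.20.1", 5, "ge.1.30")],
)

# Constructed sample packets.
SAMPLES = {
    "client, own address": Arp(5, "ge.1.30", CLIENT, BCAST, "request", CLIENT, "192.168.20.1"),
    "client claims other IP": Arp(5, "ge.1.30", CLIENT, BCAST, "request", CLIENT, "192.168.20.254"),
    "binding seen on other port": Arp(5, "ge.1.31", CLIENT, BCAST, "request", CLIENT, "192.168.20.1"),
    "static host": Arp(10, "ge.1.5", STATIC, BCAST, "request", STATIC, "192.168.1.10"),
    "payload MAC differs from frame": Arp(5, "ge.1.30", "02:00:00:00:00:99", BCAST,
                                          "request", CLIENT, "192.168.20.1"),
    "reply with wrong target MAC": Arp(5, "ge.1.30", CLIENT, "02:00:00:00:00:aa", "reply",
                                       CLIENT, "192.168.20.1", "02:00:00:00:00:bb"),
    # An address probe carries sender IP 0.0.0.0, so the ip option drops it too.
    "probe with sender 0.0.0.0": Arp(5, "ge.1.30", CLIENT, BCAST, "request", CLIENT, "0.0.0.0"),
    "anything on trusted port": Arp(5, "ge.1.1", "02:00:00:00:00:99", BCAST, "reply",
                                    "02:00:00:00:00:99", "192.168.20.254"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:32} {DEMO.inspect(pkt)}")
```

The last sample shows why the trust setting matters most: a port marked trusted forwards a spoofed reply that every other check would have dropped.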
Logging Invalid Packets
By default, DAI writes a log message to the normal buffered log for each invalid ARP packet it
drops. You can configure DAI to not log invalid packets for specific VLANs.
Packet Forwarding
DAI forwards valid ARP packets whose destination MAC address is not local. The ingress VLAN
could be a switching or routing VLAN. ARP requests are flooded in the VLAN. ARP responses are
unicast toward their destination. DAI queries the MAC address table to determine the outgoing
port. If the destination MAC address is local, DAI gives valid ARP packets to the ARP application.
Rate Limiting
To protect the switch from DHCP attacks when DAI is enabled, the DAI application enforces a rate
limit for ARP packets received on untrusted interfaces. DAI monitors the receive rate on each
interface separately. If the receive rate exceeds a configurable limit, DAI error-disables the
interface, which effectively brings down the interface. You can use the set port enable command
to re-enable the port.
You can configure both the rate and the burst interval. The default rate is 15 pps on each untrusted
interface with a range of 0 to 100 pps. The default burst interval is 1 second with a range of 1 to 15
seconds. The rate limit cannot be set on trusted interfaces since ARP packets received on trusted
interfaces do not come to the CPU.
Eligible Interfaces
Dynamic ARP inspection is enabled per VLAN, effectively enabling DAI on the members of the
VLAN, either physical ports or LAGs. Trust is specified on the VLAN members.
DAI cannot be enabled on port-based routing interfaces. It may be connected to:
- A single host through a trusted link (for example, a server)
- If multiple hosts need to be connected, there must be a switch between the router and the hosts,
  with DAI enabled on that switch
Interaction with Other Functions
- DAI relies on the DHCP snooping application to verify that a {IP address, MAC address,
  VLAN, interface} tuple is valid.
- DAI registers with dot1q to receive notification of VLAN membership changes for the VLANs
  where DAI is enabled.
- DAI tells the driver about each untrusted interface (physical port or LAG) where DAI is
  enabled so that the hardware will intercept ARP packets and send them to the CPU.
Basic Configuration
The following basic configuration does not change the default rate limiting parameters.
Procedure 17-2 Basic Dynamic ARP Inspection Configuration
Step 1. Configure DHCP snooping.
        Refer to Procedure 17-1 on page 17-3.
Step 2. Enable ARP inspection on the VLANs where clients are connected, and optionally, enable
        logging of invalid ARP packets.
        set arpinspection vlan vlan-range [logging]
Step 3. Determine which ports are not security threats and configure them as DAI trusted ports.
        set arpinspection trust port port-string enable
Step 4. If desired, configure optional validation parameters.
        set arpinspection validate {[src-mac] [dst-mac] [ip]}
Step 5. If desired, configure static mappings for DAI by creating ARP ACLs:
        Create the ARP ACL
        set arpinspection filter name permit ip host sender-ipaddr mac host sender-macaddr
        Apply the ACL to a VLAN
        set arpinspection filter name vlan vlan-range [static]
Example Configuration
Note: This example applies only to platforms that support routing.
The following example configures DHCP snooping and dynamic ARP inspection in a routing
environment using RIP. The example configures two interfaces on the switch, configuring RIP on
both interfaces, assigning each to a different VLAN, and then enabling DHCP snooping and
dynamic ARP inspection on them:
- Interface ge.1.1, which is connected to a remote DHCP server, on VLAN 192
- Interface ge.1.2, which is connected to DHCP clients, on VLAN 10
In addition, the default VLAN, VLAN 1, is also enabled for DHCP snooping and dynamic ARP
inspection.
Since the DHCP server is remote, the switch has been configured as a DHCP relay agent (with the
ip helper-address command), to forward client requests to the DHCP server. Therefore, MAC
address verification is disabled (with the set dhcpsnooping verify mac-address disable
command) in order to allow DHCPRELEASE packets to be processed by the DHCP snooping
functionality and client bindings removed from the bindings database.
Router Configuration
router
enable
configure
interface vlan 10
no shutdown
ip address 10.2.0.1 255.255.0.0
ip helper-address 192.168.0.200
ip rip send version 2
ip rip receive version 2
ip rip enable
exit
interface vlan 192
no shutdown
ip address 192.168.0.1 255.255.255.0
ip rip send version 2
ip rip receive version 2
ip rip enable
exit
router rip
exit
VLAN Configuration
set vlan create 10
set vlan create 192
clear vlan egress 1 ge.1.1-2
set vlan egress 10 ge.1.2 untagged
set vlan egress 192 ge.1.1 untagged
DHCP Snooping Configuration
set dhcpsnooping enable
set dhcpsnooping vlan 1 enable
set dhcpsnooping vlan 10 enable
set dhcpsnooping vlan 192 enable
set dhcpsnooping verify mac-address disable
set dhcpsnooping trust port ge.1.1 enable
Dynamic ARP Inspection Configuration
set arpinspection vlan 1
set arpinspection vlan 10
set arpinspection vlan 192
set arpinspection trust port ge.1.1 enable
Dynamic ARP Inspection Commands
For information about:
- set arpinspection vlan
- set arpinspection trust
- set arpinspection validate
- set arpinspection limit
- set arpinspection filter
- show arpinspection access-list
- show arpinspection ports
- show arpinspection vlan
- show arpinspection statistics
- clear arpinspection validate
- clear arpinspection vlan
- clear arpinspection filter
- clear arpinspection limit
- clear arpinspection statistics
set arpinspection vlan
Use this command to enable dynamic ARP inspection on one or more VLANs, and optionally,
enable logging of invalid ARP packets.
Syntax
set arpinspection vlan vlan-range [logging]
Parameters
vlan-range  Specifies the VLAN or range of VLANs on which to enable dynamic
            ARP inspection.
logging     (Optional) Enables logging of invalid ARP packets for that VLAN.
Defaults
Logging is disabled by default.
Mode
Switch command, read-write.
Usage
This command enables dynamic ARP inspection (DAI) on one or more VLANs. When DAI is
enabled on a VLAN, DAI is effectively enabled on the interfaces (physical ports or LAGs) that are
members of that VLAN.
DAI uses the DHCP snooping bindings database to verify that the sender MAC address and the
source IP address are a valid pair in the database. ARP packets whose sender MAC address and
sender IP address do not match an entry in the database are dropped.
If logging is enabled, invalid ARP packets are also logged.
Example
This example enables DAI on VLANs 2 through 5 and also enables logging of invalid ARP packets
on those VLANs.
C3(su)->set arpinspection vlan 2-5 logging
set arpinspection trust
Use this command to enable or disable a port as a dynamic ARP inspection trusted port.
Syntax
set arpinspection trust port port-string {enable | disable}
Parameters
port-string       Specifies the port or ports to be enabled or disabled as DAI trusted
                  ports. The ports can be physical ports or LAGs that are members of a
                  VLAN.
enable | disable  Enables or disables the specified ports as trusted for DAI.
Defaults
By default, all physical ports and LAGs are untrusted.
Mode
Switch command, read-write.
Usage
Individual interfaces are configured as trusted or untrusted. The trust configuration for DAI is
independent of the trust configuration for DHCP snooping. A trusted port is a port the network
administrator does not consider to be a security threat. An untrusted port is one which could
potentially be used to launch a network attack.
DAI considers all physical ports and LAGs untrusted by default. Packets arriving on trusted
interfaces bypass all DAI validation checks.
Example
This example enables port ge.1.1 as trusted for DAI.
C3(su)->set arpinspection trust port ge.1.1 enable
set arpinspection validate
Use this command to configure additional optional ARP validation parameters.
Syntax
set arpinspection validate {[src-mac] [dst-mac] [ip]}
Parameters
src-mac  Specifies that DAI should verify that the sender MAC address equals
         the source MAC address in the Ethernet header.
dst-mac  Specifies that DAI should verify that the target MAC address equals the
         destination MAC address in the Ethernet header.
         This check only applies to ARP responses, since the target MAC address
         is unspecified in ARP requests.
ip       Specifies that DAI should check the IP address and drop ARP packets
         with an invalid address. An invalid address is one of the following:
         - 0.0.0.0
         - 255.255.255.255
         - All IP multicast addresses
         - All class E addresses (240.0.0.0/4)
         - Loopback addresses (in the range 127.0.0.0/8)
Defaults
All parameters are optional, but at least one parameter must be specified.
Mode
Switch command, read-write.
Usage
This command adds additional validation of ARP packets by DAI, beyond the basic validation
that the ARP packet's sender MAC address and sender IP address match an entry in the DHCP
snooping bindings database.
Example
This example adds the optional verification that sender MAC addresses are the same as the source
MAC addresses in the Ethernet headers of ARP packets.
C3(su)->set arpinspection validate src-mac
set arpinspection limit
Use this command to configure rate limiting parameters for incoming ARP packets on a port or
ports.
Syntax
set arpinspection limit port port-string {none | rate pps {burst interval secs] }
Parameters
port-string          Specifies the port or ports to which to apply these rate limiting
                     parameters.
none                 Configures no limit on incoming ARP packets.
rate pps             Specifies a rate limit in packets per second. The value of pps can range
                     from 0 to 100 packets per second.
burst interval secs  Specifies a burst interval in seconds. The value of secs can range from 1
                     to 15 seconds.
Defaults
Rate = 15 packets per second
Burst Interval = 1 second
Mode
Switch command, read-write.
Usage
To protect the switch against DHCP attacks when DAI is enabled, the DAI application enforces a
rate limit for ARP packets received on untrusted interfaces. DAI monitors the receive rate on each
interface separately. If the receive rate exceeds the limit configured with this command, DAI
disables the interface, which effectively brings down the interface. You can use the set port enable
command to re-enable the port.
You can configure both the rate and the burst interval. The default rate is 15 pps on each untrusted
interface with a range of 0 to 100 pps. The default burst interval is 1 second with a range of 1 to 15
seconds. The rate limit cannot be set on trusted interfaces since ARP packets received on trusted
interfaces do not come to the CPU.
Example
This example sets the rate to 20 packets per second and the burst interval to 2 seconds on ports
ge.1.1 and ge.1.2.
C3(su)->set arpinspection limit port ge.1.1-2 rate 20 burst interval 2
set arpinspection filter
Use this command to create an ARP ACL and then to assign an ACL to a VLAN, optionally as a
static mapping.
Syntax
set arpinspection filter name {permit ip host sender-ipaddr mac host
sender-macaddr | vlan vlan-range [static]}
Parameters
name                     Specifies the name of the ARP ACL.
permit                   Specifies that a permit rule is being created.
ip host sender-ipaddr    Specifies the IP address in the rule being created.
mac host sender-macaddr  Specifies the MAC address in the rule being created.
vlan vlan-range          Specifies the VLAN or VLANs to which this ARP ACL is assigned.
static                   (Optional) Specifies that this ARP ACL configures static mappings for
                         the VLAN or VLANs.
Defaults
None.
Mode
Switch command, read-write.
Usage
ARP ACLs are used to define static mappings for DAI. ARP ACLs are completely independent of
ACLs used for QoS. A maximum of 100 ARP ACLs can be configured. Within an ACL, a
maximum of 20 rules can be configured.
A static mapping associates an IP address to a MAC address on a VLAN. DAI consults its static
mappings before it consults the DHCP snooping bindings database; thus, static mappings have
precedence over DHCP snooping bindings.
Example
This example creates an ACL named staticARP and creates a permit rule for IP address
192.168.1.10. Then, the ACL is assigned to a VLAN as a static mapping.
C3(su)->set arpinspection filter staticARP permit ip host 192.168.1.10 mac host 00:01:22:33:44:55
C3(su)->set arpinspection filter staticARP vlan 10 static
show arpinspection access-list
Use this command to display ARP access list configuration information.
Syntax
show arpinspection access-list [acl-name]
Parameters
acl-name  (Optional) Specifies the ARP ACL to display.
Defaults
If a specific ACL is not specified, information about all configured ARP ACLs is displayed.
Mode
Switch command, read-write.
Example
This example displays information about the ARP ACL named staticARP.
C3(su)->show arpinspection access-list staticARP
ARP access list staticARP
permit ip host 192.168.1.10 mac host 00:01:22:33:44:55
permit ip host 192.168.1.20 mac host 00:0A:11:22:33:66
show arpinspection ports
Use this command to display the ARP configuration of one or more ports.
Syntax
show arpinspection ports [port-string]
Parameters
port-string  (Optional) Specifies the port or ports for which to display ARP
             configuration information.
Defaults
If a port-string is not specified, information about all DAI-enabled untrusted ports is displayed.
Mode
Switch command, read-write.
Example
This example displays the ARP configuration of lag.0.1.
C3(su)->show arpinspection ports lag.0.1
Interface  Trust State  Rate Limit  Burst Interval
                        (pps)       (seconds)
---------  -----------  ----------  --------------
lag.0.1    No           15          1
show arpinspection vlan
Use this command to display the ARP configuration of one or more VLANs.
Syntax
show arpinspection vlan vlan-range
Parameters
vlan-range  Specifies the VLANs for which to display configuration information.
Defaults
None.
Mode
Switch command, read-write.
Example
This example displays ARP configuration information for VLAN 5.
C3(su)->show arpinspection vlan 5
Source MAC Validation       Disabled
Destination MAC Validation  Disabled
IP Address Validation       Disabled
Vlan  Configuration  Log Invalid  ACL Name   Static flag
----  -------------  -----------  ---------  -----------
5     Disabled       Enabled      staticARP  Enabled
show arpinspection statistics
Use this command to display ARP statistics for all DAI-enabled VLANs or for specific VLANs.
Syntax
show arpinspection statistics [vlan vlan-range]
Parameters
vlan vlan-range  (Optional) Specifies the VLANs for which to display statistics.
Defaults
If no VLANs are specified, limited statistics for all DAI-enabled VLANs are displayed.
Mode
Switch command, read-write.
Usage
When no specific VLANs are entered, this command displays the number of Forwarded and
Dropped ARP packets per DAI-enabled VLAN. When one or more VLANs are specified, this
command displays more detailed statistics.
Examples
This example shows what is displayed when no VLANs are specified.
C3(su)->show arpinspection statistics
VLAN  Forwarded  Dropped
----  ---------  -------
5     0          0
This example shows what information is displayed when one or more VLANs are specified.
C3(su)->show arpinspection statistics vlan 5
VLAN  DHCP   ACL    DHCP     ACL      Bad Src  Bad Dest  Invalid
      Drops  Drops  Permits  Permits  MAC      MAC       IP
----  -----  -----  -------  -------  -------  --------  -------
5     0      0      0        0        0        0         0
clear arpinspection validate
Use this command to remove additional optional ARP validation parameters that were previously
configured.
Syntax
clear arpinspection validate {[src-mac] [dst-mac] [ip]}
Parameters
src-mac  Clear, or remove, the verification that the sender MAC address equals
         the source MAC address in the Ethernet header.
dst-mac  Clear, or remove, the verification that the target MAC address equals
         the destination MAC address in the Ethernet header.
ip       Clear, or remove, checking the IP address and dropping ARP packets
         with an invalid address.
Defaults
All parameters are optional, but at least one parameter must be specified.
Mode
Switch command, read-write.
Usage
This command removes previously configured additional validation of ARP packets by DAI,
beyond the basic validation that the ARP packet's sender MAC address and sender IP address
match an entry in the DHCP snooping bindings database.
Use the show arpinspection vlan command to display the current status of the additional
validation rules.
Example
This example removes all 3 additional validation conditions.
C3(su)->clear arpinspection validate src-mac dst-mac ip
clear arpinspection vlan
Use this command to disable dynamic ARP inspection on one or more VLANs or to disable
logging of invalid ARP packets on one or more VLANs.
Syntax
clear arpinspection vlan vlan-range [logging]
Parameters
vlan-range  Specifies the VLAN or range of VLANs on which to disable dynamic
            ARP inspection.
logging     (Optional) Disable logging of invalid ARP packets for the specified
            VLANs.
Defaults
If logging is enabled for the specified VLAN but logging is not entered with this command,
logging will remain enabled.
Mode
Switch command, read-write.
Usage
You can use this command to disable dynamic ARP inspection on one or more VLANs, or you can
disable logging of invalid ARP packets on specified VLANs. To disable both logging and DAI, you
must enter this command twice.
Example
This example first displays the DAI configuration for VLAN 5, then disables DAI on VLAN 5, then
disables logging of invalid ARP packets on VLAN 5.
C3(su)->show arpinspection vlan 5
Source MAC Validation       Disabled
Destination MAC Validation  Disabled
IP Address Validation       Disabled
Vlan  Configuration  Log Invalid  ACL Name   Static flag
----  -------------  -----------  ---------  -----------
5     Enabled        Enabled      staticARP  Enabled
C3(su)->clear arpinspection vlan 5
C3(su)->show arpinspection vlan 5
Source MAC Validation       Disabled
Destination MAC Validation  Disabled
IP Address Validation       Disabled
Vlan  Configuration  Log Invalid  ACL Name   Static flag
----  -------------  -----------  ---------  -----------
5     Disabled       Enabled      staticARP  Enabled
C3(su)->clear arpinspection vlan 5 logging
C3(su)->show arpinspection vlan 5
Source MAC Validation       Disabled
Destination MAC Validation  Disabled
IP Address Validation       Disabled
Vlan  Configuration  Log Invalid  ACL Name   Static flag
----  -------------  -----------  ---------  -----------
5     Disabled       Disabled     staticARP  Enabled
clear arpinspection filter
Use this command to remove an ARP ACL from a VLAN or from the switch, or to remove a
permit rule from an existing ACL, or to change the status of static mapping to disabled.
Syntax
clear arpinspection filter name [permit ip host sender-ipaddr mac host
sender-macaddr] | [vlan vlan-range [static]]
Parameters
name                     Specifies the name of the ARP ACL.
permit                   (Optional) Specifies that a permit rule is being deleted.
ip host sender-ipaddr    Specifies the IP address in the rule being deleted.
mac host sender-macaddr  Specifies the MAC address in the rule being deleted.
vlan vlan-range          (Optional) Specifies the VLAN or VLANs to which this command
                         should apply. Remove the ACL from the VLAN, if static is not specified
                         also.
static                   (Optional) Specifies that static mapping should be disabled for this ARP
                         ACL for the specified VLAN or VLANs.
Defaults
If only the name is specified, the ACL is deleted from the switch.
Mode
Switch command, read-write.
Usage
You can use this command to:
- Remove a configured ARP ACL from the switch, or
- Remove a permit rule from a configured ARP ACL, or
- Remove the association of an ARP ACL with a VLAN or VLANs, or
- Disable static mapping of an ARP ACL associated with a VLAN or VLANs.
Use the set arpinspection filter command to create and assign an ARP ACL.
Use the show arpinspection access-list command to display currently configured ARP ACLs.
Examples
This example removes a permit rule from the ARP ACL named staticARP.
C3(su)->clear arpinspection filter staticARP permit ip host 192.168.1.10 mac host 00:01:22:33:44:55
This example disables static mapping of the ARP ACL named staticARP that is associated with
VLAN 5.
C3(su)->clear arpinspection filter staticARP vlan 5 static
This example removes the ARP ACL named staticARP from VLAN 5.
C3(su)->clear arpinspection filter staticARP vlan 5
This example removes the ARP ACL named staticARP from the switch completely.
C3(su)->clear arpinspection filter staticARP
clear arpinspection limit
Use this command to return the DAI rate limiting values to their default values for a port or range
of ports.
Syntax
clear arpinspection limit port port-string
Parameters
port-string  Specifies the ports on which to return the rate limiting values to
             defaults.
Defaults
Rate = 15 packets per second
Burst Interval = 1 second
Mode
Switch mode, read-write.
Usage
Use the set arpinspection limit command to change the values of the rate limit and burst interval.
Use the show arpinspection ports command to display the currently configured rate limits.
Example
This example returns the DAI rate limiting values to their defaults for port ge.1.1.
C3(su)->clear arpinspection limit port ge.1.1
clear arpinspection statistics
Use this command to clear all dynamic ARP inspection statistics.
Syntax
clear arpinspection statistics
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears all DAI statistics from the switch.
C3(su)->clear arpinspection statistics
18
Preparing for Router Mode
This chapter describes how to prepare the switch for routing.
For information about... Refer to page...
Pre-Routing Configuration Tasks 18-1
Enabling Router Configuration Modes 18-2
Pre-Routing Configuration Tasks
Startup and general configuration of the SecureStack C3 switch must occur from the switch CLI.
For details on how to start the switch and configure general platform settings, refer to Chapter 1,
Introduction, Chapter 2, Configuring Switches in a Stack, and Chapter 3, Basic Configuration.
Once startup and general switch settings are complete, IP configuration and other router-specific
commands can be executed when the switch is in router mode. For details on how to enable router
mode from the switch CLI, refer to Table 18-2 in Enabling Router Configuration Modes.
The following pre-routing tasks must be performed from the switch CLI:
Starting up the CLI. (Using the Command Line Interface on page 1-6)
Setting the system password. (set password on page 3-5)
Configuring basic platform settings, such as host name, system clock, and terminal display
settings. (Setting Basic Switch Properties on page 3-9)
Setting the system IP address. (set ip address on page 3-11)
Creating and enabling VLANs. (Chapter 10)
File management tasks, including uploading or downloading flash or text configuration files,
and displaying directory and file contents. (Managing Switch Configuration and Files on
page 3-39)
Configuring the switch to run in router mode. (Enabling Router Configuration Modes on
page 18-2)
Enabling advanced router features. (Activating Advanced Routing Features on page 20-1)
Note: The command prompts used as examples in Table 18-1 and throughout this guide show
switch operation for a user in admin (su) access mode, and a system where the VLAN 1 interface
has been configured for routing. The prompt changes depending on your current configuration
mode, your specific switch, and the interface types and numbers configured for routing on your
system.
Table 18-1 Enabling the Switch for Routing
Step 1: From admin (su) mode, enable router mode.
    Type this command: router
    At this prompt: Switch: C3(su)->
Step 2: Enable router Privileged EXEC mode.
    Type this command: enable
    At this prompt: Router: C3(su)->router>
Step 3: Enable global router configuration mode.
    Type this command: configure
    At this prompt: Router: C3(su)->router#
Step 4: Enable interface configuration mode using the routing VLAN or loopback id.
    Type this command: interface {vlan vlan-id | loopback loop-id}
    At this prompt: Router: C3(su)->router(Config)#
    For details, see: interface on page 19-3
Step 5: Assign an IP address to the routing interface.
    Type this command: ip address {ip-address ip-mask}
    At this prompt: Router: C3(su)->router(Config-if(Vlan 1))#
    For details, see: interface on page 19-3
Step 6: Enable the interface for IP routing.
    Type this command: no shutdown
    At this prompt: Router: C3(su)->router(Config-if(Vlan 1))#
    For details, see: no shutdown on page 19-6
Example
The following example shows how to configure VLAN 1 on IP address 182.127.63.1 255.255.255.0
as a routing interface.
C3(su)->router
C3(su)->router>enable
C3(su)->router#configure
Enter configuration commands:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip address 182.127.63.1 255.255.255.0
C3(su)->router(Config-if(Vlan 1))#no shutdown
Enabling Router Configuration Modes
The SecureStack C3 CLI provides different modes of router operation for issuing a subset of
commands from each mode. Table 18-2 describes these modes of operation.
Table 18-2 Router CLI Configuration Modes
Privileged EXEC Mode
    Use this mode to: Set system operating parameters. Show configuration parameters. Save/copy configurations.
    Access method: From the switch CLI: Type router, then type enable.
    Resulting prompt: C3(su)->router> and then C3(su)->router#
Global Configuration Mode
    Use this mode to: Set system-wide parameters.
    Access method: Type configure from Privileged EXEC mode.
    Resulting prompt: C3(su)->router(Config)#
Interface Configuration Mode
    Use this mode to: Configure router interfaces.
    Access method: Type interface vlan or loopback and the interface's id from Global Configuration mode.
    Resulting prompt: C3(su)->router(Config-if(Vlan 1))# or C3(su)->router(Config-if(Lpbk 1))#
Router Configuration Mode
    Use this mode to: Set IP protocol parameters.
    Access method: Type router and the protocol name (and, for OSPF, the instance ID) from Global or Interface Configuration mode.
    Resulting prompt: C3(su)->router(Config-router)#
Note: To jump to a lower configuration mode, type exit at the command prompt. To revert back to
switch CLI, type exit from Privileged EXEC router mode.
19
IP Configuration
This chapter describes the Internet Protocol (IP) configuration set of commands and how to use
them.
Router: Unless otherwise noted, the commands covered in this chapter can be executed only
when the device is in router mode. For details on how to enable router configuration modes, refer
to Enabling Router Configuration Modes on page 18-2.
For information about... Refer to page...
Configuring Routing Interface Settings 19-1
Configuring Tunnel Interfaces 19-8
Reviewing and Configuring the ARP Table 19-12
Configuring Broadcast Settings 19-16
Reviewing IP Traffic and Configuring Routes 19-19
Configuring ICMP Redirects 19-23
Configuring Routing Interface Settings
Purpose
To enable routing interface configuration mode on the device, to create routing interfaces, to
review the usability status of interfaces configured for IP, to set IP addresses for interfaces, to
enable interfaces for IP routing at device startup, and to review the running configuration.
Note: For information about configuring tunnel interfaces, see Configuring Tunnel Interfaces on
page 19-8.
Commands
For information about... Refer to page...
show interface 19-2
interface 19-3
show ip interface 19-4
ip address 19-5
show running-config 19-6
no shutdown 19-6
no ip routing 19-7
show interface
Use this command to display information about one or more interfaces (VLANs or loopbacks)
configured on the router.
Syntax
show interface [vlan vlan-id] [loopback loop-id]
Parameters
vlan vlan-id  (Optional) Displays interface information for a specific VLAN interface.
This interface must be configured for IP routing as described in Pre-Routing
Configuration Tasks on page 18-1.
loopback loop-id  (Optional) Displays interface information for a specific loopback interface.
Defaults
If interface type is not specified, information for all routing interfaces will be displayed.
Mode
Any router mode.
Examples
This example shows how to display information for all interfaces configured on the router. For a
detailed description of this output, refer to Table 19-1:
C3(su)->router#show interface
Vlan 1 is Administratively DOWN
Vlan 1 is Operationally DOWN
Mac Address is: 0001.f4da.2cba
The name of this device is Vlan 1
The MTU is 1500 bytes
The bandwidth is 10000 Mb/s
Encapsulation ARPA, Loopback not set
ARP type: ARPA, ARP Timeout: 14400 seconds
This example shows how to display information for loopback interface 1.
C3(su)->router#show interface loopback 1
Loopback 1 is Administratively UP
Loopback 1 is Operationally UP
Internet Address is 10.1.192.100, Subnet Mask is 255.255.255.0
The name of this device is Loopback 1
The MTU is 1500 bytes
interface
Use this command to configure interfaces for IP routing.
Syntax
interface vlan vlan-id | loopback loop-id
Parameters
vlan vlan-id  Specifies the number of the VLAN interface to be configured for routing.
This interface must be configured for IP routing as described in Pre-Routing
Configuration Tasks on page 18-1.
loopback loop-id  Specifies the number of the loopback interface to be configured for routing.
The value of loop-id can range from 0 to 7.
Defaults
None.
Mode
Router global configuration mode: C3(su)->router(Config)#
Usage
This command enables interface configuration mode from global configuration mode, and, if the
interface has not previously been created, this command creates a new routing interface. For
details on configuration modes supported by the SecureStack C3 device and their uses, refer to
Table 18-2 in Enabling Router Configuration Modes on page 18-2.
VLANs must be created from the switch CLI before they can be configured for IP routing. For
details on creating VLANs and configuring them for IP, refer to Enabling Router Configuration
Modes on page 18-2.
Each VLAN interface must be configured for routing separately using the interface command. To
end configuration on one interface before configuring another, type exit at the command prompt.
Enabling interface configuration mode is required for completing interface-specific configuration
tasks. For an example of how these commands are used, refer to Pre-Routing Configuration
Tasks on page 18-1.
A loopback interface is always expected to be up. This interface can provide the source address for
sent packets and can receive both local and remote packets. The loopback interface is typically
used by routing protocols, but it can also be used for management or network services such as
RADIUS, SNMP, Syslog, SNTP, or sFlow. By default, if RADIUS is configured with no host IP
address on the device, it will use the loopback interface 0 IP address (if it has been configured) as
its source for the NAS-IP attribute. (Administrators can assign where to source management or
network service IP packets via the set interface commands.)
Each SecureStack C3 system (stack) can support up to 24 routing interfaces. Each interface can be
configured for the RIP and/or OSPF routing protocols.
Note: For information about configuring tunnel interfaces, see Configuring Tunnel Interfaces on
page 19-8.
Examples
This example shows how to enter configuration mode for VLAN 1:
C3(su)->router#configure
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#
This example shows how to enter configuration mode for loopback 1:
C3(su)->router#configure
C3(su)->router(Config)#interface loopback 1
C3(su)->router(Config-if(Lpbk 1))#
show ip interface
Use this command to display information, including administrative status, IP address, MTU
(Maximum Transmission Unit) size and bandwidth, and ACL configurations, for interfaces
configured for IP.
Syntax
show ip interface [vlan vlan-id] [loopback loop-id]
Parameters
vlan vlan-id  (Optional) Displays information for a specific VLAN interface. This
interface must be configured for IP routing as described in Pre-Routing
Configuration Tasks on page 18-1.
loopback loop-id  (Optional) Displays interface information for a specific loopback interface.
Defaults
If interface type is not specified, status information for all routing interfaces will be displayed.
Mode
Any router mode.
Example
This example shows how to display configuration information for VLAN 1:
C3(su)->router#show ip interface vlan 1
Vlan 1 is Admin DOWN
Vlan 1 is Oper DOWN
Primary IP Address is 192.168.10.1 Mask 255.255.255.0
Frame Type Ethernet
MAC-Address 0001.F45C.C993
Incoming Accesslist is not set
Outgoing AccessList is not set
MTU is 6145 bytes
ARP Timeout is 1 seconds
Direct Broadcast Disabled
Proxy ARP is Disabled
Table 19-1 provides an explanation of the command output.
Table 19-1 show ip interface Output Details
Output Field  What It Displays...
Vlan N  Whether the interface is administratively and operationally up or down.
Primary IP Address  Interface's primary IP address and mask. Set using the ip address command as described in ip address on page 19-5.
Frame Type  Encapsulation type used by this interface. Set using the arp command as described in arp on page 19-13.
MAC-Address  MAC address mapped to this interface.
Incoming Access List  Whether or not an access control list (ACL) has been configured for ingress on this interface using the commands described in Configuring Access Lists on page 26-79.
Outgoing Access List  Not supported.
MTU  Interface's Maximum Transmission Unit size.
ARP Timeout  Duration for entries to stay in the ARP table before expiring. Set using the arp timeout command as described in arp timeout on page 19-15.
Direct Broadcast  Whether or not IP directed broadcast is enabled. Set using the ip directed-broadcast command described in ip directed-broadcast on page 19-16.
Proxy Arp  Whether or not proxy ARP is enabled or disabled for this interface. Set using the ip proxy-arp command as described in ip proxy-arp on page 19-14.
ip address
Use this command to set, remove, or disable a primary or secondary IP address for an interface.
The no form of this command removes the specified IP address and disables the interface for IP
processing.
Syntax
ip address ip-address ip-mask [secondary]
no ip address ip-address ip-mask
Parameters
ip-address  Specifies the IP address of the interface to be added or removed.
ip-mask  Specifies the mask for the associated IP subnet.
secondary  (Optional) Specifies that the configured IP address is a secondary address.
Defaults
If secondary is not specified, the configured address will be the primary address for the interface.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
Each SecureStack C3 system supports up to 24 routing interfaces, with up to 8 secondary
addresses allowed for each primary IP address.
Example
This example sets the IP address to 192.168.1.1 and the network mask to 255.255.255.0 for VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip address 192.168.1.1 255.255.255.0
show running-config
Use this command to display the non-default, user-supplied commands entered while configuring
the device.
Syntax
show running-config
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display the current router operating configuration:
C3(su)->router#show running-config
!
interface vlan 10
ip address 99.99.2.10 255.255.255.0
no shutdown
!
router ospf 1
network 99.99.2.0 0.0.0.255 area 0.0.0.0
network 192.168.100.1 0.0.0.0 area 0.0.0.0
no shutdown
Use this command to enable an interface for IP routing and to allow the interface to automatically
be enabled at device startup.
Syntax
no shutdown
shutdown
Parameters
None.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
The shutdown form of this command disables an interface for IP routing.
Example
This example shows how to enable VLAN 1 for IP routing:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#no shutdown
no ip routing
Use this command to disable IP routing on the device. By default, IP routing is enabled when
interfaces are configured for it as described in Configuring Routing Interface Settings on
page 19-1.
Syntax
no ip routing
Parameters
None.
Mode
Global configuration: C3(su)->router(Config)#
Defaults
None.
Example
This example shows how to disable IP routing on the device:
C3(su)->router(Config)#no ip routing
Configuring Tunnel Interfaces
Purpose
The commands in this section describe how to create, delete, and manage tunnel interfaces.
Several different types of tunnels provide functionality to facilitate the transition of IPv4 networks
to IPv6 networks. These tunnels are divided into two classes: configured and automatic. The
distinction is that configured tunnels are explicitly configured with a destination or endpoint of
the tunnel. Automatic tunnels, in contrast, infer the endpoint of the tunnel from the destination
address of packets routed into the tunnel.
For information about configuring IPv6 parameters on tunnel interfaces, such as an IPv6 address,
see Chapter 22, IPv6 Configuration.
Note: IPv6 routing must be enabled with an IPv6 routing license key in order for these commands
to be visible in the CLI.
Commands
For information about... Refer to page...
interface tunnel 19-8
tunnel source 19-9
tunnel destination 19-10
tunnel mode 19-10
show interface tunnel 19-11
interface tunnel
Use this command to configure a tunnel interface.
Syntax
interface tunnel tunnel-id
no interface tunnel tunnel-id
Parameters
tunnel-id  Specifies the number of the tunnel interface to be configured for
routing. The value of tunnel-id can range from 0 to 7.
Defaults
None.
Mode
Router global configuration mode: C3(su)->router(Config)#
Usage
This command enables tunnel interface configuration mode from global configuration mode, and,
if the interface has not previously been created, this command creates a new tunnel routing
interface.
The no form of this command removes the tunnel interface and associated configuration
parameters.
Example
This example creates a configured tunnel interface 1.
C3(su)->router(Config)# interface tunnel 1
C3(su)->router(Config-if(Tnnl 1))#
tunnel source
This command specifies the IPv4 source transport address of the tunnel.
Syntax
tunnel source {ipv4-addr | interface vlan vlan-id}
no tunnel source
Parameters
ipv4-addr  The IPv4 source address of the tunnel.
interface vlan vlan-id  Specify an interface to use a link-local address. The VLAN must be
configured in switch mode.
Defaults
None.
Mode
Router interface configuration: C3(su)->router(Config-if(Tnnl 1))#
Usage
The no form of this command removes the source IPv4 address for the tunnel interface being
configured.
Example
The following example configures the source IPv4 address for tunnel 1.
C3(su)->router(Config)# interface tunnel 1
C3(su)->router(Config-if(Tnnl 1))#
C3(su)->router(Config-if(Tnnl 1))# tunnel source 192.168.10.10
tunnel destination
This command specifies the IPv4 destination transport address of the tunnel.
Syntax
tunnel destination ipv4-addr
no tunnel destination
Parameters
ipv4-addr  The IPv4 destination address of the tunnel.
Defaults
None.
Mode
Router interface configuration: C3(su)->router(Config-if(Tnnl 1))#
Usage
The no form of this command removes the destination IPv4 address for the tunnel interface being
configured.
Example
The following example configures the destination IPv4 address for tunnel 1.
C3(su)->router(Config)# interface tunnel 1
C3(su)->router(Config-if(Tnnl 1))#
C3(su)->router(Config-if(Tnnl 1))# tunnel destination 192.168.10.20
tunnel mode
This command specifies the mode of the tunnel interface.
Syntax
tunnel mode ipv6ip
no tunnel mode ipv6ip
Parameters
ipv6ip  Specifies that the tunnel mode is IPv6 over IPv4.
Defaults
None.
Mode
Router interface configuration: C3(su)->router(Config-if(Tnnl 1))#
Usage
The no form of this command removes the mode of the tunnel.
Example
This example sets the tunnel mode to IPv6 over IPv4.
C3(su)->router(Config)# interface tunnel 1
C3(su)->router(Config-if(Tnnl 1))#
C3(su)->router(Config-if(Tnnl 1))# tunnel mode ipv6ip
show interface tunnel
This command displays information about a configured tunnel interface.
Syntax
show interface tunnel tunnel-id
Parameters
tunnel-id  Specifies the tunnel for which to display information.
Defaults
None.
Mode
Router global configuration: C3(su)->router(Config)#
Router privileged exec: C3(su)->router#
Usage
Use this command to display general interface information. Refer to Chapter 22, IPv6
Configuration for a description of the show ipv6 interface tunnel command.
Example
This example shows the output of this command.
C3(su)->router(Config)#show interface tunnel 1
Tunnel 1 is Operationally DOWN
The name of this device is Tunnel 1
The MTU is 1480 bytes
Reviewing and Configuring the ARP Table
Purpose
To review and configure the routing ARP table, to enable proxy ARP on an interface, and to set a
MAC address on an interface.
Commands
For information about... Refer to page...
show ip arp 19-12
arp 19-13
ip proxy-arp 19-14
arp timeout 19-15
clear arp-cache 19-15
show ip arp
Use this command to display entries in the ARP (Address Resolution Protocol) table. ARP
converts an IP address into a physical address.
Syntax
show ip arp [ip-address] | [vlan vlan-id] | [output-modifier]
Parameters
ip-address  (Optional) Displays ARP entries related to a specific IP address.
vlan vlan-id  (Optional) Displays only ARP entries learned through a specific VLAN
interface. This VLAN must be configured for IP routing as described in
Pre-Routing Configuration Tasks on page 18-1.
output-modifier  (Optional) Displays ARP entries within a specific range. Options are:
| begin ip-address  Displays only ARP entries that begin with the specified IP address.
| exclude ip-address  Excludes ARP entries matching the specified IP address.
| include ip-address  Includes ARP entries matching the specified IP address.
Defaults
If no parameters are specified, all entries in the ARP cache will be displayed.
Mode
Any router mode.
Example
This example shows how to use the show ip arp command:
C3(su)->router#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
---------------------------------------------------------------------
Internet  134.141.235.251  0          0003.4712.7a99  ARPA  Vlan1
Internet  134.141.235.165  -          0002.1664.a5b3  ARPA  Vlan1
Internet  134.141.235.167  4          00d0.cf00.4b74  ARPA  Vlan2
C3(su)->router#show ip arp 134.141.235.165
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
---------------------------------------------------------------------
Internet  134.141.235.165  -          0002.1664.a5b3  ARPA  Vlan2
C3(su)->router#show ip arp vlan 2
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
---------------------------------------------------------------------
Internet  134.141.235.251  0          0003.4712.7a99  ARPA  Vlan2
Table 19-2 provides an explanation of the command output.
Table 19-2 show ip arp Output Details
Output Field  What It Displays...
Protocol  ARP entry's type of network address.
Address  Network address mapped to the entry's MAC address.
Age (min)  Interval (in minutes) since the entry was entered in the table.
Hardware Addr  MAC address mapped to the entry's network address.
Type  Encapsulation type used for the entry's network address.
Interface  Interface (VLAN or loopback) through which the entry was learned.
arp
Use this command to add or remove permanent (static) ARP table entries. Up to 1,000 static ARP
entries are supported per SecureStack C3 system. A multicast MAC address can be used in a static
ARP entry. The no form of this command removes the specified permanent ARP entry:
Syntax
arp ip-address mac-address
no arp ip-address
Parameters
ip-address  Specifies the IP address of a device on the network. Valid values are IP
addresses in dotted decimal notation.
mac-address  Specifies the 48-bit hardware address corresponding to the ip-address
expressed in hexadecimal notation.
Defaults
None.
Mode
Global configuration: C3(su)->router(Config)#
Usage
The IP address specified for the static ARP entry must fall within one of the subnets or networks
defined on the routed interfaces of the system (or stack, if applicable). The system can then match
the IP address of the static ARP entry with the appropriate routed interface and associate it with
the correct VLAN.
Example
This example shows how to add a permanent ARP entry for the IP address 130.2.3.1 and MAC
address 0003.4712.7a99:
C3(su)->router(Config)#arp 130.2.3.1 0003.4712.7a99
ip proxy-arp
Use this command to enable proxy ARP on an interface. The no form of this command disables
proxy ARP.
Syntax
ip proxy-arp
no ip proxy-arp
Parameters
None.
Defaults
Disabled.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
This variation of the ARP protocol allows the router to send an ARP response on behalf of an end
node to the requesting host. Proxy ARP can be used to resolve routing issues on end stations that
are unable to route in the subnetted environment. The SecureStack C3 will answer to ARP
requests on behalf of targeted end stations on neighboring networks. It is disabled by default.
Example
This example shows how to enable proxy ARP on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip proxy-arp
arp timeout
Use this command to set the duration (in seconds) for dynamically learned entries to remain in the
ARP table before expiring. The no form of this command restores the default value of 14,400
seconds.
Syntax
arp timeout seconds
no arp timeout
Parameters
seconds  Specifies the time in seconds that an entry remains in the ARP cache. Valid
values are 0-65535. A value of 0 specifies that ARP entries will never be
aged out.
Defaults
14,400 seconds.
Mode
Global configuration: C3(su)->router(Config)#
Example
This example shows how to set the ARP timeout to 7200 seconds:
C3(su)->router(Config)#arp timeout 7200
clear arp-cache
Use this command to delete all non-static (dynamic) entries from the ARP table.
Syntax
clear arp-cache
Parameters
None.
Mode
Privileged EXEC: C3(su)->router#
Defaults
None.
Example
This example shows how to delete all dynamic entries from the ARP table:
C3(su)->router#clear arp-cache
Configuring Broadcast Settings
Purpose
To configure IP broadcast settings. By default, interfaces on the SecureStack C3 do not forward
broadcast packets.
Commands
For information about... Refer to page...
ip directed-broadcast 19-16
ip forward-protocol 19-17
ip helper-address 19-18
ip directed-broadcast
Use this command to enable or disable IP directed broadcasts on an interface. By default,
interfaces on the SecureStack C3 do not forward directed broadcasts. The no form of this
command disables IP directed broadcast on the interface.
Syntax
ip directed-broadcast
no ip directed-broadcast
Parameters
None.
Defaults
None.
Mode
Interface configuration: C3(su)->Router1(Config-if(Vlan 1))#
Usage
Directed broadcast is an efficient mechanism for communicating with multiple hosts on a network
while only transmitting a single datagram. A directed broadcast is a packet sent to all hosts on a
specific network or subnet. The directed broadcast address includes the network or subnet fields,
with the binary bits of the host portion of the address set to one. For example, for a network with
the address 192.168.0.0/16, the directed broadcast address would be 192.168.255.255. For a subnet
with the address 192.168.12.0/24, the directed broadcast address would be 192.168.12.255.
In order to minimize broadcast DoS attacks, forwarding of directed broadcasts is disabled by
default on the SecureStack C3, as recommended by RFC 2644.
If the ability to send directed broadcasts to a network is required, you should enable directed
broadcasts only on the one interface that will be transmitting the datagrams. For example, if a
SecureStack C3 has five routed interfaces for the 10, 20, 30, 40, and 50 networks, enabling directed
broadcast only on the 30 network interface will allow anyone from any other networks (10, 20, 40,
50) to send directed broadcast to the 30 network.
Example
This example shows how to enable IP directed broadcasts on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip directed-broadcast
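The following added example (not part of the Enterasys guide) audits router configuration text for interfaces where ip directed-broadcast is enabled and lists the directed broadcast addresses each one exposes, computed as described in the Usage text above. The sample configuration, the function names and the allowed list of approved interfaces are assumptions made for the example.

```python
import ipaddress

# Constructed sample, laid out like the guide's "show running-config" output.
SAMPLE_CONFIG = """\
!
interface vlan 10
ip address 10.10.0.1 255.255.255.0
no shutdown
!
interface vlan 30
ip address 10.30.0.1 255.255.255.0
ip address 10.31.0.1 255.255.0.0 secondary
ip directed-broadcast
no shutdown
!
interface vlan 50
ip address 10.50.0.1 255.255.255.0
ip directed-broadcast
no shutdown
!
router ospf 1
network 10.10.0.0 0.0.0.255 area 0.0.0.0
"""


def directed_broadcast(ip, mask):
    """Directed broadcast address: network bits kept, host bits all set to one."""
    return str(ipaddress.IPv4Interface(f"{ip}/{mask}").network.broadcast_address)


def parse_interfaces(config_text):
    """Map each interface block to its IP subnets and directed-broadcast state."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = " ".join(raw.split())            # normalise whitespace
        if line.startswith("interface "):
            name = line[len("interface "):]
            current = interfaces.setdefault(
                name, {"addresses": [], "directed_broadcast": False})
        elif line == "!" or not line:
            current = None                      # end of the interface block
        elif current is None:
            continue                            # global or routing-protocol line
        elif line.startswith("ip address "):
            parts = line.split()
            current["addresses"].append((parts[2], parts[3]))
        elif line == "ip directed-broadcast":
            current["directed_broadcast"] = True
        elif line == "no ip directed-broadcast":
            current["directed_broadcast"] = False
    return interfaces


def audit_directed_broadcast(config_text, allowed=()):
    """Return (interface, [broadcast addresses]) for every interface that
    forwards directed broadcasts and is not on the approved list."""
    findings = []
    for name, info in parse_interfaces(config_text).items():
        if info["directed_broadcast"] and name not in allowed:
            targets = [directed_broadcast(ip, mask) for ip, mask in info["addresses"]]
            findings.append((name, targets))
    return findings


if __name__ == "__main__":
    # Policy assumed for the example: only vlan 30 is approved.
    for name, targets in audit_directed_broadcast(SAMPLE_CONFIG, allowed=("vlan 30",)):
        print(f"{name}: directed broadcast enabled, reachable targets {targets}")
```

Secondary addresses are included because each configured subnet on the interface has its own directed broadcast address.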
ip forward-protocol
Use this command to enable UDP broadcast forwarding and specify which protocols will be
forwarded.
Syntax
ip forward-protocol udp [port]
no ip forward-protocol udp [port]
Parameters
udp  Specifies UDP as the IP forwarding protocol.
port  (Optional) Specifies a destination port that controls which UDP services
are forwarded.
Defaults
If port is not specified, the following defaults are used:
Trivial File Transfer Protocol (TFTP) (port 69)
Domain Naming System (port 53)
Time service (port 37)
NetBIOS Name Server (port 137)
NetBIOS Datagram Server (port 138)
TACACS service (port 49)
EN-116 Name Service (port 42)
Mode
Router command, Global configuration: C3(su)->router(Config)#
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
In order to actually forward protocols, you must configure an IP helper address on the individual
router interfaces with the command ip helper-address (page 19-18).
If a certain service exists inside the node, and there is no need to forward the request to remote
networks, the no form of this command should be used to disable the forwarding for the specific
port. Such requests will not be automatically blocked from being forwarded just because a service
for them exists in the node.
The no form of this command removes a UDP port or protocol, disabling forwarding.
Examples
The following example globally disables IP forwarding for UDP port 69.
C3(su)->router(Config)#no ip forward-protocol udp 69
The following example disables IP forwarding for UDP port 69 on a specific interface.
C3(su)->router(Config)#interface vlan 10
C3(su)->router(Config-if(Vlan 10))#no ip forward-protocol udp 69
ip helper-address
Use this command to enable the DHCP/BOOTP relay agent on a SecureStack C3 routed interface
and/or to forward broadcast traffic identified with the ip forward-protocol command to a unicast
address. Enabling the relay agent allows forwarding of client DHCP/BOOTP requests to a DHCP/
BOOTP server that does not reside on the same broadcast domain as the client. Up to 6 IP helper
addresses may be configured per interface.
The no form of this command disables the forwarding of UDP datagrams to the specified address.
Syntax
ip helper-address address
no ip helper-address address
Parameters
address  Address of the host where UDP broadcast packets should be forwarded.
Defaults
None.
Mode
Interface configuration: C3(su)->Router1(Config-if(Vlan 1))#
Usage
Typically for DHCP/BOOTP, when a host requests an IP address, it sends out a DHCP broadcast
packet. Normally, the router drops all broadcast packets. However, by executing this command,
you enable the routed interface to pass DHCP broadcast frames through, sending them directly to
the remote DHCP server's IP address.
The DHCP/BOOTP relay agent will detect DHCP/BOOTP requests based on UDP source and
destination ports. It will then make the necessary changes to the packet and send the packet to the
DHCP server. The changes include:
Replacing the destination IP address with the address of the DHCP server,
Replacing the source IP address with its own address (that is, the IP address of the local
routed interface), and
Within the BOOTP part of the packet, changing the Relay Agent IP address from 0.0.0.0 to the
address of the local routed interface.
The last change to the BOOTP packet tells the DHCP server that it needs to assign an IP address
that is in the same subnet as the Relay Agent IP. When the response comes from the server, the
DHCP/BOOTP relay agent sends it to the host.
For other protocols specified through the ip forward-protocol command, the system forwards
broadcast UDP traffic as a unicast packet to the specified IP addresses.
Example
This example shows how to have all client DHCP requests for users in VLAN 1 forwarded to
the remote DHCP server with IP address 192.168.1.28.
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip helper-address 192.168.1.28
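The following added example (a model written for this section, not the switch firmware) applies the three relay changes listed in the Usage text to a constructed client request and then shows how a DHCP server can pick the lease subnet from the Relay Agent IP (giaddr) field. The packet dictionary layout, the function names, the interface address 10.1.1.1 and the scope list are assumptions; leaving an already non-zero giaddr untouched follows RFC 1542 and is not stated in the guide.

```python
import ipaddress
import struct

BOOTP_FIXED_LEN = 236     # fixed BOOTP fields (op .. file) before the options
GIADDR_OFFSET = 24        # op/htype/hlen/hops, xid, secs/flags, ciaddr, yiaddr, siaddr
BOOTREQUEST = 1
SERVER_PORT, CLIENT_PORT = 67, 68


def build_client_request(xid, client_mac):
    """Constructed sample input: a broadcast client request with giaddr 0.0.0.0."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4),
                        chaddr, bytes(64), bytes(128))
    # DHCP magic cookie, option 53 (message type) = DISCOVER, end option
    return fixed + bytes([99, 130, 83, 99, 53, 1, 1, 255])


def giaddr_of(payload):
    """Relay Agent IP address carried in the BOOTP part of the packet."""
    return str(ipaddress.IPv4Address(payload[GIADDR_OFFSET:GIADDR_OFFSET + 4]))


def relay_request(packet, helper_address, interface_address):
    """Apply the relay changes; return None for traffic that is not a client request.

    packet is a dict with src_ip, dst_ip, src_port, dst_port and payload (bytes).
    """
    payload = packet["payload"]
    # Detection is based on the UDP source and destination ports.
    if packet["src_port"] != CLIENT_PORT or packet["dst_port"] != SERVER_PORT:
        return None
    if len(payload) < BOOTP_FIXED_LEN or payload[0] != BOOTREQUEST:
        return None
    out = bytearray(payload)
    if payload[GIADDR_OFFSET:GIADDR_OFFSET + 4] == bytes(4):
        # Change the Relay Agent IP from 0.0.0.0 to the local routed interface.
        out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = ipaddress.IPv4Address(interface_address).packed
    # Destination becomes the DHCP server, source becomes the routed interface.
    return dict(packet, src_ip=interface_address, dst_ip=helper_address, payload=bytes(out))


def select_scope(payload, scopes):
    """Server side: choose the configured subnet that contains the Relay Agent IP."""
    relay_ip = ipaddress.IPv4Address(payload[GIADDR_OFFSET:GIADDR_OFFSET + 4])
    for scope in scopes:
        if relay_ip in ipaddress.IPv4Network(scope):
            return scope
    return None


if __name__ == "__main__":
    request = {"src_ip": "0.0.0.0", "dst_ip": "255.255.255.255",
               "src_port": CLIENT_PORT, "dst_port": SERVER_PORT,
               "payload": build_client_request(0x1234ABCD, "00:01:22:33:44:55")}
    relayed = relay_request(request, "192.168.1.28", "10.1.1.1")
    print(relayed["src_ip"], "->", relayed["dst_ip"], "giaddr", giaddr_of(relayed["payload"]))
    print("lease scope:", select_scope(relayed["payload"], ["10.1.1.0/24", "10.2.0.0/16"]))
```

Because the server trusts giaddr to choose the subnet, a request that reaches it with an unexpected Relay Agent IP is worth logging on the server side.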
Reviewing IP Traffic and Configuring Routes
Purpose
To review IP traffic and configure routes, to send router ICMP (ping) messages, and to execute
traceroute.
Commands
For information about...    Refer to page...
show ip route               19-19
ip route                    19-21
ping                        19-21
traceroute                  19-22
show ip route
Use this command to display information about IP routes.
Syntax
show ip route [destination-prefix [destination-prefix-match] | connected | ospf |
rip | static | summary]
Parameters
destination-prefix
destination-prefix-match    (Optional) Converts the specified address and mask into a prefix and
                            displays any routes that match the prefix.
connected                   (Optional) Displays connected routes.
ospf                        (Optional) Displays routes configured for the OSPF routing protocol. For
                            details on configuring OSPF, refer to Configuring OSPF on page 20-11.
rip                         (Optional) Displays routes configured for the RIP routing protocol. For
                            details on configuring RIP, refer to Configuring RIP on page 20-2.
static                      (Optional) Displays static routes.
summary                     (Optional) Displays a summary of the IP routing table.
Defaults
If no parameters are specified, all IP route information will be displayed.
Mode
Any router mode.
Usage
The routing table contains all active static routes, all the RIP routes, and up to three best OSPF
routes learned for each network.
Example
This example shows how to use the show ip route command to display all IP route information. A
portion of the output is shown:
C3(su)->router#show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, IA - OSPF interarea
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
E - EGP, i - IS-IS, L1 - IS-IS level-1, LS - IS-IS level-2
* - candidate default, U - per user static route
IA  1.255.255.248/29 [10/30] via 168.0.0.249, Vlan 3205
O   2.0.0.0/10 [8/30] via 168.1.0.254, Vlan 1200
O   2.224.0.0/11 [8/30] via 168.1.0.254, Vlan 1200
C   7.15.0.0/24 [0/0] directly connected, Vlan 715
O   11.11.12.12/32 [8/30] via 168.0.0.249, Vlan 3205
O   11.11.13.13/32 [8/10] via 168.1.0.249, Vlan 1300
O   11.11.16.16/32 [8/20] via 168.0.0.249, Vlan 3205
E2  11.11.17.17/32 [150/20] via 168.0.0.249, Vlan 3205
IA  11.11.21.21/32 [10/30] via 168.0.0.249, Vlan 3205
IA  11.11.22.22/32 [10/30] via 168.0.0.249, Vlan 3205
E2  11.11.24.24/32 [150/20] via 168.0.0.249, Vlan 3205
O   11.11.25.25/32 [8/20] via 168.0.0.249, Vlan 3205
C   11.11.26.26/32 [0/0] directly connected, Loopback 0
O   11.11.27.27/32 [8/10] via 168.1.0.254, Vlan 1200
O   11.11.28.28/32 [8/20] via 168.1.0.254, Vlan 1200
E2  12.0.0.0/17 [150/20] via 168.0.0.249, Vlan 3205
E2  19.0.0.0/30 [150/20] via 168.0.0.249, Vlan 3205
IA  20.0.0.0/24 [10/40] via 168.0.0.249, Vlan 3205
E2  22.22.0.0/16 [150/20] via 168.0.0.249, Vlan 3205
E2  22.22.10.0/24 [150/20] via 168.0.0.249, Vlan 3205
E2  22.22.12.0/24 [150/20] via 168.0.0.249, Vlan 3205
O   22.22.13.0/24 [8/30] via 168.1.0.254, Vlan 1200
E2  22.22.14.0/24 [150/20] via 168.0.0.249, Vlan 3205
O   22.22.15.0/24 [8/20] via 168.1.0.249, Vlan 1300 via 168.1.0.254, Vlan 1200
E2  22.22.16.0/24 [150/20] via 168.0.0.249, Vlan 3205
E2  22.22.17.0/24 [150/20] via 168.0.0.249, Vlan 3205
O   22.22.18.0/24 [8/30] via 168.1.0.254, Vlan 1200
O   22.22.19.0/24 [8/20] via 168.1.0.249, Vlan 1300 via 168.1.0.254, Vlan 1200
IA  22.22.20.0/24 [10/40] via 168.0.0.249, Vlan 3205
IA  22.22.21.0/24 [10/50] via 168.0.0.249, Vlan 3205
IA  22.22.22.0/24 [10/30] via 168.0.0.249, Vlan 3205
O   22.22.23.0/24 [8/30] via 168.0.0.249, Vlan 3205
IA  22.22.24.0/24 [10/40] via 168.0.0.249, Vlan 3205
E2  22.22.25.0/24 [150/20] via 168.0.0.249, Vlan 3205
E2  22.22.26.0/24 [150/20] via 168.0.0.249, Vlan 3205
C   22.22.27.0/24 [0/0] directly connected, Vlan 4027
O   22.22.28.0/24 [8/20] via 168.1.0.249, Vlan 1300 via 168.1.0.254, Vlan 1200
E2  22.22.29.0/24 [150/20] via 168.0.0.249, Vlan 3205
C   26.0.0.0/8 [0/0] directly connected, Vlan 26
O   33.9.8.0/28 [8/20] via 168.1.0.254, Vlan 1200
E2  33.33.0.0/16 [150/20] via 168.0.0.249, Vlan 3205
ip route
Use this command to add or remove a static IP route. The no form of this command removes the
static IP route.
Syntax
ip route prefix mask dest-addr [distance]
no ip route prefix mask forward-addr
Parameters
prefix       Specifies a destination IP address prefix.
mask         Specifies a destination prefix mask.
dest-addr    Specifies a forwarding (gateway) IP address.
distance     (Optional) Specifies an administrative distance metric for this route. Valid
             values are 1 (default) to 255. Routes with lower values receive higher
             preference in route selection.
Defaults
If distance is not specified, the default value of 1 will be applied.
Mode
Global configuration: C3(su)->router(Config)#
Example
This example shows how to set IP address 10.1.2.3 as the next hop gateway to destination address
10.0.0.0:
C3(su)->router(Config)#ip route 10.0.0.0 255.0.0.0 10.1.2.3
ping
Use this command to test routing network connectivity by sending IP ping requests.
Syntax
ping ip-address
Parameters
ip-address    Specifies the IP address of the system to ping.
Defaults
None.
Mode
Privileged EXEC: C3(su)->router#
Usage
This command is also available in switch mode.
Examples
This example shows output from a successful ping to IP address 182.127.63.23:
C3(su)->router#ping 182.127.63.23
182.127.63.23 is alive
This example shows output from an unsuccessful ping to IP address 182.127.63.24:
C3(su)->router#ping 182.127.63.24
no answer from 182.127.63.24
traceroute
Use this command to display a hop-by-hop path through an IP network from the device to a
specific destination host. Three ICMP probes will be transmitted for each hop between the source
and the traceroute destination.
Syntax
traceroute host
Parameters
host    Specifies a host to which the route of an IP packet will be traced.
Defaults
None.
Mode
Privileged EXEC: C3(su)->router#
Usage
There is also a traceroute command available in switch mode.
Example
This example shows how to use traceroute to display a round trip path to host 192.141.90.183.
C3(su)->router#traceroute 192.141.90.183
Traceroute to 192.141.90.183, 30 hops max, 40 byte packets
1 10.1.56.1 0.000 ms 0.000 ms 0.000 ms
2 10.1.48.254 10.000 ms 0.000 ms 0.000 ms
3 10.1.0.2 0.000 ms 0.000 ms 0.000 ms
4 192.141.89.17 0.000 ms 0.000 ms 10.000 ms
5 192.141.100.13 0.000 ms 10.000 ms 0.000 ms
6 192.141.100.6 0.000 ms 0.000 ms 10.000 ms
7 192.141.90.183 0.000 ms 0.000 ms 0.000 ms
Configuring ICMP Redirects
Purpose
Disable or enable sending ICMP redirect packets to the switch CPU for processing, at a global
level and at an interface level. By default, sending ICMP redirects is enabled globally and on all
interfaces. Disabling sending ICMP redirects can reduce CPU usage in certain deployments.
Commands
For information about...    Refer to page...
ip icmp redirect enable     19-23
show ip icmp redirect       19-24
ip icmp redirect enable
Use this command to enable or disable sending ICMP redirects to the CPU for processing on a
global level or on a specific interface. The no form of this command disables sending ICMP
redirects to the CPU.
Syntax
ip icmp redirect enable
no ip icmp redirect enable
Parameters
None.
Defaults
By default, sending ICMP redirects to the CPU is enabled globally and on all interfaces.
Mode
Router global configuration mode: C3(su)->router(Config)#
Interface configuration mode: C3(su)->Router1(Config-if(Vlan 1))#
Usage
You can use this command in router global configuration mode to enable or disable sending ICMP
redirects globally on the switch.
You can use this command in router interface configuration mode to enable or disable sending
ICMP redirects only on specific interfaces.
Examples
This example disables sending ICMP redirects on the interface VLAN 5.
C3(su)->router#configure
C3(su)->router(Config)#interface vlan 5
C3(su)->Router1(Config-if(Vlan 5))# no ip icmp redirect enable
This example disables sending ICMP redirects globally.
C3(su)->router#configure
C3(su)->router(Config)#no ip icmp redirect enable
show ip icmp redirect
Use this command to display the status of sending ICMP redirects at a global or interface level.
Syntax
show ip icmp redirect {status | interface [vlan vlan-id]}
Parameters
status          Display the global ICMP redirect status.
interface       Display ICMP redirect status for interfaces.
vlan vlan-id    (Optional) Display ICMP redirect status for the specified VLAN.
Defaults
If no VLAN is specified with the interface parameter, information for all VLAN interfaces is
displayed.
Mode
Privileged EXEC mode: C3(su)->router#
Router global configuration mode: C3(su)->router(Config)#
Examples
This example displays the global ICMP redirect status.
C3(su)->router#show ip icmp redirect status
Global ICMP Redirect status - Enabled
This example displays the ICMP redirect status for VLAN 5.
C3(su)->router#show ip icmp redirect interface vlan 5
Vlan Id Admin Status
------- ------------
5       Enabled
20
IPv4 Routing Protocol Configuration
This chapter describes the IPv4 Routing Protocol Configuration set of commands and how to use
them.
Activating Advanced Routing Features
In order to enable advanced routing protocols, such as OSPF, DVMRP, VRRP, and PIM-SM, on a
SecureStack C3 device, you must purchase and activate a license key. If you have purchased an
advanced routing license, and have enabled routing on the device, you can activate your license as
described in the chapter entitled Activating Licensed Features.
If you are stacking your devices and require advanced routing features, all devices in the stack
must have a valid license.
If you wish to purchase an advanced routing license, contact Enterasys Networks Sales.
Router: The commands covered in this chapter can be executed only when the device is in router
mode. For details on how to enable router configuration modes, refer to Enabling Router
Configuration Modes on page 18-2.
For information about... Refer to page...
Activating Advanced Routing Features 20-1
Configuring RIP 20-2
Configuring OSPF 20-11
Configuring DVMRP 20-33
Configuring IRDP 20-37
Configuring VRRP 20-42
Configuring PIM-SM 20-49
Note: The command prompts used in examples throughout this guide show a system where the
VLAN 1 interface has been configured for routing. The prompt changes depending on your current
configuration mode, your specific device, and the interface types and numbers configured for
routing on your system.
Configuring RIP
Purpose
To enable and configure the Routing Information Protocol (RIP).
RIP Configuration Task List and Commands
Table 20-1 lists the tasks and commands associated with RIP configuration. Commands are
described in the associated section as shown.
Table 20-1 RIP Configuration Task List and Commands
To do this...                              Use these commands...
Enable RIP configuration mode.             router rip on page 20-2
Enable RIP on an interface.                ip rip enable on page 20-3
Configure an administrative distance.      distance on page 20-3
Allow reception of a RIP version.          ip rip send version on page 20-4
Allow transmission of a RIP version.       ip rip receive version on page 20-5
Configure RIP simple authentication.       ip rip authentication-key on page 20-5
Configure RIP encrypted authentication.    ip rip message-digest-key on page 20-6
Disable automatic route summarization      no auto-summary on page 20-7
(necessary for enabling CIDR)
Activate split horizon or poison-reverse.  split-horizon poison on page 20-7
Suppress sending routing updates.          passive-interface on page 20-8
Control reception of routing updates       receive-interface on page 20-9
Control advertising non-RIP routes.        redistribute on page 20-9
router rip
Use this command to enable or disable RIP configuration mode. The no form of this command
disables RIP.
Syntax
router rip
no router rip
Parameters
None.
Defaults
None.
Mode
Global configuration: C3(su)->router(Config)#
Usage
You must execute the router rip command to enable the protocol before completing many RIP-
specific configuration tasks. For details on enabling configuration modes, refer to Table 18-2 in
Enabling Router Configuration Modes on page 18-2.
Example
This example shows how to enable RIP:
C3(su)->router#configure
C3(su)->router(Config)#router rip
C3(su)->router(Config-router)#
ip rip enable
Use this command to enable RIP on an interface. The no form of this command disables RIP on an
interface. By default, RIP is disabled on all interfaces.
Syntax
ip rip enable
no ip rip enable
Parameters
None.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable RIP on the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip rip enable
distance
Use this command to configure the administrative distance for RIP routes. The no form of this
command resets RIP administrative distance to the default value of 120.
Syntax
distance weight
no distance [weight]
Parameters
weight    Specifies an administrative distance for RIP routes. Valid values are 1 - 255.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
If several routes (coming from different protocols) are presented to the SecureStack C3, the
protocol with the lowest administrative distance will be chosen for route installation. By default,
RIP administrative distance is set to 120. The distance command can be used to change this value,
resetting RIP's route preference in relation to other routes as shown in the table below.
Route Source    Default Distance
Connected       0
Static          1
OSPF            110
RIP             120
Example
This example shows how to change the default administrative distance for RIP to 100:
C3(su)->router(Config)#router rip
C3(su)->router(Config-router)#distance 100
ip rip send version
Use this command to set the RIP version for RIP update packets transmitted out an interface. The
no version of this command sets the version of the RIP update packets to RIPv1.
Syntax
ip rip send version {1 | 2 | r1compatible}
no ip rip send version
Parameters
1               Specifies RIP version 1. This is the default setting.
2               Specifies RIP version 2.
r1compatible    Specifies that packets be sent as version 2 packets, but transmits these as
                broadcast packets rather than multicast packets so that systems which only
                understand RIP version 1 can receive them.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the RIP send version to 2 for packets transmitted on the VLAN 1
interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip rip send version 2
ip rip receive version
Use this command to set the RIP version(s) for RIP update packets accepted on an interface. The
no version of this command sets the acceptable receive version of the RIP update packets to RIPv1.
Syntax
ip rip receive version {1 | 2 | 1 2 | none}
no ip rip receive version
Parameters
1       Specifies RIP version 1. This is the default setting.
2       Specifies RIP version 2.
1 2     Specifies RIP versions 1 and 2.
none    Specifies that no RIP routes will be processed on this interface.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Defaults
None.
Example
This example shows how to set the RIP receive version to 2 for update packets received on the
VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip rip receive version 2
ip rip authentication-key
Use this command to enable or disable a RIP authentication key (password) for use on an
interface. The no form of this command prevents RIP from using authentication.
Syntax
ip rip authentication-key name
no ip rip authentication-key
Parameters
name    Specifies the password to enable or disable for RIP authentication.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the RIP authentication key chain to password on the VLAN 1
interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip rip authentication-key password
ip rip message-digest-key
Use this command to enable or disable a RIP MD5 authentication key (password) for use on an
interface. The no form of this command prevents RIP from using authentication.
Syntax
ip rip message-digest-key keyid md5 key
no ip rip message-digest-key keyid
Parameters
keyid    Specifies the key ID to enable or disable for RIP authentication. Valid values
         are 1 to 255.
md5      Specifies use of the MD5 algorithm.
key      Specifies the RIP authentication password.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Defaults
None.
Examples
This example shows how to set the MD5 authentication ID to 5 for the RIP authentication key set
on the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip rip message-digest-key 5 md5 password
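The per-interface RIP commands above (ip rip enable, the send and receive version settings, ip rip authentication-key and ip rip message-digest-key) interact, so they are best reviewed together. The following added example is not part of the Enterasys guide: it audits constructed configuration text and reports, per VLAN interface, RIP running with version 1 still in use, with only the plaintext key, or with no key at all. The "interface vlan N ... exit" layout, the function names and the finding codes are assumptions; the commands and their defaults come from this guide, and the statement that RIPv1 updates have no authentication field comes from the RIP specifications.

```python
# Constructed sample; the "interface vlan N ... exit" layout is an assumption,
# the ip rip commands are the ones documented in this guide.
SAMPLE_CONFIG = """\
router rip
exit
interface vlan 1
ip rip enable
ip rip send version 2
ip rip receive version 2
ip rip message-digest-key 5 md5 password
exit
interface vlan 2
ip rip enable
ip rip send version 2
ip rip receive version 1 2
ip rip authentication-key password
exit
interface vlan 3
ip rip enable
exit
interface vlan 4
ip address 10.4.0.1 255.255.255.0
exit
"""

# Interface defaults stated in the guide: RIP disabled, send/receive version 1.
DEFAULTS = {"rip": False, "send": "1", "receive": ("1",),
            "simple_key": False, "md5_key": False}

FINDINGS = {
    "tx-v1": "sends RIPv1 updates, which have no authentication field",
    "rx-v1": "accepts RIPv1 updates, which have no authentication field",
    "simple-auth": "only ip rip authentication-key is set (password sent in clear)",
    "no-auth": "RIP is enabled with no authentication key",
}


def parse_rip_interfaces(config_text):
    """Return {vlan_id: settings} for every 'interface vlan N' block."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if len(words) == 3 and words[:2] == ["interface", "vlan"]:
            current = interfaces.setdefault(int(words[2]), dict(DEFAULTS))
            continue
        if words == ["exit"]:
            current = None
            continue
        if current is None:
            continue
        negated = words[:1] == ["no"]
        if negated:
            words = words[1:]
        if words[:2] != ["ip", "rip"]:
            continue
        args = words[2:]
        if args == ["enable"]:
            current["rip"] = not negated
        elif args[:2] == ["send", "version"]:
            # The no form falls back to version 1, as the guide states.
            current["send"] = args[2] if (len(args) == 3 and not negated) else "1"
        elif args[:2] == ["receive", "version"]:
            current["receive"] = tuple(args[2:]) if (len(args) > 2 and not negated) else ("1",)
        elif args[:1] == ["authentication-key"]:
            current["simple_key"] = not negated
        elif args[:1] == ["message-digest-key"]:
            current["md5_key"] = not negated
    return interfaces


def audit_rip(interfaces):
    """Return {vlan_id: [finding codes]} for RIP-enabled interfaces only."""
    report = {}
    for vlan, cfg in sorted(interfaces.items()):
        if not cfg["rip"]:
            continue
        findings = []
        if cfg["send"] == "1":
            findings.append("tx-v1")
        if "1" in cfg["receive"]:
            findings.append("rx-v1")
        if not cfg["md5_key"]:
            findings.append("simple-auth" if cfg["simple_key"] else "no-auth")
        if findings:
            report[vlan] = findings
    return report


if __name__ == "__main__":
    for vlan, codes in audit_rip(parse_rip_interfaces(SAMPLE_CONFIG)).items():
        for code in codes:
            print("vlan %d: %s" % (vlan, FINDINGS[code]))
```

The key values themselves are never stored or printed, so the report can be shared without exposing them.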
no auto-summary
Use this command to disable automatic route summarization.
Syntax
no auto-summary
auto-summary
Parameters
None.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
By default, RIP version 2 supports automatic route summarization, which summarizes
subprefixes to the classful network boundary when crossing network boundaries. Disabling
automatic route summarization enables CIDR, allowing RIP to advertise all subnets and host
routing information on the SecureStack C3 device. To verify which routes are summarized for an
interface, use the show ip route command as described in show ip route on page 19-19. The
reverse of the command re-enables automatic route summarization. By default, RIP auto-
summarization affects both RIPv1 and RIPv2 routes.
Note: This command is necessary for enabling CIDR for RIP on the SecureStack C3 device.
Example
This example shows how to disable RIP automatic route summarization:
C3(su)->router(Config)#router rip
C3(su)->router(Config-router)#no auto-summary
split-horizon poison
Use this command to enable or disable split horizon poison-reverse mode for RIP packets. The no
form of this command disables split horizon poison reverse.
Syntax
split-horizon poison
no split-horizon poison
Parameters
None.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
Split horizon prevents a network from being advertised out the same interface it was received on.
This function is disabled by default.
Example
This example shows how to disable split horizon poison reverse for RIP packets transmitted on
the VLAN 1 interface:
C3(su)->router(Config)#router rip
C3(su)->Router1(Config-router)#no split-horizon poison
passive-interface
Use this command to prevent RIP from transmitting update packets on an interface. The no form
of this command disables passive interface.
Syntax
passive-interface vlan vlan-id
no passive-interface vlan vlan-id
Parameters
vlan vlan-id    Specifies the number of the VLAN to make a passive interface. This VLAN
                must be configured for IP routing as described in Pre-Routing
                Configuration Tasks on page 18-1.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
This command does not prevent RIP from monitoring updates on the interface.
Example
This example shows how to set VLAN 2 as a passive interface. No RIP updates will be transmitted
on VLAN 2:
C3(su)->router(Config)#router rip
C3(su)->router(Config-router)#passive-interface vlan 2
receive-interface
Use this command to allow RIP to receive update packets on an interface. The no form of this
command denies the reception of RIP updates. By default, receiving is enabled on all routing
interfaces.
Syntax
receive-interface vlan vlan-id
no receive-interface vlan vlan-id
Parameters
vlan vlan-id    Specifies the number of the VLAN to make a receive interface. This VLAN
                must be configured for IP routing as described in Pre-Routing
                Configuration Tasks on page 18-1.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
This command does not affect the sending of RIP updates on the specified interface.
Example
This example shows how to deny the reception of RIP updates on VLAN 2:
C3(su)->router(Config)#router rip
C3(su)->router(Config-router)#no receive-interface vlan 2
redistribute
Use this command to allow routing information discovered through non-RIP protocols to be
distributed in RIP update messages. The no form of this command clears redistribution
parameters.
Syntax
redistribute {connected | ospf process-id | static} [metric metric value]
[subnets]
no redistribute {connected | ospf process-id | static}
Parameters
connected              Specifies that non-RIP routing information discovered via directly
                       connected interfaces will be redistributed.
ospf                   Specifies that OSPF routing information will be redistributed in RIP.
process-id             Specifies the process ID, an internally used identification number for each
                       instance of the OSPF routing process run on a router. Valid values are 1 to
                       65535.
static                 Specifies that non-RIP routing information discovered via static routes will
                       be redistributed. Static routes are those created using the ip route
                       command detailed in ip route on page 19-21.
metric metric value    (Optional) Specifies a metric for the connected, OSPF or static
                       redistribution route. This value should be consistent with the designation
                       protocol.
subnets                (Optional) Specifies that connected, OSPF or static routes that are
                       subnetted will be redistributed.
Mode
Router configuration: C3(su)->router(Config-router)#
Defaults
If metric value is not specified, 1 will be applied.
If subnets is not specified, only non-subnetted routes will be redistributed.
Example
This example shows how to redistribute routing information discovered through static routes
into RIP update messages:
C3(su)->router(Config)#router rip
C3(su)->router(Config-router)#redistribute static
Configuring OSPF
* Advanced License Required *
OSPF is an advanced routing feature that must be enabled with a license key. If you have purchased an
advanced license key, and have enabled routing on the device, you must activate your license as described in
the chapter entitled Activating Licensed Features in order to enable the OSPF command set. If you wish to
purchase an advanced routing license, contact Enterasys Networks Sales.
Purpose
To enable and configure the Open Shortest Path First (OSPF) routing protocol.
OSPF Configuration Task List and Commands
Table 20-2 lists the tasks and commands associated with OSPF configuration. Commands are
described in the associated section as shown.
Table 20-2 OSPF Configuration Task List and Commands
To do this...                                    Use these commands...
If necessary, activate your advanced routing     See the Activating Licensed Features chapter.
license.
Enable OSPF configuration mode.                  router id on page 20-12
                                                 router ospf on page 20-13
Enable or disable RFC 1583 compatibility.        1583compatibility on page 20-13
Configure OSPF Interface Parameters.
  Enable OSPF on the interface.                  ip ospf enable on page 20-14
  Configure an OSPF area.                        ip ospf areaid on page 20-14
  Set the cost of sending a packet on an         ip ospf cost on page 20-15
  OSPF interface.
  Set a priority to help determine the OSPF      ip ospf priority on page 20-15
  designated router for the network.
  Adjust timers and message intervals.           timers spf on page 20-16
                                                 ip ospf retransmit-interval on page 20-17
                                                 ip ospf transmit-delay on page 20-17
                                                 ip ospf hello-interval on page 20-18
                                                 ip ospf dead-interval on page 20-18
  Configure OSPF authentication.                 ip ospf authentication-key on page 20-19
                                                 ip ospf message digest key md5 on page 20-20
Configure OSPF Areas.
  Configure an administrative distance.          distance ospf on page 20-20
  Define the range of addresses to be used       area range on page 20-21
  by Area Boundary Routers (ABRs).
  Define an area as a stub area.                 area stub on page 20-22
  Set the cost value for the default route that  area default cost on page 20-23
  is sent into a stub area.
  Define an area as an NSSA.                     area nssa on page 20-23
  Create virtual links.                          area virtual-link on page 20-24
  Enable redistribution from non-OSPF            redistribute on page 20-25
  routes.
Monitor and maintain OSPF.                       show ip ospf on page 20-26
                                                 show ip ospf neighbor on page 20-30
                                                 show ip ospf interface on page 20-28
                                                 show ip ospf neighbor on page 20-30
                                                 show ip ospf virtual-links on page 20-31
                                                 clear ip ospf process on page 20-31
router id
Use this command to set the OSPF router ID for the device. This IP address must be set manually
in order to run OSPF. The no form of this command removes the router ID for the device.
Syntax
router id ip-address
no router id
Parameters
ip-address    Specifies the IP address that OSPF will use as the router ID.
Defaults
None.
Mode
Global configuration: C3(su)->router(Config)#
Usage
This command sets the OSPF router ID. The OSPF area ID of a routed VLAN is configured on each
interface with the interface command ip ospf areaid on page 20-14. If you do not configure an
area ID on a routed interface running OSPF, the default area ID of 0.0.0.0 will be used.
Example
This example shows how to set the OSPF router ID to IP address 182.127.62.1:
C3(su)->router(Config-router)#router id 182.127.62.1
router ospf
Use this command to enable or disable Open Shortest Path First (OSPF) configuration mode. The
no form of this command disables OSPF configuration mode.
Syntax
router ospf process-id
no router ospf process-id
Parameters
process-id    Specifies the process ID, an internally used identification number for an
              OSPF routing process run on a router. Only one OSPF process is allowed per
              stack or standalone. Valid values are 1 to 65535.
Defaults
None.
Mode
Global configuration: C3(su)->router(Config)#
Usage
You must execute the router ospf command to enable the protocol before completing many OSPF-
specific configuration tasks. For details on enabling configuration modes, refer to Table 18-2 on
page 18-2.
Only one OSPF process (process-id) is allowed per SecureStack C3 router.
Example
This example shows how to enable routing for OSPF process 1:
C3(su)->router#conf terminal
C3(su)->router(Config)#router ospf 1
C3(su)->router(Config-router)#
1583compatibility
Use this command to enable RFC 1583 compatibility on OSPF interfaces. The no form of this
command disables RFC 1583 compatibility on OSPF interfaces.
Syntax
1583compatability
no 1583compatability
Parameters
None.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Example
This example shows how to enable RFC 1583 compatibility:
C3(su)->router(Config)#router ospf 1
C3(su)->router(Config-router)#1583compatability
ip ospf enable
Use this command to enable OSPF on an interface. The no form of this command disables OSPF on
an interface.
Syntax
ip ospf enable
no ip ospf enable
Parameters
None.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable OSPF on the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip ospf enable
ip ospf areaid
Use this command to configure area IDs for OSPF interfaces. If OSPF is enabled on an interface as
described in ip ospf enable on page 20-14, the OSPF area will default to 0.0.0.0. The no form of
this command removes OSPF routing for the interfaces.
Syntax
ip ospf areaid area-id
no ip ospf areaid
Parameters
area-id    Specifies the area-id to be associated with the OSPF interface. Valid values
           are decimal values or IP addresses.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to configure the VLAN 1 interface as area 0.0.0.31:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip ospf areaid 0.0.0.31
ip ospf cost
Use this command to set the cost of sending an OSPF packet on an interface. The no form of this
command resets the OSPF cost to the default of 10.
Syntax
ip ospf cost cost
no ip ospf cost
Parameters
cost    Specifies the cost of sending a packet. Valid values range from 1 to 65535.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
Each router interface that participates in OSPF routing is assigned a default cost. This command
overwrites the default of 10.
Example
This example shows how to set the OSPF cost to 20 for the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip ospf cost 20
ip ospf priority
Use this command to set the OSPF priority value for router interfaces. The no form of this
command resets the value to the default of 1.
Syntax
ip ospf priority number
no ip ospf priority
Parameters
number    Specifies the router's OSPF priority in a range from 0 to 255. Default value is
          1.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
The priority value is communicated between routers by means of hello messages and influences
the election of a designated router.
Example
This example shows how to set the OSPF priority to 20 for the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip ospf priority 20
timers spf
Use this command to change OSPF timer values to fine-tune the OSPF network. The no form of
this command restores the default timer values (5 seconds for delay and 10 seconds for holdtime).
Syntax
timers spf spf-delay spf-hold
no timers spf
Parameters
spf-delay    Specifies the delay, in seconds, between the receipt of an update and the SPF
             execution. Valid values are 0 to 4294967295.
spf-hold     Specifies the minimum amount of time, in seconds, between two
             consecutive OSPF calculations. Valid values are 0 to 4294967295. A value of
             0 means that two consecutive OSPF calculations are performed one
             immediately after the other.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Example
This example shows how to set SPF delay time to 7 seconds and hold time to 3:
C3(su)->router(Config)#router ospf 1
C3(su)->router(Config-router)#timers spf 7 3
ip ospf retransmit-interval
Use this command to set the amount of time between retransmissions of link state advertisements
(LSAs) for adjacencies that belong to an interface. The no form of this command resets the
retransmit interval value to the default, 5 seconds.
Syntax
ip ospf retransmit-interval seconds
no ip ospf retransmit-interval
Parameters
seconds    Specifies the retransmit time in seconds. Valid values are 1 to 65535.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the OSPF retransmit interval for the VLAN 1 interface to 20:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip ospf retransmit-interval 20
ip ospf transmit-delay
Use this command to set the amount of time required to transmit a link state update packet on an
interface. The no form of this command resets the retransmit interval value to the default, 1
second.
Syntax
ip ospf transmit-delay seconds
no ip ospf transmit-delay
Parameters
seconds    Specifies the transmit delay in seconds. Valid values are from 1 to 65535.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the time required to transmit a link state update packet on the
VLAN 1 interface at 20 seconds:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip ospf transmit-delay 20
ip ospf hello-interval
Usethiscommandtosetthenumberofsecondsaroutermustwaitbeforesendingahellopacket
toneighborroutersonaninterface.Thenoformofthiscommandsetsthehellointervalvalueto
thedefaultvalueof10seconds.
Syntax
ip ospf hello-interval seconds
no ip ospf hello-interval
Parameters
Defaults
None.
Mode
Interfaceconfiguration:C3(su)>router(Configif(Vlan1))#
Example
Thisexampleshowshowtosetthehellointervalto5fortheVLAN1interface:
C3( su) - >r out er ( Conf i g) #i nt er f ace vl an 1
C3( su) - >r out er ( Conf i g- i f ( Vl an 1) ) #i p ospf hel l o- i nt er val 5
ip ospf dead-interval
Usethiscommandtosetthenumberofsecondsaroutermustwaittoreceiveahellopacketfrom
itsneighborbeforedeterminingthattheneighborisoutofservice.Thenoformofthiscommand
setsthedeadintervalvaluetothedefaultvalueof40seconds.
Syntax
ip ospf dead-interval seconds
no ip ospf dead-interval
seconds Specifiesthehellointervalinseconds.Hellointervalmustbethesameon
neighboringrouters(onaspecificsubnet),butcanvarybetweensubnets.
Thisparameterisanunsignedintegerwithvalidvaluesbetween1and
65535.
ip ospf authentication-key
SecureStack C3 Configuration Guide 20-19
Parameters
seconds  Specifies the number of seconds that a router must wait to receive a hello
         packet before declaring the neighbor as dead and removing it from the
         OSPF neighbor list. Dead interval must be the same on neighboring routers
         (on a specific subnet), but can vary between subnets. This parameter is an
         unsigned integer ranging from 1 to 65535. Default value is 40 seconds.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the dead interval to 20 for the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip ospf dead-interval 20
ip ospf authentication-key
Use this command to assign a password to be used by neighboring routers using OSPF's simple
password authentication. The no form of this command removes an OSPF authentication
password on an interface.
Syntax
ip ospf authentication-key password
no ip ospf authentication-key
Parameters
password  Specifies an OSPF authentication password. Valid values are alphanumeric
          strings up to 8 characters in length.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
This password is used as a key that is inserted directly into the OSPF header in routing protocol
packets. A separate password can be assigned to each OSPF network on a per-interface basis.
All neighboring routers on the same network must have the same password configured to be able
to exchange OSPF information.
Example
This example shows how to enable an OSPF authentication key on the VLAN 1 interface with the
password yourpass:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip ospf authentication-key yourpass
ip ospf message digest key md5
Use this command to enable or disable OSPF MD5 authentication on an interface. This validates
OSPF MD5 routing updates between neighboring routers. The no form of this command disables
MD5 authentication on an interface.
Syntax
ip ospf message-digest-key keyid md5 key
no ip ospf message-digest-key keyid
Parameters
keyid  Specifies the key identifier on the interface where MD5 authentication is
       enabled. Valid values are integers from 1 to 255.
key    Specifies a password for MD5 authentication to be used with the keyid. Valid
       values are alphanumeric strings of up to 16 characters.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable OSPF MD5 authentication on the VLAN 1 interface, set the key
identifier to 20, and set the password to passone:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip ospf message-digest-key 20 md5 passone
distance ospf
Use this command to configure the administrative distance for OSPF routes. The no form of this
command resets OSPF administrative distance to the default values.
Syntax
distance ospf {external | inter-area | intra-area} weight
no distance ospf {external | inter-area | intra-area}
Parameters
external | inter-area | intra-area
        Applies the distance value to external (type 5 and type 7), to inter-area, or to
        intra-area routes.
        Note: The value for intra-area distance must be less than the value for
        inter-area distance, which must be less than the value for external distance.
weight  Specifies an administrative distance for OSPF routes. Valid values are 1 - 255.
Defaults
If route type is not specified, the distance value will be applied to all OSPF routes.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
If several routes (coming from different protocols) are presented to the SecureStack C3, the
protocol with the lowest administrative distance will be chosen for route installation. By default,
OSPF administrative distance is set to 110. The distance ospf command can be used to change this
value, resetting OSPF's route preference in relation to other routes as shown in the table below.
Route Source  Default Distance
Connected     0
Static        1
OSPF          Intra-area - 8; Inter-area - 10; External type 1 - 13; External type 2 - 150
RIP           15
Example
This example shows how to change the default administrative distance for external OSPF routes to
100:
C3(su)->router(Config)#router ospf 1
C3(su)->router(Config-router)#distance ospf external 100
area range
Use this command to define the range of addresses to be used by Area Border Routers (ABRs)
when they communicate routes to other areas. Each SecureStack C3 stack can support up to 4
OSPF areas. The no form of this command stops the routes from being summarized.
Syntax
area area-id range ip-address ip-mask [advertise | no-advertise]
no area area-id range ip-address ip-mask
Parameters
area-id     Specifies the area from which routes are to be summarized. This is a
            decimal value from 0 to 429496295.
ip-address  Specifies the IP address associated with the area ID.
ip-mask     Specifies the mask for the IP address.
advertise | no-advertise
            (Optional) Enters address range in advertise mode, or do not advertise
            mode.
Defaults
If not specified, advertise mode will be set.
Mode
Router configuration: C3(su)->router(Config-router)#
Example
This example shows how to define the address range as 172.16.0.0/16 for summarized routes from
area 0.0.0.8:
C3(su)->router(Config)#router ospf 1
C3(su)->router(Config-router)#area 0.0.0.8 range 172.16.0.0 255.255.0.0
area stub
Use this command to define an OSPF area as a stub area. This is an area into which Autonomous
System external ASAs will not be flooded. The no form of this command changes the stub back to
a plain area.
Syntax
area area-id stub [no-summary]
no area area-id stub [no-summary]
Parameters
area-id     Specifies the stub area. Valid values are decimal values or IP addresses.
no-summary  (Optional) Prevents an Area Border Router (ABR) from sending Link State
            Advertisements (LSAs) into the stub area. When this parameter is used, it
            means that all destinations outside of the stub area are represented by
            means of a default route.
Mode
Router configuration: C3(su)->router(Config-router)#
Defaults
If no-summary is not specified, the stub area will be able to receive LSAs.
Example
The following example shows how to define OSPF area 10 as a stub area:
C3(su)->router(Config)#router ospf 1
C3(su)->router(Config-router)#area 10 stub
area default cost
Use this command to set the cost value for the default route that is sent into a stub area and NSSA
by an Area Border Router (ABR). The no form of this command removes the cost value from the
summary route that is sent into the stub area.
Syntax
area area-id default-cost cost
no area area-id default-cost
Parameters
area-id  Specifies the stub area. Valid values are decimal values or IP addresses.
cost     Specifies a cost value for the summary route that is sent into a stub area by
         default. Valid values are 24-bit numbers, from 0 to 16777215.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
The use of this command is restricted to ABRs attached to stub and NSSA areas.
Example
This example shows how to set the cost value for stub area 10 to 99:
C3(su)->router(Config)#router ospf 1
C3(su)->router(Config-router)#area 10 default-cost 99
area nssa
Use this command to configure an area as a Not-So-Stubby Area (NSSA). The no form of this
command changes the NSSA back to a plain area.
Syntax
area area-id nssa [default-information-originate]
no area area-id nssa [default-information-originate]
Parameters
area-id  Specifies the NSSA area. Valid values are decimal values or IP addresses.
default-information-originate
         (Optional) Generates a default of Type 7 into the NSSA. This is used when
         the router is an NSSA ABR.
Defaults
If default-information-originate is not specified, no default type will be generated.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
An NSSA allows some external routes represented by external Link State Advertisements (LSAs)
to be imported into it. This is in contrast to a stub area that does not allow any external routes.
External routes that are not imported into an NSSA can be represented by means of a default
route. This configuration is used when an OSPF internetwork is connected to multiple non-OSPF
routing domains.
Example
This example shows how to configure area 10 as an NSSA area:
C3(su)->router(Config)#router ospf 1
C3(su)->router(Config-router)#area 10 nssa default-information-originate
area virtual-link
Use this command to define an OSPF virtual link, which represents a logical connection between
the backbone and a non-backbone OSPF area. The no form of this command removes the virtual
link and/or its associated settings.
Syntax
area area-id virtual-link router-id
no area area-id virtual-link router-id
In addition to the syntax above, the options for using this command are:
area area-id virtual-link router-id authentication-key key
no area area-id virtual-link router-id authentication-key key
area area-id virtual-link router-id dead-interval seconds
no area area-id virtual-link router-id dead-interval seconds
area area-id virtual-link router-id hello-interval seconds
no area area-id virtual-link router-id hello-interval seconds
area area-id virtual-link router-id retransmit-interval seconds
no area area-id virtual-link router-id retransmit-interval seconds
area area-id virtual-link router-id transmit-delay seconds
no area area-id virtual-link router-id transmit-delay seconds
Parameters
area-id    Specifies the transit area for the virtual link. Valid values are decimal values
           or IP addresses. A transit area is an area through which a virtual link is
           established.
router-id  Specifies the router ID of the virtual link neighbor.
authentication-key key
           Specifies a password to be used by the virtual link. Valid values are
           alphanumeric strings of up to 8 characters. Neighbor virtual link routers on
           a network must have the same password.
dead-interval seconds
           Specifies the number of seconds that a router must wait to receive a hello
           packet before declaring the neighbor as dead and removing it from the
           OSPF neighbor list. This value must be the same for all virtual links attached
           to a certain subnet, and it is a value ranging from 1 to 8192.
hello-interval seconds
           Specifies the number of seconds between hello packets on the virtual link.
           This value must be the same for all virtual links attached to a network and it
           is a value ranging from 1 to 8192.
retransmit-interval seconds
           Specifies the number of seconds between successive retransmissions of the
           same LSAs. Valid values are greater than the expected amount of time
           required for the update packet to reach and return from the interface, and
           range from 1 to 8192. Default is 5 seconds.
transmit-delay seconds
           Specifies the estimated number of seconds before a link state update packet
           on the interface to be transmitted. Valid values range from 1 to 8192. Default
           is 1 second.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Example
This example shows how to configure a virtual link over transition area 0.0.0.2 to router ID
192.168.7.2:
C3(su)->router(Config)#router ospf 1
C3(su)->router(Config-router)#area 0.0.0.2 virtual-link 192.168.7.2
redistribute
Use this command to allow routing information discovered through non-OSPF protocols to be
distributed in OSPF update messages. The no form of this command clears redistribution
parameters.
Syntax
redistribute {connected | rip | static} [metric metric value] [metric-type type-value] [subnets]
no redistribute {connected | rip | static}
Parameters
connected  Specifies that non-OSPF information discovered via directly connected
           interfaces will be redistributed.
rip        Specifies that RIP routing information will be redistributed in OSPF.
static     Specifies that non-OSPF information discovered via static routes will be
           redistributed. Static routes are those created using the ip route command
           detailed in ip route on page 19-21.
metric metric value
           (Optional) Specifies a metric for the connected, RIP or static redistribution
           route. This value should be consistent with the designation protocol.
metric-type type-value
           (Optional) Specifies the external link type associated with the default
           connected, RIP or static route advertised into the OSPF routing domain.
           Valid values are 1 for type 1 external route, and 2 for type 2 external route.
subnets    (Optional) Specifies that connected, RIP, or static routes that are subnetted
           routes will be redistributed.
Defaults
If metric value is not specified, 0 will be applied.
If type-value is not specified, type 2 (external route) will be applied.
If subnets is not specified, only the shortest prefix matching routes will be redistributed.
Mode
Router configuration: C3(su)->router(Config-router)#
Example
This example shows how to redistribute RIP routing information to non-subnetted routes in OSPF
routes:
C3(su)->router(Config)#router ospf
C3(su)->router(Config-router)#redistribute rip
show ip ospf
Use this command to display OSPF information.
Syntax
show ip ospf
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display OSPF information:
C3(su)->router#show ip ospf
Routing process "ospf 1" with ID 155.155.155.155
Supports only Normal TOS route.
It is not an area border router and is an autonomous system boundary router.
Redistributing External Routes from static
Number of areas in this router is 2
Area 0.0.0.0
SPF algorithm executed 0 times
Area ranges are
Link State Age Interval is 10
Area 0.0.0.8
SPF algorithm executed 302 times
Area ranges are
Link State Age Interval is 10
show ip ospf database
Use this command to display the OSPF link state database.
Syntax
show ip ospf database
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display all OSPF link state database information. This is a portion of
the command output:
C3(su)->router#show ip ospf database
OSPF Router with ID(155.155.155.155)
Displaying Ipnet Sum Link States(Area 0.0.0.0)
LinkID          ADV Router       Age   Seq#        Checksum
192.168.16.0    155.155.155.155  1751  0x80000036  0x18a
Displaying As External Link States(Area 0.0.0.0)
LinkID          ADV Router       Age   Seq#        Checksum
191.2.2.0       155.155.155.155  1306  0x8000003c  0x9096
191.3.3.3       155.155.155.155  1306  0x8000003c  0x5bc6
191.3.3.4       155.155.155.155  1306  0x8000003c  0x51cf
191.3.3.5       155.155.155.155  1306  0x8000003c  0x47d8
191.3.3.6       155.155.155.155  1307  0x8000003c  0x3de1
191.3.3.7       155.155.155.155  1307  0x8000003c  0x33ea
191.3.3.8       155.155.155.155  1307  0x8000003c  0x29f3
191.3.3.9       155.155.155.155  1307  0x8000003c  0x1ffc
191.4.0.0       155.155.155.155  1307  0x8000003c  0x8e98
Displaying Router Link States(Area 0.0.0.8)
LinkID          ADV Router       Age   Seq#        Checksum
3.3.3.3         3.3.3.3          986   0x8000008e  0xb6f9
155.155.155.155 155.155.155.155  977   0x8000009c  0x6e96
Displaying Net Link States(Area 0.0.0.8)
LinkID          ADV Router       Age   Seq#        Checksum
192.168.30.2    155.155.155.155  310   0x8000003b  0x59ab
192.168.31.2    155.155.155.155  997   0x80000002  0xc07c
192.168.32.2    155.155.155.155  997   0x80000002  0xb586
192.168.33.2    155.155.155.155  998   0x80000002  0xaa90
Displaying Ipnet Sum Link States(Area 0.0.0.8)
LinkID          ADV Router       Age   Seq#        Checksum
0.0.0.0         3.3.3.3          361   0x80000005  0x311d
8.1.1.0         3.3.3.3          1512  0x80000003  0x3de1
8.1.2.0         3.3.3.3          1512  0x80000003  0x32eb
8.1.3.0         3.3.3.3          1502  0x80000003  0x27f5
8.1.4.0         3.3.3.3          1512  0x80000003  0x1c00
Table 20-3 provides an explanation of the command output.
Table 20-3 show ip ospf database Output Details
Output Field  What It Displays...
Link ID       Link ID, which varies as a function of the link state record type, as follows:
              Net Link States - Shows the interface IP address of the designated router to the
              broadcast network.
              Router Link States - Shows the ID of the router originating the record.
              Summary Link States - Shows the summary network prefix.
ADV Router    Router ID of the router originating the link state record.
Age           Age (in seconds) of the link state record.
Seq#          OSPF sequence number assigned to each link state record.
Checksum      Field in the link state record used to verify the contents upon receipt by another
              router.
LinkCount     Link count of router link state records. This number is equal to, or greater than, the
              number of active OSPF interfaces on the originating router.
show ip ospf interface
Use this command to display OSPF interface related information, including network type, priority,
cost, hello interval, and dead interval.
Syntax
show ip ospf interface [vlan vlan-id]
Parameters
vlan vlan-id  (Optional) Displays OSPF information for a specific VLAN. This VLAN
              must be configured for IP routing as described in Pre-Routing
              Configuration Tasks on page 18-1.
Defaults
If vlan-id is not specified, OSPF statistics will be displayed for all VLANs.
Mode
Any router mode.
Example
This example shows how to display all OSPF related information for the VLAN 6 interface:
C3(su)->router#show ip ospf interface vlan 6
Vlan 6
Internet Address 192.168.6.2 Mask 255.255.255.0, Area 0.0.0.0
Router ID 3.3.3.3 , Cost: 10 (computed)
Transmit Delay is 1 sec , State designated-router , Priority 1
Designated Router id 3.3.3.3 , Interface Addr 192.168.6.2
Backup Designated Router id 2.2.2.2 ,
Timer intervals configured , Hello 10 , Dead 40 , Retransmit 5
Table 20-4 provides an explanation of the command output.
Table 20-4 show ip ospf interface Output Details
Output Field      What It Displays...
Vlan              VLAN ID
Internet Address  IP address and mask assigned to this interface.
Area              Area ID
Router ID         Router ID configured on this router.
Cost              OSPF interface cost, which is either default, or assigned with the ip ospf cost
                  command. For details, refer to ip ospf cost on page 20-15.
Transmit Delay    The number (in seconds) added to the LSA (Link State Advertisement) age field.
State             The interface state (versus the state between neighbors). Valid values include
                  Backup Designated Router, Designated Router, and Err for error.
Priority          The interface priority value, which is either default, or assigned with the ip ospf
                  priority command. For details, refer to ip ospf priority on page 20-15.
Designated Router id
                  The router ID of the designated router on this subnet, if one exists, in which case Err
                  will be displayed.
Interface Addr    IP address of the designated router on this interface.
Backup Designated Router id
                  IP address of the backup designated router on this interface, if one exists, in which
                  case Err will be displayed.
Timer intervals configured
                  OSPF timer intervals. These are either default, or configured with the ip ospf
                  retransmit-interval (ip ospf retransmit-interval on page 20-17), the ip ospf
                  hello-interval (ip ospf hello-interval on page 20-18), the ip ospf retransmit-delay
                  (ip ospf transmit-delay on page 20-17) and the ip ospf dead interval (ip ospf
                  dead-interval on page 20-18) commands.
show ip ospf neighbor
Use this command to display the state of communication between an OSPF router and its
neighbor routers.
Syntax
show ip ospf neighbor [detail] [ip-address] [vlan vlan-id]
Parameters
detail        (Optional) Displays detailed information about the neighbors, including the
              area in which they are neighbors, who the designated router/backup
              designated router is on the subnet, if applicable, and the decimal equivalent
              of the E-bit value from the hello packet options field.
ip-address    (Optional) Displays OSPF neighbors for a specific IP address.
vlan vlan-id  (Optional) Displays OSPF neighbors for a specific VLAN. This VLAN must
              be configured for IP routing as described in Pre-Routing Configuration
              Tasks on page 18-1.
Defaults
If detail is not specified, summary information will be displayed.
If ip-address is not specified, OSPF neighbors will be displayed for all IP addresses configured for
routing.
If vlan-id is not specified, OSPF neighbors will be displayed for all VLANs configured for routing.
Mode
Any router mode.
Example
This example shows how to use the show ospf neighbor command:
C3(su)->router#show ip ospf neighbor
ID            Pri  State  Dead-Int  Address       Interface
182.127.62.1  1    FULL   40        182.127.63.1  vlan1
Table 20-5 provides an explanation of the command output.
Table 20-5 show ip ospf neighbor Output Details
Output Field  What It Displays...
ID            Neighbor's router ID of the OSPF neighbor.
Pri           Neighbor's priority over this interface.
State         Neighbor's OSPF communication state.
Dead-Int      Interval (in seconds) this router will wait without receiving a Hello packet from a
              neighbor before declaring the neighbor is down.
Address       Neighbor's IP address.
Interface     Neighbor's interface (VLAN).
show ip ospf virtual-links
Use this command to display information about the virtual links configured on a router. A virtual
link represents a logical connection between the backbone and a non-backbone OSPF area.
Syntax
show ip ospf virtual-links
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display OSPF virtual links information:
C3(su)->router#show ip ospf virtual-links
Neighbor ID 155.155.155.155
Transit area 0.0.0.8
Transmit delay is 1 sec State point-to-point
Timer intervals configured:
Hello 10, Dead 40, Retransmit 5
Adjacency State Full
Table 20-6 provides an explanation of the command output.
Table 20-6 show ip ospf virtual links Output Details
Output Field     What It Displays...
Neighbor ID      ID of the virtual link neighbor, and the virtual link status, which is up or down.
Transit area     ID of the transit area through which the virtual link is configured.
Transmit delay   Amount of time required to transmit a link state update packet on an interface.
State            Whether the state of this interface is down or point-to-point.
Timer intervals configured
                 Timer intervals configured for the virtual link, including Hello, Wait, and Retransmit
                 intervals.
Adjacency State  State of adjacency between this router and the virtual link neighbor of this router.
clear ip ospf process
Use this command to reset the OSPF process. This will require adjacencies to be reestablished and
routes to be reconverged.
Syntax
clear ip ospf process process-id
Parameters
process-id  Specifies the process ID, an internally used identification number for each
            instance of the OSPF routing process run on a router. Valid values are 1 to
            65535.
Defaults
None.
Mode
Privileged EXEC: C3(su)->router#
Example
This example shows how to reset OSPF process 1:
C3(su)->router#clear ip ospf process 1
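The script below is an added example, not part of the Enterasys guide or the C3 firmware. It audits the per-interface OSPF settings documented in this section (ip ospf authentication-key, ip ospf message-digest-key, ip ospf hello-interval, ip ospf dead-interval) and compares two neighbors for the values that must match. Assumptions: the saved configuration lists each interface as an "interface vlan N" block closed by "exit", every such block is treated as an OSPF interface, and both sample configurations are constructed.

```python
import re

SIMPLE_KEY_MAX, MD5_KEY_MAX = 8, 16    # key length limits from the parameter tables
HELLO_DEFAULT, DEAD_DEFAULT = 10, 40   # defaults restored by the "no" forms

# Constructed sample configurations for two neighboring routers (not device output).
ROUTER_A = """
interface vlan 1
ip ospf authentication-key yourpass
ip ospf hello-interval 5
ip ospf dead-interval 20
exit
interface vlan 2
ip ospf message-digest-key 20 md5 passone
exit
interface vlan 3
ip ospf hello-interval 30
ip ospf dead-interval 30
exit
"""
ROUTER_B = """
interface vlan 1
ip ospf authentication-key yourpass
ip ospf hello-interval 5
exit
interface vlan 2
ip ospf message-digest-key 21 md5 passone
exit
"""


def parse_interfaces(config):
    """Return {vlan: settings} for each 'interface vlan N' block (assumed layout)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface vlan (\d+)", line):
            current = interfaces.setdefault(int(m.group(1)), {
                "auth": "none", "key": None, "keyid": None,
                "hello": HELLO_DEFAULT, "dead": DEAD_DEFAULT})
        elif line == "exit":
            current = None
        elif current is None:
            continue  # line is outside any interface block
        elif m := re.fullmatch(r"ip ospf authentication-key (\S+)", line):
            current.update(auth="simple", key=m.group(1))
        elif m := re.fullmatch(r"ip ospf message-digest-key (\d+) md5 (\S+)", line):
            current.update(auth="md5", keyid=int(m.group(1)), key=m.group(2))
        elif m := re.fullmatch(r"ip ospf (hello|dead)-interval (\d+)", line):
            current[m.group(1)] = int(m.group(2))
    return interfaces


def audit(config):
    """Return (vlan, finding) pairs for weak or invalid OSPF interface settings."""
    findings = []
    for vlan, s in sorted(parse_interfaces(config).items()):
        if s["auth"] == "none":
            findings.append((vlan, "NO_AUTH"))
        elif s["auth"] == "simple":
            # The simple password is inserted directly into the OSPF header.
            findings.append((vlan, "CLEARTEXT_KEY"))
            if len(s["key"]) > SIMPLE_KEY_MAX:
                findings.append((vlan, "KEY_TOO_LONG"))
        else:
            if not 1 <= s["keyid"] <= 255:
                findings.append((vlan, "BAD_KEYID"))
            if len(s["key"]) > MD5_KEY_MAX:
                findings.append((vlan, "KEY_TOO_LONG"))
        if not (1 <= s["hello"] <= 65535 and 1 <= s["dead"] <= 65535):
            findings.append((vlan, "BAD_INTERVAL"))
        elif s["dead"] <= s["hello"]:
            # A neighbor would be declared dead before its next hello is due.
            findings.append((vlan, "DEAD_NOT_ABOVE_HELLO"))
    return findings


def neighbor_mismatches(config_a, config_b):
    """Return (vlan, field) pairs that differ on VLANs both routers share.

    Only field names are reported, so key material never reaches the output.
    """
    a, b = parse_interfaces(config_a), parse_interfaces(config_b)
    return [(vlan, field)
            for vlan in sorted(a.keys() & b.keys())
            for field in ("hello", "dead", "auth", "keyid", "key")
            if a[vlan][field] != b[vlan][field]]


if __name__ == "__main__":
    for vlan, finding in audit(ROUTER_A):
        print(f"router A vlan {vlan}: {finding}")
    for vlan, field in neighbor_mismatches(ROUTER_A, ROUTER_B):
        print(f"vlan {vlan}: neighbors disagree on {field}")
```

A mismatch in hello interval, dead interval, password, or MD5 key identifier on a shared VLAN prevents the two routers from exchanging OSPF information, so the second check is worth running before a key or timer change is rolled out.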
Configuring DVMRP
Purpose
To enable and configure the Distance Vector Multicast Routing Protocol (DVMRP) on an interface.
DVMRP routes multicast traffic using a technique known as Reverse Path Forwarding. When a
router receives a packet, it floods the packet out of all paths except the one that leads back to the
packet's source. Doing so allows a data stream to reach all VLANs (possibly multiple times). If a
router is attached to a set of VLANs that do not want to receive from a particular multicast group,
the router can send a prune message back up the distribution tree to stop subsequent packets
from traveling where there are no members. DVMRP will periodically reflood in order to reach
any new hosts that want to receive from a particular group.
Commands
For information about...  Refer to page...
ip dvmrp                  20-34
ip dvmrp enable           20-34
ip dvmrp metric           20-35
show ip dvmrp             20-35
See also show ip mroute on page 20-59, which can be used to display the IP multicast routing
table.
Enabling DVMRP on an Interface
DVMRP is disabled by default, both globally and on each interface. Enabling DVMRP on a routed
interface requires completing the steps listed in Table 20-1.
* Advanced License Required *
DVMRP is an advanced routing feature that must be enabled with a license key. If you have purchased an
advanced license key, and have enabled routing on the device, you must activate your license as described in
the chapter entitled Activating Licensed Features in order to enable the DVMRP command set. If you wish
to purchase an advanced routing license, contact Enterasys Networks Sales.
Note: An Enterasys Networks Feature Guide document containing an in-depth discussion of
multicast configuration is located on the Enterasys Networks web site:
http://www.enterasys.com/support/manuals/
Note: IGMP must be enabled on all VLANs running DVMRP, and must also be globally enabled
on the SecureStack C3. For details on enabling IGMP, refer to Chapter 13.
Table 20-1 Commands to Enable DVMRP on an Interface
To do this...                    Use these commands...
Globally enable IGMP.            ip igmp on page 13-10
Globally enable DVMRP.           ip dvmrp on page 20-34
Enable IGMP on each interface.   ip igmp enable on page 13-11
Enable DVMRP on each interface.  ip dvmrp enable on page 20-34
ip dvmrp
Use this command to enable the DVMRP process. The no form of this command disables the
DVMRP process:
Syntax
ip dvmrp
no ip dvmrp
Parameters
None.
Defaults
None.
Mode
Global configuration: C3(su)->router(Config)#
Example
This example shows how to enable the DVMRP process:
C3(su)->router(Config)#ip dvmrp
ip dvmrp enable
Use this command to enable DVMRP on an interface. The no form of this command disables
DVMRP on an interface:
Syntax
ip dvmrp enable
no ip dvmrp enable
Parameters
None.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable DVMRP on the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip dvmrp enable
ip dvmrp metric
Use this command to configure the metric associated with a set of destinations for DVMRP
reports.
Syntax
ip dvmrp metric metric
Parameters
metric  Specifies a metric associated with a set of destinations for DVMRP
        reports. Valid values are from 1 to 31.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
To reset the DVMRP metric back to the default value of 1, enter ip dvmrp metric 1.
Example
This example shows how to set a DVMRP metric of 16 on the VLAN 1 interface:
C3(su)->router(Config-if(Vlan 1))#ip dvmrp metric 16
show ip dvmrp
Use this command to display DVMRP routing information.
Syntax
show ip dvmrp [route | neighbor | status]
Parameters
route | neighbor | status
        (Optional) Displays DVMRP routing information, neighbor information,
        or DVMRP enable status.
Defaults
If no optional parameters are specified, status information will be displayed.
Mode
Any router mode.
Example
This example shows how to display DVMRP status information:
C3(su)->router#show ip dvmrp
Vlan Id Metric Admin Status Oper. Status
--------------------------------------
10 Enabled Enabled
18 Enabled Enabled
20 Enabled Enabled
25 Enabled Enabled
32 Enabled Enabled
500 Enabled Disabled
Configuring IRDP
Purpose
To enable and configure the ICMP Router Discovery Protocol (IRDP) on an interface. This protocol
enables a host to determine the address of a router it can use as a default gateway. It is disabled by
default.
Commands
For information about...   Refer to page...
ip irdp enable             20-37
ip irdp maxadvertinterval  20-38
ip irdp minadvertinterval  20-38
ip irdp holdtime           20-39
ip irdp preference         20-39
ip irdp broadcast          20-40
show ip irdp               20-40
ip irdp enable
Use this command to enable IRDP on an interface. The no form of this command disables IRDP on
an interface.
Syntax
ip irdp enable
no ip irdp enable
Parameters
None.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable IRDP on the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip irdp enable
ip irdp maxadvertinterval
Use this command to set the maximum interval in seconds between IRDP advertisements. The no
form of this command resets the maximum advertisement interval to the default value of 600
seconds.
Syntax
ip irdp maxadvertinterval interval
no irdp maxadvertinterval
Parameters
interval  Specifies a maximum advertisement interval in seconds. Valid values are
          4 to 1800.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the maximum IRDP advertisement interval to 1000 seconds on the
VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip irdp maxadvertinterval 1000
ip irdp minadvertinterval
Use this command to set the minimum interval in seconds between IRDP advertisements. The no
form of this command deletes the custom holdtime setting, and resets the minimum
advertisement interval to the default value of three-fourths of the maxadvertinterval value, which
is equal to 450 seconds.
Syntax
ip irdp minadvertinterval interval
no irdp minadvertinterval
Parameters
interval  Specifies a minimum advertisement interval in seconds. Valid values are 3
          to 1800.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the minimum IRDP advertisement interval to 500 seconds on the
VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip irdp minadvertinterval 500
ip irdp holdtime
Use this command to set the length of time in seconds IRDP advertisements are held valid. The no
form of this command resets the hold time to the default value of three times the
maxadvertinterval value, which is equal to 1800 seconds.
Syntax
ip irdp holdtime holdtime
no irdp holdtime
Parameters
holdtime  Specifies the hold time in seconds. Valid values are 0 to
          9000.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the IRDP hold time to 4000 seconds on the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip irdp holdtime 4000
ip irdp preference
Use this command to set the IRDP preference value for an interface. This value is used by IRDP to
determine the interface's selection as a default gateway address. The no form of this command
resets the interface's IRDP preference value to the default of 0.
Syntax
ip irdp preference preference
no irdp preference
Parameters
preference  Specifies the value to indicate the interface's use as a default router
            address. Valid values are -2147483648 to 2147483647.
            The minimum value indicates that the address, even though it may be
            advertised, is not to be used by neighboring hosts as a default router
            address.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set IRDP preference on the VLAN 1 interface so that the interface's
address may still be advertised, but cannot be used by neighboring hosts as a default router
address:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip irdp preference -2147483648
ip irdp broadcast
Use this command to configure IRDP to use the limited broadcast address of 255.255.255.255. The
default is multicast with address 224.0.0.1. The no form of this command resets IRDP to use
multicast on IP address 224.0.0.1.
Syntax
ip irdp broadcast
no ip irdp broadcast
Parameters
None.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable broadcast for IRDP on the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip irdp broadcast
show ip irdp
Use this command to display IRDP information.
Syntax
show ip irdp [vlan vlan-id]
Parameters
vlan vlan-id  (Optional) Displays IRDP information for a specific VLAN. This VLAN
              must be configured for IP routing as described in Pre-Routing
              Configuration Tasks on page 18-1.
Defaults
If vlan vlan-id is not specified, IRDP information for all interfaces will be displayed.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to display IRDP information for the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(vlan 1))#show ip irdp vlan 1
Interface vlan 1 has router discovery enabled
Advertisements will occur between 450 and 600 seconds
Advertisements are sent with broadcasts
Advertisements are valid for 1800 seconds
Default preference will be 0
Configuring VRRP
Purpose
To enable and configure the Virtual Router Redundancy Protocol (VRRP). This protocol eliminates
the single point of failure inherent in the static default routed environment by transferring the
responsibility from one router to another if the original router goes down. VRRP-enabled routers
decide who will become master and who will become backup in the event the master fails.
* Advanced License Required *
VRRP is an advanced routing feature that must be enabled with a license key. If you have purchased an
advanced license key, and have enabled routing on the device, you must activate your license as described in
the chapter entitled Activating Licensed Features in order to enable the VRRP command set. If you wish to
purchase an advanced routing license, contact Enterasys Networks Sales.
Commands
For information about...    Refer to page...
router vrrp                 20-42
create                      20-43
address                     20-44
priority                    20-45
advertise-interval          20-45
preempt                     20-46
enable                      20-47
ip vrrp authentication-key  20-48
show ip vrrp                20-48
router vrrp
Use this command to enable or disable VRRP configuration mode. The no form of this command
removes all VRRP configurations from the running configuration.
Syntax
router vrrp
no router vrrp
Parameters
None.
Defaults
None.
Mode
Global configuration: C3(su)->router(Config)#
create
SecureStack C3 Configuration Guide 20-43
Usage
Youmustexecutetheroutervrrpcommandtoenabletheprotocolbeforecompletingother
VRRPspecificconfigurationtasks.Fordetailsonenablingconfigurationmodes,refertoTable 182
onpage 182.
Example
ThisexampleshowshowenableVRRPconfigurationmode:
C3( su) - >r out er #conf i gur e
C3( su) - >r out er ( Conf i g) #r out er vr r p
C3( su) - >r out er ( Conf i g- r out er ) #
create
Use this command to create a VRRP session. Each SecureStack C3 system supports up to 20 VRRP
sessions. The no form of this command disables the VRRP session.
Syntax
create vlan vlan-id vrid
no create vlan vlan-id vrid
Parameters
vlan vlan-id    Specifies the number of the VLAN on which to create a VRRP session. This
                VLAN must be configured for IP routing as described in "Pre-Routing
                Configuration Tasks" on page 18-1.
vrid            Specifies a unique Virtual Router ID (VRID) to associate with the routing
                interface.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
This command must be executed to create an instance of VRRP on a routing interface (VLAN)
before any other VRRP settings can be configured.
Example
This example shows how to create a VRRP session on the VLAN 1 interface with a VRID of 1:
C3(su)->router(Config)#router vrrp
C3(su)->router(Config-router)#create vlan 1 1
address
Use this command to configure a virtual router IP address. The no form of this command clears
the VRRP address configuration.
Syntax
address vlan vlan-id vrid ip-address owner
no address vlan vlan-id vrid ip-address owner
Parameters
vlan vlan-id    Specifies the number of the VLAN on which to configure a virtual router
                address. This VLAN must be configured for IP routing as described in
                "Pre-Routing Configuration Tasks" on page 18-1.
vrid            Specifies a unique Virtual Router ID (VRID) associated with the routing
                interface.
ip-address      Specifies the virtual router IP address to associate with the router.
owner           Specifies a value to indicate if the router owns the IP address as one of its
                interfaces. Valid values are:
                1 to indicate the router owns the address.
                0 to indicate the router does not own the address.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
If the virtual router IP address is the same as the interface (VLAN) address owned by a VRRP
router, then the router owning the address becomes the master. The master sends an
advertisement to all other VRRP routers declaring its status and assumes responsibility for
forwarding packets associated with its virtual router ID (VRID).
If the virtual router IP address is not owned by any of the VRRP routers, then the routers compare
their priorities and the higher priority owner becomes the master. If priority values are the same,
then the VRRP router with the higher IP address is selected master. For details on using the
priority command, refer to "priority" on page 20-45.
Example
This example shows how to configure a virtual router address of 182.127.62.1 on the VLAN 1
interface, VRID 1, and to set the router connected to the VLAN via this interface as the master:
C3(su)->router(Config)#router vrrp
C3(su)->router(Config-router)#address vlan 1 1 182.127.62.1 1
priority
Use this command to set a priority value for a VRRP router. The no form of this command clears
the VRRP priority configuration.
Syntax
priority vlan vlan-id vrid priority-value
no priority vlan vlan-id vrid priority-value
Parameters
vlan vlan-id      Specifies the number of the VLAN on which to configure VRRP priority.
                  This VLAN must be configured for IP routing as described in "Pre-Routing
                  Configuration Tasks" on page 18-1.
vrid              Specifies a unique Virtual Router ID (VRID) associated with the routing
                  interface. Valid values are from 1 to 255.
priority-value    Specifies the VRRP priority value to associate with the vrid. Valid values are
                  from 1 to 254, with the highest value setting the highest priority. Priority
                  value of 255 is reserved for the VRRP router that owns the IP address
                  associated with the virtual router. Priority 0 is reserved for signaling that the
                  master has stopped working and the backup router must transition to
                  master state.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Example
This example shows how to set a VRRP priority of 200 on the VLAN 1 interface, VRID 1:
C3(su)->router(Config)#router vrrp
C3(su)->router(Config-router)#priority vlan 1 1 200
advertise-interval
Use this command to set the interval in seconds between VRRP advertisements. The no form of
this command clears the VRRP advertise interval value.
Syntax
advertise-interval vlan vlan-id vrid interval
no advertise-interval vlan vlan-id vrid interval
Parameters
vlan vlan-id    Specifies the number of the VLAN on which to configure the VRRP
                advertisement interval. This VLAN must be configured for IP routing as
                described in "Pre-Routing Configuration Tasks" on page 18-1.
vrid            Specifies a unique Virtual Router ID (VRID) associated with the routing
                interface. Valid values are from 1 to 255.
interval        Specifies a VRRP advertisement interval to associate with the vrid. Valid
                values are from 1 to 255 seconds.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
VRRP advertisements are sent by the master router to other routers participating in the VRRP
master selection process, informing them of its configured values. Once the master is selected,
then advertisements are sent every advertising interval to let other VRRP routers in this VLAN/
VRID know the router is still acting as master of the VLAN/VRID.
All routers with the same VRID should be configured with the same advertisement interval.
Example
This example shows how to set an advertise interval of 3 seconds on the VLAN 1 interface, VRID 1:
C3(su)->router(Config)#router vrrp
C3(su)->router(Config-router)#advertise-interval vlan 1 1 3
preempt
Use this command to enable or disable preempt mode on a VRRP router. The no form of this
command disables preempt mode.
Syntax
preempt vlan vlan-id vrid
no preempt vlan vlan-id vrid
Parameters
vlan vlan-id    Specifies the number of the VLAN on which to set preempt mode. This
                VLAN must be configured for IP routing as described in "Pre-Routing
                Configuration Tasks" on page 18-1.
vrid            Specifies a unique Virtual Router ID (VRID) associated with the routing
                interface. Valid values are from 1 to 255.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
Preempt is enabled on VRRP routers by default, which allows a higher priority backup router to
preempt a lower priority master.
The router that owns the virtual router IP address always preempts other routers, regardless of
this setting.
Example
This example shows how to disable preempt mode on the VLAN 1 interface, VRID 1:
C3(su)->router(Config)#router vrrp
C3(su)->router(Config-router)#no preempt vlan 1 1
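The master selection rules spread across the address, priority, advertise-interval and preempt sections decide which router forwards traffic for a VLAN/VRID, so they are worth checking against a planned configuration. The following Python model is an added example, not Enterasys code; the class, function names, interface addresses and the default advertise interval of 1 second are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, Set

OWNER_PRIORITY = 255   # reserved for the router that owns the virtual router IP
RESIGN_PRIORITY = 0    # reserved: signals that the master has stopped working


@dataclass(frozen=True)
class VrrpRouter:
    """Settings of one router for a single VLAN/VRID (hypothetical model)."""
    name: str
    interface_ip: str             # address of the routing interface (VLAN)
    priority: int                 # value given to the priority command, 1..254
    owner: bool = False           # owner argument of the address command (1 or 0)
    preempt: bool = True          # preempt is enabled by default
    advertise_interval: int = 1   # seconds, 1..255 (assumed sample value)

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 254:
            raise ValueError("configurable priority must be 1..254")
        if not 1 <= self.advertise_interval <= 255:
            raise ValueError("advertise interval must be 1..255 seconds")
        IPv4Address(self.interface_ip)  # raises ValueError on a malformed address

    @property
    def effective_priority(self) -> int:
        """The address owner always runs with the reserved priority 255."""
        return OWNER_PRIORITY if self.owner else self.priority


def elect_master(routers: Iterable[VrrpRouter]) -> VrrpRouter:
    """Initial election: owner wins, then highest priority, then highest IP."""
    candidates = list(routers)
    if not candidates:
        raise ValueError("no routers configured for this VLAN/VRID")
    if sum(r.owner for r in candidates) > 1:
        raise ValueError("only one router can own the virtual router IP")
    return max(
        candidates,
        key=lambda r: (r.effective_priority, int(IPv4Address(r.interface_ip))),
    )


def master_after_join(master: VrrpRouter, joiner: VrrpRouter) -> VrrpRouter:
    """Who is master once `joiner` comes up while `master` is already active."""
    if joiner.owner:
        return joiner  # the owner always preempts, regardless of the preempt setting
    if joiner.preempt and joiner.effective_priority > master.effective_priority:
        return joiner  # higher priority backup preempts a lower priority master
    return master


def interval_mismatch(routers: Iterable[VrrpRouter]) -> Set[int]:
    """Return the distinct advertise intervals if routers of one VRID disagree."""
    intervals = {r.advertise_interval for r in routers}
    return intervals if len(intervals) > 1 else set()


if __name__ == "__main__":
    # Constructed sample: virtual router 182.127.62.1 on VLAN 1, VRID 1.
    r1 = VrrpRouter("r1", "182.127.62.2", 200)
    r2 = VrrpRouter("r2", "182.127.62.3", 200, advertise_interval=3)
    print("master:", elect_master([r1, r2]).name)
    print("interval mismatch:", interval_mismatch([r1, r2]))
```

Running the planned priorities through `elect_master` before deployment shows which device will take over forwarding, and `interval_mismatch` flags VRID members whose advertisement intervals differ.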
enable
Use this command to enable VRRP on an interface. The no form of this command disables VRRP
on an interface.
Syntax
enable vlan vlan-id vrid
no enable vlan vlan-id vrid
Parameters
vlan vlan-id    Specifies the number of the VLAN on which to enable VRRP. This VLAN
                must be configured for IP routing as described in "Pre-Routing
                Configuration Tasks" on page 18-1.
vrid            Specifies the Virtual Router ID (VRID) associated with the vlan-id. Valid
                values are from 1 to 255.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Example
This example shows how to enable VRRP on the VLAN 1 interface, VRID 1:
C3(su)->router(Config)#router vrrp
C3(su)->router(Config-router)#enable vlan 1 1
ip vrrp authentication-key
Use this command to enable or disable a VRRP authentication key (password) for use on an
interface. The no form of this command prevents VRRP from using authentication.
Syntax
ip vrrp authentication-key name
no ip vrrp authentication-key
Parameters
name    Specifies the password to enable or disable for VRRP authentication.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the VRRP authentication key chain to password on the VLAN 1
interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip vrrp authentication-key password
show ip vrrp
Use this command to display VRRP routing information.
Syntax
show ip vrrp
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display VRRP information:
C3(su)->router(Config)#show ip vrrp
-----------VRRP CONFIGURATION-----------
Vlan  Vrid  State       Owner  AssocIpAddr  Priority
2     1     Initialize  0      25.25.2.1    100
Configuring PIM-SM
* Advanced License Required *
PIM-SM is an advanced routing feature that must be enabled with a license key. If you have purchased an
advanced license key, and have enabled routing on the device, you must activate your license as described in
the chapter entitled "Activating Licensed Features" in order to enable the PIM-SM command set. If you wish
to purchase an advanced routing license, contact Enterasys Networks Sales.
Design Considerations
Enterasys Networks recommends that administrators consider the following recommendations
before configuring the SecureStack C3 for a PIM-SM environment.
A SecureStack C3 cannot be configured as a Candidate-RP or a Candidate-BSR.
A SecureStack C3 should not be the first hop router for a multicast stream. In other words, the
multicast stream should not originate on a SecureStack C3.
A SecureStack C3 should not be positioned in the core of a PIM-SM topology, and should
only be positioned at the edge in a PIM-SM topology. In other words, the SecureStack C3
should only be used to deliver multicast streams to end clients.
Purpose
To enable and configure Protocol Independent Multicast in Sparse Mode (PIM-SM). This protocol
provides the means of dynamically learning how to forward multicast traffic in an environment
where group members are sparsely located throughout the network and bandwidth is limited. In
situations where members are densely located and bandwidth is plentiful, DVMRP would suffice
(see "Configuring DVMRP" on page 20-33.)
PIM-SM determines the network topology using the underlying unicast routing protocol to build
a Multicast Routing Information Base (MRIB).
Note: An Enterasys Networks Feature Guide document containing an in-depth discussion of
multicast configuration is located on the Enterasys Networks web site:
http://www.enterasys.com/support/manuals/
Note: IGMP must be enabled on all VLANs running PIM-SM, and must also be globally enabled
on the SecureStack C3. For details on enabling IGMP, refer to Chapter 13.
Commands
For information about...            Refer to page...
Global configuration commands
ip pimsm                            20-50
ip pimsm staticrp                   20-50
Interface configuration commands
ip pimsm enable                     20-51
ip pimsm query-interval             20-52
Display commands
show ip pimsm                       20-52
show ip pimsm componenttable        20-53
show ip pimsm interface             20-54
show ip pimsm neighbor              20-55
show ip pimsm rp                    20-56
show ip pimsm rphash                20-57
show ip pimsm staticrp              20-58
show ip mroute                      20-59
ip pimsm
This command sets administrative mode of PIM-SM multicast routing across the router to
enabled. IGMP must be enabled before PIM-SM can be enabled. By default, both IGMP and PIM
are globally disabled. The no form of this command disables PIM-SM (across the entire stack, if
applicable).
Syntax
ip pimsm
no ip pimsm
Parameters
None.
Defaults
None.
Mode
Global router configuration: C3(su)->router(Config)#
Example
This example shows how to globally enable and disable PIM:
C3(su)->router(Config)# ip pimsm
C3(su)->router(Config)# no ip pimsm
ip pimsm staticrp
This command is used to create a manual Rendezvous Point IP address for the PIM-SM router.
The no form of this command removes a previously configured RP.
Syntax
ip pimsm staticrp ipaddress groupadress groupmask
no ip pimsm staticrp ipaddress groupadress groupmask
Parameters
ipaddress      The IP address of the Rendezvous Point
groupadress    The group address supported by the Rendezvous Point
groupmask      The group mask for the group address
Defaults
None.
Mode
Global Router configuration: C3(su)->router(Config)#
Example
This example shows how to set an RP for a specific multicast group.
C3(su)->router(Config)#ip pimsm staticrp 192.15.18.3 224.0.0.0 240.0.0.0
ip pimsm enable
This command sets the administrative mode of PIM-SM multicast routing on a routing interface to
enabled. By default, PIM is disabled on all IP interfaces. The no form of this command disables
PIM on the specific interface.
Syntax
ip pimsm enable
no ip pimsm enable
Parameters
None.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable PIM on IP interface for VLAN 1.
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip pimsm enable
ip pimsm query-interval
This command configures the transmission frequency of hello messages in seconds between
PIM-enabled neighbors. The no form of this command resets the hello interval to the default, 30
seconds.
Syntax
ip pimsm query-interval seconds
no ip pimsm query-interval
Parameters
seconds    This field has a range of 10 to 3600 seconds. Default is 30.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the hello interval rate to 100 seconds.
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip pimsm query-interval 100
show ip pimsm
Use this command to display system-wide PIM-SM routing information.
Syntax
show ip pimsm
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display PIM information.
C3(su)->router# show ip pimsm
Admin Mode                      Enable
Join/Prune Interval (secs)      60
PIM-SM INTERFACE STATUS
VlanId  Interface Mode  Protocol State
------  --------------  ---------------
8       Disable         Non-Operational
16      Enable          Operational
17      Enable          Operational
20      Enable          Operational
30      Enable          Operational
31      Disable         Non-Operational
32      Disable         Non-Operational
33      Disable         Non-Operational
Table 20-7 provides an explanation of the command output.
Table 20-7 show ip pimsm Output Details
Output Field                  What it displays
Admin Mode                    This field indicates whether PIM-SM is enabled or disabled. This is a
                              configured value.
Join/Prune Interval (secs)    This field shows the interval at which periodic PIM-SM Join/Prune
                              messages are to be sent.
VlanId                        VLAN id associated with the PIM IP Interface.
Interface Mode                This field indicates whether PIM-SM is enabled or disabled on the
                              interface. This is a configured value.
Protocol State                This field indicates the current state of the PIM-SM protocol on the
                              interface. Possible values are Operational or Non-Operational.
show ip pimsm componenttable
This command displays the table containing objects specific to a PIM domain. One row exists for
each domain to which the router is connected.
Syntax
show ip pimsm componenttable
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display PIM router information:
C3(su)->router> show ip pimsm componenttable
COMPONENT TABLE
Component  Component     Component        Component
Index      BSR Address   BSR Expiry Time  CRP Hold Time
                         (hh:mm:ss)       (hh:mm:ss)
---------  ------------  ---------------  -------------
1          192.168.30.2  00:02:10         00:00:00
Table 20-8 provides an explanation of the command output.
Table 20-8 show ip pimsm componenttable Output Details
Output Field                 What it displays
Component Index              This field displays a number which uniquely identifies the component.
Component BSR Address        This field displays the IP address of the bootstrap router (BSR) for
                             the local PIM region.
Component BSR Expiry Time    This field displays the minimum time remaining before the BSR in the
                             local domain will be declared down.
Component CRP Hold Time      This field displays the hold time of the component when it is a
                             candidate rendezvous point.
show ip pimsm interface
This command displays PIM-SM status of the router interfaces. With the stats parameter, this
command displays statistical information for PIM-SM on the specified interface.
Syntax
show ip pimsm interface {vlan vlan-id | stats {vlan-id | all}}
Parameters
vlan vlan-id     Display PIM-SM information for the specified IP interface enabled for
                 PIM.
stats            Display PIM-SM interface statistics.
vlan-id | all    Display statistics for a specific VLAN or all VLANs.
Defaults
None.
Mode
Any router mode.
Examples
This example shows how to display PIM interface information.
C3(su)->router> show ip pimsm interface vlan 30
VLAN ID                   30
IP Address                192.168.30.1
Subnet Mask               255.255.255.0
Mode                      enable
Hello Interval (secs)     30 secs
CBSR Preference           -1
CRP Preference            -1
CBSR Hash Mask Length     30
Table 20-9 provides an explanation of the show ip pimsm interface vlan command output.
Table 20-9 show ip pimsm interface vlan Output Details
Output Field             What it displays
IP Address               The IP address of the specified interface.
Subnet Mask              The Subnet Mask for the IP address of the PIM interface.
Mode                     Indicates whether PIM-SM is enabled or disabled on the specified interface.
                         This is a configured value. By default it is disabled.
Hello Interval           Indicates the frequency at which PIM hello messages are transmitted on this
                         interface. This is a configured value. By default, the value is 30 seconds.
CBSR Preference          The preference value for the local interface as a candidate bootstrap router.
CRP Preference           The preference value as a candidate rendezvous point on this interface.
CBSR Hash Mask Length    The hash mask length to be advertised in bootstrap messages if this
                         interface is elected as the bootstrap router. The value is used in the hash
                         algorithm for selecting the RP for a particular group.
This example shows how to display PIM interface statistics.
C3(su)->router> show ip pimsm interface stats all
                                                          Neighbor
Vlan ID  IP Address     Subnet Mask     Designated Router  count
-------  -------------  --------------  -----------------  --------
6        192.168.6.2    255.255.255.0   0.0.0.0            0
7        192.168.7.1    255.255.255.0   192.168.7.1        0
8        192.168.8.1    255.255.255.0   0.0.0.0            0
30       192.168.30.1   255.255.255.0   192.168.30.2       1
Table 20-10 provides an explanation of the show ip pimsm interface stats command output.
Table 20-10 show ip pimsm interface stats Output Details
Output Field         What it displays
IP Address           The IP Address that represents the PIM-SM interface.
Subnet Mask          The Subnet Mask of this PIM-SM interface.
Designated Router    IP Address of the Designated Router for this interface.
Neighbor Count       The number of neighbors on the PIM-SM interface.
show ip pimsm neighbor
Display the router's PIM neighbors.
Syntax
show ip pimsm neighbor [vlan-id]
Parameters
vlan-id    (Optional) Display all neighbors discovered on a specific Interface.
Mode
Any router mode.
Defaults
If the VLAN id is omitted, all neighbors of all interfaces will be displayed.
Example
This example shows how to display PIM information:
C3(su)->router> show ip pimsm neighbor
NEIGHBOR TABLE
Vlan ID  IP Address     Up Time     Expiry Time
                        (hh:mm:ss)  (hh:mm:ss)
-------  -------------  ----------  -----------
30       192.168.30.2   01:36:41    00:01:25
6        192.168.6.1    01:36:41    00:01:25
Table 20-11 provides an explanation of the command output.
Table 20-11 show ip pimsm neighbor Output Details
Output Field    What it displays
Vlan ID         VLAN id of the interface.
IP Address      The IP Address of the neighbor on an interface.
Up Time         The time since this neighbor has become active on this interface.
Expiry Time     The expiry time of the neighbor on this interface.
show ip pimsm rp
This command displays the PIM information for candidate Rendezvous Points (RPs) for all IP
multicast groups or for a specific group address. The information in the table is displayed for each
IP multicast group.
Syntax
show ip pimsm rp {group-address group-mask | all | candidate}
Parameters
group-address    The multicast group IP address.
group-mask       The multicast group address subnet mask.
all              For all known group addresses.
candidate        Display PIM-SM candidate-RP table information.
Defaults
None.
Mode
Any router mode.
Examples
This example shows how to display the RP set for a specific group address.
C3(su)->router> show ip pimsm rp 224.0.0.0 240.0.0.0
RP SET TABLE
Group
Address    Group Mask  Address       Hold Time   Expiry Time  Component  C-RP Priority
                                     (hh:mm:ss)  (hh:mm:ss)
---------  ----------  ------------  ----------  -----------  ---------  -------------
224.0.0.0  240.0.0.0   192.168.30.2  00:02:15    00:02:30     1          0
Table 20-12 provides an explanation of the command output.
Table 20-12 show ip pimsm rp Output Details
Output Field     What it displays
Group Address    The address of the group for which the RP set is displayed.
Group Mask       The mask of the group address.
Address          The IP address of the RP.
Hold Time        The hold time of the RP.
Expiry Time      The minimum time remaining before the RP will be declared down.
Component        A number which uniquely identifies the component. Each protocol instance
                 connected to a separate domain should have a different index value.
C-RP Priority    The candidate-RP priority of the RP.
This example shows how to display the candidate RPs for each group address.
C3(su)->router> show ip pimsm rp candidate
CANDIDATE RP TABLE
Group Address  Group Mask  Address
-------------  ----------  ------------
224.0.0.0      240.0.0.0   192.168.30.2
show ip pimsm rphash
Displays the Rendezvous Point router that will be selected from the set of active RP routers. The
RP router, for the group, is selected by using the hash algorithm defined in RFC 2362.
Syntax
show ip pimsm rphash group-address
Parameters
group-address    The Group Address for the RP.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display the RP that will be selected for group address 224.0.0.0:
C3(su)->router> show ip pimsm rphash 224.0.0.0
192.168.129.223
show ip pimsm staticrp
Display the PIM-SM static Rendezvous Point information.
Syntax
show ip pimsm staticrp
Parameters
None.
Mode
Any router mode.
Defaults
None.
Example
This example shows how to display PIM information.
C3(su)->router# show ip pimsm staticrp
STATIC RP TABLE
Address          Group Address  Group Mask
---------------  -------------  ----------
123.231.111.121  234.0.0.0      255.0.0.0
192.168.129.223  224.0.0.0      240.0.0.0
Table 20-13 provides an explanation of the command output.
Table 20-13 show ip pimsm staticrp Output Details
Output Field     What it displays
Address          The IP address of the RP.
Group Address    The group address supported by the RP.
Group Mask       The group mask for the group address.
show ip mroute
Use this command to display the IP multicast routing table.
Syntax
show ip mroute
Parameters
None.
Defaults
None.
Mode
Any router mode.
Usage
The multicast routing table shows how a multicast routing protocol, such as PIM and DVMRP,
will forward a multicast packet. Information in the table includes source network/mask and
upstream neighbors.
For information about DVMRP, see "Configuring DVMRP" on page 20-33.
Example
This example shows the output of this command.
C3(su)->router#show ip mroute
Active IP Multicast Sources
Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set,
F - Register flag, T - SPT-bit set, Outgoing interface flags: H - Hardware switched
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode
Source Network     : 192.168.111.10
Source Mask        : 0.0.0.0
MultiCast Group    : 239.1.8.9
Uptime             : 6336
Upstream Neighbor  : 0.0.0.0
Upstream Vlan      : 111
Downstream Vlans   : 8
Source Network     : 192.168.111.10
Source Mask        : 0.0.0.0
MultiCast Group    : 239.1.7.105
Uptime             : 6336
Upstream Neighbor  : 0.0.0.0
Upstream Vlan      : 111
Downstream Vlans   : 8
Source Network     : 192.168.111.10
Source Mask        : 0.0.0.0
MultiCast Group    : 239.1.8.169
Uptime             : 6582
Upstream Neighbor  : 0.0.0.0
Upstream Vlan      : 111
Downstream Vlans   : 8
Source Network     : 192.168.111.10
Source Mask        : 0.0.0.0
MultiCast Group    : 239.1.4.173
Uptime             : 6582
Upstream Neighbor  : 0.0.0.0
Upstream Vlan      : 111
Downstream Vlans   : 8
21
IPv6 Management
This chapter describes the switch mode set of commands used to manage IPv6.
Purpose
To enable or disable the IPv6 management function, to configure and display the IPv6 host
address and IPv6 gateway for the switch, and to display IPv6 status information.
Commands
For information about...    Refer to page...
show ipv6 status            21-1
set ipv6                    21-2
set ipv6 address            21-3
show ipv6 address           21-4
clear ipv6 address          21-4
set ipv6 gateway            21-5
clear ipv6 gateway          21-6
show ipv6 neighbors         21-6
show ipv6 netstat           21-7
ping ipv6                   21-8
traceroute ipv6             21-9
show ipv6 status
Use this command to display the status of the IPv6 management function.
Syntax
show ipv6 status
Parameters
None.
Defaults
None.
Mode
Switch mode, read-only.
Example
This example shows how to display IPv6 management function status.
C3(ro)->show ipv6 status
IPv6 Administrative Mode: Disabled
set ipv6
Use this command to globally enable or disable the IPv6 management function.
Syntax
set ipv6 {enable | disable}
Parameters
enable | disable    Enable or disable the IPv6 management function.
Defaults
By default, IPv6 management is disabled.
Mode
Switch mode, read-write.
Usage
When you enable IPv6 management on the switch, the system automatically generates a link-local
host address for the switch from the host MAC address. You can set a different host IPv6 address
with the set ipv6 address command.
Example
This example shows how to enable IPv6 management.
C3(su)->set ipv6 enable
C3(su)->show ipv6 status
IPv6 Administrative Mode: Enabled
C3(su)->show ipv6 address
Name     IPv6 Address
-------  ------------------------------------------
host     FE80::201:F4FF:FE5C:2880/64
set ipv6 address
Use this command to configure IPv6 global addressing information.
Syntax
set ipv6 address ipv6-addr/prefix-length [eui64]
Parameters
ipv6-addr        The IPv6 address or prefix to be configured. This parameter must be in the
                 form documented in RFC 4291, with the address specified in hexadecimal
                 using 16-bit values between colons.
prefix-length    The length of the IPv6 prefix for this address. The value of prefix-length is a
                 decimal number indicating the number of high-order contiguous bits of the
                 address that comprise the network portion of the address.
eui64            (Optional) Formulate the IPv6 address using an EUI-64 ID in the lower
                 order 64 bits of the address.
Defaults
No global unicast IPv6 address is defined by default.
Mode
Switch mode, read-write.
Usage
Use this command to manually configure a global unicast IPv6 address for IPv6 management. You
can specify the address completely, or you can use the optional eui64 parameter to allow the
switch to generate the lower order 64 bits of the address.
When using the eui64 parameter, you specify only the network prefix and length.
Examples
This example shows how to completely specify an IPv6 address by entering all 128 bits and the
prefix:
C3(su)->set ipv6 address 2001:0db8:1234:5555::9876:2/64
C3(su)->show ipv6 address
Name     IPv6 Address
-------  ------------------------------------------
host     FE80::201:F4FF:FE5C:2880/64
host     2001:DB8:1234:5555::9876:2/64
This example shows how to use the eui64 parameter to configure the lower order 64 bits:
C3(su)->set ipv6 address 2001:0db8:1234:5555::/64 eui64
C3(su)->show ipv6 address
Name     IPv6 Address
-------  ------------------------------------------
host     FE80::201:F4FF:FE5C:2880/64
host     2001:DB8:1234:5555:201:F4FF:FE5C:2880/64
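The link-local address generated by set ipv6 enable and the address produced by the eui64 parameter share the same lower 64 bits because both are derived from the host MAC address, which also means such a management address discloses that MAC to anyone who sees it. The Python sketch below is an added example, not Enterasys code, that reproduces the derivation and its reverse; the MAC 00:01:F4:5C:28:80 is inferred from the sample output above and the function names are illustrative.

```python
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> int:
    """Build the modified EUI-64 interface identifier from a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert FF:FE between the OUI and the device part, then flip the
    # universal/local bit (0x02) of the first octet.
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Interface:
    """Combine a /64 prefix with the EUI-64 identifier, as the eui64 option does."""
    network = ipaddress.IPv6Network(prefix, strict=True)
    if network.prefixlen != 64:
        raise ValueError("an EUI-64 address needs a /64 prefix")
    value = int(network.network_address) | eui64_interface_id(mac)
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(value)}/64")


def mac_from_eui64(address: str) -> Optional[str]:
    """Return the MAC embedded in an address, or None if it is not EUI-64 based."""
    ip = ipaddress.IPv6Interface(address).ip
    iid = (int(ip) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # e.g. a manually chosen identifier such as ::9876:2
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{octet:02x}" for octet in mac)


if __name__ == "__main__":
    host_mac = "00:01:F4:5C:28:80"  # inferred from the sample output, not stated in the guide
    print(eui64_address("fe80::/64", host_mac))
    print(eui64_address("2001:0db8:1234:5555::/64", host_mac))
    print(mac_from_eui64("2001:DB8:1234:5555:201:F4FF:FE5C:2880/64"))
    print(mac_from_eui64("2001:DB8:1234:5555::9876:2/64"))
```

A fully specified address such as 2001:DB8:1234:5555::9876:2 carries no MAC, which `mac_from_eui64` reports as None.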
show ipv6 address
Use this command to display the system IPv6 address(es) and IPv6 gateway address (default
router), if configured.
Syntax
show ipv6 address
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
This command displays the IPv6 addresses configured automatically and with the set ipv6
address and set ipv6 gateway commands.
Example
This example displays three IPv6 management addresses configured for the switch.
C3(su)->show ipv6 address
Name     IPv6 Address
-------  ------------------------------------------
host     FE80::201:F4FF:FE5C:2880/64
host     2001:DB8:1234:5555:201:F4FF:FE5C:2880/64
gateway  FE80::201:F4FF:FE5D:1234
clear ipv6 address
Use this command to clear IPv6 global addresses.
Syntax
clear ipv6 [address {all | ipv6-addr/prefix-length}]
Parameters
ipv6-addr        The IPv6 address to be cleared. This parameter must be in the form
                 documented in RFC 4291, with the address specified in hexadecimal using
                 16-bit values between colons.
prefix-length    The length of the IPv6 prefix for this address. The value of prefix-length is a
                 decimal number indicating the number of high-order contiguous bits of the
                 address that comprise the network portion of the address.
all              Deletes all IPv6 global addresses.
Defaults
If address is not entered, all manually configured global IPv6 addresses are cleared.
Mode
Switch mode, read-write.
Usage
This command clears addresses manually configured with the set ipv6 address command. Use the
clear ipv6 gateway command to clear the IPv6 gateway address.
Example
This example illustrates that this command clears only those IPv6 addresses configured with the
set ipv6 address command. The link-local address for the host interface and the gateway address
are not removed with this command.
C3(su)->show ipv6 address
Name     IPv6 Address
-------  ------------------------------------------
host     FE80::201:F4FF:FE5C:2880/64
host     2001:DB8:1234:5555:201:F4FF:FE5C:2880/64
host     2001:DB8:1234:5555::9876:2/64
gateway  FE80::201:F4FF:FE5D:1234
C3(su)->clear ipv6 address all
C3(su)->show ipv6 address
Name     IPv6 Address
-------  ------------------------------------------
host     FE80::201:F4FF:FE5C:2880/64
gateway  FE80::201:F4FF:FE5D:1234
set ipv6 gateway
Use this command to configure the IPv6 gateway (default router) address.
Syntax
set ipv6 gateway ipv6-addr
Parameters
ipv6-addr    The IPv6 address to be configured. The address can be a global unicast or
             link-local IPv6 address, in the form documented in RFC 4291, with the
             address specified in hexadecimal using 16-bit values between colons.
Defaults
None.
Mode
Switch mode, read-write.
Usage
This command configures the IPv6 gateway address. Only one IPv6 gateway address can be
configured for the switch, so executing this command when a gateway address has already been
configured will overwrite the previously configured address.
Use the show ipv6 address command to display a configured IPv6 gateway address.
Example
This example shows how to configure an IPv6 gateway address using a link-local address.
C3(su)->set ipv6 gateway fe80::201:f4ff:fe5d:1234
C3(su)->show ipv6 address
Name     IPv6 Address
-------  ------------------------------------------
host     FE80::201:F4FF:FE5C:2880/64
gateway  FE80::201:F4FF:FE5D:1234
clear ipv6 gateway
Use this command to clear an IPv6 gateway address.
Syntax
clear ipv6 gateway
Parameters
None.
Defaults
None.
Mode
Switch mode, read-write.
Example
This example shows how to remove a configured IPv6 gateway address.
C3(su)->show ipv6 address
Name     IPv6 Address
-------  ------------------------------------------
host     FE80::201:F4FF:FE5C:2880/64
gateway  FE80::201:F4FF:FE5D:1234
C3(su)->clear ipv6 gateway
C3(su)->show ipv6 address
Name     IPv6 Address
-------  ------------------------------------------
host     FE80::201:F4FF:FE5C:2880/64
show ipv6 neighbors
Use this command to display the system IPv6 Neighbor Discovery Protocol cache.
Syntax
show ipv6 neighbors
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows example output of this command.
C3(su)->show ipv6 neighbors
                                                                 Last
IPv6 Address                 MAC Address        isRtr  State      Updated
---------------------------------------------------------------------------
2001:db8:1234:6666::2310:3   00:04:76:73:42:31  True   Reachable  00:01:16
show ipv6 netstat
Use this command to display IPv6 netstat information.
Syntax
show ipv6 netstat
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows the output of this command.
C3(su)->show ipv6 netstat
Prot Local Address                      State
     Foreign Address
-----------------------------------------------------------
TCP  3333::211:88FF:FE59:4424.22        ESTABLISHED
     2020::D480:1384:F58C:B114.1049
TCP  3333::211:88FF:FE59:4424.443       TIME_WAIT
     2020::D480:1384:F58C:B114.1056
TCP  ::.23                              LISTEN
     ::.*
TCP  3333::211:88FF:FE59:4424.22        ESTABLISHED
     2020::D480:1384:F58C:B114.1050
TCP  3333::211:88FF:FE59:4424.22        ESTABLISHED
     3333::2117:F1C0:90B:910D.1045
TCP  ::.80                              LISTEN
     ::.*
TCP  ::.22                              LISTEN
     ::.*
TCP  3333::211:88FF:FE59:4424.80        ESTABLISHED
     2020::D480:1384:F58C:B114.1053
TCP  3333::211:88FF:FE59:4424.80        ESTABLISHED
     2020::D480:1384:F58C:B114.1054
TCP  ::.443                             LISTEN
     ::.*
TCP  3333::211:88FF:FE59:4424.22        ESTABLISHED
     2020::D480:1384:F58C:B114.1048
TCP  3333::211:88FF:FE59:4424.443       TIME_WAIT
     2020::D480:1384:F58C:B114.1055
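The following added example (not part of the original guide) parses the two-line-per-socket layout of the show ipv6 netstat output and reports management services that are reachable without encryption. The sample is an abbreviated copy of the output above; the mapping of ports 23 and 80 to telnet and HTTP is an assumption based on the standard port assignments, and the function names are hypothetical.

```python
import ipaddress

# Abbreviated copy of the "show ipv6 netstat" output above: each socket spans
# two lines, local endpoint and state first, foreign endpoint second.
SAMPLE = """\
Prot Local Address                      State
     Foreign Address
-----------------------------------------------------------
TCP  3333::211:88FF:FE59:4424.22        ESTABLISHED
     2020::D480:1384:F58C:B114.1049
TCP  ::.23                              LISTEN
     ::.*
TCP  ::.80                              LISTEN
     ::.*
TCP  ::.22                              LISTEN
     ::.*
TCP  3333::211:88FF:FE59:4424.80        ESTABLISHED
     2020::D480:1384:F58C:B114.1053
TCP  ::.443                             LISTEN
     ::.*
"""

# Assumption: standard port assignments; the output itself names no service.
CLEARTEXT_PORTS = {23: "telnet", 80: "http"}


def split_endpoint(text):
    """Split 'address.port' on the last dot; a port of '*' means any port."""
    addr, _, port = text.rpartition(".")
    return ipaddress.IPv6Address(addr), None if port == "*" else int(port)


def parse_netstat(output):
    """Return one dict per socket from the two-line-per-entry layout."""
    sockets, pending = [], None
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0] == "TCP":
            pending = fields                      # local endpoint + state
        elif pending and len(fields) == 1:
            local_addr, local_port = split_endpoint(pending[1])
            peer_addr, peer_port = split_endpoint(fields[0])
            sockets.append({
                "local_addr": local_addr, "local_port": local_port,
                "peer_addr": peer_addr, "peer_port": peer_port,
                "state": pending[2],
            })
            pending = None
    return sockets


def audit(sockets):
    """Flag cleartext management listeners and the peers currently using them."""
    findings = []
    for sock in sockets:
        service = CLEARTEXT_PORTS.get(sock["local_port"])
        if service is None:
            continue
        if sock["state"] == "LISTEN":
            findings.append((service, "listening", str(sock["local_addr"])))
        elif sock["state"] == "ESTABLISHED":
            findings.append((service, "session", str(sock["peer_addr"])))
    return findings


if __name__ == "__main__":
    for service, kind, address in audit(parse_netstat(SAMPLE)):
        print(f"{service:7} {kind:10} {address}")
```

A listener bound to :: accepts connections on every IPv6 address of the switch, so each "listening" finding applies to all interfaces.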
ping ipv6
Use this command to test routing network connectivity by sending IP ping requests.
Syntax
ping ipv6-addr [size num]
Parameters
ipv6-addr   Specifies the IPv6 address of the system to ping. Enter the address in the
            form documented in RFC 4291, with the address specified in hexadecimal
            using 16-bit values between colons.
size num    (Optional) Specifies the size of the datagram packet. The value of num can
            range from 48 to 2048 bytes.
Defaults
None.
Mode
Switch mode, read-write.
Usage
This command is also available in router mode.
Examples
This example shows output from a successful ping to IPv6 address 2001:0db8:1234:5555::1234:1.
C3(su)->ping ipv6 2001:0db8:1234:5555::1234:1
2001:DB8:1234:5555::1234:1 is alive
This example shows output from an unsuccessful ping to IPv6 address
2001:0db8:1234:5555::1234:1.
C3(su)->ping ipv6 2001:0db8:1234:5555::1234:1
no answer from 2001:DB8:1234:5555::1234:1
traceroute ipv6
Use this command to discover the routes that packets actually take when traveling to their
destination through the network on a hop-by-hop basis.
Syntax
traceroute ipv6 ipv6-addr
Parameters
ipv6-addr   Specifies a host to which the route of an IPv6 packet will be traced. Enter the
            address in the form documented in RFC 4291, with the address specified in
            hexadecimal using 16-bit values between colons.
Defaults
None.
Mode
Switch mode, read-write.
Usage
This command is also available in router mode.
Example
This example shows how to use traceroute to display a round trip path to host
2001:0db8:1234:5555
C3(su)->router#traceroute ipv6 2001:0db8:1234:5555::1
Traceroute to 2001:0db8:1234:5555, 30 hops max, 40 byte packets
1 2001:0db8:1234:5555 1.000000e+00 ms 1.000000e+00 ms 1.000000e+00 ms
22
IPv6 Configuration
The commands in this chapter perform configuration of IPv6 parameters on the SecureStack C3.
For information about specific IPv6 routing protocols, such as OSPFv3, refer to the appropriate
chapters. For information about managing IPv6 functionality at the switch level, refer to
Chapter 21, IPv6 Management.
* IPv6 Routing License Required *
IPv6 routing must be enabled with a license key. If you have purchased an IPv6 routing license key, and have
enabled routing on the device, you must activate your license as described in the chapter entitled Activating
Licensed Features in order to enable the IPv6 routing configuration command set. If you wish to purchase an
IPv6 routing license, contact Enterasys Networks Sales.
For information about...                          Refer to page...
General Configuration Commands                    22-3
Interface Configuration Commands                  22-10
Neighbor Cache and Neighbor Discovery Commands    22-14
Query Commands                                    22-22
Overview
IPv6 and IPv4 coexist on the SecureStack C3. As with IPv4, IPv6 routing can be enabled on VLAN
interfaces. Each Layer 3 routing interface can be used for IPv4, IPv6, or both.
The SecureStack C3 supports all IPv6 address formats, including global unicast addresses,
link-local unicast, global multicast, scoped multicast (including local scoped multicast),
IPv4-compatible addresses, unspecified addresses, loopback addresses, and anycast addresses.
Refer to the following RFCs for more information about IPv6 address formats:
RFC 4291, IP Version 6 Addressing Architecture
RFC 3587, IPv6 Global Unicast Address Format
RFC 4007, IPv6 Scoped Address Architecture
The basic IPv6 protocol specifies PDU options of two classes, both of which are supported:
hop-by-hop options and destination options. While new options can be defined in the future, the
following are currently supported: routing (for source routing), fragment, router alert and pad.
Jumbograms are not supported. In IPv6, only source nodes fragment. Path MTU discovery is
therefore a requirement. Flow labels are ignored.
Neighbor Discovery is the IPv6 replacement for ARP. The SecureStack C3 supports neighbor
advertise and solicit, duplicate address detection, and unreachability detection. Router
Advertisement is part of the Neighbor Discovery process and is required for IPv6. Stateless
autoconfiguration is part of Router Advertisement and the SecureStack C3 can support both
stateless and stateful autoconfiguration of end nodes. The SecureStack C3 supports both EUI-64
interface identifiers and manually configured interface IDs.
Refer to the following RFCs for more information about Neighbor Discovery and stateless address
autoconfiguration:
RFC 2461, Neighbor Discovery for IP Version 6
RFC 2462, IPv6 Stateless Address Autoconfiguration
For ICMPv6, error PDU generation is supported, as are path MTU, echo, and redirect.
Router Advertisement is an integral part of IPv6 and is supported. Numerous options are
available including stateless/stateful address configuration, router and address lifetimes, and
Neighbor Discovery timer control. Ping and traceroute applications for IPv6 are provided.
Management of IPv6 features is provided by means of CLI commands and SNMP. See Chapter 21,
IPv6 Management for descriptions of the CLI commands.
Default Conditions
The following table lists the default IPv6 conditions.
Condition                      Default Value
IPv6 forwarding                Enabled
IPv6 route distance            1
IPv6 unicast-routing           Disabled
IPv6 enable                    Disabled
IPv6 mtu                       1500
IPv6 nd dad attempts           1
IPv6 nd managed-config-flag    False
IPv6 nd ns-interval            0
IPv6 nd other-config-flag      False
IPv6 nd ra-interval            600
IPv6 nd ra-lifetime            1800
IPv6 nd reachable-time         0
IPv6 nd suppress-ra            Disabled
IPv6 nd prefix                 Valid-lifetime 604800
                               Preferred-lifetime 2592000
                               Autoconfig enabled
                               On-link enabled
General Configuration Commands
For information about...     Refer to page...
ipv6 forwarding              22-3
ipv6 hop-limit               22-3
ipv6 route                   22-4
ipv6 route distance          22-5
ipv6 unicast-routing         22-6
ping ipv6                    22-6
ping ipv6 interface          22-7
traceroute ipv6              22-8
ipv6 forwarding
This command enables or disables IPv6 forwarding on the router.
Syntax
ipv6 forwarding
no ipv6 forwarding
Parameters
None.
Defaults
IPv6 forwarding is enabled.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
The no form of this command disables IPv6 forwarding on the router.
Example
This example disables IPv6 forwarding.
C3(su)->router(Config)# no ipv6 forwarding
ipv6 hop-limit
This command sets the maximum number of IPv6 hops used in IPv6 packets and router
advertisements generated by this device.
Syntax
ipv6 hop-limit hops
no ipv6 hop-limit
Parameters
hops   Specifies the maximum number of IPv6 hops used in IPv6 packets and
       router advertisements generated by this device. Value can range from 1
       to 255. The default value is 64.
Defaults
The default maximum number of IPv6 hops is 64.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
This command sets the value of the hop limit field in IPv6 packets originated by this device. This
value is also placed in the Cur Hop Limit field of router advertisements generated by this router.
Use the no form of this command to reset the limit to the default value.
Example
This example sets the hop limit to 50.
C3(su)->router(Config)# ipv6 hop-limit 50
ipv6 route
This command configures static IPv6 routes.
Syntax
ipv6 route ipv6-prefix/prefix-length interface {tunnel tunnel-id | vlan vlan-id} next-hop-addr [pref]
no ipv6 route ipv6-prefix/prefix-length interface {tunnel tunnel-id | vlan vlan-id} next-hop-addr [pref]
Parameters
ipv6-prefix/prefix-length    The IPv6 network prefix that is the destination of the static route, and
                             the prefix length.
                             The prefix must be in the form documented in RFC 4291, with the
                             address specified in hexadecimal using 16-bit values between colons.
                             The prefix length is a decimal number indicating the number of
                             high-order contiguous bits of the address that comprise the network
                             portion of the address.
interface tunnel tunnel-id   Specifies the interface type and ID of direct static routes from
| vlan vlan-id               point-to-point and broadcast interfaces.
next-hop-addr                Link-local address of the interface.
pref                         (Optional) Specifies the preference value the router uses to compare
                             this route with routes from other route sources that have the same
                             destination.
                             The value of pref can range from 1 to 255. The default value is 1, which
                             gives static routes precedence over any other type of route except
                             connected routes.
                             A route with a preference of 255 cannot be used to forward traffic.
Defaults
Default preference or administrative distance is 1.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
Use the no form of this command to remove a static route. If you do not specify a next hop address
with the no form, all static routes to the specified destination will be removed.
Example
This command creates a static IPv6 route to network 2001:0DB8:2222:4455::/64 by way of interface
VLAN 6 and gives it a preference of 5.
C3(su)->router(Config)# ipv6 route 2001:0DB8:2222:4455::/64 interface vlan 6 fe80::1234:5678:2dd:1 5
ipv6 route distance
This command configures the default distance, or preference, for static IPv6 routes.
Syntax
ipv6 route distance pref
no ipv6 route distance
Parameters
pref   A distance value used when no distance is specified when a static
       route is configured.
       The value can range from 1 to 255. Lower route distance values are
       preferred when determining the best route.
Defaults
Default preference or administrative distance is 1.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
The default distance is used when no distance is specified in the ipv6 route command. Changing
the default distance does not update the distance of existing static routes, even if they were
assigned the original default distance. The new default distance will only be applied to static
routes created after invoking the ipv6 route distance command.
Use the no form of this command to return the default distance to 1.
Example
This command sets the default distance value to 3.
C3(su)->router(Config)# ipv6 route distance 3
ipv6 unicast-routing
This command enables/disables forwarding of IPv6 unicast datagrams.
Syntax
ipv6 unicast-routing
no ipv6 unicast-routing
Parameters
None.
Defaults
Disabled.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
Use this command to enable forwarding of IPv6 unicast datagrams on the SecureStack C3. Use the
no form of the command to disable forwarding of IPv6 unicast datagrams.
Example
This command enables forwarding of IPv6 unicast datagrams on the router.
C3(su)->router(Config)# ipv6 unicast-routing
ping ipv6
Use this command to test routing network connectivity by sending IP ping requests.
Syntax
ping ipv6 ipv6-addr [size num]
Parameters
ipv6-addr   Specifies the global IPv6 address of the system to ping. Enter the address in
            the form documented in RFC 4291, with the address specified in
            hexadecimal using 16-bit values between colons.
size num    (Optional) Specifies the size of the datagram packet. The value of num can
            range from 48 to 2048 bytes.
Defaults
None.
Mode
Router privileged exec: C3(su)->router#
Router user exec: C3(su)->router>
Usage
Use this command to determine whether another computer is on the network. To use this
command, configure the switch for network (in-band) connection. The source and target devices
must have the ping utility enabled and running on top of TCP/IP.
The switch can be pinged from any IP workstation with which the switch is connected through the
default VLAN (VLAN 1), as long as there is a physical path between the switch and the
workstation. The terminal interface sends three pings to the target station.
Examples
This example shows output from a successful ping to IPv6 address 2001:0db8:1234:5555::1234:1.
C3(su)->router#ping ipv6 2001:0db8:1234:5555::1234:1
Send count=3, Receive count=3 from 2001:DB8:1234:5555::1234:1
Average round trip time = 1.00 ms
This example shows output from an unsuccessful ping to IPv6 address
2001:0db8:1234:5555::1234:1.
C3(su)->ping ipv6 2001:0db8:1234:5555::1234:1
no answer from 2001:DB8:1234:5555::1234:1
ping ipv6 interface
Use this command to test routing network connectivity by sending IP ping requests.
Syntax
ping ipv6 interface {vlan vlan-id | tunnel tunnel-id | loopback loop-id}
{link-local-address ipv6-lladdr | ipv6-addr} [size num]
Parameters
vlan vlan-id                     Specifies a VLAN interface as the source.
tunnel tunnel-id                 Specifies a tunnel interface as the source.
loopback loop-id                 Specifies a loopback interface as the source.
link-local-address ipv6-lladdr   Specifies a link-local IPv6 address to ping.
ipv6-addr                        Specifies the global IPv6 address of the system to ping. Enter the address
                                 in the form documented in RFC 4291, with the address specified in
                                 hexadecimal using 16-bit values between colons.
size num                         (Optional) Specifies the size of the datagram packet. The value of num can
                                 range from 48 to 2048 bytes.
Defaults
None.
Mode
Router privileged exec: C3(su)->router#
Usage
Use this command to ping an interface by using the link-local address or the global IPv6 address
of the interface. You can use a loopback, tunnel, or logical interface as the source. The source and
target devices must have the ping utility enabled and running on top of TCP/IP.
The switch can be pinged from any IP workstation with which the switch is connected through the
default VLAN (VLAN 1), as long as there is a physical path between the switch and the
workstation. The terminal interface sends three pings to the target station.
Example
This example shows output from a successful ping to link-local address fe80::211:88ff:fe55:4a7f.
C3(su)->router#ping ipv6 interface vlan 6 link-local-address fe80::211:88ff:fe55:4a7f
Send count=3, Receive count=3 from fe80::211:88ff:fe55:4a7f
Average round trip time = 1.00 ms
traceroute ipv6
Use this command to discover the routes that packets actually take when traveling to their
destination through the network on a hop-by-hop basis.
Syntax
traceroute ipv6 ipv6-addr
Parameters
ipv6-addr   Specifies a host to which the route of an IPv6 packet will be traced. Enter the
            address in the form documented in RFC 4291, with the address specified in
            hexadecimal using 16-bit values between colons.
Defaults
None.
Mode
Router privileged exec: C3(su)->router#
Example
This example shows how to use traceroute to display a round trip path to host
2001:0db8:1234:5555::1.
C3(su)->router#traceroute ipv6 2001:0db8:1234:5555::1
Traceroute to 2001:0db8:1234:5555::1, 30 hops max, 40 byte packets
1 2001:0db8:1234:5555::1 1.000000e+00 ms 1.000000e+00 ms 1.000000e+00 ms
Interface Configuration Commands
For information about...     Refer to page...
ipv6 address                 22-10
ipv6 enable                  22-11
ipv6 mtu                     22-12
ipv6 address
This command configures a global IPv6 address on an interface, including VLAN, tunnel, and
loopback interfaces, and enables IPv6 processing on the interface.
Syntax
ipv6 address {ipv6-addr/prefix-length | ipv6-prefix/prefix-length eui64}
no ipv6 address [ipv6-addr/prefix-length | ipv6-prefix/prefix-length eui64]
Parameters
ipv6-addr       The IPv6 address to be configured on the interface.
                This parameter must be in the form documented in RFC 4291, with the
                address specified in hexadecimal using 16-bit values between colons.
prefix-length   The length of the IPv6 prefix for this address. The value of prefix-length
                is a decimal number indicating the number of high-order contiguous
                bits of the address that comprise the network portion of the address.
                If the eui64 parameter is used, this value must be 64 bits.
ipv6-prefix     The IPv6 prefix to be configured on the interface.
                This parameter must be in the form documented in RFC 4291, with the
                address specified in hexadecimal using 16-bit values between colons.
eui64           Configures an IPv6 address for an interface using an EUI-64 interface ID
                in the low-order 64 bits of the address and enables IPv6 processing on
                the interface.
Defaults
No IPv6 addresses are defined for any interface.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
Use this command to manually configure a global IPv6 address on an interface. You can enter the
complete 128-bit address and prefix, or use the eui64 parameter to configure a global IPv6 address
using an EUI-64 identifier in the low-order 64 bits of the address. When using the eui64 parameter,
you specify only the network prefix and length, and the SecureStack C3 generates the low-order 64
bits.
The hexadecimal letters in the IPv6 addresses are not case-sensitive.
This command also enables IPv6 processing on the interface and automatically generates a
link-local address.
You can assign multiple globally reachable addresses to an interface with this command.
Use the no ipv6 address command without any parameters to remove all manually configured
IPv6 addresses from the interface.
Example
This example configures an IPv6 address by using the eui64 parameter. Then, the show ipv6
interface is executed to display the configuration. Note that a link-local address has also
automatically been generated.
C3(su)->router(Config-if(Vlan 7))# ipv6 address 3FFE:501:FFFF:101/64 eui64
C3(su)->router>show ipv6 interface vlan 7
Vlan 7 Administrative Mode                      Enabled
Vlan 7 IPv6 Routing Operational Mode            Enabled
IPv6 is                                         Enabled
IPv6 Prefix is                                  FE80::211:88FF:FE55:4A7F/128
                                                3FFE:501:FFFF:101:211:88FF:FE55:4A7F/64
Routing Mode                                    Enabled
Interface Maximum Transmit Unit                 1500
Router Duplicate Address Detection Transmits    1
Router Advertisement NS Interval                0
Router Lifetime Interval                        1800
Router Advertisement Reachable Time             0
Router Advertisement Interval                   600
Router Advertisement Managed Config Flag        Disabled
Router Advertisement Other Config Flag          Disabled
Router Advertisement Suppress Flag              Disabled
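The following added example (not part of the original guide) shows how the low-order 64 bits produced by the eui64 parameter follow from the interface MAC address, and how an auditor can recover the MAC address from any address built this way. It uses the modified EUI-64 construction from RFC 4291; the MAC address 00:11:88:55:4a:7f is not printed in the guide and is derived here from the addresses in the output above, and the function names are hypothetical.

```python
import ipaddress


def eui64_interface_id(mac):
    """Build the modified EUI-64 interface ID (RFC 4291) from a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    # Insert FF:FE in the middle and invert the universal/local bit (0x02).
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def eui64_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface ID, as the eui64 parameter does."""
    network = ipaddress.IPv6Network(prefix, strict=True)
    if network.prefixlen != 64:
        raise ValueError("the eui64 form requires a prefix length of 64")
    return ipaddress.IPv6Address(int(network.network_address) | eui64_interface_id(mac))


def mac_from_address(address):
    """Return the MAC embedded in an EUI-64 based address, or None if there is none."""
    low = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    iid = low.to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None                      # manually configured or random interface ID
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{octet:02x}" for octet in mac)


def embedded_macs(addresses):
    """Map each address that exposes a MAC address to that MAC."""
    found = {}
    for address in addresses:
        mac = mac_from_address(address)
        if mac is not None:
            found[str(ipaddress.IPv6Address(address))] = mac
    return found


if __name__ == "__main__":
    MAC = "00:11:88:55:4a:7f"            # derived from the example output above
    # The CLI accepts 3FFE:501:FFFF:101/64; Python needs the full prefix form.
    print(eui64_address("3ffe:501:ffff:101::/64", MAC))
    print(eui64_address("fe80::/64", MAC))
    print(embedded_macs([
        "FE80::211:88FF:FE55:4A7F",
        "3FFE:501:FFFF:101:211:88FF:FE55:4A7F",
        "2001:DB8:1234:5555::9876:2",     # manually configured, no MAC inside
    ]))
```

Because the interface ID is the same under every prefix, an EUI-64 address identifies the hardware wherever it appears in logs or neighbor caches; manually configured interface IDs do not.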
ipv6 enable
This command enables IPv6 routing on an interface that has not been configured with an explicit
IPv6 address.
Syntax
ipv6 enable
no ipv6 enable
Parameters
None.
Defaults
IPv6 is disabled.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
When this command is executed, an IPv6 link-local unicast address is configured on the interface
and IPv6 processing is enabled. You do not need to use this command if you configured an IPv6
global address on an interface with the ipv6 address command.
The no ipv6 enable command disables IPv6 routing on an interface that has been enabled with the
ipv6 enable command, but it does not disable IPv6 processing on an interface that is configured
with an explicit IPv6 address.
Example
This example enables IPv6 processing on VLAN 7. Note that a link-local address has been
automatically configured.
C3(su)->router(Config-if(Vlan 7))# ipv6 enable
C3(su)->router>show ipv6 interface vlan 7
Vlan 7 Administrative Mode                      Enabled
Vlan 7 IPv6 Routing Operational Mode            Enabled
IPv6 is                                         Enabled
IPv6 Prefix is                                  FE80::211:88FF:FE55:4A7F/128
Routing Mode                                    Enabled
Interface Maximum Transmit Unit                 1500
Router Duplicate Address Detection Transmits    1
Router Advertisement NS Interval                0
Router Lifetime Interval                        1800
Router Advertisement Reachable Time             0
Router Advertisement Interval                   600
Router Advertisement Managed Config Flag        Disabled
Router Advertisement Other Config Flag          Disabled
Router Advertisement Suppress Flag              Disabled
ipv6 mtu
This command configures the maximum transmission unit (MTU) size of IPv6 packets that can be
sent on an interface.
Syntax
ipv6 mtu bytes
no ipv6 mtu
Parameters
bytes   Specifies the MTU value in bytes. The value can range from 1280 to 1500
        bytes. The MTU cannot be larger than the value supported by the
        underlying interface.
Defaults
1480 bytes
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
The maximum transmission unit is the largest possible unit of data that can be sent on a given
physical medium. Use this command to set the MTU for an IPv6 interface. The no form of this
command resets the MTU to the default value of 1480 bytes.
Use the show ipv6 interface to display the current setting for this interface.
Note: All interfaces attached to the same physical medium must be configured with the same MTU
to operate properly.
Example
This example sets the MTU value to 1500 bytes.
C3(su)->router(Config-if(Vlan 1))# ipv6 mtu 1500
Neighbor Cache and Neighbor Discovery Commands
The IPv6 Neighbor Cache functions similarly to the IPv4 ARP table. Entries can be made to the
Neighbor Cache by the Neighbor Discovery protocol.
The Neighbor Discovery commands allow you to set protocol parameters on an interface basis.
For information about...       Refer to page...
clear ipv6 neighbors           22-14
ipv6 nd dad attempts           22-15
ipv6 nd ns-interval            22-15
ipv6 nd reachable-time         22-16
ipv6 nd other-config-flag      22-17
ipv6 nd ra-interval            22-18
ipv6 nd ra-lifetime            22-18
ipv6 nd suppress-ra            22-19
ipv6 nd prefix                 22-19
clear ipv6 neighbors
This command clears all the dynamically learned entries in the Neighbor Cache, or an entry on a
specific interface.
Syntax
clear ipv6 neighbor [vlan vlan-id]
Parameters
vlan vlan-id   (Optional) Clear only the entries on the specified interface.
Defaults
None.
Mode
Router privileged exec: C3(su)->router#
Usage
To clear all dynamically learned Neighbor Cache entries, use this command without any
parameters.
Example
This example clears all dynamically learned cache entries.
C3(su)->router#clear ipv6 neighbors
ipv6 nd dad attempts
This command configures the number of duplicate address detection (DAD) attempts made on the
interface when configuring IPv6 unicast addresses.
Syntax
ipv6 nd dad attempts number
no ipv6 nd dad attempts
Parameters
number   Specifies the number of consecutive Neighbor Solicitation messages
         transmitted on the interface, when Duplicate Address Detection (DAD)
         is performed on a unicast IPv6 address assigned to the interface.
         The value can range from 0 to 600. A value of 0 disables Duplicate
         Address Detection on the interface. A value of 1, which is the default,
         specifies a single transmission with no follow-up transmissions.
Defaults
Duplicate address detection enabled, for 1 attempt.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
IPv6 Duplicate Address Detection is described in RFC 2462. Duplicate Address Detection uses
Neighbor Solicitation and Neighbor Advertisement messages to verify the uniqueness of an
address. Duplicate Address Detection must be performed on unicast addresses prior to assigning
them to an interface. An address remains in a tentative state while Duplicate Address Detection is
being performed. If a tentative address is found to be a duplicate, an error message is returned
and the address is not assigned to the interface.
Use this command to change the number of Neighbor Solicitation messages that can be sent for
Duplicate Address Detection from the default value of 1. The no form of the command returns the
value to the default of 1. A value of 0 disables Duplicate Address Detection on the interface.
The show ipv6 interface command displays the current DAD attempt setting.
Example
This example changes the number of consecutive Neighbor Solicitation messages sent for DAD to
3 on this interface.
C3(su)->router(Config-if(Vlan 1))# ipv6 nd dad attempts 3
ipv6 nd ns-interval
This command configures the interval between Neighbor Solicitations sent on an interface.
Syntax
ipv6 nd ns-interval {msec | 0}
no ipv6 nd ns-interval
Parameters
msec   Sets the interval in milliseconds between retransmissions of Neighbor
       Solicitation messages on the interface. The value can range from 1000
       (one second) to 3,600,000 (one hour) milliseconds.
0      An advertised value of 0 means the interval is unspecified.
Defaults
By default, a value of 0 is advertised in RA messages.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
The NS interval is used to determine the time between retransmissions of neighbor solicitation
messages to a neighbor when resolving a unicast address (DAD) or when probing the reachability
of a neighbor. This value is also advertised in Router Advertisement (RA) messages sent on the
interface.
Use the no form of this command to set the interval to the default of 0.
Example
This example sets the NS interval to 2 seconds.
C3(su)->router(Config-if(Vlan 1))# ipv6 nd ns-interval 2000
ipv6 nd reachable-time
This command configures the length of time within which some reachability confirmation must be
received from a neighbor for the neighbor to be considered reachable.
Syntax
ipv6 nd reachable-time msec
no ipv6 nd reachable-time
Parameters
msec   The amount of time in milliseconds that a remote IPv6 node is
       considered reachable. The value can range from 0 to 4,294,967,295
       milliseconds.
       The default value is 0, which means that the time is unspecified.
Defaults
By default, a value of 0 is advertised in RA messages.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
This timer allows the C3 to detect unavailable neighbors. The shorter the time, the more quickly
unavailable neighbors are detected. Very short configured times are not recommended in normal
IPv6 operation, however, because shorter times consume more IPv6 network bandwidth and
processing resources.
This value is also included in all Router Advertisement messages sent out on the interface. By
default, a value of 0, indicating that the configured time is unspecified by this router, is sent out in
RA messages.
Use the no form of this command to reset this value to the default.
The show ipv6 interface command displays the current reachable time setting.
Example
This example sets the reachable time to 60 seconds.
C3(su)->router(Config-if(Vlan 1))# ipv6 nd reachable-time 60000
ipv6 nd other-config-flag
This command sets the other stateful configuration flag in router advertisements sent on this
interface to true.
Syntax
ipv6 nd other-config-flag
no ipv6 nd other-config-flag
Parameters
None.
Defaults
Flag is set to false by default.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
When the value of the other stateful configuration flag is true, end nodes should use stateful
autoconfiguration (DHCPv6) to obtain additional information (excluding addresses). When the
value is false, end nodes do not. Refer to RFC 2462, IPv6 Stateless Address Autoconfiguration,
for more information.
Use the no form of this command to reset the flag to false.
Example
This example sets the other stateful configuration flag to true.
C3(su)->router(Config-if(Vlan 1))# ipv6 nd other-config-flag
ipv6 nd ra-interval
This command sets the transmission interval between router advertisements.
Syntax
ipv6 nd ra-interval sec
no ipv6 nd ra-interval
Parameters
sec   Specifies the value in seconds of the router advertisement transmission
      interval. The value can range from 4 to 1800 seconds.
Defaults
600 seconds.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
The no form of this command resets the interval value to the default of 600 seconds.
Example
This example sets the router advertisement transmission interval to 120 seconds.
C3(su)->router(Config-if(Vlan 1))# ipv6 nd ra-interval 120
ipv6 nd ra-lifetime
This command sets the value, in seconds, that is placed in the Router Lifetime field of router
advertisements sent from this interface.
Syntax
ipv6 nd ra-lifetime sec | 0
no ipv6 nd ra-lifetime
Parameters
sec   Specifies the value of the Router Lifetime in seconds. The value must be
      0, or an integer between the value of the router advertisement interval
      and 9000 seconds.
      A value of 0 means that this router is not to be used as the default router.
Defaults
1800 seconds.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
The no form of this command resets the lifetime value to the default of 1800 seconds.
Example
This example sets the router advertisement lifetime value to 3600 seconds.
C3(su)->router(Config-if(Vlan 1))# ipv6 nd ra-lifetime 3600
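The following added example (not part of the original guide) checks a planned list of interface-mode commands against the value ranges documented above for ipv6 mtu and the ipv6 nd timers, including the rule that the Router Lifetime must be 0 or at least the router advertisement interval. Bounds are assumed to be inclusive, the function name check_plan is hypothetical, and the planned command lines in the usage section are constructed.

```python
import re

# Ranges as documented in this chapter; inclusive bounds are an assumption.
RANGES = {
    "mtu": (1280, 1500),
    "nd dad attempts": (0, 600),
    "nd reachable-time": (0, 4294967295),
    "nd ra-interval": (4, 1800),
    "nd ra-lifetime": (0, 9000),
}
NS_INTERVAL = (1000, 3600000)       # milliseconds, or 0 for "unspecified"
DEFAULT_RA_INTERVAL = 600           # seconds, documented default
DEFAULT_RA_LIFETIME = 1800          # seconds, documented default

COMMAND = re.compile(
    r"^ipv6 (mtu|nd dad attempts|nd ns-interval|nd reachable-time|"
    r"nd ra-interval|nd ra-lifetime) (\d+)$"
)


def check_plan(lines):
    """Return sorted (line number, code, detail) tuples for every problem found."""
    issues, seen = [], {}
    for number, raw in enumerate(lines, 1):
        # Drop an optional CLI prompt (everything up to '#') and extra spaces.
        command = " ".join(raw.split("#", 1)[-1].split())
        match = COMMAND.match(command)
        if match is None:
            issues.append((number, "unparsed", command))
            continue
        key, value = match.group(1), int(match.group(2))
        seen[key] = (number, value)
        if key == "nd ns-interval":
            low, high = NS_INTERVAL
            in_range = value == 0 or low <= value <= high
        else:
            low, high = RANGES[key]
            in_range = low <= value <= high
        if not in_range:
            issues.append((number, "range", f"{key} {value} is outside {low}-{high}"))
        elif key == "nd dad attempts" and value == 0:
            issues.append((number, "dad-disabled",
                           "0 disables Duplicate Address Detection on the interface"))

    # Cross-field rule: lifetime is 0, or not smaller than the RA interval.
    interval_line, interval = seen.get("nd ra-interval", (None, DEFAULT_RA_INTERVAL))
    lifetime_line, lifetime = seen.get("nd ra-lifetime", (None, DEFAULT_RA_LIFETIME))
    if lifetime != 0 and lifetime < interval:
        issues.append((lifetime_line or interval_line, "ra-lifetime",
                       f"lifetime {lifetime} s is shorter than RA interval {interval} s"))
    return sorted(issues)


if __name__ == "__main__":
    plan = [                                    # constructed sample plan
        "ipv6 nd ra-interval 120",
        "ipv6 nd ra-lifetime 60",
        "ipv6 nd dad attempts 0",
        "ipv6 mtu 1200",
        "ipv6 nd ns-interval 2000",
    ]
    for number, code, detail in check_plan(plan):
        print(f"line {number}: {code}: {detail}")
```

A lifetime shorter than the advertisement interval is checked against the default interval of 600 seconds when the plan does not set ipv6 nd ra-interval itself.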
ipv6 nd suppress-ra
This command suppresses router advertisement transmission on this interface.
Syntax
ipv6 nd suppress-ra
no ipv6 nd suppress-ra
Parameters
None.
Defaults
Suppression disabled.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
By default, transmission of router advertisements is enabled. This command disables such
transmissions. Use the no form of this command to re-enable transmission.
Example
This example disables router advertisement transmission.
C3(su)->router(Config-if(Vlan 1))# ipv6 nd suppress-ra
ipv6 nd prefix
This command configures the IPv6 prefixes to be included in router advertisements sent by this
interface.
Syntax
ipv6 nd prefix {ipv6-prefix/prefix-length} [{valid-lifetime | infinite}
{preferred-lifetime | infinite}] [no-autoconfig] [off-link]
no ipv6 nd prefix {ipv6-prefix/prefix-length}
Parameters
ipv6-prefix/prefix-length       The IPv6 network prefix and the prefix length being configured.
                                The prefix must be in the form documented in RFC 4291, with the
                                address specified in hexadecimal using 16-bit values between colons.
                                The prefix length is a decimal number indicating the number of
                                high-order contiguous bits of the address that comprise the network
                                portion of the address.
valid-lifetime | infinite       (Optional) Specifies the length of time in seconds (relative to the time
                                the packet is sent) that the prefix is valid for the purpose of on-link
                                determination.
                                The lifetime value can range from 0 to 4,294,967,295.
                                Specifying infinite means that the prefix is always valid.
preferred-lifetime | infinite   (Optional) Specifies the length of time in seconds (relative to the time
                                the packet is sent) that addresses generated from the prefix by means of
                                stateless address autoconfiguration remain preferred.
                                The lifetime value can range from 0 to 4,294,967,295.
                                Specifying infinite means that the prefix is always preferred.
no-autoconfig                   Unsets the autonomous address configuration flag. When not set,
                                means that this prefix cannot be used for autonomous address
                                configuration. By default, the autonomous address configuration flag is
                                set/enabled.
off-link                        Unsets the on-link flag. When not set, means that this prefix cannot be
                                used for on-link determination. By default, the on-link flag is
                                set/enabled.
Defaults
Valid-lifetime 604800
Preferred-lifetime 2592000
Autoconfig enabled
On-link enabled
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
Refer to RFC 2461, Neighbor Discovery for IP Version 6, for more information about router
advertisements.
Router advertisements contain a list of prefixes used for on-link determination and/or
autonomous address configuration. Flags associated with the prefixes specify the intended uses of
a particular prefix. Hosts use the advertised on-link prefixes to build and maintain a list that is
used in deciding when a packet's destination is on-link or beyond a router. Hosts can use the
advertised autoconfiguration prefixes to perform autonomous (stateless) address configuration, if
stateless configuration is allowed (see ipv6 nd other-config-flag).
The no form of this command removes the prefix from the list of prefixes advertised in router
advertisements by this interface.
Example
This example configures a prefix that can be used for both on-link determination and
autoconfiguration, using the default values for valid lifetime and preferred lifetime.
C3(su)->router(Config-if(Vlan 1))# ipv6 nd prefix 2001:0db8:4444:5555/64
Query Commands
For information about...       Refer to page...
show ipv6                      22-22
show ipv6 interface            22-22
show ipv6 neighbors            22-24
show ipv6 route                22-25
show ipv6 route preferences    22-27
show ipv6 route summary        22-28
show ipv6 traffic              22-29
clear ipv6 statistics          22-34
show ipv6
This command displays the status of IPv6 forwarding mode and unicast routing mode.
Syntax
show ipv6
Parameters
None.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Usage
The output of this command displays whether IPv6 forwarding mode and unicast routing mode
are enabled or disabled.
Example
This example displays information about IPv6 modes.
C3(su)->router# show ipv6
IPv6 Forwarding Mode         Enabled
IPv6 Unicast Routing Mode    Enabled
show ipv6 interface
This command displays information about one or all configured IPv6 interfaces.
Syntax
show ipv6 interface [vlan vlan-id | tunnel tunnel-id | loopback loop-id]
Parameters
Defaults
If no interface is specified, information about all IPv6 interfaces is displayed.
Mode
Router privileged execution: C3(su)->router#
Router global configuration: C3(su)->router(Config)#
Usage
Use this command to display the usability status of IPv6 interfaces.
If an IPv6 prefix is configured on an interface, the following information also displays:
The IPv6 prefix and length
The configured preferred lifetime value
The configured valid lifetime value
The status of the on-link flag, either enabled or disabled
The status of the autonomous address configuration flag (autoconfig), either enabled or disabled.
Examples
ThisexampledisplaysinformationaboutIPv6interfaceVLAN7.
C3( su) - >r out er >show i pv6 i nt er f ace vl an 7
Vl an 7 Admi ni st r at i ve Mode Enabl ed
Vl an 7 I Pv6 Rout i ng Oper at i onal Mode Enabl ed
I Pv6 i s Enabl ed
I Pv6 Pr ef i x i s FE80: : 211: 88FF: FE55: 4A7F/ 128
3FFE: 501: FFFF: 101: 211: 88FF: FE55: 4A7F/ 64
3FFD: : 211: 88FF: FE55: 4A7F/ 64
Rout i ng Mode Enabl ed
I nt er f ace Maxi mumTr ansmi t Uni t 1500
Rout er Dupl i cat e Addr ess Det ect i on Tr ansmi t s 1
Rout er Adver t i sement NS I nt er val 0
Rout er Li f et i me I nt er val 1800
Rout er Adver t i sement Reachabl e Ti me 0
Rout er Adver t i sement I nt er val 600
Rout er Adver t i sement Managed Conf i g Fl ag Enabl ed
Rout er Adver t i sement Ot her Conf i g Fl ag Enabl ed
Rout er Adver t i sement Suppr ess Fl ag Di sabl ed
ThisexampledisplaysinformationaboutIPv6interfacetunnel1.
C3( su) - >r out er >show i pv6 i nt er f ace t unnel 1
Tunnel 1 Admi ni st r at i ve Mode Enabl ed
Tunnel 1 I Pv6 Rout i ng Oper at i onal Mode Di sabl ed
Mode f or I Pv6 Tunnel I Pv6OVER4
vlanvlanid
tunneltunnelid
loopbackloopid
(Optional)Displayinformationonlyaboutthespecifiedinterface.
show ipv6 neighbors
22-24 IPv6 Configuration
Sour ce Addr ess f or I Pv6 Tunnel 192. 168. 1. 2
Dest i nat i on Addr ess f or I Pv6 Tunnel 192. 168. 8. 1
Rout i ng Mode Enabl ed
I nt er f ace Maxi mumTr ansmi t Uni t 1480
Rout er Dupl i cat e Addr ess Det ect i on Tr ansmi t s 1
Rout er Adver t i sement NS I nt er val 0
Rout er Li f et i me I nt er val 1800
Rout er Adver t i sement Reachabl e Ti me 0
Rout er Adver t i sement I nt er val 600
Rout er Adver t i sement Managed Conf i g Fl ag Di sabl ed
Rout er Adver t i sement Ot her Conf i g Fl ag Di sabl ed
Rout er Adver t i sement Suppr ess Fl ag Di sabl ed

show ipv6 neighbors
This command displays IPv6 Neighbor Cache information.
Syntax
show ipv6 neighbors
Parameters
None.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Usage
Use this command to display the contents of the Neighbor Cache.
Example
This example displays the neighbors in the cache.
C3(su)->router>show ipv6 neighbors
                                                     Neighbor  Last
IPv6 Address              MAC Address        isRtr   State     Updated  Interface
------------------------------------------------------------------------------
FE80::200:FF:FE00:A0A0    00:00:00:00:a0:a0  False   Stale     1155     Vlan 6
FE80::2D0:B7FF:FE2C:7697  00:d0:b7:2c:76:97  False   Stale     1095     Vlan 6
FE80::2D0:B7FF:FE2C:7698  00:d0:b7:2c:76:98  False   Stale     1096     Vlan 6
FE80::2D0:B7FF:FE2C:7699  00:d0:b7:2c:76:99  False   Stale     1155     Vlan 6
FE80::2D0:B7FF:FE2C:769E  00:d0:b7:2c:76:9e  False   Stale     1461     Vlan 6
FE80::2D0:B7FF:FE2C:76AA  00:d0:b7:2c:76:aa  False   Stale     1540     Vlan 6
FE80::2D0:B7FF:FE2C:76AB  00:d0:b7:2c:76:ab  False   Stale     1553     Vlan 6
FE80::2D0:B7FF:FE2C:76AC  00:d0:b7:2c:76:ac  False   Stale     1566     Vlan 6
FE80::2D0:B7FF:FE2C:76B4  00:d0:b7:2c:76:b4  False   Delay     1903     Vlan 6
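
An added example, not part of the Enterasys guide: a Python audit of a captured show ipv6 neighbors listing. It recomputes each link-local address from its MAC address (modified EUI-64, the derivation the sample rows above follow) and reports entries that do not match, MAC addresses holding several link-local addresses on one interface, and neighbors flagged as routers. The function names, finding codes and the last two sample rows are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict
from typing import NamedTuple


class Neighbor(NamedTuple):
    address: ipaddress.IPv6Address
    mac: str
    is_router: bool
    state: str
    last_updated: int
    interface: str


# One cache entry. \s+ also matches a newline, so a row whose Interface value
# has wrapped onto the next line (as a narrow terminal shows it) still parses.
ROW = re.compile(
    r"(?P<ip>[0-9A-Fa-f:]{2,39})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<rtr>True|False)\s+(?P<state>[A-Za-z]+)\s+(?P<upd>\d+)\s+"
    r"(?P<ifc>(?:Vlan|Tunnel|Loopback)\s+\d+)",
    re.IGNORECASE,
)

# Constructed sample. The first three entries are taken from the listing above;
# the last two are invented to trigger findings.
SAMPLE = """\
FE80::200:FF:FE00:A0A0 00:00:00:00:a0:a0 False Stale 1155
Vlan 6
FE80::2D0:B7FF:FE2C:7697 00:d0:b7:2c:76:97 False Stale 1095
Vlan 6
FE80::2D0:B7FF:FE2C:76B4 00:d0:b7:2c:76:b4 False Delay 1903
Vlan 6
FE80::2D0:B7FF:FE2C:76FF 00:d0:b7:2c:76:b4 False Stale 1910
Vlan 6
FE80::1 00:d0:b7:2c:76:aa True Reachable 1950
Vlan 6
"""


def parse_neighbors(text):
    """Return a Neighbor for every cache entry found in the CLI text."""
    entries = []
    for m in ROW.finditer(text):
        try:
            address = ipaddress.IPv6Address(m["ip"])
        except ValueError:
            continue  # hex-looking token that is not an IPv6 address
        entries.append(Neighbor(address, m["mac"].lower(),
                                m["rtr"].lower() == "true", m["state"],
                                int(m["upd"]), " ".join(m["ifc"].split())))
    return entries


def eui64_link_local(mac):
    """Link-local address whose interface ID is the modified EUI-64 of mac."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    octets[0] ^= 0x02  # invert the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


def audit_neighbors(text):
    """Return (code, subject) findings that deserve a manual look.

    A mismatch is a lead, not proof of spoofing: privacy and manually
    configured addresses also differ from the EUI-64 of their MAC.
    """
    findings = []
    claimed = defaultdict(set)  # (interface, MAC) -> link-local addresses
    for n in parse_neighbors(text):
        if n.is_router:
            findings.append(("ROUTER", str(n.address)))
        if n.address.is_link_local:
            claimed[(n.interface, n.mac)].add(n.address)
            if n.address != eui64_link_local(n.mac):
                findings.append(("IID_MISMATCH", str(n.address)))
    for (interface, mac), addresses in claimed.items():
        if len(addresses) > 1:
            findings.append(("MULTI_ADDRESS", mac))
    return findings


if __name__ == "__main__":
    for code, subject in audit_neighbors(SAMPLE):
        print(f"{code:14} {subject}")
```

Entries reported as ROUTER are worth comparing against the list of routers expected on that VLAN.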

Table 22-1 provides an explanation of the command output.

Table 22-1 show ipv6 neighbor Output Details

| Output Field | What It Displays... |
| --- | --- |
| IPv6 Address | The IPv6 address of the neighbor on the interface. |
| Interface | The interface on which this neighbor was discovered. |
| MAC Address | The link layer address of the neighbor. |
| isRtr | Whether the neighbor is a router. If the value is True, the neighbor is known to be a router. Otherwise, the value is False. |
| Neighbor State | State of the cache entry. Possible values are Incomplete, Reachable, Stale, Delay, Probe, and Unknown. |
| Last Updated | The system uptime when the information for the neighbor was last updated. |

show ipv6 route
This command displays the IPv6 routing table.
Syntax
show ipv6 route [{ipv6-addr [route-type] | {{ipv6-prefix/prefix-length | interface interface} [route-type] | route-type | all]
Parameters
ipv6-addr
    Specifies a specific IPv6 address for which the best-matching route should be displayed.
ipv6-prefix/prefix-length
    The IPv6 network prefix of the route to display, and the prefix length. The prefix must be in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons. The prefix length is a decimal number indicating the number of high-order contiguous bits of the address that comprise the network portion of the address.
interface interface
    Specifies that the routes with next-hops on this interface should be displayed. Interface can be of the form:
    vlan vlan-id
    tunnel tunnel-id
    loopback loop-id
route-type
    Specifies the route type as one of the following:
    connected
    static
    ospf
all
    Specifies that all routes should be displayed.
Defaults
If no parameters are entered, information about all active IPv6 routes is displayed.
Mode
Router privileged execution: C3(su)->router#
Router user execution: C3(su)->router>
Usage
Use this command to display IPv6 routing table information for active routes.
Example
This example displays all active IPv6 routes.
C3(su)->router>show ipv6 route
IPv6 Routing Table - 5 entries
Codes: C - connected, S - static
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF Ext 1, OE2 - OSPF Ext 2
       ON1 - OSPF NSSA Ext Type 1, ON2 - OSPF NSSA Ext Type 2
S    ::/0 [1/0]
     via FE80::2D0:B7FF:FE2C:7694, Vlan 6
C    3FFE:501:FFFF:100::/64 [0/0]
     via ::, Vlan 6
C    3FFE:501:FFFF:101::/64 [0/0]
     via ::, Vlan 7
C    3FFE:501:FFFF:108::/64 [0/0]
     via ::, Vlan 6
S    3FFE:501:FFFF:109::/64 [1/0]
     via 3FFE:501:FFFF:100:200:FF:FE00:A1A1, Vlan 6
     via FE80::200:FF:FE00:A1A1, Vlan 6
Table 22-2 provides an explanation of the command output.

Table 22-2 show ipv6 route Output Details

| Output Field | What It Displays... |
| --- | --- |
| Codes: | Key for the routing protocol codes that might appear in the Codes column of the routing table output. |
| Codes column | The code for the routing protocol that created this routing entry. |
| IPv6 prefix/prefix-length | The IPv6 prefix and prefix length of the destination IPv6 network corresponding to this route. |
| [Preference/Metric] | The administrative distance (preference) and cost (metric) associated with this route. |
| Tag | The decimal value of the tag associated with a redistributed route, if it is not 0. |
| via Next-hop | The outgoing router IPv6 address to use when forwarding traffic to the next router, if any, in the path toward the destination. |
| Interface | The outgoing router interface to use when forwarding traffic to the next destination. |

show ipv6 route preferences
This command shows the preference value associated with the type of route.
Syntax
show ipv6 route preferences
Parameters
None.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Router user execution: C3(su)->router>
Usage
Lower numbers have a greater preference. A route with a preference of 255 cannot be used to forward traffic.
The default preference value for static routes can be set with the ipv6 route distance command. The distance for a specific static route can be set with the ipv6 route command.
Example
The following example shows the output of this command.
C3(su)->router#show ipv6 route preferences
Local               0
Static              1
OSPF Intra          8
OSPF Inter          10
OSPF Ext T1         13
OSPF Ext T2         150
OSPF NSSA T1        14
OSPF NSSA T2        151
Table 22-3 provides an explanation of the command output.
Note: The configuration of NSSA preferences is not supported in this release.

Table 22-3 show ipv6 route preferences Output Details

| Output Field | What It Displays... |
| --- | --- |
| Local | Preference of directly-connected routes. |
| Static | Preference of static routes. |
| OSPF Intra | Preference of routes within the OSPF area. |
| OSPF Inter | Preference of routes to other OSPF routes that are outside of the area. |
| OSPF Ext T1 | Preference of OSPF Type-1 external routes. |
| OSPF Ext T2 | Preference of OSPF Type-2 external routes. |
| OSPF NSSA T1 | Preference of OSPF NSSA Type 1 routes. |
| OSPF NSSA T2 | Preference of OSPF NSSA Type 2 routes. |

show ipv6 route summary
This command displays the summary of the routing table.
Syntax
show ipv6 route summary [all]
Parameters
all
    (Optional) Display the count summary for all routes, including best and non-best routes.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Router user execution: C3(su)->router>
Usage
Use the command without parameters to display the count summary for only the best routes. Use all to display the count summary for all routes, including best and non-best routes.
Example
This example illustrates the summary information displayed by this command.
C3(su)->router>show ipv6 route summary all
IPv6 Routing Table Summary - 6 entries
Connected Routes            3
Static Routes               3
OSPF Routes                 0
Intra Area Routes           0
Inter Area Routes           0
External Type-1 Routes      0
External Type-2 Routes      0
Total routes                6
Number of Prefixes:
/0: 1, /64: 5
Table 22-4 provides an explanation of the command output.

Table 22-4 show ipv6 summary Output Details

| Output Field | What It Displays... |
| --- | --- |
| Connected Routes | Total number of connected routes in the routing table. |
| Static Routes | Total number of static routes in the routing table. |
| OSPF Routes | Total number of routes installed by OSPFv3 protocol. |
| Number of Prefixes | Summarizes the number of routes with prefixes of different lengths. |
| Total Routes | Total number of routes in the routing table. |

show ipv6 traffic
Use this command to show traffic and statistics for IPv6 and ICMPv6.
Syntax
show ipv6 traffic [interface]
Parameters
interface
    (Optional) Specifies the interface for which traffic information should be displayed. Interface can be of the form:
    vlan vlan-id
    tunnel tunnel-id
    loopback loop-id
Defaults
If no interface is specified, information about traffic on all interfaces is displayed.
Mode
Router privileged execution: C3(su)->router#
Usage
Specify a logical, loopback, or tunnel interface to view information about traffic on a specific interface. If you do not specify an interface, the command displays information about traffic on all interfaces.
Example
The following example displays the output of this command.
C3(su)->router>show ipv6 traffic
IPv6 STATISTICS
Total Datagrams Received.................................. 116
Received Datagrams Locally Delivered...................... 116
Received Datagrams Discarded Due To Header Errors......... 0
Received Datagrams Discarded Due To MTU................... 0
Received Datagrams Discarded Due To No Route.............. 0
Received Datagrams With Unknown Protocol.................. 0
Received Datagrams Discarded Due To Invalid Address....... 0
Received Datagrams Discarded Due To Truncated Data........ 0
Received Datagrams Discarded Other........................ 0
Received Datagrams Reassembly Required.................... 0
Datagrams Successfully Reassembled........................ 0
Datagrams Failed To Reassemble............................ 0
Datagrams Forwarded....................................... 0
Datagrams Locally Transmitted............................. 876
Datagrams Transmit Failed................................. 0
Datagrams Successfully Fragmented......................... 0
Datagrams Failed To Fragment.............................. 0
Fragments Created......................................... 0
Multicast Datagrams Received.............................. 17
Multicast Datagrams Transmitted........................... 547
ICMPv6 STATISTICS
Total ICMPv6 Messages Received............................ 116
ICMPv6 Messages With Errors Received...................... 4
ICMPv6 Destination Unreachable Messages Received.......... 0
ICMPv6 Messages Prohibited Administratively Received...... 0
ICMPv6 Time Exceeded Messages Received.................... 0
ICMPv6 Parameter Problem Messages Received................ 0
ICMPv6 Packet Too Big Messages Received................... 0
ICMPv6 Echo Request Messages Received..................... 52
ICMPv6 Echo Reply Messages Received....................... 0
ICMPv6 Router Solicit Messages Received................... 0
ICMPv6 Router Advertisement Messages Received............. 5
ICMPv6 Neighbor Solicit Messages Received................. 31
ICMPv6 Neighbor Advertisement Messages Received........... 28
ICMPv6 Redirect Messages Received......................... 0
ICMPv6 Group Membership Query Messages Received........... 0
ICMPv6 Group Membership Response Messages Received........ 0
ICMPv6 Group Membership Reduction Messages Received....... 0
Total ICMPv6 Messages Transmitted......................... 876
ICMPv6 Messages Not Transmitted Due To Error.............. 0
ICMPv6 Destination Unreachable Messages Transmitted....... 0
ICMPv6 Messages Prohibited Administratively Transmitted... 0
ICMPv6 Time Exceeded Messages Transmitted................. 0
ICMPv6 Parameter Problem Messages Transmitted............. 0
ICMPv6 Packet Too Big Messages Transmitted................ 0
ICMPv6 Echo Request Messages Transmitted.................. 157
ICMPv6 Echo Reply Messages Transmitted.................... 52
ICMPv6 Router Solicit Messages Transmitted................ 0
ICMPv6 Router Advertisement Messages Transmitted.......... 7
ICMPv6 Neighbor Solicit Messages Transmitted.............. 625
ICMPv6 Neighbor Advertisement Messages Transmitted........ 27
ICMPv6 Redirect Messages Transmitted...................... 0
ICMPv6 Group Membership Query Messages Transmitted........ 0
ICMPv6 Group Membership Response Messages Transmitted..... 8
ICMPv6 Group Membership Reduction Messages Transmitted.... 0
ICMPv6 Duplicate Address Detects.......................... 0
Table 22-5 provides an explanation of the command output.

Table 22-5 show ipv6 traffic Output Details

| Output Field | What It Displays... |
| --- | --- |
| Total Datagrams Received | Total number of input datagrams received by the interface, including those received in error. |
| Received Datagrams Locally Delivered | Total number of datagrams successfully delivered to IPv6 user-protocols (including ICMP). This counter increments at the interface to which these datagrams were addressed, which might not necessarily be the input interface for some of the datagrams. |
| Received Datagrams Discarded Due To Header Errors | Number of input datagrams discarded due to errors in their IPv6 headers, including version number mismatch, other format errors, hop count exceeded, errors discovered in processing their IPv6 options, etc. |
| Received Datagrams Discarded Due To MTU | Number of input datagrams that could not be forwarded because their size exceeded the link MTU of the outgoing interface. |
| Received Datagrams Discarded Due To No Route | Number of input datagrams discarded because no route could be found to transmit them to their destination. |
| Received Datagrams With Unknown Protocol | Number of locally-addressed datagrams received successfully but discarded because of an unknown or unsupported protocol. This counter increments at the interface to which these datagrams were addressed, which might not necessarily be the input interface for some of the datagrams. |
| Received Datagrams Discarded Due To Invalid Address | Number of input datagrams discarded because the IPv6 address in their IPv6 header's destination field was not a valid address to be received at this entity. This count includes invalid addresses (for example, ::0) and unsupported addresses (for example, addresses with unallocated prefixes). For entities which are not IPv6 routers and therefore do not forward datagrams, this counter includes datagrams discarded because the destination address was not a local address. |
| Received Datagrams Discarded Due To Truncated Data | Number of input datagrams discarded because the datagram frame didn't carry enough data. |
| Received Datagrams Discarded Other | Number of input IPv6 datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (e.g., for lack of buffer space). Note that this counter does not include datagrams discarded while awaiting re-assembly. |
| Received Datagrams Reassembly Required | Number of IPv6 fragments received which needed to be reassembled at this interface. Note that this counter increments at the interface to which these fragments were addressed, which might not necessarily be the input interface for some of the fragments. |
| Datagrams Successfully Reassembled | Number of IPv6 datagrams successfully reassembled. Note that this counter increments at the interface to which these datagrams were addressed, which might not necessarily be the input interface for some of the fragments. |
| Datagrams Failed To Reassemble | Number of failures detected by the IPv6 reassembly algorithm (for whatever reason: timed out, errors, etc.). Note that this is not necessarily a count of discarded IPv6 fragments since some algorithms (notably the algorithm in by combining them as they are received. This counter increments at the interface to which these fragments were addressed, which might not necessarily be the input interface for some of the fragments. |
| Datagrams Forwarded | Number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful. Note that for a successfully forwarded datagram the counter of the outgoing interface increments. |
| Datagrams Locally Transmitted | Total number of IPv6 datagrams which local IPv6 user protocols (including ICMP) supplied to IPv6 in requests for transmission. Note that this counter does not include any datagrams counted in ipv6IfStatsOutForwDatagrams. |
| Datagrams Transmit Failed | Number of output IPv6 datagrams for which no problem was encountered to prevent their transmission to their destination, but which were discarded (e.g., for lack of buffer space). Note that this counter would include datagrams counted in ipv6IfStatsOutForwDatagrams if any such packets met this (discretionary) discard criterion. |
| Datagrams Successfully Fragmented | Number of IPv6 datagrams that have been successfully fragmented at this output interface. |
| Datagrams Failed To Fragment | Number of IPv6 datagrams that have been discarded because they needed to be fragmented at this output interface but could not be. |
| Fragments Created | Number of output datagram fragments that have been generated as a result of fragmentation at this output interface. |
| Multicast Datagrams Received | Number of multicast packets received by the interface. |
| Multicast Datagrams Transmitted | Number of multicast packets transmitted by the interface. |
| Total ICMPv6 Messages Received | Total number of ICMP messages received by the interface which includes all those counted by ipv6IfIcmpInErrors. Note that this interface is the interface to which the ICMP messages were addressed which may not necessarily be the input interface for the messages. |
| ICMPv6 Messages with Errors Received | Number of ICMP messages which the interface received but determined as having ICMP-specific errors (bad ICMP checksums, bad length, etc.). |
| ICMPv6 Destination Unreachable Messages Received | Number of ICMP Destination Unreachable messages received by the interface. |
| ICMPv6 Messages Prohibited Administratively Received | Number of ICMP destination unreachable/communication administratively prohibited messages received by the interface. |
| ICMPv6 Time Exceeded Messages Received | Number of ICMP Time Exceeded messages received by the interface. |
| ICMPv6 Parameter Problem Messages Received | Number of ICMP Parameter Problem messages received by the interface. |
| ICMPv6 Packets Too Big Messages Received | Number of ICMP Packet Too Big messages received by the interface. |
| ICMPv6 Echo Request Messages Received | Number of ICMP Echo (request) messages received by the interface. |
| ICMPv6 Echo Reply Messages Received | Number of ICMP Echo Reply messages received by the interface. |
| ICMPv6 Router Solicit Messages Received | Number of ICMP Router Solicit messages received by the interface. |
| ICMPv6 Router Advertisement Messages Received | Number of ICMP Router Advertisement messages received by the interface. |
| ICMPv6 Neighbor Solicit Messages Received | Number of ICMP Neighbor Solicit messages received by the interface. |
| ICMPv6 Neighbor Advertisement Messages Received | Number of ICMP Neighbor Advertisement messages received by the interface. |
| ICMPv6 Redirect Messages Received | Number of Redirect messages received by the interface. |
| ICMPv6 Group Membership Query Messages Received | Number of ICMPv6 Group Membership Query messages received. |
| ICMPv6 Group Membership Response Messages Received | Number of ICMPv6 Group Membership Response messages received. |
| ICMPv6 Group Membership Reduction Messages Received | Number of ICMPv6 Group Membership Reduction messages received. |
| Total ICMPv6 Messages Transmitted | Total number of ICMP messages which this interface attempted to send. Note that this counter includes all those counted by icmpOutErrors. |
| ICMPv6 Messages Not Transmitted Due To Error | Number of ICMP messages which this interface did not send due to problems discovered within ICMP such as a lack of buffers. This value should not include errors discovered outside the ICMP layer such as the inability of IPv6 to route the resultant datagram. In some implementations there may be no types of error which contribute to this counter's value. |
| ICMPv6 Destination Unreachable Messages Transmitted | Number of ICMP Destination Unreachable messages sent by the interface. |
| ICMPv6 Messages Prohibited Administratively Transmitted | Number of ICMP destination unreachable/communication administratively prohibited messages sent. |
| ICMPv6 Time Exceeded Messages Transmitted | Number of ICMP Time Exceeded messages sent by the interface. |
| ICMPv6 Parameter Problem Messages Transmitted | Number of ICMP Parameter Problem messages sent by the interface. |
| ICMPv6 Packet Too Big Messages Transmitted | Number of ICMP Packet Too Big messages sent by the interface. |
| ICMPv6 Echo Request Messages Transmitted | Number of ICMP Echo (request) messages sent by the interface. |
| ICMPv6 Echo Reply Messages Transmitted | Number of ICMP Echo Reply messages sent by the interface. |
| ICMPv6 Router Solicit Messages Transmitted | Number of ICMP Router Solicitation messages sent by the interface. |
| ICMPv6 Router Advertisement Messages Transmitted | Number of ICMP Router Advertisement messages sent by the interface. |
| ICMPv6 Neighbor Solicit Messages Transmitted | Number of ICMP Neighbor Solicitation messages sent by the interface. |
| ICMPv6 Neighbor Advertisement Messages Transmitted | Number of ICMP Neighbor Advertisement messages sent by the interface. |
| ICMPv6 Redirect Messages Transmitted | Number of Redirect messages sent. For a host, this object will always be zero, since hosts do not send redirects. |
| ICMPv6 Group Membership Query Messages Transmitted | Number of ICMPv6 Group Membership Query messages sent. |
| ICMPv6 Group Membership Response Messages Transmitted | Number of ICMPv6 Group Membership Response messages sent. |
| ICMPv6 Group Membership Reduction Messages Transmitted | Number of ICMPv6 Group Membership Reduction messages sent. |
| ICMPv6 Duplicate Address Detects | Number of duplicate addresses detected by the interface. |

clear ipv6 statistics
This command clears IPv6 statistics for all interfaces or a specific interface.
Syntax
clear ipv6 statistics [interface]
Parameters
interface
    (Optional) Specifies the interface for which statistics should be cleared. Interface can be of the form:
    vlan vlan-id
    tunnel tunnel-id
    loopback loop-id
Defaults
If no interface is specified, statistics are cleared (reset to 0) for all interfaces.
Mode
Router privileged execution: C3(su)->router#
Usage
IPv6 statistics are displayed with the show ipv6 traffic command. If no interface is specified, the counters for all IPv6 traffic statistics are reset to zero when this command is executed.
Example
This example clears the statistics for VLAN 6.
C3(su)->router# clear ipv6 statistics vlan 6
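
An added example, not part of the Enterasys guide: the show ipv6 traffic counters are cumulative until clear ipv6 statistics resets them, so a defender compares two captures rather than reading absolute values. The Python code below parses the dotted-leader listing and reports which watched counters rose between captures, treating a lower value as a reset. The watch list, its notes, the function names and the second capture are assumptions of this example.

```python
import re

# Counters worth a second look when they rise on a routed interface.
# The selection and notes are this example's assumptions.
WATCHED = {
    "icmpv6 router advertisement messages received":
        "another node is sending RAs on a segment this router serves",
    "icmpv6 redirect messages received":
        "a neighbor advised a different first hop",
    "icmpv6 duplicate address detects":
        "duplicate address detection found an address already in use",
    "icmpv6 messages with errors received":
        "malformed ICMPv6 (bad checksum or length)",
    "datagrams failed to reassemble":
        "fragments that never completed a datagram",
    "received datagrams discarded due to header errors":
        "malformed IPv6 headers or options",
}

# "<label>.......... <value>": label, a run of leader dots, decimal value.
COUNTER = re.compile(r"^\s*(?P<name>[A-Za-z].*?)\s*\.{2,}\s*(?P<value>\d+)\s*$")

# First capture: lines and values copied from the example listing above.
BEFORE = """\
ICMPv6 STATISTICS
Total ICMPv6 Messages Received............................ 116
ICMPv6 Messages With Errors Received...................... 4
ICMPv6 Router Advertisement Messages Received............. 5
ICMPv6 Redirect Messages Received......................... 0
ICMPv6 Duplicate Address Detects.......................... 0
"""

# Second capture: constructed for this example.
AFTER = """\
ICMPv6 STATISTICS
Total ICMPv6 Messages Received............................ 240
ICMPv6 Messages With Errors Received...................... 4
ICMPv6 Router Advertisement Messages Received............. 9
ICMPv6 Redirect Messages Received......................... 0
ICMPv6 Duplicate Address Detects.......................... 1
"""


def parse_counters(text):
    """Map each counter label (lower case, single spaces) to its value."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            counters[" ".join(m["name"].lower().split())] = int(m["value"])
    return counters


def watched_deltas(before, after):
    """Return {label: increase} for watched counters that rose."""
    old, new = parse_counters(before), parse_counters(after)
    deltas = {}
    for name in WATCHED:
        if name not in new:
            continue
        previous, current = old.get(name, 0), new[name]
        # A lower value means the counters were reset in between
        # (clear ipv6 statistics or a restart): count from zero.
        rise = current - previous if current >= previous else current
        if rise > 0:
            deltas[name] = rise
    return deltas


def report(before, after):
    """One readable line per watched counter that rose."""
    return [f"{name}: +{rise} ({WATCHED[name]})"
            for name, rise in watched_deltas(before, after).items()]


if __name__ == "__main__":
    print("\n".join(report(BEFORE, AFTER)))
```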

23 IPv6 Proxy Routing
This chapter describes the commands used to enable IPv6 proxy routing and the suggested procedure to configure a mixed C2 and C3 stack to use IPv6 proxy routing.
Topics in this chapter:
- Overview
- Preparing a Mixed Stack for IPv6 Proxy Routing
- Commands

Overview
IPv6 proxy routing allows a mixed C2/C3 stack to support some IPv6 routing functionality. When IPv6 proxy routing is enabled, all the switches in the stack can support IPv6 unicast routing and IPv6 tunneling. You can configure port-based and VLAN-based IPv6 routing interfaces on any C2 or C3 stack unit. There is no change in existing IPv4 routing capabilities.
Since this is a function that exists only in a mixed stack, it is implemented only in the C2 firmware, release 5.01 and later. For IPv6 proxy routing to exist in the stack, a C3 unit must run as the manager of the stack. To facilitate this, the stack manager preference of C3 units should be set to a higher value than C2 units. If a C3 unit is added to an all-C2 stack, you must move the manager to a C3 unit to use this feature.
Multiple C3 units can exist in the mixed stack. All the C3 units in the mixed stack will independently perform hardware IPv6 routing/tunneling. The manager C3 unit will transparently do the hardware IPv6 routing/tunneling for all the C2 units.
When IPv6 proxy routing is enabled, the C2 being configured for routing/tunneling (called the proxy client) is configured to redirect the routed IPv6/tunneling packets to one of the stacking ports of the C3 stack manager (called the proxy server). The C2 is only configured if the proxy feature is already enabled on the stack. It should be noted that only IPv6 packets with a destination MAC of the router MAC of the system are redirected to the proxy server.
On the proxy server, all incoming packets to the stacking ports with a destination of one of the stacking ports will be processed through L2 and L3 switching logic. If the destination port is not one of the stacking ports (not an IPv6 packet), then the incoming packet is forwarded based on header information.
This feature is disabled by default.
In order to use the OSPF, PIM-SM, DVMRP, or VRRP protocols, you must have purchased and installed the C2 advanced routing license.
Limitations
- Proxy routing will use up to two masks in the fast forwarding processor associated with each port involved in routing of IPv6 packets. This will require restrictions on the use of policy when proxy routing is enabled.
- All IPv6 packets ingressing or egressing a C2 port must be sent over the stack to the C3 stack master. Limited stack bandwidth and the amount of IPv6 traffic must be carefully considered when configuring multiple C2 ports for IPv6 routing.
- If the stack master moves from a C3 unit to a C2 unit in the stack, proxy routing will no longer be available. To ensure that proxy routing continues to operate in the event of a failover, C3 units must be configured to be preferred when a new master is elected.

Preparing a Mixed Stack for IPv6 Proxy Routing
At least two C3 switches should be added to a C2 stack, for management redundancy.
As in any mixed C2/C3 stack, the C2 firmware (release 5.01 or later) must be installed on the C3 switches. Refer to "Issues Related to Mixed Type Stacks" for additional information.
If you are adding the C3 switches to an existing C2 stack, make one of the C3 switches the stack manager. For example, if the current stack manager is unit 1 and the C3 switch that you want to become manager is unit 7:
C2(su)->set switch movemanagement 1 7
Moving stack management will unconfigure entire stack including all interfaces.
Are you sure you want to move stack management? (y/n) y
Set the management priority of the C3 switches to be higher than that of the C2 switches. For example, if your C3 switches are units 7 and 8, and you want the unit 7 C3 switch to always become the manager and the unit 8 C3 switch to be the backup manager:
C2(su)->set switch 7 priority 15
C2(su)->set switch 8 priority 13
Use the show switch unit command to display switch priority (Admin Management Preference).
C2(su)->show switch 7
Switch                          7
Management Status               Management Switch
Hardware Management Preference  Unassigned
Admin Management Preference     15
Switch Type                     C3G124-48
Preconfigured Model Identifier  C3G124-48
Plugged-in Model Identifier     C3G124-48
Switch Status                   OK
Switch Family                   XGS3
Switch Description
Detected Code Version           05.02.00.0031
Detected Code in Flash          05.02.00.0031
Detected Code in Back Image     05.01.06.0006
Up Time                         0 days 0 hrs 13 mins 9 secs

Commands
Commands described in this section:
- ipv6 proxy-routing
- show ipv6 proxy-routing

ipv6 proxy-routing
Use this command to enable or disable IPv6 proxy routing on a mixed C2/C3 stack.
Syntax
ipv6 proxy-routing
no ipv6 proxy-routing
Parameters
None.
Defaults
IPv6 proxy routing is disabled by default.
Mode
Router global configuration: C2(su)->router(Config)#
Usage
IPv6 proxy routing is disabled by default. It must be enabled with this command before the C2 switches in the stack will start redirecting routed IPv6/tunneling packets to the C3 proxy server.
Use the no form of this command to disable IPv6 proxy routing.
Example
This example enables IPv6 proxy routing.
c2(su)->router
c2(su)->router>enable
c2(su)->router#config
Enter configuration commands:
c2(su)->router(Config)#ipv6 proxy-routing

show ipv6 proxy-routing
Use this command to display the status of IPv6 proxy routing.
Syntax
show ipv6 proxy-routing
Parameters
None.
Defaults
None.
Mode
Any routing mode.
Example
This example shows the output of this command when IPv6 proxy routing is disabled.
c2(su)->router(Config)#show ipv6 proxy-routing
IPv6 Proxy Routing Mode................................... Disable
24
DHCPv6 Configuration
* IPv6 Routing License Required *
IPv6 routing must be enabled with a license key in order to use this feature. If you have purchased an IPv6
routing license key, and have enabled routing on the device, you must activate your license as described in
the chapter entitled Activating Licensed Features in order to enable the DHCPv6 configuration command
set. If you wish to purchase an IPv6 routing license, contact Enterasys Networks Sales.
The commands described in this chapter perform configuration of the Dynamic Host
Configuration Protocol for IPv6 (DHCPv6) on the SecureStack C3.
For information about...                 Refer to page...
Global Configuration Commands            24-2
Address Pool Configuration Commands      24-6
Interface Configuration Commands         24-10
DHCPv6 Show Commands                     24-13
Overview
DHCP is generally used between clients (for example, hosts) and servers (for example, routers) for
the purpose of assigning IP addresses, gateways, and other networking definitions such as DNS,
NTP, and/or SIP parameters. However, IPv6 natively provides for autoconfiguration of IP
addresses through the IPv6 Neighbor Discovery Protocol (NDP) and the use of Router
Advertisement messages. Thus, the role of DHCPv6 within the network is different from DHCPv4
in that it is less relied upon for IP address assignment.
DHCPv6 server and client interactions are described by RFC 3315. There are many similarities
between DHCPv6 and DHCPv4 interactions and options, but the messages and option definitions
are sufficiently different. There is no migration or interoperability from DHCPv4 to DHCPv6.
DHCPv6 incorporates the notion of the stateless server, where DHCPv6 is not used for IP address
assignment to a client. Instead, it only provides other networking information such as DNS, NTP,
and/or SIP information. The stateless server behavior is described by RFC 3736, which simply
contains descriptions of the portions of RFC 3315 that are necessary for stateless server behavior.
In order for a router to drive a DHCPv6 client to utilize stateless DHCPv6, the other stateful
configuration option must be configured for neighbor discovery on the corresponding IPv6
router interface. This in turn causes DHCPv6 clients to send the DHCPv6 Information-Request
message in response. A DHCPv6 server then responds by providing only networking definitions
such as DNS domain name and server definitions, NTP server definitions, and/or SIP definitions.
RFC 3315 also describes DHCPv6 Relay Agent interactions, which are very much like DHCPv4
Relay Agent. RFC 3046 describes the DHCPv6 Relay Agent Information Option, which employs
very similar capabilities as those described by DHCPv4 Relay Agent Option in RFC 2132.
With the larger address space inherent to IPv6, addresses within a network can be allocated more
effectively in a hierarchical fashion. DHCPv6 introduces the notion of prefix delegation as
described in RFC 3633 as a way for routers to centralize and delegate IP address assignment.
Default Conditions
The following table lists the default DHCPv6 conditions.
Condition                                                 Default Value
IPv6 DHCP                                                 Disabled
IPv6 DHCP Relay Agent Information Option                  32
IPv6 DHCP Relay Agent Information Remote ID Sub-option    1
IPv6 DHCP Preferred Lifetime                              2592000 seconds
IPv6 DHCP Valid Lifetime                                  604800 seconds
Global Configuration Commands
Purpose
These router global configuration mode commands are used to enable DHCPv6 on the router,
configure relay agent global parameters, and enter DHCP pool configuration mode.
Commands
For information about...                         Refer to page...
ipv6 dhcp enable                                 24-2
ipv6 dhcp relay-agent-info-opt                   24-3
ipv6 dhcp relay-agent-info-remote-id-subopt      24-4
ipv6 dhcp pool                                   24-4
ipv6 dhcp enable
This command enables DHCPv6 on the router.
Syntax
ipv6 dhcp enable
no ipv6 dhcp enable
Parameters
None.
Defaults
By default, DHCPv6 is disabled.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
Use this command to enable DHCPv6 on the router. Use the no form of this command to disable
DHCPv6 after it has been enabled.
Example
This example enables DHCPv6.
C3(su)->router(Config)# ipv6 dhcp enable
ipv6 dhcp relay-agent-info-opt
This command configures a number to represent the DHCPv6 Relay Agent Information Option.
Syntax
ipv6 dhcp relay-agent-info-opt option
Parameters
option      The value of option may range from 32 to 65535. The default value is 32.
Defaults
The default value of the DHCPv6 Relay Agent Information Option is 32.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
The DHCPv6 Relay Agent Information Option allows for various sub-options to be attached to
messages that are being relayed by the local router to a relay server. The relay server may in turn
use this information in determining an address to assign to a DHCPv6 client. Refer to RFC 3046 for
more information.
Example
This example sets the Relay Agent Information Option value to 82.
C3(su)->router(Config)# ipv6 dhcp relay-agent-info-opt 82
ipv6 dhcp relay-agent-info-remote-id-subopt
This command configures a number to represent the DHCPv6 Relay Agent Remote-ID sub-option.
Syntax
ipv6 dhcp relay-agent-info-remote-id-subopt option
Parameters
option      The value of option may range from 1 to 65535. The default value is 1.
Defaults
The default value of the DHCPv6 Relay Agent Remote-ID sub-option is 1.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
This sub-option may be added by DHCP relay agents which terminate switched or permanent
circuits and have mechanisms to identify the remote host end of the circuit. Refer to RFC 3046 for
more information.
Example
This example sets the Relay Agent Remote-ID sub-option value to 2.
C3(su)->router(Config)# ipv6 dhcp relay-agent-info-remote-id-subopt 2
ipv6 dhcp pool
This command allows you to enter IPv6 DHCP pool configuration mode for the specified pool
name.
Syntax
ipv6 dhcp pool pool-name
no ipv6 dhcp pool pool-name
Parameters
pool-name   Specifies the name of the pool to be configured. Pool names must be less
            than 31 alphanumeric characters.
Defaults
None.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
DHCPv6 pools are used to specify information for the DHCPv6 server to distribute to DHCPv6
clients. These pools are shared between multiple interfaces over which DHCPv6 server
capabilities are configured.
After executing this command and entering pool configuration mode, you can return to global
configuration mode by executing the exit command. Pool configuration commands are described
in the section Address Pool Configuration Commands on page 24-6.
Use the no form of this command to remove a specified pool.
Example
This example enters DHCP pool configuration mode to configure the pool named PoolA.
C3(su)->router(Config)# ipv6 dhcp pool PoolA
C3(su)->router(Config-dhcp6s-pool)#
Address Pool Configuration Commands
Purpose
These DHCP pool configuration mode commands are used to configure address pool parameters.
This information is provided to DHCP clients by the DHCP server.
Commands
For information about...      Refer to page...
domain-name                   24-6
dns-server                    24-7
prefix-delegation             24-7
exit                          24-8
domain-name
This command sets the DNS domain name which is provided to DHCPv6 clients by the DHCPv6
server.
Syntax
domain-name name
no domain-name name
Parameters
name        Specifies the DNS domain name for the pool being configured. The
            name can consist of no more than 31 alphanumeric characters.
Defaults
None.
Mode
Router DHCPv6 pool configuration mode: C3(su)->router(Config-dhcp6s-pool)#
Usage
A DNS domain name is configured for stateless server support. A DHCPv6 pool can have up to 8
domain names configured for it.
The no form of this command will remove the domain name from the DHCPv6 pool being
configured.
Example
This example specifies the domain name enterasys.com for the pool named PoolA.
C3(su)->router(Config)# ipv6 dhcp pool PoolA
C3(su)->router(Config-dhcp6s-pool)# domain-name enterasys.com
dns-server
This command sets the IPv6 DNS server address which is provided to DHCPv6 clients by the
DHCPv6 server.
Syntax
dns-server server-address
no dns-server server-address
Parameters
server-address   The IPv6 address of the DNS server.
                 This parameter must be in the form documented in RFC 4291, with the
                 address specified in hexadecimal using 16-bit values between colons.
Defaults
None.
Mode
Router DHCPv6 pool configuration mode: C3(su)->router(Config-dhcp6s-pool)#
Usage
A DNS server address is configured for stateless server support. A DHCPv6 pool can have up to 8
DNS server addresses configured for it.
The no form of this command will remove the DHCPv6 server address from the DHCPv6 pool
being configured.
Example
This example configures a DNS server address for the pool named PoolA.
C3(su)->router(Config)# ipv6 dhcp pool PoolA
C3(su)->router(Config-dhcp6s-pool)# dns-server 2001:0db8:1234:5678::A
prefix-delegation
This command configures a numeric prefix to be delegated to a specified prefix delegation client.
Syntax
prefix-delegation prefix/prefix-length DUID [name hostname] [valid-lifetime {secs
| infinite}] [preferred-lifetime {secs | infinite}]
no prefix-delegation prefix/prefix-length DUID
Parameters
prefix/prefix-length      This prefix must be in the form documented in RFC 4291, with the
                          address specified in hexadecimal using 16-bit values between colons.
                          The value of prefix-length is a decimal number indicating the number of
                          high-order contiguous bits of the address that comprise the prefix.
DUID                      The DHCP Unique Identifier (DUID) of the prefix delegation client, as
                          described in RFC 3315.
name hostname             (Optional) The name of the prefix delegation client, consisting of up to
                          31 alphanumeric characters. This name is used for logging and/or
                          tracing only.
valid-lifetime secs |     (Optional) The valid lifetime of the prefix, specified as seconds or as
infinite                  infinite. The value of secs can range from 0 to 4294967295.
preferred-lifetime        (Optional) The preferred lifetime of the prefix, specified as seconds or as
secs | infinite           infinite. The value of secs can range from 0 to 4294967295.
Defaults
Default value of valid lifetime of prefix: 604,800
Default value of preferred lifetime of prefix: 2,592,000
Mode
Router DHCPv6 pool configuration mode: C3(su)->router(Config-dhcp6s-pool)#
Usage
Use this command to manually configure an IPv6 address prefix to be delegated to a specific
client, identified by their DHCP unique identifier. Refer to RFC 3633, IPv6 Prefix Options for
Dynamic Host Configuration Protocol (DHCP) version 6, for more information about prefix
delegation.
Use the no form of this command to remove a configured prefix.
Example
This example configures a prefix to be delegated to the prefix delegation client identified by the
DUID 00:02:00:00:00:11:0A:C0:89:D3:03:00:09:AA. The default lifetime values are used.
C3(su)->router(Config)# ipv6 dhcp pool PoolA
C3(su)->router(Config-dhcp6s-pool)# prefix-delegation 2001:0db8:10::/48
00:02:00:00:00:11:0A:C0:89:D3:03:00:09:AA
exit
This command exits from DHCPv6 pool configuration mode and returns to global configuration
mode.
Syntax
exit
Parameters
None.
Defaults
None.
Mode
Router DHCPv6 pool configuration mode: C3(su)->router(Config-dhcp6s-pool)#
Example
This example illustrates how to exit DHCPv6 pool configuration mode.
C3(su)->router(Config-dhcp6s-pool)# exit
C3(su)->router(Config)#
Interface Configuration Commands
Purpose
These commands are used to configure an interface as either a DHCPv6 server or a DHCPv6 relay
agent.
Commands
For information about...      Refer to page...
ipv6 dhcp server              24-10
ipv6 dhcp relay               24-11
ipv6 dhcp server
This command configures DHCPv6 server functionality on an interface.
Syntax
ipv6 dhcp server pool-name [rapid-commit] [preference pref]
no ipv6 dhcp server pool-name
Parameters
pool-name            Specifies the pool containing stateless and/or prefix delegation
                     parameters that should be used by the DHCPv6 server. Refer to
                     Address Pool Configuration Commands on page 24-6 for the
                     commands to configure an address pool.
rapid-commit         (Optional) Specify that the server should use the Rapid Commit option
                     that allows for an abbreviated exchange between DHCPv6 client and
                     server. Refer to RFC 3315 for more information.
preference pref      (Optional) Specifies the value of the server's Preference option. This
                     value, which can range from 0 to 4,294,967,295, is used by clients to
                     determine preference among multiple DHCPv6 servers.
Defaults
By default, DHCPv6 functionality is disabled.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
Use this command to configure DHCPv6 server parameters when an interface will act as a
DHCPv6 server. Address pools are configured using the commands described in section Address
Pool Configuration Commands on page 24-6.
An interface can be configured as either a DHCPv6 server or a DHCPv6 relay agent, but not both.
Use the no form of this command to remove DHCPv6 server functionality from an interface.
Example
This example configures routing interface VLAN 7 to be a DHCPv6 server, using the address pool
named PoolA.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(Config-if(Vlan 7))# ipv6 dhcp server PoolA
ipv6 dhcp relay
This command configures an interface for DHCPv6 relay agent functionality.
Syntax
ipv6 dhcp relay {destination dest-addr interface intf | interface intf} [remote-id
{duid-ifid | user-defined-string}]
no ipv6 dhcp relay {destination dest-addr interface intf | interface intf}
Parameters
destination dest-addr    Specifies the IPv6 address of a DHCPv6 relay server. This IPv6 address
                         can be a global address, a multicast address, or a link-local address.
                         If the address is a multicast or link-local address, then you must specify
                         the interface to be used to contact the relay server with the interface
                         parameter.
interface intf           Specifies the interface to be used to contact the relay server. The
                         interface is identified by port type.unit number.port number. For
                         example, ge.3.1.
                         If destination dest-addr is not specified, then an interface must be
                         specified and the DHCPV6-ALL-AGENTS multicast address (FF02::1:2)
                         is used to relay DHCPv6 messages to the relay server.
remote-id {duid-ifid |   (Optional) Specifies that the Relay Agent Information Option
user-defined-string}     Remote-ID sub-option is to be added to relayed messages.
                         Specifying duid-ifid causes the remote ID to be derived from the relay
                         agent's DUID and the relay interface number. Alternatively, you can
                         specify the remote ID as a user-defined string of alphanumeric
                         characters. Refer to RFC 3046 and RFC 4649 for more information about
                         the Remote-ID option.
Defaults
If remote-id is not specified, the Relay Agent Information Option Remote-ID sub-option is not
added to relayed messages.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
Use this command to configure a routing interface as a DHCPv6 relay agent.
An interface can be configured as either a DHCPv6 server or a DHCPv6 relay agent, but not both.
Use the no form of this command to remove DHCPv6 relay agent functionality from an interface.
Examples
This example configures interface VLAN 8 as a DHCPv6 relay agent that relays DHCPv6
messages to the DHCPv6 server at the global address 2001:0db8:1234:5555::122:10.
C3(su)->router(Config)# interface vlan 8
C3(su)->router(Config-if(Vlan 8))# ipv6 dhcp relay destination
2001:0db8:1234:5555::122:10/64
This example configures interface VLAN 8 as a DHCPv6 relay agent by configuring the interface
through which the relay agent relays messages using the DHCPV6-ALL-AGENTS multicast
address.
C3(su)->router(Config)# interface vlan 8
C3(su)->router(Config-if(Vlan 8))# ipv6 dhcp relay interface ge.3.1
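
The limits this chapter documents for the global, pool and interface commands (option number ranges, up to 8 domain names or DNS servers per pool, server or relay agent but not both on one interface, an interface for a multicast or link-local relay destination) can be checked before commands are entered on the switch. The Python below is an added example, not Enterasys code; it assumes the commands are listed one per line as typed, without prompts, and the function names and sample input are constructed for illustration.

```python
import ipaddress

OPTION_MIN = {"relay-agent-info-opt": 32, "relay-agent-info-remote-id-subopt": 1}
MAX_PER_POOL = 8   # domain names or DNS servers allowed in one pool


def parse_ipv6(text):
    """Return an IPv6Address, or None if text is not one (a /len suffix is ignored)."""
    try:
        return ipaddress.IPv6Address(text.split("/")[0])
    except ValueError:
        return None


def lint_dhcpv6(config_text):
    """Check typed DHCPv6 commands against the limits documented in this chapter.

    Returns a list of (line_number, message) findings.
    """
    findings, pools, roles = [], {}, {}
    pool = iface = None

    def flag(message):
        findings.append((num, message))

    def add_role(role):
        roles.setdefault(iface, set()).add(role)
        if len(roles[iface]) > 1:
            flag(f"{iface} is configured as both DHCPv6 server and relay agent")

    for num, line in enumerate(config_text.splitlines(), 1):
        words = line.split()
        if not words:
            continue
        if words[:3] == ["ipv6", "dhcp", "pool"] and len(words) == 4:
            pool, iface = words[3], None
            pools.setdefault(pool, {"domain-name": 0, "dns-server": 0})
            if not (pool.isalnum() and len(pool) < 31):
                flag("pool name must be fewer than 31 alphanumeric characters")
        elif words[:2] == ["interface", "vlan"] and len(words) == 3:
            iface, pool = "vlan " + words[2], None
        elif words == ["exit"]:
            pool = iface = None
        elif words[:2] == ["ipv6", "dhcp"] and len(words) == 4 and words[2] in OPTION_MIN:
            low = OPTION_MIN[words[2]]
            if not (words[3].isdecimal() and low <= int(words[3]) <= 65535):
                flag(f"{words[2]} must be in the range {low} to 65535")
        elif pool and len(words) == 2 and words[0] in ("domain-name", "dns-server"):
            pools[pool][words[0]] += 1
            if pools[pool][words[0]] > MAX_PER_POOL:
                flag(f"pool {pool} has more than {MAX_PER_POOL} {words[0]} entries")
            if words[0] == "domain-name" and len(words[1]) > 31:
                flag("domain name is longer than 31 characters")
            if words[0] == "dns-server" and parse_ipv6(words[1]) is None:
                flag("dns-server is not a valid IPv6 address")
        elif iface and words[:3] == ["ipv6", "dhcp", "server"]:
            add_role("server")
        elif iface and words[:3] == ["ipv6", "dhcp", "relay"]:
            add_role("relay")
            args = words[3:]
            has_intf = "interface" in args
            if "destination" in args[:-1]:
                dest = parse_ipv6(args[args.index("destination") + 1])
                if dest is None:
                    flag("relay destination is not a valid IPv6 address")
                elif (dest.is_multicast or dest.is_link_local) and not has_intf:
                    flag("multicast or link-local relay destination needs an interface")
            elif not has_intf:
                flag("relay needs a destination address or an interface")
    return findings


# Constructed sample: commands as typed, without prompts (not a real device config).
SAMPLE = """\
ipv6 dhcp relay-agent-info-opt 82
ipv6 dhcp relay-agent-info-remote-id-subopt 0
ipv6 dhcp pool PoolA
domain-name enterasys.com
dns-server 2001:0db8:1234:5678::A
exit
interface vlan 7
ipv6 dhcp server PoolA
ipv6 dhcp relay destination FE80::1
exit
interface vlan 8
ipv6 dhcp relay destination 2001:0db8:1234:5555::122:10/64
exit
interface vlan 9
ipv6 dhcp relay destination FF02::1:2 interface ge.3.1
"""

if __name__ == "__main__":
    for number, message in lint_dhcpv6(SAMPLE):
        print(f"line {number}: {message}")
```
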
DHCPv6 Show Commands
Purpose
These commands are used to display DHCPv6 configuration information and statistics, to clear
statistics globally or for a specific interface, and to display address pool and binding information.
Commands
For information about...        Refer to page...
show ipv6 dhcp                  24-13
show ipv6 dhcp interface        24-14
show ipv6 dhcp statistics       24-16
clear ipv6 dhcp statistics      24-17
show ipv6 dhcp pool             24-18
show ipv6 dhcp binding          24-18
show ipv6 dhcp
This command displays the state of DHCPv6 on the switch and, if DHCPv6 is enabled, the
switch's DHCP unique identifier (DUID).
Syntax
show ipv6 dhcp
Parameters
None.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
This example illustrates the output of this command when DHCPv6 is enabled on the switch.
C3(su)->router# show ipv6 dhcp
DHCPv6 is enabled
Server DUID: 00:01:00:06:90:83:57:c7:00:11:88:56:5d:58
show ipv6 dhcp interface
This command displays DHCPv6 configuration information or DHCPv6 statistics for the specified
routing interface.
Syntax
show ipv6 dhcp interface vlan vlan-id [statistics]
Parameters
vlan vlan-id     Specifies the ID of the routing interface for which to display DHCPv6
                 information.
statistics       (Optional) Specifies that DHCPv6 statistics for the specified interface
                 should be displayed.
Defaults
If statistics is not specified, configuration information about the interface is displayed.
Mode
Router privileged execution: C3(su)->router#
Usage
When you display DHCPv6 configuration information, the information displayed is different
depending on whether the interface has been configured as a DHCPv6 server or relay agent.
Examples
This example displays DHCPv6 configuration information about VLAN 80, which was configured
as a DHCPv6 server.
C3(su)->router# show ipv6 dhcp interface vlan 80
IPv6 Interface                  Vlan 80
Mode                            Server
Pool Name                       newpool
Server Preference               5
Option Flags                    Rapid Commit
This example displays DHCPv6 configuration information about VLAN 10, which was configured
as a relay agent. The output fields are described in Table 24-1 on page 24-15.
C3(su)->router# show ipv6 dhcp interface vlan 10
IPv6 Interface                  Vlan 10
Mode                            Relay
Relay Address                   5006:4567::100:1
Relay Interface Number
Relay Remote ID
Option Flags
Table 24-1 provides an explanation of the command output.
Table 24-1 Output of show ipv6 dhcp interface Command
Output...                 What it displays...
IPv6 Interface            Shows the interface name.
Mode                      Shows whether the interface is an IPv6 DHCP relay agent or
                          server.
Pool Name                 Displays when interface is a server. Shows the pool name
                          specifying information for DHCPv6 server distribution to DHCPv6
                          clients.
Server Preference         Displays when interface is a server. Shows the preference of the
                          server.
Option Flags              Displays when interface is a server. Shows whether rapid commit
                          is enabled.
Relay Address             Displays when interface is a relay agent. Shows the IPv6 address
                          of the relay server.
Relay Interface Number    Displays when interface is a relay agent. Shows the relay server
                          interface in port type.unit number.port number format.
Relay Remote ID           Displays when interface is a relay agent. If configured, shows the
                          contents of the remote-id field for the Remote-ID option.
Option Flags              Displays when interface is a relay agent. Shows whether rapid
                          commit is configured.
This example displays the DHCPv6 statistics for VLAN 80.
C3(su)->router# show ipv6 dhcp interface vlan 80 statistics
DHCPv6 Interface Vlan 80 Statistics
------------------------------------
DHCPv6 Solicit Packets Received                  0
DHCPv6 Request Packets Received                  0
DHCPv6 Confirm Packets Received                  0
DHCPv6 Renew Packets Received                    0
DHCPv6 Rebind Packets Received                   0
DHCPv6 Release Packets Received                  0
DHCPv6 Decline Packets Received                  0
DHCPv6 Inform Packets Received                   0
DHCPv6 Relay-forward Packets Received            0
DHCPv6 Relay-reply Packets Received              0
DHCPv6 Malformed Packets Received                0
Received DHCPv6 Packets Discarded                0
Total DHCPv6 Packets Received                    0
DHCPv6 Advertisement Packets Transmitted         0
DHCPv6 Reply Packets Transmitted                 0
DHCPv6 Reconfig Packets Transmitted              0
DHCPv6 Relay-reply Packets Transmitted           0
DHCPv6 Relay-forward Packets Transmitted         0
Total DHCPv6 Packets Transmitted                 0
Table 24-2 provides an explanation of the command output.
show ipv6 dhcp statistics
This command displays IPv6 DHCP statistics for all interfaces.
Syntax
show ipv6 dhcp statistics
Parameters
None.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
This example displays the output of this command.
C3(su)->router# show ipv6 dhcp statistics
DHCPv6 Interface Global Statistics
------------------------------------
DHCPv6 Solicit Packets Received                  0
DHCPv6 Request Packets Received                  0
DHCPv6 Confirm Packets Received                  0
DHCPv6 Renew Packets Received                    0
DHCPv6 Rebind Packets Received                   0
DHCPv6 Release Packets Received                  0
DHCPv6 Decline Packets Received                  0
DHCPv6 Inform Packets Received                   0
DHCPv6 Relay-forward Packets Received            0
DHCPv6 Relay-reply Packets Received              0
DHCPv6 Malformed Packets Received                0
Received DHCPv6 Packets Discarded                0
Total DHCPv6 Packets Received                    0
DHCPv6 Advertisement Packets Transmitted         0
DHCPv6 Reply Packets Transmitted                 0
DHCPv6 Reconfig Packets Transmitted              0
DHCPv6 Relay-reply Packets Transmitted           0
DHCPv6 Relay-forward Packets Transmitted         0
Total DHCPv6 Packets Transmitted                 0
Table 24-2 provides an explanation of the command output.
Table 24-2 Output of show ipv6 dhcp statistics Command
Output...                                    What it displays...
DHCPv6 Solicit Packets Received              Number of solicit received statistics.
DHCPv6 Request Packets Received              Number of request received statistics.
DHCPv6 Confirm Packets Received              Number of confirm received statistics.
DHCPv6 Renew Packets Received                Number of renew received statistics.
DHCPv6 Rebind Packets Received               Number of rebind received statistics.
DHCPv6 Release Packets Received              Number of release received statistics.
DHCPv6 Decline Packets Received              Number of decline received statistics.
DHCPv6 Inform Packets Received               Number of inform received statistics.
DHCPv6 Relay-forward Packets Received        Number of relay forward received statistics.
DHCPv6 Relay-reply Packets Received          Number of relay-reply received statistics.
DHCPv6 Malformed Packets Received            Number of malformed packets statistics.
Received DHCPv6 Packets Discarded            Number of DHCP discarded statistics.
Total DHCPv6 Packets Received                Total number of DHCPv6 received statistics.
DHCPv6 Advertisement Packets Transmitted     Number of advertise sent statistics.
DHCPv6 Reply Packets Transmitted             Number of reply sent statistics.
DHCPv6 Reconfig Packets Transmitted          Number of reconfigure sent statistics.
DHCPv6 Relay-reply Packets Transmitted       Number of relay-reply sent statistics.
DHCPv6 Relay-forward Packets Transmitted     Number of relay-forward sent statistics.
Total DHCPv6 Packets Transmitted             Total number of DHCPv6 sent statistics.
clear ipv6 dhcp statistics
This command clears IPv6 DHCP statistics, either all statistics or only for a specific interface.
Syntax
clear ipv6 dhcp statistics [vlan vlan-id]
Parameters
vlan vlan-id     (Optional) Specifies the interface for which to clear DHCPv6 statistics.
Defaults
If no interface is specified, IPv6 DHCP statistics for all interfaces are cleared.
Mode
Router privileged execution: C3(su)->router#
Example
This example clears DHCPv6 statistics for VLAN 80.
C3(su)->router# clear ipv6 dhcp statistics vlan 80
show ipv6 dhcp pool
This command displays information about a specific configured pool.
Syntax
show ipv6 dhcp pool pool-name
Parameters
pool-name   The name of the configured address pool for which to display
            information.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Usage
The information displayed by this command differs, depending on the configuration parameters
of the pool.
Examples
This example displays the output for PoolA that was not configured for prefix delegation.
C3(su)->router# show ipv6 dhcp pool PoolA
DHCPv6 Pool: PoolA
DNS Server: 2001:db8:1234:5678::A
Domain Name: enterasys.com
This example displays the output for PoolB that was configured for prefix delegation.
C3(su)->router# show ipv6 dhcp pool PoolB
DHCPv6 Pool: PoolB
Client DUID: 00:02:00:00:00:11:0A:C0:89:D3:03:00:09:AA
Host:
Prefix/Prefix Length: 2001:db8:10::/48
Preferred Lifetime: 2592000
Valid Lifetime: 604800
DNS Server:
Domain Name:
show ipv6 dhcp binding
This command displays information about DHCPv6 bindings.
Syntax
show ipv6 dhcp binding [ipv6-addr]
Parameters
ipv6-addr   (Optional) Specifies the IPv6 address of the DHCP prefix delegation
            client for which to display binding information.
Defaults
If no IPv6 address is specified, all bindings are displayed.
Mode
Router privileged execution: C3(su)->router#
Example
This example displays all bindings for the client with the IPv6 address FE80::111:FCF1:DEA5:10.
C3(su)->router# show ipv6 dhcp binding FE80::111:FCF1:DEA5:10
DHCP Client Address: FE80::111:FCF1:DEA5:10
DUID: 000300010002FCA5DC1C
IA ID: 0x00040001, T1 0, T2 0
Prefix/Prefix Length: 3FFE:C00:C18:11::/68
Prefix Type: IPPD
Expiration: 12320 seconds
Valid Lifetime: 12345
Preferred Lifetime: 180
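
Prefix delegation in the DHCPv6 chapter is keyed on the client DUID, and the DUIDs shown in the prefix-delegation, show ipv6 dhcp and show ipv6 dhcp binding examples follow the three layouts defined in RFC 3315. The Python below is an added example, not part of the Enterasys guide or firmware: it decodes those DUIDs and compares bindings with configured delegations; the function names and the second binding entry are constructed for illustration.

```python
import ipaddress
import re

# DUID layouts from RFC 3315 section 9; the type code is the first two octets.
DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL"}
MAX_DUID_BODY = 128   # octets allowed after the type code


def duid_bytes(text):
    """Accept '00:02:...' or '0003...' notation and return the raw octets."""
    cleaned = text.strip().replace(":", "")
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", cleaned):
        raise ValueError(f"not a hex DUID: {text!r}")
    return bytes.fromhex(cleaned)


def link_layer(octets):
    """Format a link-layer address as colon-separated lowercase hex."""
    return ":".join(f"{b:02x}" for b in octets)


def decode_duid(text):
    """Split a DUID into the fields defined for its type."""
    raw = duid_bytes(text)
    code, body = int.from_bytes(raw[:2], "big"), raw[2:]
    if not 1 <= len(body) <= MAX_DUID_BODY:
        raise ValueError("DUID body must be 1 to 128 octets")
    fields = {"type": DUID_TYPES.get(code, f"unknown ({code})"), "hex": raw.hex()}
    if code == 1 and len(body) > 6:        # hardware type, time, link-layer address
        fields["hw_type"] = int.from_bytes(body[:2], "big")
        fields["time"] = int.from_bytes(body[2:6], "big")   # seconds since 2000-01-01 UTC
        fields["link_layer"] = link_layer(body[6:])
    elif code == 2 and len(body) > 4:      # enterprise number, opaque identifier
        fields["enterprise"] = int.from_bytes(body[:4], "big")
        fields["identifier"] = body[4:].hex()
    elif code == 3 and len(body) > 2:      # hardware type, link-layer address
        fields["hw_type"] = int.from_bytes(body[:2], "big")
        fields["link_layer"] = link_layer(body[2:])
    elif code in DUID_TYPES:
        raise ValueError(f"{DUID_TYPES[code]} is truncated")
    return fields


def unexpected_bindings(delegations, bindings):
    """Return the bindings whose (DUID, prefix) pair was not configured.

    Both arguments are lists of (duid_text, prefix_text). DUIDs are compared
    as octets and prefixes as networks, so notation differences do not matter.
    """
    def key(duid, prefix):
        return duid_bytes(duid), ipaddress.IPv6Network(prefix)

    allowed = {key(duid, prefix) for duid, prefix in delegations}
    return [pair for pair in bindings if key(*pair) not in allowed]


# Values copied from the chapter's examples unless marked as constructed.
CONFIGURED = [("00:02:00:00:00:11:0A:C0:89:D3:03:00:09:AA", "2001:0db8:10::/48")]
SERVER_DUID = "00:01:00:06:90:83:57:c7:00:11:88:56:5d:58"
BINDINGS = [
    ("000300010002FCA5DC1C", "3FFE:C00:C18:11::/68"),        # show ipv6 dhcp binding
    ("0002000000110ac089d3030009aa", "2001:db8:10::/48"),    # constructed entry
]

if __name__ == "__main__":
    for duid in (CONFIGURED[0][0], SERVER_DUID, BINDINGS[0][0]):
        print(decode_duid(duid))
    print("unexpected:", unexpected_bindings(CONFIGURED, BINDINGS))
```
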
25
OSPFv3 Configuration
* IPv6 Routing License Required *
IPv6 routing must be enabled with a license key in order to use this feature. If you have purchased an IPv6
routing license key, and have enabled routing on the device, you must activate your license as described in
the chapter entitled Activating Licensed Features in order to enable the OSPFv3 protocol configuration
command set. If you wish to purchase an IPv6 routing license, contact Enterasys Networks Sales.
The commands in this chapter perform configuration of the OSPFv3 routing protocol on the
SecureStack C3. For information about general IPv6 configuration, refer to Chapter 22, IPv6
Configuration. For information about managing IPv6 host functionality at the switch level, refer
to Chapter 21, IPv6 Management.
For information about...                   Refer to page...
Global OSPFv3 Configuration Commands       25-3
Area Configuration Commands                25-10
Interface Configuration Commands           25-21
OSPFv3 Show Commands                       25-29
Overview
OSPFv3 is the Open Shortest Path First routing protocol for IPv6. It is similar to OSPFv2 in its
concept of a link state database, intra/inter-area and AS-external routes and virtual links. OSPFv3
also differs from OSPFv2 in a number of respects:
• Peering is done via link-local addresses.
• The protocol is link rather than network centric.
• Addressing semantics have been moved to leaf LSAs, which eventually will allow its use for
  both IPv4 and IPv6.
• Two new LSAs have been introduced: the link LSA and the intra-area LSA.
Point-to-point links are supported in order to enable operation over tunnels. OSPFv3 views
IPv6-over-IPv4 tunnels as a point-to-point interface with a link-local address and possibly, a global
unicast address. OSPFv3 uses the reported MTU for tunnel interfaces.
OSPFv3 supports ECMP routes. OSPFv3 includes NSSA and AS-external LSA overflow limit
support. RFC 1583 compatibility does not apply to OSPFv3. No OSPFv3 authentication methods
are supported at this time.
LSA formats are changed, and the type 3 and 4 summary LSAs are renamed inter-area-prefix
and inter-area-router LSAs. Also note that OSPFv3 LSA identifiers contain no addressing
semantics. LSA scope is generalized to link, area, and AS scope. OSPFv3 specifies the processing
of unsupported LSAs. Unsupported LSAs are maintained in the database and flooded according
to scope. In OSPFv3, routers with 100 or more interfaces generate more than one router LSA. A
new link LSA has been created. Addresses in LSAs are specified as [prefix, prefix length].
Area ID and Router ID remain 32-bit identifiers. OSPFv3 identifies Neighbors by router ID instead
of the interface address used in OSPFv2.
Note that both OSPFv3 and OSPFv2 can be enabled and run on the SecureStack C3.
Default Conditions
The following table lists the default OSPFv3 conditions.
Condition                                 Default Value
IPv6 OSPF                                 Disabled
IPv6 OSPF cost                            10
IPv6 OSPF dead-interval                   40 seconds
IPv6 OSPF hello-interval                  10 seconds
IPv6 OSPF mtu-ignore                      Enabled
IPv6 OSPF network                         Broadcast
IPv6 OSPF priority                        1
IPv6 OSPF retransmit-interval             4
IPv6 OSPF transmit-delay                  1
Area stub no-summary                      Enabled
Area virtual-link dead-interval           40
Area virtual-link hello-interval          10
Area virtual-link retransmit-interval     5
Area virtual-link transmit-delay          1
Default-information originate             Metric unspecified
                                          Type 2
Distance OSPF                             Intra 8
                                          Inter 10
                                          Type-1 13
                                          Type-2 50
Administrative mode of OSPF               Enabled
Exit-overflow-interval                    0
External-lsdb-limit                       -1
Maximum-paths                             4
Redistribute                              Metric unspecified
                                          Type 2
                                          Tag 0
Trapflags                                 Enabled
Global OSPFv3 Configuration Commands
Purpose
These commands are used to configure a router ID for the OSPFv3 router, to enter router OSPFv3
configuration mode, and to configure global OSPFv3 parameters.
Command
For information about...            Refer to page...
ipv6 router id                      25-3
ipv6 router ospf                    25-4
default-information originate       25-4
default-metric                      25-5
distance ospf                       25-5
exit-overflow-interval              25-6
external-lsdb-limit                 25-7
maximum-paths                       25-8
redistribute                        25-8
ipv6 router id
This command configures a 32-bit integer, entered in 32-bit dotted-quad notation, used to
uniquely identify this OSPFv3 router.
Syntax
ipv6 router id ip-address
Parameters
ip-address  Specifies the ID of the OSPFv3 router, in 32-bit dotted-quad notation.
Defaults
None.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
Use this command to configure the OSPFv3 router ID.
Example
This example illustrates configuring the OSPFv3 router ID as 2.2.2.2.
C3(su)->router(Config)# ipv6 router id 2.2.2.2
ipv6 router ospf
This command enters Router OSPFv3 configuration mode.
Syntax
ipv6 router ospf
Parameters
None.
Defaults
None.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
Use this command to enter OSPFv3 configuration mode so you can configure global OSPFv3
parameters.
Example
This example illustrates entering router OSPFv3 configuration mode.
C3(su)->router(Config)# ipv6 router ospf
C3(su)->router(Config-router)#
default-information originate
This command is used to control the advertisement of default routes.
Syntax
default-information originate [always] [metric value] [metric-type type]
no default-information originate [metric] [metric-type]
Parameters
always              (Optional) Always advertises the default route information.
metric value        (Optional) Specifies the metric of the default route. The metric value can
                    range from 0 to 16777214.
metric-type type    (Optional) Specifies the metric type of the default route. The metric type
                    can be 1, which specifies type 1 external route, or 2, which specifies type
                    2 external route.
Defaults
A default external route is not generated.
The default metric is unspecified.
The default type is type 2.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use this command to generate a default external route into an OSPFv3 routing domain. Use the no
form of this command to stop the generation of a default external route.
Example
This example specifies a metric of 100 for the default route redistributed into the OSPFv3 routing
domain, and an external metric type of 1.
C3(su)->router(Config-router)# default-information originate metric 100
metric-type 1
default-metric
This command sets a default metric for routes redistributed from another protocol into OSPFv3.
Syntax
default-metric metric
no default-metric
Parameters
metric              The value of metric can range from 1 to 16777214.
Defaults
No default metric is configured.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use this command to cause the same metric value to be used for all redistributed routes.
Use the no form of this command to remove a configured default metric.
Example
This example configures a metric of 100 to be used for all redistributed routes.
C3(su)->router(Config-router)# default-metric 100
distance ospf
This command sets the route preference value of OSPFv3.
Syntax
distance ospf {intra | inter | type1 | type2} preference
no distance ospf {intra | inter | type1 | type2}
Parameters
intra               Specifies the preference for intra-area routes (all routes within an area).
inter               Specifies the preference for inter-area routes (all routes between areas).
type1               Specifies the preference for Type 1 external routes (routes learned by redistribution from other routing domains).
type2               Specifies the preference for Type 2 external routes (routes learned by redistribution from other routing domains).
preference          The preference range is from 1 to 255.
Defaults
The default preference values are:
Intra-area = 8
Inter-area = 10
Type 1 = 13
Type 2 = 50
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Lower route preference values are preferred when determining the best route. The OSPFv3 specification (RFC 2328) requires that preferences must be given to the routes learned via OSPFv3 in the following order: intra-area < inter-area < Type 1 < Type 2.
A route with a preference of 255 cannot be used to forward traffic.
Use the no form of this command to reset the preference values back to the defaults.
Example
The following example sets the intra-area preference to 5.
C3(su)->router(Config-router)# distance ospf intra 5
exit-overflow-interval
This command configures the exit overflow interval for OSPFv3.
Syntax
exit-overflow-interval seconds
no exit-overflow-interval
Parameters
seconds             Specifies the range for seconds, which is from 0 to 2147483647.
Defaults
The default interval value is 0.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
The exit overflow interval is the number of seconds after entering Overflow state that a router will wait before attempting to leave the Overflow State. This allows the router to again originate non-default AS-external-LSAs. When set to 0, the router will not leave Overflow State until restarted.
The no form of this command resets the interval to the default of 0.
Example
This example sets the exit overflow interval to 10 seconds.
C3(su)->router(Config-router)# exit-overflow-interval 10
external-lsdb-limit
This command configures the external LSDB limit for OSPFv3.
Syntax
external-lsdb-limit limit
no external-lsdb-limit
Parameters
limit               Specifies the limit, which can range from -1 to 2147483647. A value of -1 means that there is no limit.
Defaults
The default value is -1.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
When the number of non-default AS-external-LSAs in a router's link-state database reaches the external LSDB limit, the router enters overflow state. The router never holds more than the external LSDB limit non-default AS-external-LSAs in its database. The external LSDB limit MUST be set identically in all routers attached to the OSPFv3 backbone and/or any regular OSPFv3 area.
The no form of this command resets the limit to the default value of -1, meaning no limit.
Example
This example sets the external LSDB limit to 1000.
C3(su)->router(Config-router)# external-lsdb-limit 1000
maximum-paths
This command sets the number of paths that OSPFv3 can report for a given destination.
Syntax
maximum-paths maxpaths
no maximum-paths
Parameters
maxpaths            Specifies the value for maxpaths, which can range from 1 to 4.
Defaults
The default value is 4.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use the no form of this command to reset the maximum number of paths to the default value of 4.
Example
This example sets the maximum number of paths for a given destination to 3.
C3(su)->router(Config-router)# maximum-paths 3
redistribute
This command configures the OSPFv3 protocol to allow redistribution of routes from the specified source protocol/routers.
Syntax
redistribute {connected | static} [metric value] [metric-type type] [tag tag]
no redistribute {connected | static} [metric] [metric-type] [tag]
Parameters
connected | static  Specifies the source protocol to redistribute.
metric value        (Optional) Specifies the route redistribution metric. The metric value can range from 0 to 16777214.
metric-type type    (Optional) Specifies the route redistribution metric type. The metric type can be 1, which specifies type 1 external route, or 2, which specifies type 2 external route.
tag tag             (Optional) Specifies a route redistribution tag. The value of tag can range from 0 to 4294967295.
Defaults
The default values are:
Metric = unspecified
Metric type = Type 2
Tag = 0
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
The no form of this command configures the OSPFv3 protocol to prohibit redistribution of routes from the specified source protocol/routers.
Example
This example configures route redistribution of static routes and applies a metric of 10.
C3(su)->router(Config-router)# redistribute static metric 10
Area Configuration Commands
Purpose
These commands are used to configure area parameters.
Commands
  area default-cost
  area nssa
  area nssa default-info-originate
  area nssa no-redistribute
  area nssa no-summary
  area nssa translator role
  area nssa translator-stab-intv
  area range
  area stub
  area stub no-summary
  area virtual-link
  area virtual-link dead-interval
  area virtual-link hello-interval
  area virtual-link retransmit-interval
  area virtual-link transmit-delay

area default-cost
This command configures the default cost for the summary default route generated by the area border router into the stub or NSSA area.
Syntax
area areaid default-cost cost
no area areaid default-cost
Parameters
areaid              Specifies the area ID in IP address format (dotted-quad) or as a decimal value.
cost                Specifies a cost, which can range between 1 and 16777215.
Defaults
None.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use this command to set the cost value for the default route that is sent into a stub area or NSSA by an Area Border Router (ABR). The no form of this command removes the cost value from the summary route that is sent into the stub area.
Example
This example sets the default route cost to 50 for area 20.
C3(su)->router(Config-router)# area 20 default-cost 50
area nssa
This command configures the specified area to function as a not-so-stubby area (NSSA).
Syntax
area areaid nssa
no area areaid nssa
Parameters
areaid              Specifies the area ID in IP address format (dotted-quad) or as a decimal value.
Defaults
None.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
An NSSA allows some external routes represented by external Link State Advertisements (LSAs) to be imported into it. This is in contrast to a stub area that does not allow any external routes. External routes that are not imported into an NSSA can be represented by means of a default route. This configuration is used when an OSPFv3 internetwork is connected to multiple non-OSPF routing domains.
The no form of this command changes the NSSA back to a plain area.
Example
This example shows how to configure area 20 as an NSSA.
C3(su)->router(Config-router)# area 20 nssa
area nssa default-info-originate
This command configures the metric value and type for the default route advertised into the NSSA.
Syntax
area areaid nssa default-info-originate [metric] [comparable | non-comparable]
no area areaid nssa default-info-originate
Parameters
areaid              Specifies the area ID in IP address format (dotted-quad) or as a decimal value.
metric              (Optional) Specifies the metric of the default route, in the range of 1 to 16777214.
comparable | non-comparable
                    (Optional) Specifies the metric type:
                    comparable: nssa-external 1
                    non-comparable: nssa-external 2
Defaults
Default metric value is 10.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use this command to allow a default route to be advertised within the area. This option should be configured only on area border routers (ABRs).
Use the no form of this command to prevent a default route from being advertised within the area.
Example
This example configures NSSA area 20 to advertise a default route.
C3(su)->router(Config-router)# area 20 nssa default-info-originate
area nssa no-redistribute
This command configures the NSSA area border router to not redistribute learned external routes to the NSSA.
Syntax
area areaid no-redistribute
no area areaid no-redistribute
Parameters
areaid              Specifies the area ID in IP address format (dotted-quad) or as a decimal value.
Defaults
None.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use this command to prevent redistribution of learned external routes to the NSSA by this area border router (ABR). Use the no form of this command to enable redistribution of learned external routes to the NSSA.
Example
This example configures the router to not redistribute learned external routes into NSSA 20.
C3(su)->router(Config-router)# area 20 no-redistribute
area nssa no-summary
This command configures the NSSA area border router to not advertise summary routes into the NSSA.
Syntax
area areaid nssa no-summary
no area areaid nssa no-summary
Parameters
areaid              Specifies the area ID in IP address format (dotted-quad) or as a decimal value.
Defaults
None.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use this command to prevent the advertising of summary routes into the specified NSSA by this router. Use the no form of this command to enable advertising of summary routes into the NSSA.
Example
This example configures the router to not advertise summary routes into NSSA 20.
C3(su)->router(Config-router)# area 20 nssa no-summary
area nssa translator role
This command configures the translator role of the router.
Syntax
area areaid nssa translator-role {always | candidate}
no area areaid nssa translator-role
Parameters
areaid              Specifies the area ID in IP address format (dotted-quad) or as a decimal value.
always              Specifies that the router will always assume the role of the translator the instant it becomes a border router.
candidate           Specifies that the router will participate in the translator election process when it becomes a border router.
Defaults
By default, the translator role is disabled.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
The NSSA Translator Role specifies whether or not an NSSA router will unconditionally translate Type 7 LSAs to Type 5 LSAs when acting as an NSSA border router.
When the always parameter is specified with this command, the router will always translate Type 7 LSAs, regardless of the translator state of other NSSA border routers. When the candidate parameter is specified, the NSSA router will participate in the translator election process described in RFC 3101, The OSPF Not-So-Stubby Area (NSSA) Option.
Use the no form of this command to return the configured translator role to the default of disabled.
Example
This example configures the router to always assume the translator role when it becomes an area border router for NSSA 20.
C3(su)->router(Config-router)# area 20 nssa translator-role always
area nssa translator-stab-intv
This command configures the translator stability interval of the NSSA.
Syntax
area areaid translator-stab-intv interval
no area areaid translator-stab-intv
Parameters
areaid              Specifies the area ID in IP address format (dotted-quad) or as a decimal value.
interval            Specifies the stability interval in seconds. The value of interval can range from 0 to 3600 seconds.
Defaults
The default interval is 40 seconds.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
The stability interval is the period of time that an elected translator continues to perform its duties after it determines that its translator status has been deposed by another router.
Example
This example sets the translator stability interval to 60 seconds for NSSA 20.
C3(su)->router(Config-router)# area 20 nssa translator-stab-intv 60
area range
This command creates an address range for the specified NSSA.
Syntax
area areaid range ipv6-prefix/prefix-length {summarylink | nssaexternallink} [advertise | not-advertise]
no area areaid range ipv6-prefix/prefix-length
Parameters
areaid              Specifies the area ID in IP address format (dotted-quad) or as a decimal value.
ipv6-prefix/prefix-length
                    Specifies IPv6 prefix and the length of the IPv6 prefix for the address range. The prefix must be specified in hexadecimal using 16-bit values between colons.
                    The value of prefix-length is a decimal number indicating the number of high-order contiguous bits that comprise the prefix.
summarylink         Specifies that route summarization should be based on summary LSAs.
nssaexternallink    Specifies that route summarization should be based on external LSAs Type 7.
advertise | not-advertise
                    (Optional) Specifies whether or not the routes should be advertised. If neither parameter is specified, the default is advertise.
Defaults
Area address ranges are not configured by default.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Address ranges control the advertisement of routes across area boundaries. Routing information is summarized, or aggregated, at area boundaries. External to the area, at most a single route is advertised (via an inter-area-prefix-LSA) for each address range. A route is advertised if and only if the address range's status is set to advertise. The default condition is to advertise.
For ABRs configured for NSSA, route summarization/aggregation can be implemented based on LSA type: either summary LSAs (specified with the summarylink parameter), or NSSA external LSAs Type 7 (specified with the nssaexternallink parameter).
You can configure multiple address ranges with this command.
Use the no form of this command to remove a configured address range.
Example
This example configures an address range to be consolidated and advertised based on summary LSAs.
C3(su)->router(Config-router)# area 20 range 3FFe:501::/32 summarylink
area stub
This command creates a stub area for the specified area ID.
Syntax
area areaid stub
no area areaid stub
Parameters
areaid              Specifies the area ID in IP address format (dotted-quad) or as a decimal value.
Defaults
None.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
A stub area is characterized by the fact that AS-external-LSAs are not propagated into the area. Removing AS-external-LSAs and summary LSAs can significantly reduce the link-state database of routers within the stub area.
Use the no form of the command to delete a stub area.
Example
This example creates a stub area with the ID of 30.
C3(su)->router(Config-router)# area 30 stub
area stub no-summary
This command disables the import of summary LSAs into the specified stub area.
Syntax
area areaid stub no-summary
no area areaid stub no-summary
Parameters
areaid              Specifies the area ID in IP address format (dotted-quad) or as a decimal value.
Defaults
None.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use the no form of this command to set the summary LSA import mode to the default for the specified stub area.
Example
The example disables the import of summary LSAs into stub area 30.
C3(su)->router(Config-router)# area 30 stub no-summary
area virtual-link
This command creates the OSPFv3 virtual interface for the specified area and neighbor.
Syntax
area areaid virtual-link neighborid
no area areaid virtual-link neighborid
Parameters
areaid              Specifies the area ID in IP address format (dotted-quad) or as a decimal value.
neighborid          Specifies the virtual link neighbor by means of its router ID. The router ID must be entered in 32-bit dotted-quad notation.
Defaults
None.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
The virtual link neighbor is identified by its router ID. Use the no form of this command to delete the configured OSPFv3 virtual interface identified by area and neighbor.
Example
This example creates a virtual interface for area 20 and the neighbor with router ID 2.2.2.2.
C3(su)->router(Config-router)# area 20 virtual-link 2.2.2.2
area virtual-link dead-interval
This command configures the dead interval for the specified OSPFv3 virtual interface.
Syntax
area areaid virtual-link neighborid dead-interval seconds
no area areaid virtual-link neighborid dead-interval
Parameters
areaid              Specifies the area ID in IP address format (dotted-quad) or as a decimal value.
neighborid          Specifies the virtual link neighbor by means of its router ID. The router ID must be entered in 32-bit dotted-quad notation.
seconds             Specifies the value of the dead interval in seconds. The range is from 1 to 65535 seconds.
Defaults
The default dead interval is 40 seconds.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use the no form of this command to return a configured value to the default of 40 seconds.
Example
This example configures a dead interval of 60 seconds for the specified virtual interface.
C3(su)->router(Config-router)# area 20 virtual-link 2.2.2.2 dead-interval 60
area virtual-link hello-interval
This command configures the hello interval for the specified OSPFv3 virtual interface.
Syntax
area areaid virtual-link neighborid hello-interval seconds
no area areaid virtual-link neighborid hello-interval
Parameters
areaid              Specifies the area ID in IP address format (dotted-quad) or as a decimal value.
neighborid          Specifies the virtual link neighbor by means of its router ID. The router ID must be entered in 32-bit dotted-quad notation.
seconds             Specifies the value of the hello interval in seconds. The range is from 1 to 65535 seconds.
Defaults
The default hello interval is 10 seconds.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use the no form of this command to return a configured value to the default value of 10 seconds.
Example
This example configures a hello interval of 30 seconds for the specified OSPFv3 virtual interface.
C3(su)->router(Config-router)# area 20 virtual-link 2.2.2.2 hello-interval 30
area virtual-link retransmit-interval
This command configures the retransmit interval for the specified OSPFv3 virtual interface.
Syntax
area areaid virtual-link neighborid retransmit-interval seconds
no area areaid virtual-link neighborid retransmit-interval
Parameters
areaid              Specifies the area ID in IP address format (dotted-quad) or as a decimal value.
neighborid          Specifies the virtual link neighbor by means of its router ID. The router ID must be entered in 32-bit dotted-quad notation.
seconds             Specifies the value of the retransmit interval in seconds. The range is from 1 to 3600 seconds.
Defaults
The default retransmit interval is 5 seconds.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use the no form of this command to return a configured value to the default value of 5 seconds.
Example
This example sets the retransmit interval to 10 seconds for the specified OSPFv3 virtual interface.
C3(su)->router(Config-router)# area 20 virtual-link 2.2.2.2 retransmit-interval 10
area virtual-link transmit-delay
This command configures the transmit delay for the specified OSPFv3 virtual interface.
Syntax
area areaid virtual-link neighborid transmit-delay seconds
no area areaid virtual-link neighborid transmit-delay
Parameters
areaid              Specifies the area ID in IP address format (dotted-quad) or as a decimal value.
neighborid          Specifies the virtual link neighbor by means of its router ID. The router ID must be entered in 32-bit dotted-quad notation.
seconds             Specifies the value of the transmit delay in seconds. The range is from 1 to 3600 seconds.
Defaults
The default transmit delay is 1 second.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use the no form of this command to reset the transmit delay to the default of 1 second.
Example
This example sets the transmit delay to 2 seconds for the specified OSPFv3 virtual interface.
C3(su)->router(Config-router)# area 20 virtual-link 2.2.2.2 transmit-delay 2
Interface Configuration Commands
Purpose
These commands can be used to configure OSPFv3 routing interface parameters.
Commands
  ipv6 ospf enable
  ipv6 ospf areaid
  ipv6 ospf cost
  ipv6 ospf dead-interval
  ipv6 ospf hello-interval
  ipv6 ospf mtu-ignore
  ipv6 ospf network
  ipv6 ospf priority
  ipv6 ospf retransmit-interval
  ipv6 ospf transmit-delay

ipv6 ospf enable
This command enables OSPFv3 on a router interface or a loopback interface.
Syntax
ipv6 ospf enable
no ipv6 ospf enable
Parameters
None.
Defaults
OSPFv3 is disabled by default.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
Use this command to enable OSPFv3 on a router VLAN interface or on a loopback interface. Use the no form of this command to disable OSPFv3 on an interface.
Note: In order for OSPFv3 to run on an interface, IPv6 must be explicitly enabled on the interface using the ipv6 enable command.
Example
This example enters router interface configuration mode for VLAN 7 and then enables OSPFv3 on the interface.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(Config-if(Vlan 7))# ipv6 ospf enable
ipv6 ospf areaid
This command sets the OSPFv3 area to which the router interface belongs.
Syntax
ipv6 ospf areaid areaid
no ipv6 ospf areaid areaid
Parameters
areaid              Specifies the area ID in either 32-bit dotted-quad format or as a decimal number between 0 and 4294967295.
Defaults
None.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
The area ID uniquely identifies the area to which the interface connects. Assigning an area ID which does not exist on an interface causes the area to be created with default values.
Use the no form of this command to remove an area from the interface.
Examples
This example assigns VLAN 7 to area 20, expressed in dotted-quad format.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(Config-if(Vlan 7))# ipv6 ospf areaid 0.0.0.20
This example assigns VLAN 7 to area 20, expressed as a decimal number.
C3(su)->router(Config-if(Vlan 7))# ipv6 ospf areaid 20
ipv6 ospf cost
This command configures the cost of sending a packet on an OSPFv3 interface.
Syntax
ipv6 ospf cost cost
no ipv6 ospf cost cost
Parameters
cost                Specifies the cost of sending a packet on this interface. The value can range from 1 to 65535.
Defaults
The default cost is 10.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
Use this command to explicitly specify the cost of sending a packet on the interface being configured for OSPFv3. Use the no form of this command to return the cost to the default value of 10.
Example
This example configures the cost for router interface VLAN 7 to 100.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(Config-if(Vlan 7))# ipv6 ospf cost 100
ipv6 ospf dead-interval
This command sets the OSPFv3 dead interval for the router interface.
Syntax
ipv6 ospf dead-interval seconds
no ipv6 ospf dead-interval seconds
Parameters
seconds             Specifies the OSPFv3 dead interval in seconds. The value can range from 1 to 2147483647 seconds.
Defaults
The default dead interval value is 40 seconds.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
The OSPFv3 dead interval is the length of time in seconds that a router's Hello packets have not been seen before its neighbor routers declare that the router is down. The value for the dead interval must be the same for all routers attached to a common network, and should be some multiple of the hello interval.
Use the no form of this command to return the dead interval to the default value of 40 seconds.
Example
This example sets the dead interval for router interface VLAN 7 to 60 seconds.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(Config-if(Vlan 7))# ipv6 ospf dead-interval 60
ipv6 ospf hello-interval
This command sets the OSPFv3 hello interval for the router interface.
Syntax
ipv6 ospf hello-interval seconds
no ipv6 ospf hello-interval seconds
Parameters
seconds             Specifies the OSPFv3 hello interval in seconds. The value can range from 1 to 65535 seconds.
Defaults
The default hello interval is 10 seconds.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
Use this command to specify the interval between hello packets that OSPFv3 sends on the interface being configured. The shorter the hello interval, the faster topological changes will be detected, but more routing traffic will ensue. The hello interval must be the same for all routers attached to a common network.
Use the no form of this command to return the hello interval to the default value of 10 seconds.
Example
This example sets the hello interval for router interface VLAN 7 to 20 seconds.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(Config-if(Vlan 7))# ipv6 ospf hello-interval 20
ipv6 ospf mtu-ignore
This command disables OSPFv3 maximum transmission unit (MTU) mismatch detection.
Syntax
ipv6 ospf mtu-ignore
no ipv6 ospf mtu-ignore
Parameters
None.
Defaults
By default, MTU mismatch detection is enabled.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
OSPF Database Description packets specify the size of the largest IP packet that can be sent without fragmentation on the interface. When a router receives a Database Description packet, it examines the MTU advertised by the neighbor. By default, if the MTU is larger than the router can accept, the Database Description packet is rejected and the OSPF adjacency is not established.
Use this command to prevent the OSPFv3 router process from checking whether neighbors are using the same maximum transmission unit (MTU) on a common interface when exchanging Database Description packets.
Use the no form of this command to enable MTU mismatch detection.
Example
This example disables MTU mismatch detection on router interface VLAN 7.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(Config-if(Vlan 7))# ipv6 ospf mtu-ignore
ipv6 ospf network
This command changes the default OSPFv3 network type for the router interface.
Syntax
ipv6 ospf network {broadcast | point-to-point}
no ipv6 ospf network {broadcast | point-to-point}
Parameters
broadcast           Sets the network type to broadcast.
point-to-point      Sets the network type to point-to-point.
Defaults
Default network type is broadcast.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
Normally, the network type is determined from the physical IP network type. By default, all Ethernet networks are OSPFv3 type broadcast. Similarly, tunnel interfaces default to point-to-point. When an Ethernet port is used as a single large bandwidth IP network between two routers, the network type can be point-to-point since there are only two routers. Using point-to-point as the network type eliminates the overhead of the OSPFv3 designated router election. It is normally not useful to set a tunnel to OSPFv3 network type broadcast.
Use the no form of this command to set the network type to the default.
Example
This example sets the network type to point-to-point for router interface VLAN 7.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(Config-if(Vlan 7))# ipv6 ospf network point-to-point
ipv6 ospf priority
This command sets the OSPFv3 priority for the router interface. Router priority helps determine the designated router for an OSPFv3 link.
Syntax
ipv6 ospf priority priority
no ipv6 ospf priority
Parameters
priority            Specifies the priority value, which can range from 0 to 255.
Defaults
Default priority value is 1.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
When two routers on the same network attempt to become the designated router, the one with the higher router priority takes precedence. If there is a tie, the router with the higher router ID takes precedence. A router with a router priority set to zero is ineligible to become the designated router or backup designated router.
Use the no form of this command to return priority value to the default of 1.
Example
This example sets the priority for router interface VLAN 7 to 5.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(Config-if(Vlan 7))# ipv6 ospf priority 5
ipv6 ospf retransmit-interval
This command configures the OSPFv3 retransmit interval for the router interface.
Syntax
ipv6 ospf retransmit-interval seconds
no ipv6 ospf retransmit-interval
Parameters
seconds             Specifies the retransmit interval value, which can range from 0 to 3600 seconds.
Defaults
Default value is 4 seconds.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
The retransmit interval is the number of seconds between link-state advertisement retransmissions for adjacencies belonging to this router interface. This value is also used when retransmitting database description and link-state request packets.
Use the no form of this command to reset the retransmit interval to the default value of 4 seconds.
Example
This example sets the retransmit interval to 10 seconds for router interface VLAN 7.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(Config-if(Vlan 7))# ipv6 ospf retransmit-interval 10
ipv6 ospf transmit-delay
This command sets the OSPFv3 transmit delay for the router interface.
Syntax
ipv6 ospf transmit-delay seconds
no ipv6 ospf transmit-delay
Parameters
seconds             Specifies the transmit delay, which can range from 1 to 3600 seconds.
Defaults
Default value is 1 second.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
The transmit delay, specified in seconds, sets the estimated number of seconds it takes to transmit a link-state update packet over this interface.
Use the no form of this command to return the transmit delay to the default value of 1 second.
Example
This example sets the transmit delay value to 4 seconds for router interface VLAN 7.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(Config-if(Vlan 7))# ipv6 ospf transmit-delay 4
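
Several rules in this chapter can be checked offline before a change is applied: the distance ospf preference order and the unusable value 255, the note that ipv6 enable is required, and the hello and dead interval rules for routers on a common network. The Python linter below is an added example, not part of the Enterasys guide or firmware; the one-command-per-line input, the router names, and the assumption that routers sharing a VLAN ID are attached to the same network are constructed for illustration.

```python
import re
from collections import defaultdict

# Defaults stated in this chapter of the guide.
DEFAULT_DISTANCE = {"intra": 8, "inter": 10, "type1": 13, "type2": 50}
DEFAULT_HELLO, DEFAULT_DEAD = 10, 40

# Constructed sample input (assumption): one command per line, per router.
SAMPLE_CONFIGS = {
    "rtr-a": """
        ipv6 router ospf
        distance ospf intra 5
        interface vlan 7
        ipv6 enable
        ipv6 ospf enable
        ipv6 ospf hello-interval 20
        ipv6 ospf dead-interval 60
    """,
    "rtr-b": """
        ipv6 router ospf
        distance ospf inter 6
        distance ospf type1 255
        interface vlan 7
        ipv6 ospf enable
        ipv6 ospf hello-interval 20
        ipv6 ospf dead-interval 50
        ipv6 ospf mtu-ignore
    """,
}


def parse(text):
    """Return (distance preferences, per-VLAN OSPFv3 settings) for one router."""
    distance = dict(DEFAULT_DISTANCE)
    vlans, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.fullmatch(r"interface vlan (\d+)", line)
        if m:
            current = vlans.setdefault(int(m.group(1)), {
                "hello": DEFAULT_HELLO, "dead": DEFAULT_DEAD,
                "ipv6": False, "ospf": False, "mtu_ignore": False})
            continue
        if line == "ipv6 router ospf":
            current = None  # back in router configuration mode
            continue
        m = re.fullmatch(r"distance ospf (intra|inter|type1|type2) (\d+)", line)
        if m:
            distance[m.group(1)] = int(m.group(2))
            continue
        if current is None:
            continue
        m = re.fullmatch(r"ipv6 ospf (hello|dead)-interval (\d+)", line)
        if m:
            current[m.group(1)] = int(m.group(2))
        elif line == "ipv6 enable":
            current["ipv6"] = True
        elif line == "ipv6 ospf enable":
            current["ospf"] = True
        elif line == "ipv6 ospf mtu-ignore":
            current["mtu_ignore"] = True
    return distance, vlans


def audit(configs):
    """Return a list of (scope, finding) tuples for a set of router configs."""
    findings = []
    seen = defaultdict(lambda: defaultdict(set))  # vlan -> timer -> values seen
    for name in sorted(configs):
        distance, vlans = parse(configs[name])
        order = [distance[k] for k in ("intra", "inter", "type1", "type2")]
        if any(a >= b for a, b in zip(order, order[1:])):
            findings.append((name, "distance-order"))  # intra < inter < type1 < type2
        for kind, pref in distance.items():
            if pref == 255:  # a preference of 255 cannot forward traffic
                findings.append((name, "distance-255:" + kind))
        for vlan, s in sorted(vlans.items()):
            if not s["ospf"]:
                continue
            where = "%s vlan %d" % (name, vlan)
            if not s["ipv6"]:  # OSPFv3 needs 'ipv6 enable' on the interface
                findings.append((where, "ipv6-not-enabled"))
            if s["hello"] and s["dead"] % s["hello"]:
                findings.append((where, "dead-not-multiple-of-hello"))
            if s["mtu_ignore"]:  # MTU mismatch detection switched off
                findings.append((where, "mtu-ignore"))
            seen[vlan]["hello"].add(s["hello"])
            seen[vlan]["dead"].add(s["dead"])
    for vlan in sorted(seen):
        for timer in ("hello", "dead"):
            if len(seen[vlan][timer]) > 1:  # must match on a common network
                findings.append(("vlan %d" % vlan, timer + "-interval-mismatch"))
    return findings


if __name__ == "__main__":
    for where, code in audit(SAMPLE_CONFIGS):
        print(where, code)
```
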
OSPFv3 Show Commands
SecureStack C3 Configuration Guide 25-29
OSPFv3 Show Commands
Purpose
ThesecommandsareusedtodisplayOSPFv3informationandstatistics.
Commands
show ipv6 ospf
ThiscommanddisplaysOSPFv3routerinformation.
Syntax
show ipv6 ospf
Parameters
None.
Defaults
None.
Mode
Routerprivilegedexecution:C3(su)>router#
Example
ThisexampleshowshowtodisplayOSPFv3routerinformation.
C3( su) - >r out er # show i pv6 ospf
Rout er I D 2. 2. 2. 2
OSPF Admi n Mode Enabl e
ASBR Mode Enabl e
For information about... Refer to page...
show ipv6 ospf 25-29
show ipv6 ospf area 25-31
show ipv6 ospf abr 25-32
show ipv6 ospf asbr 25-33
show ipv6 ospf database 25-34
show ipv6 ospf interface 25-38
show ipv6 ospf interface stats 25-40
show ipv6 ospf neighbor 25-42
show ipv6 ospf range 25-44
show ipv6 ospf stub table 25-45
show ipv6 ospf virtual-link 25-46
show ipv6 ospf
25-30 OSPFv3 Configuration
ABR St at us Enabl e
Exi t Over f l ow I nt er val 0
Ext er nal LSA Count 0
Ext er nal LSA Checksum 0
New LSAs Or i gi nat ed 89
LSAs Recei ved 177
Ext er nal LSDB Li mi t No Li mi t
Def aul t Met r i c Not Conf i gur ed
Maximum Paths                   4
Default Route Advertise         Disabled
Always                          FALSE
Metric
Metric Type                     External Type 2
Table 25-1 provides an explanation of the command output.
Note: Some of the information in Table 25-1 displays only if you enable OSPFv3 and configure
certain features.
Table 25-1 show ipv6 ospf Output Details
Output Field               What It Displays...
Router ID                  A 32 bit integer in dotted decimal format identifying the router about which information is displayed. This is a configured value.
OSPF Admin Mode            Whether the administrative mode of OSPF in the router is enabled or disabled. This is a configured value.
ASBR Mode                  Whether the ASBR mode is enabled or disabled. Enabled implies that the router is an autonomous system border router. The router automatically becomes an ASBR when it is configured to redistribute routes learned from other protocols. The possible values for the ASBR status are enabled (if the router is configured to redistribute routes learned by other protocols) or disabled (if the router is not configured to do so).
ABR Status                 Whether the router is an OSPF Area Border Router.
Exit Overflow Interval     The number of seconds that, after entering Overflow State, a router will attempt to leave Overflow State.
External LSA Count         The number of external (LS type 5) link-state advertisements in the link-state database.
External LSA Checksum      The sum of the LS checksums of external link-state advertisements contained in the link-state database.
New LSAs Originated        The number of new link-state advertisements that have been originated.
LSAs Received              The number of link-state advertisements received determined to be new instantiations.
External LSDB Limit        The maximum number of non-default AS-external-LSA entries that can be stored in the link-state database.
Default Metric             Default value for redistributed routes.
Maximum Paths              The maximum number of paths that OSPF can report for a given destination.
Default Route Advertise    Whether the default routes received from other source protocols are advertised or not.
Table 25-1 show ipv6 ospf Output Details (Continued)
Output Field               What It Displays...
Always                     Whether default routes are always advertised.
Metric                     The metric for the advertised default routes. If the metric is not configured, this field is blank.
Metric Type                Whether the routes are External Type 1 or External Type 2.

show ipv6 ospf area
This command displays information about the specified OSPFv3 area.
Syntax
show ipv6 ospf area areaid
Parameters
areaid    Specifies the area ID in IP address format (dotted quad) or as a decimal value.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
This example shows how to display OSPFv3 information for area 20.
C3(su)->router>show ipv6 ospf area 20
AreaID                          0.0.0.20
External Routing                Import NSSAs
Spf Runs                        7
Area Border Router Count        0
Area LSA Count                  5
Area LSA Checksum               188094
Stub Mode                       Disable
Table 25-2 provides an explanation of the command output.
Table 25-2 show ipv6 ospf area Output Details
Output Field               What It Displays...
AreaID                     Area ID of the requested OSPFv3 area.
External Routing           The external routing capabilities for this area.
Spf Runs                   Number of times that the intra-area route table has been calculated using this area's link-state database.
Area Border Router Count   Total number of area border routers reachable within this area.
Area LSA Count             Total number of link-state advertisements in this area's link-state database, excluding AS External LSAs.
Table 25-2 show ipv6 ospf area Output Details (Continued)
Output Field               What It Displays...
Area LSA Checksum          Number representing the Area LSA Checksum for the specified Area ID excluding the external (LS type 5) link-state advertisements.
Stub Mode                  Whether the specified area is a stub area or not. The possible values are enabled and disabled. This is a configured value.
Import Summary LSAs        Whether to import summary LSAs (enabled or disabled).
OSPF Stub Metric Value     Metric value of the stub area. This field displays only if the area is configured as a stub area.

show ipv6 ospf abr
This command displays OSPFv3 routes to reach area border routers.
Syntax
show ipv6 ospf abr
Parameters
None.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
This example shows how to display OSPFv3 area border router information.
C3(su)->router# show ipv6 ospf abr
Type   Router Id   Cost  Area ID    Next Hop                   Next Hop
                                                               Intf
---------------------------------------------------------------------------
INTRA  82.15.0.1   10    0.0.0.10   FE80::200:2DFF:FEE6:FB6B   Vlan 48
Table 25-3 provides an explanation of the command output.
Table 25-3 show ipv6 ospf abr Output Details
Output Field               What It Displays...
Type                       The type of the route to the destination, which is one of the following values:
                             INTRA  Intra-area route
                             INTER  Inter-area route
Router ID                  Router ID of the destination.
Cost                       Cost of using this route.
Area ID                    The area ID of the area from which this route is learned.
Table 25-3 show ipv6 ospf abr Output Details (Continued)
Output Field               What It Displays...
Next Hop                   Address of the next hop toward the destination.
Next Hop Intf              The outgoing router interface to use when forwarding traffic to the next hop.

show ipv6 ospf asbr
This command displays OSPFv3 routes to reach AS border routers.
Syntax
show ipv6 ospf asbr
Parameters
None.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
This example shows how to display OSPFv3 AS border router routes.
C3(su)->router# show ipv6 ospf asbr
Type   Router Id   Cost  Area ID    Next Hop                   Next Hop
                                                               Intf
---------------------------------------------------------------------------
INTER  1.11.1.1    5     0.0.0.20   FE80::100:1111:FEE6:FB7A   Vlan 35
Table 25-4 provides an explanation of the command output.
Table 25-4 show ipv6 ospf asbr Output Details
Output Field               What It Displays...
Type                       The type of the route to the destination, which is one of the following values:
                             INTRA  Intra-area route
                             INTER  Inter-area route
Router ID                  Router ID of the destination.
Cost                       Cost of using this route.
Area ID                    The area ID of the area from which this route is learned.
Next Hop                   Address of the next hop toward the destination.
Next Hop Intf              The outgoing router interface to use when forwarding traffic to the next hop.

show ipv6 ospf database
This command displays information about the link state database when OSPFv3 is enabled.
Syntax
show ipv6 ospf [areaid] database [{external | inter-area {prefix | router} | link |
network | nssa-external | prefix | router | unknown {area | as | link}}]
[lsid] [{adv-router [rtrid] | self-originate | database-summary}]
Parameters
areaid                       (Optional) Display database information about a specific area. Enter the area ID in IP address format (dotted quad) or as a decimal value.
external                     (Optional) Display external LSAs.
inter-area                   (Optional) Display inter-area LSAs.
prefix                       (Optional) Display intra-area Prefix LSAs.
router                       (Optional) Display router LSAs.
link                         (Optional) Display link LSAs.
network                      (Optional) Display network LSAs.
nssa-external                (Optional) Display NSSA external LSAs.
unknown {area | as | link}   (Optional) Display unknown area, unknown AS, or unknown link LSAs.
lsid                         (Optional) Specifies the link state ID.
adv-router [rtrid]           (Optional) Display the LSAs that are restricted by the advertising router. Optionally, specify the router by its router ID (rtrid), entered as a 32-bit dotted quad value.
self-originate               (Optional) Display LSAs that are self-originated.
database-summary             (Optional) Displays the number of each type of LSA in the database and the total number of LSAs in the database.
Defaults
If no parameters are entered, LSA headers for all areas are displayed.
Mode
Router privileged execution: C3(su)->router#
Usage
If you execute this command without any parameters, LSA headers for all areas are displayed. Use
the areaid parameter to display database information for a specific area. The other optional
parameters can be used to specify a particular type of link state advertisement to display.
Examples
This example displays the output when an area ID is specified.
C3(su)->router#show ipv6 ospf 10 database
Inter Network States (Area 0.0.0.10)
Adv Router      Link Id  Age   Sequence  Csum  Options  Rtr Opt
-----------------------------------------------------------------
2.2.2.2         1        153   80000026  A8F2
Intra Prefix States (Area 0.0.0.10)
Adv Router      Link Id  Age   Sequence  Csum  Options  Rtr Opt
-----------------------------------------------------------------
2.2.2.2         0        506   80000027  DD00
AS External States
Adv Router      Link Id  Age   Sequence  Csum  Options  Rtr Opt
-----------------------------------------------------------------
2.2.2.2         1        342   8000002C  0C20
This example shows partial output of this command when no parameters are specified.
C3(su)->router>show ipv6 ospf database
router links States (Area 0.0.0.0)
Adv Router      Link Id  Age   Sequence  Csum  Options  Rtr Opt
-----------------------------------------------------------------
2.2.2.2         0        1288  80000273  32A9  V6E--R-  ---EB
3.3.3.3         0        1098  80000251  7D11  V6E--RD  -----
network links States (Area 0.0.0.0)
Adv Router      Link Id  Age   Sequence  Csum  Options  Rtr Opt
-----------------------------------------------------------------
3.3.3.3         3        1098  800001DB  8A7F  V6E--RD
Link States (Area 0.0.0.0)
Adv Router      Link Id  Age   Sequence  Csum  Options  Rtr Opt
-----------------------------------------------------------------
3.3.3.3         3        1098  800001DA  0F95  V6E--RD
2.2.2.2         426      1288  80000213  DFC0  V6E--R-
--More-- or (q)uit
This example illustrates the output of this command using the adv-router parameter.
C3(su)->router>show ipv6 ospf database external adv-router
AS External States
LS Age: 930
LS Type: AS-External-LSA
LS Id: 1
Advertising Router: 2.2.2.2
LS Seq Number: 0x80000006
Checksum: 0x3e4c
Length: 36
Options: (E-Bit)
Metric Type: 2
Metric: 20
IPv6 Prefix: 2301::/64 (None)
Table 25-5 provides an explanation of the command output.
Table 25-5 show ipv6 ospf database Output Details
Output Field               What It Displays...
Link Id                    Number that uniquely identifies an LSA that a router originates from all other self originated LSAs of the same LS type.
Advertising Router         The Advertising Router. Is a 32 bit dotted decimal number representing the LSDB interface.
LS Age                     Number representing the age of the link state advertisement in seconds.
LS Type                    The format and function of the specified LSA.
LS Seq Number              Number that represents which LSA is more recent.
Checksum                   Total number LSA checksum.
Length                     Size of the LSA in bytes.
Options                    Option bits in LSA header. Refer to section A.2 in RFC 2740 for more information. Possible values are:
                             V6 indicates status of V6 bit. If this bit is clear, the router/link should be excluded from IPv6 routing calculations.
                             E indicates status of E-bit. This bit describes the way AS-external-LSAs are flooded.
                             M indicates the status of MC-bit. This bit describes whether IP multicast datagrams are forwarded.
                             N indicates the status of N-bit. This bit describes the handling of Type-7 LSAs.
                             R indicates the status of R-bit. This bit (the 'Router' bit) indicates whether the originator is an active router.
                             D indicates the status of DC-bit. This bit describes the router's handling of demand circuits.
Metric Type                Whether the route specified is external type 1 or external type 2.
Metric                     The cost of using the specified router link.
IPv6 Prefix                The IPv6 route with prefix mask being displayed.
This example shows how to display OSPF database summary information.
C3(su)->router#show ipv6 ospf database database-summary
OSPF Router with ID (2.2.2.2)
Area 0.0.0.0 Database Summary
Router                          2
Network                         1
Inter-area Prefix               1
Inter-area Router               0
Type-7 Ext                      0
Link                            2
Intra-area Prefix               2
Link Unknown                    0
Area Unknown                    0
AS Unknown                      0
AS Unknown                      0
Self Originated Type-7          0
Subtotal                        8
Area 0.0.0.10 Database Summary
Router                          2
Network                         1
Inter-area Prefix               51
Inter-area Router               0
Type-7 Ext                      0
Link                            2
Intra-area Prefix               2
Link Unknown                    0
Area Unknown                    0
AS Unknown                      0
AS Unknown                      0
Self Originated Type-7          0
Subtotal                        58
Router database summary
Router                          4
Network                         2
Inter-area Prefix               52
Inter-area Router               0
Type-7 Ext                      0
Link                            4
Intra-area Prefix               4
Link Unknown                    0
Area Unknown                    0
AS Unknown                      0
Type-5 Ext                      0
Self-Originated Type-5 Ext      0
Total                           66
Table 25-6 provides an explanation of the database summary command output.
Table 25-6 show ipv6 ospf database database-summary Output Details
Output Field               What It Displays...
Router                     Total number of router LSAs in the OSPFv3 link state database.
Network                    Total number of network LSAs in the OSPFv3 link state database.
Inter-area Prefix          Total number of inter-area prefix LSAs in the OSPFv3 link state database.
Inter-area Router          Total number of inter-area router LSAs in the OSPFv3 link state database.
Type-7 Ext                 Total number of NSSA external LSAs in the OSPFv3 link state database.
Link                       Total number of link LSAs in the OSPFv3 link state database.
Intra-area Prefix          Total number of intra-area prefix LSAs in the OSPFv3 link state database.
Table 25-6 show ipv6 ospf database database-summary Output Details (Continued)
Output Field               What It Displays...
Link Unknown               Total number of link-source unknown LSAs in the OSPFv3 link state database.
Area Unknown               Total number of area unknown LSAs in the OSPFv3 link state database.
AS Unknown                 Total number of as unknown LSAs in the OSPFv3 link state database.
Self Originated Type-7     Total number of self-originated NSSA External Link-State Advertisements in the OSPFv3 link state database.
Type-5 Ext                 Total number of AS external LSAs in the OSPFv3 link state database.
Self-Originated Type-5     Total number of self originated AS external LSAs in the OSPFv3 link state database.
Total                      Total number of router LSAs in the OSPFv3 link state database.

show ipv6 ospf interface
This command displays information about OSPFv3 interfaces.
Syntax
show ipv6 ospf interface {vlan vlanid | tunnel tunnelid | loopback loopid}
Parameters
vlan vlanid        Specifies the VLAN interface to display information about.
tunnel tunnelid    Specifies the tunnel interface to display information about.
loopback loopid    Specifies the loopback interface to display information about.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Examples
This example displays information about OSPFv3 routing interface VLAN 80.
C3(su)->router>show ipv6 ospf interface vlan 80
IPv6 Address                    FE80::211:88FF:FE56:5D8F
ifIndex                         430
OSPF Admin Mode                 Enable
OSPF Area ID                    0.0.0.20
Router Priority                 1
Retransmit Interval             5
Hello Interval                  10
Dead Interval                   40
LSA Ack Interval                1
Iftransit Delay Interval        1
Authentication Type             None
Metric Cost                     10 (computed)
OSPF Mtu-ignore                 Disable
OSPF Interface Type             broadcast
State                           designated-router
Designated Router               2.2.2.2
Backup Designated Router        0.0.0.0
Number of Link Events           2
This example displays information about tunnel interface 0. Table 25-7 on page 25-39 explains the
content of the output fields.
C3(su)->router#show ipv6 ospf interface tunnel 0
IPv6 Address                    FE80::5000:2
ifIndex                         456
OSPF Admin Mode                 Enable
OSPF Area ID                    0.0.0.0
Router Priority                 1
Retransmit Interval             5
Hello Interval                  10
Dead Interval                   40
LSA Ack Interval                1
Iftransit Delay Interval        1
Authentication Type             None
Metric Cost                     1 (computed)
OSPF Mtu-ignore                 Disable
OSPF Interface Type             point-to-point
State                           point-to-point
Designated Router               0.0.0.0
Backup Designated Router        0.0.0.0
Number of Link Events           1
Table 25-7 provides an explanation of the command output.
Table 25-7 show ipv6 ospf interface Command Output Details
Output Field               What It Displays...
IPv6 Address               The IPv6 address of the interface.
ifIndex                    The interface index number associated with the interface.
OSPF Admin Mode            Whether the admin mode is enabled or disabled.
OSPF Area ID               The area ID associated with this interface.
Router Priority            The router priority. The router priority determines which router is the designated router.
Retransmit Interval        The frequency, in seconds, at which the interface sends LSA.
Hello Interval             The frequency, in seconds, at which the interface sends Hello packets.
Dead Interval              The amount of time, in seconds, the interface waits before assuming a neighbor is down.
LSA Ack Interval           The amount of time, in seconds, the interface waits before sending an LSA acknowledgement after receiving an LSA.
Iftransit Delay Interval   The number of seconds the interface adds to the age of LSA packets before transmission.
Authentication Type        The type of authentication the interface performs on LSAs it receives.
Table 25-7 show ipv6 ospf interface Command Output Details (Continued)
Output Field               What It Displays...
Metric Cost                The priority of the path. Low costs have a higher priority than high costs.
OSPF MTU-ignore            Whether to ignore MTU mismatches in database descriptor packets sent from neighboring routers.
The following information only displays if OSPF is initialized on the interface:
OSPF Interface Type        Broadcast LANs, such as Ethernet and IEEE 802.5, take the value broadcast. Tunnel interfaces take the value point-to-point.
State                      The OSPF Interface States are: down, loopback, waiting, point-to-point, designated router, and backup designated router.
Designated Router          The router ID representing the designated router.
Backup Designated Router   The router ID representing the backup designated router.
Number of Link Events      The number of link events.

show ipv6 ospf interface stats
This command displays statistics for a specific interface. Statistics are displayed only if OSPFv3 is
enabled.
Syntax
show ipv6 ospf interface stats vlan vlanid
Parameters
vlan vlanid    Specifies the VLAN interface for which to display statistics.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
This example shows how to display statistics for VLAN 80.
C3(su)->router>show ipv6 ospf interface stats vlan 80
OSPFv3 Area ID                  0.0.0.20
Spf Runs                        7
Area Border Router Count        0
AS Border Router Count          0
Area LSA Count                  5
IPv6 Address                    FE80::211:88FF:FE56:5D8F/128
OSPF Interface Events           2
Virtual Events                  0
Neighbor Events                 0
External LSA Count              1
LSAs Received                   1903
Originate New LSAs              4198
Sent Packets                    1053
Received Packets                0
Discards                        0
Bad Version                     0
Virtual Link Not Found          0
Area Mismatch                   0
Invalid Destination Address     0
No Neighbor at Source Address   0
Invalid OSPF Packet Type        0
Packet Type             Sent    Received
----------------------------------------
Hello                   1053    0
Database Description    0       0
LS Request              0       0
LS Update               0       0
LS Acknowledgement      0       0
Table 25-8 provides an explanation of the command output.
Table 25-8 show ipv6 ospf interface stats Output Details
Output Field                    What It Displays...
OSPFv3 Area ID                  The area ID of this OSPFv3 interface.
Spf Runs                        The number of times that the intra-area route table has been calculated using this area's link-state database.
Area Border Router Count        The total number of area border routers reachable within this area.
AS Border Router Count          The total number of AS border routers reachable within this area.
Area LSA Count                  Total number of link-state advertisements in this area's link-state database, excluding AS External LSAs.
IPv6 Address                    The IP address associated with this OSPFv3 interface.
OSPF Interface Events           The number of times the specified OSPFv3 interface has changed its state, or an error has occurred.
Virtual Events                  The number of state changes or errors that occurred on this virtual link.
Neighbor Events                 The number of times this neighbor relationship has changed state, or an error has occurred.
External LSA Count              Total number of AS External link-state advertisements in this area's link-state database.
LSAs Received                   Number of link-state advertisements received.
Originate New LSAs              Number of LSAs originated.
Sent Packets                    The number of OSPFv3 packets sent on the interface.
Received Packets                The number of OSPFv3 packets received on the interface.
Discards                        Number of packets discarded.
Bad Version                     Number of bad version packets received.
Virtual Link Not Found          Number of virtual link not found packets received.
Area Mismatch                   Number of area mismatch packets received.
Invalid Destination Address     Number of invalid destination address packets received.
No Neighbor at Source Address   Number of no neighbor at source address packets received.
Table 25-8 show ipv6 ospf interface stats Output Details (Continued)
Output Field                    What It Displays...
Invalid OSPF Packet Type        Number of packets received with invalid packet type.
Packet Type / Sent / Received   Columns listing packet types and number of packets sent and received per type.

show ipv6 ospf neighbor
This command displays information about OSPFv3 neighbors.
Syntax
show ipv6 ospf neighbor [interface {vlan vlanid | tunnel tunnelid}] [neighborid]
Parameters
interface          (Optional) Restricts the output display to a specific interface.
vlan vlanid        Specify the VLAN interface to display information about.
tunnel tunnelid    Specify the tunnel interface to display
neighborid         (Optional) Specify the neighbor by its router ID, specified in 32-bit dotted quad format.
Defaults
When no parameters are specified, information about all neighbors is displayed.
Mode
Router privileged execution: C3(su)->router#
Usage
If you do not specify a neighbor router ID, the output displays summary information in a table. If
you specify an interface or tunnel, only the information for that interface or tunnel displays.
When you specify a neighbor by router ID, detailed information about the neighbor displays.
The information is displayed only if OSPFv3 is enabled and the interface has a neighbor.
Examples
This example illustrates the summary information displayed when no neighbor is specified.
C3(su)->router#show ipv6 ospf neighbor
Router ID   Priority  Intf  Interface   State      Dead
                      ID                           Time
------------------------------------------------------------
3.3.3.3     1         3     Vlan 36     Full/DR    32
6.6.6.6     1         456   Tunnel 0    Full/PtP   31
Table 25-9 provides an explanation of the command output.
Table 25-9 show ipv6 ospf neighbor Output Details
Output Field               What It Displays...
Router ID                  The 4-digit dotted-decimal number of the neighbor router.
Priority                   OSPFv3 priority for the specified interface. The priority of an interface is a priority integer from 0 to 255. A value of '0' indicates that the router is not eligible to become the designated router on this network.
Intf ID                    Interface ID of the neighbor.
Interface                  Interface of the local router.
State                      State of the neighboring routers. Possible values are:
                             Down - initial state of the neighbor conversation - no recent information has been received from the neighbor.
                             Attempt - no recent information has been received from the neighbor but a more concerted effort should be made to contact the neighbor.
                             Init - a Hello packet has recently been seen from the neighbor, but bidirectional communication has not yet been established.
                             2 way - communication between the two routers is bidirectional. This is the final state between two routers, both of which are non-designated routers or back-up designated routers.
                             Exchange start - the first step in creating an adjacency between the two neighboring routers, the goal is to decide which router is the master and to decide upon the initial DD sequence number.
                             Exchange - the router is describing its entire link state database by sending Database Description packets to the neighbor.
                             Loading - Link State Request packets are sent to the neighbor asking for the more recent LSAs that have been discovered (but not yet received) in the Exchange state.
                             Full - the neighboring routers are fully adjacent and they will now appear in router-LSAs and network-LSAs.
Dead Time                  Amount of time, in seconds, to wait before the router assumes the neighbor is unreachable.
This example displays the output of this command when a neighbor is specified.
C3(su)->router#show ipv6 ospf neighbor 8.8.8.8
Interface                       Vlan 45
Area Id                         0.0.0.30
Options                         0x2
Router Priority                 128
Dead timer due in (secs)        33
State                           Full/DR
Events                          6
Retransmission Queue Length     0
Table 25-10 provides an explanation of the command output.
Table 25-10 show ipv6 ospf neighbor routerid Output Details
Output Field                   What It Displays...
Interface                      Interface of the local router.
Area ID                        OSPFv3 area ID associated with the interface.
Options                        An integer value that indicates the optional OSPFv3 capabilities supported by the neighbor. These are listed in its Hello packets. This enables received Hello Packets to be rejected (that is, neighbor relationships will not even start to form) if there is a mismatch in certain crucial OSPFv3 capabilities.
Router Priority                Router priority for the specified interface.
Dead Timer Due                 Amount of time, in seconds, to wait before the router assumes the neighbor is unreachable.
State                          State of the neighboring routers.
Events                         Number of times this neighbor relationship has changed state, or an error has occurred.
Retransmission Queue Length    Integer representing the current length of the retransmission queue of the specified neighbor router Id of the specified interface.

show ipv6 ospf range
This command displays information about the area ranges for the specified area.
Syntax
show ipv6 ospf range areaid
Parameters
areaid    Specifies the area ID in IP address format (dotted quad) or as a decimal value.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
This example displays range information for area 20.
C3(su)->router#show ipv6 ospf range 20
Area ID    IPv6 Prefix/Prefix Length    Lsdb Type      Advertisement
--------------------------------------------------------------------
0.0.0.20   3345:1234::/64               Summary Link   Enabled
Table 25-11 provides an explanation of the command output.
Table 25-11 show ipv6 ospf range Output Details
Output Field                 What It Displays...
Area ID                      The area ID of the requested OSPFv3 area.
IPv6 Prefix/Prefix Length    An IPv6 prefix and length which represents a configured area range.
Lsdb Type                    The type of link advertisement associated with this area range.
Advertisement                The status of the advertisement: enabled or disabled.

show ipv6 ospf stub table
This command displays the OSPFv3 stub table, if OSPFv3 is initialized on the switch.
Syntax
show ipv6 ospf stub table
Parameters
None.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
This example displays the OSPFv3 stub table information.
C3(su)->router# show ipv6 ospf stub table
AreaId     TypeofService   Metric Val   ImportSummaryLSA
--------------------------------------------------------
0.0.0.20   Normal          1            Enable
Table 25-12 provides an explanation of the command output.
Table 25-12 show ipv6 ospf stub table Output Details
Output Field               What It Displays...
Area ID                    A 32-bit identifier for the created stub area.
Type of Service            Type of service associated with the stub metric. For this release, Normal TOS is the only supported type.
Metric Val                 The metric value is applied based on the TOS. It defaults to the least metric of the type of service among the interfaces to other areas. The OSPFv3 cost for a route is a function of the metric value.
Import Summary LSA         Controls the import of summary LSAs into stub areas.

show ipv6 ospf virtual-link
This command displays the OSPFv3 virtual interface information for a specific area and neighbor.
Syntax
show ipv6 ospf virtual-link areaid neighborid
Parameters
areaid        Specifies the area ID in IP address format (dotted quad) or as a decimal value.
neighborid    Specifies the neighbor by its router ID, specified in 32-bit dotted quad format.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
This example displays virtual link information for area ID 10 and the neighbor with router ID
3.3.3.3.
C3(su)->router(Config)#show ipv6 ospf virtual-link 10 3.3.3.3
Area ID                         10
Neighbor IP Address             3.3.3.3
Hello Interval                  10
Dead Interval                   40
Iftransit Delay Interval        1
Retransmit Interval             5
State                           DOWN
Metric                          0
Neighbor State                  DOWN
Table 25-13 provides an explanation of the command output.
Table 25-13 show ipv6 ospf virtual-link Output Details
Output Field               What It Displays...
Area ID                    The area ID of the requested OSPFv3 area.
Neighbor Router ID         The input neighbor Router ID.
Hello Interval             The configured hello interval for the OSPFv3 virtual interface.
Dead Interval              The configured dead interval for the OSPFv3 virtual interface.
Iftransit Delay Interval   The configured transit delay for the OSPFv3 virtual interface.
Retransmit Interval        The configured retransmit interval for the OSPFv3 virtual interface.
State                      The OSPFv3 Interface States are: down, loopback, waiting, point-to-point, designated router, and backup designated router. This is the state of the OSPFv3 interface.
Table 25-13 show ipv6 ospf virtual-link Output Details (Continued)
Output Field               What It Displays...
Metric                     The metric of this virtual link.
Neighbor State             The state of the neighbor. States are: down, loopback, waiting, point-to-point, designated router, and backup designated router.
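
The following added example, which is not part of the Enterasys guide, parses captured show ipv6 ospf interface output using the field names from Table 25-7 and reports OSPFv3-enabled interfaces whose Authentication Type is None, whose MTU mismatch check is ignored, or whose designated router is not on an allow-list. The expected_routers allow-list, the function names, and the finding strings are assumptions introduced here; the sample session is abridged from the examples in this chapter.

```python
import re

# Field names from Table 25-7. Names and values are separated only by spaces
# and the names themselves contain spaces, so the parser matches known names.
FIELDS = sorted([
    "IPv6 Address", "ifIndex", "OSPF Admin Mode", "OSPF Area ID",
    "Router Priority", "Retransmit Interval", "Hello Interval",
    "Dead Interval", "LSA Ack Interval", "Iftransit Delay Interval",
    "Authentication Type", "Metric Cost", "OSPF Mtu-ignore",
    "OSPF Interface Type", "State", "Designated Router",
    "Backup Designated Router", "Number of Link Events",
], key=len, reverse=True)

# Matches C3(su)->router>, C3(su)->router# and C3(su)->router(Config)#
PROMPT = r"^\S+->router\S*[>#]\s*"
CMD_RE = re.compile(
    PROMPT + r"show ipv6 ospf interface\s+(vlan|tunnel|loopback)\s+(\S+)\s*$",
    re.I)
ANY_PROMPT_RE = re.compile(PROMPT)

# Abridged from the two interface examples in this chapter (spacing repaired),
# followed by the start of the virtual-link example, which must not leak into
# the "tunnel 0" block.
SAMPLE = """\
C3(su)->router>show ipv6 ospf interface vlan 80
IPv6 Address                    FE80::211:88FF:FE56:5D8F
ifIndex                         430
OSPF Admin Mode                 Enable
OSPF Area ID                    0.0.0.20
Hello Interval                  10
Dead Interval                   40
Authentication Type             None
Metric Cost                     10 (computed)
OSPF Mtu-ignore                 Disable
OSPF Interface Type             broadcast
State                           designated-router
Designated Router               2.2.2.2
Backup Designated Router        0.0.0.0
C3(su)->router#show ipv6 ospf interface tunnel 0
IPv6 Address                    FE80::5000:2
OSPF Admin Mode                 Enable
OSPF Area ID                    0.0.0.0
Authentication Type             None
OSPF Mtu-ignore                 Disable
OSPF Interface Type             point-to-point
State                           point-to-point
Designated Router               0.0.0.0
Backup Designated Router        0.0.0.0
C3(su)->router(Config)#show ipv6 ospf virtual-link 10 3.3.3.3
Hello Interval                  10
State                           DOWN
"""


def parse_session(text):
    """Return {"vlan 80": {field: value, ...}, ...} from a captured CLI session."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        cmd = CMD_RE.match(line)
        if cmd:
            key = f"{cmd.group(1).lower()} {cmd.group(2)}"
            current = interfaces.setdefault(key, {})
        elif ANY_PROMPT_RE.match(line):
            current = None                  # another command: stop collecting
        elif current is not None:
            low = line.lower()
            for name in FIELDS:
                if low.startswith(name.lower() + " "):
                    current[name] = line[len(name):].strip()
                    break
    return interfaces


def audit(interfaces, expected_routers):
    """Return sorted (interface, finding) pairs for OSPFv3-enabled interfaces."""
    findings = []
    for ifname, f in interfaces.items():
        if f.get("OSPF Admin Mode", "").lower() != "enable":
            continue                        # OSPFv3 is not running here
        if f.get("Authentication Type", "").lower() == "none":
            findings.append((ifname, "no authentication on received LSAs"))
        if f.get("OSPF Mtu-ignore", "").lower() == "enable":
            findings.append((ifname, "MTU mismatches are ignored"))
        for role in ("Designated Router", "Backup Designated Router"):
            rid = f.get(role, "0.0.0.0")
            if rid != "0.0.0.0" and rid not in expected_routers:
                findings.append((ifname, f"unexpected {role.lower()} {rid}"))
    return sorted(findings)


if __name__ == "__main__":
    # expected_routers is a hypothetical allow-list of known router IDs.
    for ifname, finding in audit(parse_session(SAMPLE), {"2.2.2.2", "3.3.3.3"}):
        print(f"{ifname}: {finding}")
```
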
SecureStack C3 Configuration Guide 26-1
26
Authentication and Authorization
Configuration
Thischapterdescribesthefollowingauthenticationandauthorizationcommandsandhowtouse
them.ForinformationaboutusingtheTACACS+authenticationmethodformanagement,see
Chapter 27,TACACS+Configuration.
Overview of Authentication and Authorization Methods
Thefollowingmethodsareavailableforcontrollingwhichusersareallowedtoaccess,monitor,
andmanagetheswitch.
LoginuseraccountsandpasswordsusedtologintotheCLIviaaTelnetconnectionorlocal
COMportconnection.Fordetails,refertoSettingUserAccountsandPasswordson
page 32.
HostAccessControlAuthentication(HACA)authenticatesuseraccessofTelnet
management,consolelocalmanagementandWebViewviaacentralRADIUSClient/Serveror
For information about... Refer to page...
Overview of Authentication and Authorization Methods 26-1
Setting the Authentication Login Method 26-4
Configuring RADIUS 26-6
Configuring 802.1X Authentication 26-15
Configuring MAC Authentication 26-25
Configuring Multiple Authentication Methods 26-37
Configuring User +IP Phone Authentication 26-48
Configuring VLAN Authorization (RFC 3580) 26-49
Configuring Policy Maptable Response 26-52
Configuring MAC Locking 26-57
Configuring Port Web Authentication (PWA) 26-68
Configuring Secure Shell (SSH) 26-80
Configuring Access Lists 26-82
Note: An Enterasys Networks Feature Guide document containing an in-depth discussion of
authentication and authorization configuration is located on the Enterasys Networks web site:
http://www.enterasys.com/support/manuals/
Overview of Authentication and Authorization Methods
26-2 Authentication and Authorization Configuration
TACACS+ application. When RADIUS or TACACS+ is enabled, this essentially overrides login user accounts. When HACA is active per a valid RADIUS or TACACS+ configuration, the user names and passwords used to access the switch via Telnet, SSH, WebView, and COM ports will be validated against the configured RADIUS server. Only in the case of a RADIUS timeout will those credentials be compared against credentials locally configured on the switch. For details, refer to "Configuring RADIUS" on page 26-6.
- SNMP user or community names: allows access to the SecureStack C3 switch via a network SNMP management application. To access the switch, you must enter an SNMP user or community name string. The level of management access is dependent on the associated access policy. For details, refer to Chapter 8.
- 802.1X Port Based Network Access Control using EAPOL (Extensible Authentication Protocol): provides a mechanism via a RADIUS server for administrators to securely authenticate and grant appropriate access to end user devices communicating with SecureStack C3 ports. For details on using CLI commands to configure 802.1X, refer to "Configuring 802.1X Authentication" on page 26-15.
  Note: To configure EAP pass-through, which allows client authentication packets to be forwarded through the switch to an upstream device, 802.1X authentication must be globally disabled with the set dot1x command.
- MAC Authentication: provides a mechanism for administrators to securely authenticate source MAC addresses and grant appropriate access to end user devices communicating with SecureStack C3 ports. For details, refer to "Configuring MAC Authentication" on page 26-25.
- Multiple Authentication Methods: allows users to authenticate using multiple methods of authentication on the same port. For details, refer to "Configuring Multiple Authentication Methods" on page 26-37.
- Multi-User Authentication: allows multiple users and devices on the same port to authenticate using any supported authentication method. Each user or device can be mapped to the same or different roles using Enterasys policy for access control, VLAN authorization, traffic rate limiting, and quality of service. This is the most flexible and preferred method to use for VoIP (PC daisy chained to a phone). For details, refer to "About Multi-User Authentication" on page 26-37. Refer to Appendix A, Policy and Authentication Capacities, for a listing of the number of users per port supported by the SecureStack C3.
- User + IP Phone (Legacy feature): The User + IP Phone authentication feature provides legacy support for authentication and authorization of two devices, specifically a PC cascaded with a VLAN-tagging IP phone, on a single port on the switch. The IP phone must authenticate using MAC or 802.1X authentication, but the user may authenticate by any method. This feature allows both the user's PC and IP phone to simultaneously authenticate on a single port and each receive a unique level of network access. For details, refer to "Configuring User + IP Phone Authentication" on page 26-48.
  Note: User + IP Phone authentication is a legacy feature that should only be used if you have already implemented User + IP Phone in your network with switches that do not support true multi-user authentication.
- RFC 3580 tunnel attributes provide a mechanism to contain an 802.1X, MAC, or PWA authenticated user to a VLAN regardless of the PVID. This feature dynamically assigns a VLAN based on the RFC 3580 tunnel attributes returned in the RADIUS accept message. Refer to "Configuring VLAN Authorization (RFC 3580)" on page 26-49.
- Configuring Policy Maptable Response: allows you to define how the system should handle allowing an authenticated user onto a port based on the contents of the RADIUS server Access-Accept reply. There are three possible response settings: tunnel mode, policy mode, or both tunnel and policy, also known as hybrid authentication mode. Refer to "Configuring Policy Maptable Response" on page 26-52.
- MAC Locking: locks a port to one or more MAC addresses, preventing the use of unauthorized devices and MAC spoofing on the port. For details, refer to "Configuring MAC Locking" on page 26-57.
- Port Web Authentication (PWA): passes all login information from the end station to a RADIUS server for authentication before allowing a user to access the network. PWA is an alternative to 802.1X and MAC authentication. For details, refer to "Configuring Port Web Authentication (PWA)" on page 26-68.
- Secure Shell (SSH): provides secure Telnet. For details, refer to "Configuring Secure Shell (SSH)" on page 26-80.
- IP Access Lists (ACLs): permits or denies access to routing interfaces based on protocol and inbound and/or outbound IP address restrictions configured in access lists. For details, refer to "Configuring Access Lists" on page 26-82.
- TACACS+ (Terminal Access Controller Access Control System Plus): a security protocol developed by Cisco Systems that can be used as an alternative to the standard RADIUS security protocol (RFC 2865). TACACS+ runs over TCP and encrypts the body of each packet. Refer to Chapter 27, TACACS+ Configuration, for information about the commands used to configure TACACS+.
RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment
If you configure an authentication method that requires communication with a RADIUS server, you can use the RADIUS Filter-ID attribute to dynamically assign a policy profile and/or management level to authenticating users and/or devices.
The RADIUS Filter-ID attribute is simply a string that is formatted in the RADIUS Access-Accept packet sent back from the RADIUS server to the switch during the authentication process.
Each user can be configured in the RADIUS server database with a RADIUS Filter-ID attribute that specifies the name of the policy profile and/or management level the user should be assigned upon successful authentication. During the authentication process, when the RADIUS server returns a RADIUS Access-Accept message that includes a Filter-ID matching a policy profile name configured on the switch, the switch then dynamically applies the policy profile to the physical port the user/device is authenticating on.
Filter-ID Attribute Formats
Enterasys Networks supports two Filter-ID formats: "decorated" and "undecorated." The decorated format has three forms:
- To specify the policy profile to assign to the authenticating user (network access authentication):
  Enterasys:version=1:policy=string
  where string specifies the policy profile name. Policy profile names are case-sensitive.
- To specify a management level (management access authentication):
  Enterasys:version=1:mgmt=level
  where level indicates the management level, either ro, rw, or su.
- To specify both management level and policy profile:
  Enterasys:version=1:mgmt=level:policy=string
The undecorated format is simply a string that specifies a policy profile name. The undecorated format cannot be used for management access authentication.
Decorated Filter-IDs are processed first by the switch. If no decorated Filter-IDs are found, then undecorated Filter-IDs are processed. If multiple Filter-IDs are found that contain conflicting values, a Syslog message is generated.
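The following Python code is an added example, not part of the Enterasys guide or the switch firmware. It applies the Filter-ID rules above to the strings carried in one Access-Accept, so RADIUS user entries can be checked before they are deployed. The guide does not say which value the switch uses when Filter-IDs conflict, so this example assigns nothing in that case and records a warning; the function names, the rule that a policy name contains no ":", the handling of malformed decorated strings, and the sample strings are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Decorated forms documented in the guide (mgmt, when present, precedes policy):
#   Enterasys:version=1:policy=string
#   Enterasys:version=1:mgmt=level            level is ro, rw or su
#   Enterasys:version=1:mgmt=level:policy=string
# Assumption: a policy profile name contains no ":" character.
DECORATED = re.compile(
    r"^Enterasys:version=1"
    r"(?::mgmt=(?P<mgmt>ro|rw|su))?"
    r"(?::policy=(?P<policy>[^:]+))?$"
)


@dataclass
class Resolution:
    policy: Optional[str] = None   # policy profile name to apply, if any
    mgmt: Optional[str] = None     # management level (ro/rw/su), if any
    source: str = "none"           # "decorated", "undecorated" or "none"
    warnings: List[str] = field(default_factory=list)


def _single(values, label, warnings):
    """Return the one distinct value, or None plus a warning on conflict."""
    distinct = sorted(set(values))
    if len(distinct) > 1:
        warnings.append("conflicting %s values: %s" % (label, ", ".join(distinct)))
        return None
    return distinct[0] if distinct else None


def resolve_filter_ids(filter_ids):
    """Resolve all Filter-ID strings carried in one Access-Accept."""
    res = Resolution()
    policies, levels, undecorated = [], [], []
    for raw in filter_ids:
        value = raw.strip()
        if not value:
            continue
        m = DECORATED.match(value)
        if m and (m.group("mgmt") or m.group("policy")):
            if m.group("mgmt"):
                levels.append(m.group("mgmt"))
            if m.group("policy"):
                policies.append(m.group("policy"))  # case-sensitive, kept as sent
        elif value.startswith("Enterasys:"):
            # Assumption: a broken decorated string is reported, not treated
            # as an undecorated policy name.
            res.warnings.append("malformed decorated Filter-ID: %r" % value)
        else:
            undecorated.append(value)

    if policies or levels:
        # Decorated Filter-IDs are processed first; undecorated ones go unused.
        res.source = "decorated"
        res.policy = _single(policies, "policy", res.warnings)
        res.mgmt = _single(levels, "mgmt", res.warnings)
    elif undecorated:
        # The undecorated form names a policy profile only, never a mgmt level.
        res.source = "undecorated"
        res.policy = _single(undecorated, "policy", res.warnings)
    return res


# Constructed sample replies (not taken from a real RADIUS server).
SAMPLES = {
    "both": ["Enterasys:version=1:mgmt=rw:policy=Engineering"],
    "mixed": ["Guest", "Enterasys:version=1:policy=Sales"],
    "plain": ["Guest"],
    "case-conflict": ["Enterasys:version=1:policy=Sales",
                      "Enterasys:version=1:policy=sales"],
    "bad-level": ["Enterasys:version=1:mgmt=admin"],
    "wrong-order": ["Enterasys:version=1:policy=Sales:mgmt=rw"],
}

if __name__ == "__main__":
    for name, ids in SAMPLES.items():
        print(name, resolve_filter_ids(ids))
```

The "case-conflict" sample shows why case-sensitive policy names matter: "Sales" and "sales" are two different profiles, so a reply carrying both is reported as a conflict.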
Setting the Authentication Login Method
Purpose
To configure the authentication login method to be used for management.
Commands
The commands used to configure the authentication login method are listed below.
For information about...      Refer to page...
show authentication login     26-4
set authentication login      26-4
clear authentication login    26-5
show authentication login
Use this command to display the current authentication login method for management.
Syntax
show authentication login
Parameters
None.
Defaults
None.
Mode
Switch command, Read-Only.
Example
This example shows how to display the current authentication login method.
C3(rw)->show authentication login
Current authentication login is any
set authentication login
Use this command to set the authentication login method.
Syntax
set authentication login {any | local | radius | tacacs}
Parameters
any       Specifies that the authentication protocol will be selected using the following precedence order:
          - TACACS+
          - RADIUS
          - Local
local     Specifies that the local network password settings will be used for authentication login.
radius    Specifies that RADIUS will be used for authentication login.
tacacs    Specifies that TACACS+ will be used for authentication login.
Defaults
None.
Mode
Switch command, Read-Write.
Example
This example shows how to set the authentication login method to use the local password settings:
C3(rw)->set authentication login local
clear authentication login
Use this command to reset the authentication login method to the default setting of "any".
Syntax
clear authentication login
Parameters
None.
Defaults
None.
Mode
Switch command, Read-Write.
Example
This example shows how to reset the authentication login method.
C3(rw)->clear authentication login
Configuring RADIUS
Purpose
To perform the following:
- Review the RADIUS client/server configuration on the switch.
- Enable or disable the RADIUS client.
- Set local and remote login options.
- Set primary and secondary server parameters, including IP address, timeout period, authentication realm, and number of user login attempts allowed.
- Reset RADIUS server settings to default values.
- Configure a RADIUS accounting server.
- Configure the interface used for the source IP address of the RADIUS application when generating RADIUS packets.
Commands
For information about...    Refer to page...
show radius                 26-6
set radius                  26-7
clear radius                26-9
show radius accounting      26-10
set radius accounting       26-10
clear radius accounting     26-11
show radius interface       26-12
set radius interface        26-12
clear radius interface      26-13
show radius
Use this command to display the current RADIUS client/server configuration.
Syntax
show radius [status | retries | timeout | server [index | all]]
Parameters
status         (Optional) Displays the RADIUS server's enable status.
retries        (Optional) Displays the number of retry attempts before the RADIUS server times out.
timeout        (Optional) Displays the maximum amount of time (in seconds) to establish contact with the RADIUS server before retry attempts begin.
server         (Optional) Displays RADIUS server configuration information.
index | all    For use with the server parameter to show server configuration for all servers or a specific RADIUS server as defined by an index.
Defaults
If no parameters are specified, all RADIUS configuration information will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display RADIUS configuration information:
C3(rw)->show radius
RADIUS status: Enabled
RADIUS retries: 3
RADIUS timeout: 20 seconds
RADIUS Server  IP Address    Auth-Port  Realm-Type
--------------------------------------------------
10             172.16.20.10  1812       management-access
Table 26-1 provides an explanation of the command output.
Table 26-1 show radius Output Details
Output Field      What It Displays...
RADIUS status     Whether RADIUS is enabled or disabled.
RADIUS retries    Number of retry attempts before the RADIUS server times out. The default value of 3 can be reset using the set radius command as described in "set radius" on page 26-7.
RADIUS timeout    Maximum amount of time (in seconds) to establish contact with the RADIUS server before retry attempts begin. The default value of 20 can be reset using the set radius command as described in "set radius" on page 26-7.
RADIUS Server     RADIUS server's index number, IP address, and UDP authentication port.
Realm-Type        Realm defines who has to go through the RADIUS server for authentication.
                  - Management-access: This means that anyone trying to access the switch (Telnet, SSH, Local Management) has to authenticate through the RADIUS server.
                  - Network-access: This means that all the users have to authenticate to a RADIUS server before they are allowed access to the network.
                  - Any-access: Means that both Management-access and Network-access have been enabled.
set radius
Use this command to enable, disable, or configure RADIUS authentication.
Syntax
set radius {enable | disable} | {retries number-of-retries} | {timeout timeout} |
{server index ip-address port [secret-value] [realm {management-access | any |
network-access}]} | {realm {management-access | any | network-access} {index | all}}
Parameters
enable | disable                                  Enables or disables the RADIUS client.
retries number-of-retries                         Specifies the number of retry attempts before the RADIUS server times out. Valid values are from 0 to 10. Default is 3.
timeout timeout                                   Specifies the maximum amount of time (in seconds) to establish contact with the RADIUS server before retry attempts begin. Valid values are from 1 to 30. Default is 20 seconds.
server index ip_address port                      Specifies the index number, IP address and the UDP authentication port for the RADIUS server.
secret-value                                      (Optional) Specifies an encryption key to be used for authentication between the RADIUS client and server.
realm management-access | any | network-access    Realm allows you to define who has to go through the RADIUS server for authentication.
                                                  - management-access: This means that anyone trying to access the switch (Telnet, SSH, Local Management) has to authenticate through the RADIUS server.
                                                  - network-access: This means that all the users have to authenticate to a RADIUS server before they are allowed access to the network.
                                                  - any: Means that both management-access and network-access have been enabled.
                                                  Note: If the management-access or any access realm has been configured, the local "admin" account is disabled for access to the switch using the console, Telnet, or Local Management. Only the network-access realm allows access to the local "admin" account.
index | all                                       Applies the realm setting to a specific server or to all servers.
Defaults
If secret-value is not specified, none will be applied.
If realm is not specified, the any access realm will be used.
Mode
Switch command, read-write.
Usage
The SecureStack C3 device allows up to 10 RADIUS servers to be configured, with up to two servers active at any given time.
The RADIUS client can only be enabled on the switch once a RADIUS server is online, and its IP address(es) has been configured with the same password the RADIUS client will use.
Examples
This example shows how to enable the RADIUS client for authenticating with RADIUS server 1 at IP address 192.168.6.203, UDP authentication port 1812, and an authentication password of "pwsecret." As previously noted, the "server secret" password entered here must match that already configured as the Read-Write (rw) password on the RADIUS server:
C3(su)->set radius server 1 192.168.6.203 1812 pwsecret
This example shows how to set the RADIUS timeout to 5 seconds:
C3(su)->set radius timeout 5
This example shows how to set RADIUS retries to 10:
C3(su)->set radius retries 10
This example shows how to force any management-access to the switch (Telnet, web, SSH) to authenticate through a RADIUS server. The all parameter at the end of the command means that any of the defined RADIUS servers can be used for this authentication.
C3(rw)->set radius realm management-access all
clear radius
Use this command to clear RADIUS server settings.
Syntax
clear radius [retries] | [timeout] | [server {index | all | realm {index | all}}]
Parameters
retries        Resets the maximum number of attempts a user can contact the RADIUS server before timing out to 3.
timeout        Resets the maximum amount of time to establish contact with the RADIUS server before timing out to 20 seconds.
server         Deletes server settings.
index | all    For use with the server parameter to clear the server configuration for all servers or a specific RADIUS server as defined by an index.
realm          Resets the realm setting for all servers or a specific RADIUS server as defined by an index.
Mode
Switch command, read-write.
Defaults
None.
Examples
This example shows how to clear all settings on all RADIUS servers:
C3(su)->clear radius server all
This example shows how to reset the RADIUS timeout to the default value of 20 seconds:
C3(su)->clear radius timeout
show radius accounting
Use this command to display the RADIUS accounting configuration. This transmits accounting information between a network access server and a shared accounting server.
Syntax
show radius accounting [server] | [counter ip-address] | [retries] | [timeout]
Parameters
server                (Optional) Displays one or all RADIUS accounting server configurations.
counter ip-address    (Optional) Displays counters for a RADIUS accounting server.
retries               (Optional) Displays the maximum number of attempts to contact the RADIUS accounting server before timing out.
timeout               (Optional) Displays the maximum amount of time before timing out.
Mode
Switch command, read-only.
Defaults
If no parameters are specified, all RADIUS accounting configuration information will be displayed.
Example
This example shows how to display RADIUS accounting configuration information. In this case, RADIUS accounting is not currently enabled and global default settings have not been changed. One server has been configured.
For details on enabling and configuring RADIUS accounting, refer to "set radius accounting" on page 26-10:
C3(ro)->show radius accounting
RADIUS accounting status: Disabled
RADIUS Acct Server  IP Address   Acct-Port  Retries  Timeout  Status
---------------------------------------------------------
1                   172.16.2.10  1856       3        20       Disabled
set radius accounting
Use this command to configure RADIUS accounting.
Syntax
set radius accounting {[enable | disable] [retries retries] [timeout timeout]
[server ip_address port [server-secret]]}
Parameters
enable | disable                        Enables or disables the RADIUS accounting client.
retries retries                         Sets the maximum number of attempts to contact a specified RADIUS accounting server before timing out. Valid retry values are 0-10.
timeout timeout                         Sets the maximum amount of time (in seconds) to establish contact with a specified RADIUS accounting server before timing out. Valid timeout values are 1-30.
server ip_address port server-secret    Specifies the accounting server's:
                                        - IP address
                                        - UDP authentication port (0-65535)
                                        - server-secret (Read-Write password to access this accounting server. Device will prompt for this entry upon creating a server instance, as shown in the example below.)
Mode
Switch command, read-write.
Defaults
None.
Examples
This example shows how to enable the RADIUS accounting client for authenticating with the accounting server at IP address 10.2.4.12, UDP authentication port 1800. As previously noted, the "server secret" password entered here must match that already configured as the Read-Write (rw) password on the RADIUS accounting server:
C3(su)->set radius accounting server 10.2.4.12 1800
Enter secret:
Re-enter secret:
This example shows how to set the RADIUS accounting timeout to 30 seconds:
C3(su)->set radius accounting timeout 30
This example shows how to set RADIUS accounting retries to 10:
C3(su)->set radius accounting retries 10
clear radius accounting
Use this command to clear RADIUS accounting configuration settings.
Syntax
clear radius accounting {server ip-address | retries | timeout | counter}
Parameters
server ip-address    Clears the configuration on one or more accounting servers.
retries              Resets the retries to the default value of 3.
timeout              Resets the timeout to 5 seconds.
counter              Clears counters.
Mode
Switch command, read-write.
Defaults
None.
Example
This example shows how to reset the RADIUS accounting timeout to 5 seconds.
C3(su)->clear radius accounting timeout
show radius interface
Use this command to display the interface used for the source IP address of the RADIUS application when generating RADIUS packets.
Syntax
show radius interface
Parameters
None.
Defaults
None.
Mode
Switch mode, read-only.
Example
This example displays the output of this command. In this case, the IP address assigned to loopback interface 1 will be used as the source IP address of the RADIUS application.
C3(rw)->show radius interface
loopback 1 192.168.10.1
set radius interface
Use this command to specify the interface used for the source IP address of the RADIUS application when generating RADIUS packets.
Syntax
set radius interface {loopback loop-ID | vlan vlan-ID}
Parameters
loopback loop-ID    Specifies the loopback interface to be used. The value of loop-ID can range from 0 to 7.
vlan vlan-ID        Specifies the VLAN interface to be used. The value of vlan-ID can range from 1 to 4093.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command allows you to configure the interface whose IP address is used as the source IP address of the RADIUS application when generating RADIUS packets. Any of the management interfaces, including VLAN routing interfaces, can be configured as the source IP address used in packets generated by the RADIUS application.
An interface must have an IP address assigned to it before it can be set by this command.
If no interface is specified, then the IP address of the Host interface, if configured, will be used for both the source IP address and NAS-IP. If no interface is specified and no Host address is configured, the source IP address will be the address of the routed interface on which the packet egresses. If loopback 0 has been configured, the NAS-IP will be set to the IP address of loopback 0. Otherwise, the NAS-IP will be zero.
Example
This example configures an IP address on VLAN interface 100 and then sets that interface as the RADIUS application source IP address.
C3(rw)->router(Config-if(Vlan 100))#ip address 192.168.10.1 255.255.255.0
C3(rw)->router(Config-if(Vlan 100))#exit
C3(rw)->router(Config)#exit
C3(rw)->router#exit
C3(rw)->router>exit
C3(rw)->set radius interface vlan 100
C3(rw)->show radius interface
vlan 100 192.168.10.1
clear radius interface
Use this command to clear the interface used for the source IP address of the RADIUS application back to the default of the Host interface, if configured. If no Host address is configured, the source IP address will be the address of the routed interface on which the packet egresses.
Syntax
clear radius interface
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This command returns the interface used for the source IP address of the RADIUS application back to the default of the Host interface.
C3(rw)->show radius interface
vlan 100 192.168.10.1
C3(rw)->clear radius interface
C3(rw)->
Configuring 802.1X Authentication
Purpose
To review and configure 802.1X authentication for one or more ports using EAPOL (Extensible Authentication Protocol). 802.1X controls network access by enforcing user authorization on selected ports, which results in allowing or denying network access according to RADIUS server configuration.
Note: To configure EAP pass-through, which allows client authentication packets to be forwarded through the switch to an upstream device, 802.1X authentication must be globally disabled with the set dot1x command ("set dot1x" on page 26-18).
Commands
For information about...    Refer to page...
show dot1x                  26-15
show dot1x auth-config      26-17
set dot1x                   26-18
set dot1x auth-config       26-19
clear dot1x auth-config     26-20
show eapol                  26-21
set eapol                   26-23
clear eapol                 26-23
show dot1x
Use this command to display 802.1X status, diagnostics, statistics, and reauthentication or initialization control information for one or more ports.
Syntax
show dot1x [auth-diag] [auth-stats] [port [init | reauth]] [port-string]
Parameters
auth-diag             (Optional) Displays authentication diagnostics information.
auth-stats            (Optional) Displays authentication statistics.
port init | reauth    (Optional) Displays the status of port initialization and reauthentication control for the port.
port-string           (Optional) Displays information for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If no parameters are specified, 802.1X status will be displayed.
If port-string is not specified, information for all ports will be displayed.
Mode
Switch command, read-only.
Examples
This example shows how to display 802.1X status:
C3(su)->show dot1x
DOT1X is disabled.
This example shows how to display authentication diagnostics information for ge.1.1:
C3(su)->show dot1x auth-diag ge.1.1
Port: 1 Auth-Diag
Enter Connecting: 0
EAP Logoffs While Connecting: 0
Enter Authenticating: 0
Success While Authenticating 0
Timeouts While Authenticating: 0
Fails While Authenticating: 0
ReAuths While Authenticating: 0
EAP Starts While Authenticating: 0
EAP logoff While Authenticating: 0
Backend Responses: 0
Backend Access Challenges: 0
Backend Others Requests To Supp: 0
Backend NonNak Responses From: 0
Backend Auth Successes: 0
Backend Auth Fails: 0
This example shows how to display authentication statistics for ge.1.1:
C3(su)->show dot1x auth-stats ge.1.1
Port: 1 Auth-Stats
EAPOL Frames Rx: 0
EAPOL Frames Tx: 0
EAPOL Start Frames Rx: 0
EAPOL Logoff Frames Rx: 0
EAPOL RespId Frames Rx: 0
EAPOL Resp Frames Rx: 0
EAPOL Req Frames Tx: 0
EAP Length Error Frames Rx: 0
Last EAPOL Frame Version: 0
Last EAPOL Frame Source: 00:00:00:00:00:00
This example shows how to display the status of port reauthentication control for ge.1.1 through ge.1.6:
C3(su)->show dot1x port reauth ge.1.1-6
Port 1: Port reauthenticate: FALSE
Port 2: Port reauthenticate: FALSE
Port 3: Port reauthenticate: FALSE
Port 4: Port reauthenticate: FALSE
Port 5: Port reauthenticate: FALSE
Port 6: Port reauthenticate: FALSE
show dot1x auth-config
Use this command to display 802.1X authentication configuration settings for one or more ports.
Syntax
show dot1x auth-config [authcontrolled-portcontrol] [maxreq] [quietperiod]
[reauthenabled] [reauthperiod] [servertimeout] [supptimeout] [txperiod]
[port-string]
Parameters
authcontrolled-portcontrol    (Optional) Displays the current value of the controlled Port control parameter for the port.
maxreq                        (Optional) Displays the value set for maximum requests currently in use by the backend authentication state machine.
quietperiod                   (Optional) Displays the value set for quiet period currently in use by the authenticator PAE state machine.
reauthenabled                 (Optional) Displays the state of reauthentication control used by the Reauthentication Timer state machine.
reauthperiod                  (Optional) Displays the value, in seconds, set for the reauthentication period used by the reauthentication timer state machine.
servertimeout                 (Optional) Displays the server timeout value, in seconds, currently in use by the backend authentication state machine.
supptimeout                   (Optional) Displays the authentication supplicant timeout value, in seconds, currently in use by the backend authentication state machine.
txperiod                      (Optional) Displays the transmission period value, in seconds, currently in use by the authenticator PAE state machine.
port-string                   (Optional) Limits the display of desired information to specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If no parameters are specified, all 802.1X settings will be displayed.
If port-string is not specified, information for all ports will be displayed.
Mode
Switch command, read-only.
Examples
This example shows how to display the EAPOL port control mode for ge.1.1:
C3(su)->show dot1x auth-config authcontrolled-portcontrol ge.1.1
Port 1: Auth controlled port control: Auto
This example shows how to display the 802.1X quiet period settings for ge.1.1:
C3(su)->show dot1x auth-config quietperiod ge.1.1
Port 1: Quiet period: 30
This example shows how to display all 802.1X authentication configuration settings for ge.1.1:
C3(ro)->show dot1x auth-config ge.1.1
Port: 1 Auth-Config
PAE state: Initialize
Backend auth state: Initialize
Admin controlled directions: Both
Oper controlled directions: Both
Auth controlled port status: Authorized
Auth controlled port control: Auto
Quiet period: 60
Transmission period: 30
Supplicant timeout: 30
Server timeout: 30
Maximum requests: 2
Reauthentication period: 3600
Reauthentication control: Disabled
set dot1x
Use this command to enable or disable 802.1X authentication, to reauthenticate one or more access entities, or to reinitialize one or more supplicants.
Syntax
set dot1x {enable | disable | port {init | reauth} {true | false} [port-string]}
Parameters
enable | disable    Enables or disables 802.1X.
port                Enable or disable 802.1X reauthentication or initialization control on one or more ports.
init | reauth       Configure initialization or reauthentication control.
true | false        Enable (true) or disable (false) reinitialization/reauthentication.
port-string         (Optional) Specifies the port(s) to reinitialize or reauthenticate.
Defaults
If no ports are specified, the reinitialization or reauthentication setting will be applied to all ports.
Mode
Switch command, read-write.
Usage
Disabling 802.1X authentication globally, by not entering a specific port-string value, will enable the EAP pass-through feature. EAP pass-through allows client authentication packets to be forwarded unmodified through the switch to an upstream device.
Examples
This example shows how to enable 802.1X:
C3(su)->set dot1x enable
This example shows how to reinitialize ge.1.2:
C3(rw)->set dot1x port init true ge.1.2
set dot1x auth-config
Use this command to configure 802.1X authentication.
Syntax
set dot1x auth-config {[authcontrolled-portcontrol {auto | forced-auth |
forced-unauth}] [maxreq value] [quietperiod value] [reauthenabled {false | true}]
[reauthperiod value] [servertimeout timeout] [supptimeout timeout] [txperiod
value]} [port-string]
Parameters
authcontrolled-portcontrol auto | forced-auth | forced-unauth    Specifies the 802.1X port control mode.
                                                                 - auto: Set port control mode to auto controlled port control. This is the default value.
                                                                 - forced-auth: Set port control mode to ForcedAuthorized controlled port control.
                                                                 - forced-unauth: Set port control mode to ForcedUnauthorized controlled port control.
maxreq value                  Specifies the maximum number of authentication requests allowed by the backend authentication state machine. Valid values are 1-10. Default value is 2.
quietperiod value             Specifies the time (in seconds) following a failed authentication before another attempt can be made by the authenticator PAE state machine. Valid values are 0-65535. Default value is 60 seconds.
reauthenabled false | true    Enables (true) or disables (false) reauthentication control of the reauthentication timer state machine. Default value is false.
reauthperiod value            Specifies the time lapse (in seconds) between attempts by the reauthentication timer state machine to reauthenticate a port. Valid values are 0-65535. Default value is 3600 seconds.
servertimeout timeout         Specifies a timeout period (in seconds) for the authentication server, used by the backend authentication state machine. Valid values are 1-300. Default value is 30 seconds.
supptimeout timeout           Specifies a timeout period (in seconds) for the authentication supplicant used by the backend authentication state machine. Valid values are 1-300. Default value is 30 seconds.
txperiod value                Specifies the period (in seconds) which passes between authenticator PAE state machine EAP transmissions. Valid values are 0-65535. Default value is 30 seconds.
port-string                   (Optional) Limits the configuration of desired settings to specified port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, authentication parameters will be set on all ports.
Mode
Switch command, read-write.
Examples
This example shows how to enable reauthentication control on ports ge.1.1-3:
C3(su)->set dot1x auth-config reauthenabled true ge.1.1-3
This example shows how to set the 802.1X quiet period to 120 seconds on ports ge.1.1-3:
C3(su)->set dot1x auth-config quietperiod 120 ge.1.1-3
clear dot1x auth-config
Use this command to reset 802.1X authentication parameters to default values on one or more ports.
Syntax
clear dot1x auth-config [authcontrolled-portcontrol] [maxreq] [quietperiod]
[reauthenabled] [reauthperiod] [servertimeout] [supptimeout] [txperiod] [port-string]
Parameters
authcontrolled-portcontrol    (Optional) Resets the 802.1X port control mode to auto.
maxreq                        (Optional) Resets the maximum requests value to 2.
quietperiod                   (Optional) Resets the quiet period value to 60 seconds.
reauthenabled                 (Optional) Resets the reauthentication control state to disabled (false).
reauthperiod                  (Optional) Resets the reauthentication period value to 3600 seconds.
servertimeout                 (Optional) Resets the server timeout value to 30 seconds.
supptimeout                   (Optional) Resets the authentication supplicant timeout value to 30 seconds.
txperiod                      (Optional) Resets the transmission period value to 30 seconds.
port-string                   (Optional) Resets settings on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If no parameters are specified, all authentication parameters will be reset.
If port-string is not specified, parameters will be set on all ports.
Mode
Switch command, read-write.
Examples
This example shows how to reset the 802.1X port control mode to auto on all ports:
C3(su)->clear dot1x auth-config authcontrolled-portcontrol
This example shows how to reset reauthentication control to disabled on ports ge.1.1-3:
C3(su)->clear dot1x auth-config reauthenabled ge.1.1-3
This example shows how to reset the 802.1X quiet period to 60 seconds on ports ge.1.1-3:
C3(su)->clear dot1x auth-config quietperiod ge.1.1-3
show eapol
Use this command to display EAPOL status or settings for one or more ports.
Syntax
show eapol [port-string]
Parameters
port-string    (Optional) Displays EAPOL status for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, only EAPOL enable status will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display EAPOL status for ports ge.1.1-3:
C3(su)->show eapol ge.1.1-3
EAPOL is disabled.
Port     Authentication State   Authentication Mode
------------------------------------------------
ge.1.1   Initialize             Auto
ge.1.2   Initialize             Auto
ge.1.3   Initialize             Auto
Table 26-2 provides an explanation of the command output. For details on using the set eapol command to enable the protocol and assign an authentication mode, refer to "set eapol" on page 26-23.
Table 26-2 show eapol Output Details
Output Field            What It Displays...
Port                    Port designation. For a detailed description of possible port-string
                        values, refer to Port String Syntax Used in the CLI on page 7-1.
Authentication State    Current EAPOL authentication state for each port. Possible internal
                        states for the authenticator (switch) are:
                        • initialize: A port is in the initialize state when:
                          - authentication is disabled,
                          - authentication is enabled and the port is not linked, or
                          - authentication is enabled and the port is linked. (In this case very
                            little time is spent in this state; it immediately transitions to the
                            connecting state, via disconnected.)
                        • disconnected: The port passes through this state on its way to
                          connected whenever the port is reinitialized, via link state change,
                          reauthentication failure, or management intervention.
                        • connecting: While in this state, the authenticator sends request/ID
                          messages to the end user.
                        • authenticating: The port enters this state from connecting after
                          receiving a response/ID from the end user. It remains in this state
                          until the entire authentication exchange between the end user and the
                          authentication server completes.
                        • authenticated: The port enters this state from authenticating state
                          after the exchange completes with a favorable result. It remains in
                          this state until linkdown, logoff, or until a reauthentication begins.
                        • aborting: The port enters this state from authenticating when any
                          event occurs that interrupts the login exchange.
                        • held: After any login failure the port remains in this state for the
                          number of seconds equal to quietPeriod (can be set using MIB).
                        • forceAuth: Management is allowing normal, unsecured switching on
                          this port.
                        • forceUnauth: Management is preventing any frames from being
                          forwarded to or from this port.
Authentication Mode     Mode enabling network access for each port. Modes include:
                        • Auto: Frames are forwarded according to the authentication state of
                          each port.
                        • Forced Authorized Mode: Meant to disable authentication on a port. It
                          is intended for ports that support ISLs and devices that cannot
                          authenticate, such as printers and file servers. If a default policy is
                          applied to the port via the policy profile MIB, then frames are
                          forwarded according to the configuration set by that policy;
                          otherwise frames are forwarded according to the current
                          configuration for that port. Authentication using 802.1X is not
                          possible on a port in this mode.
                        • Forced Unauthorized Mode: All frames received on the port are
                          discarded by a filter. Authentication using 802.1X is not possible on a
                          port in this mode.
set eapol
Use this command to enable or disable EAPOL port-based user authentication with the RADIUS
server and to set the authentication mode for one or more ports.
Syntax
set eapol [enable | disable] [auth-mode {auto | forced-auth | forced-unauth} port-string]
Parameters
enable | disable      Enables or disables EAPOL.
auth-mode auto |      Specifies the authentication mode as:
forced-auth |         • auto - Auto authorization mode. This is the default mode and will
forced-unauth           forward frames according to the authentication state of the port. For
                        details on this mode, refer to Table 26-2.
                      • forced-auth - Forced authorized mode, which disables authentication
                        on the port.
                      • forced-unauth - Forced unauthorized mode, which filters and discards
                        all frames received on the port.
port-string           Specifies the port(s) on which to set EAPOL parameters. For a detailed
                      description of possible port-string values, refer to Port String Syntax Used
                      in the CLI on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example shows how to enable EAPOL:
C3(su)->set eapol enable
This example shows how to enable EAPOL with forced authorized mode on port ge.1.1:
C3(su)->set eapol auth-mode forced-auth ge.1.1
clear eapol
Use this command to globally clear the EAPOL authentication mode, or to clear settings for one or
more ports.
Syntax
clear eapol [auth-mode] [port-string]
Parameters
auth-mode             (Optional) Globally clears the EAPOL authentication mode.
port-string           Specifies the port(s) on which to clear EAPOL parameters. For a detailed
                      description of possible port-string values, refer to Port String Syntax Used
                      in the CLI on page 7-1.
Defaults
If auth-mode is not specified, all EAPOL settings will be cleared.
If port-string is not specified, settings will be cleared for all ports.
Mode
Switch command, read-write.
Example
This example shows how to clear the EAPOL authentication mode for port ge.1.3:
C3(su)->clear eapol auth-mode ge.1.3
Configuring MAC Authentication
Purpose
To review, disable, enable and configure MAC authentication. This authentication method allows
the device to authenticate source MAC addresses in an exchange with an authentication server.
The authenticator (switch) selects a source MAC seen on a MAC-authentication enabled port and
submits it to a backend client for authentication. The backend client uses the MAC address and
the stored password, if required, as credentials for an authentication attempt. If accepted, a
string representing an access policy and/or VLAN authorization may be returned. If present, the
switch applies the associated policy rules and VLAN segmentation.
You can specify a mask to apply to MAC addresses when authenticating users through a RADIUS
server (see set macauthentication significant-bits on page 26-35). The most common use of
significant bit masks is for authentication of all MAC addresses for a specific vendor.
Commands
For information about...                          Refer to page...
show macauthentication                            26-25
show macauthentication session                    26-27
set macauthentication                             26-28
set macauthentication password                    26-28
clear macauthentication password                  26-29
set macauthentication port                        26-29
set macauthentication portinitialize              26-30
set macauthentication portquietperiod             26-30
clear macauthentication portquietperiod           26-31
set macauthentication macinitialize               26-31
set macauthentication reauthentication            26-32
set macauthentication portreauthenticate          26-32
set macauthentication macreauthenticate           26-33
set macauthentication reauthperiod                26-33
clear macauthentication reauthperiod              26-34
set macauthentication significant-bits            26-35
clear macauthentication significant-bits          26-35
show macauthentication
Use this command to display MAC authentication information for one or more ports.
Syntax
show macauthentication [port-string]
Parameters
port-string           (Optional) Displays MAC authentication information for specific port(s).
                      For a detailed description of possible port-string values, refer to Port String
                      Syntax Used in the CLI on page 7-1.
Defaults
If port-string is not specified, MAC authentication information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display MAC authentication information for ge.2.1 through 8:
C3(su)->show macauthentication ge.2.1-8
MAC authentication:            - enabled
MAC user password:             - NOPASSWORD
Port username significant bits - 48
Port     Port      Reauth   Auth     Auth       Reauthentications
         State     Period   Allowed  Allocated
-----------------------------------------------------------------
ge.2.1   disabled  3600     1        1          disabled
ge.2.2   disabled  3600     1        1          disabled
ge.2.3   disabled  3600     1        1          disabled
ge.2.4   disabled  3600     1        1          disabled
ge.2.5   disabled  3600     1        1          disabled
ge.2.6   disabled  3600     1        1          disabled
ge.2.7   disabled  3600     1        1          disabled
ge.2.8   disabled  3600     1        1          disabled
Table 26-3 provides an explanation of the command output.
Table 26-3 show macauthentication Output Details
Output Field            What It Displays...
MAC authentication      Whether MAC authentication is globally enabled or disabled. Set using
                        the set macauthentication command as described in set
                        macauthentication on page 26-28.
MAC user password       User password associated with MAC authentication on the device. Set
                        using the set macauthentication password command as described in set
                        macauthentication password on page 26-28.
Port username           Number of significant bits in the MAC addresses to be used starting with
significant bits        the left-most bit of the vendor portion of the MAC address. The
                        significant portion of the MAC address is sent as a user-name credential
                        when the primary attempt to authenticate the full MAC address fails. Any
                        other failure to authenticate the full address (i.e., authentication server
                        timeout) causes the next attempt to start once again with a full MAC
                        authentication. Default value of 48 can be changed with the set
                        macauthentication significant-bits command.
Port                    Port designation. For a detailed description of possible port-string
                        values, refer to Port String Syntax Used in the CLI on page 7-1.
Port State              Whether or not MAC authentication is enabled or disabled on this port.
Reauth Period           Reauthentication period for this port. Default value of 30 can be changed
                        using the set macauthentication reauthperiod command (page 26-33).
Auth Allowed            Number of concurrent authentications supported on this port.
Auth Allocated          Maximum number of MAC authentications permitted on this port.
Reauthentications       Whether or not reauthentication is enabled or disabled on this port. Set
                        using the set macauthentication reauthentication command
                        (page 26-32).
show macauthentication session
Use this command to display the active MAC authenticated sessions.
Syntax
show macauthentication session
Parameters
None.
Defaults
If port-string is not specified, MAC session information will be displayed for all MAC
authentication ports.
Mode
Switch command, read-only.
Usage
Changing the Reauth Period with the set macauthentication reauthperiod command does not
affect current sessions. New sessions display the correct period.
Example
This example shows how to display MAC session information:
C3(su)->show macauthentication session
Port    MAC Address        Duration    Reauth Period  Reauthentications
-----------------------------------------------------------------------
ge.1.2  00:60:97:b5:4c:07  0,00:52:31  3600           disabled
Table 26-4 provides an explanation of the command output.
Table 26-4 show macauthentication session Output Details
Output Field            What It Displays...
Port                    Port designation. For a detailed description of possible port-string
                        values, refer to Port String Syntax Used in the CLI on page 7-1.
MAC Address             MAC address associated with the session.
Duration                Time this session has been active.
Reauth Period           Reauthentication period for this port, set using the set
                        macauthentication reauthperiod command described in set
                        macauthentication reauthperiod on page 26-33.
Reauthentications       Whether or not reauthentication is enabled or disabled on this port. Set
                        using the set macauthentication reauthentication command described
                        in set macauthentication reauthentication on page 26-32.
set macauthentication
Use this command to globally enable or disable MAC authentication.
Syntax
set macauthentication {enable | disable}
Parameters
enable | disable      Globally enables or disables MAC authentication.
Mode
Switch command, read-write.
Defaults
None.
Example
This example shows how to globally enable MAC authentication:
C3(su)->set macauthentication enable
set macauthentication password
Use this command to set a MAC authentication password.
Syntax
set macauthentication password password
Parameters
password              Specifies a text string MAC authentication password.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the MAC authentication password to macauth:
C3(su)->set macauthentication password macauth
clear macauthentication password
Use this command to clear the MAC authentication password.
Syntax
clear macauthentication password
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the MAC authentication password:
C3(su)->clear macauthentication password
set macauthentication port
Use this command to enable or disable one or more ports for MAC authentication.
Syntax
set macauthentication port {enable | disable} port-string
Parameters
enable | disable      Enables or disables MAC authentication.
port-string           Specifies port(s) on which to enable or disable MAC authentication. For a
                      detailed description of possible port-string values, refer to Port String
                      Syntax Used in the CLI on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Usage
Enabling port(s) for MAC authentication requires globally enabling MAC authentication on the
switch as described in set macauthentication on page 26-28, and then enabling it on a
port-by-port basis. By default, MAC authentication is globally disabled and disabled on all ports.
Example
This example shows how to enable MAC authentication on ge.2.1 through 5:
C3(su)->set macauthentication port enable ge.2.1-5
set macauthentication portinitialize
Use this command to force one or more MAC authentication ports to re-initialize and remove any
currently active sessions on those ports.
Syntax
set macauthentication portinitialize port-string
Parameters
port-string           Specifies the MAC authentication port(s) to re-initialize. For a detailed
                      description of possible port-string values, refer to Port String Syntax Used
                      in the CLI on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to force ge.2.1 through 5 to initialize:
C3(su)->set macauthentication portinitialize ge.2.1-5
set macauthentication portquietperiod
This sets the number of seconds following a failed authentication before another attempt may be
made on the port.
Syntax
set macauthentication portquietperiod time port-string
Parameters
time                  Period in seconds to wait after a failed authentication. By default, this is 30
                      seconds.
port-string           Specifies the ports for which the quiet period is to be applied. For a detailed
                      description of possible port-string values, refer to Port String Syntax Used
                      in the CLI on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets port 1 to wait 5 seconds after a failed authentication attempt before a new
attempt can be made:
C3(su)->set macauthentication portquietperiod 5 ge.1.1
clear macauthentication portquietperiod
This sets the quiet period back to the default value of 30 seconds.
Syntax
clear macauthentication portquietperiod [port-string]
Parameters
port-string           (Optional) Specifies the ports for which the quiet period is to be reset. For a
                      detailed description of possible port-string values, refer to Port String
                      Syntax Used in the CLI on page 7-1.
Defaults
If a port-string is not specified then all ports will be set to the default port quiet period.
Mode
Switch command, read-write.
Example
This example resets the default quiet period on port 1:
C3(su)->clear macauthentication portquietperiod ge.1.1
set macauthentication macinitialize
Use this command to force a current MAC authentication session to re-initialize and remove the
session.
Syntax
set macauthentication macinitialize mac-addr
Parameters
mac-addr              Specifies the MAC address of the session to re-initialize.
Mode
Switch command, read-write.
Defaults
None.
Example
This example shows how to force the MAC authentication session for address 00-60-97-b5-4c-07
to re-initialize:
C3(su)->set macauthentication macinitialize 00-60-97-b5-4c-07
set macauthentication reauthentication
Use this command to enable or disable reauthentication of all currently authenticated MAC
addresses on one or more ports.
Syntax
set macauthentication reauthentication {enable | disable} port-string
Parameters
enable | disable      Enables or disables MAC reauthentication.
port-string           Specifies port(s) on which to enable or disable MAC reauthentication. For a
                      detailed description of possible port-string values, refer to Port String
                      Syntax Used in the CLI on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable MAC reauthentication on ge.4.1 through 5:
C3(su)->set macauthentication reauthentication enable ge.4.1-5
set macauthentication portreauthenticate
Use this command to force an immediate reauthentication of the currently active sessions on one
or more MAC authentication ports.
Syntax
set macauthentication portreauthenticate port-string
Parameters
port-string           Specifies MAC authentication port(s) to be reauthenticated. For a detailed
                      description of possible port-string values, refer to Port String Syntax Used
                      in the CLI on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to force ge.2.1 through 5 to reauthenticate:
C3(su)->set macauthentication portreauthenticate ge.2.1-5
set macauthentication macreauthenticate
Use this command to force an immediate reauthentication of a MAC address.
Syntax
set macauthentication macreauthenticate mac-addr
Parameters
mac-addr              Specifies the MAC address of the session to reauthenticate.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to force the MAC authentication session for address 00-60-97-b5-4c-07
to reauthenticate:
C3(su)->set macauthentication macreauthenticate 00-60-97-b5-4c-07
set macauthentication reauthperiod
Use this command to set the MAC reauthentication period (in seconds). This is the time lapse
between attempts to reauthenticate any current MAC address authenticated to a port.
Syntax
set macauthentication reauthperiod time port-string
Parameters
time                  Specifies the number of seconds between reauthentication attempts. Valid
                      values are 1 - 4294967295.
port-string           Specifies the port(s) on which to set the MAC reauthentication period. For a
                      detailed description of possible port-string values, refer to Port String
                      Syntax Used in the CLI on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Usage
Changing the Reauth Period with the set macauthentication reauthperiod command does not
affect current sessions. New sessions will use the correct period.
Example
This example shows how to set the MAC reauthentication period to 7200 seconds (2 hours) on
ge.2.1 through 5:
C3(su)->set macauthentication reauthperiod 7200 ge.2.1-5
clear macauthentication reauthperiod
Use this command to clear the MAC reauthentication period on one or more ports.
Syntax
clear macauthentication reauthperiod [port-string]
Parameters
port-string           (Optional) Clears the MAC reauthentication period on specific port(s). For a
                      detailed description of possible port-string values, refer to Port String
                      Syntax Used in the CLI on page 7-1.
Defaults
If port-string is not specified, the reauthentication period will be cleared on all ports.
Mode
Switch command, read-write.
Example
This example shows how to globally clear the MAC reauthentication period:
C3(su)->clear macauthentication reauthperiod
set macauthentication significant-bits
Use this command to set the number of significant bits of the MAC address to use for
authentication.
Syntax
set macauthentication significant-bits number
Parameters
number                Specifies the number of significant bits to be used for authentication.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command allows you to specify a mask to apply to MAC addresses when authenticating
users through a RADIUS server. The most common use of significant bit masks is for
authentication of all MAC addresses for a specific vendor.
On switches using MAC authentication, the MAC address of a user attempting to log in is sent to
the RADIUS server as the user name. If access is denied, and if a significant bit mask has been
configured (other than 48) with this command, the switch will apply the mask and resend the
masked address to the RADIUS server. For example, if a user with MAC address of
00-16-CF-12-34-56 is denied access, and a 32-bit mask has been configured, the switch will apply
the mask and resend a MAC address of 00-16-CF-12-00-00 to the RADIUS server.
To use a significant bits mask for authentication of devices by a particular vendor, specify a 24-bit
mask, to mask out everything except the vendor portion of the MAC address.
Example
This example sets the MAC authentication significant bits mask to 24.
C3(su)->set macauthentication significant-bits 24
clear macauthentication significant-bits
Use this command to reset the number of significant bits of the MAC address to use for
authentication to the default of 48.
Syntax
clear macauthentication significant-bits
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example resets the MAC authentication significant bits to 48.
C3(su)->clear macauthentication significant-bits
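The significant-bits fallback described under set macauthentication significant-bits, modeled in Python as an added example (not code from this guide or from Enterasys). The RADIUS stand-in, the hyphenated upper-case user-name rendering and the accepted range of 1 to 48 bits are assumptions.

```python
"""Model of the MAC authentication significant-bits fallback (illustrative only)."""

ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"


def parse_mac(text):
    """Return a MAC address written with '-', ':' or no separators as a 48-bit int."""
    digits = text.strip().replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)  # raises ValueError on a non-hexadecimal character


def format_mac(value):
    """Render a 48-bit int as XX-XX-XX-XX-XX-XX (assumed user-name format)."""
    raw = f"{value:012X}"
    return "-".join(raw[i:i + 2] for i in range(0, 12, 2))


def check_bits(significant_bits):
    """Reject mask lengths outside the assumed valid range of 1 to 48."""
    if not 1 <= significant_bits <= 48:
        raise ValueError("significant bits must be between 1 and 48")


def masked_username(mac, significant_bits):
    """Keep the left-most significant_bits of the address and zero the rest."""
    check_bits(significant_bits)
    keep = ((1 << significant_bits) - 1) << (48 - significant_bits)
    return format_mac(parse_mac(mac) & keep)


def addresses_covered(significant_bits):
    """Number of distinct MAC addresses that collapse to one masked user name."""
    check_bits(significant_bits)
    return 1 << (48 - significant_bits)


def authenticate(mac, significant_bits, radius):
    """Replay the switch's attempts; return (granted, [(user_name, result), ...])."""
    full = format_mac(parse_mac(mac))
    attempts = [(full, radius(full))]
    # Only an explicit denial triggers the masked retry. Any other failure, such
    # as a server timeout, ends this round; the next round starts again with the
    # full address.
    if attempts[0][1] == REJECT and significant_bits != 48:
        masked = masked_username(mac, significant_bits)
        attempts.append((masked, radius(masked)))
    return attempts[-1][1] == ACCEPT, attempts


def make_radius(accounts, reachable=True):
    """Hypothetical stand-in for the RADIUS server: a set of known user names."""
    def radius(user_name):
        if not reachable:
            return TIMEOUT
        return ACCEPT if user_name in accounts else REJECT
    return radius


if __name__ == "__main__":
    # Constructed accounts: one entry for a whole vendor prefix, one single device.
    server = make_radius({"00-16-CF-00-00-00", "00-60-97-B5-4C-07"})
    for mac in ("00-16-CF-12-34-56", "00:60:97:b5:4c:07", "00-10-A4-9E-24-87"):
        granted, attempts = authenticate(mac, 24, server)
        print(mac, "granted" if granted else "denied", attempts)
    print("addresses admitted by one 24-bit entry:", addresses_covered(24))
```

With a 24-bit mask, one RADIUS account for the masked user name admits all 16,777,216 addresses that share the vendor prefix, so the policy returned for that account applies to every one of them.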
Configuring Multiple Authentication Methods
About Multiple Authentication Types
When enabled, multiple authentication types allow a user to authenticate using more than one
method on the same port. In order for multiple authentication to function on the device, each
possible method of authentication (MAC authentication, 802.1X, PWA) must be enabled globally
and configured appropriately on the desired ports with its corresponding command set described
in this chapter. The precedence configured for the authentication methods determines which
authentication method is actually applied to the user, device, or port.
Multiple authentication mode must be globally enabled on the device using the set multiauth
mode command. Authentication precedence can be configured with the set multiauth precedence
command.
About Multi-User Authentication
Multi-user authentication refers to the ability to authenticate more than one user or device on the
same port, with each user or device being provided the appropriate level of network resources
based on policy.
When a single supplicant connected to an access layer port authenticates, a policy profile can be
dynamically applied to all traffic on the port. When multi-user authentication is not implemented,
and more than one supplicant is connected to a port, the firmware does not provision network
resources on a per-user or per-device basis, even though different users or devices may require a
different set of network resources.
In order to support provisioning network resources on a per-user basis, by applying the policy
configured in the RADIUS filter-ID or RFC 3580 tunnel attributes for a given user or device, the
switch must be the point of authentication for the attached devices. The RADIUS filter-ID and
tunnel attributes are part of the RADIUS user account and are included in the RADIUS access
accept message response received by the switch from the authentication server.
The maximum number of multiple users supported per port depends on your platform. Refer to
Appendix A, Policy and Authentication Capacities, for a description of the multi-user capacities
for this device. By default, the number of allowed users per port is set to 1. To configure the
number of allowed users per port, use the set multiauth port numusers command. Use the show
multiauth port command to display the current values of Max users and Allowed users per
port.
Commands
For information about...                          Refer to page...
show multiauth                                    26-38
set multiauth mode                                26-39
clear multiauth mode                              26-39
set multiauth precedence                          26-40
clear multiauth precedence                        26-40
show multiauth port                               26-41
set multiauth port                                26-41
clear multiauth port                              26-42
show multiauth station                            26-43
show multiauth session                            26-43
show multiauth idle-timeout                       26-44
set multiauth idle-timeout                        26-45
clear multiauth idle-timeout                      26-46
show multiauth session-timeout                    26-46
set multiauth session-timeout                     26-47
clear multiauth session-timeout                   26-48
show multiauth
Use this command to display multiple authentication system configuration.
Syntax
show multiauth
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display multiple authentication system configuration:
C3(rw)->show multiauth
Multiple authentication system configuration
-------------------------------------------------
Supported types         : dot1x, pwa, mac
Maximum number of users : 768
Current number of users : 2
System mode             : multi
Default precedence      : dot1x, pwa, mac
Admin precedence        : dot1x, pwa, mac
Operational precedence  : dot1x, pwa, mac
set multiauth mode
Use this command to set the system authentication mode to allow multiple authenticators
simultaneously (802.1x, PWA, and MAC Authentication) on a single port, or to strictly adhere to
802.1x authentication.
Syntax
set multiauth mode {multi | strict}
Parameters
multi                 Allows the system to use multiple authenticators simultaneously (802.1x,
                      PWA, and MAC Authentication) on a port. This is the default mode.
strict                User must authenticate using 802.1x authentication before normal traffic
                      (anything other than authentication traffic) can be forwarded.
Defaults
None.
Mode
Switch command, read-write.
Usage
Multiauth multi mode requires that MAC, PWA, and 802.1X authentication be enabled globally,
and configured appropriately on the desired ports according to their corresponding command
sets described in this chapter. Refer to Configuring 802.1X Authentication on page 26-15 and
Configuring MAC Authentication on page 26-25 and Configuring Port Web Authentication
(PWA) on page 26-68.
Example
This example shows how to enable simultaneous multiple authentications:
C3(rw)->set multiauth mode multi
clear multiauth mode
Use this command to clear the system authentication mode.
Syntax
clear multiauth mode
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the system authentication mode:
C3(rw)->clear multiauth mode
set multiauth precedence
Use this command to set the system's multiple authentication administrative precedence.
Syntax
set multiauth precedence {[dot1x] [mac] [pwa]}
Parameters
dot1x                 Sets precedence for 802.1X authentication.
mac                   Sets precedence for MAC authentication.
pwa                   Sets precedence for port web authentication.
Defaults
Default precedence order is dot1x, pwa, mac.
Mode
Switch command, read-write.
Usage
When a user is successfully authenticated by more than one method at the same time, the
precedence of the authentication methods will determine which RADIUS-returned filter-ID will be
processed and result in an applied traffic policy profile.
Example
This example shows how to set precedence for MAC authentication:
C3(rw)->set multiauth precedence mac dot1x
clear multiauth precedence
Use this command to clear the system's multiple authentication administrative precedence to the
default precedence order.
Syntax
clear multiauth precedence
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the multiple authentication precedence:
C3(rw)->clear multiauth precedence
show multiauth port
Use this command to display multiple authentication properties for one or more ports.
Syntax
show multiauth port [port-string]
Parameters
port-string           (Optional) Displays multiple authentication information for specific port(s).
Defaults
If port-string is not specified, multiple authentication information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display multiple authentication information for ports ge.3.1-4. The
number of Max users shown by this command varies depending on the platform.
C3(rw)->show multiauth port ge.3.1-4
Port     Mode      Max     Allowed  Current
                   users   users    users
------------------------------------------------------
ge.3.1   auth-opt  n       1        0
ge.3.2   auth-opt  n       1        0
ge.3.3   auth-opt  n       1        0
ge.3.4   auth-opt  n       1        0
set multiauth port
Use this command to set multiple authentication properties for one or more ports.
Syntax
set multiauth port mode {auth-opt | auth-reqd | force-auth | force-unauth} |
numusers numusers port-string
Parameters
mode auth-opt |       Specifies the port(s) multiple authentication mode as:
auth-reqd |           • auth-opt - Authentication optional (non-strict behavior). If a user
force-auth |            does not attempt to authenticate using 802.1x, or if 802.1x
force-unauth            authentication fails, the port will allow traffic to be forwarded
                        according to the defined default VLAN.
                      • auth-reqd - Authentication is required.
                      • force-auth - Authentication considered.
                      • force-unauth - Authentication disabled.
numusers numusers     Specifies the number of users allowed authentication on port(s). Valid
                      values depend on your specific platform. Refer to Appendix A, Policy and
                      Authentication Capacities for information about multi-user capacities.
port-string           Specifies the port(s) on which to set multiple authentication properties.
Defaults
Default value for the number of users allowed to authenticate on a port is 1.
Mode
Switch command, read-write.
Examples
This example shows how to set the port multiple authentication mode to required on ge.3.14:
C3(rw)->set multiauth port mode auth-reqd ge.3.14
This example shows how to set the number of users allowed to authenticate on port ge.3.14 to 2:
C3(rw)->set multiauth port numusers 2 ge.3.14
clear multiauth port
Use this command to clear multiple authentication properties for one or more ports.
Syntax
clear multiauth port {mode | numusers} port-string
Parameters
mode                  Clears the specified port's multiple authentication mode.
numusers              Clears the value set for the number of users allowed authentication on the
                      specified port.
port-string           Specifies the port or ports on which to clear multiple authentication
                      properties.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example shows how to clear the port multiple authentication mode on port ge.3.14:
C3(rw)->clear multiauth port mode ge.3.14
This example shows how to clear the number of users on port ge.3.14:
C3(rw)->clear multiauth port numusers ge.3.14
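A check an administrator could run over captured show multiauth port output to list the ports whose mode is anything other than auth-reqd, as an added example (not code from this guide or from Enterasys). The sample output is constructed in the layout shown for show multiauth port; its Max users value of 8 and the port-name pattern are assumptions.

```python
"""Audit captured "show multiauth port" output for ports not set to auth-reqd."""
import re

# Wording follows the mode descriptions in the set multiauth port parameter table.
MODE_NOTES = {
    "auth-opt": ("authentication optional: traffic is forwarded on the default "
                 "VLAN if 802.1x is not attempted or fails"),
    "auth-reqd": "authentication is required",
    "force-auth": "authentication considered",
    "force-unauth": "authentication disabled",
}

# Assumed port designation shape, for example ge.3.1.
PORT_RE = re.compile(r"^[a-z]+\.\d+\.\d+$")

# Constructed sample in the column layout of the guide's example.
SAMPLE_OUTPUT = """\
C3(rw)->show multiauth port ge.3.1-4
Port     Mode          Max     Allowed  Current
                       users   users    users
------------------------------------------------------
ge.3.1   auth-opt      8       1        0
ge.3.2   auth-reqd     8       2        1
ge.3.3   force-auth    8       1        1
ge.3.4   force-unauth  8       1        0
"""


def to_count(field):
    """Return a user count as int, or None for a placeholder such as the guide's 'n'."""
    return int(field) if field.isdigit() else None


def parse_multiauth_ports(output):
    """Parse the data rows of "show multiauth port" into a list of dictionaries."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        # Data rows have exactly five columns and start with a port designation;
        # the prompt line, both header lines and the dashed rule do not.
        if len(fields) != 5 or not PORT_RE.match(fields[0]):
            continue
        port, mode, max_users, allowed, current = fields
        if mode not in MODE_NOTES:
            raise ValueError(f"{port}: unknown multiauth mode {mode!r}")
        rows.append({
            "port": port,
            "mode": mode,
            "max_users": to_count(max_users),
            "allowed_users": to_count(allowed),
            "current_users": to_count(current),
        })
    return rows


def ports_not_requiring_auth(rows):
    """Return (port, mode, note) for every port whose mode is not auth-reqd."""
    return [(r["port"], r["mode"], MODE_NOTES[r["mode"]])
            for r in rows if r["mode"] != "auth-reqd"]


def report(output):
    """Build one text line per finding, ready to paste into a review ticket."""
    return [f"{port}: mode {mode} ({note})"
            for port, mode, note in ports_not_requiring_auth(
                parse_multiauth_ports(output))]


if __name__ == "__main__":
    for finding in report(SAMPLE_OUTPUT):
        print(finding)
```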
show multiauth station
Use this command to display multiple authentication station (end user) entries.
Syntax
show multiauth station [mac address] [port port-string]
Parameters
mac address           (Optional) Displays multiple authentication station entries for a specific
                      MAC address.
port port-string      (Optional) Displays multiple authentication station entries for one or more
                      ports.
Mode
Switch command, read-only.
Defaults
If no options are specified, multiple authentication station entries will be displayed for all MAC
addresses and ports.
Example
This example shows how to display multiple authentication station entries. In this case, two end
user MAC addresses are shown:
C3(rw)->show multiauth station
Port      Address type  Address
------------------------------------------------
ge.1.20   mac           00-10-a4-9e-24-87
ge.2.16   mac           00-b0-d0-e5-0c-d0
show multiauth session
Use this command to display multiple authentication session entries.
Syntax
show multiauth session [all] [agent {dot1x | mac | pwa}] [mac address]
[port port-string]
Parameters
all                   (Optional) Displays information about all sessions, including those with
                      terminated status.
agent dot1x | mac |   (Optional) Displays 802.1X, or MAC, or port web authentication session
pwa                   information.
mac address           (Optional) Displays multiple authentication session entries for specific
                      MAC address(es).
port port-string      (Optional) Displays multiple authentication session entries for the
                      specified port or ports.
Defaults
If no options are specified, multiple authentication session entries will be displayed for all
sessions, authentication types, MAC addresses, and ports.
Mode
Switch command, read-only.
Example
This example shows how to display multiple authentication session information for port ge.1.1.
C3(su)->show multiauth session port ge.1.1
__________________________________________
Port             | ge.1.1         Station address  | 00-01-03-86-0A-87
Auth status      | success        Last attempt     | FRI MAY 18 11:16:36 2007
Agent type       | dot1x          Session applied  | true
Server type      | radius         VLAN-Tunnel-Attr | none
Policy index     | 0              Policy name      | Administrator
Session timeout  | 0              Session duration | 0,00:00:25
Idle timeout     | 5              Idle time        | 0,00:00:00
Termination time | Not Terminated
show multiauth idle-timeout
Use this command to display the timeout value, in seconds, for an idle session for all
authentication methods.
Syntax
show multiauth idle-timeout
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display timeout values for an idle session for all authentication types.
C3(su)->show multiauth idle-timeout
Authentication type   Timeout (sec)
--------------------------------
dot1x                 0
pwa                   0
mac                   0

set multiauth idle-timeout
Use this command to set the maximum number of consecutive seconds an authenticated session may be idle before termination of the session.
Syntax
set multiauth idle-timeout [dot1x | mac | pwa] timeout
Parameters
dot1x     (Optional) Specifies the IEEE 802.1X port-based network access control authentication method for which to set the timeout value.
mac       (Optional) Specifies the Enterasys MAC authentication method for which to set the timeout value.
pwa       (Optional) Specifies the Enterasys Port Web Authentication method for which to set the timeout value.
timeout   Specifies the timeout value in seconds. The value can range from 0 to 65535. A value of 0 means that no idle timeout will be applied unless an idle timeout value is provided by the authenticating server.
Defaults
If no authentication method is specified, the idle timeout value is set for all authentication methods.
Mode
Switch mode, read-write.
Usage
If you set an idle timeout value, a MAC user whose MAC address has aged out of the forwarding database will be unauthenticated if no traffic has been seen from that address for the specified idle timeout period.
A value of zero indicates that no idle timeout will be applied unless an idle timeout value is provided by the authenticating server. For example, if a session is authenticated by a RADIUS server, that server may encode an Idle-Timeout Attribute in its authentication response.
Example
This example sets the idle timeout value for all authentication methods to 300 seconds.
C3(su)->set multiauth idle-timeout 300

clear multiauth idle-timeout
Use this command to reset the maximum number of consecutive seconds an authenticated session may be idle before termination of the session to its default value of 0.
Syntax
clear multiauth idle-timeout [dot1x | mac | pwa]
Parameters
dot1x   (Optional) Specifies the IEEE 802.1X port-based network access control authentication method for which to reset the timeout value to its default.
mac     (Optional) Specifies the Enterasys MAC authentication method for which to reset the timeout value to its default.
pwa     (Optional) Specifies the Enterasys Port Web Authentication method for which to reset the timeout value to its default.
Defaults
If no authentication method is specified, the idle timeout value is reset to its default value of 0 for all authentication methods.
Mode
Switch mode, read-write.
Example
This example resets the idle timeout value for all authentication methods to 0 seconds.
C3(su)->clear multiauth idle-timeout

show multiauth session-timeout
Use this command to display the session timeout value, in seconds, for all authentication methods.
Syntax
show multiauth session-timeout
Parameters
None.
Defaults
None.
Mode
Switch mode, read-only.
Example
This example displays the session timeout values for all authentication methods.
C3(su)->show multiauth session-timeout
Authentication type Timeout (sec)
------------------- -------------
dot1x               0
pwa                 0
mac                 0

set multiauth session-timeout
Use this command to set the maximum number of seconds an authenticated session may last before termination of the session.
Syntax
set multiauth session-timeout [dot1x | mac | pwa] timeout
Parameters
dot1x     (Optional) Specifies the IEEE 802.1X port-based network access control authentication method for which to set the session timeout value.
mac       (Optional) Specifies the Enterasys MAC authentication method for which to set the session timeout value.
pwa       (Optional) Specifies the Enterasys Port Web Authentication method for which to set the session timeout value.
timeout   Specifies the timeout value in seconds. The value can range from 0 to 65535. A value of 0 means that no session timeout will be applied unless a session timeout value is provided by the authenticating server.
Defaults
If no authentication method is specified, the session timeout value is set for all authentication methods.
Mode
Switch mode, read-write.
Usage
A value of zero may be superseded by a session timeout value provided by the authenticating server. For example, if a session is authenticated by a RADIUS server, that server may encode a Session-Timeout Attribute in its authentication response.
Example
This example sets the session timeout value for the IEEE 802.1X authentication method to 300 seconds.
C3(su)->set multiauth session-timeout dot1x 300

clear multiauth session-timeout
Use this command to reset the maximum number of consecutive seconds an authenticated session may last before termination of the session to its default value of 0.
Syntax
clear multiauth session-timeout [dot1x | mac | pwa]
Parameters
dot1x   (Optional) Specifies the IEEE 802.1X port-based network access control authentication method for which to reset the timeout value to its default.
mac     (Optional) Specifies the Enterasys MAC authentication method for which to reset the timeout value to its default.
pwa     (Optional) Specifies the Enterasys Port Web Authentication method for which to reset the timeout value to its default.
Defaults
If no authentication method is specified, the session timeout value is reset to its default value of 0 for all authentication methods.
Mode
Switch mode, read-write.
Example
This example resets the session timeout value for the IEEE 802.1X authentication method to 0 seconds.
C3(su)->clear multiauth session-timeout dot1x

Configuring User + IP Phone Authentication
User + IP phone authentication is a legacy feature that allows a user and their IP phone to both use a single port on the switch but to have separate policy roles. The user's PC and their IP phone are daisy-chained together with a single connection to the network.

This special application of multi-user authentication was inherited from legacy platforms (such as the B2 and C2) that could not natively support multiple users per port. The SecureStack C3 can support multiple users per port, so the User + IP phone application should only be used if you are integrating SecureStack C3s into a legacy deployment.

With User + IP Phone authentication, the policy role for the IP phone is statically mapped using a policy admin rule which assigns any packets received with a VLAN tag set to a specific VID (for example, Voice VLAN) to a specified policy role (for example, IP Phone policy role). Therefore, it is required that the IP phone be configured to send VLAN-tagged packets tagged for the Voice VLAN. Refer to the Usage section for the command "set policy rule" on page 11-10 for additional information about configuring a policy admin rule that maps a VLAN tag to a policy role.

Note that if the IP phone authenticates to the network, the RADIUS accept message must return null values for RFC 3580 tunnel attributes and the Filter-ID.

The second policy role, for the user, can either be statically configured with the default policy role on the port or dynamically assigned through authentication to the network (using a RADIUS Filter-ID). When the default policy role is assigned on a port, the VLAN set as the port's PVID is mapped to the default policy role. When a policy role is dynamically applied to a user as the result of a successfully authenticated session, the "authenticated VLAN" is mapped to the policy role set in the Filter-ID returned from the RADIUS server. The "authenticated VLAN" may either be the PVID of the port, if the PVID Override for the policy profile is disabled, or the VLAN specified in the PVID Override if the PVID Override is enabled.

Configuring VLAN Authorization (RFC 3580)
Purpose
RFC 3580 Tunnel Attributes provide a mechanism to contain an 802.1X, MAC, or PWA authenticated user to a VLAN regardless of the PVID. This is referred to as dynamic VLAN assignment.

Please see section 3.31 of RFC 3580 for details on configuring a RADIUS server to return the desired tunnel attributes. As stated in RFC 3580, "... it may be desirable to allow a port to be placed into a particular Virtual LAN (VLAN), defined in [IEEE8021Q], based on the result of the authentication."

The RADIUS server typically indicates the desired VLAN by including tunnel attributes within its Access-Accept parameters. However, the IEEE 802.1X or MAC authenticator can also be configured to instruct the VLAN to be assigned to the supplicant by including tunnel attributes within Access-Request parameters.

The following tunnel attributes are used in VLAN authorization assignment:
- Tunnel-Type = VLAN (13)
- Tunnel-Medium-Type = 802
- Tunnel-Private-Group-ID = VLANID

In order to authenticate RFC 3580 users, policy maptable response must be set to tunnel as described in "Configuring Policy Maptable Response" on page 26-52.
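
The three tunnel attributes listed above can be checked in a captured Access-Accept before trusting a dynamic VLAN assignment. The following is an added example, not code from Enterasys: it walks the attribute section of a RADIUS reply and returns the VLAN ID only when the complete triplet is present and well formed. The attribute type codes (64, 65, 81) and the medium value 6 come from RFC 2868, the 1 to 4094 range from RFC 3580; the function names and sample bytes are constructed for illustration.

```python
# Added example: validate RFC 3580 tunnel attributes in a RADIUS reply.
TUNNEL_TYPE = 64               # RFC 2868 attribute type codes
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TYPE_VLAN = 13                 # Tunnel-Type = VLAN (13)
MEDIUM_802 = 6                 # Tunnel-Medium-Type = 802


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute: type octet, length octet, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def tunnel_triplet(vlan_id, tag=0):
    """Build constructed sample bytes: the triplet a server returns for vlan_id."""
    tag_octet = bytes([tag])
    group = (tag_octet if tag else b"") + str(vlan_id).encode("ascii")
    return (
        encode_attr(TUNNEL_TYPE, tag_octet + TYPE_VLAN.to_bytes(3, "big"))
        + encode_attr(TUNNEL_MEDIUM_TYPE, tag_octet + MEDIUM_802.to_bytes(3, "big"))
        + encode_attr(TUNNEL_PRIVATE_GROUP_ID, group)
    )


def iter_attrs(blob):
    """Yield (type, value) pairs; raise ValueError on a malformed length."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        yield attr_type, blob[pos + 2:pos + length]
        pos += length


def vlan_from_attrs(blob):
    """Return the assigned VLAN ID, or None if no complete, valid triplet exists."""
    groups = {}  # tunnel tag -> {attribute type: value}
    for attr_type, value in iter_attrs(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                continue  # must be a tag octet plus a 3-octet value
            number = int.from_bytes(value[1:], "big")
            groups.setdefault(value[0], {})[attr_type] = number
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first octet of 0x00-0x1F is a tag; anything higher is already
            # the first character of the VLAN ID string (RFC 2868).
            if value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            groups.setdefault(tag, {})[attr_type] = text
    for tag in sorted(groups):
        group = groups[tag]
        if group.get(TUNNEL_TYPE) != TYPE_VLAN:
            continue
        if group.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_802:
            continue
        text = group.get(TUNNEL_PRIVATE_GROUP_ID, b"")
        if text.isdigit() and 1 <= int(text.decode("ascii")) <= 4094:
            return int(text.decode("ascii"))
    return None


if __name__ == "__main__":
    print(vlan_from_attrs(tunnel_triplet(144)))
```

A reply that carries only part of the triplet, or a group ID that is not a VLAN number, yields None, which is the case to alert on when a port unexpectedly stays in its PVID.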
Commands
Note: A policy license, if applicable, is not required to deploy RFC 3580 dynamic VLAN
assignment.
For information about... Refer to page...
set vlanauthorization 26-50
set vlanauthorization egress 26-50
clear vlanauthorization 26-51
show vlanauthorization 26-51

set vlanauthorization
Enable or disable the use of the RADIUS VLAN tunnel attribute to put a port into a particular VLAN based on the result of authentication.
Syntax
set vlanauthorization {enable | disable} [port-string]
Parameters
enable | disable   Enables or disables vlan authorization/tunnel attributes.
port-string        (Optional) Specifies which ports to enable or disable the use of VLAN tunnel attributes/authorization. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
VLAN authentication is disabled by default.
Mode
Switch command, read-write.
Examples
This example shows how to enable VLAN authentication for all Gigabit Ethernet ports:
C3(rw)-> set vlanauthorization enable ge.*.*
This example shows how to disable VLAN authentication for all Gigabit Ethernet ports on switch unit/module 3:
C3(rw)-> set vlanauthorization disable ge.3.*

set vlanauthorization egress
Controls the modification of the current VLAN egress list of 802.1x authenticated ports for the VLANs returned in the RADIUS authorization filter id string.
Syntax
set vlanauthorization egress {none | tagged | untagged} port-string
Parameters
none          Specifies that no egress manipulation will be made.
tagged        Specifies that the authenticating port will be added to the current tagged egress for the VLAN-ID returned.
untagged      Specifies that the authenticating port will be added to the current untagged egress for the VLAN-ID returned (default).
port-string   Specifies the port or list of ports to which this command will apply. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
By default, administrative egress is set to untagged.
Mode
Switch command, read-write.
Example
This example shows how to enable the insertion of the RADIUS assigned VLAN to an 802.1q tag for all outbound frames for ports 10 through 15 on unit/module number 3.
C3(rw)->set vlanauthorization egress tagged ge.3.10-15

clear vlanauthorization
Use this command to return port(s) to the default configuration of VLAN authorization disabled, egress untagged.
Syntax
clear vlanauthorization [port-string]
Parameters
port-string   (Optional) Specifies which ports are to be restored to default configuration. If no port-string is entered, the action will be a global setting. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If no port-string is entered, all ports will be reset to default configuration with VLAN authorization disabled and egress frames untagged.
Mode
Switch command, read-write.
Example
This example shows how to clear VLAN authorization for all ports on slots 3, 4, and 5:
C3(rw)->clear vlanauthorization ge.3-5.*

show vlanauthorization
Displays the VLAN authentication status and configuration information for the specified ports.
Syntax
show vlanauthorization [port-string]
Parameters
port-string   (Optional) Displays VLAN authentication status for the specified ports. If no port-string is entered, then the global status of the setting is displayed. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If no port-string is entered, the status for all ports will be displayed.
Mode
Switch command, read-only.
Example
This command shows how to display VLAN authorization status for ge.1.1:
C3(su)->show vlanauthorization ge.1.1
Vlan Authorization: - enabled
port     status    administrative  operational  authenticated  vlan id
                   egress          egress       mac address
------------------------------------------------------------------------
ge.1.1   enabled   untagged
Table 26-5 provides an explanation of command output. For details on enabling and assigning protocol and egress attributes, refer to "set vlanauthorization" on page 26-50 and "set vlanauthorization egress" on page 26-50.

Table 26-5 show vlanauthorization Output Details
Output Field                What It Displays...
port                        Port identification
status                      Port status as assigned by set vlanauthorization command
administrative egress       Port status as assigned by the set vlanauthorization egress command
operational egress          Port operational status of vlanauthorization egress.
authenticated mac address   If authentication has succeeded, displays the MAC address assigned for egress.
vlan id                     If authentication has succeeded, displays the assigned VLAN id for ingress.

Configuring Policy Maptable Response
The policy maptable response feature allows you to define how the system should handle allowing an authenticated user onto a port based on the contents of the RADIUS server Access-Accept reply. There are three possible response settings: tunnel mode, policy mode, or both tunnel and policy, also known as hybrid authentication mode.

When the maptable response is set to tunnel mode, the system will use the tunnel attributes in the RADIUS reply to apply a VLAN to the authenticating user and will ignore any Filter-ID attributes in the RADIUS reply. On this platform, when tunnel mode is configured, no VLAN-to-policy mapping will occur. When using VLAN authorization, the policy maptable response should be set to tunnel (see "Configuring VLAN Authorization (RFC 3580)" on page 26-49).

When the maptable response is set to policy mode, the system will use the Filter-ID attributes in the RADIUS reply to apply a policy to the authenticating user and will ignore any tunnel attributes in the RADIUS reply. On this platform, when policy mode is configured, no VLAN-to-policy mapping will occur.

When the maptable response is set to both, or hybrid authentication mode, both Filter-ID attributes (dynamic policy assignment) and tunnel attributes (dynamic VLAN assignment) sent in RADIUS server Access-Accept replies are used to determine how the switch should handle authenticating users. On this platform, when hybrid authentication mode is configured, VLAN-to-policy mapping can occur, as described below in "When Policy Maptable Response is Both" on page 26-53.

Using hybrid authentication mode eliminates the dependency on having to assign VLANs through policy roles: VLANs can be assigned by means of the tunnel attributes while policy roles can be assigned by means of the Filter-ID attributes. Alternatively, VLAN-to-policy mapping can be used to map policies to users using the VLAN specified by the tunnel attributes, without having to configure Filter-ID attributes on the RADIUS server. This separation gives administrators more flexibility in segmenting their networks beyond the platform's hardware policy role limits.

Refer to "RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment" on page 26-3 for more information about Filter-ID attributes and "Configuring VLAN Authorization (RFC 3580)" on page 26-49 for more information about tunnel attributes.

Operational Description

When Policy Maptable Response is Both
Hybrid authentication mode uses both Filter-ID attributes and tunnel attributes. To enable hybrid authentication mode, use the set policy maptable command and set the response parameter to both. When configured to use both sets of attributes:
- If both the Filter-ID and tunnel attributes are present in the RADIUS reply, then the policy profile specified by the Filter-ID is applied to the authenticating user, and if VLAN authorization is enabled globally and on the authenticating user's port, the VLAN specified by the tunnel attributes is applied to the authenticating user.
  If VLAN authorization is not enabled, the VLAN specified by the policy profile is applied. See "Configuring VLAN Authorization (RFC 3580)" on page 26-49 for information about enabling VLAN authorization globally and on specific ports.
- If the Filter-ID attributes are present but the tunnel attributes are not present, the policy profile specified by the Filter-ID is applied, along with the VLAN specified by the policy profile.
- If the tunnel attributes are present but the Filter-ID attributes are not present or are invalid, and if VLAN authorization is enabled globally and on the authenticating user's port, then the switch will check the VLAN-to-policy mapping table (configured with the set policy maptable command):
  - If an entry mapping the received VLAN ID to a valid policy profile is found, then that policy profile, along with the VLAN specified by the policy profile, will be applied to the authenticating user.
  - If no matching mapping table entry is found, the VLAN specified by the tunnel attributes will be applied to the authenticating user.
  - If the VLAN-to-policy mapping table is invalid, then the etsysPolicyRFC3580MapInvalidMapping MIB is incremented and the VLAN specified by the tunnel attributes will be applied to the authenticating user.
  If VLAN authorization is not enabled, the tunnel attributes are ignored.

When Policy Maptable Response is Policy
When the switch is configured to use only Filter-ID attributes, by setting the set policy maptable command response parameter to policy:
- If the Filter-ID attributes are present, the specified policy profile will be applied to the authenticating user. If no Filter-ID attributes are present, or if the policy ID is unknown or invalid, the default policy (if it exists) will be applied.
- If the tunnel attributes are present, they are ignored. No VLAN-to-policy mapping will occur.
On switches that support policy, the default maptable response mode is policy. On switches that do not support policy, the default maptable response mode is tunnel.

When Policy Maptable Response is Tunnel
When the switch is configured to use only tunnel attributes, by setting the set policy maptable command response parameter to tunnel, and if VLAN authorization is enabled both globally and on the authenticating user's port:
- If the tunnel attributes are present, the specified VLAN will be applied to the authenticating user. No VLAN-to-policy mapping will occur.
- If the tunnel attributes are not present, the default policy VLAN will be applied if it exists. Otherwise, the port VLAN will be applied.
- If the Filter-ID attributes are present, they are ignored.
If VLAN authorization is not enabled, the user will be allowed onto the port with the default policy, if it exists. If no default policy exists, the port VLAN will be applied.
On switches that support policy, the default maptable response mode is policy. On switches that do not support policy, the default maptable response mode is tunnel.
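
The three response modes described above can be reviewed as one decision function, which helps when predicting what a given Access-Accept will grant before changing the maptable response on production ports. This is an added example, a simplified model of the rules in this section and not Enterasys firmware logic; the class and field names are hypothetical, profiles are identified by name, and the fallback used in hybrid mode when neither attribute is usable is an assumption because the guide does not state it.

```python
# Added example: model of the maptable response rules described in this section.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Reply:
    filter_id: Optional[str] = None    # policy profile named by Filter-ID
    tunnel_vlan: Optional[int] = None  # VLAN from the RFC 3580 tunnel attributes


@dataclass(frozen=True)
class Switch:
    response: str                      # "both", "policy" or "tunnel"
    vlanauth_enabled: bool             # enabled globally AND on the user's port
    profiles: frozenset = frozenset()  # valid policy profile names
    maptable: dict = field(default_factory=dict)  # VLAN ID -> profile name
    default_policy: Optional[str] = None


@dataclass(frozen=True)
class Decision:
    policy: Optional[str]              # policy profile applied, if any
    vlan_source: str                   # "tunnel", "policy-profile" or "port"
    vlan_id: Optional[int] = None      # set only when the tunnel VLAN is used


def _fallback(sw):
    """Default policy (and its VLAN) if one exists, otherwise the port VLAN."""
    if sw.default_policy is not None:
        return Decision(sw.default_policy, "policy-profile")
    return Decision(None, "port")


def decide(sw, reply):
    """Return what the switch applies to the authenticating user."""
    filter_ok = reply.filter_id in sw.profiles  # absent or unknown -> False
    tunnel_ok = reply.tunnel_vlan is not None and sw.vlanauth_enabled

    if sw.response == "policy":
        # Tunnel attributes are ignored; no VLAN-to-policy mapping occurs.
        if filter_ok:
            return Decision(reply.filter_id, "policy-profile")
        return _fallback(sw)

    if sw.response == "tunnel":
        # Filter-ID is ignored; no VLAN-to-policy mapping occurs.
        if tunnel_ok:
            return Decision(None, "tunnel", reply.tunnel_vlan)
        return _fallback(sw)

    if sw.response != "both":
        raise ValueError("unknown maptable response: %r" % sw.response)

    if filter_ok:
        if tunnel_ok:
            return Decision(reply.filter_id, "tunnel", reply.tunnel_vlan)
        return Decision(reply.filter_id, "policy-profile")
    if tunnel_ok:
        mapped = sw.maptable.get(reply.tunnel_vlan)
        if mapped in sw.profiles:
            # VLAN-to-policy mapping: the profile and the profile's VLAN apply.
            return Decision(mapped, "policy-profile")
        return Decision(None, "tunnel", reply.tunnel_vlan)
    # Assumption: the guide does not state the outcome here; the model
    # reuses the policy-mode fallback.
    return _fallback(sw)


if __name__ == "__main__":
    # Mapping table entries taken from the guide's show policy maptable example.
    hybrid = Switch("both", True, frozenset({"Students", "Faculty"}),
                    {144: "Students", 160: "Faculty"}, "Guest")
    print(decide(hybrid, Reply(tunnel_vlan=144)))
```

The case worth testing in a lab is a reply with tunnel attributes but no Filter-ID: in hybrid mode a mapping table entry silently turns the returned VLAN into a policy role, and with VLAN authorization disabled the same reply is ignored.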

Commands
For information about...   Refer to page...
show policy maptable       26-54
set policy maptable        26-55
clear policy maptable      26-56

show policy maptable
Use this command to display information about the current VLAN-to-policy mapping table and the switch's policy maptable response setting.
Syntax
show policy maptable [vlan-list]
Parameters
vlan-list   (Optional) Specifies the VLAN or list of VLANs for which to display the VLAN-to-policy settings.
Defaults
If no VLAN list is specified, all entries in the VLAN-to-policy mapping table are displayed.
Mode
Switch command, read-only.
Usage
This command displays both the policy maptable response setting, and the entries in the VLAN-to-policy mapping table for one or multiple VLANs. Refer to "Operational Description" on page 26-53 for information about how the VLAN-to-policy mapping table is used.
Example
This example shows how to display the policy maptable response and all the entries in the VLAN-to-policy mapping table. In this example, hybrid authentication mode is enabled (because the policy maptable response is both).
C3(rw)->show policy maptable
Policy map response    : both
Policy map last change : 1 days 00:23:57
VLAN ID  Policy Profile
144      4 (Students)
160      7 (Faculty)

set policy maptable
Use this command to configure the VLAN-to-policy mapping table and also the switch's maptable response setting, that is, whether the switch is in tunnel mode, policy mode, or hybrid authentication mode.
Syntax
set policy maptable {vlan-list policy-index | response {both | policy | tunnel}}
Parameters
vlan-list policy-index   Specifies an entry in the VLAN-to-policy mapping table, which relates a policy profile with a VLAN ID or range of IDs. vlan-list can range from 1 to 4093. policy-index can range from 1 to 1023.
response                 Indicates that this command is configuring the policy maptable response.
both                     Sets the maptable response to look at both the Filter-ID and tunnel attributes in a RADIUS Access-Accept reply to determine how to handle an authenticating user. This is equivalent to enabling hybrid authentication mode.
policy                   Sets the maptable response to policy mode. The system will look at only the Filter-ID attributes in a RADIUS Access-Accept reply to determine how to handle an authenticating user.
tunnel                   Sets the maptable response to tunnel mode. The system will look at only the tunnel attributes in a RADIUS Access-Accept reply to determine how to handle an authenticating user.
Defaults
No mapping table entries are configured.
The default policy maptable response setting is policy mode.
Mode
Switch command, read-write.
Usage
This command can be used to create entries in the VLAN-to-policy mapping table and also to set the switch's maptable response. Refer to "Operational Description" on page 26-53 for more information about the switch's operations for all maptable response parameters.
When you are using VLAN authorization for dynamic VLAN assignment, you should set the policy maptable response to tunnel. See "Configuring VLAN Authorization (RFC 3580)" on page 26-49.
Examples
This example shows how to set the policy maptable response to both, or hybrid authentication mode:
C3(rw)->set policy maptable response both
This example shows how to configure a policy mapping entry that will map VLAN 144 to policy profile 4.
C3(rw)->set policy maptable 144 4

clear policy maptable
Use this command to clear a VLAN-to-policy mapping table entry or to reset the maptable response to the default value of policy mode.
Syntax
clear policy maptable {vlan-list | response}
Parameters
vlan-list   Clears the policy profile mapping for the specified VLAN ID or range of VLANs.
response    Resets the maptable response to policy.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command can be used to remove an entry in the VLAN-to-policy mapping table or to change the maptable response back to the default value of policy mode.
Example
This example removes the entry in the mapping table for VLAN 144.
C3(rw)->show policy maptable
Policy map response    : both
Policy map last change : 1 days 17:23:57
VLAN ID  Policy Profile
144      4 (Students)
160      7 (Faculty)
C3(rw)->clear policy maptable 144
C3(rw)->show policy maptable
Policy map response    : both
Policy map last change : 1 days 17:24:01
VLAN ID  Policy Profile
160      7 (Faculty)

Configuring MAC Locking
This feature locks a MAC address to one or more ports, preventing connection of unauthorized devices through the port(s). When source MAC addresses are received on specified ports, the switch discards all subsequent frames not containing the configured source addresses. The only frames forwarded on a "locked" port are those with the "locked" MAC address(es) for that port.

There are two methods of locking a MAC to a port: first arrival and static. The first arrival method is defined to be locking the first n number of MACs which arrive on a port configured with MAC locking enabled. The value n is configured with the set maclock firstarrival command.

The static method is defined to be statically provisioning a MAC-port lock using the set maclock command. The maximum number of static MAC addresses allowed for MAC locking on a port can be configured with the set maclock static command.

You can configure the switch to issue a violation trap if a packet arrives with a source MAC address different from any of the currently locked MAC addresses for that port.

MACs are unlocked as a result of:
- A link down event
- When MAC locking is disabled on a port
- When a MAC is aged out of the forwarding database when FirstArrival aging is enabled

When properly configured, MAC locking is an excellent security tool as it prevents MAC spoofing on configured ports. Also, if a MAC were to be secured by something like Dragon Dynamic Intrusion Detection, MAC locking would make it more difficult for a hacker to send packets into the network because the hacker would have to change their MAC address and move to another port. In the meantime the system administrator would be receiving a maclock trap notification.

Purpose
To review, disable, enable, and configure MAC locking.

Commands
For information about...        Refer to page...
show maclock                    26-58
show maclock stations           26-59
set maclock enable              26-60
set maclock disable             26-61
set maclock                     26-61
clear maclock                   26-62
set maclock static              26-63
clear maclock static            26-63
set maclock firstarrival        26-64
clear maclock firstarrival      26-65
set maclock agefirstarrival     26-65
clear maclock agefirstarrival   26-66
set maclock move                26-66
set maclock trap                26-67

show maclock
Use this command to display the status of MAC locking on one or more ports.
Syntax
show maclock [port-string]
Parameters
port-string   (Optional) Displays MAC locking status for specified port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, MAC locking status will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display MAC locking information for ge.1.1.
C3(su)->show maclock ge.1.1
MAC locking is globally enabled
Port    Port     Trap      Aging    Max Static  Max FirstArrival  Last Violating
Number  Status   Status    Status   Allocated   Allocated         MAC Address
---------------------------------------------------------------------------------
ge.1.1  enabled  disabled  enabled  20          1                 00:a0:c9:39:5c:b4
Table 26-6 provides an explanation of the command output.

Table 26-6 show maclock Output Details
Output Field                 What It Displays...
Port Number                  Port designation. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Port Status                  Whether MAC locking is enabled or disabled on the port. MAC locking is globally disabled by default. For details on enabling MAC locking on the switch and on one or more ports, refer to "set maclock enable" on page 26-60 and "set maclock" on page 26-61.
Trap Status                  Whether MAC lock trap messaging is enabled or disabled on the port. For details on setting this status, refer to "set maclock trap" on page 26-67.
Aging Status                 Whether aging of FirstArrival MAC addresses is enabled or disabled on the port. Refer to "set maclock agefirstarrival" on page 26-65.
Max Static Allocated         The maximum static MAC addresses allowed locked to the port. For details on setting this value, refer to "set maclock static" on page 26-63.
Max FirstArrival Allocated   The maximum end station MAC addresses allowed locked to the port. For details on setting this value, refer to "set maclock firstarrival" on page 26-64.
Last Violating MAC Address   Most recent MAC address(es) violating the maximum static and first arrival value(s) set for the port.

show maclock stations
Use this command to display MAC locking information about end stations connected to the switch.
Syntax
show maclock stations [firstarrival | static] [port-string]
Parameters
firstarrival   (Optional) Displays MAC locking information about end stations first connected to MAC locked ports.
static         (Optional) Displays MAC locking information about static (management defined) end stations connected to MAC locked ports.
port-string    (Optional) Displays end station information for specified port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If no parameters are specified, MAC locking information will be displayed for all end stations.
Mode
Switch command, read-only.
Example
This example shows how to display MAC locking information for the end stations connected to all Gigabit Ethernet ports in unit/module 2:
C3(su)->show maclock stations ge.2.*
Port Number  MAC Address        Status  State          Aging
--------------------------------------------------------------
ge.2.1       00:a0:c9:39:5c:b4  active  first arrival  true
ge.2.7       00:a0:c9:39:1f:11  active  static         false
Table 26-7 provides an explanation of the command output.

Table 26-7 show maclock stations Output Details
Output Field   What It Displays...
Port Number    Port designation. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
MAC address    MAC address of the end station(s) locked to the port.
Status         Whether the end stations are active or inactive.
State          Whether the end station locked to the port is a first arrival or static connection.
Aging          When true, FirstArrival MACs that have aged out of the forwarding database will be removed for the associated port lock.

set maclock enable
Use this command to enable MAC locking globally or on one or more ports.
Note: MAC locking needs to be enabled globally and on appropriate ports for it to function.
Syntax
set maclock enable [port-string]
Parameters
port-string   (Optional) Enables MAC locking on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, MAC locking will be enabled globally.
Mode
Switch command, read-write.
Usage
When enabled and configured, MAC locking defines which MAC addresses, as well as how many MAC addresses are permitted to use specific port(s).
MAC locking is disabled by default at device startup. Configuring one or more ports for MAC locking requires globally enabling it on the device and then enabling it on the desired ports.
Example
This example shows how to enable MAC locking on ge.2.3:
C3(su)->set maclock enable ge.2.3
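
Because MAC locking only works when it is enabled both globally and per port, and because a violation is only announced when the trap is on, the show maclock table is worth auditing after any change. The following is an added example, not an Enterasys tool: it parses saved show maclock output and lists ports that are unprotected, silent on violations, or already carry a violating MAC. The first data row of the sample is the guide's own example line; the other two rows, the function names, and the treatment of an empty or all-zero last column as "no violation" are constructed assumptions.

```python
# Added example: audit saved "show maclock" output for weak MAC locking settings.
import re

# Constructed sample: row ge.1.1 is from the guide, ge.1.2 and ge.1.3 are made up.
SAMPLE = """\
MAC locking is globally enabled
Port    Port     Trap      Aging    Max Static  Max FirstArrival  Last Violating
Number  Status   Status    Status   Allocated   Allocated         MAC Address
---------------------------------------------------------------------------------
ge.1.1  enabled  disabled  enabled  20          1                 00:a0:c9:39:5c:b4
ge.1.2  disabled disabled  disabled 20          600
ge.1.3  enabled  enabled   disabled 0           1
"""

GLOBAL = re.compile(r"MAC locking is globally (enabled|disabled)")
ROW = re.compile(
    r"^(?P<port>[a-z]+\.\d+\.\d+)\s+(?P<status>enabled|disabled)\s+"
    r"(?P<trap>enabled|disabled)\s+(?P<aging>enabled|disabled)\s+"
    r"(?P<max_static>\d+)\s+(?P<max_first>\d+)"
    r"(?:\s+(?P<violator>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}))?\s*$"
)


def parse_show_maclock(text):
    """Return (global_enabled or None, list of per-port dicts)."""
    match = GLOBAL.search(text)
    global_enabled = None if match is None else match.group(1) == "enabled"
    rows = []
    for line in text.splitlines():
        row = ROW.match(line.strip())
        if row is None:
            continue  # header, separator or prompt line
        entry = row.groupdict()
        entry["max_static"] = int(entry["max_static"])
        entry["max_first"] = int(entry["max_first"])
        if entry["violator"] in (None, "00:00:00:00:00:00"):
            entry["violator"] = None  # assumption: treated as no violation
        rows.append(entry)
    return global_enabled, rows


def audit(text, first_arrival_limit=None):
    """Return (port, finding) tuples; first_arrival_limit is a site policy value."""
    global_enabled, rows = parse_show_maclock(text)
    findings = []
    if global_enabled is not True:
        findings.append(("global", "MAC locking is not globally enabled"))
    for row in rows:
        port = row["port"]
        if row["status"] != "enabled":
            findings.append((port, "MAC locking disabled on port"))
            continue
        if row["trap"] != "enabled":
            findings.append((port, "violation trap disabled"))
        if row["violator"] is not None:
            findings.append((port, "violation recorded from " + row["violator"]))
        if first_arrival_limit is not None and row["max_first"] > first_arrival_limit:
            findings.append((port, "first arrival limit %d exceeds policy %d"
                             % (row["max_first"], first_arrival_limit)))
    return findings


if __name__ == "__main__":
    for port, finding in audit(SAMPLE, first_arrival_limit=1):
        print(port, finding)
```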

set maclock disable
Use this command to disable MAC locking globally or on one or more ports.
Syntax
set maclock disable [port-string]
Parameters
port-string   (Optional) Disables MAC locking on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, MAC locking will be disabled globally on the switch.
Mode
Switch command, read-write.
Example
This example shows how to disable MAC locking on ge.2.3:
C3(su)->set maclock disable ge.2.3

set maclock
Use this command to create a static MAC address-to-port locking, and to enable or disable MAC locking for the specified MAC address and port.
Syntax
set maclock mac-address port-string {create | enable | disable}
Parameters
mac-address        Specifies the MAC address for which MAC locking will be created, enabled or disabled.
port-string        Specifies the port on which to create, enable or disable MAC locking for the specified MAC. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
create             Establishes a MAC locking association between the specified MAC address and port. Create automatically enables MAC locking between the specified MAC address and port.
enable | disable   Enables or disables MAC locking between the specified MAC address and port.
Defaults
None.
Mode
Switch command, read-write.
Usage
Configuring a port for MAC locking requires globally enabling it on the switch first using the set maclock enable command as described in "set maclock enable" on page 26-60.
Static MAC locking a user on multiple ports is not supported.
Statically MAC locked addresses will display in the show mac output (as described on page 14-22) as address type "other" and will not be removed on link down.
Example
This example shows how to create a MAC locking association between MAC address 0e-03-ef-d8-44-55 and port ge.3.2:
C3(rw)->set maclock 0e-03-ef-d8-44-55 ge.3.2 create

clear maclock
Use this command to remove a static MAC address-to-port locking entry.
Syntax
clear maclock mac-address port-string
Parameters
mac-address   Specifies the MAC address that will be removed from the list of static MACs allowed to communicate on the port.
port-string   Specifies the port on which to clear the MAC address. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Usage
The MAC address that is cleared will no longer be able to communicate on the port unless the first arrival limit has been set to a value greater than 0 and this limit has not yet been met.
For example, if user B's MAC is removed from the static MAC address list and the first arrival limit has been set to 0, then user B will not be able to communicate on the port. If user A's MAC is removed from the static MAC address list and the first arrival limit has been set to 10, but only has 7 entries, user A will become the 8th entry and allowed to communicate on the port.
Example
This example shows how to remove a MAC from the list of static MACs allowed to communicate on port ge.3.2:
C3(rw)->clear maclock 0e-03-ef-d8-44-55 ge.3.2

set maclock static
Use this command to set the maximum number of static MAC addresses allowed per port. Static MACs are administratively defined.
Syntax
set maclock static port-string value
Parameters
port-string   Specifies the port on which to set the maximum number of static MACs allowed. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
value         Specifies the maximum number of static MAC addresses allowed per port. Valid values are 0 to 20.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the maximum number of allowable static MACs to 2 on ge.3.1:
C3(rw)->set maclock static ge.3.1 2

clear maclock static
Use this command to reset the number of static MAC addresses allowed per port to the default value of 20.
Syntax
clear maclock static port-string
Parameters
port-string   Specifies the port on which to reset number of static MAC addresses allowed. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the number of allowable static MACs on ge.2.3:
C3(rw)->clear maclock static ge.2.3

set maclock firstarrival
Use this command to restrict MAC locking on a port to a maximum number of end station addresses first connected to that port.
Syntax
set maclock firstarrival port-string value
Parameters
port-string   Specifies the port on which to limit MAC locking. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
value         Specifies the number of first arrival end station MAC addresses to be allowed connections to the port. Valid values are 0 to 600.
Defaults
None.
Mode
Switch command, read-write.
Usage
The maclock first arrival count resets when the link goes down. This feature is beneficial if you have roaming users: the first arrival count will be reset every time a user moves to another port, but will still protect against connecting multiple devices on a single port and will protect against MAC address spoofing.
Note: Setting a port's first arrival limit to 0 does not deny the first MAC address learned on the port from passing traffic.
clear maclock firstarrival
SecureStack C3 Configuration Guide 26-65
Example
ThisexampleshowshowtorestrictMAClockingto6MACaddressesonge.2.3:
C3( su) - >set macl ock f i r st ar r i val ge. 2. 3 6

clear maclock firstarrival
Use this command to reset the number of first arrival MAC addresses allowed per port to the default value of 600.
Syntax
clear maclock firstarrival port-string
Parameters
port-string    Specifies the port on which to reset the first arrival value. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset MAC first arrivals on ge.2.3:
C3(su)->clear maclock firstarrival ge.2.3

set maclock agefirstarrival
Use this command to enable or disable the aging of first arrival MAC addresses. When enabled, first arrival MAC addresses that are aged out of the forwarding database will be removed from the associated port MAC lock.
Syntax
set maclock agefirstarrival port-string {enable | disable}
Parameters
port-string    Specifies the port(s) on which to enable or disable first arrival aging. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
enable | disable    Enable or disable first arrival aging. By default, first arrival aging is disabled.
Defaults
None.
Mode
Switch mode, read-write.
Example
This example enables first arrival aging on port ge.1.1.
C3(su)->set maclock agefirstarrival ge.1.1 enable

clear maclock agefirstarrival
Use this command to reset first arrival aging on one or more ports to its default state of disabled.
Syntax
clear maclock agefirstarrival port-string
Parameters
port-string    Specifies the port(s) on which to disable first arrival aging. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
None.
Mode
Switch mode, read-write.
Example
This example disables first arrival aging on port ge.1.1.
C3(su)->clear maclock agefirstarrival ge.1.1

set maclock move
Use this command to move all current first arrival MACs to static entries.
Syntax
set maclock move port-string
Parameters
port-string    Specifies the port on which MAC will be moved from first arrival MACs to static entries. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
None.
Mode
Switch command, read-write.
Usage
If there are more first arrival MACs than the allowed maximum static MACs, then only the latest first arrival MACs will be moved to static entries. For example, if you set the maximum number of static MACs to 2 with the set maclock static command, and then executed the set maclock move command, even though there were five MACs in the first arrival table, only the two most recent MAC entries would be moved to static entries.
Example
This example shows how to move all current first arrival MACs to static entries on ports ge.3.1-40:
C3(rw)->set maclock move ge.3.1-40
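
The following added example (not part of the Enterasys guide and not switch firmware code) models one port's MAC lock tables so the outcome of clear maclock and set maclock move can be checked before a port is changed. The class and method names and the MAC addresses are constructed; it assumes existing static entries count against the static limit during a move, that unmoved first arrival entries stay in the first arrival table, and it does not model the Note about a limit of 0 and the first learned MAC.

```python
class PortMacLock:
    """State of one port's MAC lock, following the Usage text in this section."""

    def __init__(self, static_limit=20, firstarrival_limit=600):
        self.static_limit = static_limit              # set maclock static (0 to 20)
        self.firstarrival_limit = firstarrival_limit  # set maclock firstarrival (0 to 600)
        self.static = []         # administratively defined entries
        self.first_arrival = []  # learned entries, oldest first

    def create_static(self, mac):
        """set maclock <mac> <port> create"""
        if mac in self.static:
            return
        if len(self.static) >= self.static_limit:
            raise ValueError("static MAC limit reached on this port")
        self.static.append(mac)

    def clear_static(self, mac):
        """clear maclock <mac> <port>"""
        if mac in self.static:
            self.static.remove(mac)

    def frame_from(self, mac):
        """Return True if the station may communicate, False on a violation."""
        if mac in self.static or mac in self.first_arrival:
            return True
        if len(self.first_arrival) < self.firstarrival_limit:
            self.first_arrival.append(mac)  # becomes the next first arrival entry
            return True
        return False  # violating MAC; a trap is sent if set maclock trap is enabled

    def link_down(self):
        """First arrival count resets on link down; static entries remain."""
        self.first_arrival.clear()

    def move(self):
        """set maclock move: promote the most recent first arrivals to static."""
        room = max(self.static_limit - len(self.static), 0)  # assumption, see lead-in
        moved = self.first_arrival[-room:] if room else []
        self.first_arrival = [m for m in self.first_arrival if m not in moved]
        self.static.extend(moved)
        return moved


def learned(n):
    """Constructed sample MAC addresses, oldest first."""
    return [f"00-00-5e-00-53-{i:02x}" for i in range(1, n + 1)]


if __name__ == "__main__":
    # User A case: limit 10, seven entries learned, static entry then cleared.
    port = PortMacLock(firstarrival_limit=10)
    for mac in learned(7):
        port.frame_from(mac)
    port.create_static("0e-03-ef-d8-44-55")
    port.clear_static("0e-03-ef-d8-44-55")
    print(port.frame_from("0e-03-ef-d8-44-55"), len(port.first_arrival))

    # Move case: static limit 2, five first arrivals learned.
    port = PortMacLock(static_limit=2)
    for mac in learned(5):
        port.frame_from(mac)
    print(port.move())
```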

set maclock trap
Use this command to enable or disable MAC lock trap messaging.
Syntax
set maclock trap port-string {enable | disable}
Parameters
port-string    Specifies the port on which MAC lock trap messaging will be enabled or disabled. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
enable | disable    Enables or disables MAC lock trap messaging.
Defaults
None.
Mode
Switch command, read-write.
Usage
When enabled, this feature authorizes the switch to send an SNMP trap message if an end station is connected that exceeds the maximum values configured using the set maclock firstarrival and set maclock static commands. Violating MAC addresses are dropped from the device's (or stack's) filtering database.
Example
This example shows how to enable MAC lock trap messaging on ge.2.3:
C3(su)->set maclock trap ge.2.3 enable
Configuring Port Web Authentication (PWA)
About PWA
PWA provides a way of authenticating users through a Web portal before allowing general access to the network.
To log on using PWA, the user makes a request through a web browser for the PWA web page or is automatically redirected to this login page after requesting a URL in a browser.
Depending upon the authenticated state of the user, a login page or a logout page will display. When a user submits username and password, the switch then authenticates the user via a preconfigured RADIUS server. If the login is successful, then the user will be granted full network access according to the user's policy configuration on the switch.
Purpose
To review, enable, disable, and configure Port Web Authentication (PWA).
Commands
For information about... Refer to page...
show pwa 26-69
set pwa 26-70
show pwa banner 26-71
set pwa banner 26-71
clear pwa banner 26-72
set pwa displaylogo 26-72
set pwa ipaddress 26-73
set pwa protocol 26-73
set pwa guestname 26-74
clear pwa guestname 26-74
set pwa guestpassword 26-75
set pwa gueststatus 26-75
set pwa initialize 26-76
set pwa quietperiod 26-76
set pwa maxrequest 26-77
set pwa portcontrol 26-77
show pwa session 26-78
set pwa enhancedmode 26-79

show pwa
Use this command to display port web authentication information for one or more ports.
Syntax
show pwa [port-string]
Parameters
port-string    (Optional) Displays PWA information for specific port(s).
Defaults
If port-string is not specified, PWA information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display PWA information for ge.2.1:
C3(su)->show pwa ge.2.1
PWA Status                  - enabled
PWA IP Address              - 192.168.62.99
PWA Protocol                - PAP
PWA Enhanced Mode           - N/A
PWA Logo                    - enabled
PWA Guest Networking Status - disabled
PWA Guest Name              - guest
PWA Redirect Time           - N/A
Port     Mode      AuthStatus    QuietPeriod  MaxReq
----------------------------------------------------------
ge.2.1   disabled  disconnected  60           16
Table 26-8 provides an explanation of the command output.
Table 26-8 show pwa Output Details
Output Field    What It Displays...
PWA Status    Whether or not port web authentication is enabled or disabled. Default state of disabled can be changed using the set pwa command as described in "set pwa" on page 26-70.
PWA IP Address    IP address of the end station from which PWA will prevent network access until the user is authenticated. Set using the set pwa ipaddress command as described in "set pwa ipaddress" on page 26-73.
PWA Protocol    Whether PWA protocol is CHAP or PAP. Default setting of PAP can be changed using the set pwa protocol command as described in "set pwa protocol" on page 26-73.
PWA Enhanced Mode    Whether PWA enhanced mode is enabled or disabled. Default state of disabled can be changed using the set pwa enhancedmode command as described in "set pwa enhancedmode" on page 26-79.
PWA Logo    Whether the Enterasys logo will be displayed or hidden at user login. Default state of enabled (displayed) can be changed using the set pwa displaylogo command as described in "set pwa displaylogo" on page 26-72.
PWA Guest Networking Status    Whether PWA guest user status is disabled or enabled with RADIUS or no authentication. Default state of disabled can be changed using the set pwa gueststatus command as described in "set pwa gueststatus" on page 26-75.
PWA Guest Name    Guest user name for PWA enhanced mode networking. Default value of guest can be changed using the set pwa guestname command as described in "set pwa guestname" on page 26-74.
PWA Guest Password    Guest user's password. Default value of an empty string can be changed using the set pwa guestpassword command as described in "set pwa guestpassword" on page 26-75.
PWA Redirect Time    Time in seconds after login success before the user is redirected to the PWA home page.
Port    PWA port designation.
Mode    Whether PWA is enabled or disabled on this port.
Auth Status    Whether or not the port state is disconnected, authenticating, authenticated, or held (authentication has failed).
Quiet Period    Amount of time a port will be in the held state after a user unsuccessfully attempts to log on to the network. Default value of 60 can be changed using the set pwa quietperiod command as described in "set pwa quietperiod" on page 26-76.
MaxReq    Maximum number of log on attempts allowed before transitioning the port to a held state. Default value of 2 can be changed using the set pwa maxrequests command as described in "set pwa maxrequest" on page 26-77.

set pwa
Use this command to enable or disable port web authentication.
Syntax
set pwa {enable | disable}
Parameters
enable | disable    Enables or disables port web authentication.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable port web authentication:
C3(su)->set pwa enable

show pwa banner
Use this command to display the port web authentication login banner string.
Syntax
show pwa banner
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the PWA login banner:
C3(su)->show pwa banner
Welcome to Enterasys Networks

set pwa banner
Use this command to configure a string to be displayed as the PWA login banner.
Syntax
set pwa banner string
Parameters
string    Specifies the PWA login banner.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the PWA login banner to "Welcome to Enterasys Networks":
C3(su)->set pwa banner Welcome to Enterasys Networks

clear pwa banner
Use this command to reset the PWA login banner to a blank string.
Syntax
clear pwa banner
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the PWA login banner to a blank string:
C3(su)->clear pwa banner

set pwa displaylogo
Use this command to set the display options for the Enterasys Networks logo.
Syntax
set pwa displaylogo {display | hide}
Parameters
display | hide    Displays or hides the Enterasys Networks logo when the PWA website displays.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to hide the Enterasys Networks logo:
C3(su)->set pwa displaylogo hide

set pwa ipaddress
Use this command to set the PWA IP address. This is the IP address of the end station from which PWA will prevent network access until the user is authenticated.
Syntax
set pwa ipaddress ip-address
Parameters
ip-address    Specifies a globally unique IP address. This same value must be configured into every authenticating switch in the domain.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set a PWA IP address of 1.2.3.4:
C3(su)->set pwa ipaddress 1.2.3.4

set pwa protocol
Use this command to set the port web authentication protocol.
Syntax
set pwa protocol {chap | pap}
Parameters
chap | pap    Sets the PWA protocol to:
    CHAP (PPP Challenge Handshake Protocol) encrypts the username and password between the end station and the switch port.
    PAP (Password Authentication Protocol) does not provide any encryption between the end station and the switch port.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the PWA protocol to CHAP:
C3(su)->set pwa protocol chap

set pwa guestname
Use this command to set a guest user name for PWA networking. PWA will use this name to grant network access to guests without established login names and passwords.
Syntax
set pwa guestname name
Parameters
name    Specifies a guest user name.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the PWA guest user name to "guestuser":
C3(su)->set pwa guestname guestuser

clear pwa guestname
Use this command to clear the PWA guest user name.
Syntax
clear pwa guestname
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the PWA guest user name:
C3(su)->clear pwa guestname

set pwa guestpassword
Use this command to set the guest user password for PWA networking.
Syntax
set pwa guestpassword
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Usage
PWA will use this password and the guest user name to grant network access to guests without established login names and passwords.
Example
This example shows how to set the PWA guest user password:
C3(su)->set pwa guestpassword
Guest Password: *********
Retype Guest Password: *********

set pwa gueststatus
Use this command to enable or disable guest networking for port web authentication.
Syntax
set pwa gueststatus {authnone | authradius | disable}
Parameters
authnone    Enables guest networking with no authentication method.
authradius    Enables guest networking with RADIUS authentication. Upon successful authentication from RADIUS, PWA will apply the policy returned from RADIUS to the PWA port.
disable    Disables guest networking.
Defaults
None.
Mode
Switch command, read-write.
Usage
PWA will use a guest password and guest user name to grant network access with default policy privileges to users without established login names and passwords.
Example
This example shows how to enable PWA guest networking with RADIUS authentication:
C3(su)->set pwa gueststatus authradius

set pwa initialize
Use this command to initialize a PWA port to its default unauthenticated state.
Syntax
set pwa initialize [port-string]
Parameters
port-string    (Optional) Initializes specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, all ports will be initialized.
Mode
Switch command, read-write.
Example
This example shows how to initialize ports ge.1.5-7:
C3(su)->set pwa initialize ge.1.5-7

set pwa quietperiod
Use this command to set the amount of time a port will remain in the held state after a user unsuccessfully attempts to log on to the network.
Syntax
set pwa quietperiod time [port-string]
Parameters
time    Specifies quiet time in seconds.
port-string    (Optional) Sets the quiet period for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, quiet period will be set for all ports.
Mode
Switch command, read-write.
Example
This example shows how to set the PWA quiet period to 30 seconds for ports ge.1.5-7:
C3(su)->set pwa quietperiod 30 ge.1.5-7

set pwa maxrequest
Use this command to set the maximum number of log on attempts allowed before transitioning the PWA port to a held state.
Syntax
set pwa maxrequests requests [port-string]
Parameters
maxrequests    Specifies the maximum number of log on attempts.
port-string    (Optional) Sets the maximum requests for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, maximum requests will be set for all ports.
Mode
Switch command, read-write.
Example
This example shows how to set the PWA maximum requests to 3 for all ports:
C3(su)->set pwa maxrequests 3

set pwa portcontrol
This command enables or disables PWA authentication on select ports.
Syntax
set pwa portcontrol {enable | disable} [port-string]
Parameters
enable | disable    Enables or disables PWA on specified ports.
port-string    (Optional) Sets the control mode on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, PWA will be enabled on all ports.
Mode
Switch command, read-write.
Example
This example shows how to enable PWA on ports 1-22:
C3(su)->set pwa portcontrol enable ge.1.1-22

show pwa session
Use this command to display information about current PWA sessions.
Syntax
show pwa session [port-string]
Parameters
port-string    (Optional) Displays PWA session information for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-1.
Defaults
If port-string is not specified, session information for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display PWA session information:
C3(su)->show pwa session
Port     MAC                IP             User       Duration    Status
--------------------------------------------------------------------------
ge.2.19  00-c0-4f-20-05-4b  172.50.15.121  pwachap10  0,14:46:55  active
ge.2.19  00-c0-4f-24-51-70  172.50.15.120  pwachap1   0,15:43:30  active
ge.2.19  00-00-f8-78-9c-a7  172.50.15.61   pwachap11  0,14:47:58  active

set pwa enhancedmode
This command enables PWA URL redirection. The switch intercepts all HTTP packets on port 80 from the end user, and sends the end user a refresh page destined for the PWA IP Address configured.
Syntax
set pwa enhancedmode {enable | disable}
Parameters
enable | disable    Enables or disables PWA enhanced mode.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable PWA enhanced mode:
C3(su)->set pwa enhancedmode enable

Configuring Secure Shell (SSH)
Purpose
To review, enable, disable, and configure the Secure Shell (SSH) protocol, which provides secure Telnet.
Commands
For information about...    Refer to page...
show ssh status    26-80
set ssh    26-80
set ssh hostkey    26-81

show ssh status
Use this command to display the current status of SSH on the switch.
Syntax
show ssh status
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display SSH status on the switch:
C3(su)->show ssh status
SSH Server status: Disabled

set ssh
Use this command to enable, disable or reinitialize SSH server on the switch. By default, the SSH server is disabled.
Syntax
set ssh {enable | disable | reinitialize}
Parameters
enable | disable    Enables or disables SSH, or reinitializes the SSH server.
reinitialize    Reinitializes the SSH server.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable SSH:
C3(su)->set ssh disable

set ssh hostkey
Use this command to reinitialize new SSH authentication keys.
Syntax
set ssh hostkey reinitialize
Parameters
reinitialize    Reinitializes the server host authentication keys.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to regenerate SSH keys:
C3(su)->set ssh hostkey reinitialize

Configuring Access Lists
Purpose
To review and configure security access control lists (ACLs), which permit or deny access to routing interfaces based on protocol and IP address restrictions.
Router: These commands can be executed when the device is in router mode only. For details on how to enable router configuration modes, refer to "Enabling Router Configuration Modes" on page 18-2.
Note: Refer to the Release Notes for your product for any limitations that may apply to access control lists.
Commands
For information about...    Refer to page...
show access-lists    26-82
access-list (standard)    26-83
access-list (extended)    26-84
ip access-group    26-86

show access-lists
Use this command to display configured IP access lists when operating in router mode.
Syntax
show access-lists [number]
Parameters
access-list number    (Optional) Displays access list information for a specific access list number. Valid values are between 1 and 199.
Defaults
If number is not specified, the entire table of access lists will be displayed.
Mode
Any router mode.
Example
This example shows how to display IP access list number 145. This is an extended access list, which permits or denies ICMP, UDP and IP frames based on restrictions configured with one of the access-list commands. For details on configuring standard access lists, refer to "access-list (standard)" on page 26-83. For details on configuring extended access lists, refer to "access-list (extended)" on page 26-84.
C3(su)->router#show access-lists 145
Extended IP access list 145
1: permit icmp host 88.255.255.254 any
2: permit icmp any host 11.11.16.16
3: deny icmp any any
4: permit tcp host 88.255.255.254 any eq 22
5: permit udp 88.255.128.0 0.0.127.255 eq 161 any
6: permit tcp any host 230.10.230.10 eq 1234
7: deny tcp any any eq 23
8: permit ip 88.255.128.0 0.0.127.255 any
9: deny ip any 224.0.0.0 31.0.0.0

access-list (standard)
Use this command to define a standard IP access list by number when operating in router mode. The no form of this command removes the defined access list or entry.
Syntax
To create an ACL entry:
access-list access-list-number {deny | permit} source [source-wildcard]
no access-list access-list-number [entryno [entryno]]
To insert or replace an ACL entry:
access-list access-list-number insert | replace entryno {deny | permit} source [source-wildcard]
To move entries within an ACL:
access-list access-list-number move destination source1 [source2]
Parameters
access-list-number [entryno [entryno]]    Specifies a standard access list number. Valid values are from 1 to 99. When using the no access-list command, you can delete a whole access list, or only specific entries in the list with the optional entryno parameter. Specify a range of entries by entering the start and end entry numbers.
deny | permit    Denies or permits access if specified conditions are met.
source    Specifies the network or host from which the packet will be sent. Valid options for expressing source are:
    IP address or range of addresses (A.B.C.D)
    any - Any source host
    host source - IP address of a single source host
source-wildcard    (Optional) Specifies the bits to ignore in the source address.
insert | replace entryno    (Optional) Inserts this new entry before a specified entry in an existing ACL, or replaces a specified entry with this new entry.
move destination source1 source2    (Optional) Moves a sequence of access list entries before another entry. Destination is the number of the existing entry before which this new entry will be moved. Source1 is a single entry number or the first entry number in the range to be moved. Source2 (optional) is the last entry number in the range to be moved. If source2 is not specified, only the source1 entry will be moved.
Defaults
If insert, replace or move are not specified, the new entry will be appended to the access list.
If source2 is not specified with move, only one entry will be moved.
Mode
Global configuration: C3(su)->router(Config)#
Usage
Valid access-list-numbers for standard ACLs are 1 to 99. For extended ACLs, valid values are 100 to 199.
Access lists are applied to interfaces by using the ip access-group command (page 26-86).
All access lists have an implicit "deny any any" statement as their last entry.
Examples
This example shows how to create access list 1 with three entries that allow access to only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list entries will be rejected:
C3(su)->router(Config)#access-list 1 permit 192.5.34.0 0.0.0.255
C3(su)->router(Config)#access-list 1 permit 128.88.0.0 0.0.255.255
C3(su)->router(Config)#access-list 1 permit 36.0.0.0 0.255.255.255
This example moves entry 16 to the beginning of ACL 22:
C3(su)->router(Config)#access-list 22 move 1 16

access-list (extended)
Use this command to define an extended IP access list by number when operating in router mode. The no form of this command removes the defined access list or entry.
Syntax
To create an extended ACL entry:
access-list access-list-number {deny | permit} protocol source [source-wildcard] [eq port] destination [destination-wildcard] [eq port]
no access-list access-list-number [entryno [entryno]]
To insert or replace an ACL entry:
access-list access-list-number insert | replace entryno {deny | permit} protocol source [source-wildcard] [eq port] destination [destination-wildcard] [eq port]
To move entries within an ACL:
access-list access-list-number move destination source1 [source2]
Parameters
access-list-number [entryno [entryno]]    Specifies an extended access list number. Valid values are from 100 to 199. When using the no access-list command, you can delete a whole access list, or only specific entries in the list with the optional entryno parameter. Specify a range of entries by entering the start and end entry numbers.
deny | permit    Denies or permits access if specified conditions are met.
protocol    Specifies an IP protocol for which to deny or permit access. Valid values and their corresponding protocols are:
    ip - Any Internet protocol
    udp - User Datagram Protocol
    tcp - Transmission Control Protocol
    icmp - Internet Control Message Protocol
source    Specifies the network or host from which the packet will be sent. Valid options for expressing source are:
    IP address or range of addresses (A.B.C.D)
    any - Any source host
    host source - IP address of a single source host
source-wildcard    (Optional) Specifies the bits to ignore in the source address.
eq port    (Optional) Applies access rules to TCP or UDP source and/or destination port numbers equal to the specified port number. Port numbers can range from 0 to 65535.
    Note: This parameter is not available when you specify the icmp protocol.
destination    Specifies the network or host to which the packet will be sent. Valid options for expressing destination are:
    IP address (A.B.C.D)
    any - Any destination host
    host source - IP address of a single destination host
destination-wildcard    (Optional) Specifies the bits to ignore in the destination address.
insert | replace entryno    (Optional) Inserts this new entry before a specified entry in an existing ACL, or replaces a specified entry with this new entry.
move destination source1 source2    (Optional) Moves a sequence of access list entries before another entry. Destination is the number of the existing entry before which this new entry will be moved. Source1 is a single entry number or the first entry number in the range to be moved. Source2 (optional) is the last entry number in the range to be moved. If source2 is not specified, only the source1 entry will be moved.
Defaults
If insert, replace, or move are not specified, the new entry will be appended to the access list.
If source2 is not specified with move, only one entry will be moved.
If eq port is not specified, TCP/UDP ports are not used for filtering. Only the protocol, source, and destination are used for applying the rule.
Mode
Global configuration: C3(su)->router(Config)#
Usage
Access lists are applied to interfaces by using the ip access-group command as described in "ip access-group" on page 26-86.
Valid access-list-numbers for extended ACLs are 100 to 199. For standard ACLs, valid values are 1 to 99.
All access lists have an implicit "deny any any" statement as their last entry.
Examples
This example shows how to define access list 145 to deny ICMP transmissions from any source and for any destination:
C3(su)->router(Config)#access-list 145 deny ICMP any any
This example appends to access list 145 a permit statement that allows the host with IP address 88.255.255.254 to do an SSH remote login to any destination on TCP port 22.
C3(su)->router(Config)#access-list 145 permit tcp host 88.255.255.254 any eq 22
This example appends to access list 145 a permit statement that allows SNMP control traffic (from UDP port 161) to be sent from IP addresses within the range defined by 88.255.128.0 0.0.127.255 to any destination.
C3(su)->router(Config)#access-list 145 permit udp 88.255.128.0 0.0.127.255 eq 161 any
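
The following added example (not part of the Enterasys guide) evaluates sample packets against access list 145 as displayed by show access-lists in this section, applying the "bits to ignore" wildcard rule, the eq port match and the implicit final deny. It assumes entries are checked top-down with the first match deciding and that every bare address carries its wildcard; the function names and sample packets are constructed for illustration.

```python
import ipaddress

# Access list 145 as listed by "show access-lists 145" on this page.
ACL_145 = """\
permit icmp host 88.255.255.254 any
permit icmp any host 11.11.16.16
deny icmp any any
permit tcp host 88.255.255.254 any eq 22
permit udp 88.255.128.0 0.0.127.255 eq 161 any
permit tcp any host 230.10.230.10 eq 1234
deny tcp any any eq 23
permit ip 88.255.128.0 0.0.127.255 any
deny ip any 224.0.0.0 31.0.0.0
"""

ALL_BITS = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _endpoint(tokens):
    """Consume 'any' | 'host A' | 'A wildcard', then an optional 'eq port'."""
    word = tokens.pop(0)
    if word == "any":
        addr, wild = 0, ALL_BITS
    elif word == "host":
        addr, wild = _ip(tokens.pop(0)), 0
    else:
        # Simplification (assumption): a bare address is followed by its wildcard.
        addr, wild = _ip(word), _ip(tokens.pop(0))
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = int(tokens.pop(0))
    return addr, wild, port


def parse_acl(text):
    """Return entries as (number, action, protocol, source, destination)."""
    entries = []
    for number, line in enumerate(text.strip().splitlines(), start=1):
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0).lower()
        src = _endpoint(tokens)
        dst = _endpoint(tokens)
        if tokens:
            raise ValueError(f"entry {number}: unexpected tokens {tokens}")
        entries.append((number, action, proto, src, dst))
    return entries


def _side_matches(endpoint, ip, port):
    addr, wild, want_port = endpoint
    # Wildcard bits set to 1 are ignored; every other bit must be equal.
    if (_ip(ip) ^ addr) & ~wild & ALL_BITS:
        return False
    return want_port is None or want_port == port


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """Return (action, entry number); entry number None means implicit deny."""
    for number, action, rule_proto, rule_src, rule_dst in entries:
        if rule_proto not in ("ip", proto):
            continue
        if _side_matches(rule_src, src, sport) and _side_matches(rule_dst, dst, dport):
            return action, number
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_145)
    samples = [  # constructed packets
        ("tcp", "88.255.255.254", "10.0.0.1", None, 22),
        ("tcp", "88.255.200.1", "10.0.0.1", None, 23),
        ("udp", "88.255.100.9", "10.0.0.1", 161, 162),
        ("udp", "10.1.1.1", "224.0.0.5", 5000, 5000),
        ("udp", "10.1.1.1", "225.0.0.0", 5000, 5000),
        ("udp", "88.255.130.5", "224.0.0.5", 5000, 5000),
    ]
    for proto, src, dst, sport, dport in samples:
        print(proto, src, dst, sport, dport, "->", evaluate(acl, proto, src, dst, sport, dport))
```

Entry 9's wildcard 31.0.0.0 ignores only the low five bits of the first octet, so a destination such as 224.0.0.5 is stopped by the implicit deny rather than by entry 9, while a source inside 88.255.128.0 0.0.127.255 is permitted by entry 8 before entry 9 is reached.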

ip access-group
Use this command to apply access restrictions to inbound frames on an interface when operating in router mode. The no form of this command removes the specified access list.
Syntax
ip access-group access-list-number in
no ip access-group access-list-number in
Parameters
access-list-number    Specifies the number of the access list to be applied to the access list. This is a decimal number from 1 to 199.
in    Filters inbound frames.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan <vlan_id>))#
Usage
ACLs must be applied per routing interface. An access list can be applied to inbound traffic only.
Access lists can now be applied to routed VLANs which incorporate LAGs.
Example
This example shows how to apply access list 1 for all inbound frames on the VLAN 1 interface. Through the definition of access list 1, only frames with a source address on the 192.5.34.0/24 network will be routed. All the frames with other source addresses received on the VLAN 1 interface are dropped:
C3(su)->router(Config)#access-list 1 permit 192.5.34.0 0.0.0.255
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip access-group 1 in

27
TACACS+ Configuration
This chapter provides information about the commands used to configure and monitor TACACS+ (Terminal Access Controller Access-Control System Plus).
TACACS+ is a security protocol that provides services for secure authentication, CLI command authorization, and CLI auditing for administrative access. It can be used as an alternative to the standard RADIUS security protocol (RFC 2865). TACACS+ runs over TCP and encrypts the body of each management packet.
Based on the now obsolete TACACS protocol (defined in RFC 1492), TACACS+ is defined in an unpublished and expired Internet Draft draft-grant-tacacs-02.txt, "The TACACS+ Protocol Version 1.78," January, 1997.
For detailed information about using TACACS+ in your network, refer to the Enterasys Feature Guide "TACACS+ Configuration" located on the Enterasys web site:
http://www.enterasys.com/support/manuals/f.html#M
For information about... Refer to page...
show tacacs 27-2
set tacacs 27-3
show tacacs server 27-3
set tacacs server 27-4
clear tacacs server 27-5
show tacacs session 27-6
set tacacs session 27-7
clear tacacs session 27-8
show tacacs command 27-9
set tacacs command 27-9
show tacacs singleconnect 27-10
set tacacs singleconnect 27-10
show tacacs interface 27-11
set tacacs interface 27-11
clear tacacs interface 27-12

show tacacs
Use this command to display the current TACACS+ configuration information and status.
Syntax
show tacacs [state]
Parameters
state    (Optional) Displays only the TACACS+ client status.
Defaults
If state is not specified, all TACACS+ configuration information will be displayed.
Mode
Switch command, Read-Only.
Example
This example shows how to display all TACACS configuration information.
C3(ro)->show tacacs
TACACS+ status: Disabled
TACACS+ session accounting state: disable
TACACS+ command authorization state: disable
TACACS+ command auccounting state: disable
TACACS+ single connect state: Disabled
TACACS+ service: exec
TACACS+ session authorization A-V pairs:
access-level   attribute   value
read-only      priv-lvl    0
read-write     priv-lvl    1
super-user     priv-lvl    15
TACACS+ Server   IP address     Port   Timeout
-------------------------------------
1                192.168.10.1   49     10
Table 27-1 provides an explanation of the command output.
Table 27-1 show tacacs Output Details
Output...    What it displays...
TACACS+ status    Whether the TACACS+ client is enabled or disabled.
TACACS+ session accounting state    Whether TACACS+ session accounting is enabled or disabled.
TACACS+ command authorization state    Whether TACACS+ command authorization is enabled or disabled.
TACACS+ command accounting state    Whether TACACS+ command accounting is enabled or disabled.
TACACS+ singleconnect state    Whether TACACS+ singleconnect is enabled or disabled. When enabled, the TACACS+ client sends multiple requests over a single TCP connection.
TACACS+ service    The name of the service that is requested by the TACACS+ client for session authorization. "exec" is the default service name.
TACACS+ session authorization A-V pairs    Displays the attribute value pairs that are mapped to the read-only, read-write, and super-user access privilege levels for the service requested for session authorization. The attribute names and values shown in the example above are the default values.

set tacacs
Use this command to enable or disable the TACACS+ client.
Syntax
set tacacs {enable | disable}
Parameters
Defaults
None.
Mode
Switch command, Read-Write.
Usage
The TACACS+ client can be enabled on the switch anytime, with or without a TACACS+ server online. If the TACACS+ server is offline and TACACS+ is enabled, the login authentication is switched to RADIUS or local, if enabled.
Examples
This example shows how to enable the TACACS+ client.
C3(rw)->set tacacs enable

show tacacs server
Use this command to display the current TACACS+ server configuration.
Syntax
show tacacs server {index | all}
TACACS+Server Displays the TACACS+server information used by the TACACS+
client.
Table 27-1 show tacacs Output Details (Continued)
Output... What it displays...
enable|disable EnablesordisablestheTACACSclient.
TACACS+Configuration set tacacs server
27-4
Parameters
Defaults
None.
Mode
Switchcommand,ReadOnly.
Example
ThisexampledisplaysconfigurationinformationforTACACS+server1.
C3( r o) - >show t acacs ser ver 1
TACACS+ Ser ver I P addr ess Por t Ti meout
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 192. 168. 10. 1 49 10
set tacacs server
UsethiscommandtoconfiguretheTACACS+server(s)tobeusedbytheTACACS+client.Youcan
configurethetimeoutvalueforallconfiguredserversorasingleserver,oryoucanconfigurethe
IPaddress,TCPport,andsecretforasingleserver.Forsimplicity,twosyntaxstatementsare
shown.
Syntax
set tacacs server {all | index} timeout seconds
set tacacs server index address port secret
Parameters
Defaults
NoTACACS+serversareconfiguredbydefault.
WhenyoudoconfigureaTACACS+server,thedefaulttimeoutvalueis10seconds.
index DisplaytheconfigurationoftheTACACS+serveridentifiedbyindex.
Thevalueofindexcanrangefrom1to2,147,483,647.
all DisplaytheconfigurationforallconfiguredTACACS+servers.
all SpecifythetimeoutvalueforallconfiguredTACACS+servers.
index ConfiguretheTACACS+serveridentifiedbyindex.Thevalueofindex
canrangefrom1to2,147,483,647.
timeoutseconds Setthetimeoutvalueforthespecifiedserver(s)inseconds.Thevalueof
secondscanrangefrom1to180seconds.
Thedefaulttimeoutvalueis10seconds.
address SpecifytheIPaddressoftheTACACS+server.
port SpecifytheTCPportfortheTACACS+server.Thevalueofportcan
rangefrom0to65535,buttypically,port49isspecified.
secret Specifythesecret(sharedpassword)fortheTACACS+server.
Mode
Switch command, Read-Write.
Usage
Up to 5 TACACS+ servers can be configured, with the index value of 1 having the highest priority.
If you want to change the default timeout value for a specific server or all servers, you must enter
the command using the timeout parameter.
When at least one backup server has been configured and the switch loses contact with the
primary server, the switch will contact the next server in priority. If the switch was trying to
authenticate a user when the connection was lost, or if the default login access (read-only
permissions) had been received, the switch will try to authenticate again.
If a user had already been authenticated and authorized, then the backup server is contacted
without requiring any authentication. The backup server will just authorize or account for the
packets coming in for that user. Since a task ID is associated with each accounting session, if there
is a failover to a backup server, the accounting information will still be associated with the correct
session using the task ID.
When a failover to a backup server occurs, syslog messages are generated containing the reason
for the failure.
Example
This example configures TACACS+ server 1. Then, the default timeout value of 10 seconds is
changed to 20 seconds.
C3(rw)->set tacacs server 1 192.168.10.10 49 mysecret
C3(rw)->set tacacs server 1 timeout 20
clear tacacs server
Use this command to remove one or all configured TACACS+ servers, or to return the timeout
value to its default value for one or all configured TACACS+ servers.
Syntax
clear tacacs server {all | index} [timeout]
Parameters
all                 Specifies that all configured TACACS+ servers should be affected.
index               Specifies one TACACS+ server to be affected.
timeout             (Optional) Return the timeout value to its default value of 10 seconds.
Defaults
If timeout is not specified, the affected TACACS+ servers will be removed.
Mode
Switch command, Read-Write.
Examples
This example removes TACACS+ server 1.
C3(rw)->clear tacacs server 1
This example resets the timeout value to its default value of 10 seconds for all configured
TACACS+ servers.
C3(rw)->clear tacacs server all timeout
show tacacs session
Use this command to display the current TACACS+ client session settings.
Syntax
show tacacs session {authorization | accounting}
Parameters
authorization       Display client session authorization settings.
accounting          Display client session accounting settings.
Defaults
None.
Mode
Switch command, Read-Only.
Examples
This example shows how to display client session authorization information:
C3(ro)->show tacacs session authorization
TACACS+ service: exec
TACACS+ session authorization A-V pairs:
access-level  attribute  value
read-only     priv-lvl   0
read-write    priv-lvl   1
super-user    priv-lvl   15
This example shows how to display client session accounting state.
C3(ro)->show tacacs session accounting
TACACS+ session accounting state: enabled
set tacacs session
Use this command to enable or disable TACACS+ session accounting, or to configure TACACS+
session authorization parameters. For simplicity, separate syntax formats are shown for
configuring session accounting and session authorization.
Syntax
set tacacs session accounting {enable | disable}
set tacacs session authorization {service name | read-only attribute value |
read-write attribute value | super-user attribute value}
Parameters
accounting                   Specifies that TACACS+ session accounting is being configured.
enable | disable             Enables or disables TACACS+ session accounting.
authorization                Specifies that TACACS+ session authorization is being configured.
service name                 Specifies the name of the service that the TACACS+ client will request
                             from the TACACS+ server. The name specified here must match the
                             name of a service configured on the server. The default service name
                             is exec.
read-only attribute value    Specifies that the read-only access privilege level should be matched
                             to a privilege level configured on the TACACS+ server by means of an
                             attribute-value pair specified by attribute and value.
                             By default, attribute is priv-lvl and value is 0.
read-write attribute value   Specifies that the read-write access privilege level should be matched
                             to a privilege level configured on the TACACS+ server by means of an
                             attribute-value pair specified by attribute and value.
                             By default, attribute is priv-lvl and value is 1.
super-user attribute value   Specifies that the super-user access privilege level should be matched
                             to a privilege level configured on the TACACS+ server by means of an
                             attribute-value pair specified by attribute and value.
                             By default, attribute is priv-lvl and value is 15.
Defaults
None.
Mode
Switch command, Read-Write.
Usage
When session accounting is enabled, the TACACS+ server will log accounting information, such as
start and stop times, IP address of the client, and so forth, for each authorized client session.
When the TACACS+ client is enabled on the switch (with the set tacacs enable command), the
session authorization parameters configured with this command are sent by the client to the
TACACS+ server when a session is initiated on the switch. The parameter values must match a
service and access level attribute-value pair configured on the server for the session to be
authorized. If the parameter values do not match, the session will not be allowed.
The service name and attribute-value pairs can be any character string, and are determined by
your TACACS+ server configuration.
Since a task ID is associated with each accounting session, if there is a failover to a backup server,
the accounting information will still be associated with the correct session using the task ID.
Examples
This example configures the service requested by the TACACS+ client as the service name "basic".
C3(rw)->set tacacs session authorization service basic
This example maps the read-write access privilege level to an attribute named "priv-lvl" with the
value of 5 configured on the TACACS+ server.
C3(rw)->set tacacs session authorization read-write priv-lvl 5
This example enables TACACS+ session accounting.
C3(rw)->set tacacs session accounting enable
clear tacacs session
Use this command to return the TACACS+ session authorization settings to their default values.
Syntax
clear tacacs session authorization {[service] | [read-only] | [read-write] | [super-user]}
Parameters
authorization       Clears the TACACS+ session authorization parameters.
service             Clears the TACACS+ session authorization service name to the default
                    value of "exec".
read-only           Clears the TACACS+ session authorization read-only attribute-value
                    pair to their default values of "priv-lvl" and 0.
read-write          Clears the TACACS+ session authorization read-write attribute-value
                    pair to their default values of "priv-lvl" and 1.
super-user          Clears the TACACS+ session authorization super-user attribute-value
                    pair to their default values of "priv-lvl" and 15.
Defaults
At least one of the session authorization parameters must be specified.
Mode
Switch command, Read-Write.
Examples
This example shows how to return the service name to the default of "exec".
C3(rw)->clear tacacs session authorization service
This example shows how to return all the session authorization parameters to their default values.
C3(rw)->clear tacacs session authorization service read-only read-write super-user
show tacacs command
Use this command to display the status (enabled or disabled) of TACACS+ accounting or
authorization on a per-command basis.
Syntax
show tacacs command {accounting | authorization}
Parameters
accounting          Display the status of TACACS+ accounting on a per-command basis.
authorization       Display the status of TACACS+ authorization on a per-command basis.
Defaults
None.
Mode
Switch command, Read-Write.
Example
This example shows how to display the state of the TACACS+ client's command authorization.
C3(rw)->show tacacs command authorization
TACACS+ command authorization state: enabled
set tacacs command
Use this command to enable or disable TACACS+ accounting or authorization on a per-command
basis.
Syntax
set tacacs command {accounting | authorization} {enable | disable}
Parameters
accounting | authorization   Specifies either TACACS+ accounting or authorization to be
                             enabled or disabled.
enable | disable             Enable or disable accounting or authorization on a per-command
                             basis.
Defaults
None.
Mode
Switch command, Read-Write.
Usage
In order for per-command accounting or authorization by a TACACS+ server to take place, the
command must be executed within an authorized session.
When per-command accounting is enabled, the TACACS+ server will log accounting information,
such as start and stop times, IP address of the client, and so forth, for each command executed
during the session.
When per-command authorization is enabled, the TACACS+ server will check whether each
command is permitted for that authorized session and return a success or fail. If the authorization
fails, the command is not executed.
Example
This example shows how to enable TACACS+ authorization on a command basis.
C3(rw)->set tacacs command authorization enable
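A configuration check over captured show tacacs output, added here as an example (it is not part of the Enterasys guide): it parses the fields described in Table 27-1 and reports settings that leave administrative sessions without server-side command authorization, an audit trail, or a backup server. The function names and finding codes are assumptions of this example, and the sample output is constructed from the guide's show tacacs example with the client enabled.

```python
import re

# Constructed sample in the format of the guide's `show tacacs` example, with the
# client enabled. "auccounting" is spelled the way the guide's sample output prints it.
SAMPLE_SHOW_TACACS = """\
TACACS+ status: Enabled
TACACS+ session accounting state: disable
TACACS+ command authorization state: disable
TACACS+ command auccounting state: disable
TACACS+ single connect state: Disabled
TACACS+ service: exec
TACACS+ session authorization A-V pairs:
access-level  attribute  value
read-only     priv-lvl   0
read-write    priv-lvl   1
super-user    priv-lvl   15
TACACS+ Server  IP address    Port  Timeout
-------------------------------------
1               192.168.10.1  49    10
"""

STATE_RE = re.compile(r"^TACACS\+ (.+?)(?: state)?:\s*(\S+)$")
AV_RE = re.compile(r"^(read-only|read-write|super-user)\s+(\S+)\s+(\S+)$")
SERVER_RE = re.compile(r"^(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)$")


def parse_show_tacacs(text):
    """Turn `show tacacs` output into states, A-V pairs and a server list."""
    cfg = {"states": {}, "av_pairs": {}, "servers": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := AV_RE.match(line):
            cfg["av_pairs"][m.group(1)] = (m.group(2), m.group(3))
        elif m := SERVER_RE.match(line):
            index, address, port, timeout = m.groups()
            cfg["servers"].append({"index": int(index), "address": address,
                                   "port": int(port), "timeout": int(timeout)})
        elif m := STATE_RE.match(line):
            # One key per setting: fold "single-connect" into "single connect"
            # and the sample's "auccounting" spelling into "accounting".
            key = m.group(1).lower().replace("-", " ")
            cfg["states"][key.replace("auccounting", "accounting")] = m.group(2).lower()
    return cfg


def audit(cfg):
    """Return findings as 'code: explanation' strings; an empty list means none."""
    findings = []

    def enabled(key):
        # The CLI prints "Enabled", "enabled" or "enable" depending on the field.
        return cfg["states"].get(key, "").startswith("enable")

    if not enabled("status"):
        findings.append("client-disabled: the TACACS+ client is off")
    if not enabled("session accounting"):
        findings.append("no-session-accounting: session start/stop times and "
                        "client IP are not logged on the server")
    if not enabled("command authorization"):
        findings.append("no-command-authorization: commands are not checked by "
                        "the server before they execute")
    if not enabled("command accounting"):
        findings.append("no-command-accounting: executed commands are not "
                        "logged on the server")
    if not cfg["servers"]:
        findings.append("no-server: no TACACS+ server is configured")
    elif len(cfg["servers"]) == 1:
        findings.append("single-server: no backup server to fail over to")
    # Two access levels mapped to the same attribute-value pair cannot be told
    # apart from the server's reply.
    seen = {}
    for level, pair in cfg["av_pairs"].items():
        if pair in seen:
            findings.append(f"ambiguous-av-pair: {seen[pair]} and {level} "
                            f"both map to {pair[0]}={pair[1]}")
        seen.setdefault(pair, level)
    return findings


def finding_codes(text):
    """Convenience wrapper: just the finding codes for a block of CLI output."""
    return [finding.split(":", 1)[0] for finding in audit(parse_show_tacacs(text))]


if __name__ == "__main__":
    for finding in audit(parse_show_tacacs(SAMPLE_SHOW_TACACS)):
        print(finding)
```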
show tacacs singleconnect
Use this command to display the current status of the TACACS+ client's ability to send multiple
requests over a single TCP connection.
Syntax
show tacacs singleconnect
Parameters
None.
Defaults
None.
Mode
Switch command, Read-Write.
Example
This example shows how to display the state of the TACACS+ client's ability to send multiple
requests over a single connection.
C3(rw)->show tacacs singleconnect
TACACS+ single-connect state: enabled
set tacacs singleconnect
Use this command to enable or disable the ability of the TACACS+ client to send multiple requests
over a single TCP connection. When enabled, the TACACS+ client will use a single TCP
connection for all requests to a given TACACS+ server.
Syntax
set tacacs singleconnect {enable | disable}
Parameters
enable | disable    Enable or disable the ability to send multiple requests over a single TCP
                    connection.
Defaults
None.
Mode
Switch command, Read-Write.
Examples
This example shows how to disable sending multiple requests over a single connection.
C3(rw)->set tacacs singleconnect disable
show tacacs interface
Use this command to display the interface used for the source IP address of the TACACS+ packets
generated by the switch.
Syntax
show tacacs interface
Parameters
None.
Defaults
None.
Mode
Switch mode, read-only.
Example
This example displays the output of this command. In this case, the IP address assigned to
loopback interface 1 will be used as the source IP address of the TACACS+ packets generated by
the switch.
C3(rw)->show tacacs interface
loopback 1 192.168.10.1
set tacacs interface
Use this command to specify the interface used for the source IP address of the TACACS+ packets
generated by the switch.
Syntax
set tacacs interface {loopback loop-ID | vlan vlan-ID}
Parameters
loopback loop-ID    Specifies the loopback interface to be used. The value of loop-ID can
                    range from 0 to 7.
vlan vlan-ID        Specifies the VLAN interface to be used. The value of vlan-ID can range
                    from 1 to 4093.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command allows you to configure the source IP address used by the TACACS+ application
on the switch when generating packets for management purposes. Any of the management
interfaces, including VLAN routing interfaces, can be configured as the source IP address used in
packets generated by the TACACS+ client.
An interface must have an IP address assigned to it before it can be set by this command.
If no interface is specified, then the IP address of the Host interface will be used.
If a non-loopback interface is configured with this command, application packet egress is
restricted to that interface if the server can be reached from that interface. Otherwise, the packets
are transmitted over the first available route. Packets from the application server are received on
the configured interface.
If a loopback interface is configured, and there are multiple paths to the application server, the
outgoing interface (gateway) is determined based on the best route lookup. Packets from the
application server are then received on the sending interface. If route redundancy is required,
therefore, a loopback interface should be configured.
Example
This example configures an IP address on VLAN interface 100 and then sets that interface as the
TACACS+ client source IP address.
C3(rw)->router(Config-if(Vlan 100))#ip address 192.168.10.1 255.255.255.0
C3(rw)->router(Config-if(Vlan 100))#exit
C3(rw)->router(Config)#exit
C3(rw)->router#exit
C3(rw)->router>exit
C3(rw)->set tacacs interface vlan 100
C3(rw)->show tacacs interface
vlan 100 192.168.10.1
clear tacacs interface
Use this command to clear the interface used for the source IP address of the TACACS+ client back
to the default of the Host interface.
Syntax
clear tacacs interface
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This command returns the interface used for the source IP address of the TACACS+ client back to
the default of the Host interface.
C3(rw)->show tacacs interface
vlan 100 192.168.10.1
C3(rw)->clear tacacs interface
C3(rw)->
28
sFlow Configuration
This chapter provides information about the commands used to configure and monitor the sFlow
system.
For information about...
Overview
Commands
Overview
sFlow is a method for monitoring high-speed switched and routed networks. sFlow technology is
built into network equipment and gives visibility into network activity, enabling effective
management and control of network resources.
An sFlow solution consists of an sFlow Agent, embedded in the network device such as a switch
or router, and an sFlow Collector. The sFlow Agent uses sampling technology to capture traffic
statistics from the device it is monitoring and immediately forwards the sampled traffic statistics
to an sFlow Collector for analysis in sFlow datagrams.
The sFlow Agent uses two forms of sampling: statistical packet-based sampling of switched or
routed Packet Flows, and time-based sampling of counters.
Version 5 of sFlow is described in detail in the document entitled "sFlow Version 5" available from
sFlow.org (http://www.sflow.org).
Using sFlow in Your Network
The advantages of using sFlow include:
• sFlow makes it possible to monitor ports of a switch, with no impact on the distributed
  switching performance. (See "Usage Notes" on page 28-3 for more information.)
• sFlow requires very little memory or CPU usage. Samples are not aggregated into a flow
  table on the switch; they are forwarded immediately over the network to the sFlow
  Collector.
• The system is tolerant to packet loss in the network. (The statistical model means loss is
  equivalent to a slight change in the sampling rate.)
• The sFlow Collector can receive data from multiple switches, providing a real-time
  synchronized view of the whole network.
• The sFlow Collector can analyze traffic patterns for whatever protocols are found in the
  packet headers (for example, TCP/IP, IPX, Ethernet, AppleTalk). There is no need for the layer
  2 switch to decode and understand all protocols.
Definitions
The following table describes some of the main sFlow terms and concepts.
Table 28-1 sFlow Definitions
Term                   Definition
Data Source            A Data Source refers to a location within a Network Device that
                       can make traffic measurements. Possible Data Sources include
                       interfaces, physical entities within the device such as the
                       backplane, and VLANs.
Packet Flow            A Packet Flow is defined as the path or trajectory that a packet
                       takes through a Network Device (That is, the path that a packet
                       takes as it is received on one interface, is subjected to a
                       switching/routing decision, and is then sent on another interface).
Packet Flow Sampling   Packet Flow Sampling refers to the random selection of a fraction
                       of the Packet Flows observed at a Data Source.
Sampling Rate          The Sampling Rate specifies the ratio of packets observed at the
                       Data Source to the samples generated.
Sampling Interval      The time period between successive Counter Samples.
sFlow Instance         An sFlow Instance refers to a measurement process associated
                       with a Data Source.
sFlow Agent            The sFlow Agent provides an interface for configuring the sFlow
                       Instances within a device.
sFlow Collector        An sFlow Collector receives sFlow Datagrams from one or more
                       sFlow Agents. The sFlow Collector may also configure sFlow
                       Instances using the configuration mechanisms provided by the
                       sFlow Agent.
sFlow Datagram         An sFlow Datagram is a UDP datagram that contains the
                       measurement data, and information about the measurement
                       source and process.
sFlow Agent Functionality
Packet flow sampling and counter sampling are performed by sFlow Instances associated with
individual Data Sources within the sFlow Agent. Packet flow sampling and counter sampling are
designed as part of an integrated system. Both types of samples are combined in sFlow datagrams.
Packet flow sampling will cause a steady, but random, stream of sFlow datagrams to be sent to the
sFlow Collector. Counter samples may be taken opportunistically in order to fill these datagrams.
In order to perform packet flow sampling, an sFlow Sampler Instance is configured with a
sampling rate. The packet flow sampling process results in the generation of packet flow records.
In order to perform counter sampling, an sFlow Poller Instance is configured with a polling
interval. The counter sampling process results in the generation of counter records. The sFlow
Agent collects counter records and packet flow records and sends them in the form of sFlow
datagrams to sFlow Collectors.
Sampling Mechanisms
Two forms of sampling are performed by the sFlow Agent: statistical packet-based sampling of
switched or routed packet flows, and time-based sampling of counters.
Packet Flow Sampling
The packet flow sampling mechanism carried out by each sFlow Instance ensures that any packet
observed at a Data Source has an equal chance of being sampled, irrespective of the packet flow(s)
to which it belongs.
Packet flow sampling is accomplished as follows:
1. When a packet arrives on an interface, the Network Device makes a filtering decision to
   determine whether the packet should be dropped.
2. If the packet is not filtered (dropped), a destination interface is assigned by the switching/
   routing function.
3. At this point, a decision is made on whether or not to sample the packet. The mechanism
   involves a counter that is decremented with each packet. When the counter reaches zero a
   sample is taken.
4. When a sample is taken, the counter indicating how many packets to skip before taking the
   next sample is reset. The value of the counter is set to a random integer where the sequence of
   random integers used over time is the Sampling Rate.
Packet flow sampling results in the generation of Packet Flow Records. A Packet Flow Record
contains information about the attributes of a packet flow, including:
• Information on the packet itself: a packet header, packet length, and packet encapsulation.
• Information about the path the packet took through the device, including information relating
  to the selection of the forwarding path.
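The skip counter from steps 3 and 4 above, simulated as an added example (not code from the guide or from the switch firmware). It compares a counter that is always reset to the Sampling Rate with one reset to a random integer, on constructed traffic in which every 256th packet belongs to one flow. The uniform draw from 1 to 2N-1 (mean N) is an assumption; the guide does not say how the random integer is chosen.

```python
import random


def sample_stream(packets, rate, rng=None):
    """Skip-counter sampler (steps 3 and 4 of the procedure).

    With rng=None the counter is always reset to `rate`, so every rate-th packet
    is sampled. With an rng it is reset to a random integer in [1, 2*rate - 1],
    an assumed distribution whose mean is `rate`.
    """
    def next_skip():
        return rate if rng is None else rng.randint(1, 2 * rate - 1)

    skip = next_skip()
    samples = []
    for packet in packets:
        skip -= 1                 # the counter is decremented with each packet
        if skip == 0:             # counter reached zero: take a sample
            samples.append(packet)
            skip = next_skip()    # reset the packets-to-skip counter
    return samples


def periodic_traffic(total, period):
    """Constructed traffic: every `period`-th packet is flow 'periodic', the rest 'bulk'."""
    return ["periodic" if i % period == 0 else "bulk" for i in range(1, total + 1)]


def estimate_packets(samples, rate):
    """Collector-side estimate: each sample stands for `rate` observed packets."""
    estimate = {}
    for flow in samples:
        estimate[flow] = estimate.get(flow, 0) + rate
    return estimate


if __name__ == "__main__":
    RATE, TOTAL = 256, 1_000_000
    traffic = periodic_traffic(TOTAL, period=RATE)
    actual = {"bulk": traffic.count("bulk"), "periodic": traffic.count("periodic")}
    print("actual packets      :", actual)
    # Fixed reset value: the sampler locks onto the periodic flow and never
    # sees the bulk traffic at all.
    print("fixed skip estimate :", estimate_packets(sample_stream(traffic, RATE), RATE))
    # Random reset value: every packet has the same chance of being sampled,
    # so both flows are estimated in proportion.
    rng = random.Random(1)
    print("random skip estimate:", estimate_packets(sample_stream(traffic, RATE, rng), RATE))
```

With the fixed reset value the collector would attribute all traffic to the periodic flow, which is why step 4 resets the counter to a random integer.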
Counter Sampling
The primary objective of the counter sampling is to, in an efficient way, periodically export
counters associated with Data Sources. A maximum sampling interval is assigned to each sFlow
Instance associated with a Data Source.
Counter sampling is accomplished as follows:
1. The sFlow Agent keeps a list of counter sources being sampled.
2. When a Packet Flow Sample is generated, the sFlow Agent examines the list of counter
   sources and adds counters to the sample datagram, least recently sampled first.
   Counters are only added to the datagram if the sources are within a short period, 5 seconds
   say, of failing to meet the required sampling interval.
3. Periodically, say every second, the sFlow Agent examines the list of counter sources and sends
   any counters that need to be sent to meet the sampling interval requirement.
The set of counters is a fixed set defined in Section 5 of the document entitled "sFlow Version 5"
available from sFlow.org (http://www.sflow.org).
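The three counter sampling steps above as a small time-stepped simulation, added as an example (not the agent's own code). It shows which counter exports ride along with flow-sample datagrams and which are sent by the once-a-second check, and that no source exceeds its sampling interval. The number of counter records per datagram (slots), the port names and the flow-sample times are assumptions.

```python
PIGGYBACK_WINDOW = 5   # seconds; the guide's "short period, 5 seconds say"


def simulate_counter_export(duration, interval, flow_sample_times, sources, slots=2):
    """Return [(time, source, how)], where how is 'piggyback' or 'timer'.

    `slots` (counter records that fit into one flow-sample datagram) and the
    one-second tick are assumptions made for this simulation.
    """
    last_export = {source: 0 for source in sources}   # step 1: list of counter sources
    flow_times = set(flow_sample_times)
    log = []
    for now in range(1, duration + 1):
        if now in flow_times:
            # Step 2: a flow sample is going out. Add counters that are within the
            # window of missing their interval, least recently sampled first.
            candidates = sorted(
                (s for s in sources
                 if last_export[s] + interval - now <= PIGGYBACK_WINDOW),
                key=lambda s: last_export[s],
            )
            for source in candidates[:slots]:
                log.append((now, source, "piggyback"))
                last_export[source] = now
        # Step 3: once a second, send anything that has reached its interval.
        for source in sources:
            if now - last_export[source] >= interval:
                log.append((now, source, "timer"))
                last_export[source] = now
    return log


def max_gap(log, source):
    """Longest time between consecutive exports of one source, counted from t=0."""
    times = [0] + [t for t, s, _ in log if s == source]
    return max((b - a for a, b in zip(times, times[1:])), default=0)


if __name__ == "__main__":
    ports = ["ge.1.1", "ge.1.2", "ge.1.3", "ge.1.4"]
    # Poller interval of 20 seconds, as in the guide's example configuration.
    for entry in simulate_counter_export(120, 20, [17, 18, 52, 90], ports):
        print(entry)
```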
Usage Notes
Although the switch hardware has the capability to sample packets on any port, to ensure that
CPU utilization is not compromised, the number of sFlow samplers that can be configured per
switch or stack of switches is limited to a maximum of 32. There is no limitation on the number of
pollers that can be configured.
Under certain circumstances, the switch will drop packet samples that the sFlow implementation
is not able to count and therefore cannot correctly report sample_pool and drops fields of flow
samples sent to the sFlow Collector. Under heavy load, this sample loss could be significant and
could therefore affect the accuracy of the sampling analysis.
sFlow is disabled by default on SecureStack and G-Series devices.
Example Configuration
The general procedure for configuring sFlow includes:
1. Configure your sFlow Collector information to be used by the sFlow Agent on the switch. Up
   to eight Collectors can be configured. The information is stored in the sFlow Receiver Table.
2. Enable and configure sFlow packet flow sampling instances on each port.
3. Enable and configure sFlow counter sampling poller instances on each port.
The following is an example of the commands used to configure sFlow:
# configure sFlow Collector 1
# accept defaults for datagram size and port
set sflow receiver 1 owner enterasys timeout 180000
set sflow receiver 1 ip 192.168.16.91
#
# configure packet sampling instances on ports 1 through 12
# assign to sFlow Collector 1
set sflow port ge.1.1-12 sampler 1
set sflow port ge.1.1-12 sampler maxheadersize 256
set sflow port ge.1.1-12 sampler rate 2048
#
# configure counter poller instances on ports 1 through 12
# assign to sFlow Collector 1
set sflow port ge.1.1-12 poller 1
set sflow port ge.1.1-12 poller interval 20
Commands
For information about...
show sflow receivers
set sflow receiver owner
set sflow receiver ip
set sflow receiver maxdatagram
set sflow receiver port
clear sflow receiver
set sflow port poller
show sflow pollers
clear sflow port poller
set sflow port sampler
show sflow samplers
clear sflow port sampler
set sflow interface
show sflow interface
clear sflow interface
show sflow agent
show sflow receivers
Use this command to display the contents of the sFlow Receivers Table, or to display information
about a specific sFlow Collector listed in the table.
Syntax
show sflow receivers [index]
Parameters
index               (Optional) Specifies a specific Collector to display information about.
Defaults
The contents of the sFlow Receivers Table is displayed.
Mode
Switch command, read-only.
Usage
Executing this command without specifying an index into the sFlow Receivers Table displays
information about all the Collectors configured on the switch.
If you specify an individual Collector by its index number, additional information is displayed for
that Collector.
Examples
This example displays the sFlow Receivers Table.
C3(su)->show sflow receivers
Receiver  Owner   Time out  Max Datagram  Port  IP Address
Index     String            Size
--------------------------------------------------------------
1         ets1    17766     1400          6343  10.1.2.117
2                 0         1400          6343  0.0.0.0
3                 0         1400          6343  0.0.0.0
4                 0         1400          6343  0.0.0.0
5                 0         1400          6343  0.0.0.0
6                 0         1400          6343  0.0.0.0
7                 0         1400          6343  0.0.0.0
8                 0         1400          6343  0.0.0.0
This example displays information about the Collector with index 1.
C3(su)->show sflow receivers 1
Receiver Index         1
Owner String           ets1
Time out               17758
IP Address:            10.1.2.117
Address Type           IPv4
Port                   6343
Datagram Version       5
Maximum Datagram Size  1400
The following table describes the output fields.
Table 28-2 show sflow receivers Output Descriptions
Output...           What it displays...
Receiver Index      Index number of a specific Collector entry in the sFlow Receivers
                    Table. Up to 8 Collectors may be configured.
Owner String        Identity string of the Collector. An empty string indicates that the
                    entry is unclaimed and cannot be assigned to a sampler or poller
                    instance. The owner string is configured with the set sflow receiver
                    owner command.
Time Out            The time remaining, in seconds, before the sampler or poller is
                    released and stops sending samples to this receiver/Collector.
                    The timeout value is configured with the set sflow receiver owner
                    command.
IP Address          The IP address of this receiver/Collector. The IP address is
                    configured with the set sflow receiver ip command.
Address Type        Whether the Collector IP address is IPv4 or IPv6.
Port                The UDP port number on this receiver/Collector to which sample
                    datagrams should be sent. The default value is 6343, which can
                    be changed with the set sflow receiver port command.
Datagram Version    Specifies the sFlow version used for formatting the sample
                    datagrams.
Max Datagram Size   The maximum number of data bytes that can be sent in a single
                    sample datagram to this receiver/Collector. The default value is
                    1400 bytes, which can be changed with the set sflow receiver
                    maxdatagram command.
set sflow receiver owner
Use this command to configure the owner identity string and timeout value for an sFlow Collector
in the switch's sFlow Receivers Table.
Syntax
set sflow receiver index owner owner-string timeout timeout
Parameters
index                Index number in the sFlow Receivers Table for the receiver/Collector
                     being configured. The index can range from 1 to 8.
owner owner-string   The identity string of the receiver/Collector being configured.
                     The string can be up to 127 characters in length.
timeout timeout      The time, in seconds, remaining before the receiver/Collector being
                     configured and all associated samplers and pollers expire.
                     The value can range from 0 to 4294967295 seconds.
Defaults
None.
Mode
Switch command, read-write.
Usage
In order for an sFlow Collector to be assigned to receive sample datagrams from the sFlow Agent
on the switch, an entry for that Collector must be configured in the switch's sFlow Receivers Table.
An entry must contain an owner identity string, a non-zero timeout value, and the IP address of
the Collector. Configure the IP address with the set sflow receiver ip command.
An entry without an owner identity string is considered unclaimed and cannot be assigned as a
receiver to sampler or poller instances.
Once the timer set by this command expires, the receiver/Collector and all the samplers and
pollers associated with this Collector expire and are removed from the switch's configuration. In
order to start sending sample data to the Collector again, the Collector must be reconfigured with
a new timeout value and samplers and pollers must be configured again. Therefore, you should
consider setting the timeout value to the largest value that is reasonable for your environment.
Example
This example configures an entry for index 1 in the sFlow Receivers Table.
C3(su)->set sflow receiver 1 owner ets1 timeout 180000
set sflow receiver ip
Use this command to configure the IP address of an sFlow Collector in the switch's sFlow
Receivers Table.
Syntax
set sflow receiver index ip ipaddr
Parameters
index                Index number in the sFlow Receivers Table for the receiver/Collector
                     being configured. The index can range from 1 to 8.
ip ipaddr            The IP address of the receiver/Collector being configured. An IP
                     address of 0.0.0.0 means that no sample datagrams will be sent to the
                     Collector.
Defaults
The default IP address is 0.0.0.0.
Mode
Switch command, read-write.
Usage
In order for an sFlow Collector to be assigned to receive sample datagrams from the sFlow Agent
on the switch, an entry for that Collector must be configured in the switch's sFlow Receivers Table.
An entry must contain an owner identity string, a non-zero timeout value, and the IP address of
the Collector. Configure the owner identity string and timeout value with the set sflow receiver
owner command.
Sample datagrams will not be sent to a Collector whose entry in the sFlow Receivers Table has an
IP address of 0.0.0.0.
Example
This example configures an IP address of 10.10.10.10 to index entry 1.
C3(su)->set sflow receiver 1 ip 10.10.10.10
set sflow receiver maxdatagram
Use this command to set the maximum number of data bytes that can be sent in a single sample
datagram.
Syntax
set sflow receiver index maxdatagram bytes
Parameters
index                Index number in the sFlow Receivers Table for the receiver/Collector
                     being configured. The index can range from 1 to 8.
maxdatagram bytes    Specifies the maximum number of data bytes that can be sent in a single
                     sample datagram. This size should be set to avoid fragmentation of the
                     sFlow datagrams.
                     The value of bytes can range from 200 to 9116. The default is 1400.
Defaults
Default maximum datagram size is 1400 bytes.
Mode
Switch command, read-write.
Example
This example sets the maximum datagram size to 2800 bytes for index entry 1.
C3(su)->set sflow receiver 1 maxdatagram 2800
set sflow receiver port
Use this command to configure the UDP port on the sFlow Collector to which the switch will
send sample datagrams.
Syntax
set sflow receiver index port port
Parameters
index                Index number in the sFlow Receivers Table for the receiver/Collector
                     being configured. The index can range from 1 to 8.
port port            Specifies the UDP port on the receiver/Collector to which the sample
                     datagrams should be sent. By default, the port is 6343.
Defaults
The default port value is 6343.
Mode
Switch command, read-write.
Example
This example changes the sFlow receiver port on the Collector to 1234.
C3(su)->set sflow receiver 1 port 1234
clear sflow receiver
Use this command to delete a receiver/Collector from the sFlow Receivers Table, or to return
certain parameters to their default values for the specified Collector.
Syntax
clear sflow receiver index [ip | maxdatagram | owner [timeout] | port]
Parameters
index                Index number in the sFlow Receivers Table for the receiver/Collector
                     being configured. The index can range from 1 to 8.
ip                   (Optional) Clear the IP address to 0.0.0.0. Sample datagrams are not sent
                     to Collectors with an IP address of 0.0.0.0.
maxdatagram          (Optional) Return the maximum datagram size to 1400 bytes.
owner                (Optional) Clear the owner identity string. Entries in the sFlow Receiver
                     Table without an identity string are considered unclaimed.
timeout              (Optional) Clear the timeout value of the specified entry.
port port            (Optional) Clear the UDP port on the receiver/Collector to which the
                     sample datagrams should be sent. The value is reset to the default of
                     6343.
Defaults
If no optional parameters are specified, the entire entry is cleared.
Mode
Switch command, read-write.
Usage
You can clear the IP address, maximum datagram size, or UDP port without deleting an entry
from the sFlow Receivers Table. If you clear the owner or timeout, the entire entry is cleared. If you
enter only an entry index and none of the optional parameters, the entire entry is cleared.
Once an entry is cleared, all pollers and samplers associated with that receiver are also removed
from the switch configuration.
Example
This example returns the maximum datagram size to the default of 1400 bytes for the Collector
with index 1.
C3(su)->clear sflow receiver 1 maxdatagram
set sflow port poller
Use this command to configure poller instances on ports, or data sources.
Syntax
set sflow port port-string poller {index | interval seconds}
Defaults
The default interval value is 0 seconds, which disables counter sampling.
Mode
Switch command, read-write.
Parameters
portstring Specifiestheportorports(datasources)onwhichthepollerinstanceis
beingconfigured.
index IndexnumberinthesFlowReceiversTableforthereceiver/Collector
withwhichthepollerinstanceisassociated.Theindexcanrangefrom1
to8.
intervalseconds Specifiesthepollinginterval,whichcanrangefrom0to86400seconds.
Avalueof0disablescountersampling.
show sflow pollers sFlow Configuration
SecureStack C3 Configuration Guide 28-11
Usage
Apollerinstanceperformscountersamplingonthedatasourcetowhichitisconfigured.Referto
SamplingMechanismsonpage 282formoreinformation.
Youmustfirstassociateareceiver/CollectorinthesFlowReceiversTablewiththepollerinstance,
beforeconfiguringthepollinginterval.
WhenareceivertimesoutorisclearedfromthesFlowReceiversTable,allpollerandsampler
instancesassociatedwiththatreceiverarealsoclearedfromtheswitchsconfiguration.
Example
Thefollowingexampleconfigurespollerinstancesonportsge.1.1throughge.1.8andassociates
themwithreceiver1.Then,apollingintervalof240secondsisconfigured.
C3( su) - >set sf l ow por t ge. 1. 1- 8 pol l er 1
C3( su) - >set sf l ow por t ge. 1. 1- 8 pol l er i nt er val 240

show sflow pollers
Use this command to display information about configured poller instances.
Syntax
show sflow pollers
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example displays the output of this command.
C3(su)->show sflow pollers
Poller        Receiver   Poller
Data Source   Index      Interval
---------------------------------
ge.1.1        1          240
ge.1.2        1          240
ge.1.3        1          240
ge.1.4        1          240
ge.1.5        1          240
ge.1.6        1          240
ge.1.7        1          240
ge.1.8        1          240

clear sflow port poller
Use this command to change the poller interval or to remove poller instances.
Syntax
clear sflow port port-string poller [interval]
Parameters
port-string         Specifies the port or ports on which the poller instance is being cleared.
interval            (Optional) Specifies that the polling interval should be cleared to 0. A
                    value of 0 disables counter sampling.
Defaults
If interval is not specified, the poller instance is cleared.
Mode
Switch command, read-write.
Example
This example removes the poller instance on port ge.1.1.
C3(su)->clear sflow port ge.1.1 poller

set sflow port sampler
Use this command to configure sampler instances on ports, or data sources.
Syntax
set sflow port port-string sampler {index | maxheadersize bytes | rate rate}
Parameters
port-string          Specifies the port or ports (data sources) on which the sampler instance
                     is being configured.
index                Index number in the sFlow Receivers Table for the receiver/Collector
                     with which the sampler instance is associated. The index can range from
                     1 to 8.
maxheadersize bytes  Specifies the maximum number of bytes that should be copied from the
                     sampler packet. The value can range from 20 to 256 bytes. The default is
                     128 bytes.
rate rate            Specifies the statistical sampling rate for sampling from this data
                     source. The value of rate specifies the number of incoming packets from
                     which one packet will be sampled. For example, if the rate is 1024, one
                     packet will be sampled from every 1024 ingressing packets on this data
                     source.
                     The rate can range from 1024 to 65536. A value of 0 disables sampling.
                     The default value is 0.
Defaults
None.
Mode
Switch command, read-write.
Usage
A sampler instance performs packet flow sampling on the data source to which it is configured.
Refer to "Sampling Mechanisms" on page 28-2 for more information.
You must first associate a receiver/Collector in the sFlow Receivers Table with the sampler
instance, before configuring the sampling rate or maximum number of bytes copied from sampled
packets.
When a receiver times out or is cleared from the sFlow Receivers Table, all poller and sampler
instances associated with that receiver are also cleared from the switch's configuration.
A maximum of 32 sampler instances can be configured per switch or stack of switches.
Example
The following example configures sampler instances on ports ge.1.1 through ge.1.8 and associates
them with receiver 1. Then, a sampling rate of 1024 is configured. The default maxheadersize of
128 bytes is used.
C3(su)->set sflow port ge.1.1-8 sampler 1
C3(su)->set sflow port ge.1.1-8 sampler rate 1024
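
The receiver, poller and sampler descriptions above state value ranges, an ordering rule (associate a receiver before setting an interval or rate) and a limit of 32 sampler instances. The following audit of a saved command list against those rules is an added example, not part of the original guide or of Enterasys software; the function names, the constructed sample configuration, the handling of only the single-range port-string form, and the path_mtu parameter (IPv4 without options) are assumptions.

```python
import re

# Limits are the ones stated in the command descriptions on this page.
RANGES = {"rate": (1024, 65536), "interval": (0, 86400), "maxheadersize": (20, 256)}
MAX_SAMPLERS = 32  # sampler instances per switch or stack

# Constructed sample configuration (not taken from a real switch).
SAMPLE_CONFIG = """\
set sflow receiver 1 ip 10.10.10.10
set sflow receiver 1 maxdatagram 2800
set sflow port ge.1.1-8 sampler 1
set sflow port ge.1.1-8 sampler rate 1024
set sflow port ge.2.1-4 poller interval 240
set sflow port ge.2.1-4 poller 2
set sflow port ge.3.1-30 sampler 1
set sflow port ge.3.1 sampler rate 512
"""


def expand_ports(port_string):
    """Expand 'ge.1.1-8' into ['ge.1.1', ..., 'ge.1.8'].
    Assumption: only the single-range form used in this page's examples."""
    m = re.fullmatch(r"(\w+\.\d+\.)(\d+)(?:-(\d+))?", port_string)
    if not m:
        raise ValueError("unsupported port-string: " + port_string)
    first, last = int(m.group(2)), int(m.group(3) or m.group(2))
    return [m.group(1) + str(n) for n in range(first, last + 1)]


def audit(config_text, path_mtu=1500):
    """Return findings for the 'set sflow ...' lines in config_text.
    path_mtu is an assumption supplied by the caller, not a switch setting."""
    receivers, findings = {}, []
    instances = {"sampler": {}, "poller": {}}  # kind -> port -> receiver index
    for line in config_text.splitlines():
        w = line.split()
        if w[:3] == ["set", "sflow", "receiver"] and len(w) == 6:
            idx, key, val = int(w[3]), w[4], w[5]
            receivers.setdefault(idx, {})[key] = val
            if not 1 <= idx <= 8:
                findings.append(f"receiver {idx}: index outside 1-8")
            if key == "maxdatagram" and not 200 <= int(val) <= 9116:
                findings.append(f"receiver {idx}: maxdatagram {val} outside 200-9116")
            elif key == "maxdatagram" and int(val) > path_mtu - 28:
                # 20-byte IPv4 header + 8-byte UDP header precede the sFlow data
                findings.append(f"receiver {idx}: maxdatagram {val} does not fit "
                                f"in one packet at MTU {path_mtu}")
        elif w[:3] == ["set", "sflow", "port"] and len(w) >= 6 and w[4] in instances:
            ports, kind, args = expand_ports(w[3]), w[4], w[5:]
            if len(args) == 1:  # association form: "<kind> <receiver index>"
                instances[kind].update((p, int(args[0])) for p in ports)
                continue
            name, value = args[0], int(args[1])
            if any(p not in instances[kind] for p in ports):
                findings.append(f"{w[3]}: {kind} {name} set before receiver association")
            low, high = RANGES.get(name, (value, value))
            if not (low <= value <= high or (name == "rate" and value == 0)):
                findings.append(f"{w[3]}: {kind} {name} {value} outside {low}-{high}")
    used = {i for table in instances.values() for i in table.values()}
    for idx in sorted(used):
        if receivers.get(idx, {}).get("ip", "0.0.0.0") == "0.0.0.0":
            findings.append(f"receiver {idx}: no Collector IP, no sample datagrams sent")
    if len(instances["sampler"]) > MAX_SAMPLERS:
        findings.append(f"{len(instances['sampler'])} sampler instances exceed {MAX_SAMPLERS}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the constructed input the audit reports five findings, including that a 2800-byte maxdatagram does not fit in a single packet on a 1500-byte MTU path.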

show sflow samplers
Use this command to display information about configured sampler instances.
Syntax
show sflow samplers
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example displays the output of this command.
C3(su)->show sflow samplers
Sampler       Receiver   Packet          Max Header
Data Source   Index      Sampling Rate   Size
---------------------------------------------------
ge.1.1        1          1024            128
ge.1.2        1          1024            128
ge.1.3        1          1024            128
ge.1.4        1          1024            128
ge.1.5        1          1024            128
ge.1.6        1          1024            128
ge.1.7        1          1024            128
ge.1.8        1          1024            128

clear sflow port sampler
Use this command to change the sampler rate or maximum header size, or to remove sampler
instances.
Syntax
clear sflow port port-string sampler [maxheadersize | rate]
Parameters
port-string         Specifies the port or ports on which the sampler instance is being
                    cleared.
maxheadersize       (Optional) Specifies that the maximum header size should be cleared to
                    the default value of 128 bytes.
rate                (Optional) Specifies that the sampling rate should be cleared to the
                    default value of 0, which disables sampling by the instance.
Defaults
If neither optional parameter is specified, the sampler instance is cleared.
Mode
Switch command, read-write.
Example
This example removes the sampler instance on port ge.1.1.
C3(su)->clear sflow port ge.1.1 sampler

set sflow interface
Use this command to specify the interface used for the source IP address of the sFlow Agent when
sending sampling datagrams to the sFlow Collector.
Syntax
set sflow interface {loopback loop-ID | vlan vlan-ID}
Parameters
loopback loop-ID    Specifies the loopback interface to be used. The value of loop-ID can
                    range from 0 to 7.
vlan vlan-ID        Specifies the VLAN interface to be used. The value of vlan-ID can range
                    from 1 to 4093.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command allows you to configure the management interface used by the sFlow Agent when
sending sampling datagrams to the sFlow Collector. Any of the interfaces, including VLAN
routing interfaces, can be configured as the management interface.
An interface must have an IP address assigned to it before it can be set by this command.
If no interface is specified, then the Host VLAN will be used as the management interface.
If a non-loopback interface is configured with this command, application packet egress is
restricted to that interface if the server can be reached from that interface. Otherwise, the packets
are transmitted over the first available route. Packets from the application server are received on
the configured interface.
If a loopback interface is configured, and there are multiple paths to the application server, the
outgoing interface (gateway) is determined based on the best route lookup. Packets from the
application server are then received on the sending interface. If route redundancy is required,
therefore, a loopback interface should be configured.
Example
This example configures an IP address on VLAN interface 100 and then sets that interface as the
management interface for the sFlow Agent.
C3(rw)->router(Config-if(Vlan 100))#ip address 192.168.10.1 255.255.255.0
C3(rw)->router(Config-if(Vlan 100))#exit
C3(rw)->router(Config)#exit
C3(rw)->router#exit
C3(rw)->router>exit
C3(rw)->set sflow interface vlan 100
C3(rw)->show sflow interface
vlan 100 192.168.10.1

show sflow interface
Use this command to display the interface used by the sFlow Agent when sending sampling
datagrams to the sFlow Collector.
Syntax
show sflow interface
Parameters
None.
Defaults
None.
Mode
Switch mode, read-only.
Example
This example displays the output of this command. In this case, the IP address assigned to
loopback interface 1 will be used as the source IP address of the sFlow Agent.
C3(rw)->show sflow interface
loopback 1 192.168.10.1

clear sflow interface
Use this command to clear the management interface used by the sFlow Agent back to the default
of the Host VLAN.
Syntax
clear sflow interface
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This command returns the management interface used by the sFlow Agent back to the default of
the Host VLAN.
C3(rw)->show sflow interface
vlan 100 192.168.10.1
C3(rw)->clear sflow interface
C3(rw)->

show sflow agent
Use this command to display information about the sFlow Agent.
Syntax
show sflow agent
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example displays the output of this command.
C3(rw)->show sflow agent
sFlow Version   1.3;Broadcom Corp.;06.03.00.0001T
IP Address      192.168.1.6

Appendix A: Policy and Authentication Capacities
This appendix lists the policy and authentication capacities of the SecureStack C3 as of the date
this document was published. Please refer to the Release Notes for your firmware version for the
latest capacity information.

Policy Capacities
Refer to the "Configuring Policy" Feature Guide for an in-depth discussion of Policy
configuration. This Feature Guide is located on the Enterasys Networks web site:
http://www.enterasys.com/support/manuals/
Table A-1 Policy Capacities
Feature                                        Capacity
Maximum policy roles (profiles) per system     15
Maximum number of unique rules per system      768
Maximum number of ether type rules             128
Maximum number of MAC rules                    128
Maximum number of Layer 3/4 rules              512
Maximum number of rules per single role        100
Maximum number of masks                        No limit
CoS rate limiting (IRL) support                Yes
Priority-based rate limiting                   No
Rule-based rate limiting                       No
Role-based rate limiting                       Yes
Fixed rule precedence                          Yes
Supported rule types
  ether type (numuser = 1) [1]                 vlan/cos/drop/fwd (max 7 vlan rules per profile)
  mac dest/mac source                          cos/drop/fwd
  ip protocol [1]                              cos/drop/fwd
  ip dest socket/ip source socket              cos/drop/fwd
  ip tos [1]                                   cos/drop/fwd
  tcp dest port/tcp source port                cos/drop/fwd
  udp dest port/udp source port                cos/drop/fwd
  icmp type [1]                                No
[1] These rules cannot be masked.

Authentication Capacities
Refer to the "Configuring User Authentication" Feature Guide for an in-depth discussion of
authentication configuration. This Feature Guide is located on the Enterasys Networks web site:
http://www.enterasys.com/support/manuals/
Table A-2 Authentication Capacities
Authentication Feature                         Capacity
IEEE 802.1x (dot1x) authentication             Supported
MAC-based authentication                       Supported
Port Web Authentication (PWA)                  Supported
RFC 3580 dynamic VLAN assignment based on      Supported, for 802.1x, MAC-based, and PWA
  authentication response                        authentication methods
Multi-user authentication maximum users per
  port when policy maptable response is:
    policy mode                                3
    both, hybrid mode                          3
    tunnel mode                                6
User + IP phone                                Supported
  (Configured with a policy admin rule)
  Multiauth numusers set to 2
