Stackable Switches
Configuration Guide
Firmware Version 1.00.xx
P/N 9034313-02
Notice
Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.
The hardware, firmware, or software described in this document is subject to change without notice.
IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.
Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810
2007 Enterasys Networks, Inc. All rights reserved.
Part Number: 9034313-02 March 2007
ENTERASYS NETWORKS, NETSIGHT, WEBVIEW, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc. in the United States and other countries.
All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.
Documentation URL: http://www.enterasys.com/support/manuals
1. LICENSE. You have the non-exclusive and non-transferable right to use only the one (1) copy of the Program provided in this package subject to the terms and conditions of this Agreement.
2. RESTRICTIONS. Except as otherwise authorized in writing by Enterasys, You may not, nor may You permit any third party to:
(i) Reverse engineer, decompile, disassemble or modify the Program, in whole or in part, including for reasons of error correction or interoperability, except to the extent expressly permitted by applicable law and to the extent the parties shall not be permitted by that applicable law, such rights are expressly excluded. Information necessary to achieve interoperability or correct errors is available from Enterasys upon request and upon payment of Enterasys' applicable fee.
(ii) Incorporate the Program, in whole or in part, in any other product or create derivative works based on the Program, in whole or in part.
(iii) Publish, disclose, copy, reproduce or transmit the Program, in whole or in part.
(iv) Assign, sell, license, sublicense, rent, lease, encumber by way of security interest, pledge or otherwise transfer the Program, in whole or in part.
(v) Remove any copyright, trademark, proprietary rights, disclaimer or warning notice included on or embedded in any part of the Program.
3. APPLICABLE LAW. This Agreement shall be interpreted and governed under the laws and in the state and federal courts of the Commonwealth of Massachusetts without regard to its conflicts of laws provisions. You accept the personal jurisdiction and venue of the Commonwealth of Massachusetts courts. None of the 1980 United Nations Convention on Contracts for the International Sale of Goods, the United Nations Convention on the Limitation Period in the International Sale of Goods, and the Uniform Computer Information Transactions Act shall apply to this Agreement.
4. EXPORT RESTRICTIONS. You understand that Enterasys and its Affiliates are subject to regulation by agencies of the U.S. Government, including the U.S. Department of Commerce, which prohibit export or diversion of certain technical products to certain countries, unless a license to export the Program is obtained from the U.S. Government or an exception from obtaining such license may be relied upon by the exporting party.
If the Program is exported from the United States pursuant to the License Exception CIV under the U.S. Export Administration Regulations, You agree that You are a civil end user of the Program and agree that You will use the Program for civil end uses only and not for military purposes.
If the Program is exported from the United States pursuant to the License Exception TSR under the U.S. Export Administration Regulations, in addition to the restriction on transfer set forth in Sections 1 or 2 of this Agreement, You agree not to (i) reexport or release the Program, the source code for the Program or technology to a national of a country in Country Groups D:1 or E:2 (Albania, Armenia, Azerbaijan, Belarus, Bulgaria, Cambodia, Cuba, Estonia, Georgia, Iraq, Kazakhstan, Kyrgyzstan, Laos, Latvia, Libya, Lithuania, Moldova, North Korea, the People's Republic of China, Romania, Russia, Rwanda, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, Vietnam, or such other countries as may be designated by the United States Government), (ii) export to Country Groups D:1 or E:2 (as defined herein) the direct product of the Program or the technology, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List, or (iii) if the direct product of the technology is a complete plant or any major component of a plant, export to Country Groups D:1 or E:2 the direct product of the plant or a major component thereof, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List or is subject to State Department controls under the U.S. Munitions List.
5. UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The enclosed Program (i) was developed solely at private expense; (ii) contains restricted computer software submitted with restricted rights in accordance with section 52.227-19 (a) through (d) of the Commercial Computer Software Restricted Rights Clause and its successors, and (iii) in all respects is proprietary data belonging to Enterasys and/or its suppliers. For Department of Defense units, the Program is considered commercial computer software in accordance with DFARS section 227.7202-3 and its successors, and use, duplication, or disclosure by the Government is subject to restrictions set forth herein.
6. DISCLAIMER OF WARRANTY. EXCEPT FOR THOSE WARRANTIES EXPRESSLY PROVIDED TO YOU IN WRITING BY ENTERASYS, ENTERASYS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT WITH RESPECT TO THE PROGRAM. IF IMPLIED WARRANTIES MAY NOT BE DISCLAIMED BY APPLICABLE LAW, THEN ANY IMPLIED WARRANTIES ARE LIMITED IN DURATION TO THIRTY (30) DAYS AFTER DELIVERY OF THE PROGRAM TO YOU.
7. LIMITATION OF LIABILITY. IN NO EVENT SHALL ENTERASYS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS, PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR RELIANCE DAMAGES, OR OTHER LOSS) ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM, EVEN IF ENTERASYS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS FOREGOING LIMITATION SHALL APPLY REGARDLESS OF THE CAUSE OF ACTION UNDER WHICH DAMAGES ARE SOUGHT.
THE CUMULATIVE LIABILITY OF ENTERASYS TO YOU FOR ALL CLAIMS RELATING TO THE PROGRAM, IN CONTRACT, TORT OR OTHERWISE, SHALL NOT EXCEED THE TOTAL AMOUNT OF FEES PAID TO ENTERASYS BY YOU FOR THE RIGHTS GRANTED HEREIN.
8. AUDIT RIGHTS. You hereby acknowledge that the intellectual property rights associated with the Program are of critical value to Enterasys and, accordingly, You hereby agree to maintain complete books, records and accounts showing (i) license fees due and paid, and (ii) the use, copying and deployment of the Program. You also grant to Enterasys and its authorized representatives, upon reasonable notice, the right to audit and examine during Your normal business hours, Your books, records, accounts and hardware devices upon which the Program may be deployed to verify compliance with this Agreement, including the verification of the license fees due and paid Enterasys and the use, copying and deployment of the Program. Enterasys' right of examination shall be exercised reasonably, in good faith and in a manner calculated to not unreasonably interfere with Your business. In the event such audit discovers non-compliance with this Agreement, including copies of the Program made, used or deployed in breach of this Agreement, You shall promptly pay to Enterasys the appropriate license fees. Enterasys reserves the right, to be exercised in its sole discretion and without prior notice, to terminate this license, effective immediately, for failure to comply with this Agreement. Upon any such termination, You shall immediately cease all use of the Program and shall return to Enterasys the Program and all copies of the Program.
9. OWNERSHIP. This is a license agreement and not an agreement for sale. You acknowledge and agree that the Program constitutes trade secrets and/or copyrighted material of Enterasys and/or its suppliers. You agree to implement reasonable security measures to protect such trade secrets and copyrighted material. All right, title and interest in and to the Program shall remain with Enterasys and/or its suppliers. All rights not specifically granted to You shall be reserved to Enterasys.
Contents
About This Guide
    Using This Guide
    Structure of This Guide
    Related Documents
    Conventions Used in This Guide
    Getting Help
Chapter 1: Introduction
    SecureStack C3 CLI Overview
    Switch Management Methods
    Factory Default Settings
    Using the Command Line Interface
        Starting a CLI Session
        Logging In
        Navigating the Command Line Interface

            reset
            clear config
    Using and Configuring WebView
        Purpose
        Commands
            show webview
            set webview
            show ssl
            set ssl
Important Notice
Depending on the firmware version used in your C3 device, some features described in this
document may not be supported. Refer to the Release Notes shipped with your device to
determine which features are supported.
Access the SecureStack CLI.
Use CLI commands to perform network management and device configuration operations.
Establish and manage Virtual Local Area Networks (VLANs).
Establish and manage static and dynamically-assigned policy classifications.
Establish and manage priority classification.
Configure IP routing and routing protocols, including RIP versions 1 and 2, OSPF, DVMRP, IRDP, and VRRP.
Configure IPv6 routing, including OSPFv3.
Configure security protocols, including 802.1X and RADIUS, SSHv2, PWA, MAC locking, and MAC authentication.
Configure access control lists (ACLs).
duplex mode, auto-negotiation, flow control, port mirroring, link aggregation and broadcast suppression.
Chapter 5, SNMP Configuration, describes how to configure SNMP users and user groups, access rights, target addresses, and notification parameters.
Chapter 6, Spanning Tree Configuration, describes how to review and set Spanning Tree bridge parameters for the device, including bridge priority, hello time, maximum aging time and forward delay; and how to review and set Spanning Tree port parameters, including port priority and path costs.
Chapter 7, 802.1Q VLAN Configuration, describes how to create static VLANs, select the mode of operation for each port, establish VLAN forwarding (egress) lists, route frames according to VLAN ID, display the current ports and port types associated with a VLAN and protocol, create a secure management VLAN, and configure ports on the device as GVRP-aware ports.
Chapter 8, Policy Classification Configuration, describes how to create, change or remove user roles or profiles based on business-specific use of network services; how to permit or deny access to specific services by creating and assigning classification rules which map user profiles to frame filtering policies; how to classify frames to a VLAN or Class of Service (CoS); and how to assign or unassign ports to policy profiles so that only ports activated for a profile will be allowed to transmit frames accordingly.
Chapter 9, Port Priority Configuration, describes how to set the transmit priority of each port and configure a rate limit for a given port and list of priorities.
Chapter 10, IGMP Configuration, describes how to configure Internet Group Management Protocol (IGMP) settings for multicast filtering.
Chapter 11, Logging and Network Management, describes how to configure Syslog, how to manage general switch settings, how to monitor network events and status, and how to configure SNTP and node aliases.
Chapter 12, Configuring RMON, describes how to use RMON (Remote Network Monitoring), which provides comprehensive network fault diagnosis, planning, and performance tuning information and allows for interoperability between SNMP management stations and monitoring agents.
Chapter 13, Configuring DHCP Server, describes how to review and configure DHCP server parameters, how to review and configure DHCP address pools, and how to display DHCP server information.
Chapter 14, Preparing for Router Mode, provides information about router modes and how to activate a license.
Chapter 15, IP Configuration, describes how to enable IP routing for router mode operation, how to configure IP interface settings, how to review and configure the routing ARP table, how to review and configure routing broadcasts, how to configure PIM, and how to configure IP routes.
Chapter 16, IPv4 Routing Protocol Configuration, describes how to configure IPv4 routing and routing protocols, including RIP, OSPF, DVMRP, IRDP, and VRRP.
Chapter 17, IPv6 Management, describes the commands used to configure IPv6 at the switch level.
Chapter 18, IPv6 Configuration, describes the commands used to configure IPv6 at the routing level.
Chapter 19, DHCPv6 Configuration, describes the commands used to configure the Dynamic Host Configuration Protocol for IPv6.
Chapter 20, OSPFv3 Configuration, describes the commands used to configure the Open Shortest Path First routing protocol for IPv6.
Chapter 21, Security Configuration, describes how to configure 802.1X authentication using EAPOL, how to configure RADIUS server, Secure Shell server, MAC authentication, MAC locking, Port Web Authentication, and IP access control lists (ACLs).
Related Documents
The following Enterasys Networks documents may help you to set up, control, and manage the SecureStack device:
Ethernet Technology Guide
Cabling Guide
SecureStack C3 Installation Guide(s)
SecureStack Redundant Power System Installation Guide
Documents listed above can be obtained from the World Wide Web in Adobe Acrobat Portable Document Format (PDF) at the following web site:
http://www.enterasys.com/support/manuals/
Description
Bold font
italic font
Courier font
[]
{}
[x | y | z]
{x | y | z}
[x {y | z} ]
The following icons are used in this guide:
Note: Calls the reader's attention to any item of information that may be of special importance.
Getting Help
For additional support related to this switch or document, contact Enterasys Networks using one of the following methods:
World Wide Web: http://www.enterasys.com/services/support
Phone: 1-800-872-8440 (toll-free in U.S. and Canada) or 1-978-684-1000
Internet mail
To send comments or suggestions concerning this document to the Technical Publications Department:
techpubs@enterasys.com
Make sure to include the document Part Number in the email message.
Before calling Enterasys Networks, have the following information ready:
Your Enterasys Networks service contract number
A description of the failure
A description of any action(s) already taken to resolve the problem (for example, changing mode switches or rebooting the unit)
The serial and revision numbers of all involved Enterasys Networks products in the network
A description of your network environment (for example, layout, cable type)
Network load and frame size at the time of trouble (if known)
The switch history (for example, have you returned the switch before, is this a recurring problem?)
Any previous Return Material Authorization (RMA) numbers
Chapter 1: Introduction
This chapter provides an overview of the SecureStack C3's unique features and functionality, an overview of the tasks that may be accomplished using the CLI interface, an overview of ways to manage the switch, factory default settings, and information about how to use the Command Line Interface to configure the switch.
Use CLI commands to perform network management and switch configuration operations.
Download a new firmware image.
Assign IP address and subnet mask.
Select a default gateway.
Establish and manage Virtual Local Area Networks (VLANs).
Establish and manage policy profiles and classifications.
Establish and manage priority classification.
Configure IPv4 routing and routing protocols, including RIP versions 1 and 2, OSPF, DVMRP, IRDP and VRRP.
Configure IPv6 routing and routing protocols, including OSPFv3.
Configure security protocols, including 802.1X and RADIUS, SSHv2, PWA, MAC locking, and MAC authentication.
Configure access control lists (ACLs).

Locally using a VT type terminal connected to the console port.
Remotely using a VT type terminal connected through a modem.
Remotely using an SNMP management station.
In-band through a Telnet connection.
In-band using Enterasys Networks' NetSight management application.
Remotely using WebView, Enterasys Networks' embedded web server application.
The Installation Guide for your SecureStack C3 device provides setup instructions for connecting a terminal or modem to the switch.
Feature
Default Setting
Set to 00-00-00-00-00-00-00-00
CDP interval
Set to 60 seconds.
Community name
Public.
DHCP server
Disabled.
EAPOL
Disabled.
EAPOL authentication
mode
GARP timer
GVRP
Globally enabled.
20 lines.
Disabled.
Table 1-1
IGMP snooping
Disabled. When enabled, query interval is set to 260 seconds and response
time is set to 10 seconds.
IP routes
Enabled.
Disabled.
Set to DIP-SIP.
Lockout
Set to disable Read-Write and Read-Only users, and to lockout the default
admin (Super User) account for 15 minutes, after 3 failed login attempts.
Logging
Syslog port set to UDP port number 514. Logging severity level set to 6
(significant conditions) for all applications.
MAC locking
Passwords
Set to an empty string for all default user accounts. User must press ENTER
at the password prompt to access CLI.
Password aging
Disabled.
Password history
Policy classification
Port auto-negotiation
Port broadcast suppression Enabled and set to limit broadcast packets to 14,881 per second on all switch
ports
Port duplex mode
Set to half duplex, except for 100BASE-FX and 1000BASE-X, which is set to
full duplex.
Port enable/disable
Enabled.
Port priority
Set to 0.
Port speed
Set to 10 Mbps, except for 1000BASE-X, which is set to 1000 Mbps, and
100BASE-FX, which is set to 100 Mbps.
Port trap
Priority classification
RADIUS client
Disabled.
RADIUS retries
RADIUS timeout
SNMP
Enabled.
SNTP
Disabled.
Spanning Tree
Edge port administrative status begins with the value set to false initially after
the device is powered up. If a Spanning Tree BDPU is not received on the
port within a few seconds, the status setting changes to true.
Enabled.
Set to 15 seconds.
Set to 2 seconds.
Set to 0.
Set to 20 seconds.
All ports with bridge priority are set to 128 (medium priority).
Enabled.
SSH
Disabled.
System contact
System location
System name
Terminal
Timeout
Set to 5 minutes.
User names
VLAN ID
Host VLAN
Table 1-2
Feature
Default Setting
None configured.
Area authentication
(OSPF)
Disabled.
Set to 1.
None configured.
None configured.
ARP table
ARP timeout
None configured.
None configured.
Set to 40 seconds.
No filters applied.
DVMRP
ICMP
IP-directed broadcasts
Disabled.
IP forward-protocol
IP interfaces
IRDP
MD5 authentication
(OSPF)
MTU size
OSPF
Disabled.
OSPF cost
OSPF network
None configured.
OSPF priority
Set to 1.
None configured.
Proxy ARP
Set to 1 second.
Set to 5 seconds.
Set to version 1.
RIP offset
No value applied.
SNMP
Enabled.
Split horizon
None configured.
Telnet
Enabled.
Timers (OSPF)
Set to 1 second.
VRRP
Disabled.
using a default user account, as described in "Using a Default User Account" on page 1-7, or
using an administratively-assigned user account as described in "Using an Administratively Configured User Account" on page 1-8.
Figure 1-1
Username:admin
Password:
Enterasys SecureStack C3
Command Line Interface
Enterasys Networks, Inc.
50 Minuteman Rd.
Andover, MA 01810-1008 U.S.A.
Phone: +1 978 684 1000
E-mail: support@enterasys.com
WWW: http://www.enterasys.com
(c) Copyright Enterasys Networks, Inc. 2006
Chassis Serial Number: 041800249041
Chassis Firmware Revision: 1.00.xx
C3(su)->
1. Telnet to the switch's IP address.
2. Enter login (user name) and password information in one of the following ways:
   If the switch's default login and password settings have not been changed, follow the steps listed in "Using a Default User Account" on page 1-7, or
   Enter an administratively-configured user name and password.
The notice of authorization and the prompt displays as shown in Figure 1-1.
For information about configuring Telnet settings, refer to "Starting and Configuring Telnet" on page 3-43.
Refer to the instructions included with the Telnet application for information about establishing a Telnet session.
Logging In
By default, the SecureStack C3 switch is configured with three user login accounts: ro for Read-Only access, rw for Read-Write access, and admin for super-user access to all modifiable parameters. The default password is set to a blank string. For information on changing these default settings, refer to "Setting User Accounts and Passwords" on page 3-2.
Using a Default User Account
1. At the login prompt, enter one of the following default user names:
   ro for Read-Only access.
   rw for Read-Write access.
   admin for Super User access.
2. Press ENTER. The Password prompt displays.
3. Leave this string blank and press ENTER. The switch information and prompt displays as shown in Figure 1-1.
Using an Administratively Configured User Account
1. At the login prompt, enter your administratively-assigned user name and press ENTER.
2. At the Password prompt, enter your password and press ENTER.
The notice of authorization and the prompt displays as shown in Figure 1-1.
Note: Users with Read-Write (rw) and Read-Only access can use the set password command
(page 3-4) to change their own passwords. Administrators with Super User (su) access can use
the set system login command (page 3-3) to create and change user accounts, and the set
password command to change any local account password.
Syntax
show port status [port-string]
Defaults
If port-string is not specified, status information for all ports will be displayed.
Write access will be able to modify all modifiable parameters in set and show commands, as well as view Read-Only commands. Administrators or Super Users will be allowed all Read-Write and Read-Only privileges, and will be able to modify local user accounts. The SecureStack C3 switch indicates which mode a user is logged in as by displaying one of the following prompts:
Admin: C3(su)->
Read-Write: C3(rw)->
Read-Only: C3(ro)->
C3(su)->show snmp ?
  community      SNMP v1/v2c
  notify         SNMP notify
  targetaddr     SNMP target
  targetparams   SNMP target
Entering a question mark (?) without a space after a partial keyword will display a list of commands that begin with the partial keyword. Figure 1-4 shows how to use this function for all commands beginning with co:
Figure 1-4
C3(rw)->co?
configure  copy
C3(su)->co
Note: At the end of the lookup display, the system will repeat the command you entered without the ?.
Press any key other than ENTER to advance the output one screen at a time.
Press ENTER to advance the output one line at a time.
The example in Figure 1-5 shows how the show mac command indicates that output continues on more than one screen.
Figure 1-5
C3(su)->show mac
MAC Address        FID  Port      Type
---------------------------------------------------------
00-00-1d-67-68-69  1    host      Management
00-00-02-00-00-00  1    fe.1.2    Learned
00-00-02-00-00-01  1    fe.1.3    Learned
00-00-02-00-00-02  1    fe.1.4    Learned
00-00-02-00-00-03  1    fe.1.5    Learned
00-00-02-00-00-04  1    fe.1.6    Learned
00-00-02-00-00-05  1    fe.1.7    Learned
00-00-02-00-00-06  1    fe.1.8    Learned
00-00-02-00-00-07  1    fe.1.9    Learned
00-00-02-00-00-08  1    fe.1.10   Learned
--More--
Abbreviating a Command
C3(su)->sh net
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address         Foreign Address      State
----- ------ ------ --------------------- -------------------- ------
TCP        0      0 10.21.73.13.23        134.141.190.94.51246 ESTABLISHED
TCP        0    275 10.21.73.13.23        134.141.192.119.4724 ESTABLISHED
TCP        0      0 *.80                  *.*                  LISTEN
TCP        0      0 *.23                  *.*                  LISTEN
UDP        0      0 10.21.73.13.1030      134.141.89.113.514
UDP        0      0 *.161                 *.*
UDP        0      0 *.1025                *.*
UDP        0      0 *.123                 *.*
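An added example, not part of the Enterasys guide: a listing in the layout shown above is enough to audit which management services a switch exposes. The Python code below parses such output (the sample is constructed, using documentation addresses) and reports Telnet, HTTP and SNMP listeners and sessions; the function names are hypothetical and the port-to-service mapping assumes the standard well-known ports.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the same column layout as the listing above.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address         Foreign Address      State
----- ------ ------ --------------------- -------------------- ------
TCP        0      0 192.0.2.10.23         198.51.100.7.51246   ESTABLISHED
TCP        0      0 *.80                  *.*                  LISTEN
TCP        0      0 *.23                  *.*                  LISTEN
TCP        0      0 *.22                  *.*                  LISTEN
UDP        0      0 192.0.2.10.1030       198.51.100.9.514
UDP        0      0 *.161                 *.*
UDP        0      0 *.123                 *.*
"""

# Well-known ports to review. Telnet and HTTP are unencrypted; SNMP on 161 is
# unencrypted for v1/v2c, and the port alone cannot tell which version is used.
REVIEW_PORTS = {("TCP", 23): "Telnet", ("TCP", 80): "HTTP", ("UDP", 161): "SNMP"}

ROW = re.compile(r"^(TCP|UDP)\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Socket:
    proto: str
    local_host: str
    local_port: Optional[int]
    remote_host: str
    remote_port: Optional[int]
    state: str  # empty for UDP rows, which carry no State column


def split_endpoint(text: str) -> Tuple[str, Optional[int]]:
    """Split 'a.b.c.d.port' or '*.port' at the LAST dot; '*' port means any."""
    host, _, port = text.rpartition(".")
    return host, (int(port) if port.isdigit() else None)


def parse(listing: str) -> List[Socket]:
    """Return one Socket per data row, skipping prompts, headers and rulers."""
    sockets = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        sockets.append(Socket(proto, lhost, lport, rhost, rport, state or ""))
    return sockets


def audit(listing: str) -> List[Tuple[str, str, str]]:
    """Return (service, 'listener' | 'session', peer) for each reviewed port."""
    findings = []
    for s in parse(listing):
        service = REVIEW_PORTS.get((s.proto, s.local_port))
        if service is None:
            continue
        kind = "listener" if s.remote_host == "*" else "session"
        findings.append((service, kind, s.remote_host))
    return findings


if __name__ == "__main__":
    for service, kind, peer in audit(SAMPLE):
        print(f"{service:7} {kind:9} peer={peer}")
```
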
Key Sequence
Command
Ctrl+A
Ctrl+B
Ctrl+D
Delete a character.
Ctrl+E
Ctrl+F
Ctrl+H
Ctrl+I or TAB
Complete word.
Table 1-3
Ctrl+K
Ctrl+N
Scroll to next command in command history (use the CLI history command to
display the history).
Ctrl+P
Ctrl+Q
Ctrl+S
Ctrl+T
Transpose characters.
Ctrl+U or Ctrl+X
Ctrl+W
Ctrl+Y
Chapter 2: Configuring Switches in a Stack
This chapter provides information about configuring SecureStack C3 switches in a stack.
Once installed in a stack, the switches behave and perform as a single switch product. As such, you can start with a single unit and add more units as your network expands. You can also mix different products in the family in a single stack to provide a desired combination of port types and functions to match the requirements of individual applications. In all cases, a stack of units performs as one large product, and is managed as a single network entity.
When switches are installed and connected as described in the SecureStack C3 Installation Guides, the following occurs during initialization:
The switch that will manage the stack is automatically established. This is known as the manager switch.
All other switches are established as members in the stack.
The hierarchy of the switches that will assume the function of backup manager is also determined in case the current manager malfunctions, is powered down, or is disconnected from the stack.
The console port on the manager switch remains active for out-of-band (local) switch management, but the console port on each member switch is deactivated. This enables you to set the IP address and system password using a single console port. Now each switch can be configured locally using only the manager's console port, or in-band using a remote device and the CLI set of commands described in this section.
Once a stack is created (more than one switch is interconnected), the following procedure occurs:
1. By default, unit IDs are arbitrarily assigned on a first-come, first-served basis.
2. Unit IDs are saved against each module. Then, every time a board is power-cycled, it will initialize with the same unit ID. This is important for port-specific information (for example: ge.4.12 is the 12th Gigabit Ethernet port on Unit # 4).
3. The management election process uses the following precedence to assign a management switch:
   a. Previously assigned / elected management unit
   b. Management assigned priority (values 1-15)
   c. Hardware preference level
   d. Highest MAC Address
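An added illustration of the precedence list above, not code from the guide or the switch firmware: each criterion is consulted only when all earlier ones tie, which is a lexicographic comparison. The sketch assumes that a larger priority value and a larger hardware preference level win (the page gives only the order of the criteria), and the Unit fields, function names and MAC addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Unit:
    unit_id: int
    mac: str                   # dash-separated hex, e.g. "00-00-5e-00-53-10"
    priority: int = 1          # management assigned priority, values 1-15
    hw_pref: int = 1           # hardware preference level
    was_manager: bool = False  # previously assigned / elected management unit


def mac_value(mac: str) -> int:
    """Turn a dash-separated MAC into an integer so 'highest MAC' is comparable."""
    octets = mac.split("-")
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(octets), 16)


def precedence_key(unit: Unit):
    """Criteria a-d as one tuple; tuples compare element by element."""
    if not 1 <= unit.priority <= 15:
        raise ValueError(f"unit {unit.unit_id}: priority must be 1-15")
    # ASSUMPTION: larger priority / hardware preference is preferred.
    return (unit.was_manager, unit.priority, unit.hw_pref, mac_value(unit.mac))


def succession(units: List[Unit]) -> List[Unit]:
    """Units ordered from manager to last backup candidate."""
    return sorted(units, key=precedence_key, reverse=True)


def elect(units: List[Unit]) -> Unit:
    if not units:
        raise ValueError("empty stack")
    return succession(units)[0]


def failover(units: List[Unit], failed_id: int) -> Unit:
    """Manager chosen after the unit with failed_id leaves the stack."""
    return elect([u for u in units if u.unit_id != failed_id])


if __name__ == "__main__":
    stack = [
        Unit(1, "00-00-5e-00-53-10"),
        Unit(2, "00-00-5e-00-53-20", priority=15),
        Unit(3, "00-00-5e-00-53-05", was_manager=True),
    ]
    print("manager:", elect(stack).unit_id)
    print("order:", [u.unit_id for u in succession(stack)])
    print("after unit 3 fails:", failover(stack, 3).unit_id)
```
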
Use the following recommended procedures when installing a new stackable system or adding a new unit to an existing stack.
Important
The following procedures assume that all units have a clean configuration from manufacturing. When adding
a new unit to an already running stack, it is also assumed that the new unit is using the same firmware image
version as other units in the stack.
1. Before applying power, make all physical connections with the stack cables as described in the SecureStack C3 Installation Guides.
2. Once all of the stack cables have been connected, individually power on each unit from top to bottom.
Notes: Ensure that each switch is fully operational before applying power to the next switch.
Since unit IDs are assigned on a first-come, first-served basis, this will ensure that unit IDs are ordered sequentially.
Once unit IDs are assigned, they are persistent and will be retained during a power cycle to any or all of the units.
3. (Optional) If desired, change the management unit using the set switch movemanagement command as described in "set switch movemanagement" on page 2-11.
4. Once the desired master unit has been selected, reset the system using the reset command as described in "reset" on page 3-69.
5. After the stack has been configured, you can use the show switch unit command ("show switch" on page 2-7) to physically identify each unit. When you enter the command with a unit number, the MGR LED of the specified switch will blink for 10 seconds. The normal state of this LED is off for member units and steady green for the manager unit.
1. Stack the units in the method desired, and connect the stack cables.
2. Power up only the unit you wish to be manager.
3. Once the management unit is powered up, log into the CLI, and use the show switch command as described in "show switch" on page 2-7 to display stacking information.
4. Clear any switches which are listed as "unassigned" using the clear switch member command as described in "clear switch member" on page 2-13.
5. Power up the member of the stack you wish to become unit 2. Once the second unit is fully powered, the COM session of the CLI will state that a new CPU was added.
6. Use the show switch command to redisplay stacking information.
   a. If the new member displays as unit 2, you can proceed to repeat this step with the next unit.
   b. If the new member displays a different unit number, you must:
      (1) Renumber the stack using the set switch renumber command as described in "set switch" on page 2-10, then
      (2) Clear the original unit number using the clear switch member command.
7. Repeat Step 6 until all members have been renumbered in the order you desire.
8. After the stack has been reconfigured, you can use the show switch unit command ("show switch" on page 2-7) to physically confirm the identity of each unit. When you enter the command with a unit number, the MGR LED of the specified switch will blink for 10 seconds. The normal state of this LED is off for member units and steady green for the manager unit.

1. Ensure that power is off on the new unit being installed.
2. Use one of the following methods to complete stack cable connections:
   If the running stack uses a daisy chain topology, make the stack cable connections from the bottom of the stack to the new unit (that is, STACK DOWN port from the bottom unit of the running stack to the STACK UP port on the new unit).
   If the running stack uses a ring stack topology, break the ring and make the stack cable connections to the new unit to close the ring.
3. Apply power to the new unit.
1. Display the types of switches supported in the stack, using the show switch switchtype command (page 2-8).
2. Using the output of the show switch switchtype command, determine the switch index (SID) of the model of switch being configured.
3. Add the virtual switch to the stack using the set switch member command (page 2-12). Use the SID of the switch model, determined in the previous step, and the unit ID that you want to assign to this switch member.
4. Proceed to configure the ports of the virtual switch as you would do for physically present devices.
The following example adds a C3G124-24 model to a stack as unit 2 of the stack. The first port on that virtual switch is then associated with VLAN 555.
C3(su)->show switch switchtype
                                     Mgmt Code
SID  Switch Model ID                 Pref Version
--   ------------------------------- ---  --------
1    C2G124-24                       1    0xa08245
2    C2K122-24                       1    0xa08245
3    C2G124-48                       1    0xa08245
4    C2G124-48P                      1    0xa08245
5    C2H124-48                       1    0xa08245
6    C2H124-48P                      1    0xa08245
7    C2G134-24P                      1    0xa08245
8    C2G170-24                       1    0xa08245
9    C3G124-24P                      1    0xa08245
10   C3G124-48P                      1    0xa08245
11   C3G124-48                       1    0xa08245
12   C3G124-24                       1    0xa08245
Code
Version
-------1.00.xx
00.00.00
Use clear config to clear config parameters without clearing stack unit IDs. This command WILL NOT clear stack parameters or the IP address and avoids the process of renumbering the stack.
Use clear config all when it is necessary to clear all config parameters, including stack unit IDs and switch priority values. This command will not clear the IP address nor will it remove an applied advanced feature license.
Use clear ip address to remove the IP address of the stack.
Use clear license to remove an applied license from a switch.
Configuration parameters and stacking information can also be cleared on the master unit only by selecting the "restore configuration to factory defaults" option from the boot menu on switch startup. This selection will leave stacking priorities on all other units.
Configuration
Common Firmware Version
Mixed stacking is only supported by SecureStack C2 firmware version 5.00.xx and higher. In order to mix SecureStack C3 switches with C2 switches, you must install the C2 firmware (version 5.00.xx or higher) on the C3 switch. You can install the C2 firmware first, with the C3 switch in standalone mode, or you can add the C3 switch to the stack and then copy the C2 firmware to the C3 switch using the set switch copy-fw command (page 2-10). After copying the C2 firmware to the C3 switch, you must reset the stack.
Switch Manager
It is recommended that a SecureStack C3 switch be made the manager of a mixed stack. Use the set switch movemanagement command (page 2-11) to change the manager unit.
Commands
show switch
Use this command to display information about one or more units in the stack.
Syntax
show switch [status] [unit]
Parameters
status  (Optional) Displays power and administrative status information for one or more units in the stack.
unit    (Optional) Specifies the unit(s) for which information will display.
Defaults
If not specified, status and other configuration information about all units will be displayed.
Mode
Switch command, read-only.
Usage
After a stack has been configured, you can use this command to physically confirm the identity of each unit. When you enter the command with a unit number, the MGR LED of the specified switch will blink for 10 seconds. The normal state of this LED is off for member units and steady green for the manager unit.
Examples
This example shows how to display information about all switch units in the stack:
C3(rw)->show switch
        Management    Preconfig     Plugged-in    Switch  Code
Switch  Status        Model ID      Model ID      Status  Version
------  ------------  ------------  ------------  ------  --------
1       Mgmt Switch   C3G124-24     C3G124-24     OK      01.00.xx
2       Stack Member  C3G124-24     C3G124-24     OK      01.00.xx
3       Stack Member  C3G124-24     C3G124-24     OK      01.00.xx
4       Stack Member  C3G124-24     C3G124-24     OK      01.00.xx
5       Stack Member  C3G124-24     C3G124-24     OK      01.00.xx
6       Stack Member  C3G124-24     C3G124-24     OK      01.00.xx
7       Stack Member  C3G124-24     C3G124-24     OK      01.00.xx
8       Stack Member  C3G124-24     C3G124-24     OK      01.00.xx
This example shows how to display information about switch unit 1 in the stack:
C3(ro)->show switch 1
Switch                          1
Management Status               Management Switch
Hardware Management Preference  Unassigned
Admin Management Preference     Unassigned
Switch Type                     C3G124-24
Preconfigured Model Identifier  C3G124-24
Plugged-in Model Identifier     C3G124-24
Switch Status                   OK
Switch Description              Enterasys Networks, Inc. C3 -- Model C3G124-24
Detected Code Version           01.00.xx
03.01.20
02.01.37
0 days 6 hrs 37 mins 54 secs
This example shows how to display status information for switch unit 1 in the stack:
C3(ro)->show switch status 1
Switch                  1
Switch Status           Full
Admin State
Power State
Inserted Switch:
  Model Identifier      C3G124-24
  Description           Enterasys Networks, Inc. C3 -- Model C3G124-24
Configured Switch:
  Model Identifier      C3G124-24
  Description           Enterasys Networks, Inc. C3 -- Model C3G124-24
Syntax
show switch switchtype [switchindex]
Parameters
switchindex  Specifies the switch index (SID) of the switch type to display.
Defaults
None.
Mode
Switch command, read-only.
Examples
This example shows how to display switch type information about all switches in the stack:
C3(ro)->show switch switchtype
                                       Mgmt  Code
SID  Switch Model ID                   Pref  Version
---  --------------------------------  ----  ---------
1    C2G124-24                         1     0xa08245
2    C2K122-24                         1     0xa08245
3    C2G124-48                         1     0xa08245
4    C2G124-48P                        1     0xa08245
5    C2H124-48                         1     0xa08245
6    C2H124-48P                        1     0xa08245
7    C2G134-24P                        1     0xa08245
8    C2G170-24                         1     0xa08245
9    C3G124-24P                        1     0xa08245
10   C3G124-48P                        1     0xa08245
11   C3G124-48                         1     0xa08245
12   C3G124-24                         1     0xa08245
This example shows how to display switch type information about SID 1:
C3(ro)->show switch switchtype 1
Switch Type             0x56950200
Model Identifier        C2G124-24
Switch Description      Enterasys Networks, Inc. C2 -Model C2G124-24
Management Preference   1
Expected Code Version   0xa08245
Supported Cards:
  Slot                  0
  Card Index (CID)      1
  Model Identifier      C2G124-24
Syntax
show switch stack-ports [unit]
Parameters
unit  Specifies the switch unit ID, an integer ranging from 1 to 8.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display data and error information on stack ports:
C3(ro)->show switch stack-ports
                  ------------TX--------------  ------------RX--------------
                  Data    Error                 Data    Error
        Stacking  Rate    Rate        Total     Rate    Rate        Total
Switch  Port      (Mb/s)  (Errors/s)  Errors    (Mb/s)  (Errors/s)  Errors
------  --------  ------  ----------  ------    ------  ----------  ------
1       Up        0       0           0         0       0           0
        Down      0       0           0         0       0           0
set switch
Use this command to assign a switch ID, to set a switch's priority for becoming the management switch if the previous management switch fails, or to change the switch unit ID for a switch in the stack.
Syntax
set switch {unit [priority value | renumber newunit]}
Parameters
unit              Specifies a unit number for the switch. Value can range from 1 to 8.
priority value    Specifies a priority value for the unit. Valid values are 1 to 15 with higher values assigning higher priority.
renumber newunit  Specifies a new number for the unit.
                  Note: This number must be a previously unassigned unit ID number.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example shows how to assign priority 3 to switch 5:
C3(su)->set switch 5 priority 3
This example shows how to renumber switch 5 to switch 7:
C3(su)->set switch 5 renumber 7
Syntax
set switch copy-fw [destination-system unit]
Parameters
destination-system unit  (Optional) Specifies the unit number of unit on which to copy the management image file.
Defaults
If destination-system is not specified, the management image file will be replicated to all switches in the stack.
Mode
Switch command, read-write.
Example
This example shows how to replicate the management image file to all switches in the stack:
C3(su)->set switch copy-fw
Are you sure you want to copy firmware? (y/n) y
Code transfer completed successfully.
Syntax
set switch description unit description
Parameters
unit         Specifies a unit number for the switch.
description  Specifies a text description for the unit.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to assign the name "FirstUnit" to switch unit 1 in the stack:
C3(su)->set switch description 1 FirstUnit
Syntax
set switch movemanagement fromunit tounit
Parameters
fromunit  Specifies the unit number of the current management switch.
tounit    Specifies the unit number of the newly designated management switch.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to move management functionality from switch 1 to switch 2:
C3(su)->set switch movemanagement 1 2
Moving stack management will unconfigure entire stack including all interfaces.
Are you sure you want to move stack management? (y/n) y
Syntax
set switch member unit switch-id
Parameters
unit       Specifies a unit number for the switch.
switch-id  Specifies a switch ID (SID) for the switch. SIDs can be displayed with the show switch switchtype command.
Defaults
None.
Mode
Switch command, read-write.
Usage
Refer to "Creating a Virtual Switch Configuration" on page 2-4 for more information about how to add a virtual switch to a stack.
Example
This example shows how to specify a switch as unit 1 with a switch ID of 1:
C3(su)->set switch member 1 1
Syntax
clear switch member unit
Parameters
unit  Specifies the unit number of the switch.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to remove the switch 5 entry from the stack:
C3(su)->clear switch member 5
3
Basic Configuration
At startup, the SecureStack C3 switch is configured with many defaults and standard features. This chapter describes how to customize basic system settings to adapt to your work environment.
Commands
The commands in this section configure user accounts and passwords.
Syntax
show system login
Parameters
None.
Defaults
None.
Mode
Switch command, super-user.
Example
This example shows how to display login account information. In this case, switch defaults have not been changed:
C3(su)->show system login
Password history size: 0
Password aging       : disabled

Username     Access       State
admin        super-user   enabled
ro           read-only    enabled
rw           read-write   enabled
Table 3-1 provides an explanation of the command output.
Table 3-1
Output                 What It Displays...
Password history size  Number of previously used user login passwords that will be checked for duplication when the set password command is executed. Configured with set system password history (page 3-6).
Password aging         Number of days user passwords will remain valid before aging out. Configured with set system password aging (page 3-6).
Username
Access
State
Syntax
set system login username {super-user | read-write | read-only} {enable | disable}
Parameters
username                              Specifies a login name for a new or existing user. This string can be a maximum of 80 characters, although a maximum of 16 characters is recommended for proper viewing in the show system login display.
super-user | read-write | read-only   Specifies the access privileges for this user.
enable | disable                      Enables or disables the user account.
Defaults
None.
Mode
Switch command, super-user.
Example
This example shows how to enable a new user account with the login name "netops" with super-user access privileges:
C3(su)->set system login netops super-user enable
Syntax
clear system login username
Parameters
username  Specifies the login name of the account to be cleared.
          Note: The default admin (su) account cannot be deleted.
Defaults
None.
Mode
Switch command, super-user.
Example
This example shows how to remove the "netops" user account:
C3(su)->clear system login netops
set password
Use this command to change system default passwords or to set a new login password on the CLI.
Syntax
set password [username]
Parameters
username  (Only available to users with super-user access.) Specifies a system default or a user-configured login account name. By default, the SecureStack C3 switch provides the following account names:
          ro for Read-Only access.
          rw for Read-Write access.
          admin for Super User access. (This access level allows Read-Write access to all modifiable parameters, including user accounts.)
Defaults
None.
Mode
Switch command, read-write.
Switch command, super-user.
Usage
Read-Write users can change their own passwords.
Super Users (Admin) can change any password on the system.
Examples
This example shows how a super-user would change the Read-Write password from the system default (blank string):
C3(su)->set password rw
Please enter new password: ********
Please re-enter new password: ********
Password changed.
C3(su)->
This example shows how a user with Read-Write access would change his password:
C3(su)->set password
Please enter old password: ********
Please enter new password: ********
Please re-enter new password: ********
Password changed.
C3(su)->
Syntax
set system password length characters
Parameters
characters  Specifies the minimum number of characters for a user account password. Valid values are 0 to 40.
Defaults
None.
Mode
Switch command, super-user.
Example
This example shows how to set the minimum system password length to 8 characters:
C3(su)->set system password length 8
Syntax
set system password aging {days | disable}
Parameters
days     Specifies the number of days user passwords will remain valid before aging out. Valid values are 1 to 365.
disable  Disables password aging.
Defaults
None.
Mode
Switch command, super-user.
Example
This example shows how to set the system password age time to 45 days:
C3(su)->set system password aging 45
Syntax
set system password history size
Parameters
size  Specifies the number of passwords checked for duplication. Valid values are 0 to 10.
Defaults
None.
Mode
Switch command, super-user.
Example
This example shows how to configure the system to check the last 10 passwords for duplication:
C3(su)->set system password history 10
Syntax
show system lockout
Parameters
None.
Defaults
None.
Mode
Switch command, super-user.
Example
This example shows how to display user lockout settings. In this case, switch defaults have not been changed:
C3(su)->show system lockout
Lockout attempts: 3
Lockout time:     15 minutes.
Table 3-1 provides an explanation of the command output. These settings are configured with the set system lockout command ("set system lockout" on page 3-8).
Table 3-1
Output            What It Displays...
Lockout attempts
Lockout time      Number of minutes the default admin user account will be locked out after the maximum login attempts.
Syntax
set system lockout {[attempts attempts] [time time]}
Parameters
attempts attempts  Specifies the number of failed login attempts allowed before a read-write or read-only user's account will be disabled. Valid values are 1 to 10.
time time          Specifies the number of minutes the default admin user account will be locked out after the maximum login attempts. Valid values are 0 to 60.
Defaults
None.
Mode
Switch command, super-user.
Example
This example shows how to set login attempts to 5 and lockout time to 30 minutes:
C3(su)->set system lockout attempts 5 time 30
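The login, lockout and idle-logout settings covered by the commands above can be checked against a site baseline from captured CLI output. The following is an added example, not part of the original guide or Enterasys software: the baseline thresholds, the function names and the sample capture are assumptions, and a numeric "Password aging" value is assumed to mean days. The show commands in this guide do not display the minimum password length or whether a default password is still blank, so those are not checked.

```python
import re

# Constructed sample input, laid out like this guide's example output for a
# switch whose defaults have not been changed.
DEFAULT_OUTPUT = """\
C3(su)->show system login
Password history size: 0
Password aging       : disabled

Username     Access       State
admin        super-user   enabled
ro           read-only    enabled
rw           read-write   enabled
C3(su)->show system lockout
Lockout attempts: 3
Lockout time:     15 minutes.
C3(su)->show logout
Logout currently set to: 10 minutes.
"""

# Hypothetical site baseline: these thresholds are assumptions, not vendor guidance.
BASELINE = {
    "min_history": 5,           # set system password history
    "max_aging_days": 90,       # set system password aging
    "max_lockout_attempts": 5,  # set system lockout attempts
    "min_lockout_minutes": 15,  # set system lockout time
    "max_logout_minutes": 10,   # set logout
}
# Factory accounts other than admin (the guide notes admin cannot be deleted).
FACTORY_ACCOUNTS = {"ro", "rw"}

ACCOUNT_RE = re.compile(
    r"^(\S+)\s+(super-user|read-write|read-only)\s+(enabled|disabled)$")
SETTING_RES = {
    "history": re.compile(r"Password history size\s*:\s*(\S+)"),
    "aging": re.compile(r"Password aging\s*:\s*(\S+)"),
    "lockout_attempts": re.compile(r"Lockout attempts\s*:\s*(\S+)"),
    "lockout_minutes": re.compile(r"Lockout time\s*:\s*(\S+)"),
    "logout_minutes": re.compile(r"Logout currently set to\s*:\s*(\S+)"),
}


def parse_cli(text):
    """Extract login, lockout and logout settings from captured CLI output."""
    settings = {"accounts": []}
    for raw in text.splitlines():
        line = raw.strip()
        account = ACCOUNT_RE.match(line)
        if account:
            name, access, state = account.groups()
            settings["accounts"].append(
                {"name": name, "access": access, "enabled": state == "enabled"})
            continue
        for key, regex in SETTING_RES.items():
            found = regex.match(line)
            if found:
                value = found.group(1)
                # Numbers become ints; words such as "disabled" stay strings.
                settings[key] = int(value) if value.isdigit() else value
    return settings


def audit(settings, baseline=BASELINE):
    """Return one finding per setting that misses the baseline."""
    checks = [
        ("history", lambda v: v >= baseline["min_history"],
         "password history is shorter than the baseline"),
        ("aging", lambda v: v <= baseline["max_aging_days"],
         "password aging is disabled or longer than the baseline"),
        ("lockout_attempts", lambda v: v <= baseline["max_lockout_attempts"],
         "too many failed logins allowed before lockout"),
        ("lockout_minutes", lambda v: v >= baseline["min_lockout_minutes"],
         "admin lockout time is shorter than the baseline"),
        ("logout_minutes", lambda v: v <= baseline["max_logout_minutes"],
         "idle sessions stay connected longer than the baseline"),
    ]
    findings = []
    for key, passes, message in checks:
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not present in the captured output")
        elif not isinstance(value, int) or not passes(value):
            findings.append(f"{key}: {message} (found {value})")
    for account in settings["accounts"]:
        if account["enabled"] and account["name"] in FACTORY_ACCOUNTS:
            findings.append(
                f"account {account['name']}: factory account is enabled; disable "
                "it or confirm its password is no longer the system default")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_cli(DEFAULT_OUTPUT)):
        print(finding)
```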
Commands
The commands in this section set basic system information.
show ip address
Use this command to display the system IP address and subnet mask.
Syntax
show ip address
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the system IP address and subnet mask:
C3(su)->show ip address
Name             Address          Mask
---------------- ---------------- ----------------
host             10.42.13.20      255.255.0.0
set ip address
Use this command to set the system IP address, subnet mask and default gateway.
Syntax
set ip address ip-address [mask ip-mask] [gateway ip-gateway]
Parameters
ip-address          Sets the IP address for the system. For SecureStack C3 systems, this is the IP address of the management switch as described in "About SecureStack C3 Switch Operation in a Stack" on page 2-1.
mask ip-mask        (Optional) Sets the system's subnet mask.
gateway ip-gateway  (Optional) Sets the system's default gateway (next-hop device).
Defaults
If not specified, ip-mask will be set to the natural mask of the ip-address and ip-gateway will be set to the ip-address.
Mode
Switch command, read-write.
Example
This example shows how to set the system IP address to 10.1.10.1 with a mask of 255.255.128.0 and a default gateway of 10.1.0.1:
C3(su)->set ip address 10.1.10.1 mask 255.255.128.0 gateway 10.1.10.1
clear ip address
Use this command to clear the system IP address.
Syntax
clear ip address
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the system IP address:
C3(rw)->clear ip address
show ip protocol
Use this command to display the method used to acquire a network IP address for switch management.
Syntax
show ip protocol
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the method used to acquire a network IP address:
C3(su)->show ip protocol
System IP address acquisition method: dhcp
set ip protocol
Use this command to specify the protocol used to acquire a network IP address for switch management.
Syntax
set ip protocol {bootp | dhcp | none}
Parameters
bootp  Select BOOTP as the protocol to use to acquire the system IP address.
dhcp   Select DHCP as the protocol to use to acquire the system IP address.
none   No protocol will be used to acquire the system IP address.
Defaults
The default is none.
Mode
Switch command, read-write.
Example
This example shows how to set the method used to acquire a network IP address to DHCP:
C3(su)->set ip protocol dhcp
show system
Use this command to display system information, including contact information, power and fan tray status and uptime.
Syntax
show system
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display system information:
C3(su)->show system
System contact:John Smith
System location:Bldg10 2nd floor East
System name:10-2-C3

Switch 1
--------
PS1-Status      PS2-Status
----------      ----------
Ok              Not Installed and/or Not Operating

Fan1-Status     Fan2-Status
-----------     -----------
Ok              Ok

Uptime d,h:m:s  Logout
--------------  ------
2,19:57:39      5 min
Table 3-2 provides an explanation of the command output.
Table 3-2
Output           What It Displays...
System contact   Contact person for the system. Default of a blank string can be changed with the set system contact command (set system contact on page 3-24).
System location  Where the system is located. Default of a blank string can be changed with the set system location command (set system location on page 3-24).
System name      Name identifying the system. Default of a blank string can be changed with the set system name command (set system name on page 3-22).
Fan Status
Uptime d,h:m:s   System uptime.
Logout           Time an idle console or Telnet CLI session will remain connected before timing out. Default of 5 minutes can be changed with the set logout command (set logout on page 3-26).
Syntax
show system hardware
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the system's hardware configuration. Please note that the information you see displayed may differ from this example.
C3(su)->show system hardware
SLOT HARDWARE INFORMATION
--------------------
Model:              C3G124-24
Serial Number:      041800129041
Vendor ID:          0x0e10
Base MAC Address:   00:01:F4:5F:1D:E0
Hardware Version:   BCM56504 REV 19
FirmWare Version:   1.00.xx
Boot Code Version:  01.00.17
Syntax
show system utilization {cpu | storage | process}
Parameters
cpu      Display information about the processor running on the switch.
storage  Display information about the overall memory usage on the switch.
process  Display information about the processes running on the switch.
Defaults
None.
Mode
Switch command, read-only.
Examples
This example shows how to display the system's CPU utilization:
C3(ro)->show system utilization cpu
Total CPU Utilization:
Switch   CPU   5 sec   1 min   5 min
-----------------------------------------------
1        1     3%      1%      1%
This example shows how to display the system's overall memory usage:
C3(ro)->show system utilization storage
Storage Utilization:
Type     Description             Size(Kb)   Available (Kb)
---------------------------------------------------------------
RAM      RAM device              262144     97173
Flash    Images, Config, Other   31095      8094
This example shows how to display information about the processes running on the system. Only partial output is shown.
C3(ro)->show system utilization process
TID       Name           5Sec    1Min    5Min
8d45148   captureTask    0.00%   0.00%   0.00%
8e264f8   poe_monitor    0.00%   0.01%   0.05%
8ea6d38   poe_read       0.80%   0.22%   0.20%
8eb7140   vlanDynEg      0.00%   0.00%   0.00%
8f0be10   tcdpSendTask   0.00%   0.00%   0.00%
8f1c0e8   tcdpTask       0.00%   0.00%   0.00%
...
Syntax
set system enhancedbuffermode {enable | disable}
Parameters
enable | disable  Enables or disables enhanced buffer mode.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable enhanced buffer mode:
C3(su)->set system enhancedbuffermode enable
Changes in the enhanced buffer mode will require reseting this unit.
Are you sure you want to continue? (y/n)
show time
Use this command to display the current time of day in the system clock.
Syntax
show time
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the current time. The output shows the day of the week, month, day, and the time of day in hours, minutes, and seconds and the year:
C3(su)->show time
THU SEP 05 09:21:57 2002
set time
Use this command to change the time of day on the system clock.
Syntax
set time [mm/dd/yyyy] [hh:mm:ss]
Parameters
[mm/dd/yyyy] [hh:mm:ss]  Sets the time in: month, day, year and/or 24-hour format. At least one set of time parameters must be entered.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the system clock to 7:50 a.m.:
C3(su)->set time 7:50:00
show summertime
Use this command to display daylight savings time settings.
Syntax
show summertime
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display daylight savings time settings:
C3(su)->show summertime
Summertime is disabled and set to ''
Start : SUN APR 04 02:00:00 2004
End   : SUN OCT 31 02:00:00 2004
Offset: 60 minutes (1 hours 0 minutes)
Recurring: yes, starting at 2:00 of the first Sunday of April and ending at 2:00 of the last Sunday of October
set summertime
Use this command to enable or disable the daylight savings time function.
Syntax
set summertime {enable | disable} [zone]
Parameters
enable | disable  Enables or disables the daylight savings time function.
zone              (Optional) Applies a name to the daylight savings time settings.
Defaults
If a zone name is not specified, none will be applied.
Mode
Switch command, read-only.
Example
This example shows how to enable daylight savings time function:
C3(su)->set summertime enable
Syntax
set summertime date start_month start_date start_year start_hr_min end_month
end_date end_year end_hr_min [offset_minutes]
Parameters
start_month     Specifies the month of the year to start daylight savings time.
start_date      Specifies the day of the month to start daylight savings time.
start_year      Specifies the year to start daylight savings time.
start_hr_min    Specifies the time of day to start daylight savings time. Format is hh:mm.
end_month       Specifies the month of the year to end daylight savings time.
end_date        Specifies the day of the month to end daylight savings time.
end_year        Specifies the year to end daylight savings time.
end_hr_min      Specifies the time of day to end daylight savings time. Format is hh:mm.
offset_minutes  (Optional) Specifies the amount of time in minutes to offset daylight savings time from the non-daylight savings time system setting. Valid values are 1 - 1440.
Defaults
If an offset is not specified, none will be applied.
Mode
Switch command, read-write.
Example
This example shows how to set a daylight savings time start date of April 4, 2004 at 2 a.m. and an ending date of October 31, 2004 at 2 a.m. with an offset time of one hour:
C3(su)->set summertime date April 4 2004 02:00 October 31 2004 02:00 60
Syntax
set summertime recurring start_week start_day start_month start_hr_min end_week
end_day end_month end_hr_min [offset_minutes]
Parameters
start_week      Specifies the week of the month to restart daylight savings time. Valid values are: first, second, third, fourth, and last.
start_day       Specifies the day of the week to restart daylight savings time.
start_hr_min    Specifies the time of day to restart daylight savings time. Format is hh:mm.
end_week        Specifies the week of the month to end daylight savings time.
end_day         Specifies the day of the week to end daylight savings time.
end_hr_min      Specifies the time of day to end daylight savings time. Format is hh:mm.
offset_minutes  (Optional) Specifies the amount of time in minutes to offset daylight savings time from the non-daylight savings time system setting. Valid values are 1 - 1440.
Defaults
If an offset is not specified, none will be applied.
Mode
Switch command, read-write.
Example
This example shows how to set daylight savings time to recur starting on the first Sunday of April at 2 a.m. and ending the last Sunday of October at 2 a.m. with an offset time of one hour:
C3(su)->set summertime recurring first Sunday April 02:00 last Sunday October
02:00 60
clear summertime
Use this command to clear the daylight savings time configuration.
Syntax
clear summertime
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the daylight savings time configuration:
C3(su)->clear summertime
set prompt
Use this command to modify the command prompt.
Syntax
set prompt prompt_string
Parameters
prompt_string  Specifies a text string for the command prompt.
               Note: A prompt string containing a space in the text must be enclosed in quotes as shown in the example below.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the command prompt to "Switch 1":
C3(su)->set prompt "Switch 1"
Switch 1(su)->
Syntax
show banner motd
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the banner message of the day:
C3(rw)->show banner motd
O Knights of Ni, you are just and
fair, and we will return with a shrubbery
-King Arthur
Syntax
set banner motd message
Parameters
message  Specifies a message of the day. This is a text string that needs to be in double quotes if any spaces are used. Use a \n for a new line and \t for a tab (eight spaces).
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the message of the day banner to read "O Knights of Ni, you are just and fair, and we will return with a shrubbery -King Arthur":
C3(rw)->set banner motd "O Knights of Ni, you are just and \n fair, and we will
return with a shrubbery \n \t -King Arthur"
Syntax
clear banner motd
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the message of the day banner to a blank string:
C3(rw)->clear banner motd
show version
Use this command to display hardware and firmware information. Refer to "Downloading a New Firmware Image" on page 3-38 for instructions on how to download a firmware image.
Syntax
show version
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display version information. Please note that you may see different information displayed, depending on the type of hardware in the stack.
C3(su)->show version
Copyright (c) 2004 by Enterasys Networks, Inc.
Model           Serial #           Versions
--------------  -----------------  -------------------
C3G124-48P      04370007900B       Hw:BCM5695 REV 17
                                   Bp:01.00.23
                                   Fw:1.00.xx
                                   BuFw:02.01.30
                                   PoE:290_21
Table 3-3 provides an explanation of the command output.
Table 3-3
Output    What It Displays...
Model
Serial #
Versions
Syntax
set system name [string]
Parameters
string  (Optional) Specifies a text string that identifies the system.
        Note: A name string containing a space in the text must be enclosed in quotes as shown in the example below.
Defaults
If string is not specified, the system name will be cleared.
Mode
Switch command, read-write.
Example
This example shows how to set the system name to "Information Systems":
C3(su)->set system name "Information Systems"
Syntax
set system location [string]
Parameters
string  (Optional) Specifies a text string that indicates where the system is located.
        Note: A location string containing a space in the text must be enclosed in quotes as shown in the example below.
Defaults
If string is not specified, the location name will be cleared.
Mode
Switch command, read-write.
Example
This example shows how to set the system location string:
C3(su)->set system location "Bldg N32-04 Closet 9"
Syntax
set system contact [string]
Parameters
string  (Optional) Specifies a text string that contains the name of the person to contact for system administration.
        Note: A contact string containing a space in the text must be enclosed in quotes as shown in the example below.
Defaults
If string is not specified, the contact name will be cleared.
Mode
Switch command, read-write.
Example
This example shows how to set the system contact string:
C3(su)->set system contact "Joe Smith"
set width
Use this command to set the number of columns for the terminal connected to the switch's console port.
Syntax
set width screenwidth [default]
Parameters
screenwidth  Sets the number of terminal columns. Valid values are 50 to 150.
default      (Optional) Makes this setting persistent for all future sessions (written to NVRAM).
Defaults
None.
Mode
Switch command, read-write.
Usage
The number of rows of CLI output displayed is set using the set length command as described in "set length" on page 3-25.
Example
This example shows how to set the terminal columns to 50:
C3(su)->set width 50
set length
Use this command to set the number of lines the CLI will display. This command is persistent (written to NVRAM).
Syntax
set length screenlength
Parameters
screenlength  Sets the number of lines in the CLI display. Valid values are 0, which disables the scrolling screen feature described in "Displaying Scrolling Screens" on page 1-9, and from 5 to 512.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the terminal length to 50:
C3(su)->set length 50
show logout
Use this command to display the time (in seconds) an idle console or Telnet CLI session will remain connected before timing out.
Syntax
show logout
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the CLI logout setting:
C3(su)->show logout
Logout currently set to: 10 minutes.
set logout
Use this command to set the time (in minutes) an idle console or Telnet CLI session will remain connected before timing out.
Syntax
set logout timeout
Parameters
timeout  Sets the number of minutes the system will remain idle before timing out.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the system timeout to 10 minutes:
C3(su)->set logout 10
show console
Use this command to display console settings.
Syntax
show console [baud] [bits] [flowcontrol] [parity] [stopbits]
Parameters
baud         (Optional) Displays the input/output baud rate.
bits         (Optional) Displays the number of bits per character.
flowcontrol  (Optional) Displays the type of flow control.
parity       (Optional) Displays the type of parity.
stopbits     (Optional) Displays the number of stop bits.
Defaults
If no parameters are specified, all settings will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display all console settings:
C3(su)->show console
Baud    Flow     Bits  StopBits  Parity
------  -------  ----  --------  ------
9600    Disable  8     1         none
Syntax
set console baud rate
Parameters
rate  Sets the console baud rate. Valid values are: 300, 600, 1200, 2400, 4800, 5760, 9600, 14400, 19200, 38400, and 115200.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the console port baud rate to 19200:
C3(su)->set console baud 19200
The contents of the six fields, from the left, indicate:
Type: the type of license. For the SecureStack C3, the value in this field is always INCREMENT.
Feature: description of the feature being licensed. For example, advrouter as shown in the character string above.
Date-based version (DBV): a date-related string. For the SecureStack C3, the value in this field is not significant.
Expiration type: indicates whether the license is a permanent or an evaluation license. If the license is an evaluation license, this field will contain the expiration date of the license. If the license is a permanent license, this field will contain the word "permanent."
Key: the license key.
Host ID: the serial number of the switch to which this license applies.
When activating licenses on SecureStack devices, we recommend that you copy and paste the license character string, rather than entering the text manually.
1. Obtain valid licenses for all members of the stack from the Enterasys Customer Portal.
2. Optionally, note the serial numbers of the switches in the stack. You can use the show system hardware command (page 3-13) to display the switch serial numbers.
Note: Since license keys are applied to the correct stack member switch automatically, based on the switch serial number that is part of the license string, you should know the serial numbers of the switches in order to enable the licenses of the member switches first, before the master unit.
3. Enable the licenses on the stack members first, before enabling the master unit, using the set license command (page 3-31). For example:
C3(rw)->set license INCREMENT B2Policyadvrouterpolicy 2006.0127 27-jan-2011
0123456789AB 0123456789AB
4. Enable the license on the switch master unit last, using the set license command.
1. Obtain a license for the new switch from the Enterasys Customer Portal.
2. Add the new unit to the stack, following the procedure in "Adding a New Unit to an Existing Stack" on page 2-3.
3. Use the set license command to install and activate the new switch's license. The new switch will then join the stack and its ports will be attached.
Alternatively, you can install and activate the new switch's license first, before adding the switch to the stack.
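The six-field license string and the members-first, master-last activation order described above can be checked before any set license command is typed. The following is an added example, not part of the original guide or Enterasys software: the function names, the stack inventory layout and the sample serial numbers and keys are constructed placeholders, and the dd-mon-yyyy expiration format is assumed from the "27-jan-2011" value in the guide's example.

```python
from datetime import date, datetime

FIELDS = ("type", "feature", "dbv", "expiration", "key", "hostid")

# Constructed sample data: serial numbers and keys are placeholders.
STACK = {
    1: {"serial": "0000000000A1", "manager": True},
    2: {"serial": "0000000000B2", "manager": False},
    3: {"serial": "0000000000C3", "manager": False},
}
LICENSES = [
    "INCREMENT advrouter 2006.0728 permanent AAAAAAAAAAAA 0000000000A1",
    "INCREMENT advrouter 2006.0728 27-jan-2011 BBBBBBBBBBBB 0000000000B2",
    "INCREMENT advrouter 2006.0728 permanent CCCCCCCCCCCC 0000000000C3",
    "INCREMENT advrouter 2006.0728 permanent DDDDDDDDDDDD 0000000000D4",
]


def parse_license(text):
    """Split a license string into the six fields the guide describes."""
    parts = text.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, found {len(parts)}")
    lic = dict(zip(FIELDS, parts))
    if lic["type"] != "INCREMENT":
        raise ValueError("type field must be INCREMENT on the SecureStack C3")
    if lic["expiration"] == "permanent":
        lic["expires"] = None
    else:
        # Evaluation licenses carry a date (format assumed, see lead-in).
        lic["expires"] = datetime.strptime(lic["expiration"], "%d-%b-%Y").date()
    # Keep capitalization exactly as supplied; the guide says it must match.
    lic["text"] = " ".join(parts)
    return lic


def plan_activation(license_texts, stack, today):
    """Order license strings members first, manager last; collect problems.

    stack maps unit number -> {"serial": str, "manager": bool}, as noted from
    show switch and show system hardware.
    """
    by_serial = {info["serial"]: unit for unit, info in stack.items()}
    plan, problems, licensed = [], [], set()
    for text in license_texts:
        try:
            lic = parse_license(text)
        except ValueError as err:
            problems.append(f"rejected {text!r}: {err}")
            continue
        unit = by_serial.get(lic["hostid"])
        if unit is None:
            problems.append(f"host ID {lic['hostid']} matches no unit in the stack")
        elif lic["expires"] is not None and lic["expires"] < today:
            problems.append(f"unit {unit}: evaluation license expired {lic['expires']}")
        else:
            plan.append((unit, lic["text"]))
            licensed.add(unit)
    for unit in sorted(set(stack) - licensed):
        problems.append(f"unit {unit}: no usable license supplied")
    # Members first, manager last, as the stack procedure requires.
    plan.sort(key=lambda item: (stack[item[0]]["manager"], item[0]))
    return plan, problems


if __name__ == "__main__":
    order, issues = plan_activation(LICENSES, STACK, date(2010, 6, 1))
    for unit, text in order:
        print(f"unit {unit}: set license {text}")
    for issue in issues:
        print("PROBLEM:", issue)
```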
Commands
The commands used to activate and verify licensed features are listed below.
For information about...    Refer to page...
set license                 3-31
show license                3-32
clear license               3-33
set license
Use this command to activate the SecureStack C3 licensed features.
Syntax
set license type feature DBV expiration key hostid
Parameters
type
Specifies the type of license. For the SecureStack C3, the value in this field is always INCREMENT.
feature
The name of the feature being licensed.
DBV
A date-related string generated as part of the license.
expiration
Indicates whether the license is a permanent or an evaluation license. If the license is an evaluation license, this field will contain the expiration date of the license. If the license is a permanent license, this field will contain the word "permanent".
key
The license key.
hostid
The serial number of the switch to which this license applies.
Defaults
None.
Mode
Switch command, read-write.
Usage
If multiple switches are used in a stack, an individual license is required for each stack member. Refer to "Licensing Procedure in a Stack Environment" on page 3-29 for more information.
When activating licenses with this command, Enterasys Networks recommends that you copy and paste the entire license character string, rather than enter the text manually. If you enter the character string manually, ensure that you exactly match the capitalization of the character string sent to you.
Every license is associated with a specific hardware platform, based on the serial number of the hardware platform. If you need to move a license from one hardware platform to another, you must contact Enterasys Customer Support to arrange for re-hosting of the license.
Example
This example shows how to activate a permanent license key on the switch with serial number 045100039001. In this example, the switch is a stand-alone unit so its unit number is 1.
C3(rw)->set license INCREMENT advrouter 2006.0728 permanent 31173CAC6495 045100039001
Validating license on unit 1
License successfully validated and set on unit 1
C3(rw)->
show license
Use this command to display license key information for switches with activated licenses.
Syntax
show license [unit number]
Parameters
unit number
(Optional) Specifies the switch in a stack for which to display license information. Refer to Chapter 2, "Configuring Switches in a Stack," for more information about stack unit IDs, or numbers.
Defaults
If no unit number is specified, license key information for all switches in the stack is displayed.
Mode
Switch command, read-only.
Usage
Licenses can be displayed, applied, and cleared only with the license commands described in this chapter. General configuration commands such as show config or clear config do not affect licenses.
Example
This example shows how to display license key information for switch unit 1 in the stack.
C3(ro)->show license unit 1
unit 1
key: INCREMENT advrouter 2006.0728 permanent 31173CAC6495 045100039001
status: Active
clear license
Use this command to clear the license key settings. If multiple switches are used in the stack, you can use the all parameter to clear all the switches at once.
Syntax
clear license featureId feature {all | unit number}
Parameters
featureId feature
The name of the feature being cleared.
all
Clears the license key settings on all units in the stack.
unit number
Clears the license key settings on the specified switch. Unit number can range from 1 to 8. Refer to Chapter 2, "Configuring Switches in a Stack," for more information about stack unit IDs, or numbers.
Defaults
None.
Mode
Switch command, read-write.
Usage
If you clear a license from a member unit in a stack while the master unit has an activated license, the status of the member unit will change to "Config Mismatch" and its ports will be detached from the stack (that is, will not pass traffic).
If you clear a license from the master unit of a stack, the member units will remain attached to the stack but the licensed functionality will no longer be available to the member units, even if they have licenses installed.
Licenses can be displayed, applied, and cleared only with the license commands described in this chapter. General configuration commands such as show config or clear config do not affect licenses.
Examples
This example shows how to clear the Advanced Routing licensed feature on stack unit 3.
C3(rw)->clear license featureId advrouter unit 3
This example shows how to clear the Advanced Routing licensed feature on all the units in a stack:
C3(rw)->clear license featureId advrouter all
Purpose
To review and set PoE parameters, including the power available to the system, the usage threshold for each module, whether or not SNMP trap messages will be sent when power status changes, and per-port PoE settings.
Commands
The commands used to review and set PoE port parameters are listed below.
For information about...    Refer to page...
show inlinepower            3-35
                            3-35
                            3-36
                            3-36
                            3-37
show inlinepower
Use this command to display switch PoE properties.
Syntax
show inlinepower
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display switch PoE properties. In this case, units 1, 3, and 5 are PoE modules, so their power configurations display:
C3(su)->show inlinepower
Unit  Status  Power(W)  Consumption(W)  Usage(%)  Threshold(%)  Trap
----  ------  --------  --------------  --------  ------------  ----
2     auto    360       0.00            0.00      80            enable
4     auto    360       0.00            0.00      80            enable
8     auto    360       5.20            1.44      80            enable
Syntax
set inlinepower threshold usage-threshold module-number
Parameters
usage-threshold
Specifies a PoE threshold as a percentage of total system power usage. Valid values are 11 to 100.
module-number
Specifies the unit on which to set the PoE threshold.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the PoE threshold to 50 on unit 1:
C3(su)->set inlinepower threshold 50 1
Syntax
set inlinepower trap {disable | enable} module-number
Parameters
disable | enable
Disables or enables PoE trap messaging.
module-number
Specifies the unit on which to disable or enable trap messaging.
Mode
Switch command, read-write.
Example
This example shows how to enable PoE trap messaging on unit 1:
C3(su)->set inlinepower trap enable 1
Syntax
show port inlinepower [port-string]
Parameters
port-string
(Optional) Displays information for specific PoE port(s).
Defaults
If not specified, information for all PoE ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display PoE information for Fast Ethernet ports 1 through 6 in unit 1. In this case, the ports' administrative state, PoE priority and class have not been changed from default values:
C3(su)->show port inlinepower fe.1.1-6
Port     Admin  Oper       Priority  Class
----     -----  ----       --------  -----
fe.1.1   auto   searching  low       0
fe.1.2   auto   searching  low       0
fe.1.3   auto   searching  low       0
fe.1.4   auto   searching  low       0
fe.1.5   auto   searching  low       0
fe.1.6   auto   searching  low       0
Syntax
set port inlinepower port-string {[admin {off | auto}] [priority {critical | high
| low}] [type type]}
Parameters
port-string
Specifies the port(s) on which to configure PoE.
admin off | auto
Sets the PoE administrative state to off (disabled) or auto (on).
priority critical | high | low
Sets the port(s) priority for the PoE allocation algorithm to critical (highest), high or low.
type type
Specifies a string describing the type of device connected to a port.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable PoE on port fe.3.1 with critical priority:
C3(su)->set port inlinepower fe.3.1 admin auto priority critical
Via TFTP download. This procedure uses a TFTP server connected to the network and downloads the firmware using the TFTP protocol. For details on how to perform a TFTP download using the copy command, refer to "copy" on page 3-50. For information on setting TFTP timeout and retry parameters, refer to "set tftp timeout" on page 3-51 and "set tftp retry" on page 3-52.
Via the serial (console) port. This procedure is an out-of-band operation that copies the firmware through the serial port to the switch. It should be used in cases when you cannot connect the switch to perform the in-band copy download procedure via TFTP. Serial console download has been successfully tested with the following applications:
HyperTerminal Copyright 1999
Tera Term Pro Version 2.3
Any other terminal applications may work but are not explicitly supported.
The C3 switch allows you to download and store dual images. The backup image can be downloaded and selected as the startup image by using the commands described in this section.
1. If you have not already done so, set the switch's IP address using the set ip address command as detailed in "set ip address" on page 3-10.
2. Download a new image file using the copy command as detailed in "copy" on page 3-50.
1. With the console port connected, power up the switch. The following message displays:
Version 01.00.29 05-09-2005
Computing MD5 Checksum of operational code...
Select an option. If no selection in 2 seconds then
operational code will start.
1 - Start operational code.
2 - Start Boot Menu.
Select (1, 2):2
Password: *************
2. Before the boot up completes, type 2 to select "Start Boot Menu". Use "administrator" for the Password.
Note: The above Boot Menu password "administrator" can be changed using boot menu option 11.
3. Type 2. The following baud rate selection screen displays:
1    1200
2    2400
3    4800
4    9600
5    19200
6    38400
7    57600
8    115200
0    no change
4. Type 8 to set the switch baud rate to 115200. The following message displays:
Setting baud rate to 115200, you must change your terminal baud rate.
5. Set the terminal baud rate to 115200 and press ENTER.
6. From the boot menu options screen, type 4 to load new operational code using XMODEM. When the XMODEM transfer is complete, the following message and header information will display:
[Boot Menu] 4
Ready to receive the file with XMODEM/CRC....
Ready to RECEIVE File xcode.bin in binary mode
Send several Control-X characters to cCKCKCKCKCKCKCK
XMODEM transfer complete, checking CRC....
Verified operational code CRC.
The following Enterasys Header is in the image:
MD5 Checksum....................fe967970996c4c8c43a10cd1cd7be99a
Boot File Identifier............0x0517
Header Version..................0x0100
Image Type......................0x82
Image Offset....................0x004d
Image length....................0x006053b3
Ident Strings Length............0x0028
Ident Strings...................
C2G124-24
C2G124-48
C2H124-48
C2K124_24
7. From the boot menu options screen, type 2 to display the baud rate selection screen again.
8. Type 4 to set the switch baud rate to 9600. The following message displays:
Setting baud rate to 9600, you must change your terminal baud rate.
9. Set the terminal baud rate to 9600 and press ENTER.
10. From the boot menu options screen, type 1 to start the new operational code. The following message displays:
Operational Code Date: Tue Jun 29 08:34:05 2004
Uncompressing.....
Commands
The commands used to review and select the switch's boot image file are listed below.
For information about...
Refer to page...
3-41
3-42
Syntax
show boot system
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the switch's boot firmware image:
C3(su)->show boot system
Current system image to boot: bootfile
Syntax
set boot system filename
Parameters
filename
Specifies the name of the firmware image file.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the boot firmware image file to "newimage":
C3(su)->set boot system newimage
Commands
The commands used to enable, start and configure Telnet are listed below.
For information about...    Refer to page...
show telnet                 3-43
set telnet                  3-44
telnet                      3-44
show telnet
Use this command to display the status of Telnet on the switch.
Syntax
show telnet
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display Telnet status:
C3(su)->show telnet
Telnet inbound is currently: ENABLED
Telnet outbound is currently: ENABLED
set telnet
Use this command to enable or disable Telnet on the switch.
Syntax
set telnet {enable | disable} [inbound | outbound | all]
Parameters
enable | disable
Enables or disables Telnet services.
inbound | outbound | all
(Optional) Specifies inbound service (the ability to Telnet to this switch), outbound service (the ability to Telnet to other devices), or all (both inbound and outbound).
Defaults
If not specified, both inbound and outbound Telnet service will be enabled or disabled.
Mode
Switch command, read-write.
Example
This example shows how to disable inbound and outbound Telnet services:
C3(su)->set telnet disable all
Disconnect all telnet sessions and disable now (y/n)? [n]: y
All telnet sessions have been terminated, telnet is now disabled.
telnet
Use this command to start a Telnet connection to a remote host. The SecureStack C3 switch allows a total of four inbound and/or outbound Telnet sessions to run simultaneously.
Syntax
telnet host [port]
Parameters
host
Specifies the name or IP address of the remote host.
port
(Optional) Specifies the server port number.
Defaults
If not specified, the default port number 23 will be used.
Mode
Switch command, read-write.
Example
This example shows how to start a Telnet session to a host at 10.21.42.13:
C3(su)->telnet 10.21.42.13
On a stand-alone unit, the configuration is checked every two minutes and saved if there has been a change.
On a stack, the configuration is saved across the stack every 30 minutes if there has been a change.
If you want to save a running configuration to NVRAM more often than the automatic intervals, execute the save config command and wait for the system prompt to return. After the prompt returns, the configuration will be persistent.
You can change the persistence mode from "auto" to "manual" with the set snmp persistmode command. If the persistence mode is set to "manual", configuration commands will not be automatically written to NVRAM. Although the configuration commands will actively modify the running configuration, they will not persist across a reset unless the save config command has been executed.
Purpose
To set and view the persistence mode for CLI configuration commands, manually save the running configuration, view, manage, and execute configuration files and image files, and set and view TFTP parameters.
Commands
For information about...    Refer to page...
                            3-46
                            3-46
save config                 3-47
dir                         3-47
show config                 3-48
configure                   3-49
copy                        3-50
delete                      3-50
                            3-51
                            3-51
                            3-52
                            3-52
                            3-53
Syntax
show snmp persistmode
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the configuration persistence mode setting. In this case, persistence mode is set to "manual", which means configuration changes are not being automatically saved.
C3(su)->show snmp persistmode
persistmode is manual
Syntax
set snmp persistmode {auto | manual}
Parameters
auto
Sets the configuration persistence mode to automatic. This is the default state.
manual
Sets the configuration persistence mode to manual. In order to make configuration changes persistent, the save config command must be issued as described in "save config" on page 3-47. This mode is useful for reverting back to old configurations.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the configuration persistence mode to manual:
C3(su)->set snmp persistmode manual
save config
Use this command to save the running configuration on all switch members in a stack.
Syntax
save config
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to save the running configuration on all switch members in a stack:
C3(su)->save config
dir
Use this command to list configuration and image files stored in the file system.
Syntax
dir [filename]
Parameters
filename
(Optional) Specifies the file name or directory to list.
Defaults
If filename is not specified, all files in the system will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to list all the configuration and image files in the system:
C3(su)->dir
Images:
==================================================================
Filename:      C3-series_02.01.30
Version:       1.00.xx
Size:          6873088 (bytes)
Date:          Fri Apr 1 15:23:24 2005
CheckSum:      7eb3dd1118a8ef60cf2c7bb162ac07ee
Compatibility: C3G124-24, C3G124-48, C3H124-48, C3G124-48P, C3H124-48P
               C3K122-24, C3G134-24P
Filename:
Version:
Size:
Date:
CheckSum:
Compatibility:
Files:                            Size
================================  ========
configs:
    Monday.cfg                    17509
    admin1.cfg                    3173
logs:
    current.log                   162833
show config
Use this command to display the system configuration or write the configuration to a file.
Syntax
show config [all | facility] [outfile {configs/filename}]
Parameters
all
(Optional) Displays default and non-default configuration settings.
facility
(Optional) Exact name of one facility for which to show configuration. For example, enter "router" to show router-only configuration.
outfile
(Optional) Specifies that the current configuration will be written to a text file in the configs/ directory.
configs/filename
Specifies a file name in the configs/ directory to display.
Defaults
By default, show config will display all non-default configuration information for all facilities.
Mode
Switch command, read-only.
Usage
The separate facilities that can be displayed by this command are identified in the display of the current configuration by a # preceding the facility name. For example, "#port" indicates the facility name "port".
Examples
This example shows how to write the current configuration to a file named save_config2:
C3(rw)->show config all outfile configs/save_config2
This example shows how to display configuration for the facility "port":
C3(rw)->show config port
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
begin
!
#***** NON-DEFAULT CONFIGURATION *****
!
!
#port
set port jumbo disable ge.1.1
!
end
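Because each facility in the listing is introduced by a "#" line, a saved copy of the output can be parsed and compared with a known-good baseline to spot configuration drift. The Python sketch below is an added example, not part of the guide: the helper names are hypothetical, BASELINE reproduces the listing above, and RUNNING (including its "cdp" facility name) is constructed for illustration.

```python
def parse_config(text):
    """Group the commands of a 'show config' listing by facility.

    Only the text between 'begin' and 'end' is read. A line starting with
    '#' names the facility for the commands that follow; '!' lines are
    separators and the '#*****' banner is skipped.
    """
    facilities = {}
    current = "(none)"  # bucket for commands that precede any facility marker
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if not inside:
            inside = line == "begin"  # ignore CLI messages printed before 'begin'
            continue
        if line == "end":
            break
        if not line or line == "!":
            continue
        if line.startswith("#"):
            name = line[1:].strip()
            if not name.startswith("*"):  # '#***** ... *****' is a banner
                current = name
                facilities.setdefault(current, [])
            continue
        facilities.setdefault(current, []).append(line)
    if not inside:
        raise ValueError("no 'begin' marker found")
    return facilities


def diff_configs(baseline_text, running_text):
    """Return (facility, '+' or '-', command) tuples, sorted by facility.

    '-' marks a baseline command missing from the running configuration,
    '+' marks a command that is not in the baseline.
    """
    old = parse_config(baseline_text)
    new = parse_config(running_text)
    changes = []
    for facility in sorted(set(old) | set(new)):
        before = old.get(facility, [])
        after = new.get(facility, [])
        changes += [(facility, "-", cmd) for cmd in before if cmd not in after]
        changes += [(facility, "+", cmd) for cmd in after if cmd not in before]
    return changes


# The listing shown in the guide's example above.
BASELINE = """\
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
begin
!
#***** NON-DEFAULT CONFIGURATION *****
!
!
#port
set port jumbo disable ge.1.1
!
end
"""

# Constructed sample; the '#cdp' facility name is an assumption.
RUNNING = """\
begin
!
#***** NON-DEFAULT CONFIGURATION *****
!
#cdp
set cdp state disable fe.1.2
!
#port
set port jumbo disable ge.1.2
!
end
"""

if __name__ == "__main__":
    for facility, sign, command in diff_configs(BASELINE, RUNNING):
        print(f"{sign} [{facility}] {command}")
```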
configure
Use this command to execute a previously downloaded configuration file stored on the switch.
Syntax
configure filename [append]
Parameters
filename
Specifies the path and file name of the configuration file to execute.
append
(Optional) Appends the configuration file contents to the current configuration. This is equivalent to typing the contents of the config file directly into the CLI and can be used, for example, to make incremental adjustments to the current configuration.
Defaults
If append is not specified, the current running configuration will be replaced with the contents of the configuration file, which will require an automated reset of the chassis.
Mode
Switch command, read-write.
Example
This example shows how to execute the "Jan1_2004.cfg" configuration file:
C3(su)->configure configs/Jan1_2004.cfg
copy
Use this command to upload or download an image or a CLI configuration file.
Syntax
copy source destination
Parameters
source
Specifies location and name of the source file to copy. Options are a local file path in the configs directory, or the URL of a TFTP server.
destination
Specifies location and name of the destination where the file will be copied. Options are a slot location and file name, or the URL of a TFTP server.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example shows how to download an image via TFTP:
C3(su)->copy tftp://10.1.192.34/version01000 system:image
This example shows how to download a configuration file to the configs directory:
C3(su)->copy tftp://10.1.192.1/Jan1_2004.cfg configs/Jan1_2004.cfg
delete
Use this command to remove an image or a CLI configuration file from the SecureStack C3 system.
Syntax
delete filename
Parameters
filename
Specifies the local path name to the file. Valid directories are /images and /configs.
Defaults
None.
Mode
Switch command, read-write.
Usage
Use the show config command as described on page 3-48 to display current image and configuration file names.
Example
This example shows how to delete the "Jan1_2004.cfg" configuration file:
C3(su)->delete configs/Jan1_2004.cfg
Syntax
show tftp settings
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
The TFTP timeout value can be set with the set tftp timeout command. The TFTP retry value can be set with the set tftp retry command.
Example
This example shows the output of this command.
C3(ro)->show tftp settings
TFTP packet timeout (seconds): 2
TFTP max retry: 5
Syntax
set tftp timeout seconds
Parameters
seconds
Specifies the number of seconds to wait for a reply. The valid range is from 1 to 30 seconds. Default value is 2 seconds.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the timeout period to 4 seconds.
C3(rw)->set tftp timeout 4
Syntax
clear tftp timeout
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the timeout value to the default of 2 seconds.
C3(rw)->clear tftp timeout
Syntax
set tftp retry retry
Parameters
retry
Specifies the number of times a packet will be resent. The valid range is from 1 to 1000. Default value is 5 retries.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the retry count to 3.
C3(rw)->set tftp retry 3
Syntax
clear tftp retry
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the retry value to the default of 5 retries.
C3(rw)->clear tftp retry
Configuring CDP
Purpose
To review and configure the Enterasys CDP discovery protocol. This protocol is used to discover network topology. When enabled, this protocol allows Enterasys devices to send periodic PDUs about themselves to neighboring devices.
Commands
The commands used to review and configure the CDP discovery protocol are listed below.
For information about...    Refer to page...
show cdp                    3-54
                            3-56
                            3-56
                            3-57
                            3-58
clear cdp                   3-58
show neighbors              3-59
show cdp
Use this command to display the status of the CDP discovery protocol and message interval on one or more ports.
Syntax
show cdp [port-string]
Parameters
port-string
(Optional) Displays CDP status for a specific port. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
If port-string is not specified, all CDP information will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display CDP information for ports fe.1.1 through fe.1.9:
C3(su)->show cdp fe.1.1-9
CDP Global Status        :auto-enable
CDP Version Supported    :30 hex
                         :180
                         :00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 hex
                         :60
Port      Status
------    -----------
fe.1.1    auto-enable
fe.1.2    auto-enable
fe.1.3    auto-enable
fe.1.4    auto-enable
fe.1.5    auto-enable
fe.1.6    auto-enable
fe.1.7    auto-enable
fe.1.8    auto-enable
fe.1.9    auto-enable
Table 3-4 provides an explanation of the command output.
Table 3-4
Output
What It Displays...
CDP Versions
Supported
Minimum time interval (in seconds) at which CDP configuration messages can be
set. The default of 180 seconds can be reset with the set cdp hold-time command.
For details, refer to set cdp hold-time on page 3-58.
CDP Authentication Code
Authentication code for CDP discovery protocol. The default of 00-00-00-00-00-00-00-00 can be reset using the set cdp auth command. For details, refer to set cdp auth on page 3-56.
CDP Transmit
Frequency
Frequency (in seconds) at which CDP messages can be transmitted. The default of
60 seconds can be reset with the set cdp interval command. For details, refer to set
cdp interval on page 3-57.
Port
Status
Syntax
set cdp state {auto | disable | enable} [port-string]
Parameters
auto | disable | enable
Auto-enables, disables or enables the CDP protocol on the specified port(s). In auto-enable mode, which is the default mode for all ports, a port automatically becomes CDP-enabled upon receiving its first CDP message.
port-string
(Optional) Enables or disables CDP on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
If port-string is not specified, the CDP state will be globally set.
Mode
Switch command, read-write.
Examples
This example shows how to globally enable CDP:
C3(su)->set cdp state enable
This example shows how to enable the CDP for port fe.1.2:
C3(su)->set cdp state enable fe.1.2
This example shows how to disable the CDP for port fe.1.2:
C3(su)->set cdp state disable fe.1.2
Syntax
set cdp auth auth-code
Parameters
auth-code
Specifies an authentication code for the CDP protocol. This can be up to 16 hexadecimal values separated by commas.
Defaults
None.
Mode
Switch command, read-write.
Usage
The authentication code value determines a switch's CDP domain. If two or more switches have the same CDP authentication code, they will be entered into each other's CDP neighbor tables. If they have different authentication codes, they are in different domains and will not be entered into each other's CDP neighbor tables.
A switch with the default authentication code (16 null characters) will recognize all switches, no matter what their authentication code, and enter them into its CDP neighbor table.
Example
This example shows how to set the CDP authentication code to 1,2,3,4,5,6,7,8:
C3(su)->set cdp auth 1,2,3,4,5,6,7,8
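The domain rule in the Usage text is asymmetric: a switch left at the default code learns every neighbor, while switches with a configured code learn only their own domain. The Python model below is an added example based on a reading of that text, not Enterasys code; the switch names, the codes assigned to them, the assumption that all switches hear each other, and the zero-padding of short codes are constructed for illustration.

```python
DEFAULT_AUTH = bytes(16)  # 16 null bytes, the default authentication code


def parse_auth_code(text):
    """Turn 'set cdp auth' input (up to 16 comma-separated hex values)
    into a 16-byte code.

    Right-padding a short code with zeros is an assumption of this
    sketch, not something the guide states.
    """
    values = [int(part.strip(), 16) for part in text.split(",")]
    if len(values) > 16:
        raise ValueError("at most 16 values are allowed")
    if any(not 0 <= v <= 0xFF for v in values):
        raise ValueError("each value must fit in one byte")
    return bytes(values).ljust(16, b"\x00")


def learns(receiver_code, sender_code):
    """True if the receiver enters the sender in its CDP neighbor table."""
    return receiver_code == DEFAULT_AUTH or receiver_code == sender_code


def neighbor_tables(codes):
    """codes maps switch name -> 16-byte code; every switch is assumed to
    hear every other one. Returns name -> sorted list of learned neighbors."""
    return {
        rx: sorted(tx for tx in codes if tx != rx and learns(codes[rx], codes[tx]))
        for rx in codes
    }


def default_code_switches(codes):
    """Switches still at the default code, which accept every domain."""
    return sorted(name for name, code in codes.items() if code == DEFAULT_AUTH)


# Constructed sample: A is left at the default, B and C share the code
# from the guide's example, D uses a different code.
SAMPLE = {
    "A": DEFAULT_AUTH,
    "B": parse_auth_code("1,2,3,4,5,6,7,8"),
    "C": parse_auth_code("1,2,3,4,5,6,7,8"),
    "D": parse_auth_code("9,9"),
}

if __name__ == "__main__":
    for name, table in neighbor_tables(SAMPLE).items():
        print(name, "learns", table)
    print("still at default code:", default_code_switches(SAMPLE))
```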
Syntax
set cdp interval frequency
Parameters
frequency
Specifies the transmit frequency of CDP messages in seconds. Valid values are from 5 to 900 seconds.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the CDP interval frequency to 15 seconds:
C3(su)->set cdp interval 15
Syntax
set cdp hold-time hold-time
Parameters
hold-time
Specifies the hold time value for CDP messages in seconds. Valid values are from 15 to 600.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set CDP hold time to 60 seconds:
C3(su)->set cdp hold-time 60
clear cdp
Use this command to reset CDP discovery protocol settings to defaults.
Syntax
clear cdp {[state] [port-state port-string] [interval] [hold-time] [auth-code]}
Parameters
state
(Optional) Resets the global CDP state to auto-enabled.
port-state port-string
(Optional) Resets the port state on specific port(s) to auto-enabled.
interval
(Optional) Resets the message frequency interval to 60 seconds.
hold-time
(Optional) Resets the hold time value to 180 seconds.
auth-code
(Optional) Resets the authentication code to 16 bytes of 00 (00-00-00-00-00-00-00-00).
Defaults
At least one optional parameter must be entered.
Mode
Switch command, read-write.
Example
This example shows how to reset the CDP state to auto-enabled:
C3(su)->clear cdp state
show neighbors
This command displays Neighbor Discovery information for either the CDP or Cisco DP protocols.
Syntax
show neighbors [port-string]
Parameters
port-string
(Optional) Specifies the port or ports for which to display Neighbor Discovery information.
Defaults
If no port is specified, all Neighbor Discovery information is displayed.
Mode
Switch command, read-only.
Usage
This command displays information discovered by both the CDP and the Cisco DP protocols.
Example
This example displays Neighbor Discovery information for all ports.
C3(su)->show neighbors
Port     Device ID          Port ID        Type     Network Address
-----------------------------------------------------------------------------
ge.1.1   00036b8b1587       12.227.1.176   ciscodp  12.227.1.176
ge.1.6   0001f496126f       140.2.3.1      ciscodp  140.2.3.1
ge.1.6   00-01-f4-00-72-fe  140.2.4.102    cdp      140.2.4.102
ge.1.6   00-01-f4-00-70-8a  140.2.4.104    cdp      140.2.4.104
ge.1.6   00-01-f4-c5-f7-20  140.2.4.101    cdp      140.2.4.101
ge.1.6   00-01-f4-89-4f-ae  140.2.4.105    cdp      140.2.4.105
ge.1.6   00-01-f4-5f-1f-c0  140.2.1.11     cdp      140.2.1.11
ge.1.19  0001f400732e       165.32.100.10  ciscodp  165.32.100.10
Commands
The commands used to review and configure the Cisco discovery protocol are listed below. Refer also to "show neighbors" on page 3-59.
For information about...    Refer to page...
show ciscodp                3-60
                            3-61
                            3-62
                            3-63
                            3-63
                            3-64
clear ciscodp               3-65
show ciscodp
Use this command to display global Cisco discovery protocol information.
Syntax
show ciscodp
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display global Cisco DP information.
C3(su)->show ciscodp
CiscoDP :Enabled
Timer :5
Holdtime (TTl): 180
Device ID : 001188554A60
Last Change : WED NOV 08 13:19:56 2006
Table 3-5 provides an explanation of the command output.
Table 3-5
Output
What It Displays...
CiscoDP
Whether Cisco DP is globally enabled or disabled. Auto indicates that Cisco DP will
be globally enabled only if Cisco DP PDUs are received.
Default setting of auto-enabled can be reset with the set ciscodp status command.
Timer
The number of seconds between Cisco discovery protocol PDU transmissions. The
default of 60 seconds can be reset with the set ciscodp timer command.
Holdtime
Number of seconds neighboring devices will hold PDU transmissions from the sending device. Default value of 180 can be changed with the set ciscodp holdtime command.
Device ID
Last Change
Syntax
show ciscodp port info [port-string]
Parameters
port-string
(Optional) Displays Cisco DP information for a specific port. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
If port-string is not specified, Cisco DP information for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display Cisco DP information for Gigabit Ethernet port 1 in unit 1.
C3(su)->show ciscodp port info ge.1.1
port     state    vvid     trusted  cos
---------------------------------------------
ge.1.1   enable   none     yes      0
Table 3-6 provides an explanation of the command output.
Table 3-6
Output
What It Displays...
Port
State
vvid
Whether a voice VLAN ID has been set on this port. Default of none can be changed
using the set ciscodp port command.
trusted
The trust mode of the port. Default of trusted can be changed using the set ciscodp
port command.
cos
The Class of Service priority value for untrusted traffic. The default of 0 can be
changed using the set ciscodp port command.
Syntax
set ciscodp state {auto | disable | enable}
Parameters
auto
Globally enable only if Cisco DP PDUs are received.
disable
Globally disable Cisco discovery protocol.
enable
Globally enable Cisco discovery protocol.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to globally enable Cisco DP:
C3(su)->set ciscodp state enable
Syntax
set ciscodp timer seconds
Parameters
seconds
Specifies the number of seconds between Cisco DP PDU transmissions. Valid values are from 5 to 254 seconds.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the Cisco DP timer to 120 seconds.
C3(su)->set ciscodp timer 120
Syntax
set ciscodp holdtime hold-time
Parameters
hold-time
Specifies the time to live for Cisco DP PDUs. Valid values are from 10 to 255 seconds.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set Cisco DP hold time to 180 seconds:
C3(su)->set ciscodp holdtime 180
Syntax
set ciscodp port { [status {disable | enable}] [ vvid {vlan-id | none | dot1p |
untagged}] [trusted {yes | no}] [cos value] } port-string
Parameters
status
Set the Cisco DP port operational status.
disable: Do not transmit or process Cisco DP PDUs.
enable: Transmit and process Cisco DP PDUs.
vvid
Set the port voice VLAN for Cisco DP PDU transmission.
vlan-id: Specify the VLAN ID, range 1-4094.
none: No voice VLAN will be used in Cisco DP PDUs. This is the default.
dot1p: Instruct attached phone to send 802.1p tagged frames.
untagged: Instruct attached phone to send untagged frames.
trusted
Set the extended trust mode on the port.
yes: Instruct attached phone to allow the device connected to it to transmit traffic containing any CoS or Layer 2 802.1p marking. This is the default value.
no: Instruct attached phone to overwrite the 802.1p tag of traffic transmitted by the device connected to it to 0, by default, or to the value configured with the cos parameter.
cos value
Instruct attached phone to overwrite the 802.1p tag of traffic transmitted by the device connected to it with the specified value, when the trust mode of the port is set to untrusted. Value can range from 0 to 7, with 0 indicating the lowest priority.
port-string
Specifies the port(s) on which status will be set.
Defaults
Status: enabled
Voice VLAN: none
Trust mode: trusted
CoS value: 0
Mode
Switch mode, read-write.
Usage
The following points describe how the Cisco DP extended trust settings work on the switch.
A Cisco DP port trust status of trusted or untrusted is only meaningful when a Cisco IP phone is connected to a switch port and a PC or other device is connected to the back of the Cisco IP phone.
A Cisco DP port state of trusted or untrusted only affects tagged traffic transmitted by the device connected to the Cisco IP phone. Untagged traffic transmitted by the device connected to the Cisco IP phone is unaffected by this setting.
If the switch port is configured to a Cisco DP trust state of trusted (with the trusted yes parameter of this command), this setting is communicated to the Cisco IP phone instructing it to allow the device connected to it to transmit traffic containing any CoS or Layer 2 802.1p marking.
If the switch port is configured to a Cisco DP trust state of untrusted (trusted no), this setting is communicated to the Cisco IP phone instructing it to overwrite the 802.1p tag of traffic transmitted by the device connected to it to 0, by default, or to the value specified by the cos parameter of this command.
There is a one-to-one correlation between the value set with the cos parameter and the 802.1p value assigned to ingressed traffic by the Cisco IP phone. A value of 0 equates to an 802.1p priority of 0. Therefore, a value of 7 is given the highest priority.
Note: The Cisco Discovery Protocol must be globally enabled using the set ciscodp status command before operational status can be set on individual ports.
Examples
This example shows how to set the Cisco DP port voice VLAN ID to 3 on port fe.1.6 and enable the port operational state.
C3(rw)->set ciscodp port status enable vvid 3 fe.1.6
This example shows how to set the Cisco DP extended trust mode to untrusted on port fe.1.5 and set the CoS priority to 1.
C3(rw)->set ciscodp port trusted no cos 1 fe.1.5
clear ciscodp
Use this command to clear the Cisco discovery protocol back to the default values.
Syntax
clear ciscodp [status | timer | holdtime | {port {status | vvid | trust | cos} [port-string]}]
Parameters
status
Clear global Cisco DP enable status to default of auto.
timer
Clear the time between Cisco DP PDU transmissions to default of 60 seconds.
holdtime
Clear the time to live for Cisco DP PDU data to default of 180 seconds.
port
Clear the Cisco DP port configuration.
status: Clear the individual port operational status to the default of enabled.
vvid: Clear the individual port voice VLAN for Cisco DP PDU transmission to 0.
trust: Clear the trust mode configuration of the port to trusted.
cos: Clear the CoS priority for untrusted traffic of the port to 0.
port-string: (Optional) Specifies the port(s) on which status will be set.
Defaults
If no parameters are entered, all Cisco DP parameters are reset to the defaults globally and for all ports.
Mode
Switch mode, read-write.
Examples
This example shows how to clear all the Cisco DP parameters back to the default settings.
C3(rw)->clear ciscodp
This example shows how to clear the Cisco DP status on port fe.1.5.
C3(rw)->clear ciscodp port status fe.1.5
Commands
The commands used to clear and close the CLI session are listed below.
For information about...    Refer to page...
cls                         3-67
exit                        3-68
Syntax
cls
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to clear the CLI screen:
C3(su)->cls
exit
Use either of these commands to leave a CLI session.
Syntax
exit
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
By default, switch timeout occurs after 15 minutes of user inactivity, automatically closing your CLI session. Use the set logout command (page 3-26) to change this default.
Example
This example shows how to exit a CLI session:
C3(su)->exit
Commands
The commands used to reset the switch and clear the configuration are listed below.
For information about...    Refer to page...
reset                       3-69
clear config                3-70
reset
Use this command to reset the switch without losing any user-defined configuration settings.
Syntax
reset [unit]
Parameters
unit
(Optional) Specifies a unit to be reset.
Defaults
If no unit ID is specified, the entire system will be reset.
Mode
Switch command, read-write.
Usage
A SecureStack C3 switch can also be reset with the RESET button located on its front panel. For information on how to do this, refer to the SecureStack C3 Installation Guide shipped with your switch.
Examples
This example shows how to reset the system:
C3(su)->reset
Are you sure you want to reload the stack? (y/n) y
Saving Configuration to stacking members
Reloading all switches.
This example shows how to reset unit 1 in the stack:
C3(su)->reset 1
Are you sure you want to reload the switch? (y/n) y
Reloading switch 1.
This switch is manager of the stack.
STACK: detach 3 units
clear config
Use this command to clear the user-defined configuration parameters.
Syntax
clear config [all]
Parameters
all
(Optional) Clears user-defined configuration parameters and stack unit numbers and priorities.
Defaults
If all is not specified, stacking configuration parameters will not be cleared.
Mode
Switch command, read-write.
Usage
When using the clear config command to clear configuration parameters in a stack, it is important to remember the following:
Use clear config to clear configuration parameters without clearing stack unit IDs. This command WILL NOT clear stack parameters and avoids the process of renumbering the stack.
Use clear config all when it is necessary to clear all configuration parameters, including stack unit IDs and switch priority values.
Use the clear ip address command to clear the IP address.
Configuration parameters and stacking information can also be cleared on the master unit only by selecting option 10 (restore configuration to factory defaults) from the boot menu on switch startup. This selection will leave stacking priorities on all other units.
Example
This example shows how to clear configuration parameters including stacking parameters:
C3(su)->clear config all
Commands
The commands to configure WebView and SSL are described below.
For information about...    Refer to page...
show webview                3-71
set webview                 3-72
show ssl                    3-72
set ssl                     3-73
show webview
Use this command to display WebView status.
Syntax
show webview
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display WebView status:
C3(rw)->show webview
WebView is Enabled.
set webview
Use this command to enable or disable WebView on the switch.
Syntax
set webview {enable | disable}
Parameters
enable | disable
Enable or disable WebView on the switch.
Defaults
None.
Mode
Switch command, read-write.
Usage
It is good practice for security reasons to disable HTTP access on the switch when finished configuring with WebView, and then to only enable WebView on the switch when changes need to be made.
Example
This example shows how to disable WebView on the switch:
C3(rw)->set webview disable
show ssl
Use this command to display SSL status.
Syntax
show ssl
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display SSL status:
C3(rw)->show ssl
SSL status: Enabled
set ssl
Use this command to enable or disable the use of WebView over SSL port 443. By default, SSL is disabled on the switch. This command can also be used to reinitialize the host key that is used for encryption.
Syntax
set ssl {enabled | disabled | reinitialize | hostkey reinitialize}
Parameters
enabled | disabled
Enable or disable the ability to use WebView over SSL.
reinitialize
Stops and then restarts the SSL process.
hostkey reinitialize
Stops SSL, regenerates new keys, and then restarts SSL.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable SSL:
C3(rw)->set ssl enabled
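A check for the WebView practice recommended above, run over a captured CLI transcript: it reports WebView left enabled and WebView enabled without SSL. This is an added example, not Enterasys tooling; the function names are assumptions, the transcript is constructed, and the "Disabled" output wording is assumed by analogy with the "Enabled" outputs shown on this page.

```python
import re

# Constructed sample transcript in the prompt/output format shown on this page.
# The "Disabled" wording is an assumption; the page only shows "Enabled".
SAMPLE = """\
C3(rw)->show webview
WebView is Enabled.
C3(rw)->show ssl
SSL status: Disabled
"""

PROMPT = re.compile(r"^C3\(\w+\)->(.*)$")


def split_transcript(text):
    """Map each command typed at a C3 prompt to the output lines after it."""
    outputs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROMPT.match(line)
        if m:
            current = " ".join(m.group(1).split())
            outputs[current] = []
        elif current is not None and line:
            outputs[current].append(line)
    return outputs


def _state(lines, pattern):
    """Return True for Enabled, False for Disabled, None if not reported."""
    for line in lines:
        m = re.search(pattern, line, re.IGNORECASE)
        if m:
            return m.group(1).lower() == "enabled"
    return None


def audit_web_management(text):
    """Return a list of findings about web management exposure."""
    out = split_transcript(text)
    webview = _state(out.get("show webview", []),
                     r"WebView is (Enabled|Disabled)")
    ssl = _state(out.get("show ssl", []),
                 r"SSL status:\s*(Enabled|Disabled)")
    findings = []
    if webview is None:
        findings.append("WebView state unknown: no 'show webview' output")
    if ssl is None:
        findings.append("SSL state unknown: no 'show ssl' output")
    if webview:
        findings.append("WebView is enabled; disable it when configuration "
                        "is finished (set webview disable)")
        if ssl is False:
            findings.append("WebView is enabled but SSL is disabled; "
                            "WebView is not available over SSL port 443 "
                            "(set ssl enabled)")
    return findings


if __name__ == "__main__":
    for finding in audit_web_management(SAMPLE):
        print("FINDING:", finding)
```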
4
Port Configuration
This chapter describes the Port Configuration set of commands and how to use them.
Port number can be:
1-48 for the C3G124-48 and C3G124-48P
1-24 for the C3G124-24, C3G134-24P
The highest valid port number is dependent on the number of ports in the device and the port type.
Examples
Note: You can use a wildcard (*) to indicate all of an item. For example, fe.3.* would represent all
100Mbps Ethernet (fe) ports in unit 3 in the stack.
This example shows the port-string syntax for specifying the 100Mbps Ethernet ports 1 through 10 in unit 1 in the stack.
fe.1.1-10
This example shows the port-string syntax for specifying the 1-Gigabit Ethernet port 14 in unit 3 in the stack.
ge.3.14
This example shows the port-string syntax for specifying the first 10-Gigabit Ethernet port of unit 3 in the stack.
tg.3.25
This example shows the port-string syntax for specifying all 1-Gigabit Ethernet ports in unit 3 in the stack.
ge.3.*
This example shows the port-string syntax for specifying all ports (of any interface type) in all units in the stack.
*.*.*
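Expanding a port-string against a stack inventory shows exactly which ports a command such as set port disable would touch before it is entered. This is an added example, not Enterasys code; the inventory and function names are assumptions, and only the forms shown above (single port, port range, wildcard) are handled.

```python
import re

# Constructed inventory (assumption): unit -> {port type -> port numbers}.
# Unit 3 matches the examples above: ge ports, with tg.3.25 as the first
# 10-Gigabit port.
INVENTORY = {
    1: {"fe": range(1, 25)},
    3: {"ge": range(1, 25), "tg": range(25, 27)},
}
PORT_TYPES = ("fe", "ge", "tg")


def _select(field, candidates, allow_range, strict):
    """Pick the candidates named by one field: '*', 'N' or 'N-M'."""
    present = sorted(candidates)
    if field == "*":
        return present
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", field)
    if not m or (m.group(2) and not allow_range):
        raise ValueError(f"unsupported field {field!r}")
    lo = int(m.group(1))
    hi = int(m.group(2) or lo)
    if lo > hi:
        raise ValueError(f"descending range {field!r}")
    chosen = [c for c in present if lo <= c <= hi]
    # With strict set, every number named must exist in the inventory.
    if strict and len(chosen) != hi - lo + 1:
        raise ValueError(f"{field!r} names a unit or port that is not present")
    return chosen


def expand_port_string(port_string, inventory=INVENTORY):
    """Return the concrete ports matched by a type.unit.port string."""
    parts = port_string.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected type.unit.port")
    ptype, unit_field, port_field = parts
    if ptype != "*" and ptype not in PORT_TYPES:
        raise ValueError(f"unknown port type {ptype!r}")
    explicit_type = ptype != "*"
    # Be strict about port numbers only when both type and unit are explicit;
    # wildcards skip units or types that lack the requested ports.
    strict = explicit_type and unit_field != "*"
    ports = []
    for unit in _select(unit_field, inventory, allow_range=False, strict=True):
        for t in PORT_TYPES:
            if explicit_type and t != ptype:
                continue
            numbers = inventory[unit].get(t, ())
            for n in _select(port_field, numbers, allow_range=True,
                             strict=strict):
                ports.append(f"{t}.{unit}.{n}")
    if not ports:
        raise ValueError(f"{port_string!r} matches no port in the inventory")
    return ports


if __name__ == "__main__":
    for s in ("fe.1.1-10", "ge.3.14", "tg.3.25", "ge.3.*", "*.*.*"):
        print(s, "->", len(expand_port_string(s)), "port(s)")
```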
Commands
The commands used to review port status are listed below.
show port
Use this command to display whether or not one or more ports are enabled for switching.
Syntax
show port [port-string]
Parameters
port-string
(Optional) Displays operational status for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If port-string is not specified, operational status information for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display operational status information for fe.3.14:
C3(su)->show port fe.3.14
Port fe.3.14 enabled
Syntax
show port status [port-string]
Parameters
port-string
(Optional) Displays status for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If port-string is not specified, status information for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display status information for fe.3.14:
C3(su)->show port status fe.3.14
Port         Alias          Oper    Admin   Speed   Duplex  Type
             (truncated)    Status  Status
------------ -------------- ------- ------- ------- ------- ------------
fe.3.14                     up      up      N/A     N/A     BaseT RJ45
Table 4-1 provides an explanation of the command output.
Table 4-1
Output
What It Displays...
Port
Alias (truncated)
Alias configured for the port. For details on using the set port alias command, refer
to set port alias on page 4-9.
Oper Status
Admin Status
Whether the specified port is enabled (up) or disabled (down). For details on using
the set port disable command to change the default port status of enabled, refer to
set port disable on page 4-7. For details on using the set port enable command to
re-enable ports, refer to set port enable on page 4-8.
Speed
Operational speed in Mbps or Kbps of the specified port. For details on using the set
port speed command to change defaults, refer to set port speed on page 4-10.
Duplex
Duplex mode (half or full) of the specified port. For details on using the set port
duplex command to change defaults, refer to Setting Auto-Negotiation and
Advertised Ability on page 4-15.
Type
Syntax
show port counters [port-string] [switch | mib2]
Parameters
port-string
(Optional) Displays counter statistics for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
switch | mib2
(Optional) Displays switch or MIB2 statistics. Switch statistics detail performance of the SecureStack C3 device. MIB2 interface statistics detail performance of all network devices.
Defaults
If port-string is not specified, counter statistics will be displayed for all ports.
If mib2 or switch are not specified, all counter statistics will be displayed for the specified port(s).
Mode
Switch command, read-only.
Examples
This example shows how to display all counter statistics, including MIB2 network traffic and traffic through the device for fe.3.1:
C3(su)->show port counters fe.3.1
Port: fe.3.1
MIB2 Interface: 1
No counter discontinuity time
-----------------------------------------------------------------
MIB2 Interface Counters
-----------------------
In Octets
In Unicast Pkts
In Multicast Pkts
In Broadcast Pkts
In Discards
In Errors
Out Octets
Out Unicasts Pkts
Out Multicast Pkts
Out Broadcast Pkts
Out Errors
0
0
0
0
0
0
0
0
0
0
0
0
0
This example shows how to display all fe.3.1 port counter statistics related to traffic through the device.
C3(su)->show port counters fe.3.1 switch
Port: fe.3.1
Bridge Port: 2
Frames Transmitted
Table 4-2 provides an explanation of the command output.
Table 4-2
Output
What It Displays...
Port
MIB2 Interface
Bridge Port
MIB2 Interface
Counters
802.1Q Switch
Counters
Commands
The commands used to enable, disable, and name ports are listed below.
Syntax
set port disable port-string
Parameters
port-string
Specifies the port(s) to disable. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable fe.1.1:
C3(su)->set port disable fe.1.1
Syntax
set port enable port-string
Parameters
port-string
Specifies the port(s) to enable. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable fe.1.3:
C3(su)->set port enable fe.1.3
Syntax
show port alias [port-string]
Parameters
port-string
(Optional) Displays alias name(s) for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If port-string is not specified, aliases for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display alias information for ports 1-3 on unit 3:
C3(rw)->show
Port ge.3.1
Port ge.3.2
Port ge.3.3
Syntax
set port alias port-string [name]
Parameters
port-string
Specifies the port to which an alias will be assigned. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
name
(Optional) Assigns an alias name to the port. If the alias name contains spaces, the text string must be surrounded by double quotes. Maximum length is 60 characters.
Defaults
If name is not specified, the alias assigned to the port will be cleared.
Mode
Switch command, read-write.
Examples
This example shows how to assign the alias Admin to ge.3.3:
C3(rw)->set port alias ge.3.3 Admin
This example shows how to clear the alias for ge.3.3:
C3(rw)->set port alias ge.3.3
Commands
The commands used to review and set port speed and duplex mode are listed below.
Syntax
show port speed [port-string]
Parameters
port-string
(Optional) Displays default speed setting(s) for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If port-string is not specified, default speed settings for all ports will display.
Mode
Switch command, read-only.
Example
This example shows how to display the default speed setting for 1-Gigabit Ethernet port 14 in unit 3:
C3(su)->show port speed ge.3.14
default speed is 10 on port ge.3.14.
Syntax
set port speed port-string {10 | 100 | 1000}
Parameters
port-string
Specifies the port(s) for which a speed value will be set. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
10 | 100 | 1000
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set fe.3.3 to a port speed of 10 Mbps:
C3(su)->set port speed fe.3.3 10
Syntax
show port duplex [port-string]
Parameters
port-string
(Optional) Displays default duplex setting(s) for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If port-string is not specified, default duplex settings for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the default duplex setting for Gigabit Ethernet port 14 in unit 3:
C3(su)->show port duplex ge.3.14
default duplex mode is full on port ge.3.14.
Syntax
set port duplex port-string {full | half}
Parameters
port-string
Specifies the port(s) for which duplex type will be set. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
full | half
Sets the port(s) to full-duplex or half-duplex operation.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set Fast Ethernet port 17 in unit 1 to full duplex:
C3(su)->set port duplex fe.1.17 full
Commands
The commands used to review, enable and disable jumbo frame support are listed below.
Syntax
show port jumbo [port-string]
Parameters
port-string
(Optional) Displays the status of jumbo frame support for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If port-string is not specified, jumbo frame support status for all ports will display.
Mode
Switch command, read-only.
Example
This example shows how to display the status of jumbo frame support for ge.1.1:
C3(su)->show port jumbo ge.1.1
Port Number   Jumbo Status    Max Frame Size
------------- --------------- ------------------
ge.1.1        Enable          9216
Syntax
set port jumbo {enable | disable} [port-string]
Parameters
enable | disable
Enables or disables jumbo frame support.
port-string
(Optional) Specifies the port(s) on which to disable or enable jumbo frame support. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If port-string is not specified, jumbo frame support will be enabled or disabled on all ports.
Mode
Switch command, read-write.
Example
This example shows how to enable jumbo frame support for Gigabit Ethernet port 14 in unit 3:
C3(su)->set port jumbo enable ge.3.14
Syntax
clear port jumbo [port-string]
Parameters
port-string
(Optional) Specifies the port(s) on which to reset jumbo frame support status to enabled. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If port-string is not specified, jumbo frame support status will be reset on all ports.
Mode
Switch command, read-write.
Example
This example shows how to reset jumbo frame support status for Gigabit Ethernet port 14 in unit 3:
C3(su)->clear port jumbo ge.3.14
Commands
The commands used to review and configure auto-negotiation and advertised ability are listed below:
Syntax
show port negotiation [port-string]
Parameters
port-string
(Optional) Displays auto-negotiation status for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If port-string is not specified, auto-negotiation status for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display auto-negotiation status for 1-Gigabit Ethernet port 14 in unit 3:
C3(su)->show port negotiation ge.3.14
auto-negotiation is enabled on port ge.3.14.
Syntax
set port negotiation port-string {enable | disable}
Parameters
port-string
Specifies the port(s) for which to enable or disable auto-negotiation. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
enable | disable
Enables or disables auto-negotiation.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable auto-negotiation on 1-Gigabit Ethernet port 14 in unit 3:
C3(su)->set port negotiation ge.3.14 disable
Syntax
show port advertise [port-string]
Parameters
port-string
(Optional) Displays advertised ability for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If port-string is not specified, advertisement for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display advertisement status for Gigabit ports 13 and 14:
C3(su)->show port advertise ge.1.13-14
ge.1.13        capability   advertised   remote
-------------------------------------------------
10BASE-T       yes          yes          yes
10BASE-TFD     yes          yes          yes
100BASE-TX     yes          yes          yes
100BASE-TXFD   yes          yes          yes
1000BASE-T     no           no           no
1000BASE-TFD   yes          yes          yes
pause          yes          yes          no
ge.1.14        capability   advertised   remote
-------------------------------------------------
10BASE-T       yes          yes          yes
10BASE-TFD     yes          yes          yes
100BASE-TX     yes          yes          yes
100BASE-TXFD   yes          yes          yes
1000BASE-T     no           no           no
1000BASE-TFD   yes          yes          yes
pause          yes          yes          no
Syntax
set port advertise {port-string}{10t | 10tfd | 100tx | 100txfd | 1000t | 1000tfd | pause}
Parameters
port-string
Select the ports for which to configure advertisements. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
10t
Advertise 10BASE-T half duplex mode.
10tfd
Advertise 10BASE-T full duplex mode.
100tx
Advertise 100BASE-TX half duplex mode.
100txfd
Advertise 100BASE-TX full duplex mode.
1000t
Advertise 1000BASE-T half duplex mode.
1000tfd
Advertise 1000BASE-T full duplex mode.
pause
Advertise PAUSE for full-duplex links.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to configure port 1 to advertise 1000BASE-T full duplex:
C3(su)->set port advertise ge.1.1 1000tfd
Syntax
clear port advertise {port-string}{10t | 10tfd | 100tx | 100txfd | 1000t | 1000tfd | pause}
Parameters
port-string
Clear advertisements for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
10t
Do not advertise 10BASE-T half duplex mode.
10tfd
Do not advertise 10BASE-T full duplex mode.
100tx
Do not advertise 100BASE-TX half duplex mode.
100txfd
Do not advertise 100BASE-TX full duplex mode.
1000t
Do not advertise 1000BASE-T half duplex mode.
1000tfd
Do not advertise 1000BASE-T full duplex mode.
pause
Do not advertise PAUSE for full-duplex links.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to configure port 1 to not advertise 10 MB capability for auto-negotiation:
C3(su)->clear port advertise ge.1.1 10t 10tfd
Commands
The commands used to review and set port flow control are listed below:
For information about...    Refer to page...
show flowcontrol            4-19
set flowcontrol             4-20
show flowcontrol
Use this command to display the flow control state.
Syntax
show flowcontrol
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the port flow control state:
C3(su)->show flowcontrol
Flow control status: enabled
set flowcontrol
Use this command to enable or disable flow control.
Syntax
set flowcontrol {enable | disable}
Parameters
enable | disable
Enables or disables flow control settings.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable flow control:
C3(su)->set flowcontrol enable
Commands
Syntax
show port trap [port-string]
Parameters
port-string
(Optional) Displays link trap status for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If port-string is not specified, the trap status for all ports will be displayed.
Mode
Switch command, read-write.
Example
This example shows how to display link trap status for fe.3.1 through 4:
C3(su)->show port trap fe.3.1-4
Link traps enabled on port fe.3.1.
Link traps enabled on port fe.3.2.
Link traps enabled on port fe.3.3.
Link traps enabled on port fe.3.4.
Syntax
set port trap port-string {enable|disable}
Parameters
port-string
Specifies the port(s) for which to enable or disable port traps. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
enable | disable
Enables or disables sending trap messages when link status changes.
Defaults
Sending traps when link status changes is enabled by default.
Mode
Switch command, read-write.
Example
The following example disables sending traps on Fast Ethernet port 1 on unit 3.
C3(su)->set port trap fe.3.1 disable
show linkflap
Use this command to display link flap detection state and configuration information.
Syntax
show linkflap {globalstate | portstate | parameters | metrics | portsupported | actsupported | maximum | downports | action | operstatus | threshold | interval | downtime | currentcount | totalcount | timelapsed | violations [port-string]}
Parameters
globalstate
Displays the global enable state of link flap detection.
portstate
Displays the port enable state of link flap detection.
parameters
Displays the current value of settable link flap detection parameters.
metrics
Displays link flap detection metrics.
portsupported
Displays ports which can support the link flap detection function.
actsupported
Displays link flap detection actions supported by system hardware.
maximum
Displays the maximum allowed linkdowns per 10 seconds supported by system hardware.
downports
Displays ports disabled by link flap detection due to a violation.
action
Displays link flap actions taken on violating port(s).
operstatus
Displays whether link flap has deactivated port(s).
threshold
Displays the number of allowed link down transitions before action is taken.
interval
Displays the time period for counting link down transitions.
downtime
Displays how long violating port(s) are deactivated.
currentcount
Displays how many link down transitions are in the current interval.
totalcount
Displays how many link down transitions have occurred since the last reset.
timelapsed
Displays the time period since the last link down event or reset.
violations
Displays the number of link flap violations since the last reset.
port-string
(Optional) Displays information for specific port(s).
Defaults
If not specified, information about all link flap detection settings will be displayed.
If port-string is not specified, information for all ports will be displayed.
Mode
Switch mode, read-only.
Usage
The linkflap default conditions are shown in the following table.
Linkflap Parameter
Default Condition
Disabled
Disabled
Linkflap action
None
Linkflap interval
20
Linkflap threshold
(number of allowed link down transitions before action is taken)
10
Examples
This example shows how to display the global status of the link flap detection function:
C3(rw)->show linkflap globalstate
Linkflap feature globally disabled
This example shows how to display ports disabled by link flap detection due to a violation:
C3(rw)->show linkflap downports
Ports currently held DOWN for Linkflap violations:
None.
This example shows how to display the link flap parameters table:
C3(rw)->show linkflap parameters
Linkflap Port Settable Parameter Table (X means error occurred)
Port     LF Status Actions Threshold Interval   Downtime
-------- --------- ------- --------- ---------- ----------
ge.1.1   disabled  ....... 10        5          300
ge.1.2   enabled   D..S..T 3         5          300
ge.1.3   disabled  ...S..T 10        5          300
Table 4-3 provides an explanation of the show linkflap parameters command output.
Table 4-3
Output...
What it displays...
Port
Port designation.
LF Status
Actions
Threshold
Interval
Downtime
Interval (in seconds) port(s) will be held down after a link flap
violation.
This example shows how to display the link flap metrics table:
C3(rw)->show linkflap metrics
Port     LinkStatus  CurrentCount TotalCount TimeElapsed Violations
-------- ----------- ------------ ---------- ----------- -------------
ge.1.1   operational 0            0          241437      0
ge.1.2   disabled    4            15         147         5
ge.1.3   operational 3            3          241402      0
Table 4-4 provides an explanation of the show linkflap metrics command output.
Table 4-4
Output...
What it displays...
Port
Port designation.
LinkStatus
CurrentCount
TotalCount
TimeElapsed
Violations
Syntax
set linkflap globalstate {disable | enable}
Parameters
disable | enable
Globally disables or enables the link flap detection function.
Defaults
By default, the function is disabled globally and on all ports.
Mode
Switch mode, read-write.
Usage
By default, the function is disabled globally and on all ports. If disabled globally after per-port settings have been configured using the linkflap commands, per-port settings will be retained.
Example
This example shows how to globally enable the link flap detection function.
C3(rw)->set linkflap globalstate enable
Syntax
set linkflap portstate {disable | enable} [port-string]
Parameters
disable | enable
Disables or enables the link flap detection function.
port-string
(Optional) Specifies the port or ports on which to disable or enable monitoring.
Defaults
If port-string is not specified, all ports are enabled or disabled.
Mode
Switch command, read-write.
Example
This example shows how to enable link flap monitoring on all ports.
C3(rw)->set linkflap portstate enable
Syntax
set linkflap interval port-string interval-value
Parameters
port-string
Specifies the port(s) on which to set the link flap interval.
interval-value
Specifies an interval in seconds. A value of 0 will set the interval to forever.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the link flap interval on port fe.1.4 to 1000 seconds.
C3(rw)->set linkflap interval fe.1.4 1000
Syntax
set linkflap action port-string {disableInterface | gensyslogentry | gentrap | all}
Parameters
port-string
Specifies the port(s) on which to set the link flap action.
disableInterface
Sets the reaction as disabling the interface.
gensyslogentry
Sets the reaction as generating a syslog entry.
gentrap
Sets the reaction as generating an SNMP trap.
all
Sets the reaction as all of the above.
Defaults
None.
Mode
Switch mode, read-write.
Example
This example shows how to set the link flap violation action on port fe.1.4 to generating a Syslog entry.
C3(rw)->set linkflap action fe.1.4 gensyslogentry
Syntax
clear linkflap action [port-string] {disableInterface | gensyslogentry | gentrap | all}
Parameters
port-string
(Optional) Specifies the port(s) on which to clear the link flap action.
disableInterface
Clears the reaction as disabling the interface.
gensyslogentry
Clears the reaction as generating a syslog entry.
gentrap
Clears the reaction as generating an SNMP trap.
all
Clears the reaction as all of the above.
Defaults
If port-string is not specified, actions will be cleared on all ports.
Mode
Switch mode, read-write.
Example
This example shows how to clear the link flap violation action of generating a Syslog entry on port fe.1.4.
C3(rw)->clear linkflap action fe.1.4 gensyslogentry
Syntax
set linkflap threshold port-string threshold-value
Parameters
port-string
Specifies the port(s) on which to set the link flap action trigger count.
threshold-value
Specifies the number of link down transitions necessary to trigger the link flap action. A minimum of 1 must be configured.
Defaults
None.
Mode
Switch mode, read-write.
Example
This example shows how to set the link flap threshold on port fe.1.4 to 5.
C3(rw)->set linkflap threshold fe.1.4 5
Syntax
set linkflap downtime port-string downtime-value
Parameters
port-string
Specifies the port(s) on which to set the link flap downtime.
downtime-value
Specifies a downtime in seconds. A value of 0 will set the downtime to forever.
Defaults
None.
Mode
Switch mode, read-write.
Example
This example shows how to set the link flap downtime on port fe.1.4 to 5000 seconds.
C3(rw)->set linkflap downtime fe.1.4 5000
Syntax
clear linkflap down [port-string]
Parameters
port-string
(Optional) Specifies the ports to make operational.
Defaults
If port-string is not specified, all ports disabled by a link flap violation will be made operational.
Mode
Switch mode, read-write.
Example
This example shows how to make disabled port fe.1.4 operational.
C3(rw)->clear linkflap down fe.1.4
clear linkflap
Use this command to clear all link flap options and/or statistics on one or more ports.
Syntax
clear linkflap {all | stats [port-string] | parameter port-string {threshold | interval | downtime | all}}
Parameters
all | stats
Clears all options and statistics, or clears only statistics.
parameter
Clears link flap parameters.
threshold | interval | downtime | all
Clears link flap threshold, interval, downtime or all parameters.
port-string
(Optional unless parameter is specified) Specifies the port(s) on which to clear settings.
Defaults
If port-string is not specified, settings and/or statistics will be cleared on all ports.
Mode
Switch mode, read-write.
Example
This example shows how to clear all link flap options on port fe.1.4.
C3(rw)->clear linkflap all fe.1.4
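How the threshold, interval and downtime parameters described above interact, modelled over a constructed list of link-down timestamps. This is an added example and not the switch's implementation: the sliding-window counting, the reset of the count after a violation, and all names are assumptions made to illustrate the parameters.

```python
from collections import deque
import math

# Constructed link-down timestamps in seconds (sample data, not switch output).
SAMPLE_EVENTS = [0, 1, 2, 10, 100, 302, 303, 304.5]


class LinkflapPort:
    """Model of one port's link flap state (assumed semantics)."""

    def __init__(self, threshold, interval, downtime, disable_interface=True):
        if threshold < 1:
            raise ValueError("threshold must be at least 1")
        self.threshold = threshold   # link-down transitions that trigger action
        self.interval = interval     # counting period in seconds, 0 = forever
        self.downtime = downtime     # hold-down in seconds, 0 = forever
        self.disable_interface = disable_interface
        self.window = deque()        # transitions inside the current interval
        self.total_count = 0
        self.violations = 0
        self.held_down_until = None  # None = operational

    def is_held_down(self, now):
        return self.held_down_until is not None and now < self.held_down_until

    def clear_down(self):
        """Counterpart of 'clear linkflap down': make the port operational."""
        self.held_down_until = None

    def link_down(self, now):
        """Record a link-down transition; return True if it is a violation."""
        if self.is_held_down(now):
            return False             # a held-down port cannot flap
        self.held_down_until = None
        self.total_count += 1
        self.window.append(now)
        if self.interval:
            # Drop transitions that fell out of the counting interval.
            while now - self.window[0] >= self.interval:
                self.window.popleft()
        if len(self.window) < self.threshold:
            return False
        self.violations += 1
        self.window.clear()
        if self.disable_interface:
            self.held_down_until = (now + self.downtime
                                    if self.downtime else math.inf)
        return True


def simulate(events, **params):
    """Feed timestamps to a port; return (violation times, port)."""
    port = LinkflapPort(**params)
    hits = [t for t in events if port.link_down(t)]
    return hits, port


if __name__ == "__main__":
    # Same settings as port ge.1.2 in the parameters table above.
    hits, port = simulate(SAMPLE_EVENTS, threshold=3, interval=5, downtime=300)
    print("violations at", hits, "total transitions", port.total_count)
```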
Commands
The commands used to review and configure port broadcast suppression are listed below.
Syntax
show port broadcast [port-string]
Parameters
port-string
(Optional) Select the ports for which to show broadcast suppression thresholds. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If port-string is not specified, broadcast status of all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the broadcast suppression thresholds for ports 1 through 4:
C3(su)->show port broadcast ge.1.1-4
Port       Total BC     Threshold
           Packets      (pkts/s)
----------------------------------------
ge.1.1     0            50
ge.1.2     0            50
ge.1.3     0            40
ge.1.4     0            14881
Syntax
set port broadcast port-string threshold-val
Parameters
port-string
Select the ports for which to configure broadcast suppression thresholds. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
threshold-val
Sets the packets per second threshold on broadcast traffic. Maximum value is 148810 for Fast Ethernet ports and 1488100 for Gigabit ports.
Defaults
None.
Mode
Switch command, read-write.
Example
This example configures ports 1 through 5 with a broadcast limit of 50 pps:
C3(su)->set port broadcast ge.1.1-5 50
Syntax
clear port broadcast port-string threshold
Parameters
port-string
Select the ports for which to clear broadcast suppression thresholds. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears the broadcast threshold limit to 14881 pps for ports 1 through 5:
C3(su)->clear port broadcast ge.1.1-5 threshold
Port Mirroring
Caution: Port mirroring configuration should be performed only by personnel who are knowledgeable about the effects of port mirroring and its impact on network operation.
The SecureStack C3 device allows you to mirror (or redirect) the traffic being switched on a port for the purposes of network traffic analysis and connection assurance. When port mirroring is enabled, one port becomes a monitor port for another port within the device.
Mirroring Features
The SecureStack C3 device supports the following mirroring features:
• Mirroring can be configured in a many-to-one configuration so that one target (destination) port can monitor traffic on up to source ports. Only one mirror destination port can be configured per stack.
• Both transmit and receive traffic will be mirrored.
• A mirroring session which is configured to be active (enabled) will be operationally active only if both a destination port and at least one source port have been configured.
• A destination port will only act as a mirroring port when the session is operationally active. If the mirroring session is not operationally active, then the destination port will act as a normal port and participate in all normal operation with respect to transmitting traffic and participating in protocols.
Remote port mirroring involves configuration of the following port mirroring related parameters:
1. Configuration of normal port mirroring source ports and one destination port on all switches, as described above.
2. Configuration of a mirror VLAN, which is a unique VLAN on which mirrored packets traverse across the network. The mirror VLAN has to be configured on ALL switches across the network along which mirrored traffic traverses, from the switch where the source ports reside to the switch where the mirrored packets are sniffed and/or captured.
You must ensure that switches involved are properly configured to facilitate correct remote port mirroring operation. The following points in particular need to be observed:
• On the source switch, the correct destination port must be chosen to ensure that there is an egress path from that port to the desired remote destination(s).
• All ports on the path from the source port to the remote destination must be members of the mirror VLAN.
• On switches on the path from the source port to the remote destination, egress tagging has to be enabled on potential egress ports for the mirror VLAN.
With the introduction of remote port mirroring:
• Configured mirror destination ports will NOT lose their switching or routing properties as they do on SecureStack A2, B2, or C2 products.
• On switches where the mirror VLAN has been configured, any traffic on that VLAN will be flooded on the VLAN. It will never be unicast, even if the source address of the traffic has been learned on the switch.
Purpose
To review and configure port mirroring on the device.
Commands
The commands used to review and configure port mirroring are listed below.
Syntax
show port mirroring
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display port mirroring information. In this case, fe.1.4 is configured as a source port and fe.1.11 is a target and mirroring has been enabled between these ports:
C3(su)->show port mirroring
Port Mirroring
==============
Source Port = fe.1.4
Target Port = fe.1.11
Frames Mirrored = Rx and Tx
Port Mirroring status enabled.
Syntax
set port mirroring {create | disable | enable} source destination
Parameters
create | disable | enable
Creates, disables or enables mirroring settings on the specified ports.
source
Specifies the source port designation. This is the port on which the traffic will be monitored. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
destination
Specifies the target port designation. This is the port that will duplicate or mirror all the traffic on the monitored port. Only one destination port can be configured per stack.
For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Usage
Note that LAG ports and their underlying physical ports, as described in "Link Aggregation Control Protocol (LACP)" on page 4-38, cannot be mirrored.
Example
This example shows how to create and enable port mirroring with fe.1.4 as the source port, and fe.1.11 as the target port:
C3(su)->set port mirroring create fe.1.4 fe.1.11
C3(su)->set port mirroring enable fe.1.4 fe.1.11
Syntax
clear port mirroring source destination
Parameters
source
Specifies the source port of the mirroring configuration to be cleared. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
destination
Specifies the target port of the mirroring configuration to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear port mirroring between source port fe.1.4 and target port fe.1.11:
C3(su)->clear port mirroring fe.1.4 fe.1.11
Syntax
set mirror vlan vlan-id
Parameters
vlan-id
Specifies the VLAN to be used for remote port mirroring. The ID can range from 2 to 4093.
Defaults
None.
Mode
Switch command, read-write.
Usage
Refer to "Remote Port Mirroring" on page 4-33 for information about configuring mirror VLANs.
Use the show port mirroring command to display the VLANs configured for remote port mirroring.
Example
The following example assigns a VLAN for mirroring traffic and then shows the configured port mirroring with the show port mirroring command.
C3(su)->set mirror vlan 2
C3(su)->show port mirroring
Port Mirroring
==============
Source Port     = ge.1.1
Target Port     = ge.1.10
Frames Mirrored = Rx and Tx
Port Mirroring status enabled
Mirror Vlan     = 2
Syntax
clear mirror vlan vlan-id
Parameters
vlan-id
Specifies the VLAN to be cleared. The ID can range from 2 to 4093.
Defaults
None.
Mode
Switch command, read-write.
Example
The following example clears VLAN 2 from being used for remote port mirroring.
C3(su)->clear mirror vlan 2
Using multiple links simultaneously to increase bandwidth is a desirable switch feature, which can be accomplished if both sides agree on a set of ports that are being used as a Link Aggregation Group (LAG). Once a LAG is formed from selected ports, problems with looping can be avoided since the Spanning Tree can treat this LAG as a single port.
Enabled by default, the Link Aggregation Control Protocol (LACP) logically groups interfaces together to create a greater bandwidth uplink, or link aggregation, according to the IEEE 802.3ad standard. This standard allows the switch to determine which ports are in LAGs and configure them dynamically. Since the protocol is based on the IEEE 802.3ad specification, any switch from any vendor that supports this standard can aggregate links automatically.
802.3ad LACP aggregations can also be run to end users (that is, a server) or to a router.
Note: Earlier (proprietary) implementations of port aggregation referred to groups of aggregated ports as "trunks".
LACP Operation
For each aggregatable port in the device, LACP:
• Maintains configuration information (reflecting the inherent properties of the individual links as well as those established by management) to control aggregation.
• Exchanges configuration information with other devices to allocate the link to a Link Aggregation Group (LAG).
Note: A given link is allocated to, at most, one Link Aggregation Group (LAG) at a time. The allocation mechanism attempts to maximize aggregation, subject to management controls.
• Attaches the port to the aggregator used by the LAG, and detaches the port from the aggregator when it is no longer used by the LAG.
• Uses information from the partner device's link aggregation control entity to decide whether to aggregate ports.
The operation of LACP involves the following activities:
• Checking that candidate links can actually be aggregated.
• Controlling the addition of a link to a LAG, and the creation of the group if necessary.
• Monitoring the status of aggregated links to ensure that the aggregation is still valid.
• Removing a link from a LAG if its membership is no longer valid, and removing the group if it no longer has any member links.
In order to allow LACP to determine whether a set of links connect to the same device, and to determine whether those links are compatible from the point of view of aggregation, it is necessary to be able to establish:
• A globally unique identifier for each device that participates in link aggregation.
• A means of identifying the set of capabilities associated with each port and with each aggregator, as understood by a given device.
• A means of identifying a LAG and its associated aggregator.
LACP Terminology
Table 4-5 defines key terminology used in LACP configuration.
Table 4-5
Term
Definition
Aggregator
Virtual port that controls link aggregation for underlying physical ports. Each SecureStack C3 module provides 6 aggregator ports, which are designated in the CLI as lag.0.1 through lag.0.6.
LAG
Link Aggregation Group. Once underlying physical ports (for example, fe.x.x, or ge.x.x) are associated with an aggregator port, the resulting aggregation will be represented as one LAG with a lag.x.x port designation.
SecureStack C3 LAGs can have up to associated physical ports.
LACPDU
An actor is the local device sending LACPDUs. Its protocol partner is the device on the other end of the link aggregation. Each maintains current status of the other via LACPDUs containing information about their ports' LACP status and operational state.
Admin Key
Value assigned to aggregator ports and physical ports that are candidates for joining a LAG. The LACP implementation on SecureStack C3 devices will use this value to form an oper key and will determine which underlying physical ports are capable of aggregating by comparing oper keys. Aggregator ports allow only underlying ports with oper keys matching theirs to join their LAG.
On SecureStack C3 devices, the default admin key value is 32768.
System Priority
• An underlying physical port is attached to another port on this same switch (loopback).
• There is no available aggregator for two or more ports with the same LAG ID. This can happen if there are simply no available aggregators, or if none of the aggregators have a matching admin key and system priority.
• 802.1x authentication is enabled using the set eapol command (page 21-21) and ports that would otherwise aggregate are not 802.1X authorized.
The LACP implementation on the SecureStack C3 device will allow up to physical ports into a LAG. The device with the lowest LAG ID determines which underlying physical ports are allowed into a LAG based on the ports' LAG port priority. Ports with the lowest LAG port priority values are allowed into the LAG and all other speed groupings go into a standby state.
When an existing dynamically created LAG is reduced to one port, the SecureStack C3 removes the LAG from its VLAN and adds the remaining underlying port to the VLAN. For this reason, you should ensure that the LAG and all the ports in the LAG are assigned to the egress list of the desired VLAN. Otherwise, when the LAG is removed, the remaining port may be assigned to the wrong VLAN. The other option is to enable the single port lag feature as described in "set lacp singleportlag" on page 4-47.
Note: To aggregate, underlying physical ports must be running in full duplex mode and must be of the same operating speed.
Commands
The commands used to review and configure LACP are listed below.
For information about...    Refer to page...
show lacp                   4-41
set lacp                    4-43
clear lacp                  4-45
show lacp
Use this command to display information about one or more aggregator ports.
Syntax
show lacp [port-string]
Parameters
port-string
(Optional) Displays LACP information for specific LAG port(s). Valid port designations are lag.0.1-6.
Defaults
If port-string is not specified, link aggregation information for all LAGs will be displayed.
Mode
Switch command, read-only.
Usage
Each SecureStack C3 module provides 6 virtual link aggregator ports, which are designated in the CLI as lag.0.1 through lag.0.6. Once underlying physical ports (that is, fe.x.x, ge.x.x) are associated with an aggregator port, the resulting aggregation will be represented as one Link Aggregation Group (LAG) with a lag.x.x port designation.
Example
This example shows how to display lacp information for lag.0.1:
C3(su)->show lacp lag.0.1
Global Link Aggregation state: enabled
Single Port LAGs:              disabled
Aggregator: lag.0.1
                      Actor                Partner
System Identifier:    00:01:F4:5F:1E:20    00:11:88:11:74:F9
System Priority:      32768                32768
Admin Key:            32768
Oper Key:             32768                0
Attached Ports:       ge.1.1
                      ge.1.3
Table 4-6 provides an explanation of the command output.
Table 4-6
Output
What It Displays...
Global Link Aggregation state
Single Port LAGs
Displays if the single port LAG feature has been enabled on the switch. See "set lacp singleportlag" on page 4-47 for more about single port LAG.
Aggregator
Actor
Partner
System Identifier
System Priority
System priority value which determines aggregation precedence. Only one LACP system priority can be set on a SecureStack C3 device, using either the set lacp asyspri command (page 4-44), or the set port lacp command (page 4-50).
Admin Key
Port's assigned key. SecureStack C3 devices provide a default admin key value of 32768 for all LAG ports (lag.0.1 through lag.0.6).
Oper Key
Port's operational key, derived from the admin key. Only underlying physical ports with oper keys matching the aggregator's will be allowed to aggregate.
Attached Ports
set lacp
Use this command to disable or enable the Link Aggregation Control Protocol (LACP) on the device.
Syntax
set lacp {disable | enable}
Parameters
disable | enable
Disables or enables LACP.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable LACP:
C3(su)->set lacp disable
Syntax
set lacp asyspri value
Parameters
asyspri
Sets the system priority to be used in creating a LAG (Link Aggregation Group) ID. Valid values are 0 to 65535.
value
Specifies a system priority value. Valid values are 0 to 65535, with precedence given to lower values.
Defaults
None.
Mode
Switch command, read-write.
Usage
LACP uses this value to determine aggregation precedence. If there are two partner devices competing for the same aggregator, LACP compares the LAG IDs for each grouping of ports. The LAG with the lower LAG ID is given precedence and will be allowed to use the aggregator.
Example
This example shows how to set the LACP system priority to 1000:
C3(su)->set lacp asyspri 1000
Syntax
set lacp aadminkey port-string value
Parameters
port-string
Specifies the LAG port(s) on which to assign an admin key.
value
Specifies an admin key value to set. Valid values are 0 to 65535. The default admin key value is 32768.
Defaults
None.
Mode
Switch command, read-write.
Usage
LACP will use this value to form an oper key. Only underlying physical ports with oper keys matching those of their aggregators will be allowed to aggregate. The default admin key value for all LAG ports is 32768.
Example
This example shows how to set the LACP admin key to 2000 for LAG port 6:
C3(su)->set lacp aadminkey lag.0.6 2000
clear lacp
Use this command to clear LACP system priority or admin key settings.
Syntax
clear lacp {[asyspri] [aadminkey port-string]}
Parameters
asyspri
Clears system priority.
aadminkey port-string
Resets admin keys for one or more ports to the default value of 32768.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the actor admin key for LAG port 6:
C3(su)->clear lacp aadminkey lag.0.6
Syntax
set lacp static {disable | enable} | lagportstring [key] port-string
Parameters
disable | enable
Disables or enables static link aggregation.
lagportstring
Specifies the LAG aggregator port to which new ports will be assigned.
key
(Optional) Specifies the new member port and LAG port aggregator admin key value. Only ports with matching keys are allowed to aggregate. Valid values are 0-65535.
Note: This key value must be unique. If ports other than the desired underlying physical ports share the same admin key value, aggregation will fail or undesired aggregations will form.
port-string
Specifies the member port(s) to add to the LAG. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
If not specified, a key will be assigned according to the specified aggregator. For example a key of 4 would be assigned to lag.0.4.
Mode
Switch command, read-write.
Example
This example shows how to add port fe.1.6 to the LAG of aggregator port 6:
C3(su)->set lacp static lag.0.6 fe.1.6
Syntax
clear lacp static lagportstring port-string
Parameters
lagportstring
Specifies the LAG aggregator port from which ports will be removed.
port-string
Specifies the port(s) to remove from the LAG. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to remove fe.1.6 from the LAG of aggregator port 6:
C3(su)->clear lacp static lag.0.6 fe.1.6
Syntax
set lacp singleportlag {enable | disable}
Parameters
disable | enable
Enables or disables the formation of single port LAGs.
Defaults
None.
Mode
Switch command, read-write.
Usage
When single port LAGs are enabled, LAGs are maintained when only one port is receiving protocol transmissions from a partner. If single port LAGs are not enabled and a LAG goes down to one port, the LAG (lag.x.x) will not be used but instead the port's syntax will be used (for example, fe.3.24). This could cause problems if the LAG and the port have different configurations (the LAG and the port may have different VLAN or Policy configurations).
Example
This example shows how to enable single port LAGs:
C3(su)->set lacp singleportlag enable
Syntax
clear lacp singleportlag
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the single port LAG function back to disabled:
C3(su)->clear lacp singleportlag
Syntax
show port lacp port port-string {[status {detail | summary}] | [counters]}
Parameters
port port-string
Displays LACP information for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
status detail | summary
Displays LACP status in detailed or summary information.
counters
Displays LACP counter information.
Defaults
None.
Mode
Switch command, read-only.
Usage
State definitions, such as ActorAdminState and PartnerAdminState, are indicated with letter abbreviations. If the show port lacp command displays one or more of the following letters, it means the state is true for the associated actor or partner ports:
E = Expired
F = Defaulted
D = Distributing (tx enabled)
C = Collecting (rx enabled)
S = Synchronized (actor and partner agree)
G = Aggregation allowed
S/l = Short/Long LACP timeout
A/p = Active/Passive LACP
For more information about these states, refer to set port lacp (page 4-50) and the IEEE 802.3-2002 specification.
Examples
This example shows how to display detailed LACP status information for port fe.1.12:
C3(su)-> show port lacp port fe.1.12 status detail
Port Instance:       fe.1.12
ActorPort:           1411               PartnerAdminPort:           1411
ActorSystemPriority: 32768              PartnerOperPort:            1411
ActorPortPriority:   32768              PartnerAdminSystemPriority: 32768
ActorAdminKey:       32768              PartnerOperSystemPriority:  32768
ActorOperKey:        32768              PartnerAdminPortPriority:   32768
ActorAdminState:     -----GlA           PartnerOperPortPriority:    32768
ActorOperState:      -F----lA           PartnerAdminKey:            1411
ActorSystemID:       00-e0-63-9d-b5-87  PartnerOperKey:             1411
SelectedAggID:       none               PartnerAdminState:          --DCSGlp
AttachedAggID:       none               PartnerOperState:           --DC-Glp
MuxState:            Detached           PartnerAdminSystemID:       00-00-00-00-00-00
DebugRxState:        port Disabled      PartnerOperSystemID:        00-00-00-00-00-00
This example shows how to display summarized LACP status information for port fe.1.12:
C3(su)->show port lacp port fe.1.12 status summary
Port       Aggr   Actor System                 Partner System
                  Pri:  System ID:     Key:    Pri:  System ID:     Key:
fe.1.12    none   [(32768,00e0639db587,32768),(32768,000000000000, 1411)]
This example shows how to display LACP counters for port fe.1.12:
C3(su)->show port lacp port fe.1.12 counters
Port Instance:         fe.1.12
LACPDUsRx:             11067
LACPDUsTx:             0
IllegalRx:             0
UnknownRx:             0
MarkerPDUsRx:          0
MarkerPDUsTx:          0
MarkerResponsePDUsRx:  0
MarkerResponsePDUsTx:  374
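The following Python sketch is an added example, not part of the guide or of Enterasys software. It decodes the 8-character state strings from the status detail output using the letter legend in the Usage section, then lists the reasons a port is not carrying LAG traffic. The positional layout (E, F, D, C, S, G, timeout, activity) is an assumption inferred from the sample strings on this page, and the function names are hypothetical.

```python
import re

# Positions 0-5 of the state string, in the order the legend lists them.
# Positions 6 and 7 carry the timeout (S/l) and activity (A/p) letters.
# Assumption: this layout is inferred from the page's samples
# (-----GlA, -F----lA, --DCSGlp); the guide does not document it.
BIT_FLAGS = [("E", "expired"), ("F", "defaulted"), ("D", "distributing"),
             ("C", "collecting"), ("S", "synchronized"), ("G", "aggregation")]
TIMEOUT = {"S": "short", "l": "long"}
ACTIVITY = {"A": "active", "p": "passive"}

# Detail output for fe.1.12 as shown in the example on this page.
SAMPLE_DETAIL = """\
Port Instance:       fe.1.12
ActorPort:           1411               PartnerAdminPort:           1411
ActorAdminState:     -----GlA           PartnerOperPortPriority:    32768
ActorOperState:      -F----lA           PartnerAdminKey:            1411
ActorSystemID:       00-e0-63-9d-b5-87  PartnerOperKey:             1411
SelectedAggID:       none               PartnerAdminState:          --DCSGlp
AttachedAggID:       none               PartnerOperState:           --DC-Glp
MuxState:            Detached           PartnerAdminSystemID:       00-00-00-00-00-00
"""


def decode_state(state):
    """Turn a string such as '-F----lA' into a dict of named flags."""
    if len(state) != 8:
        raise ValueError(f"expected 8 characters, got {state!r}")
    decoded = {}
    for pos, (letter, name) in enumerate(BIT_FLAGS):
        if state[pos] not in (letter, "-"):
            raise ValueError(f"unexpected {state[pos]!r} at position {pos}")
        decoded[name] = state[pos] == letter
    if state[6] not in TIMEOUT or state[7] not in ACTIVITY:
        raise ValueError(f"unexpected timeout/activity letters in {state!r}")
    decoded["timeout"] = TIMEOUT[state[6]]
    decoded["activity"] = ACTIVITY[state[7]]
    return decoded


def parse_detail(text):
    """Collect 'Name: value' pairs from both columns of the detail output."""
    return dict(re.findall(r"([A-Za-z]+):\s+(\S+)", text))


def port_findings(text):
    """Return the reasons a port is not passing traffic as part of a LAG."""
    fields = parse_detail(text)
    actor = decode_state(fields["ActorOperState"])
    findings = []
    if actor["defaulted"]:
        findings.append("actor is using defaulted partner information")
    if actor["expired"]:
        findings.append("partner information has expired")
    if not actor["synchronized"]:
        findings.append("actor and partner are not synchronized")
    if not (actor["collecting"] and actor["distributing"]):
        findings.append("port is not collecting and distributing")
    if fields.get("AttachedAggID") == "none":
        findings.append("port is not attached to an aggregator")
    return findings


if __name__ == "__main__":
    for reason in port_findings(SAMPLE_DETAIL):
        print("fe.1.12:", reason)
```

Decoding by position rather than by letter matters because "S" appears twice in the legend: once for Synchronized and once for the short timeout.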
Syntax
set port lacp port port-string {[aadminkey aadminkey] [aadminstate {lacpactive |
lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire}]
[aportpri aportpri] [asyspri asyspri] [enable | disable] [padminkey padminkey]
[padminport padminport] [padminportpri padminportpri] [padminstate {lacpactive |
lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire}]
[padminsysid padminsysid] [padminsyspri padminsyspri]}
Parameters
port port-string
Specifies the physical port(s) on which to configure LACP. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
aadminkey aadminkey
Sets the port's actor admin key. LACP will use this value to form an oper key and will determine which underlying physical ports are capable of aggregating by comparing oper keys. Aggregator ports allow only underlying ports with oper keys matching theirs to join their LAG. Valid values are 1-65535. The default key value is 32768.
aadminstate lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire
Sets the port's actor LACP administrative state to allow for:
lacpactive - Transmitting LACP PDUs.
lacptimeout - Transmitting LACP PDUs every 1 sec. vs 30 sec. (default).
lacpagg - Aggregation on this port.
lacpsync - Transition to synchronization state.
lacpcollect - Transition to collection state.
lacpdist - Transition to distribution state.
lacpdef - Transition to defaulted state.
lacpexpire - Transition to expired state.
aportpri aportpri
Sets the port's actor port priority. Valid values are 0-65535, with lower values designating higher priority.
asyspri asyspri
Sets the port's actor system priority. The LACP implementation on the SecureStack C3 device uses this value to determine aggregation precedence when there are two devices competing for the same aggregator. Valid values are 0-65535, with higher precedence given to lower values.
Note: Only one LACP system priority can be set on a SecureStack C3 device, using either this command, or the set lacp asyspri command ("set lacp asyspri" on page 4-44).
enable
(Optional) Enables LACPDU processing on this port.
disable
(Optional) Disables LACPDU processing on this port.
padminkey padminkey
Sets a default value to use as the port's partner admin key. Only ports with matching admin keys are allowed to aggregate. Valid values are 1-65535.
padminport padminport
Sets a default value to use as the port's partner admin value. Valid values are 1-65535.
padminportpri padminportpri
Sets a default value to use as the port's partner port priority. Valid values are 0-65535, with lower values given higher priority.
padminstate lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire
Sets a port's partner LACP administrative state. See aadminstate for valid options.
padminsysid padminsysid
Sets a default value to use as the port's partner system ID. This is a MAC address.
padminsyspri padminsyspri
Sets a default value to use as the port's partner priority. Valid values are 0-65535, with lower values given higher priority.
Defaults
At least one parameter must be entered per port-string.
If enable or disable are not specified, port(s) will be enabled with the LACP parameters entered.
Mode
Switch command, read-write.
Usage
LACP commands and parameters beginning with an "a" (such as aadminkey) set actor values. Corresponding commands and parameters beginning with a "p" (such as padminkey) set corresponding partner values. Actor refers to the local device participating in LACP negotiation, while partner refers to its remote device partner at the other end of the negotiation. Actors and partners maintain current status of the other via LACPDUs containing information about their ports' LACP status and operational state.
Example
This example shows how to set the actor admin key to 3555 for port ge.3.16:
C3(su)->set port lacp port ge.3.16 aadminkey 3555
Syntax
clear port lacp port port-string {[aadminkey] [aportpri] [asyspri] [aadminstate
{lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef
| lacpexpire | all}] [padminsyspri] [padminsysid] [padminkey] [padminportpri]
[padminport] [padminstate {lacpactive | lacptimeout | lacpagg | lacpsync |
lacpcollect | lacpdist | lacpdef | lacpexpire | all}]}
Parameters
port port-string
Specifies the physical port(s) on which LACP settings will be cleared. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
aadminkey
Clears a port's actor admin key.
aportpri
Clears a port's actor port priority.
asyspri
Clears the port's actor system priority.
aadminstate lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire | all
Clears a port's specific actor admin state, or all actor admin state(s). For descriptions of specific states, refer to the set port lacp command ("set port lacp" on page 4-50).
padminsyspri
Clears the port's default partner priority value.
padminsysid
Clears the port's default partner system ID.
padminkey
Clears the port's default partner admin key.
padminportpri
Clears the port's default partner port priority.
padminport
Deletes a partner port from the LACP configuration.
padminstate lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire | all
Clears the port's specific partner admin state, or all partner admin state(s).
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear all link aggregation parameters for port ge.3.16:
C3(su)->clear port lacp port ge.3.16
Commands
Syntax
set port protected port-string group-id
Parameters
port-string
Specifies the port or ports to be protected.
group-id
Specifies the id of the group to which the ports should be assigned. Id can range from 0 to 2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to assign ports ge.1.1 through ge.1.3 to protected port group 1:
C3(rw)->set port protected ge.1.1-3 1
Syntax
show port protected [port-string] | [group-id]
Parameters
port-string
(Optional) Specifies the port or ports for which to display information.
group-id
(Optional) Specifies the id of the group for which to display information. Id can range from 0 to 2.
Defaults
If no parameters are entered, information about all protected ports is displayed.
Mode
Read-only.
Example
This example shows how to display information about all protected ports:
C3(ro)->show port protected
Group id    Port
---------------------
1           ge.1.1
1           ge.1.2
1           ge.1.3
Syntax
clear port protected [port-string] | [group-id]
Parameters
port-string
(Optional) Specifies the port or ports to remove from protected mode.
group-id
(Optional) Specifies the id of the group to remove from protected mode. Id can range from 0 to 2.
Defaults
If no parameters are entered, all protected ports and groups are cleared.
Mode
Switch command, read-write.
Example
This example shows how to clear protected ports ge.1.1 through ge.1.3:
C3(rw)->clear port protected ge.1.1-3
Syntax
set port protected name group-id name
Parameters
group-id
Specifies the id of this group. Id can range from 0 to 2.
name
Specifies a name for the group. The name can be up to 32 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to assign the name "group1" to protected port group 1:
C3(rw)->set port protected name 1 group1
Syntax
show port protected name group-id
Parameters
group-id
Specifies the id of the group to display. Id can range from 0 to 2.
Defaults
None.
Mode
Read-only.
Example
This example shows how to show the name of protected port group 1:
C3(ro)->show port protected name 1
Group ID    Group Name
----------------------------
1           group1
Syntax
clear port protected name group-id
Parameters
group-id
Specifies the id of the group for which to clear the name. Id can range from 0 to 2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the name of protected port group 1:
C3(rw)->clear port protected name 1
5
SNMP Configuration
This chapter describes the Simple Network Management Protocol (SNMP) set of commands and how to use them.
• Version 1 (SNMPv1) - This is the initial implementation of SNMP. Refer to RFC 1157 for a full description of functionality.
• Version 2 (SNMPv2c) - The second release of SNMP, described in RFC 1907, has additions and enhancements to data types, counter size, and protocol operations.
• Version 3 (SNMPv3) - This is the most recent version of SNMP, and includes significant enhancements to administration and security. SNMPv3 is fully described in RFC 2571, RFC 2572, RFC 2573, RFC 2574, and RFC 2575.
• Managed devices (such as a switch).
• SNMP agents and MIBs, including SNMP traps, community strings, and Remote Monitoring (RMON) MIBs, which run on managed devices.
SecureStack C3 Configuration Guide
• SNMP network management applications, such as Enterasys Networks NetSight Atlas, which communicate with agents to get statistics and alerts from the managed devices.
SNMPv3
SNMPv3 is an interoperable standards-based protocol that provides secure access to devices by authenticating and encrypting frames over the network. The advanced security features provided in SNMPv3 are as follows:
• Message integrity - Collects data securely without being tampered with or corrupted.
• Authentication - Determines the message is from a valid source.
• Encryption - Scrambles the contents of a frame to prevent it from being seen by an unauthorized source.
Unlike SNMPv1 and SNMPv2c, in SNMPv3, the concepts of SNMP agents and SNMP managers no longer apply. These concepts have been combined into an SNMP entity. An SNMP entity consists of an SNMP engine and SNMP applications. An SNMP engine consists of the following four components:
• Dispatcher - This component sends and receives messages.
• Message processing subsystem - This component accepts outgoing PDUs from the dispatcher and prepares them for transmission by wrapping them in a message header and returning them to the dispatcher. The message processing subsystem also accepts incoming messages from the dispatcher, processes each message header, and returns the enclosed PDU to the dispatcher.
• Security subsystem - This component authenticates and encrypts messages.
• Access control subsystem - This component determines which users and which operations are allowed access to managed objects.
Table 5-1
Model   Security Level   Authentication     Encryption   How It Works
v1      NoAuthNoPriv     Community string   None
v2c     NoAuthNoPriv     Community string   None
v3      NoAuthNoPriv     User name          None
v3      AuthNoPriv       MD5 or SHA         None
v3      authPriv         MD5 or SHA         DES
Example
This example permits the "powergroup" to manage all MIBs via SNMPv3:
C3(su)->set snmp access powergroup security-model usm
Configuration Considerations
Commands for configuring SNMP on the SecureStack C3 device are independent during the SNMP setup process. For instance, target parameters can be specified when setting up optional notification filters even though these parameters have not yet been created with the set snmp targetparams command.
Commands
The commands used to review SNMP statistics are listed below.
Syntax
show snmp engineid
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP engine properties:
C3(su)->show snmp engineid
EngineId: 80:00:15:f8:03:00:e0:63:9d:b5:87
Engine Boots = 12
Engine Time  = 162181
Max Msg Size = 2048
Table 5-2 shows a detailed explanation of the command output.
Table 5-2
Output
What It Displays...
EngineId
Engine Boots
Engine Time
Syntax
show snmp counters
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP counter values:
C3(su)->show snmp counters
--- mib2 SNMP group counters:
snmpInPkts              = 396601
snmpOutPkts             = 396601
snmpInBadVersions       = 0
snmpInBadCommunityNames = 0
snmpInBadCommunityUses  = 0
snmpInASNParseErrs      = 0
snmpInTooBigs           = 0
snmpInNoSuchNames       = 0
snmpInBadValues         = 0
snmpInReadOnlys         = 0
snmpInGenErrs           = 0
snmpInTotalReqVars      = 403661
snmpInTotalSetVars      = 534
snmpInGetRequests       = 290
snmpInGetNexts          = 396279
snmpInSetRequests       = 32
snmpInGetResponses      = 0
snmpInTraps             = 0
snmpOutTooBigs          = 0
snmpOutNoSuchNames      = 11
snmpOutBadValues        = 0
snmpOutGenErrs          = 0
snmpOutGetRequests      = 0
snmpOutGetNexts         = 0
snmpOutSetRequests      = 0
snmpOutGetResponses     = 396601
snmpOutTraps            = 0
snmpSilentDrops         = 0
snmpProxyDrops          = 0
usmStatsUnsupportedSecLevels = 0
usmStatsNotInTimeWindows     = 0
usmStatsUnknownUserNames     = 0
usmStatsUnknownEngineIDs     = 0
usmStatsWrongDigests         = 0
usmStatsDecriptionErrors     = 0
Table 5-3 shows a detailed explanation of the command output.
Table 5-3
Output
What It Displays...
snmpInPkts
snmpOutPkts
snmpInBadVersions
snmpInBadCommunityNames
snmpInBadCommunityUses
snmpInASNParseErrs
snmpInTooBigs
Number of SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as "tooBig."
snmpInNoSuchNames
Number of SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as "noSuchName."
snmpInBadValues
Number of SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as "badValue."
snmpInReadOnlys
Number of valid SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as "readOnly."
snmpInGenErrs
Number of SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as "genErr."
snmpInTotalReqVars
snmpInTotalSetVars
snmpInGetRequests
snmpInGetNexts
snmpInSetRequests
snmpInGetResponses
snmpInTraps
snmpOutTooBigs
Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status field as "tooBig."
snmpOutNoSuchNames
Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status as "noSuchName."
snmpOutBadValues
Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status field as "badValue."
snmpOutGenErrs
Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status field as "genErr."
snmpOutGetRequests
snmpOutGetNexts
snmpOutSetRequests
snmpOutGetResponses
snmpOutTraps
snmpSilentDrops
Number of SNMP Get, Set, or Inform request error messages that were dropped because the reply was larger than the requestor's maximum message size.
snmpProxyDrops
Number of SNMP Get, Set, or Inform request error messages that were dropped because the reply was larger than the proxy target's maximum message size.
usmStatsUnsupportedSecLevels
usmStatsNotInTimeWindows
usmStatsUnknownUserNames
usmStatsUnknownEngineIDs
usmStatsWrongDigests
usmStatsDecriptionErrors
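The counters above are cumulative, so they become useful for detection only when two readings are compared. The Python sketch below is an added example, not part of the guide: it diffs two show snmp counters captures and reports growth in the counters that indicate rejected or malformed requests. The counter meanings in the comments come from the SNMP MIB definitions (RFC 1213 and RFC 3414), the snapshot values are constructed, and the function names are hypothetical.

```python
import re

# Counters whose growth means requests were rejected or could not be parsed.
# Names are spelled as this page prints them (including usmStatsDecriptionErrors).
WATCHED = {
    "snmpInBadVersions": "message used an unsupported SNMP version",
    "snmpInBadCommunityNames": "unknown community name presented",
    "snmpInBadCommunityUses": "operation not allowed for that community",
    "snmpInASNParseErrs": "malformed ASN.1/BER in a received message",
    "usmStatsUnknownUserNames": "SNMPv3 request named an unknown user",
    "usmStatsWrongDigests": "SNMPv3 authentication digest did not verify",
    "usmStatsDecriptionErrors": "SNMPv3 payload could not be decrypted",
    "usmStatsNotInTimeWindows": "SNMPv3 message outside the time window",
}

# Constructed snapshots in the "name = value" layout of the example output.
BEFORE = """\
snmpInPkts              = 396601
snmpInBadCommunityNames = 0
snmpInBadCommunityUses  = 0
snmpInSetRequests       = 32
usmStatsUnknownUserNames = 0
usmStatsWrongDigests     = 0
"""
AFTER = """\
snmpInPkts              = 401200
snmpInBadCommunityNames = 1840
snmpInBadCommunityUses  = 0
snmpInSetRequests       = 32
usmStatsUnknownUserNames = 3
usmStatsWrongDigests     = 0
"""


def parse_counters(text):
    """Return {counter name: integer value} from 'name = value' lines."""
    pairs = re.findall(r"(?m)^[ \t]*(\w+)[ \t]*=[ \t]*(\d+)[ \t]*$", text)
    return {name: int(value) for name, value in pairs}


def counter_alerts(before, after, min_delta=1):
    """List (name, increase, meaning) for watched counters that grew."""
    alerts = []
    for name, meaning in WATCHED.items():
        old, new = before.get(name, 0), after.get(name, 0)
        # A lower reading means the agent restarted and counted up from zero.
        delta = new - old if new >= old else new
        if delta >= min_delta:
            alerts.append((name, delta, meaning))
    return alerts


if __name__ == "__main__":
    for name, delta, meaning in counter_alerts(parse_counters(BEFORE),
                                               parse_counters(AFTER)):
        print(f"{name} +{delta}: {meaning}")
```

A sustained rise in snmpInBadCommunityNames or usmStatsUnknownUserNames between polls is the usual sign of community-string or user-name guessing against the management interface.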
• User - A person registered in SNMPv3 to access SNMP management.
• Group - A collection of users who share the same SNMP access privileges.
• Community - A name used to authenticate SNMPv1 and v2 users.
Commands
The commands used to review and configure SNMP users, groups, and communities are listed below.
Syntax
show snmp user [list] | [user] | [remote remote] [volatile | nonvolatile | readonly]
Parameters
list
(Optional) Displays a list of registered SNMP user names.
user
(Optional) Displays information about a specific user.
remote remote
(Optional) Displays information about users on a specific remote SNMP
engine.
volatile | nonvolatile | readonly
(Optional) Displays user information for a specified storage type.
Defaults
If list is not specified, detailed SNMP information will be displayed.
If user is not specified, information about all SNMP users will be displayed.
If remote is not specified, user information about the local SNMP engine will be displayed.
If not specified, user information for all storage types will be displayed.
Mode
Switch command, read-only.
Examples
This example shows how to display an SNMP user list:
(su)->show snmp user list
--- SNMP user information ---
--- List of registered users:
Guest
admin1
admin2
netops
This example shows how to display information for the SNMP guest user:
(su)->show snmp user guest
--- SNMP user information ---
EngineId: 00:00:00:63:00:00:00:a1:00:00:00:00
Username         = Guest
Auth protocol    = usmNoAuthProtocol
Privacy protocol = usmNoPrivProtocol
Storage type     = nonVolatile
Row status       = active
Table 5-4 shows a detailed explanation of the command output.
Table 5-4
Output
What It Displays...
EngineId
Username
Auth protocol
Privacy protocol
Storage type
Row status
Syntax
set snmp user user [remote remoteid] [authentication {md5 | sha}] [authpassword]
[privacy privpassword] [volatile | nonvolatile]
Parameters
user
Specifies a name for the SNMPv3 user.
remote remoteid
(Optional) Registers the user on a specific remote SNMP engine.
authentication md5 | sha
(Optional) Specifies the authentication type required for this user as MD5
or SHA.
authpassword
(Optional) Specifies a password for this user when authentication is
required. Minimum of 8 characters.
privacy privpassword
(Optional) Applies encryption and specifies an encryption password.
Minimum of 8 characters.
volatile | nonvolatile
(Optional) Specifies a storage type for this user entry.
Defaults
If remote is not specified, the user will be registered for the local SNMP engine.
If authentication is not specified, no authentication will be applied.
If privacy is not specified, no encryption will be applied.
If storage type is not specified, nonvolatile will be applied.
Mode
Switch command, read-write.
Example
This example shows how to create a new SNMP user named netops. By default, this user will be
registered on the local SNMP engine without authentication and encryption. Entries related to this
user will be stored in permanent (nonvolatile) memory:
C3(su)->set snmp user netops
Syntax
clear snmp user user [remote remote]
Parameters
user
Specifies an SNMPv3 user to remove.
remote remote
(Optional) Removes the user from a specific remote SNMP engine.
Defaults
If remote is not specified, the user will be removed from the local SNMP engine.
Mode
Switch command, read-write.
Example
This example shows how to remove the SNMP user named bill:
C3(su)->clear snmp user bill
Syntax
show snmp group [groupname groupname] [user user] [security-model {v1 | v2c | usm}]
[volatile | nonvolatile | read-only]
Parameters
groupname groupname
(Optional) Displays information for a specific SNMP group.
user user
(Optional) Displays information about users within the specified group.
security-model v1 | v2c | usm
(Optional) Displays information about groups assigned to a specific
SNMP security model.
volatile | nonvolatile | read-only
(Optional) Displays SNMP group information for a specified storage type.
Defaults
If groupname is not specified, information about all SNMP groups will be displayed.
If user is not specified, information about all SNMP users will be displayed.
If security-model is not specified, user information about all SNMP versions will be displayed.
If not specified, information for all storage types will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP group information:
C3(su)->show snmp group
--- SNMP group information ---
Security model     = SNMPv1
Security/user name = public
Group name         = Anyone
Storage type       = nonVolatile
Row status         = active

Security model     = SNMPv1
Security/user name = public.router1
Group name         = Anyone
Storage type       = nonVolatile
Row status         = active
Table 5-5 shows a detailed explanation of the command output.
Table 5-5
Output
What It Displays...
Security model
Security/user name
Group name
Storage type
Row status
Syntax
set snmp group groupname user user security-model {v1 | v2c | usm} [volatile |
nonvolatile]
Parameters
groupname
Specifies an SNMP group name to create.
user user
Specifies an SNMPv3 user name to assign to the group.
security-model v1 | v2c | usm
Specifies an SNMP security model to assign to the group.
volatile | nonvolatile
(Optional) Specifies a storage type for SNMP entries associated with the
group.
Defaults
If storage type is not specified, nonvolatile storage will be applied.
Mode
Switch command, read-write.
Example
This example shows how to create an SNMP group called anyone, assign a user named public
and assign SNMPv3 security to the group:
C3(su)->set snmp group anyone user public security-model usm
Syntax
clear snmp group groupname user [security-model {v1 | v2c | usm}]
Parameters
groupname
Specifies the SNMP group to be cleared.
user
Specifies the SNMP user to be cleared.
security-model v1 | v2c | usm
(Optional) Clears the settings associated with a specific security model.
Defaults
If not specified, settings related to all security models will be cleared.
Mode
Switch command, read-write.
Example
This example shows how to clear all settings assigned to the public user within the SNMP group
anyone:
C3(su)->clear snmp group anyone public
Syntax
show snmp community [name]
Parameters
name
(Optional) Displays SNMP information for a specific community name.
Defaults
If name is not specified, information will be displayed for all SNMP communities.
Mode
Switch command, read-only.
Example
This example shows how to display information about the SNMP public community name. For
a description of this output, refer to set snmp community (page 5-14).
C3(su)->show snmp community public
--- Configured community strings ---
Name          = public
Security name = public
Context       =
Transport tag =
Storage type  = nonVolatile
Status        = active
Syntax
set snmp community community [securityname securityname] [context context]
[transport transport] [volatile | nonvolatile]
Parameters
community
Specifies a community group name.
securityname securityname
(Optional) Specifies an SNMP security name to associate with this
community.
context context
(Optional) Specifies a subset of management information this community
will be allowed to access. Valid values are full or partial context names. To
review all contexts configured for the device, use the show snmp context
command as described in show snmp context on page 5-22.
transport transport
(Optional) Specifies the set of transport endpoints from which an SNMP
request with this community name will be accepted. Makes a link to a
target address table.
volatile | nonvolatile
(Optional) Specifies the storage type for these entries.
Defaults
If securityname is not specified, the community name will be used.
If context is not specified, access will be granted for the default context.
If transport tag is not specified, none will be applied.
If storage type is not specified, nonvolatile will be applied.
Mode
Switch command, read-write.
Example
This example shows how to set an SNMP community name called vip:
C3(su)->set snmp community vip
Syntax
clear snmp community name
Parameters
name
Specifies the SNMP community name to clear.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete the community name vip.
C3(su)->clear snmp community vip
Commands
The commands used to review and configure SNMP access are listed below.
Syntax
show snmp access [groupname] [security-model {v1 | v2c | usm}] [noauthentication
| authentication | privacy] [context context] [volatile | nonvolatile | read-only]
Parameters
groupname
(Optional) Displays access information for a specific SNMPv3 group.
security-model v1 | v2c | usm
(Optional) Displays access information for SNMP security model version
1, 2c or 3 (usm).
noauthentication | authentication | privacy
(Optional) Displays access information for a specific security level.
context context
(Optional) Displays access information for a specific context. For a
description of how to specify SNMP contexts, refer to Using SNMP
Contexts to Access Specific MIBs on page 5-3.
volatile | nonvolatile | read-only
(Optional) Displays access entries for a specific storage type.
Defaults
If groupname is not specified, access information for all SNMP groups will be displayed.
If security-model is not specified, access information for all SNMP versions will be displayed.
If noauthentication, authentication or privacy are not specified, access information for all
security levels will be displayed.
If context is not specified, all contexts will be displayed.
If volatile, nonvolatile or read-only are not specified, all entries of all storage types will be
displayed.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP access information:
C3(su)->show snmp access
Group          = SystemAdmin
Security model = USM
Security level = noAuthNoPriv
Read View      = All
Write View     =
Notify View    = All
Context match  = exact match
Storage type   = nonVolatile
Row status     = active

Group          = NightOperator
Security model = USM
Security level = noAuthNoPriv
Read View      = All
Write View     =
Notify View    = All
Context match  = exact match
Storage type   = nonVolatile
Row status     = active
Table 5-6 shows a detailed explanation of the command output.
Table 5-6
Output
What It Displays...
Group
Security model
Security level
Read View
Name of the view that allows this group to view SNMP MIB objects.
Write View
Name of the view that allows this group to configure the contents of the
SNMP agent.
Notify View
Name of the view that allows this group to send an SNMP trap message.
Context match
Whether or not SNMP context match must be exact (full context name
match) or a partial match with a given prefix.
Storage type
Whether access entries for this group are stored in volatile, nonvolatile
or read-only memory.
Row status
Syntax
set snmp access groupname security-model {v1 | v2c | usm} [noauthentication |
authentication | privacy] [context context] [exact | prefix] [read read] [write
write] [notify notify] [volatile | nonvolatile]
Parameters
groupname
Specifies a name for an SNMPv3 group.
security-model v1 | v2c | usm
Specifies SNMP version 1, 2c or 3 (usm).
noauthentication | authentication | privacy
(Optional) Applies SNMP security level as no authentication,
authentication (without privacy) or privacy. Privacy specifies that
messages sent on behalf of the user are protected from disclosure.
context context exact | prefix
(Optional) Sets the context for this access configuration and specifies that
the match must be exact (matching the whole context string) or a prefix
match only. Context is a subset of management information this SNMP
group will be allowed to access. Valid values are full or partial context
names. To review all contexts configured for the device, use the show
snmp context command as described in show snmp context on
page 5-22.
read read
(Optional) Specifies a read access view.
write write
(Optional) Specifies a write access view.
notify notify
(Optional) Specifies a notify access view.
volatile | nonvolatile | read-only
(Optional) Stores associated SNMP entries as temporary or permanent, or
read-only.
Defaults
If security level is not specified, no authentication will be applied.
If context is not specified, access will be enabled for the default context. If context is specified
without a context match, exact match will be applied.
If read view is not specified, none will be applied.
If write view is not specified, none will be applied.
If notify view is not specified, none will be applied.
If storage type is not specified, entries will be stored as permanent and will be held through device
reboot.
Mode
Switch command, read-write.
Example
This example permits the powergroup to manage all MIBs via SNMPv3:
C3(su)->set snmp access powergroup security-model usm
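An added example, not part of the original guide: a Python check that applies the defaults documented for set snmp user and set snmp access to a list of commands and reports entries that end up without authentication, without privacy, or on the community-based v1/v2c models. The sample commands, passwords and function names are constructed for illustration.

```python
import shlex

# Constructed sample configuration; every line uses a command form from this chapter.
SAMPLE_CONFIG = """\
C3(su)->set snmp user netops
C3(su)->set snmp user admin1 authentication md5 Examp1e
C3(su)->set snmp user admin2 authentication sha ExampleAuthPw privacy ExamplePrivPw
C3(su)->set snmp access powergroup security-model usm
C3(su)->set snmp access opsgroup security-model usm privacy read All
C3(su)->set snmp access legacy security-model v2c read All write All
"""

USER_KEYWORDS = {"remote", "authentication", "privacy", "volatile", "nonvolatile"}
ACCESS_OPTIONS = {"security-model", "context", "read", "write", "notify"}
LEVELS = {"noauthentication", "authentication", "privacy"}


def tokens_of(line):
    """Strip an optional CLI prompt such as 'C3(su)->' and split into words."""
    return shlex.split(line.split("->", 1)[-1])


def audit_user(args):
    """Apply the documented 'set snmp user' defaults and report weak results."""
    name, findings, i = args[0], [], 1
    auth = auth_pw = priv_pw = None
    while i < len(args):
        word = args[i]
        if word == "authentication" and i + 1 < len(args):
            auth = args[i + 1]
            i += 2
            # The optional authpassword follows the authentication type.
            if i < len(args) and args[i] not in USER_KEYWORDS:
                auth_pw = args[i]
                i += 1
        elif word == "privacy" and i + 1 < len(args):
            priv_pw = args[i + 1]
            i += 2
        elif word == "remote":
            i += 2
        else:
            i += 1
    if auth is None:
        findings.append((name, "no authentication (usmNoAuthProtocol)"))
    elif auth == "md5":
        findings.append((name, "md5 authentication; sha is also supported"))
    if priv_pw is None:
        findings.append((name, "no privacy (usmNoPrivProtocol)"))
    for label, password in (("auth", auth_pw), ("privacy", priv_pw)):
        if password is not None and len(password) < 8:
            findings.append((name, f"{label} password shorter than 8 characters"))
    return findings


def audit_access(args):
    """Apply the documented 'set snmp access' defaults and report weak results."""
    group, findings, opts, i = args[0], [], {}, 1
    while i < len(args):
        if args[i] in ACCESS_OPTIONS and i + 1 < len(args):
            opts[args[i]] = args[i + 1]
            i += 2
        else:
            if args[i] in LEVELS:
                opts["level"] = args[i]
            i += 1
    model = opts.get("security-model")
    level = opts.get("level", "noauthentication")  # documented default
    if model in ("v1", "v2c"):
        findings.append((group, f"{model} access: community string sent in cleartext"))
    elif level != "privacy":
        findings.append((group, f"usm access at level {level}"))
    if "write" in opts and (model != "usm" or level != "privacy"):
        findings.append((group, "write view granted without privacy"))
    return findings


def audit(config):
    """Return (name, issue) pairs for every user or access entry in config."""
    findings = []
    for line in config.splitlines():
        words = tokens_of(line)
        if words[:3] == ["set", "snmp", "user"] and len(words) > 3:
            findings += audit_user(words[3:])
        elif words[:3] == ["set", "snmp", "access"] and len(words) > 3:
            findings += audit_access(words[3:])
    return findings


if __name__ == "__main__":
    for subject, issue in audit(SAMPLE_CONFIG):
        print(f"{subject}: {issue}")
```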
Syntax
clear snmp access groupname security-model {v1 | v2c | usm} [noauthentication |
authentication | privacy] [context context]
Parameters
groupname
Specifies the name of the SNMP group for which to clear access.
security-model v1 | v2c | usm
Specifies the security model to be cleared for the SNMP access group.
noauthentication | authentication | privacy
(Optional) Clears a specific security level for the SNMP access group.
context context
(Optional) Clears a specific context for the SNMP access group. Enter //
to clear the default context.
Defaults
If security level is not specified, all levels will be cleared.
If context is not specified, none will be applied.
Mode
Switch command, read-write.
Example
This example shows how to clear SNMP version 3 access for the mis-group via the
authentication protocol:
C3(su)->clear snmp access mis-group security-model usm authentication
Commands
The commands used to review and configure SNMP MIB views are listed below.
Syntax
show snmp view [viewname] [subtree oid-or-mibobject] [volatile | nonvolatile |
read-only]
Parameters
viewname
(Optional) Displays information for a specific MIB view.
subtree oid-or-mibobject
(Optional) Displays information for a specific MIB subtree when
viewname is specified.
volatile | nonvolatile | read-only
(Optional) Displays entries for a specific storage type.
Defaults
If no parameters are specified, all SNMP MIB view configuration information will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP MIB view configuration information:
C3(su)->show snmp view
--- SNMP MIB View information ---
View Name    = All
Subtree OID  = 1
Subtree mask =
View Type    = included
Storage type = nonVolatile
Row status   = active

View Name    = All
Subtree OID  = 0.0
Subtree mask =
View Type    = included
Storage type = nonVolatile
Row status   = active

View Name    = Network
Subtree OID  = 1.3.6.1.2.1
Subtree mask =
View Type    = included
Storage type = nonVolatile
Row status   = active
Table 5-7 provides an explanation of the command output. For details on using the set snmp view
command to assign variables, refer to set snmp view on page 5-23.
Table 5-7
Output
What It Displays...
View Name
Subtree OID
Subtree mask
View Type
Whether or not subtree use must be included or excluded for this view.
Storage type
Row status
Syntax
show snmp context
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
An SNMP context is a collection of management information that can be accessed by an SNMP
agent or entity. The default context allows all SNMP agents to access all management information
(MIBs). When created using the set snmp access command (set snmp access on page 5-18), other
contexts can be applied to limit access to a subset of management information.
Example
This example shows how to display a list of all SNMP contexts known to the device:
C3(su)->show snmp context
--- Configured contexts:
default context (all mibs)
Syntax
set snmp view viewname viewname subtree subtree [mask mask] [included | excluded]
[volatile | nonvolatile]
Parameters
viewname viewname
Specifies a name for a MIB view.
subtree subtree
Specifies a MIB subtree name.
mask mask
(Optional) Specifies a bitmask for a subtree.
included | excluded
(Optional) Specifies subtree use (default) or no subtree use.
volatile | nonvolatile
(Optional) Specifies the use of temporary or permanent (default) storage.
Defaults
If not specified, mask will be set to 255.255.255.255.
If not specified, subtree use will be included.
If storage type is not specified, nonvolatile (permanent) will be applied.
Mode
Switch command, read-write.
Example
This example shows how to set an SNMP MIB view to public with a subtree name of 1.3.6.1
included:
C3(su)->set snmp view viewname public subtree 1.3.6.1 included
Syntax
clear snmp view viewname subtree
Parameters
viewname
Specifies the MIB view name to be deleted.
subtree
Specifies the subtree name of the MIB view to be deleted.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete SNMP MIB view public:
C3(su)->clear snmp view public 1.3.6.1
Commands
The commands used to review and configure SNMP target parameters are listed below.
Syntax
show snmp targetparams [targetParams] [volatile | nonvolatile | read-only]
Parameters
targetParams
(Optional) Displays entries for a specific target parameter.
volatile | nonvolatile | read-only
(Optional) Displays target parameter entries for a specific storage
type.
Defaults
If targetParams is not specified, entries associated with all target parameters will be displayed.
If not specified, entries of all storage types will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP target parameters information:
C3(su)->show snmp targetparams
--- SNMP TargetParams information ---
Target Parameter Name = v1ExampleParams
Security Name         = public
Message Proc. Model   = SNMPv1
Security Level        = noAuthNoPriv
Storage type          = nonVolatile
Row status            = active

Target Parameter Name = v2cExampleParams
Security Name         = public
Message Proc. Model   = SNMPv2c
Security Level        = noAuthNoPriv
Storage type          = nonVolatile
Row status            = active

Target Parameter Name = v3ExampleParams
Security Name         = CharlieDChief
Message Proc. Model   = USM
Security Level        = authNoPriv
Storage type          = nonVolatile
Row status            = active
Table 5-8 shows a detailed explanation of the command output.
Table 5-8
Output
What It Displays...
Unique identifier for the parameter in the SNMP target parameters table.
Maximum length is 32 bytes.
Security Name
SNMP version.
Security Level
Storage type
Row status
Syntax
set snmp targetparams paramsname user user security-model {v1 | v2c | usm} message-processing
{v1 | v2c | v3} [noauthentication | authentication | privacy] [volatile | nonvolatile]
Parameters
paramsname
Specifies a name identifying parameters used to generate SNMP messages
to a particular target.
user user
Specifies an SNMPv1 or v2 community name or an SNMPv3 user name.
Maximum length is 32 bytes.
security-model v1 | v2c | usm
Specifies the SNMP security model applied to this target parameter as
version 1, 2c or 3 (usm).
message-processing v1 | v2c | v3
Specifies the SNMP message processing model applied to this target
parameter as version 1, 2c or 3.
noauthentication | authentication | privacy
(Optional) Specifies the SNMP security level applied to this target
parameter as no authentication, authentication (without privacy) or
privacy. Privacy specifies that messages sent on behalf of the user are
protected from disclosure.
volatile | nonvolatile
(Optional) Specifies the storage type applied to this target parameter.
Defaults
None.
If not specified, security level will be set to noauthentication.
If not specified, storage type will be set to nonvolatile.
Mode
Switch command, read-write.
Example
This example shows how to set SNMP target parameters named v1ExampleParams for a user
named fred using version 3 security model and message processing, and authentication:
C3(su)->set snmp targetparams v1ExampleParams user fred security-model usm
message-processing v3 authentication
Syntax
clear snmp targetparams targetParams
Parameters
targetParams
Specifies the name of the parameter in the SNMP target parameters table
to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear SNMP target parameters named v1ExampleParams:
C3(su)->clear snmp targetparams v1ExampleParams
Commands
The commands used to review and configure SNMP target addresses are listed below.
Syntax
show snmp targetaddr [targetAddr] [volatile | nonvolatile | read-only]
Parameters
targetAddr
(Optional) Displays information for a specific target address name.
volatile | nonvolatile | read-only
(Optional) When target address is specified, displays target address
information for a specific storage type.
Defaults
If targetAddr is not specified, entries for all target address names will be displayed.
If not specified, entries of all storage types will be displayed for a target address.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP target address information:
C3(su)->show snmp targetaddr
Target Address Name = labmachine
Tag List            = v2cTrap
IP Address          = 10.2.3.116
UDP Port#           = 162
Target Mask         = 255.255.255.255
Timeout             = 1500
Retry count         = 4
Parameters          = v2cParams
Storage type        = nonVolatile
Row status          = active
Table 5-9 shows a detailed explanation of the command output.
Table 5-9
Output
What It Displays...
Tag List
IP Address
Target IP address.
UDP Port#
Target Mask
Timeout
Retry count
Parameters
Storage type
Row status
Syntax
set snmp targetaddr targetaddr ipaddr param param [udpport udpport] [mask mask]
[timeout timeout] [retries retries] [taglist taglist] [volatile | nonvolatile]
Parameters
targetaddr
Specifies a unique identifier to index the snmpTargetAddrTable.
Maximum length is 32 bytes.
ipaddr
Specifies the IP address of the target.
param param
Specifies an entry in the SNMP target parameters table, which is used
when generating a message to the target. Maximum length is 32 bytes.
udpport udpport
(Optional) Specifies which UDP port of the target host to use.
mask mask
(Optional) Specifies the IP mask of the target.
timeout timeout
(Optional) Specifies the maximum round trip time allowed to
communicate to this target address. This value is in .01 seconds and the
default is 1500 (15 seconds).
retries retries
(Optional) Specifies the number of message retries allowed if a response is
not received. Default is 3.
taglist taglist
(Optional) Specifies a list of SNMP notify tag values. This tags a location
to the target address as a place to send notifications. List must be enclosed
in quotes and tag values must be separated by a space (for example,
"tag1 tag2").
volatile | nonvolatile
(Optional) Specifies temporary (default), or permanent storage for SNMP
entries.
Defaults
If not specified, udpport will be set to 162.
If not specified, mask will be set to 255.255.255.255.
If not specified, timeout will be set to 1500.
If not specified, number of retries will be set to 3.
If taglist is not specified, none will be set.
If not specified, storage type will be nonvolatile.
Mode
Switch command, read-write.
Example
This example shows how to configure a trap notification called TrapSink. This trap notification
will be sent to the workstation 192.168.190.80 (which is target address tr). It will use security
and authorization criteria contained in a target parameters entry called v2cExampleParams. For
more information on configuring a basic SNMP trap, refer to Creating a Basic SNMP Trap
Configuration on page 5-43:
C3(su)->set snmp targetaddr tr 192.168.190.80 param v2cExampleParams taglist
TrapSink
Syntax
clear snmp targetaddr targetAddr
Parameters
targetAddr
Specifies the target address entry to delete.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear SNMP target address entry tr:
C3(su)->clear snmp targetaddr tr
Purpose
To configure SNMP notification parameters and optional filters. Notifications are entities which
handle the generation of SNMPv1 and v2 traps or SNMPv3 informs messages to select
management targets. Optional notification filters identify which targets should not receive
notifications. For a sample SNMP trap configuration showing how SNMP notification parameters
are associated with security and authorization criteria (target parameters) and mapped to a
management target address, refer to Creating a Basic SNMP Trap Configuration on page 5-43.
Commands
The commands used to configure SNMP notification parameters and filters are listed below.
show newaddrtrap
Use this command to display the global and port-specific status of the SNMP new MAC addresses
trap function.
Syntax
show newaddrtrap [port-string]
Parameters
port-string
(Optional) Displays the status of the new MAC addresses trap function
on specific ports.
Defaults
If port-string is not specified, the status of the new MAC addresses trap function will be displayed
for all ports.
Mode
Switch command, read-only.
Usage
By default, this function is disabled globally and per port.
Example
This example displays the status for Gigabit Ethernet ports 1 through 5 on unit 1.
C3(ro)->show newaddrtrap ge.1.1-5
New Address Traps Globally disabled
Port       Enable State
--------   ------------
ge.1.1     disabled
ge.1.2     disabled
ge.1.3     disabled
ge.1.4     disabled
ge.1.5     disabled
set newaddrtrap
Use this command to enable or disable SNMP trap messaging, globally or on one or more ports,
when new source MAC addresses are detected.
Syntax
set newaddrtrap [port-string] { enable | disable }
Parameters
port-string
(Optional) Enable or disable the new MAC addresses trap function on
specific ports.
enable | disable
Enable or disable the new MAC addresses trap function. If entered
without the port-string parameter, enables or disables the function
globally. When entered with the port-string parameter, enables or
disables the function on specific ports.
Defaults
If port-string is not specified, the trap function is set globally.
Mode
Switch mode, read-write.
Usage
This command enables and disables sending SNMP trap messages when a new source MAC
address is detected by a port. If the port is a CDP port, however, traps for new source MAC
addresses will not be sent.
The default mode is disabled globally and per port.
Example
This example enables the trap function globally and then on Gigabit Ethernet ports 1 through 5 on
unit 1.
C3(rw)->set newaddrtrap enable
C3(rw)->set newaddrtrap ge.1.1-5 enable
Syntax
show snmp notify [notify] [volatile | nonvolatile | read-only]
Parameters
notify
(Optional) Displays notify entries for a specific notify name.
volatile | nonvolatile | read-only
(Optional) Displays notify entries for a specific storage type.
Defaults
If a notify name is not specified, all entries will be displayed.
If volatile, nonvolatile or read-only are not specified, all storage type entries will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the SNMP notify information:
C3(su)->show snmp notify
--- SNMP notifyTable information ---
Notify name  = 1
Notify Tag   = Console
Notify Type  = trap
Storage type = nonVolatile
Row status   = active

Notify name  = 2
Notify Tag   = TrapSink
Notify Type  = trap
Storage type = nonVolatile
Row status   = active
Table 5-10 shows a detailed explanation of the command output.
Table 5-10
Output
What It Displays...
Notify name
Notify Tag
Notify Type
Storage type
Row status
Syntax
set snmp notify notify tag tag [trap | inform] [volatile | nonvolatile]
Parameters
notify
Specifies an SNMP notify name.
tag tag
Specifies an SNMP notify tag. This binds the notify name to the SNMP
target address table.
trap | inform
(Optional) Specifies SNMPv1 or v2 Trap messages (default) or SNMPv3
InformRequest messages.
volatile | nonvolatile
(Optional) Specifies temporary (default), or permanent storage for SNMP
entries.
Defaults
If not specified, message type will be set to trap.
If not specified, storage type will be set to nonvolatile.
Mode
Switch command, read-write.
Example
This example shows how to set an SNMP notify configuration with a notify name of hello and a
notify tag of world. Notifications will be sent as trap messages and storage type will
automatically default to permanent:
C3(su)->set snmp notify hello tag world trap
Syntax
clear snmp notify notify
Parameters
notify
Specifies an SNMP notify name to clear.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the SNMP notify configuration for hello:
C3(su)->clear snmp notify hello
Syntax
show snmp notifyfilter [profile] [subtree oid-or-mibobject] [volatile |
nonvolatile | read-only]
Parameters
profile
(Optional) Displays a specific notify filter.
subtree oid-or-mibobject
(Optional) Displays a notify filter within a specific subtree.
volatile | nonvolatile | read-only
(Optional) Displays notify filter entries of a specific storage type.
Defaults
If no parameters are specified, all notify filter information will be displayed.
Mode
Switch command, read-only.
Usage
See About SNMP Notify Filters on page 5-33 for more information about notify filters.
Example
This example shows how to display SNMP notify filter information. In this case, the notify profile
pilot1 in subtree 1.3.6 will not receive SNMP notification messages:
C3(su)->show snmp notifyfilter
--- SNMP notifyFilter information ---
Profile      = pilot1
Subtree      = 1.3.6
Filter type  = included
Storage type = nonVolatile
Row status   = active
Syntax
set snmp notifyfilter profile subtree oid-or-mibobject [mask mask] [included |
excluded] [volatile | nonvolatile]
Parameters
profile
Specifies an SNMP filter notify name.
subtree oid-or-mibobject
Specifies a MIB subtree ID target for the filter.
mask mask
(Optional) Applies a subtree mask.
included | excluded
(Optional) Specifies that subtree is included or excluded.
volatile | nonvolatile
(Optional) Specifies a storage type.
Defaults
If not specified, mask is not set.
If not specified, subtree will be included.
If storage type is not specified, nonvolatile (permanent) will be applied.
Mode
Switch command, read-write.
Usage
See About SNMP Notify Filters on page 5-33 for more information about notify filters.
Example
This example shows how to create an SNMP notify filter called pilot1 with a MIB subtree ID of
1.3.6:
C3(su)->set snmp notifyfilter pilot1 subtree 1.3.6
Syntax
clear snmp notifyfilter profile subtree oid-or-mibobject
Parameters
profile
Specifies an SNMP filter notify name to delete.
subtree oid-or-mibobject
Specifies a MIB subtree ID containing the filter to be deleted.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete the SNMP notify filter pilot1:
C3(su)->clear snmp notifyfilter pilot1 subtree 1.3.6
Syntax
show snmp notifyprofile [profile] [targetparam targetparam] [volatile |
nonvolatile | read-only]
Parameters
profile
(Optional) Displays a specific notify profile.
targetparam targetparam
(Optional) Displays entries for a specific target parameter.
volatile | nonvolatile | read-only
(Optional) Displays notify filter entries of a specific storage type.
Defaults
If no parameters are specified, all notify profile information will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display SNMP notify information for the profile named area51:
C3(su)->show snmp notifyprofile area51
--- SNMP notifyProfile information ---
Notify Profile = area51
TargetParam    = v3ExampleParams
Storage type   = nonVolatile
Row status     = active
Syntax
set snmp notifyprofile profile targetparam targetparam [volatile | nonvolatile]
Parameters
profile
Specifies an SNMP filter notify name.
targetparam targetparam
Specifies an associated entry in the SNMP Target Params Table.
volatile | nonvolatile
(Optional) Specifies a storage type.
Defaults
If storage type is not specified, nonvolatile (permanent) will be applied.
Mode
Switch command, read-write.
Example
This example shows how to create an SNMP notify profile named area51 and associate a target
parameters entry.
C3(su)->set snmp notifyprofile area51 targetparam v3ExampleParams
Syntax
clear snmp notifyprofile profile targetparam targetparam
Parameters
profile
Specifies an SNMP filter notify name to delete.
targetparam targetparam
Specifies an associated entry in the snmpTargetParamsTable.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete SNMP notify profile area51:
C3(su)->clear snmp notifyprofile area51 targetparam v3ExampleParams
Complete an SNMPv2 trap configuration on a SecureStack C3 device as follows:
1. Create a community name that will act as an SNMP user password.
2. Create an SNMP target parameters entry to associate security and authorization criteria to the
users in the community created in Step 1.
3. Verify if any applicable SNMP notification entries exist, or create a new one. You will use this
entry to send SNMP notification messages to the appropriate management targets created in
Step 2.
4. Create a target address entry to bind a management IP address to:
- The notification entry and tag name created in Step 3 and
- The target parameters entry created in Step 2.
Table 5-11 shows the commands used to complete an SNMPv2 trap configuration on a
SecureStack C3 device.
Table 5-11
To do this ...
Example
This example shows how to:
- Create an SNMP community called mgmt.
- Configure a trap notification called TrapSink.
This trap notification will be sent with the community name mgmt to the workstation
192.168.190.80 (which is target address tr). It will use security and authorization criteria contained
in a target parameters entry called v2cExampleParams.
C3(su)->set snmp community mgmt
C3(su)->set snmp targetparams v2cExampleParams user mgmt
security-model v2c message-processing v2c
C3(su)->set snmp notify entry1 tag TrapSink
C3(su)->set snmp targetaddr tr 192.168.190.80 param v2cExampleParams taglist
TrapSink
1. Determines if the keys for trap doors do exist. In the example configuration above, the
key that SNMP is looking for is the notification entry created with the set snmp notify
command which, in this case, is a key labeled entry1.
2. Searches for the doors matching such a key. For example, the parameters set for the entry1 key
show that it opens only the door TrapSink.
3. Verifies that the specified door TrapSink is, in fact, available. In this case it was built using the
set snmp targetaddr command. This command also specifies that this door leads to the
management station 192.168.190.80, and the procedure (targetparams) to cross the doorstep
is called v2cExampleParams.
4. Verifies that the v2cExampleParams description of how to step through the door is, in fact,
there. The agent checks targetparams entries and determines this description was made with
the set snmp targetparams command, which tells exactly which SNMP protocol to use and
what community name to provide. In this case, the community name is mgmt.
5. Verifies that the mgmt community name is available. In this case, it has been configured using
the set snmp community command.
6. Sends the trap notification message.
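The lookup steps above, as an added Python example that is not part of the original guide: it loads set snmp community, targetparams, notify and targetaddr commands and walks each notify entry through the same chain, reporting any link that is missing. BROKEN_CONFIG is a constructed variant with a one-character name mismatch, and the function names are hypothetical.

```python
import shlex

# The trap configuration from the example above, with wrapped commands rejoined.
GOOD_CONFIG = """\
C3(su)->set snmp community mgmt
C3(su)->set snmp targetparams v2cExampleParams user mgmt security-model v2c message-processing v2c
C3(su)->set snmp notify entry1 tag TrapSink
C3(su)->set snmp targetaddr tr 192.168.190.80 param v2cExampleParams taglist TrapSink
"""

# Constructed variant: targetaddr names a targetparams entry that does not exist.
BROKEN_CONFIG = GOOD_CONFIG.replace("param v2cExampleParams", "param v2ExampleParams")


def options(words, keys):
    """Collect 'keyword value' pairs from a command's argument list."""
    found, i = {}, 0
    while i < len(words) - 1:
        if words[i] in keys:
            found[words[i]] = words[i + 1]
            i += 2
        else:
            i += 1
    return found


def load(config):
    """Build the four tables the agent consults from 'set snmp ...' lines."""
    tables = {"community": {}, "targetparams": {}, "notify": {}, "targetaddr": {}}
    for line in config.splitlines():
        words = shlex.split(line.split("->", 1)[-1])  # drop the CLI prompt
        if len(words) < 4 or words[:2] != ["set", "snmp"] or words[2] not in tables:
            continue
        kind, name, rest = words[2], words[3], words[4:]
        if kind == "community":
            tables[kind][name] = {}
        elif kind == "targetparams":
            tables[kind][name] = options(rest, {"user", "security-model"})
        elif kind == "notify":
            tables[kind][name] = options(rest, {"tag"})
        elif rest:  # targetaddr: first argument after the name is the IP address
            entry = options(rest[1:], {"param", "taglist", "udpport"})
            entry["ip"] = rest[0]
            # A quoted taglist arrives as one token; tags are space separated.
            entry["tags"] = entry.pop("taglist", "").split()
            tables[kind][name] = entry
    return tables


def trace(config):
    """Follow each notify entry through the lookup steps; return (routes, problems)."""
    t = load(config)
    routes, problems = [], []
    for notify, entry in t["notify"].items():
        tag = entry.get("tag")
        doors = [(n, a) for n, a in t["targetaddr"].items() if tag in a["tags"]]
        if not doors:
            problems.append(f"notify {notify}: no targetaddr has tag {tag}")
        for addr_name, addr in doors:
            param_name = addr.get("param")
            params = t["targetparams"].get(param_name)
            if params is None:
                problems.append(
                    f"targetaddr {addr_name}: targetparams {param_name} not configured")
                continue
            user = params.get("user")
            # Only v1/v2c community names are checked; usm users are not loaded here.
            if params.get("security-model") in ("v1", "v2c") and user not in t["community"]:
                problems.append(
                    f"targetparams {param_name}: community {user} not configured")
                continue
            # UDP port 162 is the documented default when udpport is omitted.
            routes.append((notify, tag, addr["ip"], addr.get("udpport", "162"), user))
    return routes, problems


if __name__ == "__main__":
    for label, config in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, trace(config))
```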
6
Spanning Tree Configuration
This chapter describes the Spanning Tree Configuration set of commands and how to use them.
Caution: Spanning Tree configuration should be performed only by personnel who are very
knowledgeable about Spanning Trees and the configuration of the Spanning Tree Algorithm.
Otherwise, the proper operation of the network could be at risk.
RSTP
The IEEE 802.1w Rapid Spanning Protocol (RSTP), an evolution of 802.1D, can achieve much faster convergence than legacy STP in a properly configured network. RSTP significantly reduces the time to reconfigure the network's active topology when physical topology or configuration parameter changes occur. It selects one switch as the root of a Spanning Tree-connected active topology and assigns port roles to individual ports on the switch, depending on whether that port is part of the active topology.
RSTP provides rapid connectivity following the failure of a switch, switch port, or a LAN. A new root port and the designated port on the other side of the bridge transition to forwarding through an explicit handshake between them. By default, user ports are configured to rapidly transition to forwarding in RSTP.
MSTP
The IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) builds upon 802.1D and RSTP by optimizing utilization of redundant links between switches in a network. When redundant links exist between a pair of switches running single STP, one link is forwarding while the others are blocking for all traffic flowing between the two switches. The blocking links are effectively used only if the forwarding link goes down. MSTP assigns each VLAN present on the network to a particular Spanning Tree instance, allowing each switch port to be in a distinct state for each such instance: blocking for one Spanning Tree while forwarding for another. Thus, traffic associated with one set of VLANs can traverse a particular inter-switch link, while traffic associated with another set of VLANs can be blocked on that link. If VLANs are assigned to Spanning Trees wisely, no inter-switch link will be completely idle, maximizing network utilization.
For details on creating Spanning Tree instances, refer to "set spantree msti" on page 6-12.
For details on mapping Spanning Tree instances to VLANs, refer to "set spantree mstmap" on page 6-13.
Note: MSTP and RSTP are fully compatible and interoperable with each other and with legacy
STP 802.1D.
Creating a single Spanning Tree from any arrangement of switching or bridging elements.
Compensating automatically for the failure, removal, or addition of any device in an active data path.
Achieving port changes in short time intervals, which establishes a stable active topology quickly with minimal network disturbance.
Using a minimum amount of communications bandwidth to accomplish the operation of the Spanning Tree Protocol.
Reconfiguring the active topology in a manner that is transparent to stations transmitting and receiving data packets.
Managing the topology in a consistent and reproducible manner through the use of Spanning Tree Protocol parameters.
Note: The term bridge is used as an equivalent to the term switch or device in this document.
Commands
The commands used to review and set Spanning Tree bridge parameters are listed below.
Syntax
show spantree stats [port port-string] [sid sid] [active]
Parameters
port port-string
(Optional) Displays information for the specified port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
sid sid
(Optional) Displays information for a specific Spanning Tree identifier. If not specified, SID 0 is assumed.
active
(Optional) Displays information for ports that have received STP BPDUs since boot.
Defaults
If port-string is not specified, Spanning Tree information for all ports will be displayed.
If sid is not specified, information for Spanning Tree 0 will be displayed.
If active is not specified, information for all ports will be displayed regardless of whether or not they have received BPDUs.
Mode
Switch command, read-only.
Example
This example shows how to display the device's Spanning Tree configuration:
C3(su)->show spantree stats
Spanning tree status        enabled
Spanning tree instance      0
Designated Root MacAddr     00-e0-63-9d-c1-c8
Designated Root Priority    0
Designated Root Cost        10000
Designated Root Port        lag.0.1
Root Max Age                20 sec
Root Hello Time             2 sec
Root Forward Delay          15 sec
Bridge ID MAC Address       00-01-f4-da-5e-3d
Bridge ID Priority          32768
Bridge Max Age              20 sec
Bridge Hello Time           2 sec
Bridge Forward Delay        15 sec
Topology Change Count       7
Time Since Top Change       00 days 03:19:15
Max Hops                    20
Table 6-1 shows a detailed explanation of command output.
Table 6-1
Output
What It Displays...
Interval (in seconds) at which the root device sends BPDU (Bridge Protocol
Data Unit) packets.
Amount of time (in seconds) the root device spends in listening or learning
mode.
Bridge ID Priority
Maximum time (in seconds) the bridge can wait without receiving a
configuration message (bridge hello) before attempting to reconfigure.
This is a default value, or is assigned using the set spantree maxage
command. For details, refer to set spantree maxage on page 6-19.
Amount of time (in seconds) the bridge sends BPDUs. This is a default
value, or is assigned using the set spantree hello command. For details,
refer to set spantree hello on page 6-18.
Amount of time (in days, hours, minutes and seconds) since the last
topology change.
Max Hops
set spantree
Use this command to globally enable or disable the Spanning Tree protocol on the switch.
Syntax
set spantree {disable | enable}
Parameters
disable | enable
Globally disables or enables Spanning Tree.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable Spanning Tree on the device:
C3(su)->set spantree disable
Syntax
show spantree version
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display Spanning Tree version information for the device:
C3(su)->show spantree version
Force Version is mstp
Syntax
set spantree version {mstp | stpcompatible | rstp}
Parameters
mstp
Sets the version to STP 802.1s-compatible.
stpcompatible
Sets the version to STP 802.1D-compatible.
rstp
Sets the version to 802.1w-compatible.
Defaults
None.
Mode
Switch command, read-write.
Usage
In most networks, Spanning Tree version should not be changed from its default setting of mstp (Multiple Spanning Tree Protocol) mode. MSTP mode is fully compatible and interoperable with legacy STP 802.1D and Rapid Spanning Tree (RSTP) bridges. Setting the version to stpcompatible mode will cause the bridge to transmit only 802.1D BPDUs, and will prevent non-edge ports from rapidly transitioning to forwarding state.
Example
This example shows how to globally change the Spanning Tree version from the default of MSTP to RSTP:
C3(su)->set spantree version rstp
Syntax
clear spantree version
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the Spanning Tree version:
C3(su)->clear spantree version
Syntax
show spantree bpdu-forwarding
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the Spanning Tree BPDU forwarding mode:
C3(su)->show spantree bpdu-forwarding
BPDU forwarding is disabled.
Syntax
set spantree bpdu-forwarding {disable | enable}
Parameters
disable | enable
Disables or enables BPDU forwarding.
Defaults
By default BPDU forwarding is disabled.
Mode
Switch command, read-write.
Usage
The Spanning Tree protocol must be disabled (set spantree disable) for this feature to take effect.
Example
This example shows how to enable BPDU forwarding:
C3(rw)-> set spantree bpdu-forwarding enable
Syntax
show spantree bridgeprioritymode
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the Spanning Tree bridge priority mode setting:
C3(rw)->show spantree bridgeprioritymode
Bridge Priority Mode is set to IEEE802.1t mode.
Syntax
set spantree bridgeprioritymode {8021d | 8021t}
Parameters
8021d
Sets the bridge priority mode to use 802.1D (legacy) values, which are 0 - 65535.
8021t
Sets the bridge priority mode to use 802.1t values, which are 0 to 61440, in increments of 4096. Values will automatically be rounded up or down, depending on the 802.1t value to which the entered value is closest. This is the default bridge priority mode.
Defaults
None.
Mode
Switch command, read-write.
Usage
The mode affects the range of priority values used to determine which device is selected as the Spanning Tree root as described in set spantree priority ("set spantree priority" on page 6-17). The default for the switch is to use 802.1t bridge priority mode.
Example
This example shows how to set the bridge priority mode to 802.1D:
C3(rw)->set spantree bridgeprioritymode 8021d
Syntax
clear spantree bridgeprioritymode
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the bridge priority mode to 802.1t:
C3(rw)->clear spantree bridgeprioritymode
Syntax
show spantree mstilist
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display a list of MST instances. In this case, SID 2 has been configured:
C3(su)->show spantree mstilist
Configured Multiple Spanning Tree instances:
2
Syntax
set spantree msti sid sid {create | delete}
Parameters
sid sid
Sets the Multiple Spanning Tree ID. Valid values are 1 - 4094.
SecureStack C3 devices will support up to 4 MST instances.
create | delete
Creates or deletes an MST instance.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to create an MST instance 2:
C3(su)->set spantree msti sid 2 create
Syntax
clear spantree msti [sid sid]
Parameters
sid sid
(Optional) Deletes a specific multiple Spanning Tree ID.
Defaults
If sid is not specified, all MST instances will be cleared.
Mode
Switch command, read-write.
Example
This example shows how to delete all MST instances:
C3(su)->clear spantree msti
Syntax
show spantree mstmap [fid fid]
Parameters
fid fid
(Optional) Displays information for specific FIDs.
Defaults
If fid is not specified, information for all assigned FIDs will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display SID to FID mapping information for FID 1. In this case, no new mappings have been configured:
C3(su)->show spantree mstmap fid 1
FID:    SID:
1       0
Syntax
set spantree mstmap fid [sid sid]
Parameters
fid
Specifies one or more FIDs to assign to the MST. Valid values are 1 - 4093, and must correspond to a VLAN ID created using the set vlan command.
sid sid
(Optional) Specifies a Multiple Spanning Tree ID. Valid values are 1 - 4094, and must correspond to a SID created using the set msti command.
Defaults
If sid is not specified, FID(s) will be mapped to Spanning Tree 0.
Mode
Switch command, read-write.
Example
This example shows how to map FID 3 to SID 2:
C3(su)->set spantree mstmap 3 sid 2
Syntax
clear spantree mstmap fid
Parameters
fid
Specifies one or more FIDs to reset to 0.
Defaults
If fid is not specified, all SID to FID mappings will be reset.
Mode
Switch command, read-write.
Example
This example shows how to map FID 2 back to SID 0:
C3(su)->clear spantree mstmap 2
Syntax
show spantree vlanlist [vlan-list]
Parameters
vlan-list
(Optional) Displays SIDs assigned to specific VLAN(s).
Defaults
If not specified, SID assignment will be displayed for all VLANs.
Mode
Switch command, read-only.
Example
This example shows how to display the SIDs mapped to VLAN 1. In this case, SIDs 2, 16 and 42 are mapped to VLAN 1. For this information to display, the SID instance must be created using the set spantree msti command as described in "set spantree msti" on page 6-12, and the FIDs must be mapped to SID 1 using the set spantree mstmap command as described in "set spantree mstmap" on page 6-13:
C3(su)->show spantree vlanlist 1
The following SIDS are assigned to VLAN 1: 2 16 42
Syntax
show spantree mstcfgid
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the MST configuration identifier elements. In this case, the default revision level of 0, and the default configuration name (a string representing the bridge MAC address) have not been changed. For information on using the set spantree mstcfgid command to change these settings, refer to "set spantree mstcfgid" on page 6-16:
C3(su)->show spantree mstcfgid
MST Configuration Identifier:
Format Selector: 0
Configuration Name: 00:01:f4:89:51:94
Revision Level: 0
Configuration Digest: ac:36:17:7f:50:28:3c:d4:b8:38:21:d8:ab:26:de:62
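The Configuration Digest in the output above is defined by IEEE 802.1Q as an HMAC-MD5 over the VLAN-to-instance table with a fixed, published key, so it can be recomputed and compared across switches. The following is an added example, not code from the Enterasys guide: it reproduces the digest shown for the default mapping and reports which identifier elements keep two bridges out of the same MST region. The function names and the second switch's values are constructed, and it assumes FID n corresponds to VLAN n, as the mstmap parameter description states.

```python
import hashlib
import hmac

# Signature key fixed by IEEE 802.1Q for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_digest(vid_to_mstid):
    """HMAC-MD5 over the 4096-entry MST Configuration Table.

    Each entry is a 2-octet MSTID indexed by VLAN ID. Entries 0 and 4095
    are always zero; unmapped VLANs belong to instance 0.
    """
    table = bytearray(4096 * 2)
    for vid, mstid in vid_to_mstid.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID out of range: {vid}")
        if not 0 <= mstid <= 4094:
            raise ValueError(f"MSTID out of range: {mstid}")
        table[2 * vid:2 * vid + 2] = mstid.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).digest()


def format_digest(digest):
    """Render the digest the way 'show spantree mstcfgid' prints it."""
    return ":".join(f"{b:02x}" for b in digest)


def region_mismatches(a, b):
    """Return the identifier elements that differ between two bridges.

    Bridges form one MST region only when name, revision level and digest
    all match; any difference makes them separate regions.
    """
    diffs = []
    if a["name"] != b["name"]:
        diffs.append("name")
    if a["revision"] != b["revision"]:
        diffs.append("revision")
    if mst_config_digest(a["mapping"]) != mst_config_digest(b["mapping"]):
        diffs.append("digest")
    return diffs


# Values from the output above: default name (bridge MAC), revision 0,
# no mappings configured.
SWITCH_A = {"name": "00:01:f4:89:51:94", "revision": 0, "mapping": {}}
# Constructed second switch, also left at defaults (its own MAC as name).
SWITCH_B = {"name": "00:01:f4:00:00:01", "revision": 0, "mapping": {}}

if __name__ == "__main__":
    print(format_digest(mst_config_digest({})))
    # Two untouched switches differ in name alone, so they are not one region.
    print(region_mismatches(SWITCH_A, SWITCH_B))
    # Same name on both, but FID 3 mapped to SID 2 on one only: digest differs.
    a = dict(SWITCH_A, name="mstconfig", mapping={3: 2})
    b = dict(SWITCH_B, name="mstconfig")
    print(region_mismatches(a, b))
```

Comparing the three printed elements from show spantree mstcfgid on every switch is a quick way to spot a switch whose mapping has drifted from the rest of the region.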
Syntax
set spantree mstcfgid {cfgname name | rev level}
Parameters
cfgname name
Specifies an MST configuration name.
rev level
Specifies an MST revision level. Valid values are 0 - 65535.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the MST configuration name to mstconfig:
C3(su)->set spantree mstcfgid cfgname mstconfig
Syntax
clear spantree mstcfgid
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the MST configuration identifier elements to default values:
C3(su)->clear spantree mstcfgid
Syntax
set spantree priority priority [sid]
Parameters
priority
Specifies the priority of the bridge. Valid values are from 0 to 61440 (in increments of 4096), with 0 indicating highest priority and 61440 lowest priority.
sid
(Optional) Sets the priority on a specific Spanning Tree. Valid values are 0 - 4094. If not specified, SID 0 is assumed.
Defaults
If sid is not specified, priority will be set on Spanning Tree 0.
Mode
Switch command, read-write.
Usage
The device with the highest priority (lowest numerical value) becomes the Spanning Tree root device. If all devices have the same priority, the device with the lowest MAC address will then become the root device. Depending on the bridge priority mode (set with the set spantree bridgeprioritymode command described in "set spantree bridgeprioritymode" on page 6-10), some priority values may be rounded up or down.
Example
This example shows how to set the bridge priority to 4096 on SID 1:
C3(su)->set spantree priority 4096 1
Syntax
clear spantree priority [sid]
Parameters
sid
(Optional) Resets the priority on a specific Spanning Tree. Valid values are 0 - 4094. If not specified, SID 0 is assumed.
Defaults
If sid is not specified, priority will be reset on Spanning Tree 0.
Mode
Switch command, read-write.
Example
This example shows how to reset the bridge priority on SID 1:
C3(su)->clear spantree priority 1
Syntax
set spantree hello interval
Parameters
interval
Specifies the number of seconds the system waits before broadcasting a bridge hello message (a multicast message indicating that the system is active). Valid values are 1 - 10.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to globally set the Spanning Tree hello time to 10 seconds:
C3(su)->set spantree hello 10
Syntax
clear spantree hello
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to globally reset the Spanning Tree hello time:
C3(su)->clear spantree hello
Syntax
set spantree maxage agingtime
Parameters
agingtime
Specifies the maximum number of seconds that the system retains the information received from other bridges through STP. Valid values are 6 - 40.
Defaults
None.
Mode
Switch command, read-write.
Usage
The bridge maximum aging time is the maximum time (in seconds) a device can wait without receiving a configuration message (bridge "hello") before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STP information provided in the last configuration message becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network.
Example
This example shows how to set the maximum aging time to 25 seconds:
C3(su)->set spantree maxage 25
Syntax
clear spantree maxage
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to globally reset the maximum aging time:
C3(su)->clear spantree maxage
Syntax
set spantree fwddelay delay
Parameters
delay
Specifies the number of seconds for the bridge forward delay. Valid values are 4 - 30.
Defaults
None.
Mode
Switch command, read-write.
Usage
The forward delay is the maximum time (in seconds) the root device will wait before changing states (i.e., listening to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a blocking state; otherwise, temporary data loops might result.
Example
This example shows how to globally set the bridge forward delay to 16 seconds:
C3(su)->set spantree fwddelay 16
Syntax
clear spantree fwddelay
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to globally reset the bridge forward delay:
C3(su)->clear spantree fwddelay
Syntax
show spantree backuproot [sid]
Parameters
sid
(Optional) Display backup root status for a specific Spanning Tree identifier. Valid values are 0 - 4094. If not specified, SID 0 is assumed.
Defaults
If a SID is not specified, then status will be shown for Spanning Tree instance 0.
Mode
Switch command, read-only.
Example
This example shows how to display the status of the backup root function on SID 0:
C3(rw)->show spantree backuproot
Backup root is set to disable on sid 0
Syntax
set spantree backuproot sid {disable | enable}
Parameters
sid
Specifies the Spanning Tree instance on which to enable or disable the backup root function. Valid values are 0 - 4094.
disable | enable
Enables or disables the backup root function.
Defaults
None.
Mode
Switch command, read-write.
Usage
The Spanning Tree backup root function is disabled by default on the SecureStack C3. When this feature is enabled and the switch is directly connected to the root bridge, stale Spanning Tree information is prevented from circulating if the root bridge is lost. If the root bridge is lost, the backup root will dynamically lower its bridge priority so that it will be selected as the new root over the lost root bridge.
Example
This example shows how to enable the backup root function on SID 2:
C3(rw)->set spantree backuproot 2 enable
Syntax
clear spantree backuproot sid
Parameters
sid
Specifies the Spanning Tree on which to clear the backup root function. Valid values are 0 - 4094.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the backup root function to disabled on SID 2:
C3(rw)->clear spantree backuproot 2
Syntax
show spantree tctrapsuppress
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the status of topology change trap suppression:
C3(rw)->show spantree tctrapsuppress
Topology change Trap Suppression is set to enabled
Syntax
set spantree tctrapsuppress {disable | enable}
Parameters
disable | enable
Disables or enables topology change trap suppression.
Defaults
None.
Mode
Switch command, read-write.
Usage
By default, RSTP non-edge (bridge) ports that transition to forwarding or blocking cause the switch to issue a topology change trap. When topology change trap suppression is enabled, which is the device default, edge ports (such as end station PCs) are prevented from sending topology change traps. This is because there is usually no need for network management to monitor edge port STP transition states, such as when PCs are powered on. When topology change trap suppression is disabled, all ports, including edge and bridge ports, will transmit topology change traps.
Example
This example shows how to allow Rapid Spanning Tree edge ports to transmit topology change traps:
C3(rw)->set spantree tctrapsuppress disable
Syntax
clear spantree tctrapsuppress
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear topology change trap suppression setting:
C3(rw)->clear spantree tctrapsuppress
Syntax
set spantree protomigration <port-string>
Parameters
port-string
Reset the protocol state migration machine for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the protocol state migration machine on port 20:
C3(su)->set spantree protomigration ge.1.20
Syntax
show spantree spanguard
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the spanguard function status:
C3(su)->show spantree spanguard
Spanguard is disabled
Syntax
set spantree spanguard {enable | disable}
Parameters
enable | disable
Enables or disables the spanguard function.
Defaults
None.
Mode
Switch command, read-write.
Usage
Spanguard is designed to disable, or lock out, an "edge" port when an unexpected BPDU is received. The port can be configured to be re-enabled after a set time period, or only after manual intervention.
A port can be defined as an edge (user) port using the set spantree adminedge command, described in "set spantree adminedge" on page 6-38. A port designated as an edge port is expected to be connected to a workstation or other end-user type of device, and not to another switch in the network. When Spanguard is enabled, if a non-loopback BPDU is received on an edge port, the Spanning Tree state of that port will be changed to "blocking" and will no longer forward traffic. The port will remain disabled until the amount of time defined by set spantree spanguardtimeout ("set spantree spanguardtimeout" on page 6-27) has passed since the last seen BPDU, the port is manually unlocked (set or clear spantree spanguardlock, "clear / set spantree spanguardlock" on page 6-28), the configuration of the port is changed so it is no longer an edge port, or the spanguard function is disabled.
Spanguard is enabled and disabled only on a global basis across the stack. By default, spanguard is disabled and spanguard traps are enabled.
Example
This example shows how to enable the spanguard function:
C3(rw)->set spantree spanguard enable
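The four unlock conditions in the Usage text interact with the timeout in a way that is easy to misread: the timer counts from the last BPDU seen, not from the moment the port was locked. The following is an added example, a small model written for this page and not Enterasys firmware logic; the class and method names are hypothetical, and treating the timeout as expired at exactly the configured number of seconds is an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Port:
    admin_edge: bool = True            # set spantree adminedge <port> true
    locked: bool = False
    last_bpdu: Optional[float] = None  # time the last BPDU was seen (seconds)


class SpanguardModel:
    """Model of the lock and unlock rules in the Usage text above."""

    def __init__(self, enabled=False, timeout=300):
        self.enabled = enabled         # page default: spanguard disabled
        self.timeout = timeout         # page default: 300 s; 0 = manual unlock only
        self.ports = {}

    def port(self, name):
        return self.ports.setdefault(name, Port())

    def receive_bpdu(self, name, now, loopback=False):
        """A non-loopback BPDU on an edge port locks it and restarts the timer."""
        p = self.port(name)
        if loopback or not (self.enabled and p.admin_edge):
            return
        p.locked = True
        p.last_bpdu = now

    def is_locked(self, name, now):
        """Apply timeout expiry, then report the lock state at time 'now'."""
        p = self.port(name)
        if p.locked and self.timeout != 0 and now - p.last_bpdu >= self.timeout:
            p.locked = False
        return p.locked

    def clear_lock(self, name):
        """clear spantree spanguardlock <port>: manual unlock."""
        self.port(name).locked = False

    def set_adminedge(self, name, value):
        """A port that is no longer an edge port is released."""
        p = self.port(name)
        p.admin_edge = value
        if not value:
            p.locked = False

    def set_enabled(self, value):
        """Disabling spanguard globally releases every locked port."""
        self.enabled = value
        if not value:
            for p in self.ports.values():
                p.locked = False


def timeline(timeout):
    """Constructed scenario: BPDUs arrive on ge.1.16 at t=0 and again at t=200."""
    sg = SpanguardModel(enabled=True, timeout=timeout)
    sg.receive_bpdu("ge.1.16", now=0)
    sg.receive_bpdu("ge.1.16", now=200)   # still arriving while the port is locked
    return [(t, sg.is_locked("ge.1.16", t)) for t in (250, 499, 500, 100000)]


if __name__ == "__main__":
    print(timeline(300))  # lock lasts until 300 s after the second BPDU
    print(timeline(0))    # never expires; needs a manual unlock
```

With the default timeout, a device that keeps sending BPDUs keeps its port locked indefinitely, while one that sends a single BPDU regains forwarding after the timeout; a timeout of 0 forces an operator to review every lock.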
Syntax
clear spantree spanguard
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the status of the spanguard function to disabled:
C3(rw)->clear spantree spanguard
Syntax
show spantree spanguardtimeout
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the spanguard timeout setting:
C3(su)->show spantree spanguardtimeout
Spanguard timeout: 300
Syntax
set spantree spanguardtimeout timeout
Parameters
timeout
Specifies a timeout value in seconds. Valid values are 0 to 65535.
A value of 0 will keep the port locked until manually unlocked. The default value is 300 seconds.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the spanguard timeout to 600 seconds:
C3(su)->set spantree spanguardtimeout 600
Syntax
clear spantree spanguardtimeout
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the spanguard timeout to 300 seconds:
C3(rw)->clear spantree spanguardtimeout
Syntax
show spantree spanguardlock [port-string]
Parameters
port-string
(Optional) Specifies the port(s) for which to show spanguard lock status. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
If no port-string is specified, the spanguard lock status for all ports is displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the spanguard lock status for ge.1.1:
C3(su)->show spantree spanguardlock ge.1.1
Port ge.1.1 is Unlocked
Syntax
clear spantree spanguardlock port-string
set spantree spanguardlock port-string
Parameters
port-string
Specifies port(s) to unlock. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to unlock port ge.1.16:
C3(rw)->clear spantree spanguardlock ge.1.16
Syntax
show spantree spanguardtrapenable
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the state of the spanguard trap function:
C3(ro)->show spantree spanguardtrapenable
Spanguard SNMP traps are enabled
Syntax
set spantree spanguardtrapenable {disable | enable}
Parameters
disable | enable
Disables or enables sending spanguard traps. By default, sending traps is enabled.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable the spanguard trap function:
C3(su)->set spantree spanguardtrapenable disable
Syntax
clear spantree spanguardtrapenable
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the spanguard trap function to enabled:
C3(rw)->clear spantree spanguardtrapenable
Syntax
show spantree legacypathcost
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the default Spanning Tree path cost setting.
C3(su)->show spantree legacypathcost
Legacy Path Cost is disabled.
Syntax
set spantree legacypathcost {disable | enable}
Parameters
disable
Use 802.1t-2001 values to calculate path cost.
enable
Use 802.1d-1998 values to calculate path cost.
Defaults
None.
Mode
Switch command, read-write.
Usage
By default, legacy path cost is disabled. Enabling the device to calculate legacy path costs affects the range of valid values that can be entered in the set spantree adminpathcost command.
Example
This example shows how to set the default path cost values to 802.1D.
C3(rw)->set spantree legacypathcost enable
Syntax
clear spantree legacypathcost
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears the legacy path cost to 802.1t values.
C3(rw)->clear spantree legacypathcost
Commands
The commands used to review and set Spanning Tree port parameters are listed below.
Syntax
set spantree portadmin port-string {disable | enable}
Parameters
port-string
Specifies the port(s) for which to enable or disable Spanning Tree. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
disable | enable
Disables or enables Spanning Tree.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable Spanning Tree on fe.1.5:
C3(rw)->set spantree portadmin fe.1.5 disable
Syntax
clear spantree portadmin port-string
Parameters
port-string
Resets the default admin status on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the default Spanning Tree admin state to enable on fe.1.12:
C3(rw)->clear spantree portadmin fe.1.12
Syntax
show spantree portadmin [port port-string]
Parameters
port port-string
(Optional) Displays status for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
If port-string is not specified, status will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display port admin status for ge.1.1:
C3(ro)->show spantree portadmin port ge.1.1
Port ge.1.1 has portadmin set to enabled
Syntax
show spantree portpri [port port-string] [sid sid]
Parameters
port port-string
(Optional) Specifies the port(s) for which to display Spanning Tree priority. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
sid sid
(Optional) Displays port priority for a specific Spanning Tree identifier. Valid values are 0 - 4094. If not specified, SID 0 is assumed.
Defaults
If port-string is not specified, port priority will be displayed for all Spanning Tree ports.
If sid is not specified, port priority will be displayed for Spanning Tree 0.
Mode
Switch command, read-only.
Example
This example shows how to display the port priority for fe.2.7:
C3(su)->show spantree portpri port fe.2.7
Port fe.2.7 has a Port Priority of 128 on SID 0
Syntax
set spantree portpri port-string priority [sid sid]
Parameters
port-string
Specifies the port(s) for which to set Spanning Tree port priority. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
priority
Specifies a number that represents the priority of a link in a Spanning Tree bridge. Valid values are from 0 to 240 (in increments of 16) with 0 indicating high priority.
sid sid
(Optional) Sets port priority for a specific Spanning Tree identifier. Valid values are 0 - 4094. If not specified, SID 0 is assumed.
Defaults
If sid is not specified, port priority will be set for Spanning Tree 0.
Mode
Switch command, read-write.
Example
This example shows how to set the priority of fe.1.3 to 240 on SID 1:
C3(su)->set spantree portpri fe.1.3 240 sid 1
Syntax
clear spantree portpri port-string [sid sid]
Parameters
port-string
Specifies the port(s) for which to set Spanning Tree port priority. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
sid sid
(Optional) Resets the port priority for a specific Spanning Tree identifier. Valid values are 0 - 4094. If not specified, SID 0 will be assumed.
Defaults
If sid is not specified, port priority will be set for Spanning Tree 0.
Mode
Switch command, read-write.
Example
This example shows how to reset the priority of fe.1.3 to 128 on SID 1:
C3(su)->clear spantree portpri fe.1.3 sid 1
Syntax
show spantree adminpathcost [port port-string] [sid sid]
Parameters
port port-string
(Optional) Displays the admin path cost value for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
sid sid
(Optional) Displays the admin path cost for a specific Spanning Tree identifier. Valid values are 0 - 4094. If not specified, SID 0 will be assumed.
Defaults
If port-string is not specified, admin path cost for all Spanning Tree ports will be displayed.
If sid is not specified, admin path cost for Spanning Tree 0 will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the admin path cost for fe.3.4 on SID 1:
C3(su)->show spantree adminpathcost port fe.3.4 sid 1
Port fe.3.4 has a Port Admin Path Cost of 0 on SID 1
Syntax
set spantree adminpathcost port-string cost [sid sid]
Parameters
port-string
Specifies the port(s) on which to set an admin path cost. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
cost
Specifies the port path cost. Valid values are 0 - 200000000.
sid sid
(Optional) Sets the admin path cost for a specific Spanning Tree identifier. Valid values are 0 - 4094. If not specified, SID 0 will be assumed.
Defaults
If sid is not specified, admin path cost will be set for Spanning Tree 0.
Mode
Switch command, read-write.
Example
This example shows how to set the admin path cost to 200 for fe.3.2 on SID 1:
C3(su)->set spantree adminpathcost fe.3.2 200 sid 1
Syntax
clear spantree adminpathcost port-string [sid sid]
Parameters
port-string
Specifies the port(s) for which to reset admin path cost. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
sid sid
(Optional) Resets the admin path cost for specific Spanning Tree(s). Valid values are 0 - 4094. If not specified, SID 0 is assumed.
Defaults
If sid is not specified, admin path cost will be reset for Spanning Tree 0.
Mode
Switch command, read-write.
Example
This example shows how to reset the admin path cost to 0 for fe.3.2 on SID 1:
C3(su)->clear spantree adminpathcost fe.3.2 sid 1
Syntax
show spantree adminedge [port port-string]
Parameters
port-string
(Optional) Displays edge port administrative status for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
If port-string is not specified, edge port administrative status will be displayed for all Spanning Tree ports.
Mode
Switch command, read-only.
Example
This example shows how to display the edge port status for fe.3.2:
C3(su)->show spantree adminedge port fe.3.2
Port fe.3.2 has a Port Admin Edge of Edge-Port
Syntax
set spantree adminedge port-string {true | false}
Parameters
port-string
Specifies the edge port. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
true | false
Enables (true) or disables (false) the specified port as a Spanning Tree edge port.
Defaults
None.
Mode
Switch command, read-write.
Usage
The default behavior of the edge port administrative status begins with the value set to false initially after the device is powered up. If a Spanning Tree BPDU is not received on the port within a few seconds, the status setting changes to true.
Example
This example shows how to set fe.1.11 as an edge port:
C3(su)->set spantree adminedge fe.1.11 true
Syntax
clear spantree adminedge port-string
Parameters
port-string
Specifies port(s) on which to reset edge port status. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset fe.1.11 as a non-edge port:
C3(su)->clear spantree adminedge fe.1.11
7
802.1Q VLAN Configuration
This chapter describes the SecureStack C3 system's capabilities to implement 802.1Q virtual LANs (VLANs).
If the SecureStack C3 device is to be configured for multiple VLANs, it may be desirable to configure a management-only VLAN. This allows a station connected to the management VLAN to manage the device. It also makes management secure by preventing configuration via ports assigned to other VLANs.
To create a secure management VLAN, you must:
Step
Task
Refer to page...
1.
7-5
2.
Set the PVID for the desired switch port to the VLAN created in Step 1.
7-9
3.
Add the desired switch port to the egress list for the VLAN created in
Step 1.
7-16
4.
7-21
5.
5-14
The commands used to create a secure management VLAN are listed in Table 7-1. This example assumes the management station is attached to fe.1.1 and wants untagged frames.
The process described here would be repeated on every device that is connected in the network to ensure that each device has a secure management VLAN.
Table 7-1
To do this...
7-2
Viewing VLANs
Viewing VLANs
Purpose
To display a list of VLANs currently configured on the device, to determine how one or more
VLANs were created, the ports allowed and disallowed to transmit traffic belonging to VLAN(s),
and if those ports will transmit the traffic with a VLAN tag included.
Commands
The command used to view VLANs is listed below.
show vlan
Use this command to display all information related to one or more VLANs.
Syntax
show vlan [static] [vlan-list] [portinfo [vlan vlan-list | vlan-name] [port port-string]]
Parameters
static
(Optional) Displays information related to static VLANs. Static VLANs are
manually created using the set vlan command ("set vlan" on page 7-5),
SNMP MIBs, or the WebView management application. The default VLAN,
VLAN 1, is always statically configured and can't be deleted. Only ports
that use a specified VLAN as their default VLAN (PVID) will be displayed.
vlan-list
(Optional) Displays information for a specific VLAN or range of VLANs.
portinfo
(Optional) Displays VLAN attributes related to one or more ports.
vlan vlan-list | vlan-name
(Optional) Displays port information for one or more VLANs.
port port-string
(Optional) Displays port information for one or more ports.
Defaults
If no options are specified, all information related to static and dynamic VLANs will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display information for VLAN 1. In this case, VLAN 1 is named
"DEFAULT VLAN". Ports allowed to transmit frames belonging to VLAN 1 are listed as egress
ports. Ports that won't include a VLAN tag in their transmitted frames are listed as untagged
ports. There are no forbidden ports (prevented from transmitting frames) on VLAN 1:
C3(su)->show vlan 1
VLAN: 1
NAME: DEFAULT VLAN
VLAN Type: Default
Egress Ports
fe.1.1-10, ge.2.1-4, fe.3.1-7,
Forbidden Egress Ports
None.
Untagged Ports
fe.1.1-10, ge.2.1-4, fe.3.1-7,
Table 7-2 provides an explanation of the command output.
Table 7-2
Output                  What It Displays...
VLAN                    VLAN ID.
NAME
Status
VLAN Type
Egress Ports
Forbidden Egress Ports
Untagged Ports
Commands
The commands used to create and name static VLANs are listed below.
set vlan
Use this command to create a new static IEEE 802.1Q VLAN, or to enable or disable an existing
VLAN.
Syntax
set vlan {create | enable | disable} vlan-list
Parameters
create | enable | disable
Creates, enables or disables VLAN(s).
vlan-list
Specifies one or more VLAN IDs to be created, enabled or disabled.
Defaults
None.
Mode
Switch command, read-write.
Usage
Once a VLAN is created, you can assign it a name using the set vlan name command described in
"set vlan name" on page 7-6.
Each VLAN ID must be unique. If a duplicate VLAN ID is entered, the device assumes that the
Administrator intends to modify the existing VLAN.
Enter the VLAN ID using a unique number between 1 and 4093. The VLAN IDs of 0 and 4094 and
higher may not be used for user-defined VLANs.
Examples
This example shows how to create VLAN 3:
C3(su)->set vlan create 3
This example shows how to disable VLAN 3:
C3(su)->set vlan disable 3
Syntax
set vlan name vlan-list vlan-name
Parameters
vlan-list
Specifies the VLAN ID of the VLAN(s) to be named.
vlan-name
Specifies the string used as the name of the VLAN (1 to 32 characters).
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the name for VLAN 7 to green:
C3(su)->set vlan name 7 green
clear vlan
Use this command to remove a static VLAN from the list of VLANs recognized by the device.
Syntax
clear vlan vlan-list
Parameters
vlan-list
Specifies the VLAN ID of the VLAN(s) to be removed.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to remove a static VLAN 9 from the device's VLAN list:
C3(su)->clear vlan 9
Syntax
clear vlan name vlan-list
Parameters
vlan-list
Specifies the VLAN ID of the VLAN(s) for which the name will be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the name for VLAN 9:
C3(su)->clear vlan name 9
Commands
The commands used to configure port VLAN IDs and ingress filtering are listed below.
Syntax
show port vlan [port-string]
Parameters
port-string
(Optional) Displays PVID information for specific port(s). For a detailed
description of possible port-string values, refer to "Port String Syntax Used
in the CLI" on page 4-1.
Defaults
If port-string is not specified, port VLAN information for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display PVIDs assigned to Fast Ethernet ports 1 through 6 in unit 2. In
this case, untagged frames received on these ports will be classified to VLAN 1:
C3(su)->show port vlan fe.2.1-6
fe.2.1 is set to 1
fe.2.2 is set to 1
fe.2.3 is set to 1
fe.2.4 is set to 1
fe.2.5 is set to 1
fe.2.6 is set to 1
Syntax
set port vlan port-string pvid [modify-egress | no-modify-egress]
Parameters
port-string
Specifies the port(s) for which to configure a VLAN identifier. For a detailed
description of possible port-string values, refer to "Port String Syntax Used
in the CLI" on page 4-1.
pvid
Specifies the VLAN ID of the VLAN to which port(s) will be added.
modify-egress
(Optional) Adds port(s) to VLAN's untagged egress list and removes them
from other untagged egress lists.
no-modify-egress
(Optional) Does not prompt for or make egress list changes.
Defaults
None.
Mode
Switch command, read-write.
Usage
The PVID is used to classify untagged frames as they ingress into a given port. If the specified
VLAN has not already been created, this command will create it. It will prompt the user to add the
VLAN to the port's egress list as untagged, and to remove the default VLAN from the port's egress
list.
Example
This example shows how to add Fast Ethernet port 10 in unit 1 to the port VLAN list of VLAN 4
(PVID 4). Since VLAN 4 is a new VLAN, it is created. Then port fe.1.10 is added to VLAN 4's
untagged egress list. The port must then be cleared from the egress list of VLAN 1 (the default
VLAN) as shown:
C3(su)->set port vlan fe.1.10 4
C3(su)->set vlan create 4
C3(su)->set vlan egress 4 fe.1.10 untagged
C3(su)->clear vlan egress 1 fe.1.10
Syntax
clear port vlan port-string
Parameters
port-string
Specifies the port(s) to be reset to the host VLAN ID 1. For a detailed
description of possible port-string values, refer to "Port String Syntax Used
in the CLI" on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset ports fe.1.3 through 11 to a VLAN ID of 1 (Host VLAN):
C3(su)->clear port vlan fe.1.3-11
Syntax
show port ingress-filter [port-string]
Parameters
port-string
(Optional) Specifies the port(s) for which to display ingress filtering status.
For a detailed description of possible port-string values, refer to "Port String
Syntax Used in the CLI" on page 4-1.
Defaults
If port-string is not specified, ingress filtering status for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the port ingress filter status for Fast Ethernet ports 10 through
15 in unit 1. In this case, the ports are disabled for ingress filtering:
Syntax
set port ingress-filter port-string {disable | enable}
Parameters
port-string
Specifies the port(s) on which to enable or disable ingress filtering. For a
detailed description of possible port-string values, refer to "Port String
Syntax Used in the CLI" on page 4-1.
disable | enable
Disables or enables ingress filtering.
Defaults
None.
Mode
Switch command, read-write.
Usage
When ingress filtering is enabled on a port, the VLAN IDs of incoming frames are compared to the
port's egress list. If the received VLAN ID does not match a VLAN ID on the port's egress list, then
the frame is dropped.
Ingress filtering is implemented according to the IEEE 802.1Q standard.
Example
This example shows how to enable port ingress filtering on fe.1.3:
C3(su)->set port ingress-filter fe.1.3 enable
Syntax
show port discard [port-string]
Parameters
port-string
(Optional) Displays the frame discard mode for specific port(s). For a
detailed description of possible port-string values, refer to "Port String
Syntax Used in the CLI" on page 4-1.
Defaults
If port-string is not specified, frame discard mode will be displayed for all
ports.
Mode
Switch command, read-only.
Example
This example shows how to display the frame discard mode for Fast Ethernet port 7 in unit 2. In
this case, the port has been set to discard all tagged frames:
C3(su)->show port discard fe.2.7
Port         Discard Mode
------------ ------------
fe.2.7       tagged
Syntax
set port discard port-string {tagged | untagged | both | none}
Parameters
port-string
Specifies the port(s) for which to set frame discard mode. For a detailed
description of possible port-string values, refer to "Port String Syntax Used
in the CLI" on page 4-1.
tagged | untagged | both | none
Tagged - Discard all incoming (received) tagged packets on the defined
port(s).
Untagged - Discard all incoming untagged packets.
Both - All traffic will be discarded (tagged and untagged).
None - No packets will be discarded.
Defaults
None.
Mode
Switch command, read-write.
Usage
The options are to discard all incoming tagged frames, all incoming untagged frames, neither
(essentially allow all traffic), or both (essentially discarding all traffic).
A common practice is to discard all tagged packets on user ports. Typically an Administrator does
not want the end users defining what VLAN they use for communication.
Example
This example shows how to discard all tagged frames received on port ge.3.3:
C3(su)->set port discard ge.3.3 tagged
Commands
The commands used to configure VLAN egress and dynamic VLAN egress are listed below.
Syntax
show port egress [port-string]
Parameters
port-string
(Optional) Displays VLAN membership for specific port(s). For a detailed
description of possible port-string values, refer to "Port String Syntax Used
in the CLI" on page 4-1.
Defaults
If port-string is not specified, VLAN membership will be displayed for all ports.
Mode
Switch command, read-write.
Example
This example shows you how to show VLAN egress information for fe.1.1 through 3. In this case,
all three ports are allowed to transmit VLAN 1 frames as tagged and VLAN 10 frames as
untagged. Both are static VLANs:
C3(su)->show port egress fe.1.1-3
Port       Vlan     Egress     Registration
Number     Id       Status     Status
------------------------------------------------------
fe.1.1     1        tagged     static
fe.1.1     10       untagged   static
fe.1.2     1        tagged     static
fe.1.2     10       untagged   static
fe.1.3     1        tagged     static
fe.1.3     10       untagged   static
Syntax
set vlan forbidden vlan-id port-string
Parameters
vlan-id
Specifies the VLAN for which to set forbidden port(s).
port-string
Specifies the port(s) to set as forbidden for the specified vlan-id.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows you how to set fe.1.3 to forbidden for VLAN 6:
C3(su)->set vlan forbidden 6 fe.1.3
Syntax
set vlan egress vlan-list port-string [untagged | forbidden | tagged]
Parameters
vlan-list
Specifies the VLAN where a port(s) will be added to the egress list.
port-string
Specifies one or more ports to add to the VLAN egress list of the specified
vlan-list. For a detailed description of possible port-string values, refer to
"Port String Syntax Used in the CLI" on page 4-1.
untagged | forbidden | tagged
(Optional) Adds the specified ports as:
untagged - Causes the port(s) to transmit frames without an IEEE
802.1Q header tag.
forbidden - Instructs the device to ignore dynamic requests (either
through GVRP or dynamic egress) from the port(s) to join the VLAN
and disallows egress on that port.
tagged - Causes the port(s) to transmit 802.1Q tagged frames.
Defaults
If untagged, forbidden or tagged is not specified, the port will be added to the VLAN egress list
as tagged.
Mode
Switch command, read-write.
Examples
This example shows how to add fe.1.5 through 10 to the egress list of VLAN 7. This means that
these ports will transmit VLAN 7 frames as tagged:
C3(su)->set vlan egress 7 fe.1.5-10
This example shows how to forbid Fast Ethernet ports 13 through 15 in unit 1 from joining VLAN
7 and disallow egress on those ports:
C3(su)->set vlan egress 7 fe.1.13-15 forbidden
This example shows how to allow Fast Ethernet port 2 in unit 1 to transmit VLAN 7 frames as
untagged:
C3(su)->set vlan egress 7 fe.1.2 untagged
Syntax
clear vlan egress vlan-list port-string [forbidden]
Parameters
vlan-list
Specifies the number of the VLAN from which a port(s) will be removed
from the egress list.
port-string
Specifies one or more ports to be removed from the VLAN egress list of the
specified vlan-list. For a detailed description of possible port-string values,
refer to "Port String Syntax Used in the CLI" on page 4-1.
forbidden
(Optional) Clears the forbidden setting from the specified port(s) and resets
the port(s) as able to egress frames if so configured by either static or
dynamic means.
Defaults
If forbidden is not specified, tagged and untagged settings will be cleared.
Mode
Switch command, read-write.
Examples
This example shows how to remove fe.3.14 from the egress list of VLAN 9:
C3(su)->clear vlan egress 9 fe.3.14
This example shows how to remove all Fast Ethernet ports in unit 2 from the egress list of VLAN
4:
C3(su)->clear vlan egress 4 fe.2.*
Syntax
show vlan dynamicegress [vlan-list]
Parameters
vlan-list
(Optional) Displays dynamic egress status for specific VLAN(s).
Defaults
If vlan-list is not specified, the dynamic egress status for all VLANs will be displayed.
Mode
Switch command, read-write.
Example
This example shows how to display the dynamic egress status for VLANs 50-55:
C3(rw)->show vlan dynamicegress 50-55
VLAN 50 is disabled
VLAN 51 is disabled
VLAN 52 is disabled
VLAN 53 is enabled
VLAN 54 is enabled
VLAN 55 is enabled
Syntax
set vlan dynamicegress vlan-list {enable | disable}
Parameters
vlan-list
Specify the VLANs by ID to enable or disable dynamic egress.
enable | disable
Enables or disables dynamic egress.
Defaults
None.
Mode
Switch command, read-write.
Usage
If dynamic egress is enabled for a particular VLAN, when a port receives a frame tagged with that
VLAN's ID, the switch will add the receiving port to that VLAN's egress list. Dynamic egress is
disabled on the SecureStack C3 by default.
For example, assume you have 20 AppleTalk users on your network who are mobile users (that is,
use different ports every day), but you want to keep the AppleTalk traffic isolated in its own
VLAN. You can create an AppleTalk VLAN with a VLAN ID of 55 with a classification rule that all
AppleTalk traffic gets tagged with VLAN ID 55. Then, you enable dynamic egress for VLAN 55.
Now, when an AppleTalk user plugs into port ge.3.5 and sends an AppleTalk packet, the switch
will tag the packet to VLAN 55 and also add port ge.3.5 to VLAN 55's egress list, which allows the
AppleTalk user to receive AppleTalk traffic.
Example
This example shows how to enable dynamic egress on VLAN 55:
C3(rw)->set vlan dynamicegress 55 enable
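The per-port checks configured in this chapter (frame discard mode, PVID classification, ingress filtering, dynamic egress and forbidden ports) interact, and a small model makes the combined result visible. The Python below is an added illustration, not Enterasys code: the class and function names are hypothetical, classification rules are not modelled, and the order in which dynamic egress and the ingress filter are applied is an assumption the guide does not state.

```python
"""Model of the per-port ingress checks this chapter configures.

Added illustration only; it is not SecureStack C3 firmware logic.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Port:
    name: str
    pvid: int = 1                 # set port vlan: VLAN for untagged frames
    discard: str = "none"         # set port discard {tagged|untagged|both|none}
    ingress_filter: bool = False  # set port ingress-filter {enable|disable}


@dataclass
class Switch:
    egress: Dict[int, Set[str]] = field(default_factory=dict)     # set vlan egress
    forbidden: Dict[int, Set[str]] = field(default_factory=dict)  # set vlan forbidden
    dynamic_egress: Set[int] = field(default_factory=set)         # set vlan dynamicegress

    def receive(self, port: Port, tag: Optional[int]) -> Tuple[str, Optional[int]]:
        """Decide the fate of one received frame.

        tag is the 802.1Q VLAN ID carried by the frame, or None if untagged.
        Returns (verdict, vlan); verdict is "forward" or a drop reason.
        """
        # 1. Frame discard mode only looks at whether a tag is present.
        if tag is not None and port.discard in ("tagged", "both"):
            return ("drop:discard-tagged", None)
        if tag is None and port.discard in ("untagged", "both"):
            return ("drop:discard-untagged", None)

        # 2. Untagged frames are classified to the port's PVID.
        vlan = port.pvid if tag is None else tag

        # 3. Dynamic egress: a frame tagged with an enabled VLAN's ID adds the
        #    receiving port to that VLAN's egress list, unless the port is
        #    forbidden for the VLAN. Assumption: this happens before step 4.
        if (tag is not None and vlan in self.dynamic_egress
                and port.name not in self.forbidden.get(vlan, set())):
            self.egress.setdefault(vlan, set()).add(port.name)

        # 4. Ingress filtering: drop if the frame's VLAN is not on the
        #    port's egress list.
        if port.ingress_filter and port.name not in self.egress.get(vlan, set()):
            return ("drop:ingress-filter", vlan)
        return ("forward", vlan)


def demo() -> dict:
    """Constructed scenario: VLAN 55 has dynamic egress enabled."""
    sw = Switch(egress={1: {"ge.3.5", "ge.3.6"}, 55: set()},
                forbidden={55: {"ge.3.7"}},
                dynamic_egress={55})
    open_port = Port("ge.3.5", ingress_filter=True)
    hardened = Port("ge.3.6", discard="tagged", ingress_filter=True)
    forbidden_port = Port("ge.3.7", ingress_filter=True)
    results = {
        "untagged": sw.receive(open_port, None),
        "tagged_99": sw.receive(open_port, 99),
        "tagged_55_open": sw.receive(open_port, 55),
        "tagged_55_hardened": sw.receive(hardened, 55),
        "tagged_55_forbidden": sw.receive(forbidden_port, 55),
    }
    results["vlan55_egress"] = sorted(sw.egress[55])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

In this model only the port that accepts tagged frames and is not forbidden ends up on VLAN 55's egress list, which is the reason the guide recommends discarding tagged frames on user ports.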
Commands
The commands needed to configure host VLANs are listed below.
show host vlan
Syntax
show host vlan
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the host VLAN:
C3(su)->show host vlan
Host vlan is 7.
Syntax
set host vlan vlan-id
Parameters
vlan-id
Specifies the number of the VLAN to set as the host VLAN.
Defaults
None.
Mode
Switch command, read-write.
Usage
The host VLAN should be a secure VLAN where only designated users are allowed access. For
example, a host VLAN could be specifically created for device management. This would allow a
management station connected to the management VLAN to manage all ports on the device and
make management secure by preventing management via ports assigned to other VLANs.
Note: Before you can designate a VLAN as the host VLAN, you must create a VLAN using the set
of commands described in "Creating and Naming Static VLANs" on page 7-5.
Example
This example shows how to set VLAN 7 as the host VLAN:
C3(su)->set host vlan 7
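One way to check that only designated ports can reach the host VLAN is to compare that VLAN's egress list with an allow-list. The Python below is an added example, not part of the guide: it parses text laid out like the show vlan and show host vlan examples in this chapter, the sample output and the allowed ports are constructed, and the function names are hypothetical.

```python
"""Compare the host (management) VLAN's egress list with an allow-list.

Added illustration; parses CLI text in the layout printed in this guide.
"""
import re
from typing import Dict, List, Set

# Constructed sample, laid out like the guide's "show vlan" example.
SAMPLE_SHOW_VLAN = """\
VLAN: 7
NAME: mgmt
Egress Ports
fe.1.1, fe.1.20-22, ge.2.1,
Forbidden Egress Ports
fe.3.1-4,
Untagged Ports
fe.1.1, fe.1.20-22,
"""
SAMPLE_SHOW_HOST_VLAN = "Host vlan is 7."  # same wording as the guide's example

_PORT_ITEM = re.compile(r"^([a-z]+)\.(\d+)\.(\d+)(?:-(\d+))?$")
_SECTIONS = {
    "Egress Ports": "egress",
    "Forbidden Egress Ports": "forbidden",
    "Untagged Ports": "untagged",
}


def port_key(port: str):
    """Sort key so that fe.1.9 orders before fe.1.10."""
    kind, unit, num = port.split(".")
    return (kind, int(unit), int(num))


def expand_port_string(text: str) -> Set[str]:
    """Expand 'fe.1.1-10, ge.2.1-4,' into individual port names.

    Handles only the type.unit.port and type.unit.first-last forms that
    appear in the command output; wildcards such as fe.2.* raise ValueError
    because they cannot be expanded without knowing the hardware.
    """
    ports: Set[str] = set()
    for item in text.split(","):
        item = item.strip()
        if not item or item.lower() == "none.":
            continue
        m = _PORT_ITEM.match(item)
        if m is None:
            raise ValueError(f"unsupported port-string item: {item!r}")
        first = int(m.group(3))
        last = int(m.group(4)) if m.group(4) is not None else first
        if last < first:
            raise ValueError(f"descending range: {item!r}")
        ports.update(f"{m.group(1)}.{m.group(2)}.{n}" for n in range(first, last + 1))
    return ports


def parse_show_vlan(output: str) -> Dict[int, Dict[str, Set[str]]]:
    """Return {vlan_id: {"egress": ..., "forbidden": ..., "untagged": ...}}."""
    vlans: Dict[int, Dict[str, Set[str]]] = {}
    current = None
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"^VLAN:\s*(\d+)", line)
        if m:
            current = vlans.setdefault(
                int(m.group(1)), {key: set() for key in _SECTIONS.values()})
            section = None
        elif line in _SECTIONS:
            section = _SECTIONS[line]
        elif line and current is not None and section is not None:
            current[section] |= expand_port_string(line)
    return vlans


def parse_host_vlan(output: str) -> int:
    m = re.search(r"Host vlan is (\d+)", output)
    if m is None:
        raise ValueError("no host VLAN line found")
    return int(m.group(1))


def audit_management_vlan(vlans, host_vlan: int, allowed: Set[str]) -> Dict[str, List[str]]:
    """Report ports that can reach the host VLAN but are not designated."""
    info = vlans[host_vlan]
    return {
        "unexpected_egress": sorted(info["egress"] - allowed, key=port_key),
        "missing_allowed": sorted(allowed - info["egress"], key=port_key),
        "tagged_egress": sorted(info["egress"] - info["untagged"], key=port_key),
    }


if __name__ == "__main__":
    host = parse_host_vlan(SAMPLE_SHOW_HOST_VLAN)
    # Assumed allow-list: management station on fe.1.1, uplink on ge.2.1.
    report = audit_management_vlan(parse_show_vlan(SAMPLE_SHOW_VLAN), host,
                                   {"fe.1.1", "ge.2.1"})
    print(host, report)
```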
Syntax
clear host vlan
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the host VLAN to the default setting:
C3(su)->clear host vlan
Overview
The purpose of GVRP is to dynamically create VLANs across a switched network. When a VLAN
is declared, the information is transmitted out GVRP-configured ports on the device in a GARP
formatted frame using the GVRP multicast MAC address. A switch that receives this frame
examines the frame and extracts the VLAN IDs. GVRP then creates the VLANs and adds the
receiving port to its tagged member list for the extracted VLAN ID(s). The information is then
transmitted out the other GVRP-configured ports of the device. Figure 7-1 shows an example of
how VLAN blue from end station A would be propagated across a switch network.
How It Works
In Figure 7-1 on page 7-24, Switch 4, port 1 is registered as being a member of VLAN Blue and
then declares this fact out all its ports (2 and 3) to Switch 1 and Switch 2. These two devices
register this in the port egress lists of the ports (Switch 1, port 1 and Switch 2, port 1) that received
the frames with the information. Switch 2, which is connected to Switch 3 and Switch 5, declares
the same information to those two devices and the port egress list of each port is updated with the
new information, accordingly.
Configuring a VLAN on an 802.1Q switch creates a static VLAN entry. The entry will always
remain registered and will not time out. However, dynamic entries will time out and their
registrations will be removed from the member list if the end station A is removed. This ensures
that, if switches are disconnected or if end stations are removed, the registered information
remains accurate.
The end result is that the port egress list of a port is updated with information about VLANs that
reside on that port, even if the actual station on the VLAN is several hops away.
Figure 7-1 [diagram not reproduced; labels recovered: Switch 1, Switch 2, Switch 4, Switch 5, End Station A, port markers R and D]
Purpose
To dynamically create VLANs across a switched network. The GVRP command set is used to
display GVRP configuration information, the current global GVRP state setting, individual port
settings (enable or disable) and timer settings. By default, GVRP is enabled globally on the device,
but disabled on all ports.
Commands
The commands used to configure GVRP are listed below.
show gvrp
Use this command to display GVRP configuration information.
Syntax
show gvrp [port-string]
Parameters
port-string
(Optional) Displays GVRP configuration information for specific port(s). For
a detailed description of possible port-string values, refer to "Port String
Syntax Used in the CLI" on page 4-1.
Defaults
If port-string is not specified, GVRP configuration information will be displayed for all ports and
the device.
Mode
Switch command, read-only.
Example
This example shows how to display GVRP status for the device and for fe.2.1:
C3(su)->show gvrp fe.2.1
Global GVRP status is enabled.
Port Number  GVRP status
-----------  -----------
fe.2.1       disabled
Syntax
show garp timer [port-string]
Parameters
port-string
(Optional) Displays GARP timer information for specific port(s). For a
detailed description of possible port-string values, refer to "Port String
Syntax Used in the CLI" on page 4-1.
Defaults
If port-string is not specified, GARP timer information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display GARP timer information on Fast Ethernet ports 1 through 10
in unit 1:
Note: For a functional description of the terms join, leave, and leaveall timers, refer to the
standard IEEE 802.1Q documentation, which is not supplied with this device.
C3(su)->show garp timer fe.1.1-10
Port based GARP Configuration: (Timer units are centiseconds)
Port Number Join       Leave      Leaveall
----------- ---------- ---------- ----------
fe.1.1      20         60         1000
fe.1.2      20         60         1000
fe.1.3      20         60         1000
fe.1.4      20         60         1000
fe.1.5      20         60         1000
fe.1.6      20         60         1000
fe.1.7      20         60         1000
fe.1.8      20         60         1000
fe.1.9      20         60         1000
fe.1.10     20         60         1000
Table 7-3 provides an explanation of the command output. For details on using the set gvrp
command to enable or disable GVRP, refer to "set gvrp" on page 7-27. For details on using the set
garp timer command to change default timer values, refer to "set garp timer" on page 7-28.
Table 7-3
Output                  What It Displays...
Port Number
Join
Leave
Leaveall
set gvrp
Use this command to enable or disable GVRP globally on the device or on one or more ports.
Syntax
set gvrp {enable | disable} [port-string]
Parameters
disable | enable
Disables or enables GVRP on the device.
port-string
(Optional) Disables or enables GVRP on specific port(s). For a detailed
description of possible port-string values, refer to "Port String Syntax Used in
the CLI" on page 4-1.
Defaults
If port-string is not specified, GVRP will be disabled or enabled for all ports.
Mode
Switch command, read-write.
Examples
This example shows how to enable GVRP globally on the device:
C3(su)->set gvrp enable
This example shows how to disable GVRP globally on the device:
C3(su)->set gvrp disable
This example shows how to enable GVRP on fe.1.3:
C3(su)->set gvrp enable fe.1.3
clear gvrp
Use this command to clear GVRP status globally or on one or more ports.
Syntax
clear gvrp [port-string]
Parameters
port-string
(Optional) Clears GVRP status on specific port(s). For a detailed description of
possible port-string values, refer to "Port String Syntax Used in the CLI" on
page 4-1.
Defaults
If port-string is not specified, GVRP status will be cleared for all ports.
Mode
Switch command, read-write.
Example
This example shows how to clear GVRP status globally on the device:
C3(su)->clear gvrp
Syntax
set garp timer {[join timer-value] [leave timer-value] [leaveall timer-value]}
port-string
Parameters
join timer-value
Sets the GARP join timer in centiseconds (Refer to 802.1Q standard.)
leave timer-value
Sets the GARP leave timer in centiseconds (Refer to 802.1Q standard.)
leaveall timer-value
Sets the GARP leaveall timer in centiseconds (Refer to 802.1Q standard.)
port-string
Specifies the port(s) on which to configure GARP timer settings. For a
detailed description of possible port-string values, refer to "Port String
Syntax Used in the CLI" on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Usage
The setting of these timers is critical and should only be changed by personnel familiar with the
802.1Q standards documentation, which is not supplied with this device.
Examples
This example shows how to set the GARP join timer value to 100 centiseconds for all ports:
C3(su)->set garp timer join 100 *.*.*
This example shows how to set the leave timer value to 300 centiseconds for all ports:
C3(su)->set garp timer leave 300 *.*.*
This example shows how to set the leaveall timer value to 20000 centiseconds for all ports:
C3(su)->set garp timer leaveall 20000 *.*.*
8
Policy Classification Configuration
This chapter describes the Policy Classification set of commands and how to use them.
Create, change or remove policy profiles based on business-specific use of network services.
Permit or deny access to specific services by creating and assigning classification rules which
map user profiles to protocol-based frame filtering policies configured for a particular VLAN
or Class of Service (CoS).
Assign or unassign ports to policy profiles so that only ports activated for a profile will be
allowed to transmit frames accordingly.
Note: It is recommended that you use Enterasys Networks NetSight Policy Manager as an
alternative to CLI for configuring policy classification on the SecureStack C3 devices.
Commands
The commands used to review and configure policy profiles are listed below.
Syntax
show policy profile {all | profile-index [consecutive-pids] [-verbose]}
Parameters
all | profile-index
Displays policy information for all profile indexes or a specific profile index.
consecutive-pids
(Optional) Displays information for specified consecutive profile indexes.
-verbose
(Optional) Displays detailed information.
Defaults
If optional parameters are not specified, summary information will be displayed for the specified
index or all indices.
Mode
Switch command, read-only.
Example
This example shows how to display policy information for profile 11:
C3(su)->show policy profile 11
Profile Index          : 11
Profile Name           : MacAuth1
Row Status             : active
Port VID Status        : Enable
Port VID Override      : 11
CoS                    : 0
CoS Status             : Disable
Egress Vlans           : none
Forbidden Vlans        : none
Untagged Vlans         : none
Replace TCI Status     : Disable
Rule Precedence        : 1-31
                       :MACSource(1),MACDest(2),Unknown(3),
                       :Unknown(4),Unknown(5),Unknown(6),
                       :Unknown(7),Unknown(8),Unknown(9),
                       :Unknown(10),Unknown(11),IPSource(12),
                       :IPDest(13),IPFrag(14),UDPSrcPort(15),
                       :UDPDestPort(16),TCPSrcPort(17),TCPDestPort(18),
                       :ICMPType(19),Unknown(20),IPTOS(21),
                       :IPProto(22),Unknown(23),Unknown(24),
                       :Ether(25),Unknown(26),VLANTag(27),
                       :Unknown(28),Unknown(29),Unknown(30),
                       :port(31)
Admin Profile Usage    : none
Oper Profile Usage     : none
Dynamic Profile Usage  : none
Table 8-1 provides an explanation of the command output.
Table 8-1
Output                 What It Displays...
Profile Index
Profile Name
Row Status
                       Whether or not PVID override is enabled or disabled for this profile. If all
                       classification rules associated with this profile are missed, then this parameter, if
                       specified, determines default behavior.
CoS
CoS Status             Whether or not Class of Service override is enabled or disabled for this profile. If all
                       classification rules associated with this profile are missed, then this parameter, if
                       specified, determines default behavior.
Egress VLANs           VLAN(s) that ports to which the policy profile is assigned can use for tagged egress.
Forbidden VLANs
Untagged VLANs         VLAN(s) that ports to which the policy profile is assigned can use for untagged
                       egress.
                       Whether or not the TCI overwrite function is enabled or disabled for this profile.
Rule Precedence
Admin Profile Usage    Ports administratively assigned to use this policy profile.
Oper Profile Usage
Dynamic Profile Usage
Syntax
set policy profile profile-index [name name] [pvid-status {enable | disable}]
[pvid pvid] [cos-status {enable | disable}] [cos cos] [egress-vlans egress-vlans]
[forbidden-vlans forbidden-vlans] [untagged-vlans untagged-vlans] [append]
[clear] [tci-overwrite {enable | disable}] [precedence precedence-list]
Parameters
profile-index
Specifies an index number for the policy profile. Valid values are 1-255.
name name
(Optional) Specifies a name for the policy profile. This is a string from 1 to
64 characters.
pvid-status enable | disable
(Optional) Enables or disables PVID override for this profile. If all
classification rules associated with this profile are missed, then this
parameter, if specified, determines default behavior.
pvid pvid
(Optional) Specifies the PVID to assign to packets, if PVID override is enabled and
invoked as default behavior.
cos-status enable | disable
(Optional) Enables or disables Class of Service override for this profile. If all
classification rules associated with this profile are missed, then this
parameter, if specified, determines default behavior.
cos cos
(Optional) Specifies a CoS value to assign to packets, if CoS override is
enabled and invoked as default behavior. Valid values are 0 to 7.
egress-vlans egress-vlans
(Optional) Specifies that the port to which this policy profile is applied
should be added to the egress list of the VLANs defined by egress-vlans.
Packets will be formatted as tagged.
forbidden-vlans forbidden-vlans
(Optional) Specifies that the port to which this policy profile is applied
should be added as forbidden to the egress list of the VLANs defined by
forbidden-vlans. Packets from this port will not be allowed to participate in
the listed VLANs.
untagged-vlans untagged-vlans
(Optional) Specifies that the port to which this policy profile is applied
should be added to the egress list of the VLANs defined by untagged-vlans.
Packets will be formatted as untagged.
append
(Optional) Appends this policy profile setting to settings previously
specified for this policy profile by the egress-vlans, forbidden-vlans, or
untagged-vlans parameters.
If append is not used, previous VLAN settings are replaced.
clear
(Optional) Appends this policy profile setting from settings previously
specified for this policy profile by the egress-vlans, forbidden-vlans, or
untagged-vlans parameters.
tci-overwrite enable | disable
(Optional) Enables or disables TCI (tag control information) overwrite for
this profile. When enabled, rules configured for this profile are allowed to
overwrite user priority and other classification information in the VLAN
tag's TCI field.
precedence precedence-list
(Optional) Assigns a rule precedence to this profile. Lower values will be
given higher precedence.
Defaults
If optional parameters are not specified, none will be applied.
Mode
Switch command, read-write.
Example
This example shows how to create a policy profile 1 named "netadmin" with PVID override
enabled for PVID 10, and Class of Service override enabled for CoS 5. This profile can use VLAN
10 for untagged egress:
C3(su)->set policy profile 1 name netadmin pvid-status enable pvid 10 cos-status
enable cos 5 untagged-vlans 10
Syntax
clear policy profile profile-index
Parameters
profile-index
Specifies the index number of the profile entry to be deleted. Valid values
are 1 to 255.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete policy profile 8:
C3(su)->clear policy profile 8
Commands
The commands used to review, assign and unassign classification rules to user profiles and ports
are listed below.
Syntax
show policy rule [all | admin-profile | profile-index] [ ipproto | ipdestsocket |
ipsourcesocket | iptos | port | tcpdestport | tcpsourceport | udpdestport |
udpsourceport] [data] [mask mask] [port-string port-string] [rule-status {active
| not-in-service | not-ready}] [storage-type {non-volatile | volatile}] [vlan
vlan] | [drop | forward] [dynamic-pid dynamic-pid] [cos cos] [admin-pid admin-pid]
[-verbose] [usage-list] [display-if-used]
Parameters
all | admin-profile | profile-index
Displays policy classification rules for all profiles, profile ID 0 (admin
profile), or for a specific profile index number. Valid values are 1-1023.
ipproto
Displays IP protocol field in IP packet rules.
ipdestsocket
Displays IP destination address rules.
ipsourcesocket
Displays IP source address rules.
iptos
Displays Type of Service rules.
port
Displays port related rules.
tcpdestport
Displays TCP destination port rules.
tcpsourceport
Displays TCP source port rules.
udpdestport
Displays UDP destination port rules.
udpsourceport
Displays UDP source port rules.
data
Displays rules for a predefined classifier. This value is dependent on the
classification type entered. Refer to Table 8-3 for valid values for each
classification type.
mask mask
(Optional) Displays rules for a specific data mask. Refer to Table 8-3 for
valid values for each classification type and data value.
port-string port-string
(Optional) Displays rules related to a specific ingress port.
rule-status active | not-in-service | not-ready
(Optional) Displays rules related to a specific rule's status.
storage-type non-volatile | volatile
(Optional) Displays rules configured for either non-volatile or volatile
storage.
vlan vlan
(Optional) Displays rules for a specific VLAN ID.
drop | forward
Displays rules based on whether matching packets will be dropped or
forwarded.
dynamic-pid dynamic-pid
Displays rules associated with a specific dynamic policy ID.
cos cos
(Optional) Displays rules for a Class of Service value.
admin-pid admin-pid
Displays rules associated with a specific administrative policy ID [1..1023].
-verbose
(Optional) Displays detailed information.
usage-list
(Optional) If selected, each rule's usage list shall be checked and shall
display only those ports which have applied this rule.
display-if-used
(Optional) Displays rule(s) only if they are applied to at least one port.
Defaults
If -verbose is not specified, summary information will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display policy classification information for administrative rule 1:
C3(su)->show policy rule admin-pid 1
|Admin|Rule Type |Rule Data |Mk|PortStr |RS|ST|dPID|aPID|U|
|admin|Port      |ge.1.1    |16|ge.1.1  | A|NV|    |   1|?|
|admin|Port      |ge.1.2    |16|ge.1.2  | A|NV|    |   1|?|
|admin|Port      |ge.1.3    |16|ge.1.3  | A|NV|    |   1|?|
|admin|Port      |ge.1.4    |16|ge.1.4  | A|NV|    |   1|?|
|admin|Port      |ge.1.5    |16|ge.1.5  | A|NV|    |   1|?|
|admin|Port      |ge.1.6    |16|ge.1.6  | A|NV|    |   1|?|
|admin|Port      |ge.1.7    |16|ge.1.7  | A|NV|    |   1|?|
|admin|Port      |ge.1.8    |16|ge.1.8  | A|NV|    |   1|?|
|admin|Port      |ge.1.9    |16|ge.1.9  | A|NV|    |   1|?|
|admin|Port      |ge.1.10   |16|ge.1.10 | A|NV|    |   1|?|
|admin|Port      |ge.1.11   |16|ge.1.11 | A|NV|    |   1|?|
|admin|Port      |ge.1.12   |16|ge.1.12 | A|NV|    |   1|?|
Table 8-2 provides an explanation of the command output.
Table 8-2
Output      What It Displays...
PID         Profile index number. Assigned to this classification rule with the set policy profile
            command ("set policy profile" on page 8-4).
Rule Type
Rule Data   Rule data value. Refer to Table 8-3 for valid values for each classification type.
Mk          Rule data mask. Refer to Table 8-3 for valid values for each classification data value.
PortStr
RS          Whether or not the status of this rule is active (A), not in service or not ready.
ST          Whether or not this rule's storage type is non-volatile (NV) or volatile (V).
VLAN        VLAN ID to which this rule applies and whether or not matching packets will be
            dropped or forwarded.
CoS
dPID
aPID
Syntax
show policy capability
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
Use this command to display detailed policy classification capabilities supported by your
SecureStack C3 device. The output of this command shows a table listing classifiable traffic
attributes and the type of actions, by rule type, that can be executed relative to each attribute.
Above the table is a list of all the actions possible on this device.
The left-most column of the table lists all possible classifiable traffic attributes. The next two
columns from the left indicate how policy profiles may be assigned, either administratively or
dynamically. The next four columns from the left indicate the actions that may be performed. The
last three columns indicate auditing options.
An x in an action column for a traffic attribute row indicates that your system has the capability to
perform that action for traffic classified by that attribute.
Example
This example shows how to display the device's policy classification capabilities. Refer to "set
policy rule" on page 8-11 for a description of the parameters displayed:
C3(su)->show policy capability
The following supports related to policy are supported in this device:
VLAN Forwarding
Priority
Permit
Deny
Precedence Reordering
TCI Overwrite
Rules Table
Rule-Use Notification
Longest Prefix Rules
=============================================================
|                        | D |   |   |   |   | F |   |   | D |
|                        | Y |   |   |   |   | O | S |   | I |
|                        | N | A |   |   |   | R | Y |   | S |
|                        | A | D | V |   | D | W | S | T | A |
|                        | M | M | L | C | R | A | L | R | B |
|                        | I | I | A | O | O | R | O | A | L |
| SUPPORTED RULE TYPES   | C | N | N | S | P | D | G | P | E |
=============================================================
|MAC source address      |   |   |   |   |   |   |   |   |   |
|MAC destination address |   |   |   |   |   |   |   |   |   |
|IPX source address      |   |   |   |   |   |   |   |   |   |
|IPX destination address |   |   |   |   |   |   |   |   |   |
|IPX source socket       |   |   |   |   |   |   |   |   |   |
Syntax
This command has two forms of syntax: one to create an admin rule (for policy ID 0), and the
other to create a classification rule and attach it to a policy profile.
set policy rule admin-profile {vlantag data [mask mask] admin-pid profile-index}
[port-string port-string]
set policy rule profile-index {ipproto | ipdestsocket | ipsourcesocket | iptos |
tcpdestport | tcpsourceport | udpdestport | udpsourceport} data [mask mask] [vlan
vlan] [cos cos] | [drop | forward]
Parameters
The following parameters apply to creating an admin rule.
admin-profile
Specifies that this is an admin rule for policy ID 0.
vlantag data
Classifies based on VLAN tag specified by data. Value of data can range
from 1 to 4094 or 0xFFF.
mask mask
(Optional) Specifies the number of significant bits to match, dependent
on the data value entered. Value of mask can range from 1 to 12.
Refer to Table 8-3 for valid values for each classification type and data
value.
admin-pid profile-index
Associates this admin rule with a policy profile, identified by its index
number. Policy profiles are configured with the set policy profile
command as described in "set policy profile" on page 8-4.
Valid profile-index values are 1 - 255.
port-string port-string
(Optional) Assigns this rule to the specified policy profile on specific
ingress port(s). Rule would not be used until policy is assigned to the
specified port(s) using the set policy port command as described in "set
policy port" on page 8-15.
The following parameters apply to creating a classification rule.
profile-index
Specifies a policy profile number to which this rule will be assigned.
Policy profiles are configured with the set policy profile command as
described in "set policy profile" on page 8-4. Valid profile-index values are
1 - 255.
ipproto
Classifies based on Protocol field in IP packet.
ipdestsocket
Classifies based on destination IP address with optional post-fixed port.
ipsourcesocket
Classifies based on source IP address, with optional post-fixed port.
iptos
Classifies based on Type of Service field in IP packet.
tcpdestport
Classifies based on TCP destination port.
tcpsourceport
Classifies based on TCP source port.
udpdestport
Classifies based on UDP destination port.
udpsourceport
Classifies based on UDP source port.
data
Specifies the code for a predefined classifier. This value is dependent on
the classification type entered. Refer to Table 8-3 for valid values for each
classification type.
mask mask
(Optional) Specifies the number of significant bits to match, dependent on
the data value entered. Refer to Table 8-3 for valid values for each
classification type and data value.
vlan vlan
Classifies to a VLAN ID.
cos cos
Specifies that this rule will classify to a Class-of-Service ID. Valid values
are 0 - 4095. A value of -1 indicates that no CoS forwarding behavior
modification is desired.
drop | forward
Specifies that packets within this classification will be dropped or
forwarded.
Defaults
None.
Mode
Switch command, read-write.
Usage
Table 8-3 provides the set policy rule data values that can be entered for a particular classification
type, and the mask bits that can be entered for each classifier associated with that parameter.
Table 8-3
data value
mask bits
ipproto
1- 8
1 - 48
iptos
1- 8
1 - 16
1 - 16
vlantag
1 -12
Examples
This example shows how to use Table 8-3 to assign a rule to policy profile 5 that will forward UDP
frames from source port 45:
C3(su)->set policy rule 5 udpsourceport 45 forward
This example shows how to use Table 8-3 to assign a rule to policy profile 1 that will drop IP
source traffic from IP address 1.2.3.4. If mask 32 is not specified as shown, a default mask of 48 bits
(IP address + port) would be applied:
C3(su)->set policy rule 1 ipsourcesocket 1.2.3.4 mask 32 drop
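The following is an added example, not Enterasys code: a small linter that checks `set policy rule` classification commands against the syntax above and flags socket rules that fall back to the 48-bit default mask without naming a port. The mask ranges are an assumption inferred from what survives of Table 8-3, and the `address:port` postfix form and the address-then-port bit order are assumptions as well.

```python
import ipaddress

# Classification keywords from the page's `set policy rule profile-index` syntax.
CLASSIFIERS = {"ipproto", "ipdestsocket", "ipsourcesocket", "iptos",
               "tcpdestport", "tcpsourceport", "udpdestport", "udpsourceport"}
SOCKET_TYPES = {"ipdestsocket", "ipsourcesocket"}
# Assumption: mask-bit ranges per type, inferred from what survives of Table 8-3.
MASK_RANGE = {"ipproto": (1, 8), "iptos": (1, 8),
              "ipdestsocket": (1, 48), "ipsourcesocket": (1, 48),
              "tcpdestport": (1, 16), "tcpsourceport": (1, 16),
              "udpdestport": (1, 16), "udpsourceport": (1, 16)}
DEFAULT_SOCKET_MASK = 48  # per the page: IP address + port


def parse_socket(data):
    """Split 'a.b.c.d' or 'a.b.c.d:port'. The ':' postfix form is an assumption."""
    host, _, port = data.partition(":")
    ip = ipaddress.IPv4Address(host)  # ValueError on a malformed address
    return ip, (int(port) if port else None)


def socket_key(ip, port):
    """48-bit match value: 32-bit address followed by the 16-bit port (assumed order)."""
    return (int(ipaddress.IPv4Address(ip)) << 16) | (port & 0xFFFF)


def socket_rule_matches(rule_ip, rule_port, mask, pkt_ip, pkt_port):
    """Compare the `mask` most significant bits of the rule and packet values."""
    shift = 48 - mask
    return socket_key(rule_ip, rule_port) >> shift == socket_key(pkt_ip, pkt_port) >> shift


def lint_rule(line):
    """Return a list of findings for one `set policy rule` classification command."""
    tok = line.split()
    if tok[:3] != ["set", "policy", "rule"] or len(tok) < 6:
        return ["not a complete `set policy rule profile-index type data` command"]
    index, ctype, data, rest = tok[3], tok[4], tok[5], tok[6:]
    findings = []
    if not (index.isdigit() and 1 <= int(index) <= 255):
        findings.append(f"profile-index {index} is outside 1-255")
    if ctype not in CLASSIFIERS:
        return findings + [f"unknown classification type {ctype}"]
    mask, i = None, 0
    while i < len(rest):  # walk the optional mask / vlan / cos / action tokens
        word = rest[i]
        if word in ("mask", "vlan", "cos") and i + 1 < len(rest):
            if word == "mask":
                mask = rest[i + 1]
            i += 2
        elif word in ("drop", "forward"):
            i += 1
        else:
            findings.append(f"unexpected token {word}")
            i += 1
    mask_bits = None
    if mask is not None:
        low, high = MASK_RANGE[ctype]
        if mask.isdigit() and low <= int(mask) <= high:
            mask_bits = int(mask)
        else:
            findings.append(f"mask {mask} is outside {low}-{high} for {ctype}")
    if ctype in SOCKET_TYPES:
        try:
            _, port = parse_socket(data)
        except ValueError:
            findings.append(f"{data} is not an IPv4 address with optional port")
        else:
            effective = DEFAULT_SOCKET_MASK if mask is None else mask_bits
            if port is None and effective is not None and effective > 32:
                findings.append(f"{effective}-bit mask covers the port but no port is given; "
                                "add mask 32 to match on the address alone")
    return findings


# Constructed sample commands (not captured from a device).
SAMPLES = [
    "set policy rule 1 ipsourcesocket 1.2.3.4 mask 32 drop",
    "set policy rule 1 ipsourcesocket 1.2.3.4 drop",
    "set policy rule 5 udpsourceport 45 forward",
    "set policy rule 5 udpportsource 45 forward",
    "set policy rule 300 tcpdestport 23 mask 20 drop",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(cmd, "->", lint_rule(cmd) or "ok")
```

`socket_rule_matches` shows why the mask matters for a drop rule: with mask 32 every port on the address matches, while a 48-bit comparison only matches one address and port pair.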
Syntax
This command has two forms of syntax: one to clear an admin rule (for policy ID 0), and the other
to clear a classification rule.
clear policy rule admin-profile {vlantag data [mask mask]}
clear policy rule profile-index {all-pid-entries | { ipproto| ipdestsocket|
ipsourcesocket | iptos | tcpdestport | tcpsourceport | udpdestport |
udpsourceport} }
Parameters
The following parameters apply to deleting an admin rule.
admin-profile
Specifies that the rule to be deleted is an admin rule for policy ID 0.
vlantag data
Deletes the rule based on VLAN tag specified by data. Value of data can
range from 1 to 4094 or 0xFFF.
mask mask
(Optional) Specifies the number of significant bits to match, dependent
on the data value entered. Value of mask can range from 1 to 12.
Refer to Table 8-3 for valid values for each classification type and data
value.
The following parameters apply to deleting a classification rule.
profile-index
Specifies a policy profile for which to delete classification rules. Valid
profile-index values are 1 - 255.
all-pid-entries
Deletes all entries associated with the specified policy profile.
ipproto
Deletes associated IP protocol classification rule.
ipdestsocket
Deletes associated IP destination classification rule.
ipsourcesocket
Deletes associated IP source classification rule.
iptos
Deletes associated IP Type of Service classification rule.
tcpdestport
Deletes associated TCP destination port classification rule.
tcpsourceport
Deletes associated TCP source port classification rule.
udpdestport
Deletes associated UDP destination port classification rule.
udpsourceport
Deletes associated UDP source port classification rule.
Defaults
When applicable, data and mask must be specified for individual rules to be cleared.
Mode
Switch command, read-write.
Example
This example shows how to remove a rule from policy profile 5 that will forward UDP frames
from source port 45:
C3(su)->clear policy rule 5 udpsourceport 45 forward
Syntax
clear policy all-rules
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to remove all administrative and policy index rules:
C3(su)->clear policy all-rules
Commands
The commands used to assign ports to policy profiles are listed below.
Syntax
set policy port port-string profile-index
Parameters
port-string
Specifies the port(s) to add to the policy profile. For a detailed description
of possible port-string values, refer to "Port String Syntax Used in the CLI"
on page 4-1.
profile-index
Specifies the ID of the policy profile (role) to which the port(s) will be
added. This value must match the profile-index value assigned using the
set policy profile command ("set policy profile" on page 8-4) in order for
a policy profile to be active on the specified port.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to allow Gigabit Ethernet ports 5 through 15 in slot 1 to transmit frames
according to policy profile 1:
C3(su)->set policy port ge.1.5-15 1
Syntax
clear policy port port-string profile-index
Parameters
port-string
Specifies the port(s) from which to remove the policy profile. For a
detailed description of possible port-string values, refer to "Port String
Syntax Used in the CLI" on page 4-1.
profile-index
Specifies the ID of the policy profile (role) to which the port(s) will be
added. This value must match the profile-index value assigned using the
set policy profile command ("set policy profile" on page 8-4) in order for
a policy profile to be active on the specified port.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to remove policy profile 10 from Fast Ethernet port 21 in slot 1:
C3(rw)->clear policy port fe.1.21 10
The SecureStack C3 supports Class of Service (CoS), which allows you to assign mission-critical
data to a higher priority through the device by delaying less critical traffic during periods of
congestion. The higher priority traffic going through the device is serviced first (before lower
priority traffic). The Class of Service capability of the device is implemented by a priority
queueing mechanism. Class of Service is based on the IEEE 802.1D (802.1p) standard specification,
and allows you to define eight priorities (0-7, with 7 granted highest priority) and up to 8 transmit
queues (0-7) for each port.
By default, policy-based CoS is disabled on the device, and default or user-assigned port-based
802.1D (802.1p) settings are used to determine transmit queues. When policy-based CoS is
enabled, the default and user-assigned policy-based settings will override port-based settings
described in Chapter 9.
Commands
The commands used to configure policy-based Class of Service are listed below.
Syntax
set cos state {enable | disable}
Parameters
enable | disable
Enables or disables Class of Service on the switch. Default state is
disabled.
Defaults
None.
Mode
Switch command, read-write.
Usage
The CoS state is a global setting which is set to disabled by default. When CoS is enabled, controls
configured for CoS will supersede port-level control for priority queue mapping, port rate
limiting, and transmit queue mapping. Although port-level settings can be configured, they will
have no effect while CoS is enabled. Disabling CoS will restore any existing port-level settings.
Example
This example shows how to enable Class of Service:
C3(rw)->set cos state enable
Syntax
show cos state
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to show the Class of Service enable state:
C3(rw)->show cos state
Class-of-Service application is enabled
Syntax
clear cos state
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the CoS state back to its default setting of disabled:
C3(su)->clear cos state
Syntax
set cos settings cos-index priority priority [tos-value tos-value]
Parameters
cos-index
Specifies a Class of Service entry. Valid values are 0 to 255.
priority priority
Specifies an 802.1d priority value. Valid values are 0 to 7, with 0 being the
lowest priority. See Usage section below for more information.
tos-value tos-value
(Optional) Specifies a Type of Service value. Valid values are 0 to 255. See
Usage section below for more information.
Defaults
If no optional parameters are specified, none will be applied.
Mode
Switch command, read-write.
Usage
The CoS settings table takes individual class of service features and displays them as belonging to
a CoS entry. Essentially, it is used for CoS feature assignment. Each class of service entry consists
of an index, 802.1p priority, an optional ToS value.
CoS Index
Indexes are unique identifiers for each CoS setting. CoS indexes 0 through 7 are created by
default and mapped directly to 802.1p priority for backwards compatibility. These entries
cannot be removed, and 802.1p priority values cannot be changed. When CoS is enabled,
indexes are assigned. Up to 256 CoS indexes or entries can be configured.
Priority
802.1p priority can be applied per CoS index. For each new CoS index created, the user has
the option to assign an 802.1p priority value 0 to 7 for the class of service. CoS indexes 0
through 7 map directly to 802.1p priorities and cannot be changed as they exist for backward
compatibility.
ToS
This value can be set per class of service, but is not required. When a frame is assigned to a
class of service for which this value is configured, the ToS field of the incoming IP packet will
be overwritten to the user-defined value. ToS bits 0 - 255 can be set, making the entire ToS field
rewritable. ToS can be set for CoS indexes 0 through 7.
Example
This example shows how to create CoS entry 8 with a priority value of 3:
C3(rw)->set cos settings 8 priority 3
Syntax
clear cos settings cos-list {[all] | [priority] [tos-value]}
Parameters
cos-list
Specifies a Class of Service entry to clear.
all
Clears all settings associated with this entry.
priority
Clears the priority value associated with this entry.
tos-value
Clears the Type of Service value associated with this entry.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the priority for CoS entry 8:
C3(rw)->clear cos settings 8 priority
Syntax
show cos settings [cos-list]
Parameters
cos-list
(Optional) Specifies a Class of Service entry to display.
Defaults
If not specified, all CoS entries will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to show all CoS settings:
C3(su)->show cos settings
CoS Index Priority   ToS     IRL
--------- ---------- ------- -----
0         0          *       *
1         1          *       *
2         2          *       *
3         3          *       *
4         4          *       *
5         5          *       *
6         6          *       *
7         7          *       *
Syntax
clear cos all-entries
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the CoS configuration for all entries except entries 0-7:
C3(su)->clear cos all-entries
9
Port Priority Configuration
This chapter describes the Port Priority set of commands and how to use them.
Display or change the port default Class of Service (CoS) transmit priority (0 through 7) of
each port for frames that are received (ingress) without priority information in their tag
header.
Display the current traffic class mapping-to-priority of each port.
Set each port to transmit frames according to 802.1D (802.1p) priority set in the frame header.
Commands
The commands to configure port priority are listed below.
Syntax
show port priority [port-string]
Parameters
port-string
(Optional) Displays priority information for a specific port. For a detailed
description of possible port-string values, refer to "Port String Syntax Used
in the CLI" on page 4-1.
Defaults
If port-string is not specified, priority for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the port priority for the fe.2.1 through 5.
C3(su)->show port priority fe.2.1-5
fe.2.1 is set to 0
fe.2.2 is set to 0
fe.2.3 is set to 0
fe.2.4 is set to 0
fe.2.5 is set to 0
Syntax
set port priority port-string priority
Parameters
port-string
Specifies the port for which to set priority. For a detailed description of
possible port-string values, refer to "Port String Syntax Used in the CLI" on
page 4-1.
priority
Specifies a value of 0 to 7 to set the CoS priority for the port entered in the
port-string. Priority value of 0 is the lowest priority.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set a default priority of 6 on fe.1.3. Frames received by this port
without priority information in their frame header are set to the default setting of 6:
C3(su)->set port priority fe.1.3 6
Syntax
clear port priority port-string
Parameters
port-string
Specifies the port for which to clear priority. For a detailed description of
possible port-string values, refer to "Port String Syntax Used in the CLI" on
page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset fe.1.11 to the default priority:
C3(rw)->clear port priority fe.1.11
View the current priority to transmit queue mapping of each physical port.
Configure each port to either transmit frames according to the port priority, set using the set
port priority command described in "set port priority" on page 9-3, or according to a priority
based on a percentage of port transmission capacity, assigned to transmit queues using the set
port txq command described in "set port txq" on page 9-9.
Clear current port priority queue settings for one or more ports.
Note: Priority to transmit queue mapping on an individual port basis can only be configured on
Gigabit Ethernet ports (ge.x.x). When you use the set port priority-queue command to configure
a Fast Ethernet port (fe.x.x), the mapping values are applied globally to all Fast Ethernet ports on
the stack.
Commands
The commands used in configuring transmit priority queues are listed below.
Syntax
show port priority-queue [port-string]
Parameters
port-string
(Optional) Displays the mapping of priorities to transmit queues for one
or more ports.
Defaults
If port-string is not specified, priority queue information for all ports will be
displayed.
Mode
Switch command, read-only.
Example
This example shows how to display priority queue information for ge.1.1. In this case, frames with
a priority of 0 are associated with transmit queue 1; frames with 1 or 2 priority, are associated with
transmit queue 0; and so forth:
C3(su)->show
Port
P0
--------- -ge.1.1
1
Syntax
set port priority-queue port-string priority queue
Parameters
port-string
Specifies the port(s) for which to set priority-to-queue mappings. For a
detailed description of possible port-string values, refer to "Port String
Syntax Used in the CLI" on page 4-1.
priority
Specifies a value of 0 through 7 (0 is the lowest level) that determines
what priority frames will be transmitted on the transmit queue entered in
this command.
queue
Specifies a value of 0 through 5 (0 is the lowest level) that determines the
queue on which to transmit the frames with the port priority entered in
this command.
Defaults
None.
Mode
Switch command, read-write.
Usage
Although there are eight queues implemented in the switch hardware, only six are available for
use in prioritizing various data and control traffic. The 7th and 8th queues are reserved for
stacking and network control related communications. Refer to "Configuring Quality of Service
(QoS)" on page 9-8 for more information about configuring the priority mode and weight for these
queues.
Priority to transmit queue mapping on an individual port basis can only be configured on Gigabit
Ethernet ports (ge.x.x). When you use the set port priority-queue command to configure a Fast
Ethernet port (fe.x.x), the mapping values are applied globally to all Fast Ethernet ports on the
stack.
Example
This example shows how to set priority 5 frames received on ge.2.12 to transmit on queue 0.
C3(su)->set port priority-queue ge.2.12 5 0
Syntax
clear port priority-queue port-string
Parameters
port-string
Specifies the port for which to clear priority-to-queue mappings. For a
detailed description of possible port-string values, refer to "Port String
Syntax Used in the CLI" on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the priority queue settings on ge.2.12:
C3(su)->clear port priority-queue ge.2.12
Command Descriptions
The commands to configure the Quality of Service are listed below.
Syntax
show port txq [port-string]
Parameters
port-string
(Optional) Specifies port(s) for which to display QoS settings. For a
detailed description of possible port-string values, refer to "Port String
Syntax Used in the CLI" on page 4-1.
Only physical ports will be displayed. LAG ports have no transmit queue
information.
Defaults
If the port-string is not specified, the QoS setting of all physical ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display the current algorithm and transmit queue weights configured
on ports ge.1.10 through 24:
C3(su)->show port txq ge.1.10-24
Port     Alg Q0  Q1  Q2  Q3  Q4  Q5  Q6  Q7
-------  --- --- --- --- --- --- --- --- ---
ge.1.10  WRR 2   10  15  20  24  29  SP  SP
ge.1.11  WRR 2   10  15  20  24  29  SP  SP
ge.1.12  WRR 2   10  15  20  24  29  SP  SP
ge.1.13  WRR 2   10  15  20  24  29  SP  SP
ge.1.14  WRR 2   10  15  20  24  29  SP  SP
ge.1.15  WRR 2   10  15  20  24  29  SP  SP
ge.1.16  WRR 2   10  15  20  24  29  SP  SP
ge.1.17  WRR 2   10  15  20  24  29  SP  SP
ge.1.18  WRR 2   10  15  20  24  29  SP  SP
ge.1.19  WRR 2   10  15  20  24  29  SP  SP
ge.1.20  WRR 2   10  15  20  24  29  SP  SP
ge.1.21  WRR 2   10  15  20  24  29  SP  SP
ge.1.22  WRR 2   10  15  20  24  29  SP  SP
ge.1.23  WRR 2   10  15  20  24  29  SP  SP
ge.1.24  WRR 2   10  15  20  24  29  SP  SP
Syntax
set port txq port-string value0 value1 value2 value3 value4 value5
Parameters
port-string
Specifies port(s) on which to set queue arbitration values. For a detailed
description of possible port-string values, refer to "Port String Syntax Used
in the CLI" on page 4-1.
Only physical ports can be configured with this command. LAG ports
cannot be configured.
value0 - value5
Specifies percentage to allocate to a specific transmit queue. The values
must total 100 percent.
Defaults
None.
Mode
Switch command, read-write.
Usage
Eight transmit queues are implemented in the switch hardware for each physical port, but only six
are available for use in prioritizing various data and control traffic. The seventh and eighth queues
are reserved for stacking and network control related communications and cannot be configured.
Queues can be set for strict priority (SP) or weighted round-robin (WRR). If set for WRR mode,
weights may be assigned to those queues with this command. Weights are specified in the range
of 0 to 100 percent. Weights specified for queues 0 through 5 on any port must total 100 percent.
Queues 0 through 5 can be changed to strict priority by configuring queues 0 through 4 at 0
percent and queue 5 at 100 percent. Queues can be changed back to WRR by changing the weight
of queues 0 through 5, or by issuing the clear port txq command.
Examples
This example shows how to change the arbitration values for the six transmit queues belonging to
ge.1.1:
C3(su)->set port txq ge.1.1 17 17 17 17 16 16
This example shows how to change the algorithm to strict priority for the six transmit queues
belonging to ge.1.1:
C3(su)->set port txq ge.1.1 0 0 0 0 0 100
C3(su)->show port txq ge.1.1
Port    Alg Q0  Q1  Q2  Q3  Q4  Q5  Q6  Q7
------- --- --- --- --- --- --- --- --- ---
ge.1.1  STR SP  SP  SP  SP  SP  SP  SP  SP
Syntax
clear port txq port-string
Parameters
port-string
Clears transmit queue values on specific port(s) back to their default
values. For a detailed description of possible port-string values, refer to
"Port String Syntax Used in the CLI" on page 4-1.
Only physical ports can be configured with this command. LAG ports
cannot be configured.
Defaults
By default, transmit queues are defined as follows:
Queue
Mode
Weight
Queue
Mode
Weight
WRR
WRR
WRR
WRR
WRR
WRR
Mode
Switch command, read-write.
Example
This example shows how to clear transmit queue values on ge.1.1:
C3(su)->clear port txq ge.1.1
C3(su)->show port txq ge.1.1
Port    Alg Q0  Q1  Q2  Q3  Q4  Q5  Q6  Q7
------- --- --- --- --- --- --- --- --- ---
ge.1.1  WRR 2   10  15  20  24  29  SP  SP
10
IGMP Configuration
This chapter describes the IGMP Configuration set of commands and how to use them.
IGMP Overview
About IP Multicast Group Management
The Internet Group Management Protocol (IGMP) runs between hosts and their immediately
neighboring multicast device. The protocol's mechanisms allow a host to inform its local device
that it wants to receive transmissions addressed to a specific multicast group.
A multicast-enabled device can periodically ask its hosts if they want to receive multicast traffic. If
there is more than one device on the LAN performing IP multicasting, one of these devices is
elected querier and assumes the responsibility of querying the LAN for group members.
Based on the group membership information learned from IGMP, a device can determine which (if
any) multicast traffic needs to be forwarded to each of its ports. At Layer 3, multicast devices use
this information, along with a multicast routing protocol, to support IP multicasting across the
Internet.
IGMP provides the final step in an IP multicast packet delivery service, since it is only concerned
with forwarding multicast traffic from the local device to group members on a directly attached
subnetwork or LAN segment.
This device supports IP multicast group management by passively snooping on the IGMP query
and IGMP report packets transferred between IP multicast devices and IP multicast host groups to
learn IP multicast group members.
The purpose of IP multicast group management is to optimize a switched network's performance
so multicast packets will only be forwarded to those ports containing multicast group hosts or
multicast devices instead of flooding to all ports in the subnet (VLAN).
In addition to passively monitoring IGMP query and report messages, the SecureStack C3 can also
actively send IGMP query messages to learn locations of multicast devices and member hosts in
multicast groups within each VLAN.
However, note that IGMP neither alters nor routes any IP multicast packets. Since IGMP is not
concerned with the delivery of IP multicast packets across subnetworks, an external IP multicast
device is needed if IP multicast packets have to be routed across different subnetworks.
About Multicasting
Multicasting is used to support real-time applications such as video conferences or streaming
audio. A multicast server does not have to establish a separate connection with each client. It
merely broadcasts its service to the network, and any hosts that want to receive the multicast
register with their local multicast switch/router. Although this approach reduces the network
overhead required by a multicast server, the broadcast traffic must be carefully pruned at every
multicast switch/router it passes through to ensure that traffic is only passed to the hosts that
subscribed to this service.
The SecureStack C3 switch device uses IGMP (Internet Group Management Protocol) to query for
any attached hosts who want to receive a specific multicast service. The device looks up the IP
Multicast Group used for this service and adds any port that received a similar request to that
group. It then propagates the service request on to any neighboring multicast switch/router to
ensure that it will continue to receive the multicast service.
Commands
The commands used to configure switch-related IGMP snooping are listed below.
show igmpsnooping
Use this command to display IGMP snooping information.
Syntax
show igmpsnooping
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
Configured information is displayed whether or not IGMP snooping is enabled. Status
information is displayed only when the function is enabled. For information on enabling IGMP on
the system, refer to "set igmpsnooping adminmode" on page 10-3. For information on enabling
IGMP on one or more ports, refer to "set igmpsnooping interfacemode" on page 10-4.
Example
This example shows how to display IGMP snooping information:
C3(su)->show igmpsnooping
Admin Mode..................................... Enable
Group Membership Interval...................... 260
Max Response Time.............................. 100
Multicast Router Present Expiration Time....... 0
Interfaces Enabled for IGMP Snooping........... fe.1.1,fe.1.2,fe.1.3
                                                fe.1.4,fe.1.5,fe.1.6
Multicast Control Frame Count.................. 0
Data Frames Forwarded by the CPU............... 0
Syntax
set igmpsnooping adminmode {enable | disable}
Parameters
enable | disable
Enables or disables IGMP snooping on the system.
Defaults
None.
Mode
Switch command, read-write.
Usage
In order for IGMP snooping to be enabled on one or all ports, it must be globally enabled on the
device with this command, and then enabled on a port(s) using the set igmpsnooping interface
mode command as described in "set igmpsnooping interfacemode" on page 10-4.
Example
This example shows how to enable IGMP on the system:
C3(su)->set igmpsnooping adminmode enable
Syntax
set igmpsnooping interfacemode port-string {enable | disable}
Parameters
port-string
Specifies one or more ports on which to enable or disable IGMP.
enable | disable
Enables or disables IGMP.
Defaults
None.
Mode
Switch command, read-write.
Usage
In order for IGMP snooping to be enabled on one or all ports, it must be globally enabled on the
device using the set igmpsnooping adminmode command as described in "set igmpsnooping
adminmode" on page 10-3, and then enabled on a port(s) using this command.
Example
This example shows how to enable IGMP on ports ge.1-10:
C3(su)->set igmpsnooping interfacemode ge.1-10 enable
Syntax
set igmpsnooping groupmembershipinterval time
Parameters
time
Specifies the IGMP group membership interval. Valid values are 2 - 3600
seconds.
This value works together with the set igmpsnooping maxresponse time
command to remove ports from an IGMP group and must be greater than
the max response time value.
Defaults
None.
Mode
Switch command, read-write.
Usage
The IGMP group membership interval time sets the frequency of host-query frame transmissions
and must be greater than the IGMP maximum response time as described in "set igmpsnooping
maxresponse" on page 10-5.
Example
This example shows how to set the IGMP group membership interval to 250 seconds:
C3(su)->set igmpsnooping groupmembershipinterval 250
Syntax
set igmpsnooping maxresponse time
Parameters
time
Specifies the IGMP maximum query response time. Valid values are 100 -
255 seconds. The default value is 100 seconds.
This value works together with the set igmpsnooping
groupmembershipinterval command to remove ports from an IGMP group
and must be lesser than the group membership interval value.
Defaults
None.
Mode
Switch command, read-write.
Usage
This value must be less than the IGMP maximum response time described in "set igmpsnooping
groupmembershipinterval" on page 10-5.
Example
This example shows how to set the IGMP maximum response time to 100 seconds:
C3(su)->set igmpsnooping maxresponse 100
Syntax
set igmpsnooping mcrtrexpire time
Parameters
time
Specifies the IGMP multicast router expiration time. Valid values are 0 -
3600 seconds. A value of 0 will configure the system with an infinite
expiration time. The default value is 0.
Defaults
None.
Mode
Switch command, read-write.
Usage
This timer is for expiring the switch from the multicast database. If the timer expires, and the only
address left is the multicast switch, then the entry will be removed.
Example
This example shows how to set the IGMP multicast router expiration time to infinity:
C3(su)->set igmpsnooping mcrtrexpiretime 0
Syntax
set igmpsnooping add-static group vlan-list [modify] [port-string]
Parameters
group
Specifies the multicast group IP address for the entry.
vlan-list
Specifies the VLANs on which to configure the entry.
modify
(Optional) Adds the specified port or ports to an existing entry.
port-string
(Optional) Specifies the port or ports to add to the entry.
Defaults
If no ports are specified, all ports are added to the entry.
If modify is not specified, a new entry is created.
Mode
Switch command, read-write.
Usage
Use this command to create and configure Layer 2 IGMP entries.
Example
This example creates an IGMP entry for the multicast group with IP address of 233.11.22.33
configured on VLAN 20 configured with the port ge.1.1.
C3(su)->set igmpsnooping add-static 233.11.22.33 20 ge.1.1
Syntax
set igmpsnooping remove-static group vlan-list [modify] [port-string]
Parameters
group
Specifies the multicast group IP address of the entry.
vlan-list
Specifies the VLANs on which the entry is configured.
modify
(Optional) Removes the specified port or ports from an existing entry.
port-string
(Optional) Specifies the port or ports to remove from the entry.
Defaults
If no ports are specified, all ports are removed from the entry.
Mode
Switch command, read-write.
Example
This example removes port ge.1.1 from the entry for the multicast group with IP address of
233.11.22.33 configured on VLAN 20.
C3(su)->set igmpsnooping remove-static 233.11.22.33 20 ge.1.1
Syntax
show igmpsnooping static vlan-list [group group]
Parameters
vlan-list
Specifies the VLAN for which to display static IGMP ports.
group group
(Optional) Specifies the IGMP group for which to display static IGMP
ports.
Defaults
If no group is specified, information for all groups is displayed.
Mode
Switch command, read-only.
Example
This example displays the static IGMP ports for VLAN 20.
120.8.10.1(su)->show igmpsnooping static 20
--------------------------------------------------------------------------------
Vlan Id = 20
Static Multicast Group Address = 233.11.22.33
Type = IGMP
IGMP Port List = ge.1.1
Syntax
show igmpsnooping mfdb [stats]
Parameters
stats
(Optional) Displays MFDB statistics.
Defaults
If stats is not specified, all MFDB table entries will be displayed.
Mode
Switch command, read-only.
Examples
This example shows how to display multicast forwarding database entries:
C3(su)->show igmpsnooping mfdb
MAC Address             Type    Description      Interfaces
----------------------- ------- ---------------- ------------------------
00:14:01:00:5E:02:CD:B0 Dynamic Network Assist   Fwd: ge.1.1,ge.3.1,ge.4.1,
                                                 ge.5.1,ge.6.2,ge.6.3, ge.7.1,ge.8.1
00:32:01:00:5E:37:96:D0 Dynamic Network Assist   Fwd: ge.4.7
00:32:01:00:5E:7F:FF:FA Dynamic Network Assist   Fwd: ge.4.7
This example shows how to display multicast forwarding database statistics:
C3(su)->show igmpsnooping mfdb stats
Max MFDB Table Entries......................... 256
Most MFDB Entries Since Last Reset............. 1
Current Entries................................ 0
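The following added example (not Enterasys code) parses `show igmpsnooping mfdb` entries such as those above and relates them to IP multicast groups, which helps when auditing which ports receive a given stream. It assumes the eight-byte "MAC Address" value is a two-byte VLAN ID followed by the six-byte multicast MAC; the sample text is constructed from the output shown above.

```python
import ipaddress
import re

# One MFDB entry per line: 8-byte key, type, description, "Fwd:" port list.
ENTRY = re.compile(r"^((?:[0-9A-Fa-f]{2}:){7}[0-9A-Fa-f]{2})\s+(\S+)\s+(.*?)\s+Fwd:\s*(.*)$")
# A wrapped continuation line that carries only more ports.
PORTS = re.compile(r"[a-z]+\.\d+\.\d+(?:\s*,\s*[a-z]+\.\d+\.\d+)*,?")


def split_ports(text):
    return [p.strip() for p in text.split(",") if p.strip()]


def decode_key(key):
    """Split the 8-byte key into (VLAN ID, MAC). The layout is an assumption."""
    octets = [int(b, 16) for b in key.split(":")]
    if len(octets) != 8:
        raise ValueError("expected 8 colon-separated bytes")
    vlan = (octets[0] << 8) | octets[1]
    return vlan, ":".join(f"{b:02X}" for b in octets[2:])


def group_to_mac(group):
    """IPv4 multicast group -> Ethernet MAC: 01:00:5E plus the low 23 address bits."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    mac = (0x01005E << 24) | (int(ip) & 0x7FFFFF)
    return ":".join(f"{(mac >> s) & 0xFF:02X}" for s in range(40, -8, -8))


def candidate_groups(mac):
    """All 32 IPv4 groups that share one multicast MAC (5 address bits are not mapped)."""
    o = [int(b, 16) for b in mac.split(":")]
    if o[:3] != [0x01, 0x00, 0x5E] or o[3] & 0x80:
        raise ValueError("not an IPv4 multicast MAC")
    return [f"{first}.{o[3] | high}.{o[4]}.{o[5]}"
            for first in range(224, 240) for high in (0, 0x80)]


def parse_mfdb(text):
    """Parse entry lines (and wrapped port lines) into dictionaries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            vlan, mac = decode_key(m.group(1))
            entries.append({"vlan": vlan, "mac": mac, "type": m.group(2),
                            "ports": split_ports(m.group(4))})
        elif entries and PORTS.fullmatch(line):
            entries[-1]["ports"].extend(split_ports(line))
    return entries


def ports_for_group(entries, group, vlan):
    """Ports forwarding the MAC that `group` maps to on `vlan`."""
    mac = group_to_mac(group)
    return [p for e in entries if e["vlan"] == vlan and e["mac"] == mac for p in e["ports"]]


# Constructed sample, laid out one entry per line.
SAMPLE = """\
MAC Address             Type    Description      Interfaces
----------------------- ------- ---------------- ------------------------
00:14:01:00:5E:02:CD:B0 Dynamic Network Assist   Fwd: ge.1.1,ge.3.1,ge.4.1,
                                                 ge.5.1,ge.6.2,ge.6.3, ge.7.1,ge.8.1
00:32:01:00:5E:37:96:D0 Dynamic Network Assist   Fwd: ge.4.7
00:32:01:00:5E:7F:FF:FA Dynamic Network Assist   Fwd: ge.4.7
"""

if __name__ == "__main__":
    for entry in parse_mfdb(SAMPLE):
        print(entry["vlan"], entry["mac"], entry["ports"])
    print(group_to_mac("233.11.22.33"))
```

Because 32 group addresses share each MAC, a Layer 2 entry identifies a set of candidate groups rather than a single one; `candidate_groups` lists them.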
clear igmpsnooping
Use this command to clear all IGMP snooping entries.
Syntax
clear igmpsnooping
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear all IGMP snooping entries:
C3(su)->clear igmpsnooping
Are you sure you want to clear all IGMP snooping entries? (y/n)y
IGMP Snooping Entries Cleared.
Purpose
To configure IGMP on routing interfaces.
ip igmp
Use this command to enable IGMP on the router. The no form of this command disables IGMP on
the router.
Syntax
ip igmp
no ip igmp
Parameters
None.
Defaults
None.
Mode
Global configuration: C3(su)->router(Config)#
Example
This example shows how to enable IGMP on the router:
C3(su)->router(Config)#ip igmp
ip igmp enable
Use this command to enable IGMP on an interface. The no form of this command disables IGMP
on an interface.
Syntax
ip igmp enable
no ip igmp enable
Parameters
None.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable IGMP on the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip igmp enable
ip igmp version
Use this command to set the version of IGMP running on the router. The no form of this command resets IGMP to the default version of 2 (IGMPv2).
Syntax
ip igmp version version
no ip igmp
Parameters
version
Specifies the IGMP version number to run on the router. Valid values are 1, 2, or 3.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the IGMP version to version 1 on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip igmp version 1
Syntax
show ip igmp interface [vlan vlan-id]
Parameters
vlan vlan-id
(Optional) Displays information for one or more VLANs.
Defaults
If not specified, information will be displayed for all VLANs configured for IGMP routing.
Mode
Any router mode.
Example
This example shows how to display IGMP routing information for VLAN 1:
C3(su)->router#show ip igmp interface vlan 1
Vlan 1 is Admin UP
Vlan 1 is Oper UP
IGMP is configured via the Switch
IGMP ACL currently not supported
Syntax
show ip igmp groups
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display information about IGMP groups:
C3(su)->router#show ip igmp groups
REGISTERED MULTICAST GROUP DETAILS
Multicast IP Address  Last Reporter   Up Time Expiry Time  Host Timer  Version1
--------------- --------------- ------- ------------ ----------- ----------
228.1.1.1       12.12.12.2      27
ip igmp query-interval
Use this command to set the IGMP query interval on a routing interface. The no form of this command resets the IGMP query interval to the default value of 125 seconds.
Syntax
ip igmp query-interval time
no ip igmp query-interval
Parameters
time
Specifies the IGMP query interval. Valid values are from 1 to 3600 seconds. Default is 125 seconds.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the IGMP query interval to 1800 seconds on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip igmp query-interval 1800
ip igmp query-max-response-time
Use this command to set the maximum response time interval advertised in IGMPv2 queries. The no form of this command resets the IGMP maximum response time to the default value of 100 (one tenth of a second).
Syntax
ip igmp query-max-response-time time
no ip igmp query-max-response-time
Parameters
time
Specifies the IGMP maximum response time interval. Valid values are from 0 to 255 tenths of a second. The default value is 100 (one tenth of a second).
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the IGMP query maximum response time interval to 200 (2 tenths of a second) on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip igmp query-max-response-time 200
ip igmp startup-query-interval
Use this command to set the interval between general IGMP queries sent on startup. The no form of this command resets the IGMP startup query interval to the default value of 31 seconds.
Syntax
ip igmp startup-query-interval time
no ip igmp startup-query-interval
Parameters
time
Specifies the IGMP startup query interval. Valid values are from 1 to 300 seconds. The default value is 31 seconds.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the IGMP startup query interval to 100 seconds on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip igmp startup-query-interval 100
ip igmp startup-query-count
Use this command to set the number of IGMP queries sent out on startup, separated by the startup query interval (as described in ip igmp startup-query-interval on page 10-16). The no form of this command resets the IGMP startup query count to the default value of 2.
Syntax
ip igmp startup-query-count count
no ip igmp startup-query-count
Parameters
count
Specifies the number of IGMP startup queries. Valid values are from 1 to 20. The default value is 2.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the IGMP startup query count to 10 on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip igmp startup-query-count 10
ip igmp last-member-query-interval
Use this command to set the maximum response time being inserted into group-specific queries sent in response to leave group messages. The no form of this command resets the IGMP last member query interval to the default value of 1 second.
Syntax
ip igmp last-member-query-interval time
no ip igmp last-member-query-interval
Parameters
time
Specifies the IGMP last member query interval. Valid values are from 0 to 255 seconds. The default value is 1 second.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the IGMP last member query interval to 10 seconds on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip igmp last-member-query-interval 10
ip igmp last-member-query-count
Use this command to set the number of group-specific queries sent before assuming there are no local members. The no form of this command resets the IGMP last member query count to the default value of 2.
Syntax
ip igmp last-member-query-count count
no ip igmp last-member-query-count
Parameters
count
Specifies the number of IGMP startup queries. Valid values are from 1 to 20. The default value is 2.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the IGMP last member query count to 10 on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip igmp last-member-query-count 10
ip igmp robustness
Use this command to configure the robustness tuning for expected packet loss on an IGMP routing interface. The no form of this command resets the IGMP robustness value to the default of 2.
Syntax
ip igmp robustness robustness
no ip igmp robustness
Parameters
robustness
Specifies the IGMP robustness value. Valid values are from 1 to 255. The default value is 2.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
This value determines how many times IGMP messages will be sent. A higher number will mean that end stations will be more likely to see the packet. After the robustness value is reached, IGMP will assume there is no response to queries.
Example
This example shows how to set the IGMP robustness value to 5 on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip igmp robustness 5
11
Logging and Network Management
This chapter describes switch-related logging and network management commands and how to use them.
Note: The commands in this chapter pertain to network management of the SecureStack C3
device from the switch CLI only. For information on router-related network management tasks,
including reviewing router ARP tables and IP traffic, refer to Chapter 15.
Commands
Commands to configure system logging are listed below.
Syntax
show logging server [index]
Parameters
index
(Optional) Displays Syslog information pertaining to a specific server table entry. Valid values are 1-8.
Defaults
If index is not specified, all Syslog server information will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display Syslog server configuration information:
C3(ro)->show logging server
   IP Address      Facility Severity    Description  Port Status
-------------------------------------------------------------------------
 1 132.140.82.111  local4   warning(5)  default      514  enabled
 2 132.140.90.84   local4   warning(5)  default      514  enabled
Table 11-1 provides an explanation of the command output.
Table 11-1
Output
What It Displays...
IP Address
Syslog server's IP address. For details on setting this using the set logging server command, refer to set logging server on page 11-3.
Facility
Syslog facility that will be encoded in messages sent to this server. Valid values are: local0 to local7.
Severity
Description
Port
Status
Syntax
set logging server index [ip-addr ip-addr] [facility facility] [severity severity]
[descr descr] [port port] [state {enable | disable}]
Parameters
index
Specifies the server table index number for this server. Valid values are 1-8.
ip-addr ip-addr
(Optional) Specifies the Syslog message server's IP address.
facility facility
(Optional) Specifies the server's facility name. Valid values are: local0 to local7.
severity severity
(Optional) Specifies the severity level at which the server will log messages. Valid values and corresponding levels are:
1 - emergencies (system is unusable)
2 - alerts (immediate action required)
3 - critical conditions
4 - error conditions
5 - warning conditions
6 - notifications (significant conditions)
7 - informational messages
8 - debugging messages
descr descr
(Optional) Specifies a textual string description of this facility/server.
port port
(Optional) Specifies the default UDP port the client uses to send to the server.
state enable | disable
(Optional) Enables or disables this facility/server configuration.
Defaults
If ip-addr is not specified, an entry in the Syslog server table will be created with the specified index number and a message will display indicating that no IP address has been assigned.
If not specified, facility, severity and port will be set to defaults configured with the set logging default command (set logging default on page 11-5).
If state is not specified, the server will not be enabled or disabled.
Mode
Switch command, read-write.
Example
This command shows how to enable a Syslog server configuration for index 1, IP address 134.141.89.113, facility local4, severity level 3 on port 514:
C3(su)->set logging server 1 ip-addr 134.141.89.113 facility local4 severity 3
port 514 state enable
Syntax
clear logging server index
Parameters
index
Specifies the server table index number for the server to be removed. Valid values are 1-8.
Defaults
None.
Mode
Switch command, read-write.
Example
This command shows how to remove the Syslog server with index 1 from the server table:
C3(su)->clear logging server 1
Syntax
show logging default
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This command shows how to display the Syslog server default values. For an explanation of the command output, refer back to Table 11-1 on page 11-2.
C3(su)->show logging default
Defaults:
Facility      Severity      Port
----------------------------------------
local4        warning(5)    514
Syntax
set logging default {[facility facility] [severity severity] [port port]}
Parameters
facility facility
Specifies the default facility name. Valid values are: local0 to local7.
severity severity
Specifies the default logging severity level. Valid values and corresponding levels are:
1 - emergencies (system is unusable)
2 - alerts (immediate action required)
3 - critical conditions
4 - error conditions
5 - warning conditions
6 - notifications (significant conditions)
7 - informational messages
8 - debugging messages
port port
Specifies the default UDP port the client uses to send to the server.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the Syslog default facility name to local2 and the severity level to 4 (error logging):
C3(su)->set logging default facility local2 severity 4
Syntax
clear logging default {[facility] [severity] [port]}
Parameters
facility
(Optional) Resets the default facility name to local4.
severity
(Optional) Resets the default logging severity level to 6 (notifications of significant conditions).
port
(Optional) Resets the default UDP port the client uses to send to the server to 514.
Defaults
At least one optional parameter must be entered.
All three optional keywords must be entered to reset all logging values to defaults.
Mode
Switch command, read-write.
Example
This example shows how to reset the Syslog default severity level to 6:
C3(su)->clear logging default severity
Syntax
show logging application [mnemonic | all]
Parameters
mnemonic
(Optional) Displays severity level for one application configured for logging. Mnemonics will vary depending on the number and types of applications running on your system. Sample mnemonics and their corresponding applications are listed in Table 11-3 on page 11-8.
Note: Mnemonic values are case sensitive and must be typed as they appear in Table 11-3.
all
(Optional) Displays severity level for all applications configured for logging.
Defaults
If no parameter is specified, information for all applications will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display system logging information pertaining to the SNMP application. Table 11-2 describes the output of this command.
C3(ro)->show logging application SNMP
   Application   Current Severity Level
---------------------------------------------
90 SNMP          6
1(emergencies)  2(alerts)     3(critical)
4(errors)       5(warnings)   6(notifications)
7(information)  8(debugging)
Table 11-2
Output...
What it displays...
Application
Syntax
set logging application {[mnemonic | all]} [level level]
Parameters
mnemonic
Specifies a case-sensitive mnemonic abbreviation of an application to be logged. This parameter will vary depending on the number and types of applications running on your system. To display a complete list, use the show logging application command as described in show logging application on page 11-7. Sample mnemonics and their corresponding applications are listed in Table 11-3 on page 11-8.
Note: Mnemonic values are case sensitive and must be typed as they appear in Table 11-3.
all
Sets the logging severity level for all applications.
level level
(Optional) Specifies the severity level at which the server will log messages for applications. Valid values and corresponding levels are:
1 - emergencies (system is unusable)
2 - alerts (immediate action required)
3 - critical conditions
4 - error conditions
5 - warning conditions
6 - notifications (significant conditions)
7 - informational messages
8 - debugging messages
Table 11-3
Mnemonic    Application
CLIWEB
SNMP
STP
Driver      Hardware drivers
System
Stacking    Stacking management
UPN
Router      Router
Defaults
If level is not specified, none will be applied.
Mode
Switch command, read-write.
Example
This example shows how to set the severity level for SNMP to 4 so that error conditions will be logged for that application.
C3(rw)->set logging application SNMP level 4
Syntax
clear logging application {mnemonic | all}
Parameters
mnemonic
Resets the severity level for a specific application to 6. Valid mnemonic values and their corresponding applications are listed in Table 11-3 on page 11-8.
all
Resets the severity level for all applications to 6.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the logging severity level to 6 for SNMP.
C3(rw)->clear logging application SNMP
Syntax
show logging local
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the state of message logging. In this case, logging to the console is enabled and logging to a persistent file is disabled.
C3(su)->show logging local
Syslog Console Logging enabled
Syslog File Logging disabled
Syntax
set logging local console {enable | disable} file {enable | disable}
Parameters
console enable | disable
Enables or disables logging to the console.
file enable | disable
Enables or disables logging to a persistent file.
Defaults
None.
Mode
Switch command, read-write.
Example
This command shows how to enable logging to the console and disable logging to a persistent file:
C3(su)->set logging local console enable file disable
Syntax
clear logging local
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear local logging:
C3(su)->clear logging local
Syntax
show logging buffer
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows a portion of the information displayed with the show logging buffer command:
C3(su)->show logging buffer
<165>Sep 4 07:43:09 10.42.71.13 CLI[5]User:rw logged in from 10.2.1.122 (telnet)
<165>Sep 4 07:43:24 10.42.71.13 CLI[5]User: debug failed login from 10.4.1.100 (telnet)
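The buffer lines above start with a syslog PRI value in angle brackets (165 = 20 x 8 + 5, facility local4). The Python below is an added example, not part of the Enterasys guide: it decodes that prefix and flags repeated failed logins and Telnet logins in such output. Assumptions: the switch's 1-8 severity level is the RFC 3164 severity code plus one, the login wording matches the two lines shown, and the last three sample lines are constructed.

```python
import re
from collections import Counter

# RFC 3164 facility codes 16-23 are local0-local7, the only facilities the
# guide lists as valid for this switch.
FACILITIES = {16 + i: f"local{i}" for i in range(8)}

# Level names as printed by the guide (1-8). Assumption: switch level equals
# the RFC 3164 severity code (0-7) plus one, as the matching names suggest.
SWITCH_LEVELS = {
    1: "emergencies", 2: "alerts", 3: "critical", 4: "errors",
    5: "warnings", 6: "notifications", 7: "information", 8: "debugging",
}

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<app>[A-Za-z]+)\[(?P<num>\d+)\]"   # bracketed number: meaning not stated in the guide
    r"(?P<msg>.*)$"
)

# Wording taken from the two login lines in the guide's sample output.
LOGIN_RE = re.compile(
    r"User:\s*(?P<user>\S+)\s+(?P<result>logged in|failed login)\s+from\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+\((?P<via>\w+)\)"
)


def parse_line(line):
    """Split one buffer line into fields; return None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        return None
    facility, severity = pri >> 3, pri & 7
    rec = {
        "facility": FACILITIES.get(facility, str(facility)),
        "rfc_severity": severity,
        "switch_level": severity + 1,
        "level_name": SWITCH_LEVELS[severity + 1],
        "timestamp": " ".join(m["ts"].split()),
        "host": m["host"],
        "app": m["app"],
        "message": m["msg"].strip(),
    }
    login = LOGIN_RE.search(rec["message"])
    if login:
        rec["login"] = {
            "user": login["user"],
            "success": login["result"] == "logged in",
            "source": login["src"],
            "via": login["via"],
        }
    return rec


def review(lines, fail_threshold=3):
    """Report sources with repeated failed logins and successful Telnet logins."""
    failures = Counter()
    telnet_logins = []
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        login = rec.get("login")
        if not login:
            continue
        if not login["success"]:
            failures[login["source"]] += 1
        elif login["via"] == "telnet":
            telnet_logins.append((rec["timestamp"], login["user"], login["source"]))
    noisy = {src: n for src, n in failures.items() if n >= fail_threshold}
    return {"repeated_failures": noisy, "telnet_logins": telnet_logins,
            "unparsed": unparsed}


SAMPLE = [
    # The first two lines are the guide's own output (wrapped line rejoined).
    "<165>Sep 4 07:43:09 10.42.71.13 CLI[5]User:rw logged in from 10.2.1.122 (telnet)",
    "<165>Sep 4 07:43:24 10.42.71.13 CLI[5]User: debug failed login from 10.4.1.100 (telnet)",
    # Constructed lines in the same format.
    "<165>Sep 4 07:43:31 10.42.71.13 CLI[5]User: admin failed login from 10.4.1.100 (telnet)",
    "<165>Sep 4 07:43:40 10.42.71.13 CLI[5]User: root failed login from 10.4.1.100 (telnet)",
    "not a syslog line",
]

if __name__ == "__main__":
    print(parse_line(SAMPLE[0]))
    print(review(SAMPLE))
```

The same functions can be run over messages collected by a Syslog server configured with set logging server, provided the collector stores the lines in the format shown in the buffer.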
Commands
Commands to monitor switch network events and status are listed below.
For information about...
history
show history
set history
ping
show users
disconnect
history
Use this command to display the contents of the command history buffer. The command history buffer includes all the switch commands entered up to a maximum of 100, as specified in the set history command (set history on page 11-13).
Syntax
history
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the contents of the command history buffer. It shows there are five commands in the buffer:
C3(su)->history
1 hist
2 show gvrp
3 show vlan
4 show igmp
5 show ip address
show history
Use this command to display the size (in lines) of the history buffer.
Syntax
show history
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the size of the history buffer:
C3(su)->show history
History buffer size: 20
set history
Use this command to set the size of the history buffer.
Syntax
set history size [default]
Parameters
size
Specifies the size of the history buffer in lines. Valid values are 1 to 100.
default
(Optional) Makes this setting persistent for all future sessions.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the size of the command history buffer to 30 lines:
C3(su)->set history 30
ping
Use this command to send ICMP echo-request packets to another node on the network from the switch CLI.
Syntax
ping host
Parameters
host
Specifies the IP address of the device to which the ping will be sent.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example shows how to ping IP address 134.141.89.29. In this case, this host is alive:
C3(su)->ping 134.141.89.29
134.141.89.29 is alive
In this example, the host at IP address is not responding:
C3(su)->ping 134.141.89.255
no answer from 134.141.89.255
show users
Use this command to display information about the active console port or Telnet session(s) logged into the switch.
Syntax
show users
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to use the show users command. In this output, there are two Telnet users logged in with Read-Write access privileges from IP addresses 134.141.192.119 and 134.141.192.18:
C3(su)->show users
  Session  User  Location
  -------- ----- --------------------------
* telnet   rw    134.141.192.119
  telnet   rw    134.141.192.18
disconnect
Use this command to close an active console port or Telnet session from the switch CLI.
Syntax
disconnect {ip-addr | console}
Parameters
ip-addr
Specifies the IP address of the Telnet session to be disconnected. This address is displayed in the output shown in show users on page 12-15.
console
Closes an active console port.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example shows how to close a Telnet session to host 134.141.192.119:
C3(su)->disconnect 134.141.192.119
This example shows how to close the current console session:
C3(su)->disconnect console
Commands
Commands to manage switch network addresses and routes are listed below.
For information about...
show arp
set arp
clear arp
traceroute
show mac
show arp
Use this command to display the switch's ARP table.
Syntax
show arp
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the ARP table:
C3(su)->show arp
LINK LEVEL ARP TABLE
IP Address       Phys Address      Flags  Interface
-----------------------------------------------------
10.20.1.1        00-00-5e-00-01-1  S      host
134.142.21.194   00-00-5e-00-01-1  S      host
134.142.191.192  00-00-5e-00-01-1  S      host
134.142.192.18   00-00-5e-00-01-1  S      host
134.142.192.119  00-00-5e-00-01-1  S      host
-----------------------------------------------------
Table 11-4 provides an explanation of the command output.
Table 11-4
Output
What It Displays...
IP Address
Phys Address
Flags
set arp
Use this command to add mapping entries to the switch's ARP table.
Syntax
set arp ip-address mac-address
Parameters
ip-address
Specifies the IP address to map to the MAC address and add to the ARP table.
mac-address
Specifies the MAC address to map to the IP address and add to the ARP table. The MAC address can be formatted as xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to map IP address 192.168.219.232 to MAC address 00-00-0c-40-0f-bc:
C3(su)->set arp 192.168.219.232 00-00-0c-40-0f-bc
clear arp
Use this command to delete a specific entry or all entries from the switch's ARP table.
Syntax
clear arp {ip-address | all}
Parameters
ip-address | all
Specifies the IP address in the ARP table to be cleared, or clears all ARP entries.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete entry 10.1.10.10 from the ARP table:
C3(su)->clear arp 10.1.10.10
traceroute
Use this command to display a hop-by-hop path through an IP network from the device to a specific destination host. Three UDP or ICMP probes will be transmitted for each hop between the source and the traceroute destination.
traceroute [-w waittime] [-f first-ttl] [-m max-ttl] [-p port] [-q nqueries] [-r]
[-d] [-n] [-v] host
Parameters
-w waittime
(Optional) Specifies time in seconds to wait for a response to a probe.
-f first-ttl
(Optional) Specifies the time to live (TTL) of the first outgoing probe packet.
-m max-ttl
(Optional) Specifies the maximum time to live (TTL) used in outgoing probe packets.
-p port
(Optional) Specifies the base UDP port number used in probes.
-q nqueries
(Optional) Specifies the number of probe inquiries.
-r
(Optional) Bypasses the normal host routing tables.
-d
(Optional) Sets the debug socket option.
-n
(Optional) Displays hop addresses numerically. (Supported in a future release.)
-v
(Optional) Displays verbose output, including the size and destination of each response.
host
Specifies the host to which the route of an IP packet will be traced.
Defaults
If not specified, waittime will be set to 5 seconds.
If not specified, first-ttl will be set to 1 second.
If not specified, max-ttl will be set to 30 seconds.
If not specified, port will be set to 33434.
If not specified, nqueries will be set to 3.
If -r is not specified, normal host routing tables will be used.
If -d is not specified, the debug socket option will not be used.
If -v is not specified, summary output will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to use traceroute to display a round trip path to host 192.167.252.17. In this case, hop 1 is the SecureStack C3 switch, hop 2 is 14.1.0.45, and hop 3 is back to the host IP address. Round trip times for each of the three UDP probes are displayed next to each hop:
C3(su)->traceroute 192.167.252.17
traceroute to 192.167.252.17 (192.167.252.17), 30 hops max, 40 byte packets
1 matrix.enterasys.com (192.167.201.40) 20.000 ms 20.000 ms 20.000 ms
2 14.1.0.45 (14.1.0.45) 40.000 ms 10.000 ms 20.000 ms
3 192.167.252.17 (192.167.252.17) 50.000 ms 0.000 ms 20.000 ms
show mac
Use this command to display MAC addresses in the switch's filtering database. These are addresses learned on a port through the switching process.
Syntax
show mac [address mac-address] [fid fid] [port port-string] [type {other | learned | self | mgmt}]
Parameters
address mac-address
(Optional) Displays a specific MAC address (if it is known by the device).
fid fid
(Optional) Displays MAC addresses for a specific filter database identifier.
port port-string
(Optional) Displays MAC addresses for specific port(s).
type other | learned | self | mgmt
(Optional) Displays information related to other, learned, self or mgmt (management) address type.
Defaults
If no parameters are specified, all MAC addresses for the device will be displayed.
Mode
Switch command, read-only.
Examples
This example shows how to display MAC address information for ge.3.1:
C3(su)->show mac port ge.3.1
MAC Address       FID  Port          Type
----------------- ---- ------------- -------
00-09-6B-0F-13-E6 15   ge.3.1        Learned

MAC Address       VLAN Port          Type    Status  Egress Ports
----------------- ---- ------------- ------- ------- ---------------------------
01-01-23-34-45-56 20   any           mcast   perm    ge.3.1
Table 11-5 provides an explanation of the command output.
Table 11-5
Output
What It Displays...
MAC Address
FID
Port
Port designation.
Type
VLAN
Status
Egress Ports
The ports which have been added to the egress ports list.
Syntax
show mac agetime
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the MAC timeout period:
C3(su)->show mac agetime
Aging time: 300 seconds
Syntax
set mac agetime time
Parameters
time
Specifies the timeout period in seconds for aging learned MAC addresses. Valid values are 10 to 1,000,000 seconds. Default value is 300 seconds.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to set the MAC timeout period:
C3(su)->set mac agetime 250
Syntax
clear mac agetime
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to reset the MAC timeout period to the default value of 300 seconds.
C3(su)->clear mac agetime
Syntax
set mac algorithm {mac-crc16-lowerbits | mac-crc16-upperbits |
mac-crc32-lowerbits | mac-crc32-upperbits}
Parameters
mac-crc16-lowerbits
Select the MAC CRC 16 lower bits algorithm for hashing.
mac-crc16-upperbits
Select the MAC CRC 16 upper bits algorithm for hashing.
mac-crc32-lowerbits
Select the MAC CRC 32 lower bits algorithm for hashing.
mac-crc32-upperbits
Select the MAC CRC 32 upper bits algorithm for hashing.
Defaults
The default MAC algorithm is mac-crc16-upperbits.
Mode
Switch command, read-write.
Usage
Each algorithm is optimized for a different spread of MAC addresses. When changing this mode, the switch will display a warning message and prompt you to restart the device.
The default MAC algorithm is mac-crc16-upperbits.
Example
This example sets the hashing algorithm to mac-crc32-upperbits.
C3(rw)->set mac algorithm mac-crc32-upperbits
Syntax
show mac algorithm
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows the output of this command.
C3(su)->show mac algorithm
Mac hashing algorithm is mac-crc16-upperbits.
Syntax
clear mac algorithm
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example resets the MAC hashing algorithm to the default value.
C3(su)->clear mac algorithm
Syntax
set mac multicast mac-address vlan-id [port-string] [{append | clear} port-string]
Parameters
mac-address
Specify the multicast MAC address. The MAC address can be formatted as xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx.
vlan-id
Specify the VLAN ID containing the ports.
port-string
Specify the port or range of ports the multicast MAC address can be learned on or flooded to.
append | clear
Append or clear the port or range of ports from the egress port list.
Defaults
If no port-string is defined, the command will apply to all ports.
Mode
Switch command, read-write.
Example
This example configures multicast MAC address 01-01-22-33-44-55 for VLAN 24.
C3(su)->set mac multicast 01-01-22-33-44-55 24
Syntax
clear mac address mac-address [vlan-id]
Parameters
mac-address
Specify the multicast MAC address to be cleared. The MAC address can be formatted as xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx.
vlan-id
(Optional) Specify the VLAN ID from which to clear the static multicast MAC address.
Defaults
If no vlan-id is specified, the multicast MAC address is cleared from all VLANs.
Mode
Switch command, read-write.
Example
This example clears multicast MAC address 01-01-22-33-44-55 from VLAN 24.
C3(su)->clear mac multicast 01-01-22-33-44-55 24
Commands
For information about...
show sntp
show sntp
Use this command to display SNTP client settings.
Syntax
show sntp
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display SNTP client settings:
C3(su)->show sntp
SNTP Version: 3
Current Time: TUE SEP 09 16:13:33 2003
Table 11-6 provides an explanation of the command output.
Table 11-6
Output
What It Displays...
SNTP Version
Current Time
Timezone
Time zone name and amount it is offset from UTC (Universal Time).
Client Mode
Whether SNTP client is operating in unicast or broadcast mode. Set using set sntp
client command (set sntp client on page 11-29).
Broadcast Count
Poll Interval
Interval between SNTP unicast requests. Default of 512 seconds can be reset using
the set sntp poll-interval command (set sntp poll-interval on page 11-31).
Poll Retry
Number of poll retries to a unicast SNTP server. Default of 1 can be reset using the
set sntp poll-retry command (set sntp poll-retry on page 11-32).
Poll Timeout
SNTP-Server
Precedence
Status
Syntax
set sntp client {broadcast | unicast | disable}
Parameters
broadcast
Enables SNTP in broadcast client mode.
unicast
Enables SNTP in unicast (point-to-point) client mode. In this mode, the client must supply the IP address from which to retrieve the current time.
disable
Disables SNTP.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable SNTP in broadcast mode:
C3(su)->set sntp client broadcast
Syntax
clear sntp client
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the SNTP client's operational mode:
C3(su)->clear sntp client
Syntax
set sntp server ip-address [precedence]
Parameters
ip-address
Specifies the SNTP server's IP address.
precedence
(Optional) Specifies this SNTP server's precedence in relation to its peers. Valid values are 1 (highest) to 10 (lowest).
Defaults
If precedence is not specified, 1 will be applied.
Mode
Switch command, read-write.
Example
This example shows how to set the server at IP address 10.21.1.100 as an SNTP server:
C3(su)->set sntp server 10.21.1.100
Syntax
clear sntp server {ip-address | all}
Parameters
ip-address
Specifies the IP address of a server to remove from the SNTP server list.
all
Removes all servers from the SNTP server list.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to remove the server at IP address 10.21.1.100 from the SNTP server list:
C3(su)->clear sntp server 10.21.1.100
Syntax
set sntp poll-interval interval
Parameters
interval
Specifies the poll interval in seconds. Valid values are 16 to 16284.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the SNTP poll interval to 30 seconds:
C3(su)->set sntp poll-interval 30
Syntax
clear sntp poll-interval
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the SNTP poll interval:
C3(su)->clear sntp poll-interval
Syntax
set sntp poll-retry retry
Parameters
retry
Specifies the number of retries. Valid values are 0 to 10.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the number of SNTP poll retries to 5:
C3(su)->set sntp poll-retry 5
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the number of SNTP poll retries:
C3(su)->clear sntp poll-retry
Parameters
timeout
Specifies the poll timeout in seconds. Valid values are 1 to 30.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the SNTP poll timeout to 10 seconds:
C3(su)->set sntp poll-timeout 10
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the SNTP poll timeout:
C3(su)->clear sntp poll-timeout
Commands
For information about...
set nodealias
Syntax
show nodealias config [port-string]
Parameters
port-string
(Optional) Displays node alias configuration settings for specific port(s).
Defaults
If port-string is not specified, node alias configurations will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display node alias configuration settings for ports fe.2.1 through 9:
C3(rw)->show nodealias config fe.2.1-9
Port Number  Max Entries  Used Entries  Status
-----------  -----------  ------------  ------
fe.2.1       16           0             Enable
fe.2.2       47           0             Enable
fe.2.3       47           2             Enable
fe.2.4       47           0             Enable
fe.2.5       47           0             Enable
fe.2.6       47           2             Enable
fe.2.7       47           0             Enable
fe.2.8       47           0             Enable
fe.2.9       4000         1             Enable
Table 11-7 provides an explanation of the command output.
Table 11-7
Output
What It Displays...
Port Number
Port designation.
Max Entries
Used Entries
Number of alias entries (out of the maximum amount configured) already used by
this port.
Status
Whether or not a node alias agent is enabled (default) or disabled on this port.
set nodealias
Use this command to enable or disable a node alias agent on one or more ports, or set the maximum number of alias entries per port.
Syntax
set nodealias {enable | disable | maxentries maxentries} port-string
Parameters
enable | disable
Enables or disables a node alias agent.
maxentries maxentries
Set the maximum number of alias entries per ports. Valid range is 0 to 4096. The default value is 32.
port-string
Specifies the port(s) on which to enable/disable node alias agent or set a maximum number of entries.
Defaults
None.
Mode
Switch command, read-write.
Usage
Upon packet reception, node aliases are dynamically assigned to ports enabled with an alias agent, which is the default setting on SecureStack C3 devices. Node aliases cannot be statically created, but can be deleted using the clear nodealias command as described in clear nodealias config on page 11-36.
Example
This example shows how to disable the node alias agent on fe.1.3:
C3(su)->set nodealias disable fe.1.3
Syntax
clear nodealias config port-string
Parameters
port-string
Specifies the port(s) on which to reset the node alias configuration.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the node alias configuration on fe.1.3:
C3(su)->clear nodealias config fe.1.3
12
Configuring RMON
This chapter describes the commands used to configure RMON on a SecureStack C3 switch.
Table 12-1
RMON Group       What It Monitors...                                CLI Command(s)
                 Records statistics measured by the RMON probe
                 for each monitored interface on the device.
History
Alarm            Periodically gathers statistical samples from
                 variables in the probe and compares them with
                 previously configured thresholds. If the
                 monitored variable crosses a threshold, an
                 event is generated.
Event
Filter           Allows packets to be matched by a filter
                 equation. These matched packets form a data
                 stream or channel that may be captured.
Packet Capture   Allows packets to be captured upon a filter
                 match.
Syntax
show rmon stats [port-string]
Parameters
port-string
(Optional) Displays RMON statistics for specific port(s).
Defaults
If port-string is not specified, RMON stats will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display RMON statistics for Gigabit Ethernet port 1 in switch 1.
C3(su)->show rmon stats ge.1.1
:
Port: ge.1.1
-------------------------------------
Index          = 1
Owner          = monitor
Data Source    = ifIndex.1

Drop Events    = 0        Packets            = 0
Collisions     = 0        Octets             = 0
Jabbers        = 0        0    - 64   Octets = 0
Broadcast Pkts = 0        65   - 127  Octets = 0
Multicast Pkts = 0        128  - 255  Octets = 0
CRC Errors     = 0        256  - 511  Octets = 0
Undersize Pkts = 0        512  - 1023 Octets = 0
Oversize Pkts  = 0        1024 - 1518 Octets = 0
Fragments      = 0
Table 12-2 provides an explanation of the command output.
Table 12-2
Output
What It Displays...
Port
Port designation.
Owner
Data Source
Drop Events
Total number of times that the switch was forced to discard frames due to lack of
available switch device resources. This does not display the number of frames
dropped, only the number of times the switch was forced to discard frames.
Collisions
Jabbers
Total number of frames that were greater than 1518 bytes and had either a bad FCS
or a bad CRC.
Packets
Total number of frames (including bad frames, broadcast frames, and multicast
frames) received on this interface.
Broadcast Pkts
Total number of good frames that were directed to the broadcast address. This value
does not include multicast frames.
Multicast Pkts
Total number of good frames that were directed to the multicast address. This value
does not include broadcast frames.
CRC Errors
Number of frames with bad Cyclic Redundancy Checks (CRC) received from the
network. The CRC is a 4-byte field in the data frame that ensures that the data
received is the same as the data that was originally sent.
Undersize Pkts
Number of frames received containing less than the minimum Ethernet frame size of
64 bytes (not including the preamble) but having a valid CRC.
Oversize Pkts
Number of frames received that exceeded 1518 data bytes (not including the
preamble) but had a valid CRC.
Fragments
Number of received frames that are not the minimum number of bytes in length, or
received frames that had a bad or missing Frame Check Sequence (FCS), were less
than 64 bytes in length (excluding framing bits, but including FCS bytes) and had an
invalid CRC. It is normal for this value to increment since fragments are a normal
result of collisions in a half-duplex network.
Packets
Octets
Total number of octets (bytes) of data, including those in bad frames, received on this
interface.
0 - 64 Octets
Total number of frames, including bad frames, received that were 64 bytes in length
(excluding framing bits, but including FCS bytes).
65 - 127 Octets
Total number of frames, including bad frames, received that were between 65 and
127 bytes in length (excluding framing bits, but including FCS bytes).
Total number of frames, including bad frames, received that were between 128 and
255 bytes in length (excluding framing bits, but including FCS bytes).
Total number of frames, including bad frames, received that were between 256 and
511 bytes in length (excluding framing bits, but including FCS bytes).
Total number of frames, including bad frames, received that were between 512 and
1023 bytes in length (excluding framing bits, but including FCS bytes).
Total number of frames, including bad frames, received that were between 1024 and
1518 bytes in length (excluding framing bits, but including FCS bytes).
Syntax
set rmon stats index port-string [owner]
Parameters
index
Specifies an index for this statistics entry.
port-string
Specifies port(s) to which this entry will be assigned.
owner
(Optional) Assigns an owner for this entry.
Defaults
If owner is not specified, monitor will be applied.
Mode
Switch command, read-write.
Example
This example shows how to configure RMON statistics entry 2 for ge.1.20:
C3(rw)->set rmon stats 2 ge.1.20
Syntax
clear rmon stats {index-list | to-defaults}
Parameters
index-list
Specifies one or more stats entries to be deleted, causing them to disappear from any future RMON queries.
to-defaults
Resets all history entries to default values. This will cause entries to reappear in RMON queries.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete RMON statistics entry 2:
C3(rw)->clear rmon stats 2
Syntax
show rmon history [port-string]
Parameters
port-string
(Optional) Displays RMON history entries for specific port(s).
Defaults
If port-string is not specified, information about all RMON history entries will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display RMON history entries for Gigabit Ethernet port 1 in switch 1. A control entry displays first, followed by actual entries corresponding to the control entry. In this case, the default settings for entry owner, sampling interval, and maximum number of entries (buckets) have not been changed from their default values. For a description of the types of statistics shown, refer to Table 12-2.
C3(su)->show rmon history ge.1.1
:
Port: ge.1.1
-------------------------------------
Index 1
Owner             = monitor
Status            = valid
Data Source       = ifIndex.1
Interval          = 30
Buckets Requested = 50
Buckets Granted   = 10

Sample 2779
Drop Events       =
Octets            =
Packets           =
Broadcast Pkts    =
Multicast Pkts    =
CRC Align Errors  =
Syntax
set rmon history index [port-string] [buckets buckets] [interval interval] [owner owner]
Parameters
index-list
Specifies an index number for this entry.
port-string
(Optional) Assigns this entry to a specific port.
buckets buckets
(Optional) Specifies the maximum number of entries to maintain.
interval interval
(Optional) Specifies the sampling interval in seconds.
owner owner
(Optional) Specifies an owner for this entry.
Defaults
If buckets is not specified, the maximum number of entries maintained will be 50.
If not specified, interval will be set to 30 seconds.
If owner is not specified, monitor will be applied.
Mode
Switch command, read-write.
Example
This example shows how to configure RMON history entry 1 on port fe.2.1 to sample every 20 seconds:
C3(rw)->set rmon history 1 fe.2.1 interval 20
Syntax
clear rmon history {index-list | to-defaults}
Parameters
index-list
Specifies one or more history entries to be deleted, causing them to disappear from any future RMON queries.
to-defaults
Resets all history entries to default values. This will cause entries to reappear in RMON queries.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete RMON history entry 1:
C3(rw)->clear rmon history 1
Syntax
show rmon alarm [index]
Parameters
index
(Optional) Displays RMON alarm entries for a specific entry index ID.
Defaults
If index is not specified, information about all RMON alarm entries will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display RMON alarm entry 3:
C3(rw)->show rmon alarm 3
Index 3
---------------------
Owner              = Manager
Status             = valid
Variable           = 1.3.6.1.4.1.5624.1.2.29.1.2.1.0
Sample Type        = delta        Startup Alarm       = rising
Interval           = 30           Value               = 0
Rising Threshold   = 1            Falling Threshold   = 0
Rising Event Index = 2            Falling Event Index = 0
Table 12-3 provides an explanation of the command output.
Table 12-3
Output
What It Displays...
Index
Owner
Status
Variable
Sample Type
Startup Alarm
Whether alarm generated when this entry is first enabled is rising, falling, or either.
Interval
Rising Threshold
Falling Threshold
Index number of the RMON event to be triggered when the rising threshold is
crossed.
Index number of the RMON event to be triggered when the falling threshold is
crossed.
Syntax
set rmon alarm properties index [interval interval] [object object] [type
{absolute | delta}] [startup {rising | falling | either}] [rthresh rthresh]
[fthresh fthresh] [revent revent] [fevent fevent] [owner owner]
Parameters
index
Specifies an index number for this entry. Maximum number of entries is 50. Maximum value is 65535.
interval interval
(Optional) Specifies an interval (in seconds) for RMON to conduct sample monitoring.
object object
(Optional) Specifies a MIB object to be monitored.
Note: This parameter is not mandatory for executing the command, but must be specified in order to enable the alarm entry configuration.
type absolute | delta
(Optional) Specifies the monitoring method as: sampling the absolute value of the object, or the difference (delta) between object samples.
startup rising | falling | either
(Optional) Specifies the type of alarm generated when this event is first enabled as:
Rising - Sends alarm when an RMON event reaches a maximum threshold condition, for example, more than 30 collisions per second.
Falling - Sends alarm when RMON event falls below a minimum threshold condition, for example when the network is behaving normally again.
Either - Sends alarm when either a rising or falling threshold is reached.
rthresh rthresh
(Optional) Specifies a minimum threshold for causing a rising alarm.
fthresh fthresh
Specifies a maximum threshold for causing a falling alarm.
revent revent
Specifies the index number of the RMON event to be triggered when the rising threshold is crossed.
fevent fevent
Specifies the index number of the RMON event to be triggered when the falling threshold is crossed.
owner owner
(Optional) Specifies the name of the entity that configured this alarm entry.
Defaults
interval - 3600 seconds
type - absolute
startup - rising
rthresh - 0
fthresh - 0
revent - 0
fevent - 0
owner - monitor
Mode
Switch command, read-write.
Example
This example shows how to configure a rising RMON alarm. This entry will conduct monitoring of the delta between samples every 30 seconds:
C3(rw)->set rmon alarm properties 3 interval 30 object
1.3.6.1.4.1.5624.1.2.29.1.2.1.0 type delta rthresh 1 revent 2 owner Manager
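The threshold behaviour behind these parameters, as an added example (not code from this guide or the switch firmware): it follows the alarm-group rules of RFC 2819, which is assumed to be what the switch implements. The monitored object is assumed to be a 32-bit counter, the readings are constructed, and the class and function names are hypothetical.

```python
"""Rising/falling alarm evaluation with hysteresis (RMON alarm group,
RFC 2819). Illustration only; names are hypothetical."""
from dataclasses import dataclass
from typing import List, Optional

COUNTER32_MOD = 2 ** 32  # assumption: the monitored object is a Counter32


@dataclass
class RmonAlarm:
    rthresh: int = 0               # rthresh
    fthresh: int = 0               # fthresh
    sample_type: str = "absolute"  # type {absolute | delta}
    startup: str = "rising"        # startup {rising | falling | either}
    _last_raw: Optional[int] = None    # previous raw reading (delta mode)
    _last_value: Optional[int] = None  # previous value that was compared
    _rising_armed: bool = True
    _falling_armed: bool = True

    def sample(self, raw: int) -> Optional[str]:
        """Feed the reading taken at the end of one interval.
        Returns 'rising', 'falling' or None."""
        if self.sample_type == "delta":
            if self._last_raw is None:      # first reading is only a baseline
                self._last_raw = raw
                return None
            # Modular subtraction keeps the delta correct across counter wrap.
            value = (raw - self._last_raw) % COUNTER32_MOD
            self._last_raw = raw
        else:
            value = raw

        event = None
        if self._last_value is None:
            # First comparison: only the configured startup alarm may fire.
            if value >= self.rthresh and self.startup in ("rising", "either"):
                event = "rising"
            elif value <= self.fthresh and self.startup in ("falling", "either"):
                event = "falling"
        elif (value >= self.rthresh and self._last_value < self.rthresh
              and self._rising_armed):
            event = "rising"
        elif (value <= self.fthresh and self._last_value > self.fthresh
              and self._falling_armed):
            event = "falling"

        # Hysteresis: an alarm re-arms only after the value has reached the
        # opposite threshold, so a value hovering at one threshold fires once.
        if value <= self.fthresh:
            self._rising_armed = True
        if value >= self.rthresh:
            self._falling_armed = True
        if event == "rising":
            self._rising_armed = False
        elif event == "falling":
            self._falling_armed = False
        self._last_value = value
        return event


def run(alarm: RmonAlarm, readings: List[int]) -> List[Optional[str]]:
    """Evaluate a series of readings, one per sampling interval."""
    return [alarm.sample(r) for r in readings]


if __name__ == "__main__":
    # Settings of alarm entry 3 above: delta sampling, rthresh 1, fthresh 0.
    # Constructed readings of a topology-change style counter, one per 30 s.
    entry3 = RmonAlarm(rthresh=1, fthresh=0, sample_type="delta")
    print(run(entry3, [10, 10, 11, 13, 13, 13, 14]))
    # Absolute sampling with a gap between thresholds: the second crossing of
    # 100 stays silent because the value never dropped to 50 in between.
    print(run(RmonAlarm(rthresh=100, fthresh=50), [90, 105, 95, 110, 40, 120]))
```

With rthresh 1 and fthresh 0, as in entry 3, every interval in which the counter moves after a quiet interval produces a rising crossing; widening the gap between the two thresholds is what suppresses repeated alarms from a value that oscillates around the rising threshold.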
Syntax
set rmon alarm status index enable
Parameters
index
Specifies an index number for this entry. Maximum number of entries is 50. Maximum value is 65535.
enable
Enables this alarm entry.
Defaults
None.
Mode
Switch command, read-write.
Usage
An RMON alarm entry can be created using this command, configured using the set rmon alarm properties command ("set rmon alarm properties" on page 12-11), then enabled using this command. An RMON alarm entry can be created and configured at the same time by specifying an unused index with the set rmon alarm properties command.
Example
This example shows how to enable RMON alarm entry 3:
C3(rw)->set rmon alarm status 3 enable
Syntax
clear rmon alarm index
Parameters
index
Specifies the index number of entry to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear RMON alarm entry 1:
C3(rw)->clear rmon alarm 1
Syntax
show rmon event [index]
Parameters
index
(Optional) Displays RMON properties and log entries for a specific entry index ID.
Defaults
If index is not specified, information about all RMON entries will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display RMON event entry 3:
C3(rw)->show rmon event 3
Index 3
----------------
Owner          = Manager
Status         = valid
Description    = STP Topology change
Type           = log-and-trap
Community      = public
Last Time Sent = 0 days 0 hours 0 minutes 37 seconds
Table 12-4 provides an explanation of the command output.
Table 12-4
Output
What It Displays...
Index
Owner
Status
Description
Type
Whether the event notification will be a log entry, an SNMP trap, both, or none.
Community
Syntax
set rmon event properties index [description description] [type {none | log | trap | both}] [community community] [owner owner]
Parameters
index
Specifies an index number for this entry. Maximum number of entries is 100. Maximum value is 65535.
description description
(Optional) Specifies a text string description of this event.
type none | log | trap | both
(Optional) Specifies the type of RMON event notification as: none, a log table entry, an SNMP trap, or both a log entry and a trap message.
community community
(Optional) Specifies an SNMP community name to use if the message type is set to trap. For details on setting SNMP traps and community names, refer to "Creating a Basic SNMP Trap Configuration" on page 5-43.
owner owner
(Optional) Specifies the name of the entity that configured this entry.
Defaults
If description is not specified, none will be applied.
If not specified, type none will be applied.
If owner is not specified, monitor will be applied.
Mode
Switch command, read-write.
Example
This example shows how to create and enable an RMON event entry called "STP topology change" that will send both a log entry and an SNMP trap message to the "public" community:
C3(rw)->set rmon event properties 2 description "STP topology change" type both
community public owner Manager
Syntax
set rmon event status index enable
Parameters
index
Specifies an index number for this entry. Maximum number of entries is 100. Maximum value is 65535.
enable
Enables this event entry.
Defaults
None.
Mode
Switch command, read-write.
Usage
An RMON event entry can be created using this command, configured using the set rmon event properties command ("set rmon event properties" on page 12-16), then enabled using this command. An RMON event entry can be created and configured at the same time by specifying an unused index with the set rmon event properties command.
Example
This example shows how to enable RMON event entry 1:
C3(rw)->set rmon event status 1 enable
Syntax
clear rmon event index
Parameters
index
Specifies the index number of the entry to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear RMON event 1:
C3(rw)->clear rmon event 1
One channel at a time can be supported, with up to three filters. Configured channel, filter, and buffer control information will be saved across resets, but captured frames will not.
This function cannot be used concurrently with port mirroring. The system will check to prevent concurrently enabling both functions, and a warning will be generated in the CLI if attempted.
Syntax
show rmon channel [port-string]
Parameters
port-string
(Optional) Displays RMON channel entries for a specific port(s).
Defaults
If port-string is not specified, information about all channels will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display RMON channel information for fe.2.12:
Syntax
set rmon channel index port-string [accept {matched | failed}] [control {on | off}]
[description description] [owner owner]
Parameters
index
Specifies an index number for this entry. An entry will automatically be created if an unused index number is chosen. Maximum number of entries is 2. Maximum value is 65535.
port-string
Specifies the port on which traffic will be monitored.
accept matched | failed
(Optional) Specifies the action of the filters on this channel as:
matched - Packets will be accepted on filter matches
failed - Packets will be accepted if they fail a match
control on | off
(Optional) Enables or disables control of the flow of data through the channel.
description description
(Optional) Specifies a description for this channel.
owner owner
(Optional) Specifies the name of the entity that configured this entry.
Defaults
If an action is not specified, packets will be accepted on filter matches.
If not specified, control will be set to off.
If a description is not specified, none will be applied.
If owner is not specified, it will be set to monitor.
Mode
Switch command, read-write.
Example
This example shows how to create an RMON channel entry:
C3(rw)->set rmon channel 54313 fe.2.12 accept failed control on description
"capture all"
Syntax
clear rmon channel index
Parameters
index
Specifies the channel entry to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear RMON channel entry 2:
C3(rw)->clear rmon channel 2
Syntax
show rmon filter [index index | channel channel]
Parameters
index index | channel channel
(Optional) Displays information about a specific filter entry, or about all filters which belong to a specific channel.
Defaults
If no options are specified, information for all filter entries will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display all RMON filter entries and channel information:
C3(rw)->show rmon filter
Index= 55508
Channel Index= 628
EntryStatus= valid
----------------------------------------------------------
Data Offset       0
PktStatus         0
PktStatusMask     0
PktStatusNotMask  0
Owner             ETS,NAC-D
-----------------------------
Data
ff ff ff ff ff ff
-----------------------------
DataMask
ff ff ff ff ff ff
-----------------------------
DataNotMask
00 00 00 00 00 00
Syntax
set rmon filter index channel-index [offset offset] [status status] [smask smask]
[snotmask snotmask] [data data] [dmask dmask] [dnotmask dnotmask] [owner owner]
Parameters
index
Specifies an index number for this entry. An entry will automatically be created if an unused index number is chosen. Maximum number of entries is 10. Maximum value is 65535.
channel-index
Specifies the channel to which this filter will be applied.
offset offset
(Optional) Specifies an offset from the beginning of the packet to look for matches.
status status
(Optional) Specifies packet status bits that are to be matched.
smask smask
(Optional) Specifies the mask applied to status to indicate which bits are significant.
snotmask snotmask
(Optional) Specifies the inversion mask that indicates which bits should be set or not set.
data data
(Optional) Specifies the data to be matched.
dmask dmask
(Optional) Specifies the mask applied to data to indicate which bits are significant.
dnotmask dnotmask
(Optional) Specifies the inversion mask that indicates which bits should be set or not set.
owner
(Optional) Specifies the name of the entity that configured this entry.
Defaults
If owner is not specified, it will be set to monitor.
If no other options are specified, none (0) will be applied.
Mode
Switch command, read-write.
Example
This example shows how to create RMON filter 1 and apply it to channel 9:
C3(rw)->set rmon filter 1 9 offset 30 data 0a154305 dmask ffffffff
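How offset, data, dmask and dnotmask combine into a match decision, as an added example (not code from this guide or the switch firmware): the rules follow the filter group of RFC 2819, which the switch is assumed to implement, and the status match (status, smask, snotmask) is not modelled. The frame is the hex dump from this guide's show rmon capture example; the function names are hypothetical.

```python
"""RMON filter data matching (filter group, RFC 2819) applied to the frame
from the show rmon capture example. Illustration only."""
from typing import Dict, List

# Frame bytes copied from the "Data:" dump in the show rmon capture example.
CAPTURED_FRAME = bytes.fromhex("""
00 00 5e 00 01 01 00 01 f4 00 7d ce 08 00 45 00
00 4b b4 b9 00 00 40 11 32 5c 0a 15 43 05 86 8d
bf e5 00 a1 0e 2b 00 37 cf ca 30 2d 02 01 00 04
06 70 75 62 6c 69 63 a2 20 02 02 0c 92 02 01 00
02 01 00 30 14 30 12 06 0d 2b 06 01 02 01 10 07
01 01 0b 81 fd 1c 02 01 01 00 11 0b 00
""")


def data_filter_matches(frame: bytes, offset: int, data: bytes,
                        dmask: bytes = b"", dnotmask: bytes = b"") -> bool:
    """Return True if the frame passes the packet data match."""
    n = len(data)
    if len(frame) < offset + n:
        return False                      # frame too short: match fails
    # RFC 2819: a short mask is extended with 1 bits, a short not-mask with 0s.
    dmask = dmask[:n] + b"\xff" * (n - len(dmask))
    dnotmask = dnotmask[:n] + b"\x00" * (n - len(dnotmask))
    needs_difference = False
    found_difference = False
    for pkt, want, m, nm in zip(frame[offset:offset + n], data, dmask, dnotmask):
        diff = (pkt ^ want) & m           # relevant bits that differ from data
        if diff & ~nm & 0xFF:
            return False                  # a "must be equal" bit differs
        if m & nm:                        # "must differ somewhere" bits exist
            needs_difference = True
            found_difference = found_difference or bool(diff & nm)
    return found_difference or not needs_difference


def channel_accepts(frame: bytes, filters: List[Dict], accept: str = "matched") -> bool:
    """accept matched: any filter matches; accept failed: every filter fails."""
    hit = any(data_filter_matches(frame, **f) for f in filters)
    return hit if accept == "matched" else not hit


def ipv4_at(frame: bytes, offset: int) -> str:
    """Render four frame bytes as a dotted-quad address."""
    return ".".join(str(b) for b in frame[offset:offset + 4])


# Filter 1 from the example above: offset 30 data 0a154305 dmask ffffffff.
PAGE_FILTER = dict(offset=30, data=bytes.fromhex("0a154305"),
                   dmask=bytes.fromhex("ffffffff"))
# The filter in the show rmon filter output: broadcast destination MAC.
BROADCAST_FILTER = dict(offset=0, data=b"\xff" * 6, dmask=b"\xff" * 6,
                        dnotmask=b"\x00" * 6)

if __name__ == "__main__":
    # Untagged Ethernet II + IPv4: source IP at offset 26, destination at 30.
    print("src", ipv4_at(CAPTURED_FRAME, 26), "dst", ipv4_at(CAPTURED_FRAME, 30))
    # Offset 30 compares against the destination address, so this frame,
    # which 10.21.67.5 sent, does not match filter 1.
    print("filter 1:", data_filter_matches(CAPTURED_FRAME, **PAGE_FILTER))
    # Moving the same data to offset 26 matches frames sent by 10.21.67.5.
    print("offset 26:", data_filter_matches(
        CAPTURED_FRAME, 26, bytes.fromhex("0a154305"), b"\xff" * 4))
    # With accept failed, the frame is taken because it is not a broadcast.
    print("accept failed:", channel_accepts(CAPTURED_FRAME, [BROADCAST_FILTER], "failed"))
```

The offsets 26 and 30 hold only for untagged Ethernet II frames carrying IPv4; an 802.1Q tag shifts both by four bytes, so a filter written for untagged traffic silently stops matching on a tagged port.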
Syntax
clear rmon filter {index index | channel channel}
Parameters
index index | channel channel
Clears a specific filter entry, or all entries belonging to a specific channel.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear RMON filter entry 1:
C3(rw)->clear rmon filter index 1
Purpose
To display RMON capture entries, configure, enable, or disable capture entries, and clear capture entries.
Syntax
show rmon capture [index [nodata]]
Parameters
index
(Optional) Displays the specified buffer control entry and all captured packets associated with that entry.
nodata
(Optional) Displays only the buffer control entry specified by index.
Defaults
If no options are specified, all buffer control entries and associated captured packets will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display RMON capture entries and associated buffer entries:
C3(rw)->show rmon capture
Buf.control= 28062 Channel= 38283
EntryStatus= valid
----------------------------------------------------------
FullStatus           avail
FullAction           lock
Captured packets     251
Capture slice        1518
Download size        100
Download offset      0
Max Octet Requested  50000
Max Octet Granted    50000
Start time           1 days 0 hours 51 minutes 15 seconds
Owner                monitor

captureEntry= 1
Buff.control= 28062
--------------------------------------------
Pkt ID      9
Pkt time    1 days 0 hours 51 minutes 15 seconds
Pkt Length  93
Pkt status  0
Data:
00 00 5e 00 01 01 00 01 f4 00 7d ce 08 00 45 00
00 4b b4 b9 00 00 40 11 32 5c 0a 15 43 05 86 8d
bf e5 00 a1 0e 2b 00 37 cf ca 30 2d 02 01 00 04
06 70 75 62 6c 69 63 a2 20 02 02 0c 92 02 01 00
02 01 00 30 14 30 12 06 0d 2b 06 01 02 01 10 07
01 01 0b 81 fd 1c 02 01 01 00 11 0b 00
Syntax
set rmon capture index {channel [action {lock}] [slice slice] [loadsize loadsize] [offset offset] [asksize asksize] [owner owner]}
Parameters
index
Specifies a buffer control entry.
channel
Specifies the channel to which this capture entry will be applied.
action lock
(Optional) Specifies the action of the buffer when it is full as:
lock - Packets will cease to be accepted
slice slice
(Optional) Specifies the maximum octets from each packet to be saved in a buffer. (default: 1518)
loadsize loadsize
(Optional) Specifies the maximum octets from each packet to be downloaded from the buffer (default: 100)
offset offset
(Optional) Specifies the first octet from each packet that will be retrieved.
asksize asksize
(Optional) Specifies the requested maximum octets to be saved in this buffer.
owner
(Optional) Specifies the name of the entity that configured this entry.
Defaults
If not specified, action defaults to lock.
If not specified, offset defaults to 0.
If not specified, asksize defaults to -1 (which will request as many octets as possible).
If slice is not specified, 1518 will be applied.
If loadsize is not specified, 100 will be applied.
If owner is not specified, it will be set to monitor.
Mode
Switch command, read-write.
Example
This example shows how to create RMON capture entry 1 to listen on channel 628:
C3(rw)->set rmon capture 1 628
Syntax
clear rmon capture index
Parameters
index
Specifies the capture entry to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear RMON capture entry 1:
C3(rw)->clear rmon capture 1
13
Configuring DHCP Server
This chapter describes the commands to configure the IPv4 DHCP server functionality on a SecureStack C3 switch.
DHCP Overview
Dynamic Host Configuration Protocol (DHCP) for IPv4 is a network layer protocol that implements automatic or manual assignment of IP addresses and other configuration information to client devices by servers. A DHCP server manages a user-configured pool of IP addresses from which it can make assignments upon client requests. A relay agent passes DHCP messages between clients and servers which are on different physical subnets.
DHCP Server
DHCP server functionality allows the SecureStack C3 switch to provide basic IP configuration information to a client on the network who requests such information using the DHCP protocol.
DHCP provides the following mechanisms for IP address allocation by a DHCP server:
Automatic - DHCP server assigns an IP address to a client for a limited period of time (or until the client explicitly relinquishes the address) from a defined pool of IP addresses configured on the server.
Manual - A client's IP address is assigned by the network administrator, and DHCP is used simply to convey the assigned address to the client. This is managed by means of static address pools configured on the server.
The amount of time that a particular IP address is valid for a system is called a lease. The SecureStack C3 maintains a lease database which contains information about each assigned IP address, the MAC address to which it is assigned, the lease expiration, and whether the address assignment is dynamic (automatic) or static (manual). The DHCP lease database is stored in flash memory.
In addition to assigning IP addresses, the DHCP server can also be configured to assign the following to requesting clients:
Default router(s)
DNS server(s) and domain name
NetBIOS WINS server(s) and node name
Boot file
DHCP options as defined by RFC 2132
Note: A total of 16 address pools, dynamic and/or static, can be configured on the SecureStack C3.
1. Configuring IP address pools for dynamic IP address assignment. The only required steps are to name the pool and define the network number and mask for the pool. For example:
set dhcp pool auto-pool network 192.168.1.0 255.255.255.0
2. You can limit the scope of addresses assigned to a pool for dynamic address assignment with the set dhcp exclude command. Up to 128 non-overlapping address ranges can be excluded on the SecureStack C3. For example:
set dhcp exclude 192.168.1.88 192.168.1.100
3. Configuring static address pools for manual address assignment. The only required steps are to name the pool, configure either the hardware address of the client or the client identifier, and configure the IP address and mask for the manual binding. For example:
set dhcp pool static-pool hardware-address 0011.2233.4455
set dhcp pool static-pool host 192.168.1.200 255.255.255.0
4. Setting other DHCP server parameters such as the number of ping packets to be sent before assigning an IP address, or enabling conflict logging.
5. Enabling the DHCP server.
"Configuring General DHCP Server Parameters" on page 13-3 describes the commands used to enable/disable the DHCP server, configure excluded address ranges, and set other server parameters.
"Configuring IP Address Pools" on page 13-11 describes the commands used to configure and display address pools.
set dhcp
Use this command to enable or disable the DHCP server functionality on the SecureStack C3.
Syntax
set dhcp {enable | disable}
Parameters
enable | disable
Enable or disable DHCP server functionality. By default, DHCP server is disabled.
Defaults
None.
Mode
Switch command, read-write.
Example
This example enables DHCP server functionality.
C3(rw)->set dhcp enable
Syntax
set dhcp bootp {enable | disable}
Parameters
enable | disable
Enable or disable address allocation for BOOTP clients.
Defaults
None.
Mode
Switch command, read-write.
Example
This example enables address allocation for BOOTP clients.
C3(rw)->set dhcp bootp enable
Syntax
set dhcp conflict logging
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example enables DHCP conflict logging.
C3(rw)->set dhcp conflict logging
Syntax
show dhcp conflict [address]
Parameters
address
[Optional] Specifies the address for which to display conflict information.
Defaults
If no address is specified, conflict information for all addresses is displayed.
Mode
Read-only.
Example
This example displays conflict information for all addresses. Note that ping is the only detection method used.
C3(ro)->show dhcp conflict
IP address    Detection Method    Detection Time
----------    ----------------    ------------------
192.0.0.2     Ping                0 days 19h:01m:23s
192.0.0.3     Ping                0 days 19h:00m:46s
192.0.0.4     Ping                0 days 19h:01m:25s
192.0.0.12    Ping                0 days 19h:01m:26s
Syntax
clear dhcp conflict {logging | ip-address| *}
Parameters
logging
Disable conflict logging.
ip-address
Clear the conflict information for the specified IP address.
*
Clear the conflict information for all IP addresses.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example disables DHCP conflict logging.
C3(rw)->clear dhcp conflict logging
This example clears the conflict information for the IP address 192.0.0.2.
C3(rw)->clear dhcp conflict 192.0.0.2
Syntax
set dhcp exclude low-ipaddr [high-ipaddr]
Parameters
low-ipaddr
Specifies the first IP address in the address range to be excluded from assignment.
high-ipaddr
(Optional) Specifies the last IP address in the address range to be excluded.
Defaults
None.
Mode
Switch command, read-write.
Example
This example first configures the address pool named auto1 with 255 addresses for the Class C network 172.20.28.0, with the set dhcp pool network command. Then, the example limits the scope of the addresses that can be assigned by a DHCP server by excluding addresses 172.20.28.80-100, with the set dhcp exclude command.
C3(rw)->set dhcp pool auto1 network 172.20.28.0 24
C3(rw)->set dhcp exclude 172.20.28.80 172.20.28.100
Syntax
clear dhcp exclude low-ipaddr [high-ipaddr]
Parameters
low-ipaddr
Specifies the first IP address in the address range to be cleared.
high-ipaddr
(Optional) Specifies the last IP address in the address range to be cleared.
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears the previously excluded range of IP addresses between 192.168.1.88 through 192.168.1.100.
C3(rw)->clear dhcp exclude 192.168.1.88 192.168.1.100
Syntax
set dhcp ping packets number
Parameters
packets number
Specifies the number of ping packets to be sent. The value of number can be 0, or range from 2 to 10. Entering 0 disables this function. The default value is 2 packets.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the number of ping packets sent to 3.
C3(rw)->set dhcp ping packets 3
Syntax
clear dhcp ping packets
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example resets the number of ping packets sent back to the default value.
C3(rw)->clear dhcp ping packets
Syntax
show dhcp binding [ip-address]
Parameters
ip-address
(Optional) Specifies the IP address for which to display binding information.
Defaults
If no IP address is specified, binding information for all addresses is displayed.
Mode
Read-only.
Example
This example displays binding information about all addresses.
C3(rw)->show dhcp binding
IP address    Hardware Address     Lease Expiration    Type
----------    -----------------    ----------------    ---------
192.0.0.6     00:33:44:56:22:39    00:11:02            Automatic
192.0.0.8     00:33:44:56:22:33    00:10:22            Automatic
192.0.0.10    00:33:44:56:22:34    00:09:11            Automatic
192.0.0.11    00:33:44:56:22:35    00:10:05            Automatic
192.0.0.12    00:33:44:56:22:36    00:10:30            Automatic
192.0.0.13    00:33:44:56:22:37    infinite            Manual
192.0.0.14    00:33:44:56:22:38    infinite            Manual
Syntax
clear dhcp binding {ip-addr | *}
Parameters
ip-addr
Specifies the IP address for which to clear/delete the DHCP binding.
*
Delete all address bindings.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the DHCP address binding for IP address 192.168.1.1.
C3(rw)->clear dhcp binding 192.168.1.1
Syntax
show dhcp server statistics
Parameters
None.
Defaults
None.
Mode
Read-only.
Example
This example displays server statistics.
C3(ro)->show dhcp server statistics
Automatic Bindings    36
Expired Bindings      6
Malformed Bindings    0

Messages         Received
----------       ----------
DHCP DISCOVER    382
DHCP REQUEST     3855
DHCP DECLINE     0
DHCP RELEASE     67
DHCP INFORM      1

Messages         Sent
----------       ------
DHCP OFFER       381
DHCP ACK         727
DHCP NACK        2
Syntax
clear dhcp server statistics
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears all DHCP server counters.
C3(rw)->clear dhcp server statistics
The subnet of the IP address being issued should be on the same subnet as the ingress interface (that is, the subnet of the host IP address of the switch, or if routing interfaces are configured, the subnet of the routing interface).
A manual pool can be configured using either the client's hardware address (set dhcp pool hardware-address) or the client's client identifier (set dhcp pool client-identifier), but using both is not recommended.
If the incoming DHCP request packet contains a client identifier, then a manual pool configured with that client identifier must exist on the switch in order for the request to be processed. The hardware address is not checked.
If a manual pool is configured with a client identifier, then the incoming DHCP request packet from that client must include that client identifier in order for the request to be processed. The hardware address is not checked.
A hardware address and type (Ethernet or IEEE 802) configured in a manual pool is checked only when a client identifier is not also configured for the pool and the incoming DHCP request packet does not include a client identifier option.
Purpose
To configure and clear DHCP address pool parameters, and to display address pool configuration information.
Note: A total of 16 address pools, dynamic and/or static, can be configured on the SecureStack C3.
Syntax
set dhcp pool poolname
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example creates an address pool named auto1.
C3(rw)->set dhcp pool auto1
Syntax
clear dhcp pool poolname
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the address pool named auto1.
C3(rw)->clear dhcp pool auto1
Syntax
set dhcp pool poolname network number {mask | prefix-length}
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
number
Specifies an IP subnet for the address pool.
mask
Specifies the subnet mask in dotted quad notation.
prefix-length
Specifies the subnet mask as an integer.
Defaults
None.
Mode
Switch command, read-write.
Usage
Use this command to configure a set of IP addresses to be assigned by the DHCP server using the
specified address pool. In order to limit the scope of the addresses configured with this command,
use the set dhcp exclude command described on page 13-6.
Examples
This example configures the IP subnet 172.20.28.0 with a prefix length of 24 for the automatic
DHCP pool named auto1. Alternatively, the mask could have been specified as 255.255.255.0.
C3(rw)->set dhcp pool auto1 network 172.20.28.0 24
This example limits the scope of 255 addresses created for the Class C network 172.20.28.0 by the
previous example, by excluding addresses 172.20.28.80-100.
C3(rw)->set dhcp exclude 172.20.28.80 172.20.28.100
Syntax
clear dhcp pool poolname network
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the network and mask from the address pool named auto1.
C3(rw)->clear dhcp pool auto1 network
Syntax
set dhcp pool poolname hardware-address hw-addr [type]
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
hw-addr
Specifies the MAC address of the client's hardware platform. This value
can be entered using dotted hexadecimal notation or colons.
type
(Optional) Specifies the protocol of the hardware platform. Valid values
are 1 for Ethernet or 6 for IEEE 802. Default value is 1, Ethernet.
Defaults
If no type is specified, Ethernet is assumed.
Mode
Switch command, read-write.
Example
This example specifies 0001.f401.2710 as the Ethernet MAC address for the manual address pool
named manual1. Alternatively, the MAC address could have been entered as 00:01:f4:01:27:10.
C3(rw)->set dhcp pool manual1 hardware-address 0001.f401.2710
Syntax
clear dhcp pool poolname hardware-address
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the client hardware address from the address pool named manual1.
C3(rw)->clear dhcp pool manual1 hardware-address
Syntax
set dhcp pool poolname host ip-address [mask | prefix-length]
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
ip-address
Specifies the IP address for manual binding.
mask
(Optional) Specifies the subnet mask in dotted quad notation.
prefix-length
(Optional) Specifies the subnet mask as an integer.
Defaults
If a mask or prefix is not specified, the class A, B, or C natural mask will be used.
Mode
Switch command, read-write.
Example
This example shows how to configure the minimum requirements for a manual binding address
pool. First, the hardware address of the client's hardware platform is configured, followed by
configuration of the address to be assigned to that client manually.
Syntax
clear dhcp pool poolname host
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the host IP address from the address pool named manual1.
C3(rw)->clear dhcp pool manual1 host
Syntax
set dhcp pool poolname client-identifier id
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
id
Specifies the unique client identifier for this client. The value must be
entered in xx:xx:xx:xx:xx:xx format.
Defaults
None.
Mode
Switch command, read-write.
Usage
The client identifier is formed by concatenating the media type and the MAC address. For
example, if the client hardware type is Ethernet and the client MAC address is 00:01:22:33:44:55,
then the client identifier configured with this command must be 01:00:01:22:33:44:55.
Example
This example shows how to configure the minimum requirements for a manual binding address
pool, using a client identifier rather than the hardware address of the client's hardware platform.
C3(rw)->set dhcp pool manual2 client-identifier 01:00:01:22:33:44:55
C3(rw)->set dhcp pool manual2 host 10.12.1.10 255.255.255.0
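The manual-pool rules above (use one identifier per pool, client identifier formed from media type plus MAC, 16 pools, 31-character names) can be checked offline before commands are pasted into a switch. The following is an added example, not code from the guide or from Enterasys; the function names, the finding texts and the sample lines are constructed, and accepting 06 as a media type octet is an assumption drawn from the hardware type values 1 and 6.

```python
import re
from collections import defaultdict

MAX_POOLS = 16               # guide: 16 address pools in total
MAX_NAME_LEN = 31            # guide: pool names up to 31 characters
MEDIA_TYPES = {"01", "06"}   # assumption: hardware types 1 and 6 as one octet

# Constructed sample, written the way the commands are typed at the prompt.
SAMPLE_CONFIG = """\
C3(rw)->set dhcp pool auto1 network 172.20.28.0 24
set dhcp pool manual1 hardware-address 0001.f401.2710
set dhcp pool manual1 host 10.12.1.9 255.255.255.0
set dhcp pool manual2 client-identifier 01:00:01:22:33:44:55
set dhcp pool manual2 host 10.12.1.10 255.255.255.0
set dhcp pool manual3 hardware-address 00:01:22:33:44:66
set dhcp pool manual3 client-identifier 01:00:01:22:33:44:66
set dhcp pool manual3 host 10.12.1.11 255.255.255.0
set dhcp pool manual4 client-identifier 01:22:33:44:55:66
set dhcp pool manual4 host 10.12.1.12 255.255.255.0
set dhcp pool manual5 hardware-address 0001.f401.2711
"""


def normalize_mac(text):
    """Accept dotted-hex or colon notation; return 12 hex digits or None."""
    digits = re.sub(r"[.:]", "", text).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def parse_pools(config_text):
    """Group 'set dhcp pool <name> <keyword> <args...>' lines by pool name."""
    pools = defaultdict(dict)
    for raw in config_text.splitlines():
        parts = raw.split("->", 1)[-1].split()   # tolerate a leading prompt
        if parts[:3] != ["set", "dhcp", "pool"] or len(parts) < 4:
            continue
        opts = pools[parts[3]]                   # bare 'set dhcp pool x' creates it
        if len(parts) >= 5:
            opts[parts[4]] = parts[5:]
    return dict(pools)


def lint_pools(pools):
    """Return (pool, message) findings for the manual-pool rules in the guide."""
    findings = []
    if len(pools) > MAX_POOLS:
        findings.append(("*", f"{len(pools)} pools defined, limit is {MAX_POOLS}"))
    for name in sorted(pools):
        opts = pools[name]
        hw = opts.get("hardware-address")
        cid = opts.get("client-identifier")
        if len(name) > MAX_NAME_LEN:
            findings.append((name, "pool name exceeds 31 characters"))
        if hw is not None and cid is not None:
            findings.append((name, "hardware-address and client-identifier both "
                                   "set; the hardware address is not checked"))
        if cid is not None:
            octets = cid[0].lower().split(":") if cid else []
            well_formed = bool(octets) and all(
                re.fullmatch(r"[0-9a-f]{2}", o) for o in octets)
            if not well_formed:
                findings.append((name, "client-identifier is not colon-separated hex octets"))
            elif len(octets) != 7 or octets[0] not in MEDIA_TYPES:
                findings.append((name, "client-identifier is not media type + 6-octet MAC"))
        if hw is not None:
            if not hw or normalize_mac(hw[0]) is None:
                findings.append((name, "hardware-address is not a 48-bit MAC"))
            elif len(hw) > 1 and hw[1] not in ("1", "6"):
                findings.append((name, "hardware type must be 1 (Ethernet) or 6 (IEEE 802)"))
        if (hw is not None or cid is not None) and "host" not in opts:
            findings.append((name, "client binding without a host address"))
    return findings


if __name__ == "__main__":
    for pool, message in lint_pools(parse_pools(SAMPLE_CONFIG)):
        print(f"{pool}: {message}")
```

On the constructed sample it reports manual3 (both identifiers set), manual4 (a six-octet identifier that cannot be media type plus MAC) and manual5 (no host address).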
Syntax
clear dhcp pool poolname client-identifier
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the client identifier from the address pool named manual1.
C3(rw)->clear dhcp pool manual1 client-identifier
Syntax
set dhcp pool poolname client-name name
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
name
Specifies the name to be assigned to this client. Client names may be up to
31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example configures the client name appsvr1 to the manual binding pool manual2.
C3(rw)->set dhcp pool manual2 client-identifier 01:22:33:44:55:66
C3(rw)->set dhcp pool manual2 host 10.12.1.10 255.255.255.0
C3(rw)->set dhcp pool manual2 client-name appsvr1
Syntax
clear dhcp pool poolname client-name
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the client name from the manual binding pool manual2.
C3(rw)->clear dhcp pool manual2 client-name
Syntax
set dhcp pool poolname bootfile filename
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
filename
Specifies the boot image file name.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the boot image filename for address pool named auto1.
C3(rw)->set dhcp pool auto1 bootfile image1.img
Syntax
clear dhcp pool poolname bootfile
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the boot image filename from address pool named auto1.
C3(rw)->clear dhcp pool auto1 bootfile
Syntax
set dhcp pool poolname next-server ip-address
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
ip-address
Specifies the IP address of the file server the DHCP client should contact
to load the default boot image.
Defaults
None.
Mode
Switch command, read-write.
Example
This example specifies the file server from which clients being served by address pool auto1
should download the boot image file image1.img.
C3(rw)->set dhcp pool auto1 bootfile image1.img
C3(rw)->set dhcp pool auto1 next-server 10.1.1.10
Syntax
clear dhcp pool poolname next-server
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the file server from address pool auto1.
C3(rw)->clear dhcp pool auto1 next-server
Syntax
set dhcp pool poolname lease {days [hours [minutes]] | infinite}
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
days
Specifies the number of days an address lease will remain valid. Value can
range from 0 to 59.
hours
(Optional) When a days value has been assigned, specifies the number of
hours an address lease will remain valid. Value can range from 0 to 1439.
minutes
(Optional) When a days value and an hours value have been assigned,
specifies the number of minutes an address lease will remain valid. Value
can range from 0 to 86399.
infinite
Specifies that the duration of the lease will be unlimited.
Defaults
If no lease time is specified, a lease duration of 1 day is configured.
Mode
Switch command, read-write.
Example
This example configures a lease duration of 12 hours for the address pool being configured. Note
that to configure a lease time less than one day, enter 0 for days, then the number of hours and
minutes.
C3(rw)->set dhcp pool auto1 lease 0 12
Syntax
clear dhcp pool poolname lease
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
Defaults
Clears the lease time for this address pool to the default value of one day.
Mode
Switch command, read-write.
Example
This example restores the default lease duration of one day for address pool auto1.
C3(rw)->clear dhcp pool auto1 lease
Syntax
set dhcp pool poolname default-router address [address2 ... address8]
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
address
Specifies the IP address of a default router.
address2 ... address8
(Optional) Specifies, in order of preference, up to 7 additional default
router addresses.
Defaults
None.
Mode
Switch command, read-write.
Example
This example assigns a default router at 10.10.10.1 to the address pool named auto1.
C3(rw)->set dhcp pool auto1 default-router 10.10.10.1
Syntax
clear dhcp pool poolname default-router
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the default router from the address pool auto1.
C3(rw)->clear dhcp pool auto1 default-router
Syntax
set dhcp pool poolname dns-server address [address2 ... address8]
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
address
Specifies the IP address of a DNS server.
address2 ... address8
(Optional) Specifies, in order of preference, up to 7 additional DNS
server addresses.
Defaults
None.
Mode
Switch command, read-write.
Example
This example assigns a DNS server at 10.14.10.1 to the address pool auto1.
C3(rw)->set dhcp pool auto1 dns-server 10.14.10.1
Syntax
clear dhcp pool poolname dns-server
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the DNS server list from the address pool auto1.
C3(rw)->clear dhcp pool auto1 dns-server
Syntax
set dhcp pool poolname domain-name domain
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
domain
Specifies the domain name string. The domain name can be up to 255
characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example assigns the mycompany.com domain name to the address pool auto1.
C3(rw)->set dhcp pool auto1 domain-name mycompany.com
Syntax
clear dhcp pool poolname domain-name
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the domain name from the address pool auto1.
C3(rw)->clear dhcp pool auto1 domain-name
Syntax
set dhcp pool poolname netbios-name-server address [address2 ... address8]
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
address
Specifies the IP address of a NetBIOS name server.
address2 ... address8
(Optional) Specifies, in order of preference, up to 7 additional NetBIOS
name server addresses.
Defaults
None.
Mode
Switch command, read-write.
Example
This example assigns a NetBIOS name server at 10.15.10.1 to the address pool being configured.
C3(rw)->set dhcp pool auto1 netbios-name-server 10.15.10.1
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the NetBIOS name server list from the address pool auto1.
C3(rw)->clear dhcp pool auto1 netbios-name-server
Syntax
set dhcp pool poolname netbios-node-type {b-node | h-node | p-node | m-node}
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
b-node
Specifies the NetBIOS node type to be broadcast (no WINS).
h-node
Specifies the NetBIOS node type to be hybrid (WINS, then broadcast).
p-node
Specifies the NetBIOS node type to be peer (WINS only).
m-node
Specifies the NetBIOS node type to be mixed (broadcast, then WINS).
Defaults
None.
Mode
Switch command, read-write.
Example
This example specifies hybrid as the NetBIOS node type for the address pool auto1.
C3(rw)->set dhcp pool auto1 netbios-node-type h-node
Syntax
clear dhcp pool poolname netbios-node-type
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the NetBIOS node type from the address pool auto1.
C3(rw)->clear dhcp pool auto1 netbios-node-type
Syntax
set dhcp pool poolname option code {ascii string | hex string-list | ip addresslist}
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
code
Specifies the DHCP option code, as defined in RFC 2132. Value can range
from 1 to 254.
ascii string
Specify the data in ASCII format. An ASCII character string containing a
space must be enclosed in quotations.
hex string-list
Specify the data in HEX format. Up to 8 HEX strings can be entered.
ip addresslist
Specify the data in IP address format. Up to 8 IP addresses can be entered.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example configures DHCP option 19, which specifies whether the client should configure its
IP layer for packet forwarding. In this case, IP forwarding is enabled with the 01 value.
C3(rw)->set dhcp pool auto1 option 19 hex 01
This example configures DHCP option 72, which assigns one or more Web servers for DHCP
clients. In this case, two Web server addresses are configured.
C3(rw)->set dhcp pool auto1 option 72 ip 168.24.3.252 168.24.3.253
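To see what such an option looks like on the wire, the following added example (not code from the guide or the switch firmware) translates the CLI form into the RFC 2132 code/length/data layout. The function names are hypothetical, the option 17 line is constructed, and treating each HEX string as an even-length run of hex digits is an assumption.

```python
import ipaddress
import shlex

MAX_LIST = 8   # guide: up to 8 HEX strings or 8 IP addresses


def encode_option(code, fmt, values):
    """Return the RFC 2132 wire form of one option: code, length, data."""
    if not 1 <= code <= 254:           # 0 is the pad option, 255 the end option
        raise ValueError("option code must be in the range 1-254")
    if fmt == "ascii":
        if len(values) != 1:           # a string with a space must be quoted
            raise ValueError("ASCII data with spaces must be enclosed in quotations")
        data = values[0].encode("ascii")
    elif fmt == "hex":
        if not 1 <= len(values) <= MAX_LIST:
            raise ValueError("between 1 and 8 HEX strings are allowed")
        data = b"".join(bytes.fromhex(v) for v in values)
    elif fmt == "ip":
        if not 1 <= len(values) <= MAX_LIST:
            raise ValueError("between 1 and 8 IP addresses are allowed")
        data = b"".join(ipaddress.IPv4Address(v).packed for v in values)
    else:
        raise ValueError("format must be ascii, hex or ip")
    if len(data) > 255:                # the length field is a single octet
        raise ValueError("option data does not fit a one-octet length")
    return bytes([code, len(data)]) + data


def parse_option_command(line):
    """Split 'set dhcp pool <pool> option <code> {ascii|hex|ip} <data...>'."""
    tokens = shlex.split(line.split("->", 1)[-1])   # drop a leading prompt
    if (tokens[:3] != ["set", "dhcp", "pool"] or len(tokens) < 8
            or tokens[4] != "option"):
        raise ValueError("not a 'set dhcp pool <pool> option' command")
    return tokens[3], int(tokens[5]), tokens[6], tokens[7:]


def command_to_wire(line):
    """Encode the option described by one CLI line."""
    _pool, code, fmt, values = parse_option_command(line)
    return encode_option(code, fmt, values)


if __name__ == "__main__":
    for cmd in (
        "C3(rw)->set dhcp pool auto1 option 19 hex 01",
        "C3(rw)->set dhcp pool auto1 option 72 ip 168.24.3.252 168.24.3.253",
        'C3(rw)->set dhcp pool auto1 option 17 ascii "/export/root fs"',  # constructed
    ):
        print(cmd.split("option", 1)[1].strip(), "->", command_to_wire(cmd).hex())
```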
Syntax
clear dhcp pool poolname option code
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
code
Specifies the DHCP option code, as defined in RFC 2132. Value can range
from 1 to 254.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes option 19 from address pool auto1.
C3(rw)->clear dhcp pool auto1 option 19
Syntax
show dhcp pool configuration {poolname | all}
Parameters
poolname
Specifies the name of the address pool. Pool names may be up to 31
characters in length.
Defaults
None.
Mode
Read-only.
Example
This example displays configuration information for all address pools.
C3(rw)->show dhcp pool configuration all
Pool: Atg_Pool
Pool Type               Dynamic
Network                 192.0.0.0 255.255.255.0
Lease Time              1 days 0 hrs 0 mins
Default Routers         192.0.0.1
Pool: static1
Pool Type               Manual
Client Name             appsvr1
Client Identifier       01:00:01:f4:01:27:10
Host                    10.1.1.1 255.0.0.0
Lease Time              infinite
Option                  19 hex 01
Pool: static2
Pool Type               Manual
Hardware Address        00:01:f4:01:27:10
Hardware Address Type   ieee802
Host                    192.168.10.1 255.255.255.0
Lease Time              infinite
14
Preparing for Router Mode
This chapter describes how to prepare the switch for routing.
Starting up the CLI. (Using the Command Line Interface on page 1-6)
Setting the system password. (set password on page 3-4)
Configuring basic platform settings, such as host name, system clock, and terminal display
settings. (Setting Basic Switch Properties on page 3-9)
Setting the system IP address. (set ip address on page 3-10)
Creating and enabling VLANs. (Chapter 7)
File management tasks, including uploading or downloading flash or text configuration files,
and displaying directory and file contents. (Managing Switch Configuration and Files on
page 3-45)
Configuring the switch to run in router mode. (Enabling Router Configuration Modes on
page 14-3)
Note: The command prompts used as examples in Table 14-1 and throughout this guide show
switch operation for a user in admin (su) access mode, and a system where the VLAN 1 interface
has been configured for routing. The prompt changes depending on your current configuration
mode, your specific SecureStack switch, and the interface types and numbers configured for routing
on your system.
Table 14-1
At this prompt...
Step 1
router
Switch: C3(su)->
Step 2
enable
Router: C3(su)->router>
Step 3
configure
Router: C3(su)->router#
Step 4
Enable interface configuration mode using the routing VLAN or loopback id.
Router: C3(su)->router(Config)#
interface on page 15-3
Step 5
Router: C3(su)->router(Config-if(Vlan 1))#
interface on page 15-3
Step 6
no shutdown
Router: C3(su)->router(Config-if(Vlan 1))#
no shutdown on page 15-7
Example
The following example shows how to configure VLAN 1 on IP address 182.127.63.1 255.255.255.0
as a routing interface.
C3(su)->router
C3(su)->router>enable
C3(su)->router#configure
Enter configuration commands:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip address 182.127.63.1 255.255.255.0
C3(su)->router(Config-if(Vlan 1))#no shutdown
To...
Access method...
Resulting Prompt...
Privileged EXEC Mode
C3(su)->router>
Show configuration parameters
Type enable.
C3(su)->router#
Save/copy configurations
Global Configuration Mode
Set system-wide parameters.
C3(su)->router(Config)#
Interface Configuration Mode
Configure router interfaces.
C3(su)->router(Config-if(Vlan 1))#
C3(su)->router(Config-router)#
Router Configuration Mode
Set IP protocol parameters.
C3(su)->router(Config-if(Lpbk 1))#
Note: To jump to a lower configuration mode, type exit at the command prompt. To revert back to
switch CLI, type exit from Privileged EXEC router mode.
15
IP Configuration
This chapter describes the Internet Protocol (IP) configuration set of commands and how to use
them.
Router: Unless otherwise noted, the commands covered in this chapter can be executed only
when the device is in router mode. For details on how to enable router configuration modes, refer
to Enabling Router Configuration Modes on page 14-3.
Commands
The commands used to review and configure interface settings are listed below:
For information about...    Refer to page...
show interface              15-2
interface                   15-3
show ip interface           15-4
ip address                  15-5
show running-config         15-6
no shutdown                 15-7
no ip routing               15-7
show interface
Use this command to display information about one or more interfaces (VLANs or loopbacks)
configured on the router.
Syntax
show interface [vlan vlan-id] [loopback loop-id]
Parameters
vlan vlan-id
(Optional) Displays interface information for a specific VLAN interface.
This interface must be configured for IP routing as described in Pre-Routing
Configuration Tasks on page 14-1.
loopback loop-id
(Optional) Displays interface information for a specific loopback interface.
Defaults
If interface type is not specified, information for all routing interfaces will be displayed.
Mode
Any router mode.
Examples
This example shows how to display information for all interfaces configured on the router. For a
detailed description of this output, refer to Table 15-1:
C3(su)->router#show interface
Vlan 1 is Administratively DOWN
Vlan 1 is Operationally DOWN
Mac Address is: 0001.f4da.2cba
The name of this device is Vlan 1
The MTU is 1500 bytes
The bandwidth is 10000 Mb/s
Encapsulation ARPA, Loopback not set
ARP type: ARPA, ARP Timeout: 14400 seconds
This example shows how to display information for loopback interface 1.
C3(su)->router#show interface loopback 1
Loopback 1 is Administratively UP
Loopback 1 is Operationally UP
Internet Address is 10.1.192.100 , Subnet Mask is 255.255.255.0
The name of this device is Loopback 1
The MTU is 1500 bytes
interface
Use this command to configure interfaces for IP routing.
Syntax
interface vlan vlan-id | loopback loop-id
Parameters
vlan vlan-id
Specifies the number of the VLAN interface to be configured for routing.
This interface must be configured for IP routing as described in Pre-Routing
Configuration Tasks on page 14-1.
loopback loop-id
Specifies the number of the loopback interface to be configured for routing.
The value of loop-id can range from 0 to 7.
Defaults
None.
Mode
Router global configuration mode: C3(su)->router(Config)#
Usage
This command enables interface configuration mode from global configuration mode, and, if the
interface has not previously been created, this command creates a new routing interface. For
details on configuration modes supported by the SecureStack C3 device and their uses, refer to
Table 14-2 in Enabling Router Configuration Modes on page 14-3.
VLANs must be created from the switch CLI before they can be configured for IP routing. For
details on creating VLANs and configuring them for IP, refer to Enabling Router Configuration
Modes on page 14-3.
Each VLAN interface must be configured for routing separately using the interface command. To
end configuration on one interface before configuring another, type exit at the command prompt.
Enabling interface configuration mode is required for completing interface-specific configuration
tasks. For an example of how these commands are used, refer to Pre-Routing Configuration
Tasks on page 14-1.
A loopback interface is always expected to be up. This interface can provide the source address for
sent packets and can receive both local and remote packets. The loopback interface is typically
used by routing protocols.
Each SecureStack C3 system can support up to 256 routing interfaces. Each interface can be
configured for the RIP and/or OSPF routing protocols.
Note: For information about configuring tunnel interfaces, see Configuring Tunnel Interfaces on
page 15-8.
Examples
This example shows how to enter configuration mode for VLAN 1:
C3(su)->router#configure
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#
This example shows how to enter configuration mode for loopback 1:
C3(su)->router#configure
C3(su)->router(Config)#interface loopback 1
C3(su)->router(Config-if(Lpbk 1))#
show ip interface
Use this command to display information, including administrative status, IP address, MTU
(Maximum Transmission Unit) size and bandwidth, and ACL configurations, for interfaces
configured for IP.
Syntax
show ip interface [vlan vlan-id] [loopback loop-id]
Parameters
vlan vlan-id
(Optional) Displays information for a specific VLAN interface. This
interface must be configured for IP routing as described in Pre-Routing
Configuration Tasks on page 14-1.
loopback loop-id
(Optional) Displays interface information for a specific loopback interface.
Defaults
If interface type is not specified, status information for all routing interfaces will be displayed.
Mode
Any router mode.
Example
This example shows how to display configuration information for VLAN 1:
C3(su)->router#show ip interface vlan 1
Vlan 1 is Admin DOWN
Vlan 1 is Oper DOWN
Primary IP Address is 192.168.10.1 Mask 255.255.255.0
Frame Type Ethernet
MAC-Address 0001.F45C.C993
Incoming Accesslist is not set
Outgoing AccessList is not set
MTU is 6145 bytes
ARP Timeout is 1 seconds
Direct Broadcast Disabled
Proxy ARP is Disabled
Table 15-1 provides an explanation of the command output.
Table 15-1
Output                 What It Displays...
Vlan N
IP Address             Interface's IP address and mask. Set using the ip address command as described in ip address on page 15-5.
Frame Type             Encapsulation type used by this interface. Set using the arp command as described in arp on page 15-14.
MAC-Address
Incoming Access List   Whether or not an access control list (ACL) has been configured for ingress on this interface using the commands described in Configuring Access Lists on page 21-70.
Outgoing Access List   Not applicable.
MTU
ARP Timeout            Duration for entries to stay in the ARP table before expiring. Set using the arp timeout command as described in arp timeout on page 15-15.
Direct Broadcast
Proxy Arp              Whether or not proxy ARP is enabled or disabled for this interface. Set using the ip proxy-arp command as described in ip proxy-arp on page 15-15.
ip address
Use this command to set, remove, or disable a primary or secondary IP address for an interface.
The no form of this command removes the specified IP address and disables the interface for IP
processing.
Syntax
ip address ip-address ip-mask [secondary]
no ip address ip-address ip-mask
Parameters
ip-address
Specifies the IP address of the interface to be added or removed.
ip-mask
Specifies the mask for the associated IP subnet.
secondary
(Optional) Specifies that the configured IP address is a secondary address.
Defaults
If secondary is not specified, the configured address will be the primary address for the interface.
Mode
Router interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
Each SecureStack C3 system supports up to 256 routing interfaces, with up to 50 secondary
addresses (200 maximum per router) allowed for each primary IP address.
Example
This example sets the IP address to 192.168.1.1 and the network mask to 255.255.255.0 for VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip address 192.168.1.1 255.255.255.0
show running-config
Use this command to display the non-default, user-supplied commands entered while configuring
the device.
Syntax
show running-config
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display the current router operating configuration:
C3(su)->router#show running-config
!
interface vlan 10
ip address 99.99.2.10 255.255.255.0
no shutdown
!
router ospf 1
network 99.99.2.0 0.0.0.255 area 0.0.0.0
network 192.168.100.1 0.0.0.0 area 0.0.0.0
no shutdown
Use this command to enable an interface for IP routing and to allow the interface to automatically
be enabled at device startup.
Syntax
no shutdown
shutdown
Parameters
None.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
The shutdown form of this command disables an interface for IP routing.
Example
This example shows how to enable VLAN 1 for IP routing:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#no shutdown
no ip routing
Use this command to disable IP routing on the device and remove the routing configuration. By
default, IP routing is enabled when interfaces are configured for it as described in Configuring
Routing Interface Settings on page 15-1.
Syntax
no ip routing
Parameters
None.
Mode
Global configuration: C3(su)->router(Config)#
Defaults
None.
Example
This example shows how to disable IP routing on the device:
C3(su)->router(Config)#no ip routing
Commands
For information about...    Refer to page...
interface tunnel            15-8
tunnel source               15-9
tunnel destination          15-9
tunnel mode                 15-10
                            15-11
interface tunnel
Use this command to configure a tunnel interface.
Syntax
interface tunnel tunnel-id
no interface tunnel tunnel-id
Parameters
tunnel-id
Specifies the number of the tunnel interface to be configured for
routing. The value of tunnel-id can range from 0 to 7.
Defaults
None.
Mode
Router global configuration mode: C3(su)->router(Config)#
Usage
This command enables tunnel interface configuration mode from global configuration mode, and,
if the interface has not previously been created, this command creates a new tunnel routing
interface.
The no form of this command removes the tunnel interface and associated configuration
parameters.
Example
This example creates a configured tunnel interface 1.
C3(su)->router(Config)# interface tunnel 1
C3(su)->router(Config-if(Tnnl 1))#
tunnel source
This command specifies the IPv4 source transport address of the tunnel.
Syntax
tunnel source {ipv4-addr | interface vlan vlan-id}
no tunnel source
Parameters
ipv4-addr
The IPv4 source address of the tunnel.
interface vlan vlan-id
Specify an interface to use a link-local address. The VLAN must be
configured in switch mode.
Defaults
None.
Mode
Router interface configuration: C3(su)->router(Config-if(Tnnl 1))#
Usage
The no form of this command removes the source IPv4 address for the tunnel interface being
configured.
Example
The following example configures the source IPv4 address for tunnel 1.
C3(su)->router(Config)# interface tunnel 1
C3(su)->router(Config-if(Tnnl 1))#
C3(su)->router(Config-if(Tnnl 1))# tunnel source 192.168.10.10
tunnel destination
This command specifies the IPv4 destination transport address of the tunnel.
Syntax
tunnel destination ipv4-addr
no tunnel destination
Parameters
ipv4-addr
The IPv4 destination address of the tunnel.
Defaults
None.
Mode
Router interface configuration: C3(su)->router(Config-if(Tnnl 1))#
Usage
The no form of this command removes the destination IPv4 address for the tunnel interface being
configured.
Example
The following example configures the destination IPv4 address for tunnel 1.
C3(su)->router(Config)# interface tunnel 1
C3(su)->router(Config-if(Tnnl 1))#
C3(su)->router(Config-if(Tnnl 1))# tunnel destination 192.168.10.20
tunnel mode
This command specifies the mode of the tunnel interface.
Syntax
tunnel mode ipv6ip
no tunnel mode ipv6ip
Parameters
ipv6ip
Specifies that the tunnel mode is IPv6 over IPv4.
Defaults
None.
Mode
Router interface configuration: C3(su)->router(Config-if(Tnnl 1))#
Usage
The no form of this command removes the mode of the tunnel.
Example
This example sets the tunnel mode to IPv6 over IPv4.
C3(su)->router(Config)# interface tunnel 1
C3(su)->router(Config-if(Tnnl 1))#
C3(su)->router(Config-if(Tnnl 1))# tunnel mode ipv6ip
Syntax
show interface tunnel tunnel-id
Parameters
tunnel-id
Specifies the tunnel for which to display information.
Defaults
None.
Mode
Router global configuration: C3(su)->router(Config)#
Router privileged exec: C3(su)->router#
Usage
Use this command to display general interface information. Refer to Query Commands on
page 18-22 in Chapter 18, IPv6 Configuration for a description of the show ipv6 interface tunnel
command.
Example
This example shows the output of this command.
C3(su)->router(Config)#show interface tunnel 1
Tunnel 1 is Operationally DOWN
The name of this device is Tunnel 1
The MTU is 1480 bytes
Commands
The commands used to review and configure the ARP table are listed below:
For information about...    Refer to page...
show ip arp                 15-12
arp                         15-14
ip proxy-arp                15-15
arp timeout                 15-15
clear arp-cache             15-16
show ip arp
Use this command to display entries in the ARP (Address Resolution Protocol) table. ARP
converts an IP address into a physical address.
Syntax
show ip arp [ip-address] [vlan vlan-id] [output-modifier]
Parameters
ip-address
(Optional) Displays ARP entries related to a specific IP address.
vlan vlan-id
(Optional) Displays only ARP entries learned through a specific VLAN
interface. This VLAN must be configured for IP routing as described in
Pre-Routing Configuration Tasks on page 14-1.
output-modifier
(Optional) Displays ARP entries within a specific range. Options are:
| begin ip-address: Displays only ARP entries that begin with the
specified IP address.
| exclude ip-address: Excludes ARP entries matching the specified
IP address.
| include ip-address: Includes ARP entries matching the specified
IP address.
Defaults
If no parameters are specified, all entries in the ARP cache will be displayed.
Mode
Any router mode.
Example
This example shows how to use the show ip arp command:
C3(su)->router#show ip arp
Protocol  Address  Type  Interface
-----------------------------------------------------------------------------
Internet  134.141.235.251  0003.4712.7a99  ARPA  Vlan1
Internet  134.141.235.165  0002.1664.a5b3  ARPA  Vlan1
Internet  134.141.235.167  00d0.cf00.4b74  ARPA  Vlan2
Address  Age (min)  Interface
-----------------------------------------------------------------------------
Internet  134.141.235.165  0002.1664.a5b3  ARPA  Vlan2
Address  Interface
-----------------------------------------------------------------------------
Internet  134.141.235.251  0003.4712.7a99  ARPA  Vlan2
Table 15-2 provides an explanation of the command output.
Table 15-2
Output           What It Displays...
Protocol
Address
Age (min)        Interval (in minutes) since the entry was entered in the table.
Hardware Addr
Type
Interface
arp
Use this command to add or remove permanent (static) ARP table entries. Up to 1,000 static ARP
entries are supported per SecureStack C3 system. A multicast MAC address can be used in a static
ARP entry. The no form of this command removes the specified permanent ARP entry:
Syntax
arp ip-address mac-address arpa
no arp ip-address
Parameters
ip-address
Specifies the IP address of a device on the network. Valid values are IP
addresses in dotted decimal notation.
mac-address
Specifies the 48-bit hardware address corresponding to the ip-address
expressed in hexadecimal notation.
arpa
Specifies ARPA as the type of ARP mapping.
Defaults
None.
Mode
Global configuration: C3(su)->router(Config)#
Example
This example shows how to add a permanent ARP entry for the IP address 130.2.3.1 and MAC
address 0003.4712.7a99:
C3(su)->router(Config)#arp 130.2.3.1 0003.4712.7a99 arpa
ip proxy-arp
Use this command to enable proxy ARP on an interface. The no form of this command disables
proxy ARP.
Syntax
ip proxy-arp
no ip proxy-arp
Parameters
None.
Defaults
Disabled.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
This variation of the ARP protocol allows the router to send an ARP response on behalf of an end
node to the requesting host. Proxy ARP can be used to resolve routing issues on end stations that
are unable to route in the subnetted environment. The SecureStack C3 will answer to ARP requests
on behalf of targeted end stations on neighboring networks. It is disabled by default.
Example
This example shows how to enable proxy ARP on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip proxy-arp
arp timeout
Use this command to set the duration (in seconds) for dynamically learned entries to remain in the
ARP table before expiring. The no form of this command restores the default value of 14,400
seconds.
arp timeout seconds
no arp timeout
Parameters
seconds
Specifies the time in seconds that an entry remains in the ARP cache. Valid
values are 0-65535. A value of 0 specifies that ARP entries will never be
aged out.
Defaults
14,400 seconds.
Mode
Global configuration: C3(su)->router(Config)#
Example
This example shows how to set the ARP timeout to 7200 seconds:
C3(su)->router(Config)#arp timeout 7200
clear arp-cache
Use this command to delete all nonstatic (dynamic) entries from the ARP table.
Syntax
clear arp-cache
Parameters
None.
Mode
Privileged EXEC: C3(su)->router#
Defaults
None.
Example
This example shows how to delete all dynamic entries from the ARP table:
C3(su)->router#clear arp-cache
Commands
The commands used to configure IP broadcast settings are listed below:
For information about...
ip directed-broadcast
ip helper-address
ip directed-broadcast
Use this command to enable or disable IP directed broadcasts on an interface. The no form of this
command disables IP directed broadcast globally.
Syntax
ip directed-broadcast
no ip directed-broadcast
Parameters
None.
Defaults
None.
Mode
Interface configuration: C3(su)->Router1(Config-if(Vlan 1))#
Example
This example shows how to enable IP directed broadcasts on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip directed-broadcast
ip helper-address
Use this command to enable DHCP/BOOTP relay and the forwarding of local UDP broadcasts
specifying a new destination address on a routing interface. Up to 3 IP helper addresses may be
configured per interface.
The no form of this command disables the forwarding of UDP datagrams to the specified address.
Syntax
ip helper-address address
no ip helper-address address
Parameters
address
Address of the host where UDP broadcast packets should be forwarded.
Defaults
None.
Mode
Interface configuration: C3(su)->Router1(Config-if(Vlan 1))#
Usage
About DHCP/BOOTP Relay
DHCP/BOOTP relay functionality is applied with the help of IP broadcast forwarding. A typical
situation occurs when a host requests an IP address with no DHCP server located on that segment.
A router can forward the DHCP request to a server located on another network if the address of
the DHCP server is configured as a helper address on the receiving interface of the router
forwarding the request, using this command (ip helper-address).
The DHCP/BOOTP relay function will detect the DHCP request and make the necessary changes
to the header, replacing the destination address with the address of the server, and the source with
its own address, and send it to the server. When the response comes from the server, the
DHCP/BOOTP relay function sends it to the host.
Example
This example shows how to forward DHCP/BOOTP broadcasts to a DHCP/BOOTP server with an
IP address of 191.168.1.23 on VLAN 1:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip helper-address 192.168.1.28
Commands
The commands used to review IP traffic and configure routes are listed below:
For information about...
show ip route
ip route
ping
traceroute
show ip route
Use this command to display information about IP routes.
Syntax
show ip route [destination-prefix destination-prefix-mask longer-prefixes |
connected | ospf | rip | static | summary]
Parameters
destination-prefix destination-prefix-mask longer-prefixes
(Optional) Converts the specified address and mask into a prefix and
displays any routes that match the prefix.
connected
(Optional) Displays connected routes.
ospf
(Optional) Displays routes configured for the OSPF routing protocol. For
details on configuring OSPF, refer to "Configuring OSPF" on page 16-12.
rip
(Optional) Displays routes configured for the RIP routing protocol. For
details on configuring RIP, refer to "Configuring RIP" on page 16-2.
static
(Optional) Displays static routes.
summary
(Optional) Displays a summary of the IP routing table.
Defaults
If no parameters are specified, all IP route information will be displayed.
Mode
Any router mode.
Usage
Routes are managed by the RTM (Route Table Manager), and are contained in the RIB (Route
Information Base). This database contains all the active static routes, all the RIP routes, and up to
three best routes to each network as determined by OSPF.
The RTM selects up to three of the best routes to each network and installs these routes in the FIB
(Forwarding Information Base).
Example
This example shows how to display all IP route information. In this case, there are routes directly
connected to VLANs 1 and 2, two static routes connected to VLAN 1 (one indirectly, and one via
another network IP), and one RIP route. Distance/cost is displayed as [x/y]:
C3(su)->router#show ip route
Codes: C connected, S static, R RIP, O OSPF, IA OSPF inter area, N1
OSPF NSSA external type 1, N2 OSPF NSSA external type 2, E1 OSPF external
type 1, E2 OSPF external type 2, * - candidate default, U per user static route
C 192.168.27.0/24 [ 0/0001]
C 192.168.32.0/24 [ 0/0001]
S 2.0.0.0/8 [ 65/0001]
S 3.0.0.0/8 [ 0/0001]
R 1.0.0.0/8 [ 70/0002]
ip route
Use this command to add or remove a static IP route. The no form of this command removes the
static IP route.
Syntax
ip route prefix mask dest-addr [distance]
no ip route prefix mask forward-addr
Parameters
prefix
Specifies a destination IP address prefix.
mask
Specifies a destination prefix mask.
dest-addr
Specifies a forwarding (gateway) IP address.
distance
(Optional) Specifies an administrative distance metric for this route. Valid
values are 1 (default) to 255. Routes with lower values receive higher
preference in route selection.
Defaults
If distance is not specified, the default value of 1 will be applied.
Mode
Global configuration: C3(su)->router(Config)#
Example
This example shows how to set IP address 10.1.2.3 as the next hop gateway to destination address
10.0.0.0:
C3(su)->router(Config)#ip route 10.0.0.0 255.0.0.0 10.1.2.3
ping
Use this command to test routing network connectivity by sending IP ping requests.
Syntax
ping ip-address
Parameters
ip-address
Specifies the IP address of the system to ping.
Defaults
None.
Mode
Privileged EXEC: C3(su)->router#
Usage
This command is also available in switch mode.
Examples
This example shows output from a successful ping to IP address 182.127.63.23:
C3(su)->router#ping 182.127.63.23
182.127.63.23 is alive
This example shows output from an unsuccessful ping to IP address 182.127.63.24:
C3(su)->router#ping 182.127.63.24
no answer from 182.127.63.24
traceroute
Use this command to display a hop-by-hop path through an IP network from the device to a
specific destination host. Three ICMP probes will be transmitted for each hop between the source
and the traceroute destination.
Syntax
traceroute host
Parameters
host
Specifies a host to which the route of an IP packet will be traced.
Defaults
None.
Mode
Privileged EXEC: C3(su)->router#
Usage
There is also a traceroute command available in switch mode.
Example
This example shows how to use traceroute to display a round trip path to host 192.141.90.183.
C3(su)->router#traceroute 192.141.90.183
Traceroute to 192.141.90.183, 30 hops max, 40 byte packets
1 10.1.56.1 0.000 ms 0.000 ms 0.000 ms
2 10.1.48.254 10.000 ms 0.000 ms 0.000 ms
3 10.1.0.2 0.000 ms 0.000 ms 0.000 ms
4 192.141.89.17 0.000 ms 0.000 ms 10.000 ms
5 192.141.100.13 0.000 ms 10.000 ms 0.000 ms
6 192.141.100.6 0.000 ms 0.000 ms 10.000 ms
7 192.141.90.183 0.000 ms 0.000 ms 0.000 ms
16
IPv4 Routing Protocol Configuration
This chapter describes the IPv4 Routing Protocol Configuration set of commands and how to use
them.
Router: The commands covered in this chapter can be executed only when the device is in router
mode. For details on how to enable router configuration modes, refer to Enabling Router
Configuration Modes on page 14-3.
For information about...
Configuring RIP
Configuring OSPF
Configuring DVMRP
Configuring IRDP
Configuring VRRP
Configuring PIM-SM
Configuring RIP
Purpose
To enable and configure the Routing Information Protocol (RIP).
router rip
Use this command to enable or disable RIP configuration mode. The no form of this command
disables RIP.
Syntax
router rip
no router rip
Parameters
None.
Defaults
None.
Mode
Global configuration: C3(su)->router(Config)#
Usage
You must execute the router rip command to enable the protocol before completing many
RIP-specific configuration tasks. For details on enabling configuration modes, refer to Table 14-2 in
"Enabling Router Configuration Modes" on page 14-3.
Example
This example shows how to enable RIP:
C3(su)->router#configure
C3(su)->router(Config)#router rip
C3(su)->router(Config-router)#
ip rip enable
Use this command to enable RIP on an interface. The no form of this command disables RIP on an
interface:
Syntax
ip rip enable
no ip rip enable
Parameters
None.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable RIP on the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip rip enable
distance
Use this command to configure the administrative distance for RIP routes. The no form of this
command resets RIP administrative distance to the default value of 120.
Syntax
distance weight
no distance [weight]
Parameters
weight
Specifies an administrative distance for RIP routes. Valid values are 1-255.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
If several routes (coming from different protocols) are presented to the SecureStack C3 Route
Table Manager (RTM), the protocol with the lowest administrative distance will be chosen for
route installation. By default, RIP administrative distance is set to 120. The distance command can
be used to change this value, resetting RIP's route preference in relation to other routes as shown
in the table below.
Route Source    Default Distance
Connected
Static
OSPF            110
RIP             120
Example
This example shows how to change the default administrative distance for RIP to 100:
C3(su)->router(Config)#router rip
C3(su)->router(Config-router)#distance 100
ip rip send version
Syntax
ip rip send version {1 | 2 | r1compatible}
no ip rip send version
Parameters
1
Specifies RIP version 1.
2
Specifies RIP version 2. This is the default setting.
r1compatible
Specifies that packets be sent as version 2 packets, but transmits these as
broadcast packets rather than multicast packets so that systems which only
understand RIP version 1 can receive them.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the RIP send version to 2 for packets transmitted on the VLAN 1
interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip rip send version 2
ip rip receive version
Syntax
ip rip receive version {1 | 2 | 1 2 | none}
no ip rip receive version
Parameters
1
Specifies RIP version 1.
2
Specifies RIP version 2. This is the default setting.
1 2
Specifies RIP versions 1 and 2.
none
Specifies that no RIP routes will be processed on this interface.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Defaults
None.
Example
This example shows how to set the RIP receive version to 2 for update packets received on the
VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip rip receive version 2
ip rip authentication-key
Use this command to enable or disable a RIP authentication key (password) for use on an
interface. The no form of this command prevents RIP from using authentication.
Syntax
ip rip authentication-key name
no ip rip authentication key
Parameters
name
Specifies the password to enable or disable for RIP authentication.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Examples
This example shows how to set the RIP authentication key chain to password on the VLAN 1
interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip rip authentication-key password
ip rip message-digest-key
Use this command to enable or disable a RIP MD5 authentication key (password) for use on an
interface. The no form of this command prevents RIP from using authentication.
Syntax
ip rip message-digest-key keyid md5 key
no ip rip message-digest-key keyid
Parameters
keyid
Specifies the key ID to enable or disable for RIP authentication. Valid values
are 1 to 255.
md5
Specifies use of the MD5 algorithm.
key
Specifies the RIP authentication password.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Defaults
None.
Examples
This example shows how to set the MD5 authentication ID to 5 for the RIP authentication key set
on the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip rip message-digest-key 5 md5 password
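An added example, not part of the guide: a small auditor that reads the RIP interface commands described above and reports which VLAN interfaces accept RIP updates without MD5 authentication. The configuration text is constructed; its block layout (closed by "exit"), last-command-wins handling, and RFC 2453 behavior (simple passwords sent in cleartext, RIPv1 updates unauthenticated) are assumptions about the device.

```python
import re

# Constructed sample. Command syntax is the guide's; the layout of a saved
# configuration (blocks closed by "exit") is an assumption.
SAMPLE_CONFIG = """\
interface vlan 1
 ip rip enable
 ip rip message-digest-key 5 md5 password
exit
interface vlan 2
 ip rip enable
 ip rip authentication-key password
exit
interface vlan 3
 ip rip enable
 ip rip message-digest-key 7 md5 example-key
 ip rip receive version 1 2
exit
interface vlan 4
 ip rip enable
exit
interface vlan 5
 ip rip enable
 ip rip authentication-key oldkey
 no ip rip authentication-key
exit
router rip
 no receive-interface vlan 4
exit
"""

# Interface-mode commands and their effect on the tracked state.
INTERFACE_RULES = [
    (r"(no )?ip rip enable", lambda st, m: st.update(rip=not m.group(1))),
    (r"ip rip authentication-key \S+", lambda st, m: st.update(auth="simple")),
    (r"ip rip message-digest-key \d+ md5 \S+", lambda st, m: st.update(auth="md5")),
    # Both no forms "prevent RIP from using authentication" per the guide.
    (r"no ip rip (authentication[- ]key|message-digest-key \d+)",
     lambda st, m: st.update(auth="none")),
    (r"ip rip receive version (1 2|1|2|none)", lambda st, m: st.update(rx=m.group(1))),
    (r"no ip rip receive version", lambda st, m: st.update(rx="2")),
]


def new_state():
    # Receive version 2 is the default stated in the guide.
    return {"rip": False, "auth": "none", "rx": "2", "accept": True}


def parse(config):
    """Return {vlan_id: state} from interface and router rip blocks."""
    ifaces, current, in_rip = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"interface vlan (\d+)", line)
        if m:
            current, in_rip = int(m.group(1)), False
            ifaces.setdefault(current, new_state())
        elif line == "router rip":
            current, in_rip = None, True
        elif line == "exit":
            current, in_rip = None, False
        elif in_rip:
            m = re.fullmatch(r"(no )?receive-interface vlan (\d+)", line)
            if m:
                ifaces.setdefault(int(m.group(2)), new_state())["accept"] = not m.group(1)
        elif current is not None:
            for pattern, apply in INTERFACE_RULES:
                m = re.fullmatch(pattern, line)
                if m:
                    apply(ifaces[current], m)
                    break
    return ifaces


def audit(config):
    """Return (vlan, severity, message) for every RIP interface worth reviewing."""
    findings = []
    for vlan, st in sorted(parse(config).items()):
        if not st["rip"]:
            continue
        if not st["accept"] or st["rx"] == "none":
            findings.append((vlan, "info", "RIP enabled but updates are not accepted"))
        elif st["auth"] == "none":
            findings.append((vlan, "high", "accepts unauthenticated RIP updates"))
        elif st["auth"] == "simple":
            findings.append((vlan, "medium", "simple password travels in cleartext"))
        elif "1" in st["rx"]:
            findings.append((vlan, "medium", "MD5 set, but RIPv1 updates carry no authentication"))
    return findings


if __name__ == "__main__":
    for vlan, severity, message in audit(SAMPLE_CONFIG):
        print(f"vlan {vlan}: [{severity}] {message}")
```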
no auto-summary
Use this command to disable automatic route summarization.
Syntax
no auto-summary
auto-summary
Parameters
None.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
By default, RIP version 2 supports automatic route summarization, which summarizes
subprefixes to the classful network boundary when crossing network boundaries. Disabling
automatic route summarization enables CIDR, allowing RIP to advertise all subnets and host
routing information on the SecureStack C3 device. To verify which routes are summarized for an
interface, use the show ip route command as described in "show ip route" on page 15-19. The
reverse of the command re-enables automatic route summarization.
Note: This command is necessary for enabling CIDR for RIP on the SecureStack C3 device.
Example
This example shows how to disable RIP automatic route summarization:
C3(su)->router(Config)#router rip
C3(su)->router(Config-router)#no auto-summary
split-horizon poison
Use this command to enable or disable split horizon poison reverse mode for RIP packets. The no
form of this command disables split horizon poison reverse.
Syntax
split-horizon poison
no split-horizon poison
Parameters
None.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
Split horizon prevents packets from exiting through the same interface on which they were
received. Poison reverse explicitly indicates that a network is unreachable, rather than implying it
by not including the network in routing updates.
Example
This example shows how to disable split horizon poison reverse for RIP packets transmitted on
the VLAN 1 interface:
C3(su)->router(Config)#router rip
C3(su)->Router1(Config-router)#no split-horizon poison
passive-interface
Use this command to prevent RIP from transmitting update packets on an interface. The no form
of this command disables passive interface.
Syntax
passive-interface vlan vlan-id
no passive-interface vlan vlan-id
Parameters
vlan vlan-id
Specifies the number of the VLAN to make a passive interface. This VLAN
must be configured for IP routing as described in "Pre-Routing
Configuration Tasks" on page 14-1.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
This command does not prevent RIP from monitoring updates on the interface.
Example
This example shows how to set VLAN 2 as a passive interface. No RIP updates will be transmitted
on VLAN 2:
C3(su)->router(Config)#router rip
C3(su)->router(Config-router)#passive-interface vlan 2
receive-interface
Use this command to allow RIP to receive update packets on an interface. The no form of this
command denies the reception of RIP updates.
Syntax
receive-interface vlan vlan-id
no receive-interface vlan vlan-id
Parameters
vlan vlan-id
Specifies the number of the VLAN to make a receive interface. This VLAN
must be configured for IP routing as described in "Pre-Routing
Configuration Tasks" on page 14-1.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
This command does not affect the sending of RIP updates on the specified interface.
Example
This example shows how to deny the reception of RIP updates on VLAN 2:
C3(su)->router(Config)#router rip
C3(su)->router(Config-router)#no receive-interface vlan 2
redistribute
Use this command to allow routing information discovered through non-RIP protocols to be
distributed in RIP update messages. The no form of this command clears redistribution
parameters.
Syntax
redistribute {connected | ospf process-id | static} [metric metric value]
[subnets]
no redistribute {connected | ospf process-id | static}
Parameters
connected
Specifies that non-RIP routing information discovered via directly
connected interfaces will be redistributed.
ospf
Specifies that OSPF routing information will be redistributed in RIP.
process-id
Specifies the process ID, an internally used identification number for each
instance of the OSPF routing process run on a router. Valid values are 1 to
65535.
static
Specifies that non-RIP routing information discovered via static routes will
be redistributed. Static routes are those created using the ip route
command detailed in "ip route" on page 15-20.
metric metric value
(Optional) Specifies a metric for the connected, OSPF or static
redistribution route. This value should be consistent with the designation
protocol.
subnets
(Optional) Specifies that connected, OSPF or static routes that are
subnetted will be redistributed.
Mode
Router configuration: C3(su)->router(Config-router)#
Defaults
If metric value is not specified, 1 will be applied.
If subnets is not specified, only non-subnetted routes will be redistributed.
Example
This example shows how to redistribute routing information discovered through OSPF process ID
1 non-subnetted routes into RIP update messages:
C3(su)->router(Config)#router rip
C3(su)->router(Config-router)#redistribute ospf 1
Configuring OSPF
* Advanced License Required *
OSPF is an advanced routing feature that must be enabled with a license key. If you have purchased an
advanced license key, and have enabled routing on the device, you must activate your license as described in
Activating Licensed Features on page 3-29 in order to enable the OSPF command set. If you wish to
purchase an advanced routing license, contact Enterasys Networks Sales.
Purpose
To enable and configure the Open Shortest Path First (OSPF) routing protocol.
Table 16-2
router id
Use this command to set the OSPF router ID for the device. This IP address must be set manually
in order to run OSPF. The no form of this command removes the router ID for the device.
Syntax
router id ip-address
no router id
Parameters
ip-address
Specifies the IP address that OSPF will use as the router ID.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Example
This example shows how to set the OSPF router ID to IP address 182.127.62.1:
C3(su)->router(Config-router)#router id 182.127.62.1
router ospf
Use this command to enable or disable Open Shortest Path First (OSPF) configuration mode. The
no form of this command disables OSPF configuration mode.
Syntax
router ospf process-id
no router ospf process-id
Parameters
process-id
Specifies the process ID, an internally used identification number for an
OSPF routing process run on a router. Only one OSPF process is allowed per
stack. Valid values are 1 to 65535.
Defaults
None.
Mode
Global configuration: C3(su)->router(Config)#
Usage
You must execute the router ospf command to enable the protocol before completing many
OSPF-specific configuration tasks. For details on enabling configuration modes, refer to Table 14-2 in
"Enabling Router Configuration Modes" on page 14-3.
Only one OSPF process (process-id) is allowed per SecureStack C3 router.
Example
This example shows how to enable routing for OSPF process 1:
C3(su)->router#conf terminal
C3(su)->router(Config)#router ospf 1
C3(su)->router(Config-router)#
1583compatibility
Use this command to enable RFC 1583 compatibility on OSPF interfaces. The no form of this
command disables RFC 1583 compatibility on OSPF interfaces.
Syntax
1583compatability
no 1583compatability
Parameters
None.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Example
This example shows how to enable RFC 1583 compatibility:
C3(su)->router(Config)#router ospf 1
C3(su)->router(Config-router)#1583compatability
ip ospf enable
Use this command to enable OSPF on an interface. The no form of this command disables OSPF on
an interface.
Syntax
ip ospf enable
no ip ospf enable
Parameters
None.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable OSPF on the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip ospf enable
ip ospf areaid
Use this command to configure area IDs for OSPF interfaces. If OSPF is enabled on an interface as
described in "ip ospf enable" on page 16-16, the OSPF area will default to 0.0.0.0. The no form of
this command removes OSPF routing for the interfaces.
Syntax
ip ospf areaid area-id
no ip ospf areaid
Parameters
area-id
Specifies the area-id to be associated with the OSPF interface. Valid values
are decimal values or IP addresses.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to configure the VLAN 1 interface as area 0.0.0.31:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip ospf areaid 0.0.0.31
ip ospf cost
Use this command to set the cost of sending an OSPF packet on an interface. The no form of this
command resets the OSPF cost to the default of 10.
Syntax
ip ospf cost cost
no ip ospf cost
Parameters
cost
Specifies the cost of sending a packet. Valid values range from 1 to 65535.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
Each router interface that participates in OSPF routing is assigned a default cost. This command
overwrites the default of 10.
Example
This example shows how to set the OSPF cost to 20 for the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip ospf cost 20
ip ospf priority
Use this command to set the OSPF priority value for router interfaces. The no form of this
command resets the value to the default of 1.
Syntax
ip ospf priority number
no ip ospf priority
Parameters
number
Specifies the router's OSPF priority in a range from 0 to 255. Default value is
1.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
The priority value is communicated between routers by means of hello messages and influences
the election of a designated router.
Example
This example shows how to set the OSPF priority to 20 for the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip ospf priority 20
timers spf
Use this command to change OSPF timer values to fine-tune the OSPF network. The no form of
this command restores the default timer values (5 seconds for delay and 10 seconds for holdtime).
Syntax
timers spf spf-delay spf-hold
no timers spf
Parameters
spf-delay
Specifies the delay, in seconds, between the receipt of an update and the SPF
execution. Valid values are 0 to 4294967295.
spf-hold
Specifies the minimum amount of time, in seconds, between two
consecutive OSPF calculations. Valid values are 0 to 4294967295. A value of
0 means that two consecutive OSPF calculations are performed one
immediately after the other.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Example
This example shows how to set SPF delay time to 7 seconds and hold time to 3:
C3(su)->router(Config)#router ospf 1
C3(su)->router(Config-router)#timers spf 7 3
ip ospf retransmit-interval
Use this command to set the amount of time between retransmissions of link state advertisements
(LSAs) for adjacencies that belong to an interface. The no form of this command resets the
retransmit interval value to the default, 5 seconds.
Syntax
ip ospf retransmit-interval seconds
no ip ospf retransmit-interval
Parameters
seconds
Specifies the retransmit time in seconds. Valid values are 1 to 65535.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the OSPF retransmit interval for the VLAN 1 interface to 20:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip ospf retransmit-interval 20
ip ospf transmit-delay
Use this command to set the amount of time required to transmit a link state update packet on an
interface. The no form of this command resets the retransmit interval value to the default, 1
second.
Syntax
ip ospf transmit-delay seconds
no ip ospf transmit-delay
Parameters
seconds
Specifies the transmit delay in seconds. Valid values are from 1 to 65535.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the time required to transmit a link state update packet on the
VLAN 1 interface at 20 seconds:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip ospf transmit-delay 20
ip ospf hello-interval
Use this command to set the number of seconds a router must wait before sending a hello packet
to neighbor routers on an interface. The no form of this command sets the hello interval value to
the default value of 10 seconds.
Syntax
ip ospf hello-interval seconds
no ip ospf hello-interval
Parameters
seconds
Specifies the hello interval in seconds. Hello interval must be the same on
neighboring routers (on a specific subnet), but can vary between subnets.
This parameter is an unsigned integer with valid values between 1 and
65535.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the hello interval to 5 for the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip ospf hello-interval 5
ip ospf dead-interval
Use this command to set the number of seconds a router must wait to receive a hello packet from
its neighbor before determining that the neighbor is out of service. The no form of this command
sets the dead interval value to the default value of 40 seconds.
Syntax
ip ospf dead-interval seconds
no ip ospf dead-interval
Parameters
seconds
Specifies the number of seconds that a router must wait to receive a hello
packet before declaring the neighbor as dead and removing it from the
OSPF neighbor list. Dead interval must be the same on neighboring routers
(on a specific subnet), but can vary between subnets. This parameter is an
unsigned integer ranging from 1 to 65535. Default value is 40 seconds.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the dead interval to 20 for the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip ospf dead-interval 20
ip ospf authentication-key
Use this command to assign a password to be used by neighboring routers using OSPF's simple
password authentication. The no form of this command removes an OSPF authentication
password on an interface.
Syntax
ip ospf authentication-key password
no ip ospf authentication-key
Parameters
password
Specifies an OSPF authentication password. Valid values are alphanumeric
strings up to 8 characters in length.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
This password is used as a key that is inserted directly into the OSPF header in routing protocol
packets. A separate password can be assigned to each OSPF network on a per-interface basis.
All neighboring routers on the same network must have the same password configured to be able
to exchange OSPF information.
Example
This example shows how to enable an OSPF authentication key on the VLAN 1 interface with the
password yourpass:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip ospf authentication-key yourpass
ip ospf message-digest-key
Syntax
ip ospf message-digest-key keyid md5 key
no ip ospf message-digest-key keyid
Parameters
keyid
Specifies the key identifier on the interface where MD5 authentication is
enabled. Valid values are integers from 1 to 255.
key
Specifies a password for MD5 authentication to be used with the keyid. Valid
values are alphanumeric strings of up to 16 characters.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable OSPF MD5 authentication on the VLAN 1 interface, set the key
identifier to 20, and set the password to passone:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip ospf message-digest-key 20 md5 passone
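An added example, not from the guide, showing what the two OSPF authentication commands put on the wire: with ip ospf authentication-key the password sits in the header and is readable from any captured packet, while with ip ospf message-digest-key only a key ID, a sequence number and an MD5 digest are sent. It assumes the device follows RFC 2328 Appendix D, which the guide does not state; the function names and the Hello packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

# OSPFv2 header (RFC 2328 A.3.1): version, type, length, router ID, area ID,
# checksum, AuType, 8-byte authentication field.
HDR = struct.Struct("!BBH4s4sHH8s")
AU_SIMPLE, AU_MD5 = 1, 2


def ip(dotted):
    return bytes(int(part) for part in dotted.split("."))


def inet_checksum(data):
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def hello_body(mask="255.255.255.0", hello=10, priority=1, dead=40):
    # Constructed Hello using the guide's defaults (hello 10 s, dead 40 s, priority 1).
    return struct.pack("!4sHBBI4s4s", ip(mask), hello, 0x02, priority, dead,
                       ip("0.0.0.0"), ip("0.0.0.0"))


def build_simple(body, router_id, area_id, password):
    auth = password.encode()
    if len(auth) > 8:
        raise ValueError("simple password is limited to 8 characters")
    length = HDR.size + len(body)
    # The checksum excludes the authentication field, so compute it with zeros there.
    blank = HDR.pack(2, 1, length, ip(router_id), ip(area_id), 0, AU_SIMPLE, b"\0" * 8)
    cksum = inet_checksum(blank + body)
    return HDR.pack(2, 1, length, ip(router_id), ip(area_id), cksum, AU_SIMPLE,
                    auth.ljust(8, b"\0")) + body


def build_md5(body, router_id, area_id, key_id, key, seq):
    secret = key.encode()
    if len(secret) > 16:
        raise ValueError("MD5 key is limited to 16 characters")
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)  # 0, key ID, digest length, sequence
    header = HDR.pack(2, 1, HDR.size + len(body), ip(router_id), ip(area_id), 0, AU_MD5, auth)
    digest = hashlib.md5(header + body + secret.ljust(16, b"\0")).digest()
    return header + body + digest  # the digest is appended, not counted in length


def exposed_secret(packet):
    """Return the shared secret readable from a captured packet, or None."""
    autype, auth = HDR.unpack(packet[:HDR.size])[6:8]
    return auth.rstrip(b"\0").decode() if autype == AU_SIMPLE else None


def verify(packet, password=None, md5_keys=None, last_seq=-1):
    """Receiver-side check; returns (accepted, reason)."""
    length, autype, auth = (HDR.unpack(packet[:HDR.size])[i] for i in (2, 6, 7))
    if autype == AU_SIMPLE:
        ok = password is not None and hmac.compare_digest(auth, password.encode().ljust(8, b"\0"))
        return ok, "simple password match" if ok else "simple password mismatch"
    if autype == AU_MD5:
        _, key_id, digest_len, seq = struct.unpack("!HBBI", auth)
        key = (md5_keys or {}).get(key_id)
        if key is None:
            return False, "unknown key id"
        if seq < last_seq:  # replayed or out-of-date packet
            return False, "stale sequence number"
        expected = hashlib.md5(packet[:length] + key.encode().ljust(16, b"\0")).digest()
        ok = hmac.compare_digest(expected, packet[length:length + digest_len])
        return ok, "digest match" if ok else "digest mismatch"
    return False, "unauthenticated"


if __name__ == "__main__":
    body = hello_body()
    simple = build_simple(body, "182.127.62.1", "0.0.0.0", "yourpass")
    md5 = build_md5(body, "182.127.62.1", "0.0.0.0", 20, "passone", 1000)
    print("simple auth capture reveals:", exposed_secret(simple))
    print("MD5 auth capture reveals:", exposed_secret(md5))
    print("MD5 verify:", verify(md5, md5_keys={20: "passone"}, last_seq=999))
```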
distance ospf
Use this command to configure the administrative distance for OSPF routes. The no form of this
command resets OSPF administrative distance to the default values.
Syntax
distance ospf {external | inter-area | intra-area} weight
no distance ospf {external | inter-area | intra-area}
Parameters
external | inter-area | intra-area
Applies the distance value to external (type 5 and type 7), to inter-area, or to
intra-area routes.
Note: The value for intra-area distance must be less than the value for
inter-area distance, which must be less than the value for external distance.
weight
Specifies an administrative distance for OSPF routes. Valid values are 1-255.
Defaults
If route type is not specified, the distance value will be applied to all OSPF routes.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
If several routes (coming from different protocols) are presented to the SecureStack C3 Route
Table Manager (RTM), the protocol with the lowest administrative distance will be chosen for
route installation. By default, OSPF administrative distance is set to 110. The distance ospf
command can be used to change this value, resetting OSPF's route preference in relation to other
routes as shown in the table below.
Route Source
Default Distance
Connected
Static
OSPF
RIP
15
Example
This example shows how to change the default administrative distance for external OSPF routes to
100:
C3(su)->router(Config)#router ospf 1
C3(su)->router(Config-router)#distance ospf external 100
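An added example, not the device's own code: a model of the route selection described under both distance (RIP) and distance ospf, which lists the prefixes whose winning protocol would change before a new distance is committed. Connected = 0 is read from the sample show ip route output, the other defaults are the guide's; the candidate routes are constructed, and treating the three installed routes as equal-cost paths from one source is an assumption.

```python
from collections import defaultdict
from ipaddress import ip_network

# Connected = 0 is read off the [x/y] column of the sample "show ip route"
# output; static, OSPF and RIP defaults are the ones stated in this guide.
DEFAULT_DISTANCE = {"connected": 0, "static": 1, "ospf": 110, "rip": 120}
MAX_PATHS = 3  # the RTM installs up to three best routes per network


def install(candidates, overrides=None):
    """Return {prefix: (source, distance, [next hops])} as the RTM would choose."""
    table = dict(DEFAULT_DISTANCE)
    for source, weight in (overrides or {}).items():
        if source not in ("ospf", "rip") or not 1 <= weight <= 255:
            raise ValueError("distance applies to ospf or rip, weight 1-255")
        table[source] = weight

    def distance(route):
        # A static route may carry its own distance: ip route ... [distance]
        return route.get("distance", table[route["source"]])

    by_prefix = defaultdict(list)
    for route in candidates:
        by_prefix[ip_network(route["prefix"])].append(route)

    fib = {}
    for prefix in sorted(by_prefix):
        # Lowest administrative distance first, then lowest metric.
        routes = sorted(by_prefix[prefix], key=lambda r: (distance(r), r["metric"]))
        best = routes[0]
        paths = [r["next_hop"] for r in routes
                 if r["source"] == best["source"]
                 and distance(r) == distance(best)
                 and r["metric"] == best["metric"]]
        fib[str(prefix)] = (best["source"], distance(best), paths[:MAX_PATHS])
    return fib


def preference_changes(candidates, overrides):
    """Prefixes whose winning route source differs once overrides are applied."""
    before, after = install(candidates), install(candidates, overrides)
    return [(p, before[p][0], after[p][0]) for p in before if before[p][0] != after[p][0]]


# Constructed candidate routes (not taken from a real device).
CANDIDATES = [
    {"prefix": "10.0.0.0/8", "source": "ospf", "next_hop": "192.168.27.2", "metric": 20},
    {"prefix": "10.0.0.0/8", "source": "rip", "next_hop": "192.168.32.9", "metric": 2},
    {"prefix": "172.16.0.0/16", "source": "rip", "next_hop": "192.168.32.9", "metric": 3},
    # Floating static: configured with distance 130, so RIP (120) is preferred.
    {"prefix": "172.16.0.0/16", "source": "static", "next_hop": "192.168.27.1",
     "metric": 1, "distance": 130},
] + [
    # Four equal-cost OSPF paths; only three can be installed.
    {"prefix": "3.0.0.0/8", "source": "ospf", "next_hop": f"192.168.27.{n}", "metric": 10}
    for n in range(2, 6)
]

if __name__ == "__main__":
    print("defaults:", install(CANDIDATES))
    # Effect of "distance 100" under router rip: RIP now outranks OSPF (110).
    print("changes:", preference_changes(CANDIDATES, {"rip": 100}))
```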
area range
Use this command to define the range of addresses to be used by Area Border Routers (ABRs)
when they communicate routes to other areas. Each SecureStack C3 stack can support up to 4
OSPF areas. The no form of this command stops the routes from being summarized.
Syntax
area area-id range ip-address ip-mask [advertise | no-advertise]
no area area-id range ip-address ip-mask
Parameters
area-id
Specifies the area from which routes are to be summarized. This is a
decimal value from 0 to 429496295.
ip-address
Specifies the IP address associated with the area ID.
ip-mask
Specifies the mask for the IP address.
advertise | no-advertise
(Optional) Enters address range in advertise mode, or do not advertise
mode.
Defaults
If not specified, advertise mode will be set.
Mode
Router configuration: C3(su)->router(Config-router)#
Example
This example shows how to define the address range as 172.16.0.0/16 for summarized routes from
area 0.0.0.8:
C3(su)->router(Config)#router ospf 1
C3(su)->router(Config-router)#area 0.0.0.8 range 172.16.0.0 255.255.0.0
area stub
Use this command to define an OSPF area as a stub area. This is an area into which Autonomous
System external ASAs will not be flooded. The no form of this command changes the stub back to
a plain area.
Syntax
area area-id stub [no-summary]
no area area-id stub [no-summary]
Parameters
area-id
Specifies the stub area. Valid values are decimal values or ip addresses.
no-summary
(Optional) Prevents an Area Border Router (ABR) from sending Link State
Advertisements (LSAs) into the stub area. When this parameter is used, it
means that all destinations outside of the stub area are represented by
means of a default route.
Mode
Router configuration: C3(su)->router(Config-router)#
Defaults
If no-summary is not specified, the stub area will be able to receive LSAs.
Example
The following example shows how to define OSPF area 10 as a stub area:
C3(su)->router(Config)#router ospf 1
C3(su)->router(Config-router)#area 10 stub
area default-cost
Syntax
area area-id default-cost cost
no area area-id default-cost
Parameters
area-id
Specifies the stub area. Valid values are decimal values or IP addresses.
cost
Specifies a cost value for the summary route that is sent into a stub area by
default. Valid values are 24-bit numbers, from 0 to 16777215.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
The use of this command is restricted to ABRs attached to stub and NSSA areas.
Example
This example shows how to set the cost value for stub area 10 to 99:
C3(su)->router(Config)#router ospf 1
C3(su)->router(Config-router)#area 10 default-cost 99
area nssa
Use this command to configure an area as a Not So Stubby Area (NSSA). The no form of this
command changes the NSSA back to a plain area.
Syntax
area area-id nssa [default-information-originate]
no area area-id nssa [default-information-originate]
Parameters
area-id
Specifies the NSSA area. Valid values are decimal values or IP addresses.
default-information-originate
(Optional) Generates a default of Type 7 into the NSSA. This is used when
the router is an NSSA ABR.
Defaults
If default-information-originate is not specified, no default type will be generated.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
An NSSA allows some external routes represented by external Link State Advertisements (LSAs)
to be imported into it. This is in contrast to a stub area that does not allow any external routes.
External routes that are not imported into an NSSA can be represented by means of a default
route. This configuration is used when an OSPF internetwork is connected to multiple non-OSPF
routing domains.
Example
This example shows how to configure area 10 as an NSSA area:
C3(su)->router(Config)#router ospf 1
C3(su)->router(Config-router)#area 10 nssa default-information-originate
area virtual-link
Use this command to define an OSPF virtual link, which represents a logical connection between
the backbone and a non-backbone OSPF area. The no form of this command removes the virtual
link and/or its associated settings.
Syntax
area area-id virtual-link router-id
no area area-id virtual-link router-id
In addition to the syntax above, the options for using this command are:
area area-id virtual-link router-id authentication-key key
no area area-id virtual-link router-id authentication-key key
area area-id virtual-link router-id dead-interval seconds
no area area-id virtual-link router-id dead-interval seconds
area area-id virtual-link router-id hello-interval seconds
no area area-id virtual-link router-id hello-interval seconds
area area-id virtual-link router-id retransmit-interval seconds
no area area-id virtual-link router-id retransmit-interval seconds
area area-id virtual-link router-id transmit-delay seconds
no area area-id virtual-link router-id transmit-delay seconds
Parameters
areaid
Specifiesthetransitareaforthevirtuallink.Validvaluesaredecimalvalues
orIPaddresses.Atransitareaisanareathroughwhichavirtuallinkis
established.
routerid
SpecifiestherouterIDofthevirtuallinkneighbor.
authentication
keykey
Specifiesapasswordtobeusedbythevirtuallink.Validvaluesare
alphanumericstringsofupto8characters.Neighborvirtuallinkrouterson
anetworkmusthavethesamepassword.
deadinterval
seconds
Specifiesthenumberofsecondsthataroutermustwaittoreceiveahello
packetbeforedeclaringtheneighborasdeadandremovingitfromthe
OSPFneighborlist.Thisvaluemustbethesameforallvirtuallinksattached
toacertainsubnet,anditisavaluerangingfrom1to8192.
hellointerval
seconds
Specifiesthenumberofsecondsbetweenhellopacketsonthevirtuallink.
Thisvaluemustbethesameforallvirtuallinksattachedtoanetworkandit
isavaluerangingfrom1to8192.
retransmit
intervalseconds
Specifiesthenumberofsecondsbetweensuccessiveretransmissionsofthe
sameLSAs.Validvaluesaregreaterthantheexpectedamountoftime
requiredfortheupdatepackettoreachandreturnfromtheinterface,and
rangefrom1to8192.Defaultis5seconds.
transmitdelay
seconds
Specifiestheestimatednumberofsecondsbeforealinkstateupdatepacket
ontheinterfacetobetransmitted.Validvaluesrangefrom1to8192.Default
is1second.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Example
This example shows how to configure a virtual link over transit area 0.0.0.2 to router ID
192.168.7.2:
C3(su)->router(Config)#router ospf 1
C3(su)->router(Config-router)#area 0.0.0.2 virtual-link 192.168.7.2
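The parameter list above requires the password, hello interval and dead interval to match on neighboring virtual link routers. The following Python check is an added example, not part of the Enterasys guide: it compares the virtual-link commands from both ends of one link and applies the documented value ranges. The local router ID 192.168.7.1, the key strings and both sample configurations are constructed, and findings never echo the key itself.

```python
import ipaddress
import re

TIMERS = ("dead-interval", "hello-interval", "retransmit-interval", "transmit-delay")
MUST_MATCH = ("authentication-key", "hello-interval", "dead-interval")
VLINK_RE = re.compile(r"(no )?area (\S+) virtual-link (\S+)(?: (\S+) (\S+))?$")


def normalize_area(area_id):
    """Area IDs may be decimal or dotted; compare them in dotted form."""
    value = int(area_id) if area_id.isdigit() else area_id
    return str(ipaddress.IPv4Address(value))


def parse_vlinks(config_text):
    """Return {(transit area, neighbor router-id): {option: value}}."""
    links = {}
    for raw in config_text.splitlines():
        # Drop the CLI prompt (everything up to the first '#') if present.
        m = VLINK_RE.match(raw.split("#", 1)[-1].strip())
        if not m:
            continue
        negated, area, rid, opt, val = m.groups()
        key = (normalize_area(area), rid)
        if negated and opt is None:
            links.pop(key, None)               # "no area ... virtual-link rid"
        elif negated:
            links.get(key, {}).pop(opt, None)  # "no ... <option> <value>"
        else:
            link = links.setdefault(key, {})
            if opt:
                link[opt] = val
    return links


def check_link(local_cfg, local_rid, remote_cfg, remote_rid):
    """Compare both ends of the virtual link; return a list of problems."""
    problems = []
    mine = {a: o for (a, rid), o in parse_vlinks(local_cfg).items() if rid == remote_rid}
    theirs = {a: o for (a, rid), o in parse_vlinks(remote_cfg).items() if rid == local_rid}
    for area in sorted(set(mine) | set(theirs)):
        if area not in mine or area not in theirs:
            problems.append(f"area {area}: virtual link defined on one end only")
            continue
        for side, opts in (("local", mine[area]), ("remote", theirs[area])):
            for t in TIMERS:
                if t in opts and not (opts[t].isdigit() and 1 <= int(opts[t]) <= 8192):
                    problems.append(f"area {area}: {side} {t} {opts[t]} is outside 1..8192")
            key = opts.get("authentication-key")
            if key is not None and not (key.isalnum() and len(key) <= 8):
                problems.append(f"area {area}: {side} authentication-key is not "
                                "alphanumeric with at most 8 characters")
        for opt in MUST_MATCH:
            if mine[area].get(opt) != theirs[area].get(opt):
                problems.append(f"area {area}: {opt} differs or is set on one end only")
    return problems


# Constructed sample configurations for the two ends of one virtual link.
LOCAL = """\
C3(su)->router(Config-router)#area 0.0.0.2 virtual-link 192.168.7.2
C3(su)->router(Config-router)#area 0.0.0.2 virtual-link 192.168.7.2 authentication-key s3cretk1
C3(su)->router(Config-router)#area 0.0.0.2 virtual-link 192.168.7.2 hello-interval 10
C3(su)->router(Config-router)#area 0.0.0.2 virtual-link 192.168.7.2 dead-interval 40
"""
REMOTE = """\
C3(su)->router(Config-router)#area 2 virtual-link 192.168.7.1
C3(su)->router(Config-router)#area 2 virtual-link 192.168.7.1 authentication-key s3cretk2
C3(su)->router(Config-router)#area 2 virtual-link 192.168.7.1 hello-interval 10
C3(su)->router(Config-router)#area 2 virtual-link 192.168.7.1 dead-interval 9000
"""

if __name__ == "__main__":
    for problem in check_link(LOCAL, "192.168.7.1", REMOTE, "192.168.7.2"):
        print(problem)
```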
redistribute
Use this command to allow routing information discovered through non-OSPF protocols to be
distributed in OSPF update messages. The no form of this command clears redistribution
parameters.
Syntax
redistribute {connected | rip | static} [metric metric-value] [metric-type type-value] [subnets]
no redistribute {connected | rip | static}
Parameters
connected
Specifies that non-OSPF information discovered via directly connected
interfaces will be redistributed.
rip
Specifies that RIP routing information will be redistributed in OSPF.
static
Specifies that non-OSPF information discovered via static routes will be
redistributed. Static routes are those created using the ip route command
detailed in ip route on page 15-20.
metric metric-value
(Optional) Specifies a metric for the connected, RIP or static redistribution
route. This value should be consistent with the designation protocol.
metric-type type-value
(Optional) Specifies the external link type associated with the default
connected, RIP or static route advertised into the OSPF routing domain.
Valid values are 1 for type 1 external route, and 2 for type 2 external route.
subnets
(Optional) Specifies that connected, RIP, or static routes that are subnetted
routes will be redistributed.
Defaults
If metric-value is not specified, 0 will be applied.
If type-value is not specified, type 2 (external route) will be applied.
If subnets is not specified, only the shortest prefix matching routes will be redistributed.
Mode
Router configuration: C3(su)->router(Config-router)#
Example
This example shows how to redistribute RIP routing information to non-subnetted routes in OSPF
routes:
C3(su)->router(Config)#router ospf
C3(su)->router(Config-router)#redistribute rip
show ip ospf
Use this command to display OSPF information.
Syntax
show ip ospf
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display OSPF information:
C3(su)->router#show ip ospf
Routing process "ospf 1" with ID 155.155.155.155
Supports only Normal TOS route.
It is not an area border router and is an autonomous system boundary router.
Redistributing External Routes from static
Number of areas in this router is 2
Area 0.0.0.0
SPF algorithm executed 0 times
Area ranges are
Link State Age Interval is 10
Area 0.0.0.8
SPF algorithm executed 302 times
Area ranges are
Link State Age Interval is 10
Syntax
show ip ospf database
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display all OSPF link state database information. This is a portion of
the command output:
C3(su)->router#show ip ospf database
OSPF Router with ID(155.155.155.155)
Displaying Ipnet Sum Link States(Area 0.0.0.0)
LinkID          ADV Router        Age    Seq#
192.168.16.0    155.155.155.155   1751   0x80000036
LinkID
191.2.2.0
191.3.3.3
191.3.3.4
191.3.3.5
191.3.3.6
191.3.3.7
191.3.3.8
191.3.3.9
191.4.0.0
Checksum
0x9096
0x5bc6
0x51cf
0x47d8
0x3de1
0x33ea
0x29f3
0x1ffc
0x8e98
Checksum
0xb6f9
0x6e96
Checksum
0x59ab
0xc07c
0xb586
0xaa90
LinkID
0.0.0.0
8.1.1.0
8.1.2.0
Checksum
0x18a
Checksum
0x311d
0x3de1
0x32eb
8.1.3.0   3.3.3.3   1502   0x80000003   0x27f5
8.1.4.0   3.3.3.3   1512   0x80000003   0x1c00
Table 16-3 provides an explanation of the command output.
Table 16-3
Output
What It Displays...
Link ID
Link ID, which varies as a function of the link state record type, as follows:
Net Link States - Shows the interface IP address of the designated router to the
broadcast network.
Router Link States - Shows the ID of the router originating the record.
Summary Link States - Shows the summary network prefix.
ADV Router
Age
Seq#
Checksum
Field in the link state record used to verify the contents upon receipt by another
router.
LinkCount
Link count of router link state records. This number is equal to, or greater than, the
number of active OSPF interfaces on the originating router.
Syntax
show ip ospf interface [vlan vlan-id]
Parameters
vlan vlan-id
(Optional) Displays OSPF information for a specific VLAN. This VLAN
must be configured for IP routing as described in Pre-Routing
Configuration Tasks on page 14-1.
Defaults
If vlan-id is not specified, OSPF statistics will be displayed for all VLANs.
Mode
Any router mode.
Example
This example shows how to display all OSPF related information for the VLAN 6 interface:
C3(su)->router#show ip ospf interface vlan 6
Vlan 6
Internet Address 192.168.6.2 Mask 255.255.255.0 , Area 0.0.0.0
Router ID 3.3.3.3 , Cost: 10 (computed)
Transmit Delay is 1 sec , State designated-router , Priority 1
Designated Router id 3.3.3.3 , Interface Addr 192.168.6.2
Backup Designated Router id 2.2.2.2 ,
Timer intervals configured ,
Hello 10 , Dead 40 , Retransmit 5
Table 16-4 provides an explanation of the command output.
Table 16-4
Output
What It Displays...
Vlan
VLAN ID
Internet Address
Area
Area ID
Router ID
Cost
OSPF interface cost, which is either default, or assigned with the ip ospf cost
command. For details, refer to ip ospf cost on page 16-17.
Transmit Delay
The number (in seconds) added to the LSA (Link State Advertisement) age field.
State
The interface state (versus the state between neighbors). Valid values include
Backup Designated Router, Designated Router, and Err for error.
Priority
The interface priority value, which is either default, or assigned with the ip ospf
priority command. For details, refer to ip ospf priority on page 16-17.
Designated Router
id
The router ID of the designated router on this subnet, if one exists, in which case Err
will be displayed.
Interface Addr
Backup Designated
Router id
IP address of the backup designated router on this interface, if one exists, in which
case Err will be displayed.
Timer intervals
configured
OSPF timer intervals. These are either default, or configured with the ip ospf
retransmit-interval (ip ospf retransmit-interval on page 16-19), the ip ospf hello-interval
(ip ospf hello-interval on page 16-20), the ip ospf retransmit-delay (ip ospf transmit-delay
on page 16-19) and the ip ospf dead-interval (ip ospf dead-interval on page 16-21) commands.
Syntax
show ip ospf neighbor [detail] [ip-address] [vlan vlan-id]
Parameters
detail
(Optional) Displays detailed information about the neighbors, including the
area in which they are neighbors, who the designated router/backup
designated router is on the subnet, if applicable, and the decimal equivalent
of the E-bit value from the hello packet options field.
ip-address
(Optional) Displays OSPF neighbors for a specific IP address.
vlan vlan-id
(Optional) Displays OSPF neighbors for a specific VLAN. This VLAN must
be configured for IP routing as described in Pre-Routing Configuration
Tasks on page 14-1.
Defaults
If detail is not specified, summary information will be displayed.
If ip-address is not specified, OSPF neighbors will be displayed for all IP addresses configured for
routing.
If vlan-id is not specified, OSPF neighbors will be displayed for all VLANs configured for routing.
Mode
Any router mode.
Example
This example shows how to use the show ospf neighbor command:
C3(su)->router#show ip ospf neighbor
ID             Pri   State   Dead-Int   Address        Interface
182.127.62.1   1     FULL    40         182.127.63.1   vlan1
Table 16-5 provides an explanation of the command output.
Table 16-5
Output
What It Displays...
ID
Pri
State
Dead-Int
Interval (in seconds) this router will wait without receiving a Hello packet from a
neighbor before declaring the neighbor is down.
Address
Neighbor's IP address.
Interface
Syntax
show ip ospf virtual-links
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display OSPF virtual links information:
C3(su)->router#show ip ospf virtual-links
Neighbor ID 155.155.155.155
Transit area 0.0.0.8
Transmit delay is 1 sec State point-to-point
Timer intervals configured:
Hello 10, Dead 40, Retransmit 5
Adjacency State Full
Table 16-6 provides an explanation of the command output.
Table 16-6
Output
What It Displays...
Neighbor ID
ID of the virtual link neighbor, and the virtual link status, which is up or down.
Transit area
Transmit delay
State
Timer intervals
configured
Timer intervals configured for the virtual link, including Hello, Wait, and Retransmit
intervals.
Adjacency State
State of adjacency between this router and the virtual link neighbor of this router.
Syntax
clear ip ospf process process-id
Parameters
process-id
Specifies the process ID, an internally used identification number for each
instance of the OSPF routing process run on a router. Valid values are 1 to
65535.
Defaults
None.
Mode
Privileged EXEC: C3(su)->router#
Example
This example shows how to reset OSPF process 1:
C3(su)->router#clear ip ospf process 1
Configuring DVMRP
* Advanced License Required *
DVMRP is an advanced routing feature that must be enabled with a license key. If you have purchased an
advanced license key, and have enabled routing on the device, you must activate your license as described in
Activating Licensed Features on page 3-29 in order to enable the DVMRP command set. If you wish to
purchase an advanced routing license, contact Enterasys Networks Sales.
Purpose
To enable and configure the Distance Vector Multicast Routing Protocol (DVMRP) on an interface.
DVMRP routes multicast traffic using a technique known as Reverse Path Forwarding. When a
router receives a packet, it floods the packet out of all paths except the one that leads back to the
packet's source. Doing so allows a data stream to reach all VLANs (possibly multiple times). If a
router is attached to a set of VLANs that do not want to receive from a particular multicast group,
the router can send a prune message back up the distribution tree to stop subsequent packets
from traveling where there are no members. DVMRP will periodically reflood in order to reach
any new hosts that want to receive from a particular group.
Note: IGMP must be enabled on all VLANs running DVMRP, and must also be globally enabled
on the SecureStack C3 stack. For details on enabling IGMP, refer to Chapter 10.
Commands
The commands used to enable and configure DVMRP are listed below:
For information about...    Refer to page...
ip dvmrp                    16-37
ip dvmrp enable             16-37
ip dvmrp metric             16-38
show ip dvmrp               16-38
ip dvmrp
Use this command to enable the DVMRP process. The no form of this command disables the
DVMRP process:
Syntax
ip dvmrp
no ip dvmrp
Parameters
None.
Defaults
None.
Mode
Global configuration: C3(su)->router(Config)#
Example
This example shows how to enable the DVMRP process:
C3(su)->router(Config)#ip dvmrp
ip dvmrp enable
Use this command to enable DVMRP on an interface. The no form of this command disables
DVMRP on an interface:
Syntax
ip dvmrp enable
no ip dvmrp enable
Parameters
None.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable DVMRP on the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip dvmrp enable
ip dvmrp metric
Use this command to configure the metric associated with a set of destinations for DVMRP
reports.
Syntax
ip dvmrp metric metric
Parameters
metric
Specifies a metric associated with a set of destinations for DVMRP
reports. Valid values are from 1 to 31.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Usage
To reset the DVMRP metric back to the default value of 1, enter ip dvmrp metric 1.
Example
This example shows how to set a DVMRP metric of 16 on the VLAN 1 interface:
C3(su)->router(Config-if(Vlan 1))#ip dvmrp metric 16
show ip dvmrp
Use this command to display DVMRP routing information.
Syntax
show ip dvmrp [route | neighbor | status]
Parameters
route | neighbor | status
(Optional) Displays DVMRP routing information, neighbor information,
or DVMRP enable status.
Defaults
If no optional parameters are specified, status information will be displayed.
Mode
Any router mode.
Example
This example shows how to display DVMRP status information:
C3(su)->router#show ip dvmrp
Vlan Id
Metric
Admin Status
-----------------------10
Enabled
18
Enabled
20
Enabled
25
Enabled
32
Enabled
500
Enabled
Oper. Status
-----------Enabled
Enabled
Enabled
Enabled
Enabled
Disabled
Configuring IRDP
Purpose
To enable and configure the ICMP Router Discovery Protocol (IRDP) on an interface. This protocol
enables a host to determine the address of a router it can use as a default gateway. It is disabled by
default.
Commands
The commands used to enable and configure IRDP are listed below:
For information about...     Refer to page...
ip irdp enable               16-40
ip irdp maxadvertinterval    16-41
ip irdp minadvertinterval    16-41
ip irdp holdtime             16-42
ip irdp preference           16-42
ip irdp broadcast            16-43
show ip irdp                 16-44
ip irdp enable
Use this command to enable IRDP on an interface. The no form of this command disables IRDP on
an interface.
Syntax
ip irdp enable
no ip irdp enable
Parameters
None.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable IRDP on the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip irdp enable
ip irdp maxadvertinterval
Use this command to set the maximum interval in seconds between IRDP advertisements. The no
form of this command resets the maximum advertisement interval to the default value of 600
seconds.
Syntax
ip irdp maxadvertinterval interval
no irdp maxadvertinterval
Parameters
interval
Specifies a maximum advertisement interval in seconds. Valid values are
4 to 1800.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the maximum IRDP advertisement interval to 1000 seconds on the
VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip irdp maxadvertinterval 1000
ip irdp minadvertinterval
Use this command to set the minimum interval in seconds between IRDP advertisements. The no
form of this command deletes the custom holdtime setting, and resets the minimum
advertisement interval to the default value of three-fourths of the maxadvertinterval value, which
is equal to 450 seconds.
Syntax
ip irdp minadvertinterval interval
no irdp minadvertinterval
Parameters
interval
Specifies a minimum advertisement interval in seconds. Valid values are 3
to 1800.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the minimum IRDP advertisement interval to 500 seconds on the
VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip irdp minadvertinterval 500
ip irdp holdtime
Use this command to set the length of time in seconds IRDP advertisements are held valid. The no
form of this command resets the hold time to the default value of three times the
maxadvertinterval value, which is equal to 1800 seconds.
Syntax
ip irdp holdtime holdtime
no irdp holdtime
Parameters
holdtime
Specifies the hold time in seconds. Valid values are 0 to
9000.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the IRDP hold time to 4000 seconds on the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip irdp holdtime 4000
ip irdp preference
Use this command to set the IRDP preference value for an interface. This value is used by IRDP to
determine the interface's selection as a default gateway address. The no form of this command
resets the interface's IRDP preference value to the default of 0.
Syntax
ip irdp preference preference
no irdp preference
Parameters
preference
Specifies the value to indicate the interface's use as a default router
address. Valid values are -2147483648 to 2147483647.
The minimum value indicates that the address, even though it may be
advertised, is not to be used by neighboring hosts as a default router
address.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set IRDP preference on the VLAN 1 interface so that the interface's
address may still be advertised, but cannot be used by neighboring hosts as a default router
address:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip irdp preference -2147483648
ip irdp broadcast
Use this command to configure IRDP to use the limited broadcast address of 255.255.255.255. The
default is multicast with address 224.0.0.1. The no form of this command resets IRDP to use
multicast on IP address 224.0.0.1.
Syntax
ip irdp broadcast
no ip irdp broadcast
Parameters
None.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable broadcast for IRDP on the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip irdp broadcast
show ip irdp
Use this command to display IRDP information.
Syntax
show ip irdp [vlan vlan-id]
Parameters
vlan vlan-id
(Optional) Displays IRDP information for a specific VLAN. This VLAN
must be configured for IP routing as described in Pre-Routing
Configuration Tasks on page 14-1.
Defaults
If vlan vlan-id is not specified, IRDP information for all interfaces will be displayed.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to display IRDP information for the VLAN 1 interface:
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(vlan 1))#show ip irdp vlan 1
Interface vlan 1 has router discovery enabled
Advertisements will occur between 450 and 600 seconds
Advertisements are sent with broadcasts
Advertisements are valid for 1800 seconds
Default preference will be 0
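The following Python audit is an added example, not part of the Enterasys guide: it reads interface-mode IRDP commands in the form shown in this section, checks each value against the ranges documented above, and lists interfaces that advertise themselves as a usable default gateway. The min/max and holdtime/max relationship checks, and the scaling of unset defaults with the configured maxadvertinterval, follow RFC 1256 and are assumptions about this firmware; the sample configuration is constructed.

```python
import re

# Value ranges documented in this section for the IRDP commands.
RANGES = {
    "maxadvertinterval": (4, 1800),
    "minadvertinterval": (3, 1800),
    "holdtime": (0, 9000),
    "preference": (-2147483648, 2147483647),
}
DEFAULT_MAX = 600                # documented default maximum interval
NEVER_DEFAULT = -2147483648      # advertised, but not usable as a default router

IF_RE = re.compile(r"interface vlan (\d+)$")
IRDP_RE = re.compile(r"(no )?(?:ip )?irdp (\w+)(?: (-?\d+))?$")


def parse_irdp(config_text):
    """Return {vlan: {setting: value}} from interface-mode IRDP commands."""
    vlans, current = {}, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[-1].strip()   # drop the CLI prompt if present
        m = IF_RE.match(line)
        if m:
            current = vlans.setdefault(int(m.group(1)), {})
            continue
        m = IRDP_RE.match(line)
        if m and current is not None:
            negated, key, value = m.groups()
            if negated:
                current.pop(key, None)         # "no" form restores the default
            else:
                current[key] = int(value) if value is not None else True
    return vlans


def effective(settings):
    """Apply defaults: min = 3/4 of max, holdtime = 3 x max (assumed to scale)."""
    max_i = settings.get("maxadvertinterval", DEFAULT_MAX)
    return {
        "max": max_i,
        "min": settings.get("minadvertinterval", max_i * 3 // 4),
        "hold": settings.get("holdtime", 3 * max_i),
    }


def audit(config_text):
    """Return (vlan, finding) tuples, ordered by VLAN."""
    findings = []
    for vlan, s in sorted(parse_irdp(config_text).items()):
        for key, (lo, hi) in RANGES.items():
            if key in s and not lo <= s[key] <= hi:
                findings.append((vlan, f"{key} {s[key]} outside {lo}..{hi}"))
        if not s.get("enable"):
            continue                           # IRDP is disabled by default
        eff = effective(s)
        if eff["min"] > eff["max"]:
            findings.append((vlan, "minadvertinterval exceeds maxadvertinterval"))
        if eff["hold"] < eff["max"]:
            findings.append((vlan, "holdtime shorter than maxadvertinterval"))
        if s.get("preference") != NEVER_DEFAULT:
            findings.append((vlan, "IRDP enabled: hosts may adopt this "
                                   "interface as default gateway"))
    return findings


# Constructed sample configuration.
SAMPLE = """\
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip irdp enable
C3(su)->router(Config-if(Vlan 1))#ip irdp maxadvertinterval 1000
C3(su)->router(Config-if(Vlan 1))#ip irdp holdtime 4000
C3(su)->router(Config)#interface vlan 2
C3(su)->router(Config-if(Vlan 2))#ip irdp enable
C3(su)->router(Config-if(Vlan 2))#ip irdp minadvertinterval 500
C3(su)->router(Config-if(Vlan 2))#ip irdp maxadvertinterval 300
C3(su)->router(Config-if(Vlan 2))#ip irdp holdtime 200
C3(su)->router(Config-if(Vlan 2))#ip irdp preference -2147483648
C3(su)->router(Config)#interface vlan 3
C3(su)->router(Config-if(Vlan 3))#ip irdp maxadvertinterval 2000
"""

if __name__ == "__main__":
    for vlan, finding in audit(SAMPLE):
        print(f"vlan {vlan}: {finding}")
```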
Configuring VRRP
* Advanced License Required *
VRRP is an advanced routing feature that must be enabled with a license key. If you have purchased an
advanced license key, and have enabled routing on the device, you must activate your license as described in
Activating Licensed Features on page 3-29 in order to enable the VRRP command set. If you wish to
purchase an advanced routing license, contact Enterasys Networks Sales.
Purpose
To enable and configure the Virtual Router Redundancy Protocol (VRRP). This protocol eliminates
the single point of failure inherent in the static default routed environment by transferring the
responsibility from one router to another if the original router goes down. VRRP-enabled routers
decide who will become master and who will become backup in the event the master fails.
Commands
The commands used to enable and configure VRRP are listed below:
For information about...    Refer to page...
router vrrp                 16-46
create                      16-47
address                     16-48
priority                    16-49
advertise-interval          16-50
preempt                     16-51
enable                      16-52
show ip vrrp                16-53
router vrrp
Use this command to enable or disable VRRP configuration mode. The no form of this command
removes all VRRP configurations from the running configuration.
Syntax
router vrrp
no router vrrp
Parameters
None.
Defaults
None.
Mode
Global configuration: C3(su)->router(Config)#
Usage
You must execute the router vrrp command to enable the protocol before completing other
VRRP-specific configuration tasks. For details on enabling configuration modes, refer to Table 14-2
in Enabling Router Configuration Modes on page 14-3.
Example
This example shows how to enable VRRP configuration mode:
C3(su)->router#configure
C3(su)->router(Config)#router vrrp
C3(su)->router(Config-router)#
create
Use this command to create a VRRP session. Each SecureStack C3 system supports up to 20 VRRP
sessions. The no form of this command disables the VRRP session.
Syntax
create vlan vlan-id vrid
no create vlan vlan-id vrid
Parameters
vlan vlan-id
Specifies the number of the VLAN on which to create a VRRP session. This
VLAN must be configured for IP routing as described in Pre-Routing
Configuration Tasks on page 14-1.
vrid
Specifies a unique Virtual Router ID (VRID) to associate with the routing
interface.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
This command must be executed to create an instance of VRRP on a routing interface (VLAN)
before any other VRRP settings can be configured.
Example
This example shows how to create a VRRP session on the VLAN 1 interface with a VRID of 1:
C3(su)->router(Config)#router vrrp
C3(su)->router(Config-router)#create vlan 1 1
address
Use this command to configure a virtual router IP address. The no form of this command clears
the VRRP address configuration.
Syntax
address vlan vlan-id vrid ip-address owner
no address vlan vlan-id vrid ip-address owner
Parameters
vlan vlan-id
Specifies the number of the VLAN on which to configure a virtual router
address. This VLAN must be configured for IP routing as described in
Pre-Routing Configuration Tasks on page 14-1.
vrid
Specifies a unique Virtual Router ID (VRID) associated with the routing
interface.
ip-address
Specifies the virtual router IP address to associate with the router.
owner
Specifies a value to indicate if the router owns the IP address as one of its
interfaces. Valid values are:
1 to indicate the router owns the address.
0 to indicate the router does not own the address.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
If the virtual router IP address is the same as the interface (VLAN) address owned by a VRRP
router, then the router owning the address becomes the master. The master sends an
advertisement to all other VRRP routers declaring its status and assumes responsibility for
forwarding packets associated with its virtual router ID (VRID).
If the virtual router IP address is not owned by any of the VRRP routers, then the routers compare
their priorities and the higher priority owner becomes the master. If priority values are the same,
then the VRRP router with the higher IP address is selected master. For details on using the
priority command, refer to priority on page 16-49.
Example
This example shows how to configure a virtual router address of 182.127.62.1 on the VLAN 1
interface, VRID 1, and to set the router connected to the VLAN via this interface as the master:
C3(su)->router(Config)#router vrrp
C3(su)->router(Config-router)#address vlan 1 1 182.127.62.1 1
priority
Use this command to set a priority value for a VRRP router. The no form of this command clears
the VRRP priority configuration.
Syntax
priority vlan vlan-id vrid priority-value
no priority vlan vlan-id vrid priority-value
Parameters
vlan vlan-id
Specifies the number of the VLAN on which to configure VRRP priority.
This VLAN must be configured for IP routing as described in Pre-Routing
Configuration Tasks on page 14-1.
vrid
Specifies a unique Virtual Router ID (VRID) associated with the routing
interface. Valid values are from 1 to 255.
priority-value
Specifies the VRRP priority value to associate with the vrid. Valid values are
from 1 to 254, with the highest value setting the highest priority. Priority
value of 255 is reserved for the VRRP router that owns the IP address
associated with the virtual router. Priority 0 is reserved for signaling that the
master has stopped working and the backup router must transition to
master state.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Example
This example shows how to set a VRRP priority of 200 on the VLAN 1 interface, VRID 1:
C3(su)->router(Config)#router vrrp
C3(su)->router(Config-router)#priority vlan 1 1 200
advertise-interval
Use this command to set the interval in seconds between VRRP advertisements. The no form of
this command clears the VRRP advertise interval value.
Syntax
advertise-interval vlan vlan-id vrid interval
no advertise-interval vlan vlan-id vrid interval
Parameters
vlan vlan-id
Specifies the number of the VLAN on which to configure the VRRP
advertisement interval. This VLAN must be configured for IP routing as
described in Pre-Routing Configuration Tasks on page 14-1.
vrid
Specifies a unique Virtual Router ID (VRID) associated with the routing
interface. Valid values are from 1 to 255.
interval
Specifies a VRRP advertisement interval to associate with the vrid. Valid
values are from 1 to 255 seconds.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
VRRP advertisements are sent by the master router to other routers participating in the VRRP
master selection process, informing them of its configured values. Once the master is selected,
then advertisements are sent every advertising interval to let other VRRP routers in this VLAN/
VRID know the router is still acting as master of the VLAN/VRID.
All routers with the same VRID should be configured with the same advertisement interval.
Example
This example shows how to set an advertise interval of 3 seconds on the VLAN 1 interface, VRID 1:
C3(su)->router(Config)#router vrrp
C3(su)->router(Config-router)#advertise-interval vlan 1 1 3
preempt
Use this command to enable or disable preempt mode on a VRRP router. The no form of this
command disables preempt mode.
Syntax
preempt vlan-id vrid
no preempt vlan-id vrid
Parameters
vlan vlan-id
Specifies the number of the VLAN on which to set preempt mode. This
VLAN must be configured for IP routing as described in Pre-Routing
Configuration Tasks on page 14-1.
vrid
Specifies a unique Virtual Router ID (VRID) associated with the routing
interface. Valid values are from 1 to 255.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Usage
Preempt is enabled on VRRP routers by default, which allows a higher priority backup router to
preempt a lower priority master.
The router that owns the virtual router IP address always preempts other routers, regardless of
this setting.
Example
This example shows how to disable preempt mode on the VLAN 1 interface, VRID 1:
C3(su)->router(Config)#router vrrp
C3(su)->router(Config-router)#no preempt vlan 1 1
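The master selection and preempt rules described in the address, priority and preempt sections above can be modelled as follows. This Python model is an added example, not part of the Enterasys guide or its firmware: it also flags a router whose owner flag disagrees with its interface address, since an owner always wins mastership. Router names and all addresses other than 182.127.62.1 are constructed, and breaking priority ties on the interface address is an assumption about which "IP address" the guide means.

```python
import ipaddress
from dataclasses import dataclass

OWNER_PRIORITY = 255  # reserved for the router that owns the virtual router IP


@dataclass(frozen=True)
class VrrpRouter:
    name: str              # hypothetical label, not a CLI value
    interface_ip: str      # address of the routing interface (VLAN)
    priority: int          # priority-value of the priority command, 1..254
    owner: int = 0         # owner argument of the address command: 1 or 0
    preempt: bool = True   # preempt is enabled by default

    def __post_init__(self):
        if self.owner not in (0, 1):
            raise ValueError("owner must be 0 or 1")
        if not 1 <= self.priority <= 254:
            raise ValueError("configurable priority values are 1 to 254")

    @property
    def effective_priority(self):
        return OWNER_PRIORITY if self.owner else self.priority


def rank(router):
    """Sort key: priority first, then the higher IP address breaks ties."""
    return (router.effective_priority,
            int(ipaddress.IPv4Address(router.interface_ip)))


def elect_master(routers):
    """Initial election among routers sharing one VLAN/VRID."""
    return max(routers, key=rank)


def takes_over(candidate, master):
    """Would `candidate`, coming up as a backup, replace the running master?"""
    if candidate.owner:
        return True            # the owner always preempts, whatever the setting
    if not candidate.preempt:
        return False
    return candidate.effective_priority > master.effective_priority


def audit_group(virtual_ip, routers):
    """Flag owner declarations that do not match the interface addresses."""
    issues = []
    vip = ipaddress.IPv4Address(virtual_ip)
    if sum(r.owner for r in routers) > 1:
        issues.append("more than one router declares itself owner")
    for r in routers:
        really_owns = ipaddress.IPv4Address(r.interface_ip) == vip
        if bool(r.owner) != really_owns:
            issues.append(f"{r.name}: owner flag {r.owner} does not match "
                          f"interface address {r.interface_ip}")
    return issues


if __name__ == "__main__":
    # Constructed group for virtual router address 182.127.62.1.
    group = [
        VrrpRouter("A", "182.127.62.2", 200),
        VrrpRouter("B", "182.127.62.3", 200),
        VrrpRouter("C", "182.127.62.4", 100),
    ]
    print("master without an owner:", elect_master(group).name)
    rogue = VrrpRouter("X", "182.127.62.9", 50, owner=1)
    print("master with a misdeclared owner:", elect_master(group + [rogue]).name)
    print(audit_group("182.127.62.1", group + [rogue]))
```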
enable
Use this command to enable VRRP on an interface. The no form of this command disables VRRP
on an interface.
Syntax
enable vlan vlan-id vrid
no enable vlan vlan-id vrid
Parameters
vlan vlan-id
Specifies the number of the VLAN on which to enable VRRP. This VLAN
must be configured for IP routing as described in Pre-Routing
Configuration Tasks on page 14-1.
vrid
Specifies the Virtual Router ID (VRID) associated with the vlan-id. Valid
values are from 1 to 255.
Defaults
None.
Mode
Router configuration: C3(su)->router(Config-router)#
Example
This example shows how to enable VRRP on the VLAN 1 interface, VRID 1:
C3(su)->router(Config)#router vrrp
C3(su)->router(Config-router)#enable vlan 1 1
show ip vrrp
Use this command to display VRRP routing information.
Syntax
show ip vrrp
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display VRRP information:
C3(su)->router(Config)#show ip vrrp
-----------VRRP CONFIGURATION----------
Vlan   Vrid   State        Owner   AssocIpAddr   Priority
2      1      Initialize   0       25.25.2.1     100
Configuring PIM-SM
* Advanced License Required *
PIM is an advanced routing feature that must be enabled with a license key. If you have purchased an
advanced license key, and have enabled routing on the device, you must activate your license as described in
Activating Licensed Features on page 3-29 in order to enable the PIM command set. If you wish to purchase
an advanced routing license, contact Enterasys Networks Sales.
Purpose
To enable and configure Protocol Independent Multicast in Sparse Mode (PIM-SM). This protocol
provides the means of dynamically learning how to forward multicast traffic in an environment
where group members are sparsely located throughout the network and bandwidth is limited. In
situations where members are densely located and bandwidth is plentiful, DVMRP would suffice
(see Configuring DVMRP on page 16-36).
PIM-SM determines the network topology using the underlying unicast routing protocol to build
a Multicast Routing Information Base (MRIB).
Note: IGMP must be enabled on all VLANs running PIM-SM, and must also be globally enabled
on the SecureStack C3 stack. For details on enabling IGMP, refer to Chapter 10.
Commands
The commands used to enable and configure PIM-SM are listed below:
For information about...
Refer to page...
16-55
ip pimsm staticrp
16-55
16-56
ip pimsm query-interval
16-57
Display commands
show ip pimsm
16-57
16-58
16-59
16-61
show ip pimsm rp
16-62
16-63
16-63
ip pimsm
This command sets the administrative mode of PIM-SM multicast routing across the router to
enabled. IGMP must be enabled before PIM-SM can be enabled. By default, both IGMP and PIM
are globally disabled. The no form of this command disables PIM across the entire stack.
Syntax
ip pimsm
no ip pimsm
Parameters
None.
Defaults
None.
Mode
Global router configuration: C3(su)->router(Config)#
Example
This example shows how to globally enable and disable PIM:
C3(su)->router(Config)# ip pimsm
C3(su)->router(Config)# no ip pimsm
ip pimsm staticrp
This command is used to create a manual Rendezvous Point IP address for the PIM-SM router.
The no form of this command removes a previously configured RP.
Syntax
ip pimsm staticrp ipaddress groupadress groupmask
no ip pimsm staticrp ipaddress groupadress groupmask
Parameters
ipaddress
The IP address of the Rendezvous Point
groupadress
The group address supported by the Rendezvous Point
groupmask
The group mask for the group address
Defaults
None.
Mode
Global Router configuration: C3(su)->router(Config)#
Example
This example shows how to set an RP for a specific multicast group.
C3(su)->router(Config)#
ip pimsm enable
This command sets the administrative mode of PIM-SM multicast routing on a routing interface to
enabled. By default, PIM is disabled on all IP interfaces. The no form of this command disables
PIM on the specific interface.
Syntax
ip pimsm enable
no ip pimsm enable
Parameters
None.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to enable PIM on the IP interface for VLAN 1.
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip pimsm enable
ip pimsm query-interval
This command configures the transmission frequency of hello messages in seconds between
PIM-enabled neighbors. The no form of this command resets the hello interval to the default, 30
seconds.
Syntax
ip pimsm query-interval seconds
no ip pimsm query-interval
Parameters
seconds
This field has a range of 10 to 3600 seconds. Default is 30.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan 1))#
Example
This example shows how to set the hello interval rate to 100 seconds.
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip pimsm query-interval 100
show ip pimsm
Use this command to display system-wide PIM-SM routing information.
Syntax
show ip pimsm
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display PIM information.
C3(su)->router# show ip pimsm
Admin Mode Enable
Join/Prune Interval (secs) 60
Protocol State
---------------Non-Operational
Operational
Operational
Operational
Operational
Non-Operational
Non-Operational
Non-Operational
Table 16-7 provides an explanation of the command output.
Table 16-7
Output
What it displays
Admin Mode
Join/Prune Interval
(secs)
This field shows the interval at which periodic PIM-SM Join/Prune messages are to
be sent.
VlanId
Interface Mode
This field indicates whether PIM-SM is enabled or disabled on the interface. This is a
configured value.
Protocol State
This field indicates the current state of the PIM-SM protocol on the interface.
Possible values are Operational or Non-Operational.
Syntax
show ip pimsm componenttable
Parameters
None.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display PIM router information:
C3(su)->router> show ip pimsm componenttable
COMPONENT TABLE
Component   Component       Component         Component
Index       BSR Address     BSR Expiry Time   CRP Hold Time
                            (hh:mm:ss)        (hh:mm:ss)
---------   -------------   ---------------   -------------
1           192.168.30.2    00:02:10          00:00:00
Table 16-8 provides an explanation of the command output.
Table 16-8
Output
What it displays
Component Index
Component BSR
Address
This field displays the IP address of the bootstrap router (BSR) for the local PIM
region.
Component BSR
Expiry Time
This field displays the minimum time remaining before the BSR in the local domain
will be declared down.
Component CRP
Hold Time
This field displays the hold time of the component when it is a candidate rendezvous
point.
Syntax
show ip pimsm interface {vlan vlan-id | stats {vlan-id | all}}
Parameters
vlan vlan-id
Display PIM-SM information for the specified IP interface enabled for PIM.
stats
Display PIM-SM interface statistics.
vlan-id | all
Display statistics for a specific VLAN or all VLANs.
Defaults
None.
Mode
Any router mode.
Examples
This example shows how to display PIM interface information.
C3(su)->router> show ip pimsm interface vlan 30
VLAN ID                   30
IP Address                192.168.30.1
Subnet Mask               255.255.255.0
Mode                      enable
Hello Interval (secs)     30 secs
CBSR Preference           -1
CRP Preference            -1
CBSR Hash Mask Length     30
Table 16-9 provides an explanation of the show ip pimsm interface vlan command output.
Table 16-9
Output
What it displays
IP Address
Subnet Mask
Mode
Hello Interval
Indicates the frequency at which PIM hello messages are transmitted on this interface. This is a configured value. By default, the value is 30 seconds.
CBSR Preference
The preference value for the local interface as a candidate bootstrap router.
CRP Preference
This example shows how to display PIM interface statistics.
C3(su)->router> show ip pimsm interface stats all
                                                               Neighbor
Vlan ID    IP Address        Subnet Mask       Designated Router   count
--------   ---------------   ---------------   -----------------   ----------
6          192.168.6.2       255.255.255.0     0.0.0.0             0
7          192.168.7.1       255.255.255.0     192.168.7.1         0
8          192.168.8.1       255.255.255.0     0.0.0.0             0
30         192.168.30.1      255.255.255.0     192.168.30.2        1
Table 16-10 provides an explanation of the show ip pimsm interface stats command output.
Table 16-10
Output
What it displays
IP Address
Subnet Mask
Designated Router
Neighbor Count
Syntax
show ip pimsm neighbor [vlan-id]
Parameters
vlan-id
(Optional) Display all neighbors discovered on a specific interface.
Mode
Any router mode.
Defaults
If the VLAN id is omitted, all neighbors of all interfaces will be displayed.
Example
This example shows how to display PIM information:
C3(su)->router> show ip pimsm neighbor
                  NEIGHBOR TABLE
Vlan ID    IP Address         Up Time      Expiry Time
                              (hh:mm:ss)   (hh:mm:ss)
--------   ----------------   ----------   -----------
30         192.168.30.2       01:36:41     00:01:25
6          192.168.6.1        01:36:41     00:01:25
Table 16-11 provides an explanation of the command output.
Table 16-11
Output
What it displays
Vlan ID
IP Address
Up Time
The time since this neighbor has become active on this interface.
Expiry Time
show ip pimsm rp
This command displays the PIM information for candidate Rendezvous Points (RPs) for all IP multicast groups or for a specific group address. The information in the table is displayed for each IP multicast group.
Syntax
show ip pimsm rp {group-address group-mask | all | candidate}
Parameters
group-address
The multicast group IP address.
group-mask
The multicast group address subnet mask.
all
For all known group addresses.
candidate
Display PIM-SM candidate RP table information.
Defaults
None.
Mode
Any router mode.
Examples
This example shows how to display the RP set for a specific group address.
C3(su)->router> show ip pimsm rp 224.0.0.0 240.0.0.0
RP SET TABLE
Group Address   Group Mask   Address
Table 16-12 provides an explanation of the command output.
Table 16-12
Output
What it displays
Group Address
Group Mask
Address
Hold Time
Expiry Time
Component
C-RP Priority
This example shows how to display the candidate RPs for each group address.
Syntax
show ip pimsm rphash group-address
Parameters
group-address
The Group Address for the RP.
Defaults
None.
Mode
Any router mode.
Example
This example shows how to display the RP that will be selected for group address 224.0.0.0:
C3(su)->router> show ip pimsm rphash 224.0.0.0
192.168.129.223
Syntax
show ip pimsm staticrp
Parameters
None.
Mode
Any router mode.
Defaults
None.
Example
This example shows how to display PIM information.
C3(su)->router# show ip pimsm staticrp
              STATIC RP TABLE
Address           Group Address     Group Mask
---------------   ---------------   ---------------
123.231.111.121   234.0.0.0         255.0.0.0
192.168.129.223   224.0.0.0         240.0.0.0
Table 16-13 provides an explanation of the command output.
Table 16-13
Output
What it displays
Address
Group Address
Group Mask
17
IPv6 Management
This chapter describes the switch mode set of commands used to manage IPv6.
Purpose
To enable or disable the IPv6 management function, to configure and display the IPv6 host address and IPv6 gateway for the switch, and to display IPv6 status information.
Commands
Syntax
show ipv6 status
Parameters
None.
Defaults
None.
Mode
Switch mode, read-only.
Example
This example shows how to display IPv6 management function status.
C3(ro)->show ipv6 status
IPv6 Administrative Mode: Disabled
set ipv6
Use this command to globally enable or disable the IPv6 management function.
Syntax
set ipv6 {enable|disable}
Parameters
enable | disable
Enable or disable the IPv6 management function.
Defaults
By default, IPv6 management is disabled.
Mode
Switch mode, read-write.
Usage
When you enable IPv6 management on the switch, the system automatically generates a link-local host address for the switch from the host MAC address. You can set a different host IPv6 address with the set ipv6 address command.
Example
This example shows how to enable IPv6 management.
C3(su)-> set ipv6 enable
C3(su)->show ipv6 status
Syntax
set ipv6 address ipv6-addr/prefix-length [eui64]
Parameters
ipv6-addr
The IPv6 address or prefix to be configured. This parameter must be in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons.
prefix-length
The length of the IPv6 prefix for this address. The value of prefix-length is a decimal number indicating the number of high-order contiguous bits of the address that comprise the network portion of the address.
eui64
(Optional) Formulate the IPv6 address using an EUI-64 ID in the lower order 64 bits of the address.
Defaults
No global unicast IPv6 address is defined by default.
Mode
Switch mode, read-write.
Usage
Use this command to manually configure a global unicast IPv6 address for IPv6 management. You can specify the address completely, or you can use the optional eui64 parameter to allow the switch to generate the lower order 64 bits of the address.
When using the eui64 parameter, you specify only the network prefix and length.
Examples
This example shows how to completely specify an IPv6 address by entering all 128 bits and the prefix:
C3(su)->set ipv6 address 2001:0db8:1234:5555::9876:2/64
C3(su)->show ipv6 address
Name       IPv6 Address
---------- ----------------------------------------
host       FE80::201:F4FF:FE5C:2880/64
host       2001:DB8:1234:5555::9876:2/64
This example shows how to use the eui64 parameter to configure the lower order 64 bits:
C3(su)->set ipv6 address 2001:0db8:1234:5555::/64 eui64
Syntax
show ipv6 address
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
This command displays the IPv6 addresses configured automatically and with the set ipv6 address and set ipv6 gateway commands.
Example
This example displays three IPv6 management addresses configured for the switch.
C3(su)->show ipv6 address
Name       IPv6 Address
---------- ----------------------------------------
host       FE80::201:F4FF:FE5C:2880/64
host       2001:DB8:1234:5555:201:F4FF:FE5C:2880/64
gateway    FE80::201:F4FF:FE5D:1234
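The relationship between the host MAC address and the addresses shown above, as an added example that is not part of the Enterasys guide: it builds the modified EUI-64 interface ID defined in RFC 4291 and recovers the MAC embedded in such an address, which is why an EUI-64 management address reveals the switch's hardware address to anyone who sees it. The MAC 00:01:f4:5c:28:80 is inferred by reversing the guide's sample address, and all function names are illustrative.

```python
import ipaddress

# Constructed input: the address rows from the guide's sample outputs.
SHOW_IPV6_ADDRESS = """\
host     FE80::201:F4FF:FE5C:2880/64
host     2001:DB8:1234:5555:201:F4FF:FE5C:2880/64
host     2001:DB8:1234:5555::9876:2/64
gateway  FE80::201:F4FF:FE5D:1234
"""


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Invert the universal/local bit and insert FF:FE between OUI and NIC part.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the interface ID derived from the MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing requires a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_address(addr: str):
    """Return the MAC embedded in an EUI-64 style address, or None."""
    host = addr.split("/")[0]
    iid = (int(ipaddress.IPv6Address(host)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # manually assigned or otherwise non-EUI-64 interface ID
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def embedded_macs(output: str) -> dict:
    """Map each address in 'show ipv6 address' rows to the MAC it discloses."""
    found = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue  # header, separator or blank line
        mac = mac_from_address(fields[1])
        if mac is not None:
            found[fields[1]] = mac
    return found


if __name__ == "__main__":
    mac = "00:01:f4:5c:28:80"  # assumption: inferred from the sample address
    print(eui64_address("fe80::/64", mac))
    print(eui64_address("2001:0db8:1234:5555::/64", mac))
    for address, hw in embedded_macs(SHOW_IPV6_ADDRESS).items():
        print(f"{address} embeds MAC {hw}")
```

The manually specified address 2001:DB8:1234:5555::9876:2 is the only row that does not carry a MAC, which is the practical difference between the two forms of set ipv6 address.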
Syntax
clear ipv6 [address {all|ipv6-addr/prefix-length}]
Parameters
ipv6-addr
The IPv6 address to be cleared. This parameter must be in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons.
prefix-length
The length of the IPv6 prefix for this address. The value of prefix-length is a decimal number indicating the number of high-order contiguous bits of the address that comprise the network portion of the address.
all
Deletes all IPv6 global addresses.
Defaults
If address is not entered, all manually configured global IPv6 addresses are cleared.
Mode
Switch mode, read-write.
Usage
This command clears addresses manually configured with the set ipv6 address command. Use the clear ipv6 gateway command to clear the IPv6 gateway address.
Example
This example illustrates that this command clears only those IPv6 addresses configured with the set ipv6 address command. The link-local address for the host interface and the gateway address are not removed with this command.
C3(su)->show ipv6 address
Name       IPv6 Address
---------- ----------------------------------------
host       FE80::201:F4FF:FE5C:2880/64
host       2001:DB8:1234:5555:201:F4FF:FE5C:2880/64
host       2001:DB8:1234:5555::9876:2/64
gateway    FE80::201:F4FF:FE5D:1234
C3(su)->clear ipv6 address all
C3(su)->show ipv6 address
Name       IPv6 Address
---------- ----------------------------------------
host       FE80::201:F4FF:FE5C:2880/64
gateway    FE80::201:F4FF:FE5D:1234
Syntax
set ipv6 gateway ipv6-addr
Parameters
ipv6-addr
The IPv6 address to be configured. The address can be a global unicast or link-local IPv6 address, in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons.
Defaults
None.
Mode
Switch mode, read-write.
Usage
This command configures the IPv6 gateway address. Only one IPv6 gateway address can be configured for the switch, so executing this command when a gateway address has already been configured will overwrite the previously configured address.
Use the show ipv6 address command to display a configured IPv6 gateway address.
Example
This example shows how to configure an IPv6 gateway address using a link-local address.
C3(su)->set ipv6 gateway fe80::201:f4ff:fe5d:1234
C3(su)->show ipv6 address
Name       IPv6 Address
---------- ----------------------------------------
host       FE80::201:F4FF:FE5C:2880/64
gateway    FE80::201:F4FF:FE5D:1234
Syntax
clear ipv6 gateway
Parameters
None.
Defaults
None.
Mode
Switch mode, read-write.
Example
This example shows how to remove a configured IPv6 gateway address.
C3(su)->show ipv6 address
Name       IPv6 Address
---------- ----------------------------------------
host       FE80::201:F4FF:FE5C:2880/64
gateway    FE80::201:F4FF:FE5D:1234
C3(su)->clear ipv6 gateway
C3(su)->show ipv6 address
Name       IPv6 Address
---------- ----------------------------------------
host       FE80::201:F4FF:FE5C:2880/64
Syntax
show ipv6 neighbors
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows example output of this command.
Syntax
show ipv6 netstat
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows the output of this command.
C3(su)->show ipv6 netstat
Prot Local Address                     Foreign Address                  State
---- --------------------------------  -------------------------------  -----------
TCP  3333::211:88FF:FE59:4424.22       2020::D480:1384:F58C:B114.1049   ESTABLISHED
TCP  3333::211:88FF:FE59:4424.443      2020::D480:1384:F58C:B114.1056   TIME_WAIT
TCP  ::.23                             ::.*                             LISTEN
TCP  3333::211:88FF:FE59:4424.22       2020::D480:1384:F58C:B114.1050   ESTABLISHED
TCP  3333::211:88FF:FE59:4424.22       3333::2117:F1C0:90B:910D.1045    ESTABLISHED
TCP  ::.80                             ::.*                             LISTEN
TCP  ::.22                             ::.*                             LISTEN
TCP  3333::211:88FF:FE59:4424.80       2020::D480:1384:F58C:B114.1053   ESTABLISHED
TCP  3333::211:88FF:FE59:4424.80       2020::D480:1384:F58C:B114.1054   ESTABLISHED
TCP  ::.443                            ::.*                             LISTEN
TCP  3333::211:88FF:FE59:4424.22       2020::D480:1384:F58C:B114.1048   ESTABLISHED
TCP  3333::211:88FF:FE59:4424.443      2020::D480:1384:F58C:B114.1055   TIME_WAIT
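One way to review this output for management-plane exposure, as an added example that is not part of the Enterasys guide: it parses the address.port notation used by show ipv6 netstat and reports listeners and established sessions on cleartext management ports. The rows are the guide's sample output with the columns realigned; the port-to-service mapping uses the well-known port assignments and the function names are illustrative.

```python
import ipaddress
from collections import Counter

# Rows from the guide's sample output, columns realigned.
SHOW_IPV6_NETSTAT = """\
Prot Local Address Foreign Address State
TCP 3333::211:88FF:FE59:4424.22 2020::D480:1384:F58C:B114.1049 ESTABLISHED
TCP 3333::211:88FF:FE59:4424.443 2020::D480:1384:F58C:B114.1056 TIME_WAIT
TCP ::.23 ::.* LISTEN
TCP 3333::211:88FF:FE59:4424.22 2020::D480:1384:F58C:B114.1050 ESTABLISHED
TCP 3333::211:88FF:FE59:4424.22 3333::2117:F1C0:90B:910D.1045 ESTABLISHED
TCP ::.80 ::.* LISTEN
TCP ::.22 ::.* LISTEN
TCP 3333::211:88FF:FE59:4424.80 2020::D480:1384:F58C:B114.1053 ESTABLISHED
TCP 3333::211:88FF:FE59:4424.80 2020::D480:1384:F58C:B114.1054 ESTABLISHED
TCP ::.443 ::.* LISTEN
TCP 3333::211:88FF:FE59:4424.22 2020::D480:1384:F58C:B114.1048 ESTABLISHED
TCP 3333::211:88FF:FE59:4424.443 2020::D480:1384:F58C:B114.1055 TIME_WAIT
"""

# Assumption: well-known port assignments; the guide does not label services.
CLEARTEXT_PORTS = {23: "telnet", 80: "http"}


def split_endpoint(endpoint):
    """'3333::1.22' -> (IPv6Address, 22); '::.*' -> (IPv6Address('::'), None)."""
    addr, sep, port = endpoint.rpartition(".")
    if not sep:
        raise ValueError(f"no port separator in {endpoint!r}")
    return ipaddress.IPv6Address(addr), (None if port == "*" else int(port))


def parse_netstat(output):
    """Turn 'show ipv6 netstat' rows into dictionaries, skipping headers."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header, separator or blank line
        local_addr, local_port = split_endpoint(fields[1])
        peer_addr, peer_port = split_endpoint(fields[2])
        rows.append({"proto": fields[0], "local_addr": local_addr,
                     "local_port": local_port, "peer_addr": peer_addr,
                     "peer_port": peer_port, "state": fields[3]})
    return rows


def cleartext_listeners(rows):
    """Sorted (port, service) pairs the switch is listening on in cleartext."""
    return sorted({(r["local_port"], CLEARTEXT_PORTS[r["local_port"]])
                   for r in rows
                   if r["state"] == "LISTEN" and r["local_port"] in CLEARTEXT_PORTS})


def cleartext_sessions(rows):
    """Count ESTABLISHED cleartext management sessions per (peer, service)."""
    counts = Counter()
    for r in rows:
        if r["state"] == "ESTABLISHED" and r["local_port"] in CLEARTEXT_PORTS:
            counts[(str(r["peer_addr"]), CLEARTEXT_PORTS[r["local_port"]])] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_netstat(SHOW_IPV6_NETSTAT)
    for port, service in cleartext_listeners(parsed):
        print(f"cleartext listener: {service} on port {port}")
    for (peer, service), n in cleartext_sessions(parsed).items():
        print(f"{n} established {service} session(s) from {peer}")
```

On the sample output this reports Telnet and HTTP listeners alongside SSH and HTTPS, plus two live HTTP sessions from one management station.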
ping ipv6
Use this command to test routing network connectivity by sending IP ping requests.
Syntax
ping ipv6-addr [size num]
Parameters
ipv6-addr
Specifies the IPv6 address of the system to ping. Enter the address in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons.
size num
(Optional) Specifies the size of the datagram packet. The value of num can range from 48 to 2048 bytes.
Defaults
None.
Mode
Switch mode, read-write.
Usage
This command is also available in router mode.
Examples
This example shows output from a successful ping to IPv6 address 2001:0db8:1234:5555::1234:1.
C3(su)->ping ipv6 2001:0db8:1234:5555::1234:1
2001:DB8:1234:5555::1234:1 is alive
This example shows output from an unsuccessful ping to IPv6 address 2001:0db8:1234:5555::1234:1.
C3(su)->ping ipv6 2001:0db8:1234:5555::1234:1
no answer from 2001:DB8:1234:5555::1234:1
traceroute ipv6
Use this command to discover the routes that packets actually take when traveling to their destination through the network on a hop-by-hop basis.
Syntax
traceroute ipv6 ipv6-addr [port]
Parameters
ipv6-addr
Specifies a host to which the route of an IPv6 packet will be traced. Enter the address in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons.
port
(Optional) Specifies the UDP port used as the destination of packets sent as part of the traceroute. This port should be an unused port on the destination system. The value of port can range from 0 to 65535. Default value is 33434.
Defaults
None.
Mode
Switch mode, read-write.
Usage
This command is also available in router mode.
Example
This example shows how to use traceroute to display a round trip path to host 2001:0db8:1234:5555::1.
C3(su)->router#traceroute ipv6 2001:0db8:1234:5555::1
Traceroute to 2001:0db8:1234:5555::1, 30 hops max, 40 byte packets
 1 2001:0db8:1234:5555::1    1.000000e+00 ms 1.000000e+00 ms 1.000000e+00 ms
18
IPv6 Configuration
* IPv6 Routing License Required *
IPv6 routing must be enabled with a license key. If you have purchased an IPv6 routing license key, and have
enabled routing on the device, you must activate your license as described in Activating Licensed Features
on page 3-29 in order to enable the IPv6 routing configuration command set. If you wish to purchase an IPv6
routing license, contact Enterasys Networks Sales.
The commands in this chapter perform configuration of IPv6 parameters on the SecureStack C3. For information about specific IPv6 routing protocols, such as OSPFv3, refer to the appropriate chapters. For information about managing IPv6 functionality at the switch level, refer to Chapter 17, IPv6 Management.
Overview
IPv6 and IPv4 coexist on the SecureStack C3. As with IPv4, IPv6 routing can be enabled on VLAN interfaces. Each Layer 3 routing interface can be used for IPv4, IPv6, or both.
The SecureStack C3 supports all IPv6 address formats, including global unicast addresses, link-local unicast, global multicast, scoped multicast (including local scoped multicast), IPv4-compatible addresses, unspecified addresses, loopback addresses, and anycast addresses.
Refer to the following RFCs for more information about IPv6 address formats:
RFC 4291, IP Version 6 Addressing Architecture
RFC 3587, IPv6 Global Unicast Address Format
RFC 4007, IPv6 Scoped Address Architecture
The basic IPv6 protocol specifies PDU options of two classes, both of which are supported: hop-by-hop options and destination options. While new options can be defined in the future, the following are currently supported: routing (for source routing), fragment, router alert and pad.
Jumbograms are not supported. In IPv6, only source nodes fragment. Path MTU discovery is therefore a requirement. Flow labels are ignored.
Neighbor Discovery is the IPv6 replacement for ARP. The SecureStack C3 supports neighbor advertise and solicit, duplicate address detection, and unreachability detection. Router Advertisement is part of the Neighbor Discovery process and is required for IPv6. Stateless autoconfiguration is part of Router Advertisement and the SecureStack C3 can support both stateless and stateful autoconfiguration of end nodes. The SecureStack C3 supports both EUI-64 interface identifiers and manually configured interface IDs.
Refer to the following RFCs for more information about Neighbor Discovery and stateless address autoconfiguration:
RFC 2461, Neighbor Discovery for IP Version 6
RFC 2462, IPv6 Stateless Address Autoconfiguration
For ICMPv6, error PDU generation is supported, as are path MTU, echo, and redirect.
Router Advertisement is an integral part of IPv6 and is supported. Numerous options are available including stateless/stateful address configuration, router and address lifetimes, and Neighbor Discovery timer control. Ping and traceroute applications for IPv6 are provided.
Management of IPv6 features is provided by means of CLI commands and SNMP. See Chapter 17, IPv6 Management for descriptions of the CLI commands.
Default Conditions
The following table lists the default IPv6 conditions.
Condition                      Default Value
IPv6 forwarding                Enabled
IPv6 unicast-routing           Disabled
IPv6 enable                    Disabled
IPv6 mtu                       1500
IPv6 nd managed-config-flag    False
IPv6 nd ns-interval
IPv6 nd other-config-flag      False
IPv6 nd ra-interval            600
IPv6 nd ra-lifetime            1800
IPv6 nd reachable-time
IPv6 nd suppress-ra            Disabled
IPv6 nd prefix                 Valid-lifetime 604800
                               Preferred-lifetime 2592000
                               Autoconfig enabled
                               On-link enabled
ipv6 forwarding
This command enables or disables IPv6 forwarding on the router.
Syntax
ipv6 forwarding
no ipv6 forwarding
Parameters
None.
Defaults
IPv6 forwarding is enabled.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
The no form of this command disables IPv6 forwarding on the router.
Example
This example disables IPv6 forwarding.
C3(su)->router(Config)# no ipv6 forwarding
ipv6 hop-limit
This command sets the maximum number of IPv6 hops used in IPv6 packets and router advertisements generated by this device.
Syntax
ipv6 hop-limit hops
no ipv6 hop-limit
Parameters
hops
Specifies the maximum number of IPv6 hops used in IPv6 packets and router advertisements generated by this device. Value can range from 1 to 255. The default value is 64.
Defaults
64.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
This command sets the value of the hop limit field in IPv6 packets originated by this device. This value is also placed in the Cur Hop Limit field of router advertisements generated by this router.
Use the no form of this command to reset the limit to the default value.
Example
This example sets the hop limit to 50.
C3(su)->router(Config)# ipv6 hop-limit 50
ipv6 route
This command configures static IPv6 routes.
Syntax
ipv6 route ipv6-prefix/prefix-length {next-hop-globaladdr [pref]| interface slot/port next-hop-lladdr [pref]}
no ipv6 route ipv6-prefix/prefix-length [{next-hop-globaladdr [pref]| interface slot/port next-hop-lladdr [pref]}]
Parameters
ipv6-prefix/prefix-length
The IPv6 network prefix that is the destination of the static route, and the prefix length.
The prefix must be in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons.
The prefix length is a decimal number indicating the number of high-order contiguous bits of the address that comprise the network portion of the address.
next-hop-globaladdr
The IPv6 global address of the next hop that can be used to reach the specified network. This address cannot be a link-local address.
interface slot/port
Used to identify direct static routes from point-to-point and broadcast interfaces, and must be specified when using a link-local address as the next hop.
next-hop-lladdr
Link-local address of the interface.
pref
(Optional) Specifies the preference value the router uses to compare this route with routes from other route sources that have the same destination.
The value of pref can range from 1 to 255. The default value is 1, which gives static routes precedence over any other type of route except connected routes.
A route with a preference of 255 cannot be used to forward traffic.
Defaults
Default preference or administrative distance is 1.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
Use the no form of this command to remove a static route. If you do not specify a next hop address with the no form, all static routes to the specified destination will be removed.
Example
This command creates a static IPv6 route to network 2001:0DB8:2222:4455::/64 by way of interface VLAN 6 and gives it a preference of 5.
C3(su)->router(Config)# ipv6 route 2001:0DB8:2222:4455::/64 interface vlan 6 fe80::1234:5678:2dd:1 5
Syntax
ipv6 route distance pref
no ipv6 route distance
Parameters
pref
A distance value used when no distance is specified when a static route is configured.
The value can range from 1 to 255. Lower route distance values are preferred when determining the best route.
Defaults
Default preference or administrative distance is 1.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
The default distance is used when no distance is specified in the ipv6 route command. Changing the default distance does not update the distance of existing static routes, even if they were assigned the original default distance. The new default distance will only be applied to static routes created after invoking the ipv6 route distance command.
Use the no form of this command to return the default distance to 1.
Example
This command sets the default distance value to 3.
C3(su)->router(Config)# ipv6 route distance 3
ipv6 unicast-routing
This command enables/disables forwarding of IPv6 unicast datagrams.
Syntax
ipv6 unicast-routing
no ipv6 unicast-routing
Parameters
None.
Defaults
Disabled.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
Use this command to enable forwarding of IPv6 unicast datagrams on the SecureStack C3. Use the no form of the command to disable forwarding of IPv6 unicast datagrams.
Example
This command enables forwarding of IPv6 unicast datagrams on the router.
C3(su)->router(Config)# ipv6 unicast-routing
ping ipv6
Use this command to test routing network connectivity by sending IP ping requests.
Syntax
ping ipv6 ipv6-addr [size num]
Parameters
ipv6-addr
Specifies the global IPv6 address of the system to ping. Enter the address in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons.
size num
(Optional) Specifies the size of the datagram packet. The value of num can range from 48 to 2048 bytes.
Defaults
None.
Mode
Router privileged exec: C3(su)->router#
Router user exec: C3(su)->router>
Usage
Use this command to determine whether another computer is on the network. To use this command, configure the switch for network (in-band) connection. The source and target devices must have the ping utility enabled and running on top of TCP/IP.
The switch can be pinged from any IP workstation with which the switch is connected through the default VLAN (VLAN 1), as long as there is a physical path between the switch and the workstation. The terminal interface sends three pings to the target station.
Examples
This example shows output from a successful ping to IPv6 address 2001:0db8:1234:5555::1234:1.
C3(su)->router#ping ipv6 2001:0db8:1234:5555::1234:1
Send count=3, Receive count=3 from 2001:DB8:1234:5555::1234:1
Average round trip time = 1.00 ms
This example shows output from an unsuccessful ping to IPv6 address 2001:0db8:1234:5555::1234:1.
C3(su)->ping ipv6 2001:0db8:1234:5555::1234:1
no answer from 2001:DB8:1234:5555::1234:1
Syntax
ping ipv6 interface {vlan vlan-id | tunnel tunnel-id | loopback loop-id}
{link-local-address ipv6-lladdr | ipv6-addr} [size num]
Parameters
vlan vlan-id
Specifies a VLAN interface as the source.
tunnel tunnel-id
Specifies a tunnel interface as the source.
loopback loop-id
Specifies a loopback interface as the source.
link-local-address ipv6-lladdr
Specifies a link-local IPv6 address to ping.
ipv6-addr
Specifies the global IPv6 address of the system to ping. Enter the address in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons.
size num
(Optional) Specifies the size of the datagram packet. The value of num can range from 48 to 2048 bytes.
Defaults
None.
Mode
Router privileged exec: C3(su)->router#
Usage
Use this command to ping an interface by using the link-local address or the global IPv6 address of the interface. You can use a loopback, tunnel, or logical interface as the source. The source and target devices must have the ping utility enabled and running on top of TCP/IP.
The switch can be pinged from any IP workstation with which the switch is connected through the default VLAN (VLAN 1), as long as there is a physical path between the switch and the workstation. The terminal interface sends three pings to the target station.
Example
This example shows output from a successful ping to link-local address fe80::211:88ff:fe55:4a7f.
C3(su)->router#ping ipv6 interface vlan 6 link-local-address fe80::211:88ff:fe55:4a7f
Send count=3, Receive count=3 from fe80::211:88ff:fe55:4a7f
Average round trip time = 1.00 ms
traceroute ipv6
Use this command to discover the routes that packets actually take when traveling to their destination through the network on a hop-by-hop basis.
Syntax
traceroute ipv6 ipv6-addr [port]
Parameters
ipv6-addr
Specifies a host to which the route of an IPv6 packet will be traced. Enter the address in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons.
port
(Optional) Specifies the UDP port used as the destination of packets sent as part of the traceroute. This port should be an unused port on the destination system. The value of port can range from 0 to 65535. Default value is 33434.
Defaults
None.
Mode
Router privileged exec: C3(su)->router#
Example
This example shows how to use traceroute to display a round trip path to host 2001:0db8:1234:5555::1.
C3(su)->router#traceroute ipv6 2001:0db8:1234:5555::1
Traceroute to 2001:0db8:1234:5555::1, 30 hops max, 40 byte packets
 1 2001:0db8:1234:5555::1    1.000000e+00 ms 1.000000e+00 ms 1.000000e+00 ms
ipv6 address
This command configures a global IPv6 address on an interface, including VLAN, tunnel, and loopback interfaces, and enables IPv6 processing on the interface.
Syntax
ipv6 address {ipv6-addr/prefix-length | ipv6-prefix/prefix-length eui64}
no ipv6 address [ipv6-addr/prefix-length | ipv6-prefix/prefix-length eui64]
Parameters
ipv6-addr
The IPv6 address to be configured on the interface.
This parameter must be in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons.
prefix-length
The length of the IPv6 prefix for this address. The value of prefix-length is a decimal number indicating the number of high-order contiguous bits of the address that comprise the network portion of the address.
If the eui64 parameter is used, this value must be 64 bits.
ipv6-prefix
The IPv6 prefix to be configured on the interface.
This parameter must be in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons.
eui64
Configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits of the address and enables IPv6 processing on the interface.
Defaults
No IPv6 addresses are defined for any interface.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
Use this command to manually configure a global IPv6 address on an interface. You can enter the complete 128-bit address and prefix, or use the eui64 parameter to configure a global IPv6 address using an EUI-64 identifier in the low order 64 bits of the address. When using the eui64 parameter, you specify only the network prefix and length, and the SecureStack C3 generates the low order 64 bits.
The hexadecimal letters in the IPv6 addresses are not case-sensitive.
This command also enables IPv6 processing on the interface and automatically generates a link-local address.
You can assign multiple globally reachable addresses to an interface with this command.
Use the no ipv6 address command without any parameters to remove all manually configured IPv6 addresses from the interface.
Example
This example configures an IPv6 address by using the eui64 parameter. Then, the show ipv6 interface command is executed to display the configuration. Note that a link-local address has also automatically been generated.
C3(su)->router(config-if(Vlan 7))# ipv6 address 3FFE:501:FFFF:101/64 eui64
C3(su)->router>show ipv6 interface vlan 7
Vlan 7 Administrative Mode                      Enabled
Vlan 7 IPv6 Routing Operational Mode            Enabled
IPv6 is                                         Enabled
IPv6 Prefix is                                  FE80::211:88FF:FE55:4A7F/128
                                                3FFE:501:FFFF:101:211:88FF:FE55:4A7F/64
Routing Mode                                    Enabled
Interface Maximum Transmit Unit                 1500
Router Duplicate Address Detection Transmits    1
Router Advertisement NS Interval                0
Router Lifetime Interval                        1800
Router Advertisement Reachable Time             0
Router Advertisement Interval                   600
Router Advertisement Managed Config Flag        Disabled
Router Advertisement Other Config Flag          Disabled
Router Advertisement Suppress Flag              Disabled
ipv6 enable
This command enables IPv6 routing on an interface that has not been configured with an explicit IPv6 address.
Syntax
ipv6 enable
no ipv6 enable
Parameters
None.
Defaults
IPv6 is disabled.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
When this command is executed, an IPv6 link-local unicast address is configured on the interface and IPv6 processing is enabled. You do not need to use this command if you configured an IPv6 global address on an interface with the ipv6 address command.
The no ipv6 enable command disables IPv6 routing on an interface that has been enabled with the ipv6 enable command, but it does not disable IPv6 processing on an interface that is configured with an explicit IPv6 address.
Example
This example enables IPv6 processing on VLAN 7. Note that a link-local address has been automatically configured.
C3(su)->router(config-if(Vlan 7))# ipv6 enable
C3(su)->router>show ipv6 interface vlan 7
Vlan 7 Administrative Mode                      Enabled
Vlan 7 IPv6 Routing Operational Mode            Enabled
IPv6 is                                         Enabled
IPv6 Prefix is                                  FE80::211:88FF:FE55:4A7F/128
Routing Mode                                    Enabled
Interface Maximum Transmit Unit                 1500
Router Duplicate Address Detection Transmits    1
Router Advertisement NS Interval                0
Router Lifetime Interval                        1800
Router Advertisement Reachable Time             0
Router Advertisement Interval                   600
Router Advertisement Managed Config Flag        Disabled
Router Advertisement Other Config Flag          Disabled
Router Advertisement Suppress Flag              Disabled
ipv6 mtu
This command configures the maximum transmission unit (MTU) size of IPv6 packets that can be sent on an interface.
Syntax
ipv6 mtu bytes
no ipv6 mtu
Parameters
bytes
Specifies the MTU value in bytes. The value can range from 1280 to 1500 bytes. The MTU cannot be larger than the value supported by the underlying interface.
Defaults
1480 bytes
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
The maximum transmission unit is the largest possible unit of data that can be sent on a given physical medium. Use this command to set the MTU for an IPv6 interface. The no form of this command resets the MTU to the default value of 1480 bytes.
Use the show ipv6 interface command to display the current setting for this interface.
Note: All interfaces attached to the same physical medium must be configured with the same MTU to operate properly.
Example
This example sets the MTU value to 1500 bytes.
C3(su)->router(config-if(Vlan 1))# ipv6 mtu 1500
Syntax
clear ipv6 neighbor [vlan vlan-id]
Parameters
vlan vlan-id
(Optional) Clear only the entries on the specified interface.
Defaults
None.
Mode
Router privileged exec: C3(su)->router#
Usage
To clear all dynamically learned Neighbor Cache entries, use this command without any parameters.
Example
This example clears all dynamically learned cache entries.
C3(su)->router#clear ipv6 neighbors
Syntax
ipv6 nd dad attempts number
no ipv6 nd dad attempts
Parameters
number
Specifies the number of consecutive Neighbor Solicitation messages transmitted on the interface when Duplicate Address Detection (DAD) is performed on a unicast IPv6 address assigned to the interface.
The value can range from 0 to 600. A value of 0 disables Duplicate Address Detection on the interface. A value of 1, which is the default, specifies a single transmission with no follow-up transmissions.
Defaults
Duplicate address detection enabled, for 1 attempt.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
IPv6 Duplicate Address Detection is described in RFC 2462. Duplicate Address Detection uses Neighbor Solicitation and Neighbor Advertisement messages to verify the uniqueness of an address. Duplicate Address Detection must be performed on unicast addresses prior to assigning them to an interface. An address remains in a tentative state while Duplicate Address Detection is being performed. If a tentative address is found to be a duplicate, an error message is returned and the address is not assigned to the interface.
Use this command to change the number of Neighbor Solicitation messages that can be sent for Duplicate Address Detection from the default value of 1. The no form of the command returns the value to the default of 1. A value of 0 disables Duplicate Address Detection on the interface.
The show ipv6 interface command displays the current DAD attempt setting.
Example
This example changes the number of consecutive Neighbor Solicitation messages sent for DAD to 3 on this interface.
C3(su)->router(config-if(Vlan 1))# ipv6 nd dad attempts 3
ipv6 nd ns-interval
This command configures the interval between Neighbor Solicitations sent on an interface.
Syntax
ipv6 nd ns-interval { msec | 0 }
no ipv6 nd ns-interval
Parameters
msec
Sets the interval in milliseconds between retransmissions of Neighbor Solicitation messages on the interface. The value can range from 1000 (one second) to 3,600,000 (one hour) milliseconds.
An advertised value of 0 means the interval is unspecified.
Defaults
By default, a value of 0 is advertised in RA messages.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
The NS interval is used to determine the time between retransmissions of neighbor solicitation messages to a neighbor when resolving a unicast address (DAD) or when probing the reachability of a neighbor. This value is also advertised in Router Advertisement (RA) messages sent on the interface.
Use the no form of this command to set the interval to the default of 0.
Example
This example sets the NS interval to 2 seconds.
C3(su)->router(config-if(Vlan 1))# ipv6 nd ns-interval 2000
ipv6 nd reachable-time
This command configures the length of time within which some reachability confirmation must be received from a neighbor for the neighbor to be considered reachable.
Syntax
ipv6 nd reachable-time msec
no ipv6 nd reachable-time
Parameters
msec
The amount of time in milliseconds that a remote IPv6 node is considered reachable. The value can range from 0 to 4,294,967,295 milliseconds.
The default value is 0, which means that the time is unspecified.
Defaults
By default, a value of 0 is advertised in RA messages.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
This timer allows the C3 to detect unavailable neighbors. The shorter the time, the more quickly unavailable neighbors are detected. Very short configured times are not recommended in normal IPv6 operation, however, because shorter times consume more IPv6 network bandwidth and processing resources.
This value is also included in all Router Advertisement messages sent out on the interface. By default, a value of 0, indicating that the configured time is unspecified by this router, is sent out in RA messages.
Use the no form of this command to reset this value to the default.
The show ipv6 interface command displays the current reachable time setting.
Example
This example sets the reachable time to 60 seconds.
C3(su)->router(config-if(Vlan 1))# ipv6 nd reachable-time 60000
ipv6 nd managed-config-flag
This command sets the managed address configuration flag in router advertisements sent on this interface to true.
Syntax
ipv6 nd managed-config-flag
no ipv6 nd managed-config-flag
Parameters
None.
Defaults
Flag is set to false by default.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
When the value of the managed address configuration flag is true, end nodes use stateful autoconfiguration (DHCPv6). When the value is false, end nodes automatically configure addresses. Refer to RFC 2462, IPv6 Stateless Address Autoconfiguration, for more information.
Use the no form of this command to reset the flag to false.
Example
This example sets the managed address configuration flag to true.
C3(su)->router(config-if(Vlan 1))# ipv6 nd managed-config-flag
ipv6 nd other-config-flag
This command sets the other stateful configuration flag in router advertisements sent on this interface to true.
Syntax
ipv6 nd other-config-flag
no ipv6 nd other-config-flag
Parameters
None.
Defaults
Flag is set to false by default.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
When the value of the other stateful configuration flag is true, end nodes should use stateful autoconfiguration (DHCPv6) to obtain additional information (excluding addresses). When the value is false, end nodes do not. Refer to RFC 2462, IPv6 Stateless Address Autoconfiguration, for more information.
Use the no form of this command to reset the flag to false.
Example
This example sets the other stateful configuration flag to true.
C3(su)->router(config-if(Vlan 1))# ipv6 nd other-config-flag
ipv6 nd ra-interval
This command sets the transmission interval between router advertisements.
Syntax
ipv6 nd ra-interval sec
no ipv6 nd ra-interval
Parameters
sec
Specifies the value in seconds of the router advertisement transmission interval. The value can range from 4 to 1800 seconds.
Defaults
600 seconds.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
The no form of this command resets the interval value to the default of 600 seconds.
Example
This example sets the router advertisement transmission interval to 120 seconds.
C3(su)->router(config-if(Vlan 1))# ipv6 nd ra-interval 120
ipv6 nd ra-lifetime
This command sets the value, in seconds, that is placed in the Router Lifetime field of router advertisements sent from this interface.
Syntax
ipv6 nd ra-lifetime sec | 0
no ipv6 nd ra-lifetime
Parameters
sec
Specifies the value of the Router Lifetime in seconds. The value must be 0, or an integer between the value of the router advertisement interval and 9000 seconds.
A value of 0 means that this router is not to be used as the default router.
Defaults
1800 seconds.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
The no form of this command resets the lifetime value to the default of 1800 seconds.
Example
This example sets the router advertisement lifetime value to 3600 seconds.
C3(su)->router(config-if(Vlan 1))# ipv6 nd ra-lifetime 3600
ipv6 nd suppress-ra
This command suppresses router advertisement transmission on this interface.
Syntax
ipv6 nd suppress-ra
no ipv6 nd suppress-ra
Parameters
None.
Defaults
Suppression disabled.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
By default, transmission of router advertisements is enabled. This command disables such transmissions. Use the no form of this command to re-enable transmission.
Example
This example disables router advertisement transmission.
C3(su)->router(config-if(Vlan 1))# ipv6 nd suppress-ra
ipv6 nd prefix
This command configures the IPv6 prefixes to be included in router advertisements sent by this interface.
Syntax
ipv6 nd prefix {ipv6-prefix/prefix-length} [{valid-lifetime | infinite}
{preferred-lifetime | infinite}] [no-autoconfig] [off-link]
no ipv6 nd prefix {ipv6-prefix/prefix-length}
Parameters
ipv6-prefix/prefix-length
The IPv6 network prefix and the prefix length being configured. The prefix must be in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons. The prefix length is a decimal number indicating the number of high-order contiguous bits of the address that comprise the network portion of the address.
valid-lifetime | infinite
(Optional) Specifies the length of time in seconds (relative to the time the packet is sent) that the prefix is valid for the purpose of on-link determination. The lifetime value can range from 0 to 4,294,967,295. Specifying infinite means that the prefix is always valid.
preferred-lifetime | infinite
(Optional) Specifies the length of time in seconds (relative to the time the packet is sent) that addresses generated from the prefix by means of stateless address autoconfiguration remain preferred. The lifetime value can range from 0 to 4,294,967,295. Specifying infinite means that the prefix is always preferred.
no-autoconfig
Unsets the autonomous address configuration flag. When not set, means that this prefix cannot be used for autonomous address configuration. By default, the autonomous address configuration flag is set/enabled.
off-link
Unsets the on-link flag. When not set, means that this prefix cannot be used for on-link determination. By default, the on-link flag is set/enabled.
Defaults
Valid lifetime 604800
Preferred lifetime 2592000
Autoconfig enabled
On-link enabled
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
Refer to RFC 2461, Neighbor Discovery for IP Version 6, for more information about router advertisements.
Router advertisements contain a list of prefixes used for on-link determination and/or autonomous address configuration. Flags associated with the prefixes specify the intended uses of a particular prefix. Hosts use the advertised on-link prefixes to build and maintain a list that is used in deciding when a packet's destination is on-link or beyond a router. Hosts can use the advertised autoconfiguration prefixes to perform autonomous (stateless) address configuration, if stateless configuration is allowed (see ipv6 nd managed-config-flag).
The no form of this command removes the prefix from the list of prefixes advertised in router advertisements by this interface.
Example
This example configures a prefix that can be used for both on-link determination and autoconfiguration, using the default values for valid lifetime and preferred lifetime.
C3(su)->router(config-if(Vlan 1))# ipv6 nd prefix 2001:0db8:4444:5555::/64
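The ipv6 nd commands in this chapter each set a field of the Router Advertisement defined in RFC 2461. The following added example (not Enterasys code; the function names, the POLICY structure and the sample messages are this example's own) decodes an RA and reports where it differs from the values an administrator configured, using the settings shown in the show ipv6 interface vlan 7 output on this page as the expected values.

```python
import ipaddress
import struct

RA_TYPE = 134                  # ICMPv6 Router Advertisement
OPT_PREFIX_INFO = 3            # Prefix Information option
FLAG_M, FLAG_O = 0x80, 0x40    # managed-config-flag / other-config-flag
FLAG_L, FLAG_A = 0x80, 0x40    # on-link / autoconfig flags of a prefix


def build_ra(managed, other, router_lifetime, reachable_ms, retrans_ms, prefixes):
    """Encode an RA for offline tests (checksum left at 0, hop limit 64)."""
    flags = (FLAG_M if managed else 0) | (FLAG_O if other else 0)
    msg = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags,
                      router_lifetime, reachable_ms, retrans_ms)
    for prefix, valid, preferred, on_link, autoconfig in prefixes:
        net = ipaddress.IPv6Network(prefix)
        pflags = (FLAG_L if on_link else 0) | (FLAG_A if autoconfig else 0)
        msg += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen,
                           pflags, valid, preferred, 0,
                           net.network_address.packed)
    return msg


def parse_ra(data):
    """Decode the RA header and its Prefix Information options."""
    if len(data) < 16:
        raise ValueError("truncated Router Advertisement")
    mtype, code, _csum, _hop, flags, lifetime, reachable, retrans = \
        struct.unpack("!BBHBBHII", data[:16])
    if mtype != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(flags & FLAG_M), "other": bool(flags & FLAG_O),
          "router_lifetime": lifetime, "reachable_ms": reachable,
          "ns_interval_ms": retrans, "prefixes": []}
    offset = 16
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated option header")
        opt_type, size = data[offset], data[offset + 1] * 8
        if size == 0 or offset + size > len(data):
            raise ValueError("malformed option length")
        if opt_type == OPT_PREFIX_INFO:
            if size != 32:
                raise ValueError("bad Prefix Information length")
            plen, pflags, valid, preferred, _rsvd, raw = struct.unpack(
                "!BBIII16s", data[offset + 2:offset + 32])
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((raw, plen), strict=False),
                "on_link": bool(pflags & FLAG_L),
                "autoconfig": bool(pflags & FLAG_A),
                "valid": valid, "preferred": preferred})
        offset += size          # other option types are skipped
    return ra


def audit_ra(ra, policy):
    """Return findings where an observed RA differs from the configured one."""
    findings = []
    for key in ("managed", "other", "router_lifetime"):
        if ra[key] != policy[key]:
            findings.append(f"{key}: saw {ra[key]}, expected {policy[key]}")
    for p in ra["prefixes"]:
        if p["prefix"] not in policy["prefixes"]:
            findings.append(f"unexpected prefix {p['prefix']}")
    return findings


# Expected values: flags, lifetime and prefixes from the VLAN 7 output on this page.
POLICY = {"managed": True, "other": True, "router_lifetime": 1800,
          "prefixes": {ipaddress.IPv6Network("3ffe:501:ffff:101::/64"),
                       ipaddress.IPv6Network("3ffd::/64")}}

# Constructed sample RAs (the lifetimes and the second prefix are made up).
MATCHING_RA = build_ra(True, True, 1800, 0, 0,
                       [("3ffe:501:ffff:101::/64", 86400, 14400, True, True)])
DEVIATING_RA = build_ra(False, False, 9000, 0, 0,
                        [("2001:db8:bad::/64", 86400, 14400, True, True)])

if __name__ == "__main__":
    for name, raw in (("matching", MATCHING_RA), ("deviating", DEVIATING_RA)):
        print(name, audit_ra(parse_ra(raw), POLICY) or "no findings")
```

An RA on the segment that fails this comparison did not come from the interface as configured, which is the condition a rogue-RA monitor looks for.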
Query Commands
The show commands that display IPv6 information are described below.
show ipv6
This command displays the status of IPv6 forwarding mode and unicast routing mode.
Syntax
show ipv6
Parameters
None.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Usage
The output of this command displays whether IPv6 forwarding mode and unicast routing mode are enabled or disabled.
Example
This example displays information about IPv6 modes.
C3(su)->router# show ipv6
IPv6 Forwarding Mode                            Enabled
IPv6 Unicast Routing Mode                       Enabled
Syntax
show ipv6 interface [vlan vlan-id | tunnel tunnel-id | loopback loop-id]
Parameters
vlan vlan-id | tunnel tunnel-id | loopback loop-id
(Optional) Display information only about the specified interface.
Defaults
If no interface is specified, information about all IPv6 interfaces is displayed.
Mode
Router privileged execution: C3(su)->router#
Router global configuration: C3(su)->router(Config)#
Usage
Use this command to display the usability status of IPv6 interfaces.
If an IPv6 prefix is configured on an interface, the following information also displays:
The IPv6 prefix and length
The configured preferred lifetime value
The configured valid lifetime value
The status of the on-link flag, either enabled or disabled
The status of the autonomous address configuration flag (autoconfig), either enabled or disabled.
Examples
This example displays information about IPv6 interface VLAN 7.
C3(su)->router>show ipv6 interface vlan 7
Vlan 7 Administrative Mode                      Enabled
Vlan 7 IPv6 Routing Operational Mode            Enabled
IPv6 is                                         Enabled
IPv6 Prefix is                                  FE80::211:88FF:FE55:4A7F/128
                                                3FFE:501:FFFF:101:211:88FF:FE55:4A7F/64
                                                3FFD::211:88FF:FE55:4A7F/64
Routing Mode                                    Enabled
Interface Maximum Transmit Unit                 1500
Router Duplicate Address Detection Transmits    1
Router Advertisement NS Interval                0
Router Lifetime Interval                        1800
Router Advertisement Reachable Time             0
Router Advertisement Interval                   600
Router Advertisement Managed Config Flag        Enabled
Router Advertisement Other Config Flag          Enabled
Router Advertisement Suppress Flag              Disabled
This example displays information about IPv6 interface tunnel 1.
C3(su)->router>show ipv6 interface tunnel 1
Tunnel 1 Administrative Mode                    Enabled
Tunnel 1 IPv6 Routing Operational Mode          Disabled
Mode for IPv6 Tunnel                            IPv6OVER4
Source Address for IPv6 Tunnel                  192.168.1.2
Destination Address for IPv6 Tunnel             192.168.8.1
Routing Mode                                    Enabled
Interface Maximum Transmit Unit                 1480
Router Duplicate Address Detection Transmits    1
Router Advertisement NS Interval                0
Router Lifetime Interval                        1800
Router Advertisement Reachable Time             0
Router Advertisement Interval                   600
Router Advertisement Managed Config Flag        Disabled
Router Advertisement Other Config Flag          Disabled
Router Advertisement Suppress Flag              Disabled
Syntax
show ipv6 neighbors
Parameters
None.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Usage
Use this command to display the contents of the Neighbor Cache.
Example
This example displays the neighbors in the cache. Table 18-1 following the example describes the contents of the fields.
C3(su)->router>show ipv6 neighbors
                                                      Neighbor Last
IPv6 Address               Interface  MAC Address     isRtr State   Updated
-------------------------------------
FE80::200:FF:FE00:A0A0     Vlan 6
FE80::2D0:B7FF:FE2C:7697   Vlan 6
FE80::2D0:B7FF:FE2C:7698   Vlan 6
FE80::2D0:B7FF:FE2C:7699   Vlan 6
FE80::2D0:B7FF:FE2C:769E   Vlan 6
FE80::2D0:B7FF:FE2C:76AA   Vlan 6
FE80::2D0:B7FF:FE2C:76AB   Vlan 6
FE80::2D0:B7FF:FE2C:76AC   Vlan 6
FE80::2D0:B7FF:FE2C:76B4   Vlan 6
Table 18-1
Output field...            What it displays...
IPv6 Address
Interface
MAC Address
isRtr
Neighbor State
Last Updated               Shows the system uptime when the information for the neighbor was last updated.
Syntax
show ipv6 route [{ipv6-addr [protocol] | {{ipv6-prefix/prefix-length | interface}
[protocol] | protocol | summary} [all] | all} ]
Parameters
ipv6-addr
Specifies a specific IPv6 address for which the best-matching route should be displayed.
ipv6-prefix/prefix-length
The IPv6 network prefix of the route to display, and the prefix length. The prefix must be in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons. The prefix length is a decimal number indicating the number of high-order contiguous bits of the address that comprise the network portion of the address.
interface
Specifies that the routes with next-hops on this interface should be displayed. Interface can be of the form:
vlan vlan-id
tunnel tunnel-id
loopback loop-id
protocol
Specifies the protocol that installed the routes. Protocol can be one of the following keywords:
connected
static
ospf
all
Specifies that all IPv6 routes should be displayed, including best and non-best routes. Otherwise, only the best routes are displayed.
Note: If you specify the connected keyword, the all option is not available because there will be no best or non-best routes.
Defaults
If no parameters are entered, information about all active IPv6 routes is displayed.
Mode
Router privileged execution: C3(su)->router#
Router user execution: C3(su)->router>
Usage
Use this command to display IPv6 routing table information for active routes.
Example
This example displays all active IPv6 routes.
C3(su)->router>show ipv6 route
IPv6 Routing Table - 5 entries
Codes: C - connected, S - static
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF Ext 1, OE2 - OSPF Ext 2
       ON1 - OSPF NSSA Ext Type 1, ON2 - OSPF NSSA Ext Type 2
S   ::/0 [1/0]
     via FE80::2D0:B7FF:FE2C:7694,   Vlan 6
C   3FFE:501:FFFF:100::/64 [0/0]
     via ::,   Vlan 6
C   3FFE:501:FFFF:101::/64 [0/0]
     via ::,   Vlan 7
C   3FFE:501:FFFF:108::/64 [0/0]
     via ::,   Vlan 6
S   3FFE:501:FFFF:109::/64 [1/0]
     via 3FFE:501:FFFF:100:200:FF:FE00:A1A1,   Vlan 6
     via FE80::200:FF:FE00:A1A1,   Vlan 6
Table 18-2 describes the output of the show ipv6 route command.
Table 18-2
Output...                  What it displays...
Codes:                     Displays the key for the routing protocol codes that might appear in the Codes column of the routing table output.
Codes column               The code for the routing protocol that created this routing entry.
IPv6 prefix/prefix-length  The IPv6 prefix and prefix length of the destination IPv6 network corresponding to this route.
[ Preference / Metric ]
Tag
via Next-hop
Interface
Syntax
show ipv6 route preference
Parameters
None.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Router user execution: C3(su)->router>
Usage
Lower numbers have a greater preference. A route with a preference of 255 cannot be used to forward traffic.
The default preference value for static routes can be set with the ipv6 route distance command. The distance for a specific static route can be set with the ipv6 route command.
Note: The configuration of NSSA preferences is not supported in this release.
Example
The following example shows the output of this command. Table 18-3 describes the fields of the output.
C3(su)->router#show ipv6 route preferences
Local            0
Static           1
OSPF Intra       8
OSPF Inter       10
OSPF Ext T1      13
OSPF Ext T2      150
OSPF NSSA T1     14
OSPF NSSA T2     151
Table 18-3
Output...        What it displays...
Local
Static
OSPF Intra
OSPF Inter
OSPF Ext T1
OSPF Ext T2
OSPF NSSA T1
OSPF NSSA T2
Syntax
show ipv6 route summary [all]
Parameters
all
(Optional) Display the count summary for all routes, including best and non-best routes.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Router user execution: C3(su)->router>
Usage
Use the command without parameters to display the count summary for only the best routes. Use all to display the count summary for all routes, including best and non-best routes.
Example
This example illustrates the summary information displayed by this command. Table 18-4 describes the output of this command.
C3(su)->router>show ipv6 route summary all
3
3
0
0
0
0
0
6
Number of Prefixes:
/0: 1, /64: 5
Table 18-4
Output...
What it displays...
Connected Routes
Static Routes
OSPF Routes
Number of Prefixes
Total Routes
Syntax
show ipv6 traffic [interface]
Parameters
interface
(Optional) Specifies the interface for which traffic information should be displayed. Interface can be of the form:
vlan vlan-id
tunnel tunnel-id
loopback loop-id
Defaults
If no interface is specified, information about traffic on all interfaces is displayed.
Mode
Router privileged execution: C3(su)->router#
Usage
Specify a logical, loopback, or tunnel interface to view information about traffic on a specific interface. If you do not specify an interface, the command displays information about traffic on all interfaces.
Example
The following example displays the output of this command. Table 18-5 describes the output fields.
ICMPv6 STATISTICS
Total ICMPv6 Messages Received............................ 116
ICMPv6 Messages With Errors Received...................... 4
ICMPv6 Destination Unreachable Messages Received.......... 0
ICMPv6 Messages Prohibited Administratively Received...... 0
ICMPv6 Time Exceeded Messages Received.................... 0
ICMPv6 Parameter Problem Messages Received................ 0
ICMPv6 Packet Too Big Messages Received................... 0
ICMPv6 Echo Request Messages Received..................... 52
ICMPv6 Echo Reply Messages Received....................... 0
ICMPv6 Router Solicit Messages Received................... 0
ICMPv6 Router Advertisement Messages Received............. 5
ICMPv6 Neighbor Solicit Messages Received................. 31
ICMPv6 Neighbor Advertisement Messages Received........... 28
ICMPv6 Redirect Messages Received......................... 0
ICMPv6 Group Membership Query Messages Received........... 0
ICMPv6 Group Membership Response Messages Received........ 0
ICMPv6 Group Membership Reduction Messages Received....... 0
Total ICMPv6 Messages Transmitted......................... 876
ICMPv6 Messages Not Transmitted Due To Error.............. 0
ICMPv6 Destination Unreachable Messages Transmitted....... 0
ICMPv6 Messages Prohibited Administratively Transmitted... 0
ICMPv6 Time Exceeded Messages Transmitted................. 0
ICMPv6 Parameter Problem Messages Transmitted............. 0
ICMPv6 Packet Too Big Messages Transmitted................ 0
ICMPv6 Echo Request Messages Transmitted.................. 157
ICMPv6 Echo Reply Messages Transmitted.................... 52
ICMPv6 Router Solicit Messages Transmitted................ 0
ICMPv6 Router Advertisement Messages Transmitted.......... 7
ICMPv6 Neighbor Solicit Messages Transmitted.............. 625
ICMPv6 Neighbor Advertisement Messages Transmitted........ 27
ICMPv6 Redirect Messages Transmitted...................... 0
ICMPv6 Group Membership Query Messages Transmitted........ 0
Table 18-5 describes the output fields of this command.
Table 18-5
Output...        What it displays...
Total number of datagrams successfully delivered to IPv6 user-protocols (including ICMP). This counter increments at the interface to which these datagrams were addressed, which might not necessarily be the input interface for some of the datagrams.
Datagrams Forwarded
Fragments Created
Number of ICMP messages which this interface did not send due to problems discovered within ICMP such as a lack of buffers. This value should not include errors discovered outside the ICMP layer such as the inability of IPv6 to route the resultant datagram. In some implementations there may be no types of error which contribute to this counter's value.
Syntax
clear ipv6 statistics [interface]
Parameters
interface
(Optional) Specifies the interface for which statistics should be cleared. Interface can be of the form:
vlan vlan-id
tunnel tunnel-id
loopback loop-id
Defaults
If no interface is specified, statistics are cleared (reset to 0) for all interfaces.
Mode
Router privileged execution: C3(su)->router#
Usage
IPv6 statistics are displayed with the show ipv6 traffic command. If no interface is specified, the counters for all IPv6 traffic statistics are reset to zero when this command is executed.
Example
This example clears the statistics for VLAN 6.
C3(su)->router# clear ipv6 statistics vlan 6
19
DHCPv6 Configuration
* IPv6 Routing License Required *
IPv6 routing must be enabled with a license key in order to use this feature. If you have purchased an IPv6
routing license key, and have enabled routing on the device, you must activate your license as described in
Activating Licensed Features on page 3-29 in order to enable the DHCPv6 configuration command set. If
you wish to purchase an IPv6 routing license, contact Enterasys Networks Sales.
The commands described in this chapter perform configuration of the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) on the SecureStack C3.
Overview
DHCP is generally used between clients (for example, hosts) and servers (for example, routers) for the purpose of assigning IP addresses, gateways, and other networking definitions such as DNS, NTP, and/or SIP parameters. However, IPv6 natively provides for autoconfiguration of IP addresses through the IPv6 Neighbor Discovery Protocol (NDP) and the use of Router Advertisement messages. Thus, the role of DHCPv6 within the network is different from DHCPv4 in that it is less relied upon for IP address assignment.
DHCPv6 server and client interactions are described by RFC 3315. There are many similarities between DHCPv6 and DHCPv4 interactions and options, but the messages and option definitions are sufficiently different. There is no migration or interoperability from DHCPv4 to DHCPv6.
DHCPv6 incorporates the notion of the stateless server, where DHCPv6 is not used for IP address assignment to a client. Instead, it only provides other networking information such as DNS, NTP, and/or SIP information. The stateless server behavior is described by RFC 3736, which simply contains descriptions of the portions of RFC 3315 that are necessary for stateless server behavior.
In order for a router to drive a DHCPv6 client to utilize stateless DHCPv6, the other stateful configuration option must be configured for neighbor discovery on the corresponding IPv6 router interface. This in turn causes DHCPv6 clients to send the DHCPv6 Information-Request message in response. A DHCPv6 server then responds by providing only networking definitions such as DNS domain name and server definitions, NTP server definitions, and/or SIP definitions.
RFC 3315 also describes DHCPv6 Relay Agent interactions, which are very much like DHCPv4 Relay Agent. RFC 3046 describes the DHCPv6 Relay Agent Information Option, which employs very similar capabilities as those described by DHCPv4 Relay Agent Option in RFC 2132.
With the larger address space inherent to IPv6, addresses within a network can be allocated more effectively in a hierarchical fashion. DHCPv6 introduces the notion of prefix delegation as described in RFC 3633 as a way for routers to centralize and delegate IP address assignment.
Default Conditions
The following table lists the default DHCPv6 conditions.
Condition
Default Value
IPv6 DHCP
Disabled
32
2592000 seconds
604800 seconds
Commands
Syntax
ipv6 dhcp enable
no ipv6 dhcp enable
Parameters
None.
Defaults
By default, DHCPv6 is disabled.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
Use this command to enable DHCPv6 on the router. Use the no form of this command to disable DHCPv6 after it has been enabled.
Example
This example enables DHCPv6.
C3(su)->router(Config)# ipv6 dhcp enable
Syntax
ipv6 dhcp relay-agent-info-opt option
Parameters
option
The value of option may range from 32 to 65535. The default value is 32.
Defaults
The default value of the DHCPv6 Relay Agent Information Option is 32.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
The DHCPv6 Relay Agent Information Option allows for various suboptions to be attached to messages that are being relayed by the local router to a relay server. The relay server may in turn use this information in determining an address to assign to a DHCPv6 client. Refer to RFC 3046 for more information.
Example
This example sets the Relay Agent Information Option value to 82.
C3(su)->router(Config)# ipv6 dhcp relay-agent-info-opt 82
Syntax
ipv6 dhcp relay-agent-info-remote-id-subopt option
Parameters
option
The value of option may range from 1 to 65535. The default value is 1.
Defaults
The default value of the DHCPv6 Relay Agent Remote ID suboption is 1.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
This suboption may be added by DHCP relay agents which terminate switched or permanent circuits and have mechanisms to identify the remote host end of the circuit. Refer to RFC 3046 for more information.
Example
This example sets the Relay Agent Remote ID suboption value to 2.
C3(su)->router(Config)# ipv6 dhcp relay-agent-info-remote-id-subopt 2
Syntax
ipv6 dhcp pool pool-name
no ipv6 dhcp pool pool-name
Parameters
pool-name
Specifies the name of the pool to be configured. Pool names must be less than 31 alphanumeric characters.
Defaults
None.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
DHCPv6 pools are used to specify information for the DHCPv6 server to distribute to DHCPv6 clients. These pools are shared between multiple interfaces over which DHCPv6 server capabilities are configured.
After executing this command and entering pool configuration mode, you can return to global configuration mode by executing the exit command. Pool configuration commands are described in the section "Address Pool Configuration Commands" on page 19-6.
Use the no form of this command to remove a specified pool.
Example
This example enters DHCP pool configuration mode to configure the pool named PoolA.
C3(su)->router(Config)# ipv6 dhcp pool PoolA
C3(su)->router(Config-dhcp6s-pool)#
Commands
For information about...
domain-name
dns-server
prefix-delegation
exit
domain-name
This command sets the DNS domain name which is provided to DHCPv6 clients by the DHCPv6 server.
Syntax
domain-name name
no domain-name name
Parameters
name
Specifies the DNS domain name for the pool being configured. The name can consist of no more than 31 alphanumeric characters.
Defaults
None.
Mode
Router DHCPv6 pool configuration mode: C3(su)->router(Config-dhcp6s-pool)#
Usage
A DNS domain name is configured for stateless server support. A DHCPv6 pool can have up to 8 domain names configured for it.
The no form of this command will remove the domain name from the DHCPv6 pool being configured.
Example
This example specifies the domain name enterasys.com for the pool named PoolA.
C3(su)->router(Config)# ipv6 dhcp pool PoolA
C3(su)->router(Config-dhcp6s-pool)# domain-name enterasys.com
dns-server
This command sets the IPv6 DNS server address which is provided to DHCPv6 clients by the DHCPv6 server.
Syntax
dns-server server-address
no dns-server server-address
Parameters
server-address
The IPv6 address of the DNS server. This parameter must be in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons.
Defaults
None.
Mode
Router DHCPv6 pool configuration mode: C3(su)->router(Config-dhcp6s-pool)#
Usage
A DNS server address is configured for stateless server support. A DHCPv6 pool can have up to 8 DNS server addresses configured for it.
The no form of this command will remove the DHCPv6 server address from the DHCPv6 pool being configured.
Example
This example configures a DNS server address for the pool named PoolA.
C3(su)->router(Config)# ipv6 dhcp pool PoolA
C3(su)->router(Config-dhcp6s-pool)# dns-server 2001:0db8:1234:5678::A
prefix-delegation
This command configures a numeric prefix to be delegated to a specified prefix delegation client.
Syntax
prefix-delegation prefix/prefix-length DUID [name hostname] [valid-lifetime {secs
| infinite}] [preferred-lifetime {secs | infinite}]
no prefix-delegation prefix/prefix-length DUID
Parameters
prefix/prefix-length
This prefix must be in the form documented in RFC 4291, with the address specified in hexadecimal using 16-bit values between colons. The value of prefix-length is a decimal number indicating the number of high-order contiguous bits of the address that comprise the prefix.
DUID
The DHCP Unique Identifier (DUID) of the prefix delegation client, as described in RFC 3315.
name hostname
(Optional) The name of the prefix delegation client, consisting of up to 31 alphanumeric characters. This name is used for logging and/or tracing only.
valid-lifetime secs | infinite
(Optional) The valid lifetime of the prefix, specified as seconds or as infinite. The value of secs can range from 0 to 4294967295.
preferred-lifetime secs | infinite
(Optional) The preferred lifetime of the prefix, specified as seconds or as infinite. The value of secs can range from 0 to 4294967295.
Defaults
Default value of valid lifetime of prefix: 604,800
Default value of preferred lifetime of prefix: 2,592,000
Mode
Router DHCPv6 pool configuration mode: C3(su)->router(Config-dhcp6s-pool)#
Usage
Use this command to manually configure an IPv6 address prefix to be delegated to a specific client, identified by their DHCP unique identifier. Refer to RFC 3633, IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6, for more information about prefix delegation.
Use the no form of this command to remove a configured prefix.
Example
This example configures a prefix to be delegated to the prefix delegation client identified by the DUID 00:02:00:00:00:11:0A:C0:89:D3:03:00:09:AA. The default lifetime values are used.
C3(su)->router(Config)# ipv6 dhcp pool PoolA
C3(su)->router(Config-dhcp6s-pool)# prefix-delegation 2001:0db8:10::/48
00:02:00:00:00:11:0A:C0:89:D3:03:00:09:AA
exit
This command exits from DHCPv6 pool configuration mode and returns to global configuration mode.
Syntax
exit
Parameters
None.
Defaults
None.
Mode
Router DHCPv6 pool configuration mode: C3(su)->router(Config-dhcp6s-pool)#
Example
This example illustrates how to exit DHCPv6 pool configuration mode.
C3(su)->router(Config-dhcp6s-pool)# exit
C3(su)->router(Config)#
Commands
Syntax
ipv6 dhcp server pool-name [rapid-commit] [preference pref]
no ipv6 dhcp server pool-name
Parameters
pool-name
Specifies the pool containing stateless and/or prefix delegation parameters that should be used by the DHCPv6 server. Refer to "Address Pool Configuration Commands" on page 19-6 for the commands to configure an address pool.
rapid-commit
(Optional) Specify that the server should use the Rapid Commit option that allows for an abbreviated exchange between DHCPv6 client and server. Refer to RFC 3315 for more information.
preference pref
(Optional) Specifies the value of the server's Preference option. This value, which can range from 0 to 4,294,967,295, is used by clients to determine preference among multiple DHCPv6 servers.
Defaults
By default, DHCPv6 functionality is disabled.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
Use this command to configure DHCPv6 server parameters when an interface will act as a DHCPv6 server. Address pools are configured using the commands described in section "Address Pool Configuration Commands" on page 19-6.
An interface can be configured as either a DHCPv6 server or a DHCPv6 relay agent, but not both.
Use the no form of this command to remove DHCPv6 server functionality from an interface.
Example
This example configures routing interface VLAN 7 to be a DHCPv6 server, using the address pool named PoolA.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(config-if(Vlan 7))# ipv6 dhcp server PoolA
Syntax
ipv6 dhcp relay {destination dest-addr interface intf | interface intf} [remote-id
{duid-ifid | user-defined-string}]
no ipv6 dhcp relay {destination dest-addr interface intf | interface intf}
Parameters
destinationdestaddr
SpecifiestheIPv6addressofaDHCPv6relayserver.ThisIPv6address
canbeaglobaladdress,amulticastaddress,oralinklocaladdress.
Iftheaddressisamulticastorlinklocaladdress,thenyoumustspecify
theinterfacetobeusedtocontacttherelayserverwiththeinterface
parameter.
interfaceintf
Specifiestheinterfacetobeusedtocontacttherelayserver.The
interfaceisidentifiedbyporttype.unitnumber.portnumber.For
example,ge.3.1.
Ifdestinationdestaddrisnotspecified,thenaninterfacemustbe
specifiedandtheDHCPV6ALLAGENTSmulticastaddress(FF02::1:2)
isusedtorelayDHCPv6messagestotherelayserver.
remoteid{duidifid| (Optional)SpecifiesthattheRelayAgentInformationOption
userdefinedstring}
RemoteIDsuboptionistobeaddedtorelayedmessages.
SpecifyingduidifidcausestheremoteIDtobederivedfromtherelay
agentsDUIDandtherelayinterfacenumber.Alternatively,youcan
specifytheremoteIDasauserdefinedstringofalphanumeric
characters.RefertoRFC3046andRFC4649formoreinformationabout
theRemoteIDoption.
Defaults
Ifremoteidisnotspecified,theRelayAgentInformationOptionRemoteIDsuboptionisnot
addedtorelayedmessages.
Mode
Routerinterfaceconfiguration:C3(su)>router(configif(Vlan1))#
Usage
UsethiscommandtoconfigurearoutinginterfaceasaDHCPv6relayagent.
AninterfacecanbeconfiguredaseitheraDHCPv6serveroraDHCPv6relayagent,butnotboth.
UsethenoformofthiscommandtoremoveDHCPv6relayagentfunctionalityfromaninterface.
19-11
Examples
ThisexampleconfiguresinterfaceVLAN8asaDHCPv6relayagentthatrelaysDHCPv6
messagestotheDHCPv6serverattheglobaladdress2001:0db8:1234:5555::122:10.
C3(su)->router(Config)# interface vlan 8
C3(su)->router(config-if(Vlan 8))# ipv6 dhcp relay destination
2001:0db8:1234:5555::122:10/64
ThisexampleconfiguresinterfaceVLAN8asaDHCPv6relayagentbyconfiguringtheinterface
throughwhichtherelayagentrelaysmessagesusingtheDHCPV6ALLAGENTSmulticast
address.
C3(su)->router(Config)# interface vlan 8
C3(su)->router(config-if(Vlan 8))# ipv6 dhcp relay interface g3.3.1
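The following is an added example, not part of the original guide or of any Enterasys code. It decodes a DHCPv6 Relay-forward message as a server or log collector behind the relay would see it, extracts the Remote-ID option (RFC 4649) that the remote-id parameter adds, and rejects options whose length overruns the packet. The sample packet is constructed: the link address, the enterprise number 32473 (reserved for documentation), and the remote-ID string are assumptions, and the exact bytes this switch emits for duid-ifid are not shown in the guide.

```python
import ipaddress
import struct

RELAY_FORW = 12        # DHCPv6 Relay-forward message type
OPT_RELAY_MSG = 9      # carries the client's original message
OPT_INTERFACE_ID = 18
OPT_REMOTE_ID = 37     # RFC 4649: enterprise number + opaque remote-id
RELAY_HEADER_LEN = 34  # msg-type, hop-count, link-address, peer-address


def parse_options(buf):
    """Split a DHCPv6 option area into (code, value) pairs, rejecting overruns."""
    options, offset = [], 0
    while offset < len(buf):
        if len(buf) - offset < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, offset)
        offset += 4
        if length > len(buf) - offset:
            raise ValueError("option %d overruns the packet" % code)
        options.append((code, buf[offset:offset + length]))
        offset += length
    return options


def parse_relay_forward(packet):
    """Decode a Relay-forward message and pull out the relay-added options."""
    if len(packet) < RELAY_HEADER_LEN:
        raise ValueError("shorter than the fixed relay header")
    if packet[0] != RELAY_FORW:
        raise ValueError("not a Relay-forward message")
    info = {
        "hop_count": packet[1],
        "link_address": str(ipaddress.IPv6Address(packet[2:18])),
        "peer_address": str(ipaddress.IPv6Address(packet[18:34])),
        "enterprise": None,
        "remote_id": None,
        "interface_id": None,
        "inner_msg_type": None,
    }
    for code, value in parse_options(packet[RELAY_HEADER_LEN:]):
        if code == OPT_REMOTE_ID:
            if len(value) < 4:
                raise ValueError("Remote-ID option lacks an enterprise number")
            info["enterprise"] = struct.unpack("!I", value[:4])[0]
            info["remote_id"] = value[4:]
        elif code == OPT_INTERFACE_ID:
            info["interface_id"] = value
        elif code == OPT_RELAY_MSG and value:
            info["inner_msg_type"] = value[0]
    return info


def build_sample():
    """Constructed Relay-forward message; all values are sample data."""
    def opt(code, value):
        return struct.pack("!HH", code, len(value)) + value

    link = ipaddress.IPv6Address("2001:db8:1234:5555::1").packed
    peer = ipaddress.IPv6Address("fe80::111:fcf1:dea5:10").packed
    solicit = b"\x01\xab\xcd\xef"  # Solicit message type plus transaction ID
    remote_id = struct.pack("!I", 32473) + b"closet3-vlan8"
    return (bytes([RELAY_FORW, 0]) + link + peer
            + opt(OPT_RELAY_MSG, solicit)
            + opt(OPT_INTERFACE_ID, b"vlan8")
            + opt(OPT_REMOTE_ID, remote_id))


if __name__ == "__main__":
    print(parse_relay_forward(build_sample()))
```
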
Commands
Syntax
show ipv6 dhcp
Parameters
None.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
This example illustrates the output of this command when DHCPv6 is enabled on the switch.
C3(su)->router# show ipv6 dhcp
DHCPv6 is enabled
Server DUID: 00:01:00:06:90:83:57:c7:00:11:88:56:5d:58
Syntax
show ipv6 dhcp vlan vlan-id [statistics]
Parameters
vlan vlan-id
Specifies the ID of the routing interface for which to display DHCPv6
information.
statistics
(Optional) Specifies that DHCPv6 statistics for the specified interface
should be displayed.
Defaults
If statistics is not specified, configuration information about the interface is displayed.
Mode
Router privileged execution: C3(su)->router#
Usage
When you display DHCPv6 configuration information, the information displayed is different
depending on whether the interface has been configured as a DHCPv6 server or relay agent.
Examples
This example displays DHCPv6 configuration information about VLAN 80, which was configured
as a DHCPv6 server. The output fields are described in Table 19-1 on page 19-14.
C3(su)->router# show ipv6 dhcp interface vlan 80
IPv6 Interface                  Vlan 80
Mode                            Server
Pool Name                       newpool
Server Preference               5
Option Flags                    Rapid Commit
This example displays DHCPv6 configuration information about VLAN 10, which was configured
as a relay agent. The output fields are described in Table 19-1 on page 19-14.
C3(su)->router# show ipv6 dhcp interface vlan 10
IPv6 Interface                  Vlan 10
Mode                            Relay
Relay Address                   5006:4567::100:1
Relay Interface Number
Relay Remote ID
Option Flags
Table 19-1
Output...                       What it displays...
IPv6 Interface
Mode
Pool Name
Server Preference
Option Flags
Relay Address
Relay Remote ID
Option Flags
This example displays the DHCPv6 statistics for VLAN 80. The output fields are described in
Table 19-2 on page 19-16.
C3(su)->router# show ipv6 dhcp interface vlan 80 statistics
DHCPv6 Interface Vlan 80 Statistics
-----------------------------------
DHCPv6 Solicit Packets Received               0
DHCPv6 Request Packets Received               0
DHCPv6 Confirm Packets Received               0
DHCPv6 Renew Packets Received                 0
DHCPv6 Rebind Packets Received                0
DHCPv6 Release Packets Received               0
DHCPv6 Decline Packets Received               0
DHCPv6 Inform Packets Received                0
DHCPv6 Relay-forward Packets Received         0
DHCPv6 Relay-reply Packets Received           0
DHCPv6 Malformed Packets Received             0
Received DHCPv6 Packets Discarded             0
Total DHCPv6 Packets Received                 0
DHCPv6 Advertisement Packets Transmitted      0
DHCPv6 Reply Packets Transmitted              0
DHCPv6 Reconfig Packets Transmitted           0
DHCPv6 Relay-reply Packets Transmitted        0
DHCPv6 Relay-forward Packets Transmitted      0
Total DHCPv6 Packets Transmitted              0
Syntax
show ipv6 dhcp statistics
Parameters
None.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
This example displays the output of this command. Table 19-2 on page 19-16 describes the output
fields.
C3(su)->router# show ipv6 dhcp statistics
DHCPv6 Interface Global Statistics
-----------------------------------
DHCPv6 Solicit Packets Received               0
DHCPv6 Request Packets Received               0
DHCPv6 Confirm Packets Received               0
DHCPv6 Renew Packets Received                 0
DHCPv6 Rebind Packets Received                0
DHCPv6 Release Packets Received               0
DHCPv6 Decline Packets Received               0
DHCPv6 Inform Packets Received                0
DHCPv6 Relay-forward Packets Received         0
DHCPv6 Relay-reply Packets Received           0
DHCPv6 Malformed Packets Received             0
Received DHCPv6 Packets Discarded             0
Total DHCPv6 Packets Received                 0
DHCPv6 Advertisement Packets Transmitted      0
DHCPv6 Reply Packets Transmitted              0
DHCPv6 Reconfig Packets Transmitted           0
DHCPv6 Relay-reply Packets Transmitted        0
DHCPv6 Relay-forward Packets Transmitted      0
Total DHCPv6 Packets Transmitted              0
Table 19-2
Output...                       What it displays...
Syntax
clear ipv6 dhcp statistics [vlan vlan-id]
Parameters
vlan vlan-id
(Optional) Specifies the interface for which to clear DHCPv6 statistics.
Defaults
If no interface is specified, IPv6 DHCP statistics for all interfaces are cleared.
Mode
Router privileged execution: C3(su)->router#
Example
This example clears DHCPv6 statistics for VLAN 80.
C3(su)->router# clear ipv6 dhcp statistics vlan 80
Syntax
show ipv6 dhcp pool pool-name
Parameters
pool-name
The name of the configured address pool for which to display
information.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Usage
The information displayed by this command differs, depending on the configuration parameters
of the pool.
Examples
This example displays the output for PoolA that was not configured for prefix delegation.
C3(su)->router# show ipv6 dhcp pool PoolA
DHCPv6 Pool: PoolA
DNS Server: 2001:db8:1234:5678::A
Domain Name: enterasys.com
This example displays the output for PoolB that was configured for prefix delegation.
C3(su)->router# show ipv6 dhcp pool PoolB
DHCPv6 Pool: PoolB
Client DUID: 00:02:00:00:00:11:0A:C0:89:D3:03:00:09:AA
Host:
Prefix/Prefix Length: 2001:db8:10::/48
Preferred Lifetime: 2592000
Valid Lifetime: 604800
DNS Server:
Domain Name:
Syntax
show ipv6 dhcp binding [ipv6-addr]
Parameters
ipv6-addr
(Optional) Specifies the IPv6 address of the DHCP prefix delegation
client for which to display binding information.
Defaults
If no IPv6 address is specified, all bindings are displayed.
Mode
Router privileged execution: C3(su)->router#
Example
This example displays all bindings for the client with the IPv6 address FE80::111:FCF1:DEA5:10.
C3(su)->router# show ipv6 dhcp binding FE80::111:FCF1:DEA5:10
DHCP Client Address: FE80::111:FCF1:DEA5:10
DUID: 000300010002FCA5DC1C
IA ID: 0x00040001, T1 0, T2 0
Prefix/Prefix Length: 3FFE:C00:C18:11::/68
Prefix Type: IPPD
Expiration: 12320 seconds
Valid Lifetime: 12345
Preferred Lifetime: 180
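The following is an added example, not part of the original guide. It decodes the three DUIDs printed in the show command outputs above (Server DUID, Client DUID, and the binding DUID) using the DUID layouts defined in RFC 3315, which is useful when matching a binding to a hardware address during inventory or incident review. The function and field names are this example's own.

```python
import struct

DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL"}

# DUID strings exactly as they appear in the example outputs of this chapter.
PAGE_DUIDS = {
    "server": "00:01:00:06:90:83:57:c7:00:11:88:56:5d:58",
    "pool_client": "00:02:00:00:00:11:0A:C0:89:D3:03:00:09:AA",
    "binding": "000300010002FCA5DC1C",
}


def _mac(raw):
    """Format a link-layer address as colon-separated lowercase hex."""
    return ":".join("%02x" % b for b in raw)


def parse_duid(text):
    """Decode a DUID printed with or without ':' separators."""
    raw = bytes.fromhex(text.replace(":", ""))  # ValueError on bad hex
    if len(raw) < 2:
        raise ValueError("DUID too short to hold a type field")
    duid_type = struct.unpack("!H", raw[:2])[0]
    body = raw[2:]
    out = {"type": DUID_TYPES.get(duid_type, "unknown(%d)" % duid_type)}
    if duid_type == 1:      # hardware type, time, link-layer address
        if len(body) < 6:
            raise ValueError("DUID-LLT too short")
        out["hw_type"], out["time"] = struct.unpack("!HI", body[:6])
        out["link_layer"] = _mac(body[6:])
    elif duid_type == 2:    # enterprise number, vendor-assigned identifier
        if len(body) < 4:
            raise ValueError("DUID-EN too short")
        out["enterprise"] = struct.unpack("!I", body[:4])[0]
        out["identifier"] = body[4:].hex()
    elif duid_type == 3:    # hardware type, link-layer address
        if len(body) < 2:
            raise ValueError("DUID-LL too short")
        out["hw_type"] = struct.unpack("!H", body[:2])[0]
        out["link_layer"] = _mac(body[2:])
    else:
        out["opaque"] = body.hex()
    return out


def decode_page_duids():
    """Decode every DUID listed in PAGE_DUIDS."""
    return {name: parse_duid(value) for name, value in PAGE_DUIDS.items()}


if __name__ == "__main__":
    for name, fields in decode_page_duids().items():
        print(name, fields)
```
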
20
OSPFv3 Configuration
* IPv6 Routing License Required *
IPv6 routing must be enabled with a license key in order to use this feature. If you have purchased an IPv6
routing license key, and have enabled routing on the device, you must activate your license as described in
Activating Licensed Features on page 3-29 in order to enable the OSPFv3 protocol configuration command
set. If you wish to purchase an IPv6 routing license, contact Enterasys Networks Sales.
The commands in this chapter perform configuration of the OSPFv3 routing protocol on the
SecureStack C3. For information about general IPv6 configuration, refer to Chapter 18, IPv6
Configuration. For information about managing IPv6 host functionality at the switch level, refer
to Chapter 17, IPv6 Management.
Overview
OSPFv3 is the Open Shortest Path First routing protocol for IPv6. It is similar to OSPFv2 in its
concept of a link state database, intra/inter area and AS external routes, and virtual links. OSPFv3
also differs from OSPFv2 in a number of respects:
Peering is done via link-local addresses.
The protocol is link rather than network centric.
Addressing semantics have been moved to leaf LSAs, which eventually will allow its use for
both IPv4 and IPv6.
Two new LSAs have been introduced: the link LSA and the intra-area LSA.
Point-to-point links are supported in order to enable operation over tunnels. OSPFv3 views
IPv6-over-IPv4 tunnels as a point-to-point interface with a link-local address and, possibly, a global
unicast address. OSPFv3 uses the reported MTU for tunnel interfaces.
OSPFv3 supports ECMP routes. OSPFv3 includes NSSA and AS-external-LSA overflow limit
support. RFC 1583 compatibility does not apply to OSPFv3. OSPFv3 authentication uses the IPv6
stack IPSEC mechanisms. Because the initial release of IPv6 on the SecureStack C3 will provide no
IPSEC, OSPFv3 supports no authentication mechanisms. OSPFv3 does not support MOSPF.
LSA formats are changed, and the type 3 and 4 summary LSAs are renamed inter-area-prefix
and inter-area-router LSAs. Also note that OSPFv3 LSA identifiers contain no addressing
semantics. LSA scope is generalized to link, area, and AS scope. OSPFv3 specifies the processing
of unsupported LSAs. Unsupported LSAs are maintained in the database and flooded according
to scope. In OSPFv3, routers with 100 or more interfaces generate more than one router LSA. A
new link LSA has been created. Addresses in LSAs are specified as [prefix, prefix length].
Area ID and Router ID remain 32-bit identifiers. OSPFv3 identifies neighbors by router ID instead
of the interface address used in OSPFv2.
Note that both OSPFv3 and OSPFv2 can be enabled and run on the SecureStack C3.
Default Conditions
The following table lists the default OSPFv3 conditions.
Condition
Default Value
IPv6 OSPF
Disabled
10
40 seconds
10 seconds
Enabled
Broadcast
Enabled
40
10
Default-information originate
Metric unspecified
Type 2
Distance OSPF
Intra 8
Inter 10
Type-1 13
Type-2 50
Enabled
Exit-overflow-interval
External-lsdb-limit
-1
Maximum-paths
Redistribute
Metric unspecified
Type 2
Tag 0
Trapflags
Enabled
Command
ipv6 router id
This command configures a 32-bit integer, entered in 32-bit dotted-quad notation, used to
uniquely identify this OSPFv3 router.
Syntax
ipv6 router id ip-address
Parameters
ip-address
Specifies the ID of the OSPFv3 router, in 32-bit dotted-quad notation.
Defaults
None.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
Use this command to configure the OSPFv3 router ID.
Example
This example illustrates configuring the OSPFv3 router ID as 2.2.2.2.
C3(su)->router(Config)# ipv6 router id 2.2.2.2
Syntax
ipv6 router ospf
Parameters
None.
Defaults
None.
Mode
Router global configuration: C3(su)->router(Config)#
Usage
Use this command to enter OSPFv3 configuration mode so you can configure global OSPFv3
parameters.
Example
This example illustrates entering router OSPFv3 configuration mode.
C3(su)->router(Config)# ipv6 router ospf
C3(su)->router(Config-router)#
default-information originate
This command is used to control the advertisement of default routes.
Syntax
default-information originate [always] [metric value] [metric-type type]
no default-information originate [metric] [metric-type]
Parameters
always
(Optional) Always advertise the default route information.
metric value
(Optional) Specifies the metric of the default route. The metric value can
range from 0 to 16777214.
metric-type type
(Optional) Specifies the metric type of the default route. The metric type
can be 1, which specifies type 1 external route, or 2, which specifies type
2 external route.
Defaults
A default external route is not generated.
The default metric is unspecified.
The default type is type 2.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use this command to generate a default external route into an OSPFv3 routing domain. Use the no
form of this command to stop the generation of a default external route.
Example
This example specifies a metric of 100 for the default route redistributed into the OSPFv3 routing
domain, and an external metric type of 1.
C3(su)->router(Config-router)# default-information originate metric 100
metric-type 1
default-metric
This command sets a default metric for routes redistributed from another protocol into OSPFv3.
Syntax
default-metric metric
no default-metric
Parameters
metric
The value of metric can range from 1 to 16777214.
Defaults
No default metric is configured.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use this command to cause the same metric value to be used for all redistributed routes.
Use the no form of this command to remove a configured default metric.
Example
This example configures a metric of 100 to be used for all redistributed routes.
C3(su)->router(Config-router)# default-metric 100
distance ospf
This command sets the route preference value of OSPFv3.
Syntax
distance ospf {intra | inter | type1 | type2} preference
no distance ospf {intra | inter | type1 | type2}
Parameters
intra
Specifies the preference for intra-area routes (all routes within an area).
inter
Specifies the preference for inter-area routes (all routes between areas).
type1
Specifies the preference for Type 1 external routes (routes learned by
redistribution from other routing domains).
type2
Specifies the preference for Type 2 external routes (routes learned by
redistribution from other routing domains).
preference
The preference range is from 1 to 255.
Defaults
The default preference values are:
Intra-area = 8
Inter-area = 10
Type 1 = 13
Type 2 = 50
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Lower route preference values are preferred when determining the best route. The OSPFv3
specification (RFC 2328) requires that preferences must be given to the routes learned via OSPFv3
in the following order: intra-area < inter-area < Type 1 < Type 2.
A route with a preference of 255 cannot be used to forward traffic.
Use the no form of this command to reset the preference values back to the defaults.
Example
The following example sets the intra-area preference to 5.
C3(su)->router(Config-router)# distance ospf intra 5
exit-overflow-interval
This command configures the exit overflow interval for OSPFv3.
Syntax
exit-overflow-interval seconds
no exit-overflow-interval
Parameters
seconds
The range for seconds is from 0 to 2147483647.
Defaults
The default interval value is 0.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
The exit overflow interval is the number of seconds after entering Overflow State that a router will
wait before attempting to leave the Overflow State. This allows the router to again originate
non-default AS-external-LSAs. When set to 0, the router will not leave Overflow State until
restarted.
The no form of this command resets the interval to the default of 0.
Example
This example sets the exit overflow interval to 10 seconds.
C3(su)->router(Config-router)# exit-overflow-interval 10
external-lsdb-limit
This command configures the external LSDB limit for OSPFv3.
Syntax
external-lsdb-limit limit
no external-lsdb-limit
Parameters
limit
The range for limit is from -1 to 2147483647. A value of -1 means that
there is no limit.
Defaults
The default value is -1.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
When the number of non-default AS-external-LSAs in a router's link-state database reaches the
external LSDB limit, the router enters overflow state. The router never holds more than the
external LSDB limit non-default AS-external-LSAs in its database. The external LSDB limit MUST
be set identically in all routers attached to the OSPFv3 backbone and/or any regular OSPFv3 area.
The no form of this command resets the limit to the default value of -1, meaning no limit.
Example
This example sets the external LSDB limit to 1000.
C3(su)->router(Config-router)# external-lsdb-limit 1000
maximum-paths
This command sets the number of paths that OSPFv3 can report for a given destination.
Syntax
maximum-paths maxpaths
no maximum-paths
Parameters
maxpaths
The range for maxpaths is from 1 to 4.
Defaults
The default value is 4.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use the no form of this command to reset the maximum number of paths to the default value of 4.
Example
This example sets the maximum number of paths for a given destination to 3.
C3(su)->router(Config-router)# maximum-paths 3
redistribute
This command configures the OSPFv3 protocol to allow redistribution of routes from the specified
source protocol/routers.
Syntax
redistribute {connected | static} [metric value] [metric-type type] [tag tag]
no redistribute {connected | static} [metric] [metric-type] [tag]
Parameters
connected | static
Specifies the source protocol to redistribute.
metric value
(Optional) Specifies the route redistribution metric. The metric value can
range from 0 to 16777214.
metric-type type
(Optional) Specifies the route redistribution metric type. The metric type
can be 1, which specifies type 1 external route, or 2, which specifies type
2 external route.
tag tag
(Optional) Specifies a route redistribution tag. The value of tag can
range from 0 to 4294967295.
Defaults
The default values are:
Metric = unspecified
Metric type = Type 2
Tag = 0
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
The no form of this command configures the OSPFv3 protocol to prohibit redistribution of routes
from the specified source protocol/routers.
Example
This example configures route redistribution of static routes and applies a metric of 10.
C3(su)->router(Config-router)# redistribute static metric 10
Commands
area default-cost
This command configures the default cost for the summary default route generated by the area
border router into the stub or NSSA area.
Syntax
area areaid default-cost cost
no area areaid default-cost
Parameters
areaid
Enter the area ID in IP address format (dotted-quad) or as a decimal
value.
cost
The range of cost is between 1 and 16777215.
Defaults
None.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use this command to set the cost value for the default route that is sent into a stub area or NSSA
by an Area Border Router (ABR). The no form of this command removes the cost value from the
summary route that is sent into the stub area.
Example
This example sets the default route cost to 50 for area 20.
C3(su)->router(Config-router)# area 20 default-cost 50
area nssa
This command configures the specified area to function as a not-so-stubby area (NSSA).
Syntax
area areaid nssa
no area areaid nssa
Parameters
areaid
Enter the area ID in IP address format (dotted-quad) or as a decimal
value.
Defaults
None.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
An NSSA allows some external routes represented by external Link State Advertisements (LSAs)
to be imported into it. This is in contrast to a stub area that does not allow any external routes.
External routes that are not imported into an NSSA can be represented by means of a default
route. This configuration is used when an OSPFv3 internetwork is connected to multiple non-OSPF
routing domains.
The no form of this command changes the NSSA back to a plain area.
Example
This example shows how to configure area 20 as an NSSA.
C3(su)->router(Config-router)# area 20 nssa
Syntax
area areaid nssa default-info-originate [metric] [comparable | non-comparable]
no area areaid nssa default-info-originate
Parameters
areaid
Enter the area ID in IP address format (dotted-quad) or as a decimal
value.
metric
(Optional) Specifies the metric of the default route, in the range of 1 to
16777214.
comparable | non-comparable
(Optional) Specifies the metric type:
comparable: nssa-external 1
non-comparable: nssa-external 2
Defaults
Default metric value is 10.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use this command to allow a default route to be advertised within the area. This option should be
configured only on area border routers (ABRs).
Use the no form of this command to prevent a default route from being advertised within the area.
Example
This example configures NSSA area 20 to advertise a default route.
C3(su)->router(Config-router)# area 20 nssa default-info-originate
Syntax
area areaid no-redistribute
no area areaid no-redistribute
Parameters
areaid
Enter the area ID in IP address format (dotted-quad) or as a decimal
value.
Defaults
None.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use this command to prevent redistribution of learned external routes to the NSSA by this area
border router (ABR). Use the no form of this command to enable redistribution of learned external
routes to the NSSA.
Example
This example configures the router to not redistribute learned external routes into NSSA 20.
C3(su)->router(Config-router)# area 20 no-redistribute
Syntax
area areaid nssa no-summary
no area areaid nssa no-summary
Parameters
areaid
Enter the area ID in IP address format (dotted-quad) or as a decimal
value.
Defaults
None.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use this command to prevent the advertising of summary routes into the specified NSSA by this
router. Use the no form of this command to enable advertising of summary routes into the NSSA.
Example
This example configures the router to not advertise summary routes into NSSA 20.
C3(su)->router(Config-router)# area 20 nssa no-summary
Syntax
area areaid nssa translator-role {always | candidate}
no area areaid nssa translator-role
Parameters
areaid
Enter the area ID in IP address format (dotted-quad) or as a decimal
value.
always
Specifies that the router will always assume the role of the translator the
instant it becomes a border router.
candidate
Specifies that the router will participate in the translator election
process when it becomes a border router.
Defaults
By default, the translator role is disabled.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
The NSSA Translator Role specifies whether or not an NSSA router will unconditionally translate
Type 7 LSAs to Type 5 LSAs when acting as an NSSA border router.
When the always parameter is specified with this command, the router will always translate Type
7 LSAs, regardless of the translator state of other NSSA border routers. When the candidate
parameter is specified, the NSSA router will participate in the translator election process
described in RFC 3101, The OSPF Not-So-Stubby Area (NSSA) Option.
Use the no form of this command to return the configured translator role to the default of
disabled.
Example
This example configures the router to always assume the translator role when it becomes an area
border router for NSSA 20.
C3(su)->router(Config-router)# area 20 nssa translator-role always
Syntax
area areaid translator-stab-intv interval
no area areaid translator-stab-intv
Parameters
areaid
Enter the area ID in IP address format (dotted-quad) or as a decimal
value.
interval
Specifies the stability interval in seconds. The value of interval can range
from 0 to 3600 seconds.
Defaults
The default interval is 40 seconds.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
The stability interval is the period of time that an elected translator continues to perform its duties
after it determines that its translator status has been deposed by another router.
Example
This example sets the translator stability interval to 60 seconds for NSSA 20.
C3(su)->router(Config-router)# area 20 nssa translator-stab-intv 60
area range
This command creates an address range for the specified NSSA.
Syntax
area areaid range ipv6-prefix/prefix-length {summarylink | nssaexternallink}
[advertise | not-advertise]
no area areaid range ipv6-prefix/prefix-length
Parameters
areaid
Enter the area ID in IP address format (dotted-quad) or as a decimal
value.
ipv6-prefix/prefix-length
The IPv6 prefix and the length of the IPv6 prefix for the address range.
The prefix must be specified in hexadecimal using 16-bit values between
colons.
The value of prefix-length is a decimal number indicating the number of
high-order contiguous bits that comprise the prefix.
summarylink
Specifies that route summarization should be based on summary LSAs.
nssaexternallink
Specifies that route summarization should be based on external LSAs
Type 7.
advertise | not-advertise
(Optional) Specifies whether or not the routes should be advertised. If
neither parameter is specified, the default is advertise.
Defaults
Area address ranges are not configured by default.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Address ranges control the advertisement of routes across area boundaries. Routing information
is summarized, or aggregated, at area boundaries. External to the area, at most a single route is
advertised (via an inter-area-prefix-LSA) for each address range. A route is advertised if and only
if the address range's status is set to advertise. The default condition is to advertise.
For ABRs configured for NSSA, route summarization/aggregation can be implemented based on
LSA type, either summary LSAs (specified with the summarylink parameter), or NSSA external
LSAs Type 7 (specified with the nssaexternallink parameter).
You can configure multiple address ranges with this command.
Use the no form of this command to remove a configured address range.
Example
This example configures an address range to be consolidated and advertised based on summary
LSAs.
C3(su)->router(Config-router)# area 20 range 3FFe:501::/32 summarylink
area stub
This command creates a stub area for the specified area ID.
Syntax
area areaid stub
no area areaid stub
Parameters
areaid
Enter the area ID in IP address format (dotted-quad) or as a decimal
value.
Defaults
None.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
A stub area is characterized by the fact that AS External LSAs are not propagated into the area.
Removing AS External LSAs and summary LSAs can significantly reduce the link state database of
routers within the stub area.
Use the no form of the command to delete a stub area.
Example
This example creates a stub area with the ID of 30.
C3(su)->router(Config-router)# area 30 stub
Syntax
area areaid stub no-summary
no area areaid stub no-summary
Parameters
areaid
Enter the area ID in IP address format (dotted-quad) or as a decimal
value.
Defaults
None.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use the no form of this command to set the summary LSA import mode to the default for the
specified stub area.
Example
The example disables the import of summary LSAs into stub area 30.
C3(su)->router(Config-router)# area 30 stub no-summary
area virtual-link
This command creates the OSPFv3 virtual interface for the specified area and neighbor.
Syntax
area areaid virtual-link neighborid
no area areaid virtual-link neighborid
Parameters
areaid
Enter the area ID in IP address format (dotted-quad) or as a decimal
value.
neighborid
Specify the virtual link neighbor by means of its router ID. The router
ID must be entered in 32-bit dotted-quad notation.
Defaults
None.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
The virtual link neighbor is identified by its router ID. Use the no form of this command to delete
the configured OSPFv3 virtual interface identified by area and neighbor.
Example
This example creates a virtual interface for area 20 and the neighbor with router ID 2.2.2.2.
C3(su)->router(Config-router)# area 20 virtual-link 2.2.2.2
Syntax
area areaid virtual-link neighborid dead-interval seconds
no area areaid virtual-link neighborid dead-interval
Parameters
areaid
Enter the area ID in IP address format (dotted-quad) or as a decimal
value.
neighborid
Specify the virtual link neighbor by means of its router ID. The router
ID must be entered in 32-bit dotted-quad notation.
seconds
The value of the dead interval in seconds. The range is from 1 to 65535
seconds.
Defaults
The default dead interval is 40 seconds.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use the no form of this command to return a configured value to the default of 40 seconds.
Example
This example configures a dead interval of 60 seconds for the specified virtual interface.
C3(su)->router(Config-router)# area 20 virtual-link 2.2.2.2 dead-interval 60
Syntax
area areaid virtual-link neighborid hello-interval seconds
no area areaid virtual-link neighborid hello-interval
Parameters
areaid
Enter the area ID in IP address format (dotted-quad) or as a decimal
value.
neighborid
Specify the virtual link neighbor by means of its router ID. The router
ID must be entered in 32-bit dotted-quad notation.
seconds
The value of the hello interval in seconds. The range is from 1 to 65535
seconds.
Defaults
The default hello interval is 10 seconds.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use the no form of this command to return a configured value to the default value of 10 seconds.
Example
This example configures a hello interval of 30 seconds for the specified OSPFv3 virtual interface.
C3(su)->router(Config-router)# area 20 virtual-link 2.2.2.2 hello-interval 30
Syntax
area areaid virtual-link neighborid retransmit-interval seconds
no area areaid virtual-link neighborid retransmit-interval
Parameters
areaid
Enter the area ID in IP address format (dotted-quad) or as a decimal
value.
neighborid
Specify the virtual link neighbor by means of its router ID. The router
ID must be entered in 32-bit dotted-quad notation.
seconds
The value of the retransmit interval in seconds. The range is from 1 to
3600 seconds.
Defaults
The default retransmit interval is 5 seconds.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use the no form of this command to return a configured value to the default value of 5 seconds.
Example
This example sets the retransmit interval to 10 seconds for the specified OSPFv3 virtual interface.
C3(su)->router(Config-router)# area 20 virtual-link 2.2.2.2 retransmit-interval
10
Syntax
area areaid virtual-link neighborid transmit-delay seconds
no area areaid virtual-link neighborid transmit-delay
Parameters
areaid
Enter the area ID in IP address format (dotted-quad) or as a decimal
value.
neighborid
Specify the virtual link neighbor by means of its router ID. The router
ID must be entered in 32-bit dotted-quad notation.
seconds
The value of the transmit delay in seconds. The range is from 1 to 3600
seconds.
Defaults
The default transmit delay is 1 second.
Mode
Router OSPFv3 configuration: C3(su)->router(Config-router)#
Usage
Use the no form of this command to reset the transmit delay to the default of 1 second.
Example
This example sets the transmit delay to 2 seconds for the specified OSPFv3 virtual interface.
C3(su)->router(Config-router)# area 20 virtual-link 2.2.2.2 transmit-delay 2
Commands
Syntax
ipv6 ospf enable
no ipv6 ospf enable
Parameters
None.
Defaults
OSPFv3 is disabled by default.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
Use this command to enable OSPFv3 on a router VLAN interface or on a loopback interface. Use
the no form of this command to disable OSPFv3 on an interface.
Note: In order for OSPFv3 to run on an interface, IPv6 must be explicitly enabled on the interface
using the ipv6 enable command.
Example
This example enters router interface configuration mode for VLAN 7 and then enables OSPFv3 on
the interface.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(config-if(Vlan 7))# ipv6 ospf enable
Syntax
ipv6 ospf areaid areaid
no ipv6 ospf areaid areaid
Parameters
areaid
Specify the area ID in either 32-bit dotted-quad format or as a decimal
number between 0 and 4294967295.
Defaults
None.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
The area ID uniquely identifies the area to which the interface connects. Assigning an area ID
which does not exist on an interface causes the area to be created with default values.
Use the no form of this command to remove an area from the interface.
Examples
This example assigns VLAN 7 to area 20, expressed in dotted-quad format.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(config-if(Vlan 7))# ipv6 ospf areaid 0.0.0.20
This example assigns VLAN 7 to area 20, expressed as a decimal number.
C3(su)->router(config-if(Vlan 7))# ipv6 ospf areaid 20
20-23
Syntax
ipv6 ospf cost cost
no ipv6 ospf cost cost
Parameters
cost
Specify the cost of sending a packet on this interface. The value can
range from 1 to 65535.
Defaults
The default cost is 10.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
Use this command to explicitly specify the cost of sending a packet on the interface being
configured for OSPFv3. Use the no form of this command to return the cost to the default value of
10.
Example
This example configures the cost for router interface VLAN 7 to 100.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(config-if(Vlan 7))# ipv6 ospf cost 100
Syntax
ipv6 ospf dead-interval seconds
no ipv6 ospf dead-interval seconds
Parameters
seconds
Specify the OSPFv3 dead interval in seconds. The value can range from
1 to 2147483647 seconds.
Defaults
The default dead interval value is 40 seconds.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
The OSPFv3 dead interval is the length of time in seconds that a router's Hello packets have not
been seen before its neighbor routers declare that the router is down. The value for the dead
interval must be the same for all routers attached to a common network, and should be some
multiple of the hello interval.
Use the no form of this command to return the dead interval to the default value of 40 seconds.
Example
This example sets the dead interval for router interface VLAN 7 to 60 seconds.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(config-if(Vlan 7))# ipv6 ospf dead-interval 60
Syntax
ipv6 ospf hello-interval seconds
no ipv6 ospf hello-interval seconds
Parameters
seconds
Specify the OSPFv3 hello interval in seconds. The value can range from
1 to 65535 seconds.
Defaults
The default hello interval is 10 seconds.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
Use this command to specify the interval between hello packets that OSPFv3 sends on the
interface being configured. The shorter the hello interval, the faster topological changes will be
detected, but more routing traffic will ensue. The hello interval must be the same for all routers
attached to a common network.
Use the no form of this command to return the hello interval to the default value of 10 seconds.
Example
This example sets the hello interval for router interface VLAN 7 to 20 seconds.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(config-if(Vlan 7))# ipv6 ospf hello-interval 20
Syntax
ipv6 ospf mtu-ignore
no ipv6 ospf mtu-ignore
Parameters
None.
Defaults
By default, MTU mismatch detection is enabled.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
OSPF Database Description packets specify the size of the largest IP packet that can be sent
without fragmentation on the interface. When a router receives a Database Description packet, it
examines the MTU advertised by the neighbor. By default, if the MTU is larger than the router can
accept, the Database Description packet is rejected and the OSPF adjacency is not established.
Use this command to prevent the OSPFv3 router process from checking whether neighbors are
using the same maximum transmission unit (MTU) on a common interface when exchanging
Database Description packets.
Use the no form of this command to enable MTU mismatch detection.
Example
This example disables MTU mismatch detection on router interface VLAN 7.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(config-if(Vlan 7))# ipv6 ospf mtu-ignore
Syntax
ipv6 ospf network {broadcast | point-to-point}
no ipv6 ospf network {broadcast | point-to-point}
Parameters
broadcast
Sets the network type to broadcast.
point-to-point
Sets the network type to point-to-point.
Defaults
Default network type is broadcast.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
Normally, the network type is determined from the physical IP network type. By default, all
Ethernet networks are OSPFv3 type broadcast. Similarly, tunnel interfaces default to
point-to-point. When an Ethernet port is used as a single large bandwidth IP network between two
routers, the network type can be point-to-point since there are only two routers. Using
point-to-point as the network type eliminates the overhead of the OSPFv3 designated router
election. It is normally not useful to set a tunnel to OSPFv3 network type broadcast.
Use the no form of this command to set the network type to the default.
Example
This example sets the network type to point-to-point for router interface VLAN 7.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(config-if(Vlan 7))# ipv6 ospf network point-to-point
Syntax
ipv6 ospf priority priority
no ipv6 ospf priority
Parameters
priority
Priority value can range from 0 to 255.
Defaults
Default priority value is 1.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
When two routers on the same network attempt to become the designated router, the one with the
higher router priority takes precedence. If there is a tie, the router with the higher router ID takes
precedence. A router with a router priority set to zero is ineligible to become the designated router
or backup designated router.
Use the no form of this command to return priority value to the default of 1.
Example
This example sets the priority for router interface VLAN 7 to 5.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(config-if(Vlan 7))# ipv6 ospf priority 5
Syntax
ipv6 ospf retransmit-interval seconds
no ipv6 ospf retransmit-interval
Parameters
seconds
Set the retransmit interval value, which can range from 0 to 3600
seconds.
Defaults
Default value is 4 seconds.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
The retransmit interval is the number of seconds between link state advertisement
retransmissions for adjacencies belonging to this router interface. This value is also used when
retransmitting database description and link state request packets.
Use the no form of this command to reset the retransmit interval to the default value of 4 seconds.
Example
This example sets the retransmit interval to 10 seconds for router interface VLAN 7.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(config-if(Vlan 7))# ipv6 ospf retransmit-interval 10
Syntax
ipv6 ospf transmit-delay seconds
no ipv6 ospf transmit-delay
Parameters
seconds
Set the transmit delay, which can range from 1 to 3600 seconds.
Defaults
Default value is 1 second.
Mode
Router interface configuration: C3(su)->router(config-if(Vlan 1))#
Usage
The transmit delay, specified in seconds, sets the estimated number of seconds it takes to transmit
a link state update packet over this interface.
Use the no form of this command to return the transmit delay to the default value of 1 second.
Example
This example sets the transmit delay value to 4 seconds for router interface VLAN 7.
C3(su)->router(Config)# interface vlan 7
C3(su)->router(config-if(Vlan 7))# ipv6 ospf transmit-delay 4
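The ranges, defaults and consistency rules stated for the interface commands above can be checked before a change is applied. The following Python lint is an added example, not Enterasys code; the router names, sample configurations and function names are constructed, and it assumes that routers sharing a VLAN ID are attached to a common network.

```python
import re
from collections import defaultdict

# (min, max, default) per parameter, taken from the command descriptions above.
RANGES = {
    "dead-interval": (1, 2147483647, 40),
    "hello-interval": (1, 65535, 10),
    "priority": (0, 255, 1),
    "retransmit-interval": (0, 3600, 4),
    "transmit-delay": (1, 3600, 1),
}

IF_RE = re.compile(r"interface vlan (\d+)\s*$", re.I)
CMD_RE = re.compile(r"(no )?ipv6 ospf (\S+)(?: (\S+))?\s*$", re.I)


def parse_config(text):
    """Return {vlan: settings} from router-mode CLI lines, with or without prompts."""
    vlans, current = {}, None
    for raw in text.splitlines():
        # Drop a prompt such as 'C3(su)->router(config-if(Vlan 7))# '.
        line = raw.split("# ", 1)[-1].strip()
        m = IF_RE.match(line)
        if m:
            current = int(m.group(1))
            if current not in vlans:
                vlans[current] = {k: v[2] for k, v in RANGES.items()}
                vlans[current]["mtu-ignore"] = False  # detection enabled by default
            continue
        m = CMD_RE.match(line)
        if not m or current is None:
            continue
        negated, key, value = m.group(1), m.group(2).lower(), m.group(3)
        if key == "mtu-ignore":
            vlans[current]["mtu-ignore"] = not negated
        elif key in RANGES and negated:
            vlans[current][key] = RANGES[key][2]  # 'no' form restores the default
        elif key in RANGES and value and value.isdigit():
            vlans[current][key] = int(value)
    return vlans


def lint(routers):
    """routers: {name: config text}. Returns a sorted list of findings."""
    findings, per_vlan = [], defaultdict(dict)
    for name, text in routers.items():
        for vlan, cfg in parse_config(text).items():
            per_vlan[vlan][name] = cfg
            where = f"{name} vlan {vlan}"
            for key, (lo, hi, _) in RANGES.items():
                if not lo <= cfg[key] <= hi:
                    findings.append(f"{where}: {key} {cfg[key]} outside {lo}-{hi}")
            hello, dead = cfg["hello-interval"], cfg["dead-interval"]
            if hello > 0 and dead % hello:
                findings.append(f"{where}: dead-interval {dead} is not a "
                                f"multiple of hello-interval {hello}")
            if cfg["mtu-ignore"]:
                findings.append(f"{where}: MTU mismatch detection disabled")
    # Hello and dead intervals must match on all routers on a common network.
    for vlan, by_router in per_vlan.items():
        for key in ("hello-interval", "dead-interval"):
            if len({cfg[key] for cfg in by_router.values()}) > 1:
                detail = ", ".join(f"{r}={c[key]}"
                                   for r, c in sorted(by_router.items()))
                findings.append(f"vlan {vlan}: {key} differs across routers ({detail})")
    return sorted(findings)


# Constructed sample input: two routers attached to VLAN 7.
SAMPLE = {
    "rtr-a": """\
C3(su)->router(Config)# interface vlan 7
C3(su)->router(config-if(Vlan 7))# ipv6 ospf hello-interval 20
C3(su)->router(config-if(Vlan 7))# ipv6 ospf dead-interval 60
""",
    "rtr-b": """\
C3(su)->router(Config)# interface vlan 7
C3(su)->router(config-if(Vlan 7))# ipv6 ospf hello-interval 20
C3(su)->router(config-if(Vlan 7))# ipv6 ospf dead-interval 50
C3(su)->router(config-if(Vlan 7))# ipv6 ospf mtu-ignore
C3(su)->router(config-if(Vlan 7))# ipv6 ospf retransmit-interval 7200
""",
}

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```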
Commands
For information about...
show ipv6 ospf
Syntax
show ipv6 ospf
Parameters
None.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
The output fields of this example are described in Table 20-1 on page 20-31.
Note: Some of the information in Table 20-1 displays only if you enable OSPFv3 and configure
certain features.
C3(su)->router# show ipv6 ospf
Router ID                      2.2.2.2
OSPF Admin Mode                Enable
ASBR Mode                      Enable
ABR Status                     Enable
Exit Overflow Interval         0
External LSA Count             0
External LSA Checksum          0
New LSAs Originated            89
LSAs Received                  177
External LSDB Limit            No Limit
Default Metric                 Not Configured
Maximum Paths                  4
Default Route Advertise        Disabled
Always                         FALSE
Metric
Metric Type                    External Type 2
Redistributing
Source                         Connected
Metric                         Not Configured
Metric Type                    2
Tag                            0
Redistributing
Source                         static
Metric                         Not Configured
Metric Type                    2
Tag                            0
Table 20-1
Output...
What it displays...
Router ID
ASBR Mode
ABR Status
LSAs Received
Default Metric
Maximum Paths
Shows the maximum number of paths that OSPF can report for a
given destination.
Always
Metric
Shows the metric for the advertised default routes. If the metric is
not configured, this field is blank.
Metric Type
Redistributing
Source
Metric
Metric Type
Tag
Subnets
Distribute-List
Syntax
show ipv6 ospf area areaid
Parameters
areaid
Enter the area ID in IP address format (dotted quad) or as a decimal
value.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
The output fields of this example are described in Table 20-2 on page 20-33.
C3(su)->router>show ipv6 ospf area 20
AreaID                         0.0.0.20
External Routing               Import NSSAs
Spf Runs                       7
Area Border Router Count       0
Area LSA Count                 5
Area LSA Checksum              188094
Stub Mode                      Disable
OSPF NSSA Specific Information.
Import Summary LSAs            Enable
Redistribute into NSSA         Enable
Default Information Originate  TRUE
Default Metric                 100
Default Metric Type            Non-Comparable
Translator Role                Candidate
Translator Stability Interval  40
Translator State               Elected
Table 20-2
Output...
What it displays...
AreaID
External Routing
Spf Runs
Is the number of times that the intra-area route table has been
calculated using this area's link-state database.
The total number of area border routers reachable within this area.
Stub Mode
Shows the metric value of the stub area. This field displays only if
the area is configured as a stub area.
The following OSPFv3 NSSA specific information displays only if the area is configured as an NSSA.
Import Summary LSAs
Default Metric
Shows the metric value for the default route advertised into the
NSSA.
Shows the metric type for the default route advertised into the
NSSA.
Translator Role
Translator State
Syntax
show ipv6 ospf abr
Parameters
None.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
The output of this command is described in Table 20-3 on page 20-34.
C3(su)->router# show ipv6 ospf abr
Type  Router Id      Cost Area ID      Next Hop                         Intf
----- -------------- ---- ------------ -------------------------------- -------
INTRA 82.15.0.1      10   0.0.0.10     FE80::200:2DFF:FEE6:FB6B         Vlan 48
Table 20-3
Next Hop
Output...
What it displays...
Type
Router ID
Cost
Area ID
Syntax
show ipv6 ospf asbr
Parameters
None.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
The output of this command is described in Table 20-4 on page 20-35.
C3(su)->router# show ipv6 ospf asbr
Type  Router Id      Cost Area ID      Next Hop                         Intf
----- -------------- ---- ------------ -------------------------------- -------
INTER 1.11.1.1       5    0.0.0.20     FE80::100:1111:FEE6:FB7A         Vlan 35
Table 20-4
Next Hop
Output...
What it displays...
Type
Router ID
Cost
Area ID
Next Hop
Syntax
show ipv6 ospf [areaid] database [{external | inter-area {prefix | router} | link |
network | nssa-external | prefix | router | unknown {area | as | link}}]
[lsid] [{adv-router [rtrid] | self-originate}]
Parameters
areaid
(Optional) Display database information about a specific area. Enter the
area ID in IP address format (dotted quad) or as a decimal value.
external
(Optional) Display external LSAs.
inter-area
(Optional) Display inter-area LSAs.
prefix
(Optional) Display intra-area Prefix LSAs.
router
(Optional) Display router LSAs.
link
(Optional) Display link LSAs.
network
(Optional) Display network LSAs.
nssa-external
(Optional) Display NSSA external LSAs.
unknown {area | as | link}
(Optional) Display unknown area, unknown AS, or unknown link
LSAs.
lsid
(Optional) Specify the link state ID.
adv-router [rtrid]
(Optional) Display the LSAs that are restricted by the advertising router.
Optionally, specify the router by its router ID (rtrid), entered as a 32-bit
dotted quad value.
self-originate
(Optional) Display LSAs that are self-originated.
Defaults
If no parameters are entered, LSA headers for all areas are displayed.
Mode
Router privileged execution: C3(su)->router#
Usage
If you execute this command without any parameters, LSA headers for all areas are displayed. Use
the areaid parameter to display database information for a specific area. The other optional
parameters can be used to specify a particular type of link state advertisement to display.
Examples
This example displays the output when an area ID is specified. Table 20-5 on page 20-38 describes
the output fields in this display.
Adv Router      Link Id         Age   Sequence Csum Options Rtr Opt
--------------- --------------- ----- -------- ---- ------- -------
2.2.2.2         0               506   80000027 DD00
AS External States
Adv Router      Link Id         Age   Sequence Csum Options Rtr Opt
--------------- --------------- ----- -------- ---- ------- -------
2.2.2.2         1               342   8000002C 0C20
This example shows partial output of this command when no parameters are specified. Table 20-5
on page 20-38 describes the output fields in this display.
C3(su)->router>show ipv6 ospf database
router links States (Area 0.0.0.0)
Adv Router      Link Id         Age   Sequence Csum Options Rtr Opt
--------------- --------------- ----- -------- ---- ------- -------
2.2.2.2         0               1288  80000273 32A9 V6E--R- ---EB
3.3.3.3         0               1098  80000251 7D11 V6E--RD -----
Age   Sequence Csum Options Rtr Opt
----- -------- ---- ------- -------
1098  800001DA 0F95 V6E--RD
1288  80000213 DFC0 V6E--R-
This example illustrates the output of this command using the adv-router parameter.
C3(su)->router>show ipv6 ospf database external adv-router
AS External States
LS Age: 930
LS Type: AS-External-LSA
LS Id: 1
Advertising Router: 2.2.2.2
LS Seq Number: 0x80000006
Checksum: 0x3e4c
Length: 36
Options:(E-Bit)
Metric Type: 2
Metric:20
IPv6 Prefix: 2301::/64 (None)
Table 20-5
Output...
What it displays...
Link Id
Adv Router
Age
Sequence
Checksum
Options
Option bits in LSA header. Refer to section A.2 in RFC 2740 for
more information. Possible values are:
V6 indicates status of V6 bit. If this bit is clear, the router/link
should be excluded from IPv6 routing calculations.
E indicates status of E-bit. This bit describes the way AS-external-LSAs are flooded.
M indicates the status of MC-bit. This bit describes whether IP
multicast datagrams are forwarded.
N indicates the status of N-bit. This bit describes the handling of
Type-7 LSAs.
R indicates the status of R-bit. This bit (the `Router' bit)
indicates whether the originator is an active router.
D indicates the status of DC-bit. This bit describes the router's
handling of demand circuits.
Rtr Opt
Router Options are valid for router links only. Refer to section
A.4.3 in RFC 2740 for more information. Possible values are:
V indicates status of bit V. When this bit is set, the router is an
endpoint of one or more fully adjacent virtual links having the
described area as Transit area (V is for virtual link endpoint).
E indicates status of bit E. When set, the router is an AS
boundary router (E is for external).
B indicates status of bit B. When set, the router is an area
border router (B is for border).
W indicates status of bit W. When set, the router is a wild-card
multicast receiver. When running MOSPF, these routers receive
all multicast datagrams, regardless of destination.
Syntax
show ipv6 ospf database database-summary
Parameters
None.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
This example illustrates the output of this command. Table 20-6 on page 20-40 describes the
output fields of this command.
C3(su)->router#show ipv6 ospf database database-summary
OSPF Router with ID (2.2.2.2)
2
1
1
0
0
2
2
0
0
0
0
0
8
2
1
51
0
0
2
2
0
0
0
0
0
58
4
2
52
0
0
4
4
0
0
0
0
0
66
Table 20-6
Output...
What it displays...
Router
Network
Inter-area Prefix
Inter-area Router
Type-7 Ext
Link
Intra-area Prefix
Link Unknown
Area Unknown
AS Unknown
Type-5 Ext
Self-Originated Type-5
Total
Syntax
show ipv6 ospf interface {vlan vlanid | tunnel tunnelid | loopback loopid}
Parameters
vlan vlanid
Specifies the VLAN interface to display information about.
tunnel tunnelid
Specifies the tunnel interface to display information about.
loopback loopid
Specifies the loopback interface to display information about.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Examples
This example displays information about OSPFv3 routing interface VLAN 80. Table 20-7 on
page 20-42 explains the content of the output fields.
C3(su)->router>show ipv6 ospf interface vlan 80
IPv6 Address                   FE80::211:88FF:FE56:5D8F
ifIndex                        430
OSPF Admin Mode                Enable
OSPF Area ID                   0.0.0.20
Router Priority                1
Retransmit Interval            5
Hello Interval                 10
Dead Interval                  40
LSA Ack Interval               1
Iftransit Delay Interval       1
Authentication Type            None
Metric Cost                    10 (computed)
OSPF Mtu-ignore                Disable
OSPF Interface Type            broadcast
State                          designated-router
Designated Router              2.2.2.2
Backup Designated Router       0.0.0.0
Number of Link Events          2
1
None
1 (computed)
Disable
point-to-point
point-to-point
0.0.0.0
0.0.0.0
1
Table 20-7
Output...
What it displays...
IPv6 Address
ifIndex
OSPF Area ID
Router Priority
Retransmit Interval
Hello Interval
Dead Interval
Authentication Type
Metric Cost
Shows the priority of the path. Low costs have a higher priority
than high costs.
OSPF MTU-ignore
Broadcast LANs, such as Ethernet and IEEE 802.5, take the value
broadcast. Tunnel interfaces take the value point-to-point.
State
The OSPF Interface States are: down, loopback, waiting, point-to-point, designated router, and backup designated router.
Designated Router
Syntax
show ipv6 ospf interface stats vlan vlanid
Parameters
vlan vlanid
Specifies the VLAN interface for which to display statistics.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
This example displays statistics for VLAN 80. Table 20-8 on page 20-44 describes the output fields.
C3(su)->router>show ipv6 ospf interface stats vlan 80
OSPFv3 Area ID                 0.0.0.20
Spf Runs                       7
Area Border Router Count       0
AS Border Router Count         0
Area LSA Count                 5
IPv6 Address                   FE80::211:88FF:FE56:5D8F/128
OSPF Interface Events          2
Virtual Events                 0
Neighbor Events                0
External LSA Count             1
LSAs Received                  1903
Originate New LSAs             4198
Sent Packets                   1053
Received Packets               0
Discards                       0
Bad Version                    0
Virtual Link Not Found         0
Area Mismatch                  0
Invalid Destination Address    0
No Neighbor at Source Address  0
Invalid OSPF Packet Type       0
Packet Type          Sent       Received
-------------------- ---------- ----------
Hello                1053       0
Database Description 0          0
LS Request           0          0
LS Update            0          0
LS Acknowledgement   0          0
Table 20-8
Output...
What it displays...
OSPFv3 Area ID
Spf Runs
Is the number of times that the intra-area route table has been
calculated using this area's link-state database.
The total number of area border routers reachable within this area.
IPv6 Address
Virtual Events
Neighbor Events
LSAs Received
Sent Packets
Received Packets
Discards
Bad Version
Area Mismatch
Syntax
show ipv6 ospf neighbor [interface {vlan vlanid | tunnel tunnelid}] [neighborid]
Parameters
interface
(Optional) Restricts the output display to a specific interface.
vlan vlanid
Specify the VLAN interface to display information about.
tunnel tunnelid
Specify the tunnel interface to display
neighborid
(Optional) Specify the neighbor by its router ID, specified in 32-bit
dotted quad format.
Defaults
When no parameters are specified, information about all neighbors is displayed.
Mode
Router privileged execution: C3(su)->router#
Usage
If you do not specify a neighbor router ID, the output displays summary information in a table. If
you specify an interface or tunnel, only the information for that interface or tunnel displays.
When you specify a neighbor by router ID, detailed information about the neighbor displays.
The information is displayed only if OSPFv3 is enabled and the interface has a neighbor.
Examples
This example illustrates the summary information displayed when no neighbor is specified.
Table 20-9 on page 20-45 describes the output fields.
C3(su)->router#show ipv6 ospf neighbor
                          Intf                              Dead
Router ID        Priority ID   Interface   State            Time
---------------- -------- ---- ----------- ---------------- ----
3.3.3.3          1        3    Vlan 36     Full/DR          32
6.6.6.6          1        456  Tunnel 0    Full/PtP         31
Table 20-9
Output...
What it displays...
Router ID
Priority
Intf ID
Interface
State
Dead Time
This example displays the output of this command when a neighbor is specified. Table 20-10 on
page 20-46 describes the output fields when a neighbor is specified.
C3(su)->router#show ipv6 ospf neighbor 8.8.8.8
Interface                      Vlan 45
Area Id                        0.0.0.30
Options                        0x2
Router Priority                128
Dead timer due in (secs)       33
State                          Full/DR
Events                         6
Retransmission Queue Length    0
Table 20-10
Output...
What it displays...
Interface
Area ID
Options
Router Priority
State
Events
Syntax
show ipv6 ospf range areaid
Parameters
areaid
Enter the area ID in IP address format (dotted quad) or as a decimal
value.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
This example displays range information for area 20. Table 20-11 on page 20-47 describes the
output fields.
C3(su)->router#show ipv6 ospf range 20
Area ID         IPv6 Prefix/Prefix Length Lsdb Type       Advertisement
--------------- ------------------------- --------------- -------------
0.0.0.20        3345:1234::/64            Summary Link    Enabled
Table 20-11
Output...
What it displays...
Area ID
Lsdb Type
Advertisement
Syntax
show ipv6 ospf stub table
Parameters
None.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
This example displays the OSPFv3 stub table information. Table 20-12 on page 20-48 describes the
output fields.
C3(su)->router# show ipv6 ospf stub table
AreaId           TypeofService Metric Val Import SummaryLSA
---------------- ------------- ---------- -----------------
0.0.0.20         Normal        1          Enable
Table 20-12
Output...
What it displays...
Area ID
Type of Service
Type of service associated with the stub metric. For this release,
Normal TOS is the only supported type.
Metric Val
Syntax
show ipv6 ospf virtual-link areaid neighborid
Parameters
areaid
Enter the area ID in IP address format (dotted quad) or as a decimal
value.
neighborid
Specify the neighbor by its router ID, specified in 32-bit dotted quad
format.
Defaults
None.
Mode
Router privileged execution: C3(su)->router#
Example
This information displays virtual link information for area ID 10 and the neighbor with router ID
of 3.3.3.3. Table 20-13 on page 20-49 describes the output fields.
C3(su)->router(Config)#show ipv6 ospf virtual-link 10 3.3.3.3
Area ID                        10
Neighbor IP Address            3.3.3.3
Hello Interval                 10
Dead Interval                  40
Iftransit Delay Interval       1
Retransmit Interval            5
State                          DOWN
Metric                         0
Neighbor State                 DOWN
Table 20-13
Output...
What it displays...
Area ID
Neighbor Router ID
Hello Interval
Dead Interval
Retransmit Interval
State
The OSPFv3 Interface States are: down, loopback, waiting, point-to-point, designated router, and
backup designated router. This is the state of the OSPFv3 interface.
Metric
Neighbor State
21
Security Configuration
This chapter describes the Security Configuration set of commands and how to use them.
For information about...
Configuring RADIUS
Login user accounts and passwords: used to log in to the CLI via a Telnet connection or local
COM port connection. For details, refer to "Setting User Accounts and Passwords" on
page 3-2.
Host Access Control Authentication (HACA): authenticates user access of Telnet
management, console local management and WebView via a central RADIUS Client/Server
application. When RADIUS is enabled, this essentially overrides login user accounts. When
HACA is active per a valid RADIUS configuration, the user names and passwords used to
access the switch via Telnet, SSH, WebView, and COM ports will be validated against the
configured RADIUS server. Only in the case of a RADIUS timeout will those credentials be
compared against credentials locally configured on the switch. For details, refer to
"Configuring RADIUS" on page 21-4.
SNMP user or community names: allows access to the SecureStack C3 switch via a network
SNMP management application. To access the switch, you must enter an SNMP user or
community name string. The level of management access is dependent on the associated
access policy. For details, refer to Chapter 5.
802.1X Port Based Network Access Control using EAPOL (Extensible Authentication Protocol):
provides a mechanism via a RADIUS server for administrators to securely authenticate and
grant appropriate access to end user devices communicating with SecureStack C3 ports. For
details on using CLI commands to configure 802.1X, refer to "Configuring 802.1X
Authentication" on page 21-12.
Note: To configure EAP pass-through, which allows client authentication packets to be forwarded
through the switch to an upstream device, 802.1X authentication must be globally disabled with the
set dot1x command.
MAC Authentication: provides a mechanism for administrators to securely authenticate
source MAC addresses and grant appropriate access to end user devices communicating with
SecureStack C3 ports. For details, refer to "Configuring MAC Authentication" on page 21-23.
Multiple Authentication Methods: allows users to authenticate using multiple methods of
authentication on the same port. For details, refer to "Configuring Multiple Authentication
Methods" on page 21-34.
Multi-User Authentication: On the SecureStack C3, the only type of multiple user
authentication supported is "User + IP Phone". The User + IP Phone authentication feature
supports authentication and authorization of two devices, specifically a PC cascaded with an
IP phone, on a single port on the C3. The IP phone must authenticate using MAC
authentication, but the user may authenticate by any method. This feature allows both the
user's PC and IP phone to simultaneously authenticate on a single port and each receive a
unique level of network access. For details, refer to "Configuring Multi-User Authentication
(User + IP phone)" on page 21-34.
RFC 3580 Tunnel Attributes provide a mechanism to contain an 802.1X authenticated user to a
VLAN regardless of the PVID. Refer to "Configuring VLAN Authorization (RFC 3580)" on
page 21-42.
MAC Locking: locks a port to one or more MAC addresses, preventing the use of
unauthorized devices and MAC spoofing on the port. For details, refer to "Configuring MAC
Locking" on page 21-46.
Port Web Authentication (PWA): locks down a port a user is attached to until after the user
logs in using a web browser to access the switch. The switch will pass all login information
from the end station to a RADIUS server for authentication before turning the port on. PWA is
an alternative to 802.1X and MAC authentication. For details, refer to "Configuring Port Web
Authentication (PWA)" on page 21-56.
Secure Shell (SSH): provides secure Telnet. For details, refer to "Configuring Secure Shell
(SSH)" on page 21-68.
IP Access Lists (ACLs): permits or denies access to routing interfaces based on protocol and
inbound and/or outbound IP address restrictions configured in access lists. For details, refer to
"Configuring Access Lists" on page 21-70.
returns a RADIUS Access-Accept message that includes a Filter-ID matching a policy profile name
configured on the switch, the switch then dynamically applies the policy profile to the physical
port the user/device is authenticating on.
To specify the policy profile to assign to the authenticating user (network access
authentication):
Enterasys:version=1:policy=string
where string specifies the policy profile name. Policy profile names are case-sensitive.
To specify a management level (management access authentication):
Enterasys:version=1:mgmt=level
where level indicates the management level, either ro, rw, or su.
To specify both management level and policy profile:
Enterasys:version=1:mgmt=level:policy=string
The undecorated format is simply a string that specifies a policy profile name. The undecorated
format cannot be used for management access authentication.
Decorated Filter-IDs are processed first by the switch. If no decorated Filter-IDs are found, then
undecorated Filter-IDs are processed. If multiple Filter-IDs are found that contain conflicting
values, a Syslog message is generated.
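The Filter-ID handling described above, as an added Python example (not Enterasys code) that is useful for checking what a RADIUS server's reply would grant. The function names are hypothetical and the sample strings are constructed; two behaviours are assumptions the text does not state: the Enterasys: prefix is matched case-sensitively, and a field with conflicting values is left unassigned instead of picking a winner.

```python
import re

# Decorated form from the text: Enterasys:version=1[:mgmt=level][:policy=string]
DECORATED_RE = re.compile(
    r"^Enterasys:version=1"
    r"(?::mgmt=(?P<mgmt>ro|rw|su))?"
    r"(?::policy=(?P<policy>.+))?$"
)


def parse_filter_id(value):
    """Classify one Filter-ID string.

    Returns ("decorated", mgmt, policy), ("undecorated", None, policy),
    or ("invalid", None, None) for an empty or malformed decorated string.
    """
    if not value.startswith("Enterasys:"):
        return ("undecorated", None, value) if value else ("invalid", None, None)
    m = DECORATED_RE.match(value)
    if not m or (m.group("mgmt") is None and m.group("policy") is None):
        return ("invalid", None, None)
    return ("decorated", m.group("mgmt"), m.group("policy"))


def resolve(filter_ids, realm):
    """Decide what one Access-Accept grants.

    realm is "management" or "network". Returns a dict with the chosen
    management level, policy profile name and the messages to log.
    """
    parsed = [parse_filter_id(v) for v in filter_ids]
    logs = [f"ignored malformed Filter-ID {v!r}"
            for v, p in zip(filter_ids, parsed) if p[0] == "invalid"]
    decorated = [p for p in parsed if p[0] == "decorated"]
    # Decorated values are processed first; undecorated only if none were found.
    if decorated:
        mgmt_values = {p[1] for p in decorated if p[1]}
        policy_values = {p[2] for p in decorated if p[2]}
    else:
        mgmt_values = set()  # the undecorated form cannot carry a management level
        policy_values = {p[2] for p in parsed if p[0] == "undecorated"}
    result = {"mgmt": None, "policy": None, "logs": logs}
    for field, values in (("mgmt", mgmt_values), ("policy", policy_values)):
        if len(values) > 1:
            # Assumption: fail closed on conflict; the text only says it is logged.
            logs.append(f"conflicting {field} values {sorted(values)}")
        elif values:
            result[field] = next(iter(values))
    if realm == "management" and result["mgmt"] is None:
        logs.append("no management level granted")
    return result


# Constructed sample Access-Accept contents (not captured traffic).
SAMPLES = [
    (["Enterasys:version=1:mgmt=su:policy=Engineering"], "management"),
    (["Guest"], "management"),
    (["Guest", "Enterasys:version=1:policy=Staff"], "network"),
    (["Enterasys:version=1:mgmt=ro", "Enterasys:version=1:mgmt=su"], "management"),
]

if __name__ == "__main__":
    for ids, realm in SAMPLES:
        print(realm, ids, "->", resolve(ids, realm))
```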
Configuring RADIUS
Purpose
To perform the following:
Review the RADIUS client/server configuration on the switch.
Enable or disable the RADIUS client.
Set local and remote login options.
Set primary and secondary server parameters, including IP address, timeout period,
authentication realm, and number of user login attempts allowed.
Reset RADIUS server settings to default values.
Configure a RADIUS accounting server.
Commands
The commands used to review and configure RADIUS are listed below:
For information about...
show radius
set radius
clear radius
show radius
Use this command to display the current RADIUS client/server configuration.
Syntax
show radius [status | retries | timeout | server [index | all]]
Parameters
status
(Optional) Displays the RADIUS server's enable status.
retries
(Optional) Displays the number of retry attempts before the RADIUS server
times out.
timeout
(Optional) Displays the maximum amount of time (in seconds) to establish
contact with the RADIUS server before retry attempts begin.
server
(Optional) Displays RADIUS server configuration information.
index | all
For use with the server parameter to show server configuration for all
servers or a specific RADIUS server as defined by an index.
Defaults
If no parameters are specified, all RADIUS configuration information will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display RADIUS configuration information:
C3(rw)->show radius
RADIUS status:  Enabled
RADIUS retries: 3
RADIUS timeout: 20 seconds
RADIUS Server IP Address   Auth-Port Realm-Type
------------- ------------ --------- -----------------
10            172.16.20.10 1812      management-access
Table 21-1 provides an explanation of the command output.
Table 21-1
Output
What It Displays...
RADIUS status
RADIUS retries
Number of retry attempts before the RADIUS server times out. The default value of 3
can be reset using the set radius command as described in set radius on
page 21-6.
RADIUS timeout
Maximum amount of time (in seconds) to establish contact with the RADIUS server
before retry attempts begin. The default value of 20 can be reset using the set
radius command as described in set radius on page 21-6.
RADIUS Server
Realm-Type
Realm defines who has to go through the RADIUS server for authentication.
Management-access: This means that anyone trying to access the switch (Telnet,
SSH, Local Management) has to authenticate through the RADIUS server.
Network-access: This means that all the users have to authenticate to a RADIUS
server before they are allowed access to the network.
Any-access: Means that both Management-access and Network-access have
been enabled.
set radius
Use this command to enable, disable, or configure RADIUS authentication.
Syntax
set radius {enable | disable} | {retries number-of-retries} | {timeout timeout} |
{server index ip-address port [secret-value] [realm {management-access | any |
network-access}]} | {realm {management-access | any | network-access} {index | all}}
Parameters
enable | disable
Enables or disables the RADIUS client.
retries number-of-retries
Specifies the number of retry attempts before the RADIUS server times out.
Valid values are from 1 to 10. Default is 3.
timeout timeout
Specifies the maximum amount of time (in seconds) to establish contact
with the RADIUS server before retry attempts begin. Valid values are from 1
to 30. Default is 20 seconds.
server index ip_address port
Specifies the index number, IP address and the UDP authentication port for
the RADIUS server.
secret-value
(Optional) Specifies an encryption key to be used for authentication
between the RADIUS client and server.
realm management-access | any | network-access
Realm allows you to define who has to go through the RADIUS server for
authentication.
management-access: This means that anyone trying to access the switch
(Telnet, SSH, Local Management) has to authenticate through the
RADIUS server.
network-access: This means that all the users have to authenticate to a
RADIUS server before they are allowed access to the network.
any: Means that both management-access and network-access have
been enabled.
Note: If the management-access or any access realm has been configured, the
local admin account is disabled for access to the switch using the console, Telnet,
or Local Management. Only the network-access realm allows access to the local
admin account.
index | all
Applies the realm setting to a specific server or to all servers.
Defaults
If secret-value is not specified, none will be applied.
If realm is not specified, the any-access realm will be used.
Mode
Switch command, read-write.
Usage
The SecureStack C3 device allows up to 10 RADIUS accounting servers to be configured, with up
to two servers active at any given time.
The RADIUS client can only be enabled on the switch once a RADIUS server is online, and its IP
address(es) has been configured with the same password the RADIUS client will use.
Examples
This example shows how to enable the RADIUS client for authenticating with RADIUS server 1 at
IP address 192.168.6.203, UDP authentication port 1812, and an authentication password of
"pwsecret". As previously noted, the server secret password entered here must match that
already configured as the Read-Write (rw) password on the RADIUS server:
C3(su)->set radius server 1 192.168.6.203 1812 pwsecret
This example shows how to set the RADIUS timeout to 5 seconds:
C3(su)->set radius timeout 5
This example shows how to set RADIUS retries to 10:
C3(su)->set radius retries 10
This example shows how to force any management-access to the switch (Telnet, web, SSH) to
authenticate through a RADIUS server. The all parameter at the end of the command means that
any of the defined RADIUS servers can be used for this Authentication.
C3(rw)->set radius realm management-access all
clear radius
Use this command to clear RADIUS server settings.
Syntax
clear radius [retries] | [timeout] | [server {index | all | realm {index | all}}]
Parameters
retries
Resets the maximum number of attempts a user can contact the RADIUS
server before timing out to 3.
timeout
Resets the maximum amount of time to establish contact with the RADIUS
server before timing out to 20 seconds.
server
Deletes server settings.
index | all
For use with the server parameter to clear the server configuration for all
servers or a specific RADIUS server as defined by an index.
realm
Resets the realm setting for all servers or a specific RADIUS server as
defined by an index.
Mode
Switch command, read-write.
Defaults
None.
Examples
This example shows how to clear all settings on all RADIUS servers:
C3(su)->clear radius server all
This example shows how to reset the RADIUS timeout to the default value of 20 seconds:
C3(su)->clear radius timeout
Syntax
show radius accounting [server] | [counter ip-address] | [retries] | [timeout]
Parameters
server
(Optional) Displays one or all RADIUS accounting server configurations.
counter ip-address
(Optional) Displays counters for a RADIUS accounting server.
retries
(Optional) Displays the maximum number of attempts to contact the
RADIUS accounting server before timing out.
timeout
(Optional) Display the maximum amount of time before timing out.
Mode
Switch command, read-only.
Defaults
If no parameters are specified, all RADIUS accounting configuration information will be
displayed.
Example
This example shows how to display RADIUS accounting configuration information. In this case,
RADIUS accounting is not currently enabled and global default settings have not been changed.
One server has been configured.
For details on enabling and configuring RADIUS accounting, refer to "set radius accounting" on
page 21-10:
C3(ro)->show radius accounting
RADIUS accounting status: Disabled
RADIUS Acct Server IP Address  Acct-Port Retries Timeout Status
------------------ ----------- --------- ------- ------- --------
1                  172.16.2.10 1856      3       20      Disabled
Syntax
set radius accounting {[enable | disable] [retries retries] [timeout timeout]
[server ip_address port [server-secret]]}
Parameters
enable | disable
Enables or disables the RADIUS accounting client.
retries retries
Sets the maximum number of attempts to contact a specified RADIUS
accounting server before timing out. Valid retry values are 1-10.
timeout timeout
Sets the maximum amount of time (in seconds) to establish contact with a
specified RADIUS accounting server before timing out. Valid timeout
values are 1-30.
server ip_address port server-secret
Specifies the accounting server's:
IP address
UDP authentication port (0-65535)
server-secret (Read-Write password to access this accounting server.
Device will prompt for this entry upon creating a server instance, as
shown in the example below.)
Mode
Switch command, read-write.
Defaults
None.
Examples
This example shows how to enable the RADIUS accounting client for authenticating with the
accounting server at IP address 10.2.4.12, UDP authentication port 1800. As previously noted, the
server secret password entered here must match that already configured as the Read-Write (rw)
password on the RADIUS accounting server:
C3(su)->set radius accounting server 10.2.4.12 1800
Enter secret:
Re-enter secret:
ThisexampleshowshowtosettheRADIUSaccountingtimeoutto30seconds:
C3(su)->set radius accounting timeout 30
ThisexampleshowshowtosetRADIUSaccountingretriesto10:
C3(su)->set radius accounting retries 10
21-10
Security Configuration
Syntax
clear radius accounting {server ip-address | retries | timeout | counter}
Parameters
server ip-address
Clears the configuration on one or more accounting servers.
retries
Resets the retries to the default value of 2.
timeout
Resets the timeout to 5 seconds.
counter
Clears counters.
Mode
Switch command, read-write.
Defaults
None.
Example
This example shows how to reset the RADIUS accounting timeout to 5 seconds.
C3(su)->clear radius accounting timeout
Commands
The commands used to review and configure 802.1X are listed below:
show dot1x
show dot1x auth-config
set dot1x
set dot1x auth-config
clear dot1x auth-config
show eapol
set eapol
clear eapol
show dot1x
Use this command to display 802.1X status, diagnostics, statistics, and reauthentication or initialization control information for one or more ports.
Syntax
show dot1x [auth-diag] [auth-stats] [port [init | reauth]] [port-string]
Parameters
auth-diag
(Optional) Displays authentication diagnostics information.
auth-stats
(Optional) Displays authentication statistics.
port init | reauth
(Optional) Displays the status of port initialization and reauthentication control for the port.
port-string
(Optional) Displays information for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If no parameters are specified, 802.1X status will be displayed.
If port-string is not specified, information for all ports will be displayed.
Mode
Switch command, read-only.
Examples
This example shows how to display 802.1X status:
C3(su)->show dot1x
DOT1X is disabled.
This example shows how to display authentication diagnostics information for fe.1.1:
C3(su)->show dot1x auth-diag fe.1.1
Port : 1
Auth-Diag
Enter Connecting:                   0
EAP Logoffs While Connecting:       0
Enter Authenticating:               0
Success While Authenticating        0
Timeouts While Authenticating:      0
Fails While Authenticating:         0
ReAuths While Authenticating:       0
EAP Starts While Authenticating:    0
EAP logoff While Authenticating:    0
Backend Responses:                  0
Backend Access Challenges:          0
Backend Others Requests To Supp:    0
Backend NonNak Responses From:      0
Backend Auth Successes:             0
Backend Auth Fails:                 0
This example shows how to display authentication statistics for fe.1.1:
C3(su)->show dot1x auth-stats fe.1.1
Port: 1
Auth-Stats
EAPOL Frames Rx:                    0
EAPOL Frames Tx:                    0
EAPOL Start Frames Rx:              0
EAPOL Logoff Frames Rx:             0
EAPOL RespId Frames Rx:             0
EAPOL Resp Frames Rx:               0
EAPOL Req Frames Tx:                0
EAP Length Error Frames Rx:         0
Last EAPOL Frame Version:           0
Last EAPOL Frame Source:            00:00:00:00:00:00
This example shows how to display the status of port reauthentication control for fe.1.1 through fe.1.6:
C3(su)->show dot1x port reauth fe.1.1-6
Port 1: Port reauthenticate:        FALSE
Port 2: Port reauthenticate:        FALSE
Port 3: Port reauthenticate:        FALSE
Port 4: Port reauthenticate:        FALSE
Port 5: Port reauthenticate:        FALSE
Port 6: Port reauthenticate:        FALSE
Syntax
show dot1x auth-config [authcontrolled-portcontrol] [maxreq] [quietperiod]
[reauthenabled] [reauthperiod] [servertimeout] [supptimeout] [txperiod] [port-string]
Parameters
authcontrolled-portcontrol
(Optional) Displays the current value of the controlled Port control parameter for the port.
maxreq
(Optional) Displays the value set for maximum requests currently in use by the backend authentication state machine.
quietperiod
(Optional) Displays the value set for quiet period currently in use by the authenticator PAE state machine.
reauthenabled
(Optional) Displays the state of reauthentication control used by the Reauthentication Timer state machine.
reauthperiod
(Optional) Displays the value, in seconds, set for the reauthentication period used by the reauthentication timer state machine.
servertimeout
(Optional) Displays the server timeout value, in seconds, currently in use by the backend authentication state machine.
supptimeout
(Optional) Displays the authentication supplicant timeout value, in seconds, currently in use by the backend authentication state machine.
txperiod
(Optional) Displays the transmission period value, in seconds, currently in use by the authenticator PAE state machine.
port-string
(Optional) Limits the display of desired information to specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If no parameters are specified, all 802.1X settings will be displayed.
If port-string is not specified, information for all ports will be displayed.
Mode
Switch command, read-only.
Examples
This example shows how to display the EAPOL port control mode for fe.1.1:
C3(su)->show dot1x auth-config authcontrolled-portcontrol fe.1.1
Port 1: Auth controlled port control:    Auto
This example shows how to display the 802.1X quiet period settings for fe.1.1:
C3(su)->show dot1x auth-config quietperiod fe.1.1
Port 1: Quiet period:    30
This example shows how to display all 802.1X authentication configuration settings for ge.1.1:
C3(ro)->show dot1x auth-config ge.1.1
Port : 1
Auth-Config
PAE state:                       Initialize
Backend auth state:              Initialize
Admin controlled directions:     Both
Oper controlled directions:      Both
Auth controlled port status:     Authorized
Auth controlled port control:    Auto
Quiet period:                    60
Transmission period:             30
Supplicant timeout:              30
Server timeout:                  30
Maximum requests:                2
Reauthentication period:         3600
Reauthentication control:        Disabled
set dot1x
Use this command to enable or disable 802.1X authentication, to reauthenticate one or more access entities, or to reinitialize one or more supplicants.
Syntax
set dot1x {enable | disable | port {init | reauth} {true | false} [port-string]}
Parameters
enable | disable
Enables or disables 802.1X.
port
Enable or disable 802.1X reauthentication or initialization control on one or more ports.
init | reauth
Configure initialization or reauthentication control.
true | false
Enable (true) or disable (false) reinitialization/reauthentication.
port-string
(Optional) Specifies the port(s) to reinitialize or reauthenticate.
Defaults
If no ports are specified, the reinitialization or reauthentication setting will be applied to all ports.
Mode
Switch command, read-write.
Usage
Disabling 802.1X authentication globally, by not entering a specific port-string value, will enable the EAP pass-through feature. EAP pass-through allows client authentication packets to be forwarded unmodified through the switch to an upstream device.
Examples
This example shows how to enable 802.1X:
C3(su)->set dot1x enable
This example shows how to reinitialize ge.1.2:
C3(rw)->set dot1x port init true ge.1.2
Syntax
set dot1x auth-config {[authcontrolled-portcontrol {auto | forced-auth |
forced-unauth}] [maxreq value] [quietperiod value] [reauthenabled {false | true}]
[reauthperiod value] [servertimeout timeout] [supptimeout timeout] [txperiod
value]} [port-string]
Parameters
authcontrolled-portcontrol auto | forced-auth | forced-unauth
Specifies the 802.1X port control mode.
auto - Set port control mode to auto controlled port control. This is the default value.
forced-auth - Set port control mode to Forced Authorized controlled port control.
forced-unauth - Set port control mode to Forced Unauthorized controlled port control.
maxreq value
Specifies the maximum number of authentication requests allowed by the backend authentication state machine. Valid values are 1 - 10. Default value is 2.
quietperiod value
Specifies the time (in seconds) following a failed authentication before another attempt can be made by the authenticator PAE state machine. Valid values are 0 - 65535. Default value is 60 seconds.
reauthenabled false | true
Enables (true) or disables (false) reauthentication control of the reauthentication timer state machine. Default value is false.
reauthperiod value
Specifies the time lapse (in seconds) between attempts by the reauthentication timer state machine to reauthenticate a port. Valid values are 0 - 65535. Default value is 3600 seconds.
servertimeout timeout
Specifies a timeout period (in seconds) for the authentication server, used by the backend authentication state machine. Valid values are 1 - 300. Default value is 30 seconds.
supptimeout timeout
Specifies a timeout period (in seconds) for the authentication supplicant used by the backend authentication state machine. Valid values are 1 - 300. Default value is 30 seconds.
txperiod value
Specifies the period (in seconds) which passes between authenticator PAE state machine EAP transmissions. Valid values are 0 - 65535. Default value is 30 seconds.
port-string
(Optional) Limits the configuration of desired settings to specified port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If port-string is not specified, authentication parameters will be set on all ports.
Mode
Switch command, read-write.
Examples
This example shows how to enable reauthentication control on ports fe.1.1-3:
C3(su)->set dot1x auth-config reauthenabled true fe.1.1-3
This example shows how to set the 802.1X quiet period to 120 seconds on ports fe.1.1-3:
C3(su)->set dot1x auth-config quietperiod 120 fe.1.1-3
Syntax
clear dot1x auth-config [authcontrolled-portcontrol] [maxreq] [quietperiod]
[reauthenabled] [reauthperiod] [servertimeout] [supptimeout] [txperiod] [port-string]
Parameters
authcontrolled-portcontrol
(Optional) Resets the 802.1X port control mode to auto.
maxreq
(Optional) Resets the maximum requests value to 2.
quietperiod
(Optional) Resets the quiet period value to 60 seconds.
reauthenabled
(Optional) Resets the reauthentication control state to disabled (false).
reauthperiod
(Optional) Resets the reauthentication period value to 3600 seconds.
servertimeout
(Optional) Resets the server timeout value to 30 seconds.
supptimeout
(Optional) Resets the authentication supplicant timeout value to 30 seconds.
txperiod
(Optional) Resets the transmission period value to 30 seconds.
port-string
(Optional) Resets settings on specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If no parameters are specified, all authentication parameters will be reset.
If port-string is not specified, parameters will be set on all ports.
Mode
Switch command, read-write.
Examples
This example shows how to reset the 802.1X port control mode to auto on all ports:
C3(su)->clear dot1x auth-config authcontrolled-portcontrol
This example shows how to reset reauthentication control to disabled on ports fe.1.1-3:
C3(su)->clear dot1x auth-config reauthenabled fe.1.1-3
This example shows how to reset the 802.1X quiet period to 60 seconds on ports fe.1.1-3:
C3(su)->clear dot1x auth-config quietperiod fe.1.1-3
show eapol
Use this command to display EAPOL status or settings for one or more ports.
Syntax
show eapol [port-string]
Parameters
port-string
(Optional) Displays EAPOL status for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If port-string is not specified, only EAPOL enable status will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display EAPOL status for ports fe.1.1-3:
C3(su)->show eapol fe.1.1-3
EAPOL is disabled.
Port      Authentication State   Authentication Mode
--------  --------------------   --------------------
fe.1.1    Initialized            Auto
fe.1.2    Initialized            Auto
fe.1.3    Initialized            Auto
Table 21-2 provides an explanation of the command output. For details on using the set eapol command to enable the protocol and assign an authentication mode, refer to set eapol on page 21-21.
Table 21-2
Output
What It Displays...
Port
Authentication State
Current EAPOL authentication state for each port. Possible internal states for the authenticator (switch) are:
initialized: A port is in the initialize state when:
authentication is disabled,
authentication is enabled and the port is linked. (In this case very little time is spent in this state, it immediately transitions to the connecting state, via disconnected.)
disconnected: The port passes through this state on its way to connected whenever the port is reinitialized, via link state change, reauthentication failure, or management intervention.
connecting: While in this state, the authenticator sends request/ID messages to the end user.
authenticating: The port enters this state from connecting after receiving a response/ID from the end user. It remains in this state until the entire authentication exchange between the end user and the authentication server completes.
authenticated: The port enters this state from authenticating state after the exchange completes with a favorable result. It remains in this state until linkdown, logoff, or until a reauthentication begins.
aborting: The port enters this state from authenticating when any event occurs that interrupts the login exchange.
held: After any login failure the port remains in this state for the number of seconds equal to quietPeriod (can be set using MIB).
forceAuth: Management is allowing normal, unsecured switching on this port.
forceUnauth: Management is preventing any frames from being forwarded to or from this port.
Authentication Mode
Mode enabling network access for each port. Modes include:
Auto: Frames are forwarded according to the authentication state of each port.
Forced Authorized Mode: Meant to disable authentication on a port. It is intended for ports that support ISLs and devices that cannot authenticate, such as printers and file servers. If a default policy is applied to the port via the policy profile MIB, then frames are forwarded according to the configuration set by that policy, otherwise frames are forwarded according to the current configuration for that port. Authentication using 802.1X is not possible on a port in this mode.
Forced Unauthorized Mode: All frames received on the port are discarded by a filter. Authentication using 802.1X is not possible on a port in this mode.
set eapol
Use this command to enable or disable EAPOL port-based user authentication with the RADIUS server and to set the authentication mode for one or more ports.
Syntax
set eapol [enable | disable] [auth-mode {auto | forced-auth | forced-unauth} port-string]
Parameters
enable | disable
Enables or disables EAPOL.
auth-mode auto | forced-auth | forced-unauth
Specifies the authentication mode as:
auto - Auto authorization mode. This is the default mode and will forward frames according to the authentication state of the port. For details on this mode, refer to Table 21-2.
forced-auth - Forced authorized mode, which disables authentication on the port.
forced-unauth - Forced unauthorized mode, which filters and discards all frames received on the port.
port-string
Specifies the port(s) on which to set EAPOL parameters. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Examples
This example shows how to enable EAPOL:
C3(su)->set eapol enable
This example shows how to enable EAPOL with forced authorized mode on port fe.1.1:
C3(su)->set eapol auth-mode forced-auth fe.1.1
clear eapol
Use this command to globally clear the EAPOL authentication mode, or to clear settings for one or more ports.
Syntax
clear eapol [auth-mode port-string] [port-string]
Parameters
auth-mode
(Optional) Globally clears the EAPOL authentication mode.
port-string
Specifies the port(s) on which to clear EAPOL parameters. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If auth-mode is not specified, all EAPOL settings will be cleared.
If not specified, settings will be cleared for all ports.
Mode
Switch command, read-write.
Example
This example shows how to clear the EAPOL authentication mode for port ge.1.3:
C3(su)->clear eapol auth-mode ge.1.3
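Commands
The commands needed to review, enable, disable, and configure MAC authentication are listed below:
show macauthentication
show macauthentication session
set macauthentication
set macauthentication password
clear macauthentication password
set macauthentication port
set macauthentication portinitialize
set macauthentication portquietperiod
clear macauthentication portquietperiod
set macauthentication macinitialize
set macauthentication reauthentication
set macauthentication portreauthenticate
set macauthentication macreauthenticate
set macauthentication reauthperiod
clear macauthentication reauthperiod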
show macauthentication
Use this command to display MAC authentication information for one or more ports.
Syntax
show macauthentication [port-string]
Parameters
port-string
(Optional) Displays MAC authentication information for specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If port-string is not specified, MAC authentication information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display MAC authentication information for ge.2.1 through 8:
C3(su)->show macauthentication ge.2.1-8
MAC authentication:             - enabled
MAC user password:              - NOPASSWORD
Port username significant bits  - 48
Port     Port      Reauth      Auth     Auth       Reauthentications
         State     Period      Allowed  Allocated
-------  --------  ----------  -------  ---------  -----------------
ge.2.1   disabled  3600        1        1          disabled
ge.2.2   disabled  3600        1        1          disabled
ge.2.3   disabled  3600        1        1          disabled
ge.2.4   disabled  3600        1        1          disabled
ge.2.5   disabled  3600        1        1          disabled
ge.2.6   disabled  3600        1        1          disabled
ge.2.7   disabled  3600        1        1          disabled
ge.2.8   disabled  3600        1        1          disabled
Table 21-3 provides an explanation of the command output.
Table 21-3
Output
What It Displays...
MAC authentication
Whether MAC authentication is globally enabled or disabled. Set using the set macauthentication command as described in set macauthentication on page 21-26.
MAC user password
User password associated with MAC authentication on the device. Set using the set macauthentication password command as described in set macauthentication password on page 21-27.
Port username significant bits
Number of significant bits in the MAC addresses to be used starting with the left-most bit of the vendor portion of the MAC address. The significant portion of the MAC address is sent as a user-name credential when the primary attempt to authenticate the full MAC address fails. Any other failure to authenticate the full address, (i.e., authentication server timeout) causes the next attempt to start once again with a full MAC authentication. Default is 48 and cannot be reset.
Port
Port State
Reauth Period
Reauthentication period for this port. Default value of 30 can be changed using the set macauthentication reauthperiod command described in set macauthentication reauthperiod on page 21-32.
Auth Allowed
Auth Allocated
Reauthentications
Whether or not reauthentication is enabled or disabled on this port. Set using the set macauthentication reauthentication command described in set macauthentication reauthentication on page 21-30.
Syntax
show macauthentication session
Parameters
None.
Defaults
If port-string is not specified, MAC session information will be displayed for all MAC authentication ports.
Mode
Switch command, read-only.
Usage
Changing the Reauth Period with the set macauthentication reauthperiod command does not affect current sessions. New sessions display the correct period.
Example
This example shows how to display MAC session information:
C3(su)->show macauthentication session
Port     MAC Address        Duration    Reauth Period  Reauthentications
-----    -----------------  ----------  -------------  -----------------
ge.1.2   00:60:97:b5:4c:07  0,00:52:31  3600           disabled
Table 21-4 provides an explanation of the command output.
Table 21-4
Output
What It Displays...
Port
MAC Address
Duration
Reauth Period
Reauthentication period for this port, set using the set macauthentication reauthperiod command described in set macauthentication reauthperiod on page 21-32.
Reauthentications
Whether or not reauthentication is enabled or disabled on this port. Set using the set macauthentication reauthentication command described in set macauthentication reauthentication on page 21-30.
set macauthentication
Use this command to globally enable or disable MAC authentication.
Syntax
set macauthentication {enable | disable}
Parameters
enable | disable
Globally enables or disables MAC authentication.
Mode
Switch command, read-write.
Defaults
None.
Example
This example shows how to globally enable MAC authentication:
C3(su)->set macauthentication enable
Syntax
set macauthentication password password
Parameters
password
Specifies a text string MAC authentication password.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the MAC authentication password to macauth:
C3(su)->set macauthentication password macauth
Syntax
clear macauthentication password
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the MAC authentication password:
C3(su)->clear macauthentication password
Syntax
set macauthentication port {enable | disable} port-string
Parameters
enable | disable
Enables or disables MAC authentication.
port-string
Specifies port(s) on which to enable or disable MAC authentication. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Usage
Enabling port(s) for MAC authentication requires globally enabling MAC authentication on the switch as described in set macauthentication on page 21-26, and then enabling it on a port-by-port basis. By default, MAC authentication is globally disabled and disabled on all ports.
Example
This example shows how to enable MAC authentication on ge.2.1 through 5:
C3(su)->set macauthentication port enable ge.2.1-5
Syntax
set macauthentication portinitialize port-string
Parameters
port-string
Specifies the MAC authentication port(s) to reinitialize. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to force ge.2.1 through 5 to initialize:
C3(su)->set macauthentication portinitialize ge.2.1-5
Syntax
set macauthentication portquietperiod time port-string
Parameters
time
Period in seconds to wait after a failed authentication.
port-string
Specifies the ports for which the quiet period is to be applied. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets port 1 to wait 5 seconds after a failed authentication attempt before a new attempt can be made:
C3(su)->set macauthentication portquietperiod 5 ge.1.1
Syntax
clear macauthentication portquietperiod port-string
Parameters
port-string
(Optional) Specifies the ports for which the quiet period is to be reset. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If a port-string is not specified then all ports will be set to the default port quiet period.
Mode
Switch command, read-write.
Example
This example resets the default quiet period on port 1:
C3(su)->clear macauthentication portquietperiod ge.1.1
Syntax
set macauthentication macinitialize mac_addr
Parameters
mac_addr
Specifies the MAC address of the session to reinitialize.
Mode
Switch command, read-write.
Defaults
None.
Example
This example shows how to force the MAC authentication session for address 00-60-97-b5-4c-07 to reinitialize:
C3(su)->set macauthentication macinitialize 00-60-97-b5-4c-07
Syntax
set macauthentication reauthentication {enable | disable} port-string
Parameters
enable | disable
Enables or disables MAC reauthentication.
port-string
Specifies port(s) on which to enable or disable MAC reauthentication. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable MAC reauthentication on ge.4.1 through 5:
C3(su)->set macauthentication reauthentication enable ge.4.1-5
Syntax
set macauthentication portreauthenticate port-string
Parameters
port-string
Specifies MAC authentication port(s) to be reauthenticated. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to force ge.2.1 through 5 to reauthenticate:
C3(su)->set macauthentication portreauthentication ge.2.1-5
Syntax
set macauthentication macreauthenticate mac_addr
Parameters
mac_addr
Specifies the MAC address of the session to reauthenticate.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to force the MAC authentication session for address 00-60-97-b5-4c-07 to reauthenticate:
C3(su)->set macauthentication macreauthenticate 00-60-97-b5-4c-07
Syntax
set macauthentication reauthperiod time port-string
Parameters
time
Specifies the number of seconds between reauthentication attempts. Valid values are 1 - 4294967295.
port-string
Specifies the port(s) on which to set the MAC reauthentication period. For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Usage
Changing the Reauth Period with the set macauthentication reauthperiod command does not affect current sessions. New sessions will use the correct period.
Example
This example shows how to set the MAC reauthentication period to 7200 seconds (2 hours) on ge.2.1 through 5:
C3(su)->set macauthentication reauthperiod 7200 ge.2.1-5
Syntax
clear macauthentication reauthperiod [port-string]
Parameters
port-string
(Optional) Clears the MAC reauthentication period on specific port(s). For a detailed description of possible port-string values, refer to Port String Syntax Used in the CLI on page 4-1.
Defaults
If port-string is not specified, the reauthentication period will be cleared on all ports.
Mode
Switch command, read-write.
Example
This example shows how to globally clear the MAC reauthentication period:
C3(su)->clear macauthentication reauthperiod
User + IP Phone Authentication on the SecureStack C3 is implemented by assigning an ingressed packet received on a port to a policy role based on the VLAN the packet was assigned to, and not the packet's source MAC address. Therefore, on a port configured for User + IP Phone Authentication, there exist two different VLAN-to-policy role mappings.
The policy role for the IP phone is statically mapped using the VLAN-to-policy mapping feature, which assigns any packets received with a VLAN tag set to a specific VID (for example, Voice VLAN) to an indicated policy role (for example, IP Phone policy role). Therefore, it is required that the IP phone is configured to send VLAN-tagged packets to the Voice VLAN.
The second policy role, for the user, can either be statically configured with the default policy role on the port or dynamically assigned through authentication to the network. When the default policy role is assigned on a port, the VLAN set as the port's PVID is mapped to the default policy role. When a policy role is dynamically applied to a port as the result of a successfully authenticated session, the authenticated VLAN is mapped to the policy role set in the Filter-ID returned from the RADIUS server. The authenticated VLAN may either be the PVID of the port, if the PVID Override for the policy profile is disabled, or the VLAN specified in the PVID Override if the PVID Override is enabled.
Commands
The commands needed to review, enable, disable, and configure multiple authentication are listed below:
show multiauth
set multiauth mode
clear multiauth mode
set multiauth precedence
clear multiauth precedence
show multiauth port
set multiauth port
clear multiauth port
show multiauth station
show multiauth
Use this command to display multiple authentication system configuration.
Syntax
show multiauth
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display multiple authentication system configuration:
C3(rw)->show multiauth
Multiple authentication system configuration
-------------------------------------------------
Supported types          : dot1x, pwa, mac
Maximum number of users  : 192
Current number of users  : 0
System mode              : multi
Default precedence       : dot1x, pwa, mac
Admin precedence         :
Operational precedence   : dot1x, pwa, mac
Syntax
set multiauth mode {multi | strict}
Parameters
multi
Allow the system to use multiple authenticators simultaneously (802.1x, PWA, and MAC Authentication) on a port. This is the default mode.
strict
User must authenticate using 802.1x authentication before normal traffic (anything other than authentication traffic) can be forwarded.
Defaults
None.
Mode
Switch command, read-write.
Usage
Multiauth multi mode requires that MAC, PWA, and 802.1X authentication be enabled globally, and configured appropriately on the desired ports according to their corresponding command sets described in this chapter. Refer to Configuring 802.1X Authentication on page 21-12 and Configuring MAC Authentication on page 21-23 and Configuring Port Web Authentication (PWA) on page 21-56.
Example
This example shows how to enable simultaneous multiple authentications:
C3(rw)->set multiauth mode multi
Syntax
clear multiauth mode
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the system authentication mode:
C3(rw)->clear multiauth mode
Syntax
set multiauth precedence {[dot1x] [mac] [pwa]}
Parameters
dot1x
Sets precedence for 802.1X authentication.
mac
Sets precedence for MAC authentication.
pwa
Sets precedence for port web authentication.
Defaults
None.
Mode
Switch command, read-write.
Usage
When a user is successfully authenticated by more than one method at the same time, the precedence of the authentication methods will determine which RADIUS-returned filter-ID will be processed and result in an applied traffic policy profile.
Example
This example shows how to set precedence for MAC authentication:
C3(rw)->set multiauth precedence mac dot1x
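How the multiauth precedence and the two VLAN-to-policy role mappings of User + IP Phone Authentication interact, as an added Python model (not Enterasys code and not part of the original guide). All function names, VLAN IDs and role names are hypothetical; assigning untagged user traffic to the authenticated VLAN and rejecting a user VLAN that collides with a static mapping are modeling assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Mapping, Optional, Sequence, Tuple

# "Default precedence" as printed in the guide's `show multiauth` example.
DEFAULT_PRECEDENCE = ("dot1x", "pwa", "mac")


@dataclass(frozen=True)
class PolicyRole:
    name: str
    pvid_override: Optional[int] = None  # VLAN ID when PVID Override is enabled


@dataclass
class Port:
    pvid: int
    # Static VLAN-to-policy mappings, e.g. Voice VLAN -> IP phone role.
    static_vlan_roles: Dict[int, str] = field(default_factory=dict)
    default_role: Optional[str] = None  # static user role, bound to the PVID


def select_filter_id(successes: Mapping[str, str],
                     precedence: Sequence[str] = DEFAULT_PRECEDENCE) -> Optional[str]:
    """Pick the Filter-ID of the highest-precedence method that succeeded.

    `successes` maps an authentication method to the role named in the
    Filter-ID that RADIUS returned for it.
    """
    for method in precedence:
        if method in successes:
            return successes[method]
    return None


def vlan_role_map(port: Port, roles: Mapping[str, PolicyRole],
                  successes: Mapping[str, str],
                  precedence: Sequence[str] = DEFAULT_PRECEDENCE
                  ) -> Tuple[int, Dict[int, str]]:
    """Return (VLAN given to untagged user traffic, {VLAN: role}) for a port."""
    mapping = dict(port.static_vlan_roles)
    user_vlan = port.pvid
    role_name = select_filter_id(successes, precedence)
    if role_name is None:
        role_name = port.default_role        # no session: default role on the PVID
    else:
        if role_name not in roles:
            raise ValueError(f"Filter-ID names unknown role {role_name!r}")
        override = roles[role_name].pvid_override
        if override is not None:             # PVID Override enabled for this role
            user_vlan = override
    if role_name is not None:
        if user_vlan in mapping:
            # Model choice: refuse the overlap instead of guessing switch behaviour.
            raise ValueError(f"VLAN {user_vlan} is already statically mapped")
        mapping[user_vlan] = role_name
    return user_vlan, mapping


def role_for_packet(port: Port, roles: Mapping[str, PolicyRole],
                    successes: Mapping[str, str],
                    vlan_tag: Optional[int] = None,
                    precedence: Sequence[str] = DEFAULT_PRECEDENCE) -> Optional[str]:
    """Role applied to one ingress packet; the source MAC plays no part."""
    user_vlan, mapping = vlan_role_map(port, roles, successes, precedence)
    vlan = vlan_tag if vlan_tag is not None else user_vlan
    return mapping.get(vlan)


# Constructed sample data: VLAN 10 = port PVID, VLAN 20 = Voice VLAN,
# VLAN 30 = PVID Override of the hypothetical "staff" role.
SAMPLE_ROLES = {
    "ip-phone": PolicyRole("ip-phone"),
    "guest": PolicyRole("guest"),
    "staff": PolicyRole("staff", pvid_override=30),
}
SAMPLE_PORT = Port(pvid=10, static_vlan_roles={20: "ip-phone"}, default_role="guest")

if __name__ == "__main__":
    both = {"mac": "guest", "dot1x": "staff"}  # two methods succeeded at once
    print("default precedence:", role_for_packet(SAMPLE_PORT, SAMPLE_ROLES, both))
    print("mac before dot1x:  ",
          role_for_packet(SAMPLE_PORT, SAMPLE_ROLES, both, precedence=("mac", "dot1x")))
    print("Voice VLAN tag:    ",
          role_for_packet(SAMPLE_PORT, SAMPLE_ROLES, both, vlan_tag=20))
```

Because the role follows the VLAN and not the source MAC address, every frame tagged for the Voice VLAN receives the IP phone role, so that role's policy should permit only what a phone needs.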
Syntax
clear multiauth precedence
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the multiple authentication precedence:
C3(rw)->clear multiauth precedence
Syntax
show multiauth port [port-string]
Parameters
port-string
(Optional) Displays multiple authentication information for specific port(s).
Defaults
If port-string is not specified, multiple authentication information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display multiple authentication information for ports ge.3.1-4:
C3(rw)->show multiauth port ge.3.1-4
Port          Mode          Max         Allowed     Current
                            users       users       users
------------  ------------  ----------  ----------  ----------
ge.3.1        auth-opt      2           1           0
ge.3.2        auth-opt      2           1           0
ge.3.3        auth-opt      2           1           0
ge.3.4        auth-opt      2           1           0
Syntax
set multiauth port mode {auth-opt | auth-reqd | force-auth | force-unauth} |
numusers numusers port-string
Parameters
mode auth-opt | auth-reqd | force-auth | force-unauth
Specifies the port(s) multiple authentication mode as:
auth-opt - Authentication optional (non-strict behavior). If a user does not attempt to authenticate using 802.1x, or if 802.1x authentication fails, the port will allow traffic to be forwarded according to the defined default VLAN.
auth-reqd - Authentication is required.
force-auth - Authentication considered.
force-unauth - Authentication disabled.
numusers numusers
Specifies the number of users allowed authentication on port(s).
port-string
Specifies the port(s) on which to set multiple authentication properties.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the port multiple authentication mode to required on ge.3.14:
C3(rw)->set multiauth port mode auth-reqd ge.3.14
Syntax
clear multiauth port {mode | numusers} port-string
Parameters
mode
Clears the specified port's multiple authentication mode.
numusers
Clears the value set for the number of users allowed authentication on the specified port.
port-string
Specifies the port or ports on which to clear multiple authentication properties.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the port multiple authentication mode on port ge.3.14:
C3(rw)->clear multiauth port mode ge.3.14
This example shows how to clear the number of users on port ge.3.14:
C3(rw)->clear multiauth port numusers ge.3.14
Syntax
show multiauth station [mac address] [port port-string]
Parameters
mac address
(Optional) Displays multiple authentication station entries for specific MAC address(es).
port port-string
(Optional) Displays multiple authentication station entries for specific port(s).
Mode
Switch command, read-only.
Defaults
If no options are specified, multiple authentication station entries will be displayed for all MAC addresses and ports.
Example
This example shows how to display multiple authentication station entries. In this case, two end user MAC addresses are shown:
C3(rw)->show multiauth station
Port          Address type  Address
------------  ------------  ------------------------
fe.1.20       mac           00-10-a4-9e-24-87
fe.2.16       mac           00-b0-d0-e5-0c-d0
Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID
Commands
The commands used to configure RADIUS tunnel attributes are listed below.
For information about...        Refer to page...
set vlanauthorization           21-43
set vlanauthorization egress    21-43
clear vlanauthorization         21-44
show vlanauthorization          21-45
set vlanauthorization
Enable or disable the use of the RADIUS VLAN tunnel attribute to put a port into a particular VLAN based on the result of authentication.
Syntax
set vlanauthorization {enable | disable} [port-string]
Parameters
enable | disable
Enables or disables VLAN authorization/tunnel attributes.
port-string
(Optional) Specifies which ports to enable or disable the use of VLAN tunnel attributes/authorization. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
VLAN authentication is disabled by default.
Mode
Switch command, read-write.
Example
This example shows how to enable VLAN authentication for all Fast Ethernet ports:
C3(rw)-> set vlanauthorization enable fe.*.*
This example shows how to disable VLAN authentication for all Fast Ethernet ports on stack unit 3:
C3(rw)->
Syntax
set vlanauthorization egress {none | tagged | untagged} port-string
Parameters
none
No egress manipulation will be made.
tagged
The authenticating port will be added to the current tagged egress for the VLAN ID returned.
untagged
The authenticating port will be added to the current untagged egress for the VLAN ID returned (default).
port-string
The port or list of ports to which this command will apply. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
By default, administrative egress is set to untagged.
Mode
Switch command, read-write.
Example
This example shows how to enable the insertion of the RADIUS assigned VLAN to an 802.1q tag for all outbound frames for ports 10 through 15 on unit number 3.
C3(rw)->set vlanauthorization egress tagged ge.3.10-15
clear vlanauthorization
Use this command to return port(s) to the default configuration of VLAN authorization disabled, egress untagged.
Syntax
clear vlanauthorization [port-string]
Parameters
port-string
(Optional) Specifies which ports are to be restored to default configuration. If no port-string is entered, the action will be a global setting. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
If no port-string is entered, all ports across the stack will be reset to default configuration with VLAN authorization disabled and egress frames untagged.
Mode
Switch command, read-write.
Example
This example shows how to clear VLAN authorization for all ports on slots 3, 4, and 5:
C3(rw)->clear vlanauthorization ge.3-5.*
show vlanauthorization
Displays the VLAN authentication status and configuration information for the specified ports.
Syntax
show vlanauthorization [port-string]
Parameters
port-string
(Optional) Displays VLAN authentication status for the specified ports. If no port-string is entered, then the global status of the setting is displayed. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
If no port-string is entered, the status for all ports will be displayed.
Mode
Switch command, read-only.
Example
This command shows how to display VLAN authorization status for Fast Ethernet port 1 on unit 1:
C3(rw)-> show vlanauthorization fe.1.1
port     status   administrative egress  operational egress  vlan id
-------  -------  ---------------------  ------------------  -------
fe.1.1   enabled  untagged               none                0
Table 21-5 provides an explanation of command output. For details on enabling and assigning protocol and egress attributes, refer to "set vlanauthorization" on page 21-43 and "set vlanauthorization egress" on page 21-43.
Table 21-5
Output                  What It Displays...
port                    Port identification
status
administrative egress
operational egress
vlan id
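Commands
The commands needed to configure MAC locking are listed below:
For information about...        Refer to page...
show maclock                    21-47
show maclock stations           21-48
set maclock enable              21-49
set maclock disable             21-50
set maclock                     21-50
clear maclock                   21-51
set maclock static              21-52
clear maclock static            21-52
set maclock firstarrival        21-53
clear maclock firstarrival      21-54
set maclock move                21-54
set maclock trap                21-55
show maclock
Use this command to display the status of MAC locking on one or more ports.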
Syntax
show maclock [port-string]
Parameters
port-string
(Optional) Displays MAC locking status for specified port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
If port-string is not specified, MAC locking status will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display MAC locking information for ge.1.1 through 5:
C3(su)->show maclock ge.1.1-5
MAC locking is globally disabled
Port     Port      Trap      Max Static  Max FirstArrival  Violating
Number   Status    Status    Allocated   Allocated         MAC Address
-------  --------  --------  ----------  ----------------  -----------------
ge.1.1   disabled  disabled  20          600               00:00:00:00:00:00
ge.1.2   disabled  disabled  20          600               00:00:00:00:00:00
ge.1.3   disabled  disabled  20          600               00:00:00:00:00:00
ge.1.4   disabled  disabled  20          600               00:00:00:00:00:00
ge.1.5   disabled  disabled  20          600               00:00:00:00:00:00
Table 21-6 provides an explanation of the command output.
Table 21-6
Output                      What It Displays...
Port Number
Port Status                 Whether MAC locking is enabled or disabled on the port. MAC locking is globally disabled by default. For details on enabling MAC locking on the switch and on one or more ports, refer to "set maclock enable" on page 21-49 and "set maclock" on page 21-50.
Trap Status                 Whether MAC lock trap messaging is enabled or disabled on the port. For details on setting this status using the set maclock trap command, refer to "set maclock trap" on page 21-55.
Max Static Allocated        The maximum static MAC addresses allowed locked to the port. For details on setting this value using the set maclock static command, refer to "set maclock static" on page 21-52.
Max FirstArrival Allocated  The maximum end station MAC addresses allowed locked to the port. For details on setting this value using the set maclock firstarrival command, refer to "set maclock firstarrival" on page 21-53.
Violating MAC Address       Most recent MAC address(es) violating the maximum static and first arrival value(s) set for the port.
Syntax
show maclock stations [firstarrival | static] [port-string]
Parameters
firstarrival
(Optional) Displays MAC locking information about end stations first connected to MAC locked ports.
static
(Optional) Displays MAC locking information about static (management defined) end stations connected to MAC locked ports.
port-string
(Optional) Displays end station information for specified port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
If no parameters are specified, MAC locking information will be displayed for all end stations.
Mode
Switch command, read-only.
Example
This example shows how to display MAC locking information for the end stations connected to all Fast Ethernet ports in unit 2:
C3(su)->show maclock stations fe.2.*
Port Number  MAC Address        Status  State
-----------  -----------------  ------  -------------
fe.2.3       00-10-a4-e5-08-4e  active  first learned
fe.2.3       08-00-20-7c-e0-db  active  first learned
fe.2.6       00-60-08-14-4b-15  active  first learned
fe.2.6       08-00-20-20-32-4b  active  first learned
fe.2.9       08-00-20-77-aa-80  active  first learned
fe.2.12      00-03-ba-08-4c-f0  active  first learned
fe.2.14      00-01-f4-2c-ad-b4  active  first learned
Table 21-7 provides an explanation of the command output.
Table 21-7
Output       What It Displays...
Port Number
MAC address
Status
State        Whether the end station locked to the port is a first learned, first arrival or static connection.
Syntax
set maclock enable [port-string]
Parameters
port-string
(Optional) Enables MAC locking on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
If port-string is not specified, MAC locking will be enabled on all ports.
Mode
Switch command, read-write.
Usage
When enabled and configured for a specific MAC address and port string, this locks a port so that only one end station address is allowed to participate in frame relay.
MAC locking is disabled by default at device startup. Configuring one or more ports for MAC locking requires globally enabling it on the device and then enabling it on the desired ports.
Example
This example shows how to enable MAC locking on fe.2.3:
C3(su)->set maclock enable fe.2.3
Syntax
set maclock disable [port-string]
Parameters
port-string
(Optional) Disables MAC locking on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
If port-string is not specified, MAC locking will be disabled on all ports.
Mode
Switch command, read-write.
Example
This example shows how to disable MAC locking on fe.2.3:
C3(su)->set maclock disable fe.2.3
set maclock
Use this command to create a static MAC address and enable or disable MAC locking for the specified MAC address and port. When created and enabled, the specified MAC address is the only MAC that will be permitted to communicate on the port.
Syntax
set maclock mac_address port-string {create | enable | disable}
Parameters
mac_address
Specifies the MAC address for which MAC locking will be created, enabled or disabled.
port-string
Specifies the port on which to create, enable or disable MAC locking for the specified MAC. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
create
Establishes a MAC locking association between the specified MAC address and port. Create automatically enables MAC locking between the specified MAC address and port.
enable | disable
Enables or disables MAC locking between the specified MAC address and port.
Defaults
None.
Mode
Switch command, read-write.
Usage
Configuring one or more ports for MAC locking requires globally enabling it on the switch first using the set maclock enable command as described in "set maclock enable" on page 21-49.
Example
This example shows how to create a MAC locking association between MAC address 0e-03-ef-d8-44-55 and port ge.3.2:
C3(rw)->set maclock 0e-03-ef-d8-44-55 ge.3.2 create
clear maclock
Use this command to remove a static MAC address entry.
Syntax
clear maclock mac_address port-string
Parameters
mac_address
Specifies the MAC address that will be removed from the list of static MACs allowed to communicate on the port.
port-string
Specifies the port on which to clear the MAC address. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Usage
The MAC address that is cleared will no longer be able to communicate on the port unless the first arrival limit has been set to a value greater than 0 and this limit has not yet been met.
For example, if user B's MAC is removed from the static MAC address list and the first arrival limit has been set to 0, then user B will not be able to communicate on the port. If user A's MAC is removed from the static MAC address list and the first arrival limit has been set to 10, but only has 7 entries, user A will become the 8th entry and allowed to communicate on the port.
Example
This example shows how to remove a MAC from the list of static MACs allowed to communicate on port ge.3.2:
C3(rw)->clear maclock 0e-03-ef-d8-44-55 ge.3.2
Syntax
set maclock static port-string value
Parameters
port-string
Specifies the port on which to set the maximum number of static MACs allowed. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
value
Specifies the maximum number of static MAC addresses allowed per port. Valid values are 0 to 20.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the maximum number of allowable static MACs to 2 on ge.3.1:
C3(rw)->set maclock static ge.3.1 2
Syntax
clear maclock static port-string
Parameters
port-string
Specifies the port on which to reset number of static MAC addresses allowed. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the number of allowable static MACs on fe.2.3:
C3(rw)->clear maclock static fe.2.3
Syntax
set maclock firstarrival port-string value
Parameters
port-string
Specifies the port on which to limit MAC locking. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
value
Specifies the number of first arrival end station MAC addresses to be allowed connections to the port. Valid values are 0 to 600.
Defaults
None.
Mode
Switch command, read-write.
Usage
The maclock first arrival count resets when the link goes down. This feature is beneficial if you have roaming users: the first arrival count will be reset every time a user moves to another port, but will still protect against connecting multiple devices on a single port and will protect against MAC address spoofing.
If you wish to have only statically set MACs, set a port's first arrival limit to 0.
Example
This example shows how to restrict MAC locking to 6 MAC addresses on fe.2.3:
C3(su)->set maclock firstarrival fe.2.3 6
Syntax
clear maclock firstarrival port-string
Parameters
port-string
Specifies the port on which to reset the first arrival value. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset MAC first arrivals on fe.2.3:
C3(su)->clear maclock firstarrival fe.2.3
Syntax
set maclock move port-string
Parameters
port-string
Specifies the port on which MAC will be moved from first arrival MACs to static entries. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
None.
Mode
Switch command, read-write.
Usage
If there are more first arrival MACs than the allowed maximum static MACs, then only the latest first arrival MACs will be moved to static entries. For example, if you set the maximum number of static MACs to 2 with the set maclock static command, and then executed the set maclock move command, even though there were five MACs in the first arrival table, only the two most recent MAC entries would be moved to static entries.
Example
This example shows how to move all current first arrival MACs to static entries on ports ge.3.1-40:
C3(rw)->set maclock move ge.3.1-40
Syntax
set maclock trap port-string {enable | disable}
Parameters
port-string
Specifies the port on which MAC lock trap messaging will be enabled or disabled. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
enable | disable
Enables or disables MAC lock trap messaging.
Defaults
None.
Mode
Switch command, read-write.
Usage
When enabled, this feature authorizes the switch to send an SNMP trap message if an end station is connected that exceeds the maximum values configured using the set maclock firstarrival and set maclock static commands. Violating MAC addresses are dropped from the device's routing table.
Example
This example shows how to enable MAC lock trap messaging on fe.2.3:
C3(su)->set maclock trap fe.2.3 enable
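The static and first arrival rules described for clear maclock, set maclock firstarrival, set maclock move and set maclock trap can be checked against a small model. This is an added example, not Enterasys code: the MacLockPort class, its method names and the sample MAC addresses are hypothetical, and it assumes that existing static entries count against the static limit when entries are moved.

```python
# Added example: a model of the MAC locking rules in this section, not switch
# firmware. Class and method names are hypothetical; MAC addresses are constructed.

MAX_STATIC = 20          # set maclock static: valid values are 0 to 20
MAX_FIRSTARRIVAL = 600   # set maclock firstarrival: valid values are 0 to 600


class MacLockPort:
    """One MAC-locked port: a static list plus a bounded first-arrival list."""

    def __init__(self, static_limit=MAX_STATIC,
                 firstarrival_limit=MAX_FIRSTARRIVAL, trap=False):
        if not 0 <= static_limit <= MAX_STATIC:
            raise ValueError("static limit must be 0 to 20")
        if not 0 <= firstarrival_limit <= MAX_FIRSTARRIVAL:
            raise ValueError("firstarrival limit must be 0 to 600")
        self.static_limit = static_limit
        self.firstarrival_limit = firstarrival_limit
        self.trap = trap
        self.static = []         # management-defined MACs
        self.firstarrival = []   # learned MACs, oldest first
        self.violating = None    # most recent violating MAC
        self.traps = []          # trap messages this model would emit

    def create_static(self, mac):
        """Model of: set maclock mac_address port-string create"""
        if mac in self.static:
            return
        if len(self.static) >= self.static_limit:
            raise ValueError("static MAC limit reached")
        self.static.append(mac)

    def clear_static(self, mac):
        """Model of: clear maclock mac_address port-string"""
        self.static.remove(mac)

    def frame_from(self, mac):
        """Classify a source MAC as 'static', 'first arrival' or 'violation'."""
        if mac in self.static:
            return "static"
        if mac in self.firstarrival:
            return "first arrival"
        if len(self.firstarrival) < self.firstarrival_limit:
            self.firstarrival.append(mac)
            return "first arrival"
        self.violating = mac
        if self.trap:
            self.traps.append("maclock violation " + mac)
        return "violation"

    def link_down(self):
        """The first arrival count resets when the link goes down."""
        self.firstarrival.clear()

    def move(self):
        """Model of: set maclock move port-string (latest entries win)."""
        # Assumption: existing static entries count against the static limit.
        room = self.static_limit - len(self.static)
        moved = self.firstarrival[-room:] if room > 0 else []
        for mac in moved:
            self.firstarrival.remove(mac)
            self.static.append(mac)
        return moved


def sample_mac(n):
    """Constructed address from the 00-00-5e-00-53-xx documentation range."""
    return "00-00-5e-00-53-%02x" % n


def cleared_static_rejoins(firstarrival_limit, already_learned):
    """Clear a static MAC, then let the same station send a frame again."""
    port = MacLockPort(firstarrival_limit=firstarrival_limit)
    port.create_static(sample_mac(0xA0))
    for n in range(already_learned):
        port.frame_from(sample_mac(n))
    port.clear_static(sample_mac(0xA0))
    return port.frame_from(sample_mac(0xA0)), len(port.firstarrival)


if __name__ == "__main__":
    print(cleared_static_rejoins(0, 0))    # user B in the clear maclock text
    print(cleared_static_rejoins(10, 7))   # user A in the clear maclock text
```

A first arrival limit of 0 is the only setting in this model under which a cleared static MAC stays locked out, which matches the guidance to set the limit to 0 when only statically set MACs are wanted.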
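Purpose
To review, enable, disable, and configure Port Web Authentication (PWA).
Commands
The commands needed to review and configure PWA are listed below:
For information about...    Refer to page...
show pwa                    21-57
set pwa                     21-58
show pwa banner             21-59
set pwa banner              21-60
clear pwa banner            21-60
set pwa displaylogo         21-61
set pwa ipaddress           21-61
set pwa protocol            21-62
set pwa guestname           21-62
clear pwa guestname         21-63
set pwa guestpassword       21-63
set pwa gueststatus         21-64
set pwa initialize          21-64
set pwa quietperiod         21-65
set pwa maxrequests         21-65
set pwa portcontrol         21-66
show pwa session            21-66
set pwa enhancedmode        21-67
show pwa
Use this command to display port web authentication information for one or more ports.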
Syntax
show pwa [port-string]
Parameters
port-string
(Optional) Displays PWA information for specific port(s).
Defaults
If port-string is not specified, PWA information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display PWA information for ge.2.1:
C3(su)->show pwa ge.2.1
PWA Status                   enabled
PWA IP Address               192.168.62.99
PWA Protocol                 PAP
PWA Enhanced Mode            N/A
PWA Logo                     enabled
PWA Guest Networking Status  disabled
PWA Guest Name               guest
PWA Redirect Time            N/A
Port     Mode      AuthStatus    QuietPeriod  MaxReq
-------  --------  ------------  -----------  ------
ge.2.1   disabled  disconnected  60           16
Table 21-8 provides an explanation of the command output.
Table 21-8
Output                       What It Displays...
PWA Status
PWA IP Address               IP address of the end station from which PWA will prevent network access until the user is authenticated. Set using the set pwa ipaddress command as described in "set pwa ipaddress" on page 21-61.
PWA Protocol                 Whether PWA protocol is CHAP or PAP. Default setting of PAP can be changed using the set pwa protocol command as described in "set pwa protocol" on page 21-62.
PWA Enhanced Mode            Whether PWA enhanced mode is enabled or disabled. Default state of disabled can be changed using the set pwa enhancedmode command as described in "set pwa enhancedmode" on page 21-67.
PWA Logo                     Whether the Enterasys Networks logo will be displayed or hidden at user login. Default state of enabled (displayed) can be changed using the set pwa displaylogo command as described in "set pwa displaylogo" on page 21-61.
PWA Guest Networking Status
PWA Guest Name               Guest user name for PWA enhanced mode networking. Default value of "guest" can be changed using the set pwa guestname command as described in "set pwa guestname" on page 21-62.
PWA Guest Password           Guest user's password. Default value of an empty string can be changed using the set pwa guestpassword command as described in "set pwa guestpassword" on page 21-63.
PWA Redirect Time            Time in seconds after login success before the user is redirected to the PWA home page.
Port
Mode
Auth Status
Quiet Period                 Amount of time a port will be in the held state after a user unsuccessfully attempts to log on to the network. Default value of 60 can be changed using the set pwa quietperiod command as described in "set pwa quietperiod" on page 21-65.
MaxReq                       Maximum number of log on attempts allowed before transitioning the port to a held state. Default value of 2 can be changed using the set pwa maxrequests command as described in "set pwa maxrequest" on page 21-65.
set pwa
Use this command to enable or disable port web authentication.
Syntax
set pwa {enable | disable}
Parameters
enable | disable
Enables or disables port web authentication.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable port web authentication:
C3(su)->set pwa enable
Syntax
show pwa banner
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the PWA login banner:
C3(su)->show pwa banner
Welcome to Enterasys Networks
Syntax
set pwa banner string
Parameters
string
Specifies the PWA login banner.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the PWA login banner to "Welcome to Enterasys Networks":
C3(su)->set pwa banner Welcome to Enterasys Networks
Syntax
clear pwa banner
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the PWA login banner to a blank string:
C3(su)->clear pwa banner
Syntax
set pwa displaylogo {display | hide}
Parameters
display | hide
Displays or hides the Enterasys Networks logo when the PWA website displays.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to hide the Enterasys Networks logo:
C3(su)->set pwa displaylogo hide
Syntax
set pwa ipaddress ip-address
Parameters
ip-address
Specifies a globally unique IP address. This same value must be configured into every authenticating switch in the domain.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set a PWA IP address of 1.2.3.4:
C3(su)->set pwa ipaddress 1.2.3.4
Syntax
set pwa protocol {chap | pap}
Parameters
chap | pap
Sets the PWA protocol to:
  CHAP (PPP Challenge Handshake Protocol) - encrypts the username and password between the end-station and the switch port.
  PAP (Password Authentication Protocol) - does not provide any encryption between the end-station and the switch port.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the PWA protocol to CHAP:
C3(su)->set pwa protocol chap
Syntax
set pwa guestname name
Parameters
name
Specifies a guest user name.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the PWA guest user name to "guestuser":
C3(su)->set pwa guestname guestuser
Syntax
clear pwa guestname
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the PWA guest user name:
C3(su)->clear pwa guestname
Syntax
set pwa guestpassword
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Usage
PWA will use this password and the guest user name to grant network access to guests without established login names and passwords.
Example
This example shows how to set the PWA guest user password:
C3(su)->set pwa guestpassword
Guest Password: *********
Retype Guest Password: *********
Syntax
set pwa gueststatus {authnone | authradius | disable}
Parameters
authnone
Enables guest networking with no authentication method.
authradius
Enables guest networking with RADIUS authentication. Upon successful authentication from RADIUS, PWA will apply the policy returned from RADIUS to the PWA port.
disable
Disables guest networking.
Defaults
None.
Mode
Switch command, read-write.
Usage
PWA will use a guest password and guest user name to grant network access with default policy privileges to users without established login names and passwords.
Example
This example shows how to enable PWA guest networking with RADIUS authentication:
C3(su)->set pwa guestnetworking authradius
Syntax
set pwa initialize [port-string]
Parameters
port-string
(Optional) Initializes specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
If port-string is not specified, all ports will be initialized.
Mode
Switch command, read-write.
Example
This example shows how to initialize ports fe.1.5-7:
C3(su)->set pwa initialize fe.1.5-7
Syntax
set pwa quietperiod time [port-string]
Parameters
time
Specifies quiet time in seconds.
port-string
(Optional) Sets the quiet period for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
If port-string is not specified, quiet period will be set for all ports.
Mode
Switch command, read-write.
Example
This example shows how to set the PWA quiet period to 30 seconds for ports fe.1.5-7:
C3(su)->set pwa quietperiod 30 fe.1.5-7
Syntax
set pwa maxrequests requests [port-string]
Parameters
maxrequests
Specifies the maximum number of log on attempts.
port-string
(Optional) Sets the maximum requests for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
If port-string is not specified, maximum requests will be set for all ports.
Mode
Switch command, read-write.
Example
This example shows how to set the PWA maximum requests to 3 for all ports:
C3(su)->set pwa maxrequests 3
Syntax
set pwa portcontrol {enable | disable} [port-string]
Parameters
enable | disable
Enable or disable PWA on specified ports.
port-string
(Optional) Sets the control mode on specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
If port-string is not specified, PWA will be enabled on all ports.
Mode
Switch command, read-write.
Example
This example shows how to enable PWA on ports 1-22:
C3(su)->set pwa portcontrol enable ge.1.1-22
Syntax
show pwa session [port-string]
Parameters
port-string
(Optional) Displays PWA session information for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 4-1.
Defaults
If port-string is not specified, session information for all ports will be displayed.
Mode
Switch command, read-only.
Example
This example shows how to display PWA session information:
C3(su)->show pwa session
Port     MAC                IP             User       Duration    Status
-------  -----------------  -------------  ---------  ----------  ------
ge.2.19  00-c0-4f-20-05-4b  172.50.15.121  pwachap10  0,14:46:55  active
ge.2.19  00-c0-4f-24-51-70  172.50.15.120  pwachap1   0,15:43:30  active
ge.2.19  00-00-f8-78-9c-a7  172.50.15.61   pwachap11  0,14:47:58  active
Syntax
set pwa enhancedmode {enable | disable}
Parameters
enable | disable
Enable or disable PWA enhanced mode.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to enable PWA enhanced mode:
C3(su)->set pwa enhancedmode enable
Commands
The commands used to review and configure SSH are listed below:
For information about...    Refer to page...
show ssh status             21-68
set ssh                     21-69
set ssh hostkey             21-69
Syntax
show ssh status
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display SSH status on the switch:
C3(su)->show ssh status
SSH Server status: Disabled
set ssh
Use this command to enable, disable or reinitialize SSH server on the switch. By default, the SSH server is disabled.
Syntax
set ssh {enable | disable | reinitialize}
Parameters
enable | disable
Enables or disables SSH, or reinitializes the SSH server.
reinitialize
Reinitializes the SSH server.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable SSH:
C3(su)->set ssh disable
Syntax
set ssh hostkey [reinitialize]
Parameters
reinitialize
(Optional) Reinitializes the server host authentication keys.
Defaults
If reinitialize is not specified, the user must supply SSH authentication key values.
Mode
Switch command, read-write.
Example
This example shows how to regenerate SSH keys:
C3(su)->set ssh hostkey reinitialize
Purpose
To review and configure security access control lists (ACLs), which permit or deny access to routing interfaces based on protocol and IP address restrictions.
Commands
The commands used to review and configure security access lists are listed below:
For information about...    Refer to page...
show access-lists           21-70
access-list (standard)      21-74
access-list (extended)      21-72
ip access-group             21-74
show access-lists
Use this command to display configured IP access lists when operating in router mode.
Syntax
show access-lists [number]
Parameters
access-list number
(Optional) Displays access list information for a specific access list number. Valid values are between 1 and 199.
Defaults
If number is not specified, the entire table of access lists will be displayed.
Mode
Any router mode.
Example
This example shows how to display IP access list number 101. This is an extended access list, which permits or denies ICMP, UDP and IP frames based on restrictions configured with one of the access-list commands. For details on configuring standard access lists, refer to "access-list (standard)" on page 21-71. For details on configuring extended access lists, refer to "access-list (extended)" on page 21-72.
C3(su)->router#show access-lists 101
Extended IP access list 101
1:
2:
3:
4:
5:
access-list (standard)
Use this command to define a standard IP access list by number when operating in router mode. The "no" form of this command removes the defined access list or entry.
Syntax
To create an ACL entry:
access-list access-list-number {deny | permit} source [source-wildcard]
no access-list access-list-number [entry]
Parameters
access-list-number
Specifies a standard access list number. Valid values are from 1 to 99.
deny | permit
Denies or permits access if specified conditions are met.
source
Specifies the network or host from which the packet will be sent. Valid options for expressing source are:
  IP address or range of addresses (A.B.C.D)
  any - Any source host
  host source - IP address of a single source host
source-wildcard
(Optional) Specifies the bits to ignore in the source address.
insert | replace entry
(Optional) Inserts this new entry before a specified entry in an existing ACL, or replaces a specified entry with this new entry.
move destination source1 source2
(Optional) Moves a sequence of access list entries before another entry. Destination is the number of the existing entry before which this new entry will be moved. Source1 is a single entry number or the first entry number in the range to be moved. Source2 (optional) is the last entry number in the range to be moved. If source2 is not specified, only the source1 entry will be moved.
Defaults
If insert, replace or move are not specified, the new entry will be appended to the access list.
If source2 is not specified with move, only one entry will be moved.
Mode
Global configuration: C3(su)->router(Config)#
Usage
Valid access-list-numbers for standard ACLs are 1 to 99. For extended ACLs, valid values are 100 to 199.
Access lists are applied to interfaces by using the ip access-group command ("ip access-group" on page 21-74).
Examples
This example shows how to create access list 1 with three entries that allow access to only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list entries will be rejected:
C3(su)->router(Config)#access-list 1 permit 192.5.34.0 0.0.0.255
C3(su)->router(Config)#access-list 1 permit 128.88.0.0 0.0.255.255
C3(su)->router(Config)#access-list 1 permit 36.0.0.0 0.255.255.255
This example moves entry 16 to the beginning of ACL 22:
C3(su)->router(Config)#access-list 22 move 1 16
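How the source and source-wildcard fields decide a match can be seen by evaluating the access list 1 entries from the example above. This is an added example, not part of the original guide: the function names are hypothetical, and it assumes that entries are checked in list order with the first match deciding, and that a source given without a wildcard matches exactly.

```python
import ipaddress
import re

# Grammar from the Syntax line above:
#   access-list access-list-number {deny | permit} source [source-wildcard]
ENTRY_RE = re.compile(
    r"(?<!no )access-list\s+(\d+)\s+(deny|permit)\s+(.+)$", re.IGNORECASE)
ALL_BITS = 0xFFFFFFFF

# The three entries of access list 1 from the example above, prompts included.
SAMPLE = """\
C3(su)->router(Config)#access-list 1 permit 192.5.34.0 0.0.0.255
C3(su)->router(Config)#access-list 1 permit 128.88.0.0 0.0.255.255
C3(su)->router(Config)#access-list 1 permit 36.0.0.0 0.255.255.255
"""


def _ip(dotted):
    """Dotted-quad string to a 32-bit integer (raises ValueError if invalid)."""
    return int(ipaddress.IPv4Address(dotted))


def parse_entry(line):
    """Parse one standard ACL entry; a leading CLI prompt is ignored."""
    m = ENTRY_RE.search(line.strip())
    if m is None:
        raise ValueError("not a permit/deny entry: %r" % line)
    number, action = int(m.group(1)), m.group(2).lower()
    source = m.group(3).split()
    if not 1 <= number <= 99:
        raise ValueError("standard access list numbers are 1 to 99")
    if source == ["any"]:
        addr, wild = 0, ALL_BITS                  # every bit ignored
    elif len(source) == 2 and source[0].lower() == "host":
        addr, wild = _ip(source[1]), 0            # no bit ignored
    elif len(source) == 1:
        addr, wild = _ip(source[0]), 0            # assumption: exact match
    elif len(source) == 2:
        addr, wild = _ip(source[0]), _ip(source[1])
    else:
        raise ValueError("unexpected source field: %r" % m.group(3))
    return {"number": number, "action": action, "addr": addr, "wild": wild}


def parse_acl(text):
    """Parse every non-blank line of a pasted configuration fragment."""
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def matches(entry, ip):
    """True when ip equals the entry address in every bit the wildcard keeps."""
    care = ~entry["wild"] & ALL_BITS
    return ((_ip(ip) ^ entry["addr"]) & care) == 0


def evaluate(acl, ip):
    """First matching entry decides; a source that matches nothing is rejected."""
    for entry in acl:
        if matches(entry, ip):
            return entry["action"]
    return "deny"


def addresses_covered(entry):
    """How many source addresses one entry matches (2 ** ignored bits)."""
    return 1 << bin(entry["wild"]).count("1")


if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    for probe in ("192.5.34.77", "192.5.35.1", "36.255.0.1", "10.0.0.1"):
        print(probe, evaluate(acl, probe))
    for entry in acl:
        print(entry["action"], addresses_covered(entry), "addresses")
```

Printing the coverage of each entry is a quick review aid: the third entry alone admits 16,777,216 source addresses.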
access-list (extended)
Use this command to define an extended IP access list by number when operating in router mode. The "no" form of this command removes the defined access list or entry:
Syntax
To apply ACL restrictions to IP, UDP, ICMP or TCP packets:
access-list access-list-number {deny | permit} protocol source [source-wildcard]
[operator [port]] destination [destination-wildcard]
no access-list access-list-number [entry]
Parameters
access-list-number
Specifies an extended access list number. Valid values are from 100 to 199.
deny | permit
Denies or permits access if specified conditions are met.
protocol
Specifies an IP protocol for which to deny or permit access. Valid values and their corresponding protocols are:
  ip - Any Internet protocol
  udp - User Datagram Protocol
  tcp - Transmission Control Protocol
  icmp - Internet Control Message Protocol
source
Specifies the network or host from which the packet will be sent. Valid options for expressing source are:
  IP address or range of addresses (A.B.C.D)
  any - Any source host
  host source - IP address of a single source host
source-wildcard
(Optional) Specifies the bits to ignore in the source address.
operator port
(Optional) Applies access rules to TCP or UDP source or destination port numbers. Possible operand is:
  eq port - Matches only packets on a given port number.
destination
Specifies the network or host to which the packet will be sent. Valid options for expressing destination are:
  IP address (A.B.C.D)
  any - Any destination host
  host source - IP address of a single destination host
destination-wildcard
(Optional) Specifies the bits to ignore in the destination address.
insert | replace entry
(Optional) Inserts this new entry before a specified entry in an existing ACL, or replaces a specified entry with this new entry.
move destination source1 source2
(Optional) Moves a sequence of access list entries before another entry. Destination is the number of the existing entry before which this new entry will be moved. Source1 is a single entry number or the first entry number in the range to be moved. Source2 (optional) is the last entry number in the range to be moved. If source2 is not specified, only the source1 entry will be moved.
Defaults
If insert, replace, or move are not specified, the new entry will be appended to the access list.
If source2 is not specified with move, only one entry will be moved.
If operator and port are not specified, access parameters will be applied to all TCP or UDP ports.
Mode
Global configuration: C3(su)->router(Config)#
Usage
Access lists are applied to interfaces by using the ip access-group command as described in "ip access-group" on page 21-74.
Valid access-list-numbers for extended ACLs are 100 to 199. For standard ACLs, valid values are 1 to 99.
Example
This example shows how to define access list 101 to deny ICMP transmissions from any source and for any destination:
C3(su)->router(Config)#access-list 101 deny ICMP any any
ip access-group
Use this command to apply access restrictions to inbound frames on an interface when operating in router mode. The "no" form of this command removes the specified access list.
Syntax
ip access-group access-list-number in
no ip access-group access-list-number in
Parameters
access-list-number
Specifies the number of the access list to be applied to the access list. This is a decimal number from 1 to 199.
in
Filters inbound frames.
Defaults
None.
Mode
Interface configuration: C3(su)->router(Config-if(Vlan <vlan_id>))#
Usage
ACLs must be applied per routing interface. An entry (rule) can be applied to inbound frames only.
Example
This example shows how to apply access list 1 for all inbound frames on the VLAN 1 interface. Through the definition of access list 1, only frames with a source address on the 192.5.34.0/24 network will be routed. All the frames with other source addresses received on the VLAN 1 interface are dropped:
C3(su)->router(Config)#access-list 1 permit 192.5.34.0 0.0.0.255
C3(su)->router(Config)#interface vlan 1
C3(su)->router(Config-if(Vlan 1))#ip access-group 1 in
Index
Numerics
802.1D 6-1
802.1p 8-17, 9-1
802.1Q 7-1
802.1s 6-1
802.1w 6-1
802.1x 21-6, 21-21
A
Access Groups 21-74
Access Lists 21-71 to 21-72
Addresses
MAC, adding entries to routing
table 15-5
setting the router ID address 16-14
Advertised Ability 4-15
Alias
node 11-34
Area Border Routers (ABRs) 16-24
ARP
entries, adding in routing
mode 15-14
proxy, enabling 15-15
timeout 15-15
Authentication
EAPOL 21-21
MAC 21-23
MD5 16-22
OSPF
MD5 16-22
simple password 16-21
Port web 21-56
RADIUS server 21-6, 21-10
SSH 21-69
Auto-negotiation 4-15
B
banner motd 3-20
Baud Rate 3-28
Broadcast
settings for IP routing 15-17
suppression, enabling on ports 4-30
C
CDP Discovery Protocol 3-54
CIDR 16-8
Cisco Discovery Protocol 3-60
Class of Service 8-7, 8-12,
8-17 to 8-21, 9-1
Classification Policies 8-1
Clearing NVRAM 3-70
CLI
closing 3-67
scrolling screens 1-9
starting 1-6
Command History Buffer 11-12, 11-13
Command Line Interface. See also CLI
Configuration
clearing switch parameters 3-70
modes for router operation 14-3
Configuration Files
copying 3-50
deleting 3-50
displaying 3-48
executing 3-49
show running config 3-50
show running-config 15-6
Contexts (SNMP) 5-3
Copying Configuration or Image
Files 3-50
Cost
area default 16-25
OSPF 16-17, 16-25
Spanning Tree port 6-38
D
Defaults
CLI behavior, described 1-8
factory installed 1-2
DHCP server, configuring 13-1
DHCP/BOOTP Relay 13-1, 15-18
DHCPv6
about 19-1
configuring 19-1
DVMRP 16-36
Dynamic policy profile
assignment 21-2
E
EAP pass-through 21-2, 21-16
EAPOL 21-21
F
Flow Control 4-19
Forbidden VLAN port 7-15
G
Getting help xxx
GVRP
enabling and disabling 7-27
purpose of 7-23
timer 7-28
Image File
copying 3-50
downloading 3-38
Ingress Filtering 7-8, 7-11
Interface Configuration Mode 15-3
Interface(s)
configuring OSPF parameters 16-12
configuring settings for IP 15-1
loopback, configuring 18-10
RIP passive 16-9
RIP receive 16-10
RIP send 16-5
tunnel, configuring 15-8, 18-10
IP
access lists 21-71 to 21-72
address, setting for a routing
interface 15-5
routes, adding in router mode 15-20
routes, managing in switch
mode 11-17
IPv6
about 18-1
addresses, configuring 18-10
addresses, setting 17-3
configuration defaults 18-2
default router, setting 17-6
DHCPv6, configuring 19-1
displaying information 18-22
gateway, setting 17-6
general configuration
commands 18-3
interface configuration
commands 18-10
management 17-1
Neighbor Discovery Protocol
about 18-1
configuring 18-14
displaying cache 17-7
OSPFv3, configuring 20-1
IRDP 16-40
J
Jumbo Frame Support 4-12
Hardware
show system 3-13, 3-21
Hello Packets 16-20 to 16-21
Help
keyword lookups 1-9
Host VLAN 7-20
I
ICMP 11-14
IGMP 10-1
enabling and disabling 10-2, 10-11
License key
advanced routing 16-1
licenses
activating 3-29
license key field descriptions 3-29
procedure for stack
environment 3-29
Line Editing Commands 1-10
Index-1
M
MAC Addresses
displaying 11-20
MAC Authentication 21-23
MAC Locking 21-46
maximum static entries 21-52
static 21-52
Management VLAN 7-1
MD5 Authentication 16-22
motd 3-20
Multicast 16-54
Multicast Filtering 10-1, 10-2
Multiple Spanning Tree Protocol
(MSTP) 6-1
N
Name
setting for a VLAN 7-6
setting for the system 3-22
Neighbor Discovery Protocol
configuring 18-14
Neighbors
OSPF 16-33
Network Management
addresses and routes 11-17
monitoring switch events and
status 11-12
Networks
OSPF 16-16
Node Alias 11-34
NSSA Areas 16-26
NVRAM
clearing 3-70
O
OSPF
Area Border Routers (ABRs) 16-24
areas, defining NSSAs 16-26
areas, defining range 16-24
areas, defining stub 16-24
configuration mode, enabling 16-14
configuration tasks 16-12
cost 16-17, 16-25
hello packet intervals 16-20 to 16-21
information,
displaying 16-29 to 16-34
Index-2
P
Password
aging 3-6
history 3-6
set new 3-4
setting the login 3-4
PIM-SM 16-54
Ping 11-14, 15-21
Policy Management
assigning ports 8-15
classifying to a VLAN or Class of
Service 8-7, 8-12
dynamic assignment of profiles 21-2
profiles 8-2, 8-17
Port Mirroring 4-33
Port Priority
configuring 9-2
Port String
syntax used in the CLI 4-1
Port Trunking 4-38
Port web authentication
configuring 21-56
Port(s)
alias 4-9
assignment scheme 4-1
auto-negotiation and advertised
ability 4-15
broadcast suppression 4-30
counters, reviewing statistics 4-5
duplex mode, setting 4-9
flow control 4-19
link flap
about 4-20
configuration defaults 4-24
configuring 4-23
link traps, configuring 4-20
MAC lock 21-49
priority, configuring 9-2
speed, setting 4-9
status, reviewing 4-2
Power over Ethernet (PoE),
configuring 3-34
Priority
OSPF 16-17
VRRP 16-49
Priority to Transmit Queue
Mapping 9-5
Prompt
in router mode 14-3
set 3-19
Protocol Independant Multicast 16-54
PWA 21-56
R
RADIUS 21-4
realm 21-6
RADIUS Filter-ID 21-2
attribute formats 21-3
RADIUS server 21-6, 21-10
Rapid Spanning Tree Protocol
(RSTP) 6-1
Redistribute 16-11, 16-28
Related Manuals xxix
remote port mirroring
about 4-33
configuring 4-37
Reset 3-69
RFC 3580 21-42
RIP
CIDR 16-8
configuration mode, enabling 16-3
configuration tasks 16-2
passive interface 16-9
redistribute 16-11
Router Mode(s)
enabling 14-3
Routing Interfaces
configuring 15-3
Routing Protocol Configuration
DVMRP 16-36
IRDP 16-40
OSPF 16-12
OSPFv3 20-1
RIP 16-2
VRRP 16-45
S
Scrolling Screens 1-9
Secure Shell (SSH) 21-68
enabling 21-69
regenerating new keys 21-69
Security
methods, overview of 21-1
Serial Port
downloading upgrades via 3-38
show system utilization cpu 3-14
SNMP
access rights 5-16
accessing in router mode 5-3
enabling on the switch 5-18
MIB views 5-20
notification parameters 5-33
notify filters 5-33
W
WebView 1-2, 3-71
WebView SSL 3-73
U
User Accounts
default 1-7
setting 3-2
V
Version
RIP receive 16-5
RIP send 16-5
Version Information 3-21
Index-3
Index-4